From 04a8b85de8375093258475bbea84ae2b68a67a29 Mon Sep 17 00:00:00 2001 
From: Eva
Date: Fri, 13 Oct 2023 11:20:08 -0400
Subject: [PATCH] fix tests
---
.../parsed_cve_mappings_attack_objects.csv | 1706 +++
.../parsed_cve_mappings_metadata.csv | 2 +
.../parsed_nist800-53-r4-10.1_mappings.yaml | 9384 ++++++++--------
...800-53-r4-10.1_mappings_attack_objects.csv | 4693 ++++++++
...d_nist800-53-r4-10.1_mappings_metadata.csv | 2 +
...00-53-r4-10.1_mappings_metadata_object.csv | 2 +
...0-53-r4-10.1_mappings_navigator_layer.json | 2 +-
.../parsed_nist800-53-r5-10.1_mappings.yaml | 9510 ++++++++--------
...800-53-r5-10.1_mappings_attack_objects.csv | 4756 ++++++++
...d_nist800-53-r5-10.1_mappings_metadata.csv | 2 +
...00-53-r5-10.1_mappings_metadata_object.csv | 2 +
...0-53-r5-10.1_mappings_navigator_layer.json | 2 +-
.../parsed_nist800-53-r4-12.1_mappings.yaml | 9730 ++++++++--------
...800-53-r4-12.1_mappings_attack_objects.csv | 4866 ++++++++
...d_nist800-53-r4-12.1_mappings_metadata.csv | 2 +
...00-53-r4-12.1_mappings_metadata_object.csv | 2 +
...0-53-r4-12.1_mappings_navigator_layer.json | 2 +-
.../parsed_nist800-53-r5-12.1_mappings.yaml | 9858 ++++++++---------
...800-53-r5-12.1_mappings_attack_objects.csv | 4930 +++++++++
...d_nist800-53-r5-12.1_mappings_metadata.csv | 2 +
...00-53-r5-12.1_mappings_metadata_object.csv | 2 +
...0-53-r5-12.1_mappings_navigator_layer.json | 2 +-
.../r4/parsed_nist800-53-r4-8.2_mappings.yaml | 8238 +++++++-------
...t800-53-r4-8.2_mappings_attack_objects.csv | 4120 +++++++
...ed_nist800-53-r4-8.2_mappings_metadata.csv | 2 +
...800-53-r4-8.2_mappings_metadata_object.csv | 2 +
...00-53-r4-8.2_mappings_navigator_layer.json | 2 +-
.../r5/parsed_nist800-53-r5-8.2_mappings.yaml | 8382 +++++++-------
...t800-53-r5-8.2_mappings_attack_objects.csv | 4192 +++++++
...ed_nist800-53-r5-8.2_mappings_metadata.csv | 2 +
...800-53-r5-8.2_mappings_metadata_object.csv | 2 +
...00-53-r5-8.2_mappings_navigator_layer.json | 2 +-
.../r4/parsed_nist800-53-r4-9.0_mappings.yaml | 8656 +++++++--------
...t800-53-r4-9.0_mappings_attack_objects.csv | 4329 ++++++++
...ed_nist800-53-r4-9.0_mappings_metadata.csv | 2 +
...800-53-r4-9.0_mappings_metadata_object.csv | 2 +
...00-53-r4-9.0_mappings_navigator_layer.json | 2 +-
.../r5/parsed_nist800-53-r5-9.0_mappings.yaml | 8756 +++++++--------
...t800-53-r5-9.0_mappings_attack_objects.csv | 4379 ++++++++
...ed_nist800-53-r5-9.0_mappings_metadata.csv | 2 +
...800-53-r5-9.0_mappings_metadata_object.csv | 2 +
...00-53-r5-9.0_mappings_navigator_layer.json | 2 +-
.../AWS/parsed_security_stack_mappings.yaml | 4605 +++++++-
...security_stack_mappings_attack-objects.csv | 976 +-
...security_stack_mappings_attack_objects.csv | 821 ++
...arsed_security_stack_mappings_metadata.csv | 2 +
...curity_stack_mappings_navigator_layer.json | 2 +-
.../Azure/parsed_security_stack_mappings.yaml | 8213 +++++++++++++-
...security_stack_mappings_attack-objects.csv | 1922 ++--
...security_stack_mappings_attack_objects.csv | 1476 +++
...arsed_security_stack_mappings_metadata.csv | 2 +
...curity_stack_mappings_navigator_layer.json | 2 +-
.../GCP/parsed_security_stack_mappings.yaml | 864 +-
...security_stack_mappings_attack-objects.csv | 864 +-
...security_stack_mappings_attack_objects.csv | 904 ++
...arsed_security_stack_mappings_metadata.csv | 2 +
.../parsed_veris_mappings_attack_objects.csv | 914 ++
.../1.3.5/parsed_veris_mappings_metadata.csv | 2 +
.../parsed_veris_mappings_attack_objects.csv | 1093 ++
.../1.3.7/parsed_veris_mappings_metadata.csv | 2 +
.../cli/mapex/write_parsed_mappings.py | 8 +-
.../cli/mapex_convert/parse_nist_mappings.py | 2 +-
.../r4/parsed_nist800-53-r4-10_1mappings.json | 2 +-
.../r5/parsed_nist800-53-r5-10_1mappings.json | 2 +-
.../r4/parsed_nist800-53-r4-12_1mappings.json | 2 +-
.../r5/parsed_nist800-53-r5-12_1mappings.json | 2 +-
.../r4/parsed_nist800-53-r4-8_2mappings.json | 2 +-
.../r5/parsed_nist800-53-r5-8_2mappings.json | 2 +-
.../r4/parsed_nist800-53-r4-9_0mappings.json | 2 +-
.../r5/parsed_nist800-53-r5-9_0mappings.json | 2 +-
.../security_stack/AWS/parsed_AWS.json | 2 +-
.../security_stack/Azure/parsed_Azure.json | 2 +-
.../security_stack/GCP/parsed_GCP.json | 2 +-
.../expected_cve_results_attack_objects.csv | 10 +-
...expected_cve_results_mapping_platforms.csv | 5 -
.../csv/cve/expected_cve_results_metadata.csv | 5 +-
.../expected_nist_results_attack_objects.csv | 6 +-
...xpected_nist_results_mapping_platforms.csv | 3 -
.../nist/expected_nist_results_metadata.csv | 5 +-
..._security_stack_results_attack_objects.csv | 20 +-
...curity_stack_results_mapping_platforms.csv | 5 -
...pected_security_stack_results_metadata.csv | 5 +-
.../expected_veris_results_attack_objects.csv | 8 +-
...pected_veris_results_mapping_platforms.csv | 4 -
.../veris/expected_veris_results_metadata.csv | 6 +-
.../expected_results/expected_results_json.py | 595 +-
.../expected_results_navigator_layer.py | 110 +
.../security_stack/AWS_attack-objects.csv | 5 -
.../security_stack/AWS_attack_objects.csv | 15 +
.../security_stack/AWS_mapping-platforms.csv | 5 -
tests/files/security_stack/AWS_metadata.csv | 5 +-
tests/parsers.py | 60 +
tests/{test_cli.py => test_mapex_cli.py} | 264 +-
tests/test_mapex_convert_cli.py | 87 +
94 files changed, 94927 insertions(+), 39534 deletions(-)
create mode 100644 src/mappings_explorer/cli/mapex/cve_files/parsed_cve_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/cve_files/parsed_cve_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_metadata_object.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_metadata_object.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_metadata_object.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_metadata_object.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_metadata_object.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_metadata_object.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_metadata_object.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_metadata_object.csv
create mode 100644 src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/veris_files/1.3.5/parsed_veris_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/veris_files/1.3.5/parsed_veris_mappings_metadata.csv
create mode 100644 src/mappings_explorer/cli/mapex/veris_files/1.3.7/parsed_veris_mappings_attack_objects.csv
create mode 100644 src/mappings_explorer/cli/mapex/veris_files/1.3.7/parsed_veris_mappings_metadata.csv
delete mode 100644 tests/expected_results/csv/cve/expected_cve_results_mapping_platforms.csv
delete mode 100644 tests/expected_results/csv/nist/expected_nist_results_mapping_platforms.csv
delete mode 100644 tests/expected_results/csv/security_stack/expected_security_stack_results_mapping_platforms.csv
delete mode 100644 tests/expected_results/csv/veris/expected_veris_results_mapping_platforms.csv
create mode 100644 tests/expected_results/expected_results_navigator_layer.py
delete mode 100644 tests/files/security_stack/AWS_attack-objects.csv
create mode 100644 tests/files/security_stack/AWS_attack_objects.csv
delete mode 100644 tests/files/security_stack/AWS_mapping-platforms.csv
create mode 100644 tests/parsers.py
rename tests/{test_cli.py => test_mapex_cli.py} (58%)
create mode 100644 tests/test_mapex_convert_cli.py
diff --git a/src/mappings_explorer/cli/mapex/cve_files/parsed_cve_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/cve_files/parsed_cve_mappings_attack_objects.csv
new file mode 100644
index 00000000..e1b5194c
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/cve_files/parsed_cve_mappings_attack_objects.csv
@@ -0,0 +1,1706 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-15243,Primary Impact,0 +1,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-15243,Exploitation Technique,0 +2,,T1078,Valid Accounts,[],[],,CVE-2019-15243,Exploitation Technique,0 +3,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-15976,Primary Impact,0 +4,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-15976,Secondary Impact,0 +5,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-15976,Exploitation Technique,0 +6,,T1499,Endpoint Denial of Service,[],[],,CVE-2019-15956,Primary Impact,0 +7,,T1098,Account Manipulation,[],[],,CVE-2019-15956,Primary Impact,0 +8,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-15956,Exploitation Technique,0 +9,,T1078,Valid Accounts,[],[],,CVE-2019-15956,Exploitation Technique,0 +10,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-15958,Primary Impact,0 +11,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-15958,Exploitation Technique,0 +12,,T1574,Hijack Execution Flow,[],[],,CVE-2019-12660,Primary Impact,0 +13,,T1562,Impair Defenses,[],[],,CVE-2019-12660,Secondary Impact,0 +14,,T1078,Valid Accounts,[],[],,CVE-2019-12660,Exploitation Technique,0 +15,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1753,Primary Impact,0 +16,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1753,Secondary Impact,0 +17,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1753,Exploitation Technique,0 +18,,T1078,Valid Accounts,[],[],,CVE-2019-1753,Exploitation Technique,0 +19,,T1557,Man-in-the-Middle,[],[],,CVE-2019-1860,Primary Impact,0 +20,,T1005,Data from Local System,[],[],,CVE-2019-1860,Secondary Impact,0 +21,,T1036,Masquerading,[],[],,CVE-2019-1831,Primary Impact,0 +22,,T1566,Phishing,[],[],,CVE-2019-1831,Secondary Impact,0 +23,,T1059,Command and Scripting 
Interpreter,[],[],,CVE-2019-1942,Primary Impact,0 +24,,T1005,Data from Local System,[],[],,CVE-2019-1942,Secondary Impact,0 +25,,T1565.001,Stored Data Manipulation,[],[],,CVE-2019-1942,Secondary Impact,0 +26,,T1133,External Remote Services,[],[],,CVE-2019-1942,Exploitation Technique,0 +27,,T1078,Valid Accounts,[],[],,CVE-2019-1942,Exploitation Technique,0 +28,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-15972,Primary Impact,0 +29,,T1005,Data from Local System,[],[],,CVE-2019-15972,Secondary Impact,0 +30,,T1565.001,Stored Data Manipulation,[],[],,CVE-2019-15972,Secondary Impact,0 +31,,T1133,External Remote Services,[],[],,CVE-2019-15972,Exploitation Technique,0 +32,,T1078,Valid Accounts,[],[],,CVE-2019-15972,Exploitation Technique,0 +33,,T1608,Stage Capabilities,[],[],,CVE-2019-16009,Primary Impact,0 +34,,T1204.001,Malicious Link,[],[],,CVE-2019-16009,Exploitation Technique,0 +35,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1879,Primary Impact,0 +36,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1879,Secondary Impact,0 +37,,T1078,Valid Accounts,[],[],,CVE-2019-1879,Exploitation Technique,0 +38,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1863,Primary Impact,0 +39,,T1565.001,Stored Data Manipulation,[],[],,CVE-2019-1863,Secondary Impact,0 +40,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1863,Exploitation Technique,0 +41,,T1078,Valid Accounts,[],[],,CVE-2019-1863,Exploitation Technique,0 +42,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-3403,Primary Impact,0 +43,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-3403,Secondary Impact,0 +44,,T1078,Valid Accounts,[],[],,CVE-2020-3403,Exploitation Technique,0 +45,,T1059.007,JavaScript,[],[],,CVE-2019-1941,Primary Impact,0 +46,,T1557,Man-in-the-Middle,[],[],,CVE-2019-1941,Secondary Impact,0 +47,,T1204.001,Malicious Link,[],[],,CVE-2019-1941,Exploitation Technique,0 +48,,T1499.004,Application or System 
Exploitation,[],[],,CVE-2020-3292,Primary Impact,0 +49,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-3292,Secondary Impact,0 +50,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3292,Exploitation Technique,0 +51,,T1078,Valid Accounts,[],[],,CVE-2020-3292,Exploitation Technique,0 +52,,T1529,System Shutdown/Reboot,[],[],,CVE-2018-15397,Primary Impact,0 +53,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-15397,Exploitation Technique,0 +54,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-3253,Primary Impact,0 +55,,T1078,Valid Accounts,[],[],,CVE-2020-3253,Exploitation Technique,0 +56,,T1059.007,JavaScript,[],[],,CVE-2019-1838,Primary Impact,0 +57,,T1557,Man-in-the-Middle,[],[],,CVE-2019-1838,Secondary Impact,0 +58,,T1204.001,Malicious Link,[],[],,CVE-2019-1838,Exploitation Technique,0 +59,,T1059.007,JavaScript,[],[],,CVE-2020-3233,Primary Impact,0 +60,,T1557,Man-in-the-Middle,[],[],,CVE-2020-3233,Secondary Impact,0 +61,,T1204.001,Malicious Link,[],[],,CVE-2020-3233,Exploitation Technique,0 +62,,T1608,Stage Capabilities,[],[],,CVE-2018-15401,Primary Impact,0 +63,,T1204.001,Malicious Link,[],[],,CVE-2018-15401,Exploitation Technique,0 +64,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-15249,Primary Impact,0 +65,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-15249,Exploitation Technique,0 +66,,T1078,Valid Accounts,[],[],,CVE-2019-15249,Exploitation Technique,0 +67,,T1059.007,JavaScript,[],[],,CVE-2019-15280,Primary Impact,0 +68,,T1557,Man-in-the-Middle,[],[],,CVE-2019-15280,Secondary Impact,0 +69,,T1189,Drive-by Compromise,[],[],,CVE-2019-15280,Exploitation Technique,0 +70,,T1608,Stage Capabilities,[],[],,CVE-2019-15288,Primary Impact,0 +71,,T1133,External Remote Services,[],[],,CVE-2019-15288,Exploitation Technique,0 +72,,T1078,Valid Accounts,[],[],,CVE-2019-15288,Exploitation Technique,0 +73,,T1608,Stage Capabilities,[],[],,CVE-2019-1781,Primary Impact,0 +74,,T1059,Command and Scripting 
Interpreter,[],[],,CVE-2019-1781,Secondary Impact,0 +75,,T1078,Valid Accounts,[],[],,CVE-2019-1781,Exploitation Technique,0 +76,,T1565.002,Transmitted Data Manipulation,[],[],,CVE-2020-3460,Primary Impact,0 +77,,T1185,Man in the Browser,[],[],,CVE-2020-3460,Secondary Impact,0 +78,,T1059.007,JavaScript,[],[],,CVE-2020-3137,Primary Impact,0 +79,,T1557,Man-in-the-Middle,[],[],,CVE-2020-3137,Secondary Impact,0 +80,,T1204.001,Malicious Link,[],[],,CVE-2020-3137,Exploitation Technique,0 +81,,T1005,Data from Local System,[],[],,CVE-2020-3312,Primary Impact,0 +82,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3312,Exploitation Technique,0 +83,,T1608,Stage Capabilities,[],[],,CVE-2019-1768,Primary Impact,0 +84,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1768,Secondary Impact,0 +85,,T1078,Valid Accounts,[],[],,CVE-2019-1768,Exploitation Technique,0 +86,,T1608,Stage Capabilities,[],[],,CVE-2020-3379,Primary Impact,0 +87,,T1078,Valid Accounts,[],[],,CVE-2020-3379,Exploitation Technique,0 +88,,T1563,Remote Service Session Hijacking,[],[],,CVE-2019-1724,Primary Impact,0 +89,,T1529,System Shutdown/Reboot,[],[],,CVE-2019-1817,Primary Impact,0 +90,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1817,Exploitation Technique,0 +91,,T1005,Data from Local System,[],[],,CVE-2020-3477,Primary Impact,0 +92,,T1078,Valid Accounts,[],[],,CVE-2020-3477,Exploitation Technique,0 +93,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CVE-2019-1794,Primary Impact,0 +94,,T1078,Valid Accounts,[],[],,CVE-2019-1794,Exploitation Technique,0 +95,,T1105,Ingress Tool Transfer,[],[],,CVE-2019-1620,Primary Impact,0 +96,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1620,Secondary Impact,0 +97,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-3216,Primary Impact,0 +98,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-3216,Secondary Impact,0 +99,,T1499,Endpoint Denial of Service,[],[],,CVE-2020-3306,Primary Impact,0 +100,,T1190,Exploit 
Public-Facing Application,[],[],,CVE-2020-3306,Exploitation Technique,0 +101,,T1489,Service Stop,[],[],,CVE-2019-1886,Primary Impact,0 +102,,T1489,Service Stop,[],[],,CVE-2019-1711,Primary Impact,0 +103,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-3375,Primary Impact,0 +104,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3375,Exploitation Technique,0 +105,,T1608,Stage Capabilities,[],[],,CVE-2019-1857,Primary Impact,0 +106,,T1204.001,Malicious Link,[],[],,CVE-2019-1857,Exploitation Technique,0 +107,,T1499.002,Service Exhaustion Flood,[],[],,CVE-2019-1703,Primary Impact,0 +108,,T1005,Data from Local System,[],[],,CVE-2019-15963,Primary Impact,0 +109,,T1078,Valid Accounts,[],[],,CVE-2019-15963,Exploitation Technique,0 +110,,T1105,Ingress Tool Transfer,[],[],,CVE-2019-1689,Primary Impact,0 +111,,T1565.001,Stored Data Manipulation,[],[],,CVE-2019-1689,Secondary Impact,0 +112,,T1531,Account Access Removal,[],[],,CVE-2019-1689,Secondary Impact,0 +113,,T1565.001,Stored Data Manipulation,[],[],,CVE-2020-3476,Primary Impact,0 +114,,T1078,Valid Accounts,[],[],,CVE-2020-3476,Exploitation Technique,0 +115,,T1608,Stage Capabilities,[],[],,CVE-2018-15466,Primary Impact,0 +116,,T1005,Data from Local System,[],[],,CVE-2018-15466,Secondary Impact,0 +117,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-15287,Primary Impact,0 +118,,T1204.002,Malicious File,[],[],,CVE-2019-15287,Exploitation Technique,0 +119,,T1133,External Remote Services,[],[],,CVE-2019-15998,Primary Impact,0 +120,,T1078,Valid Accounts,[],[],,CVE-2019-15998,Exploitation Technique,0 +121,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1889,Primary Impact,0 +122,,T1078,Valid Accounts,[],[],,CVE-2019-1889,Exploitation Technique,0 +123,,T1489,Service Stop,[],[],,CVE-2020-3134,Primary Impact,0 +124,,T1542.001,System Firmware,[],[],,CVE-2019-1736,Primary Impact,0 +125,,T1499,Endpoint Denial of Service,[],[],,CVE-2020-3120,Primary Impact,0 +126,,T1068,Exploitation for Privilege 
Escalation,[],[],,CVE-2019-1764,Primary Impact,0 +127,,T1204.001,Malicious Link,[],[],,CVE-2019-1764,Exploitation Technique,0 +128,,T1565.002,Transmitted Data Manipulation,[],[],,CVE-2019-1943,Primary Impact,0 +129,,T1189,Drive-by Compromise,[],[],,CVE-2019-1943,Secondary Impact,0 +130,,T1557,Man-in-the-Middle,[],[],,CVE-2019-1943,Exploitation Technique,0 +131,,T1059.007,JavaScript,[],[],,CVE-2019-1665,Primary Impact,0 +132,,T1557,Man-in-the-Middle,[],[],,CVE-2019-1665,Secondary Impact,0 +133,,T1204.001,Malicious Link,[],[],,CVE-2019-1665,Exploitation Technique,0 +134,,T1059.007,JavaScript,[],[],,CVE-2019-15994,Primary Impact,0 +135,,T1557,Man-in-the-Middle,[],[],,CVE-2019-15994,Secondary Impact,0 +136,,T1204.001,Malicious Link,[],[],,CVE-2019-15994,Exploitation Technique,0 +137,,T1477,Exploit via Radio Interfaces,[],[],,CVE-2019-1747,Primary Impact,0 +138,,T1489,Service Stop,[],[],,CVE-2019-1747,Secondary Impact,0 +139,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-15959,Primary Impact,0 +140,,T1091,Replication Through Removable Media,[],[],,CVE-2019-15959,Exploitation Technique,0 +141,,T1565.002,Transmitted Data Manipulation,[],[],,CVE-2019-15974,Primary Impact,0 +142,,T1189,Drive-by Compromise,[],[],,CVE-2019-15974,Secondary Impact,0 +143,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1772,Primary Impact,0 +144,,T1566,Phishing,[],[],,CVE-2019-1772,Exploitation Technique,0 +145,,T1204.002,Malicious File,[],[],,CVE-2019-1772,Exploitation Technique,0 +146,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3133,Primary Impact,0 +147,,T1566.001,Spearphishing Attachment,[],[],,CVE-2020-3133,Exploitation Technique,0 +148,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-12696,Primary Impact,0 +149,,T1204.002,Malicious File,[],[],,CVE-2019-12696,Exploitation Technique,0 +150,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-3387,Primary Impact,0 +151,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3387,Exploitation 
Technique,0 +152,,T1133,External Remote Services,[],[],,CVE-2020-3387,Exploitation Technique,0 +153,,T1059.007,JavaScript,[],[],,CVE-2018-15393,Primary Impact,0 +154,,T1557,Man-in-the-Middle,[],[],,CVE-2018-15393,Secondary Impact,0 +155,,T1204.001,Malicious Link,[],[],,CVE-2018-15393,Exploitation Technique,0 +156,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-1594,Primary Impact,0 +157,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1594,Exploitation Technique,0 +158,,T1565.001,Stored Data Manipulation,[],[],,CVE-2020-3440,Primary Impact,0 +159,,T1566,Phishing,[],[],,CVE-2020-3440,Exploitation Technique,0 +160,,T1204.002,Malicious File,[],[],,CVE-2020-3440,Exploitation Technique,0 +161,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1876,Primary Impact,0 +162,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1876,Secondary Impact,0 +163,,T1059.007,JavaScript,[],[],,CVE-2020-3121,Primary Impact,0 +164,,T1557,Man-in-the-Middle,[],[],,CVE-2020-3121,Secondary Impact,0 +165,,T1204.001,Malicious Link,[],[],,CVE-2020-3121,Exploitation Technique,0 +166,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1612,Primary Impact,0 +167,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1612,Secondary Impact,0 +168,,T1078,Valid Accounts,[],[],,CVE-2019-1612,Exploitation Technique,0 +169,,T1133,External Remote Services,[],[],,CVE-2019-1612,Exploitation Technique,0 +170,,T1078,Valid Accounts,[],[],,CVE-2019-1715,Primary Impact,0 +171,,T1557,Man-in-the-Middle,[],[],,CVE-2019-1715,Primary Impact,0 +172,,T1040,Network Sniffing,[],[],,CVE-2019-1715,Primary Impact,0 +173,,T1110,Brute Force,[],[],,CVE-2019-1715,Exploitation Technique,0 +174,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1609,Primary Impact,0 +175,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1609,Secondary Impact,0 +176,,T1078,Valid Accounts,[],[],,CVE-2019-1609,Exploitation Technique,0 +177,,T1565.001,Stored Data 
Manipulation,[],[],,CVE-2019-1836,Primary Impact,0 +178,,T1133,External Remote Services,[],[],,CVE-2019-1836,Exploitation Technique,0 +179,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-15289,Primary Impact,0 +180,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-15289,Exploitation Technique,0 +181,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-15444,Primary Impact,0 +182,,T1005,Data from Local System,[],[],,CVE-2018-15444,Secondary Impact,0 +183,,T1133,External Remote Services,[],[],,CVE-2018-15444,Exploitation Technique,0 +184,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1611,Primary Impact,0 +185,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1611,Secondary Impact,0 +186,,T1078,Valid Accounts,[],[],,CVE-2019-1611,Exploitation Technique,0 +187,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-3407,Primary Impact,0 +188,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3407,Exploitation Technique,0 +189,,T1565.001,Stored Data Manipulation,[],[],,CVE-2020-3237,Primary Impact,0 +190,,T1133,External Remote Services,[],[],,CVE-2020-3237,Exploitation Technique,0 +191,,T1574,Hijack Execution Flow,[],[],,CVE-2018-15376,Primary Impact,0 +192,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-15376,Primary Impact,0 +193,,T1566,Phishing,[],[],,CVE-2018-15376,Exploitation Technique,0 +194,,T1091,Replication Through Removable Media,[],[],,CVE-2018-15376,Exploitation Technique,0 +195,,T1204.002,Malicious File,[],[],,CVE-2018-15376,Exploitation Technique,0 +196,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-15276,Primary Impact,0 +197,,T1189,Drive-by Compromise,[],[],,CVE-2019-15276,Exploitation Technique,0 +198,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-15276,Exploitation Technique,0 +199,,T1566,Phishing,[],[],,CVE-2019-15276,Exploitation Technique,0 +200,,T1542.004,ROMMONkit,[],[],,CVE-2020-3416,Primary Impact,0 +201,,T1078,Valid 
Accounts,[],[],,CVE-2020-3416,Exploitation Technique,0 +202,,T1080,Taint Shared Content,[],[],,CVE-2020-3126,Primary Impact,0 +203,,T1204.002,Malicious File,[],[],,CVE-2020-3126,Primary Impact,0 +204,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3126,Exploitation Technique,0 +205,,T1059.007,JavaScript,[],[],,CVE-2020-3356,Primary Impact,0 +206,,T1557,Man-in-the-Middle,[],[],,CVE-2020-3356,Secondary Impact,0 +207,,T1204.001,Malicious Link,[],[],,CVE-2020-3356,Exploitation Technique,0 +208,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1915,Primary Impact,0 +209,,T1098,Account Manipulation,[],[],,CVE-2019-1915,Secondary Impact,0 +210,,T1189,Drive-by Compromise,[],[],,CVE-2019-1915,Exploitation Technique,0 +211,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1915,Exploitation Technique,0 +212,,T1566,Phishing,[],[],,CVE-2019-1915,Exploitation Technique,0 +213,,T1204.002,Malicious File,[],[],,CVE-2019-1915,Exploitation Technique,0 +214,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-1746,Primary Impact,0 +215,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1746,Exploitation Technique,0 +216,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-3397,Primary Impact,0 +217,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3397,Exploitation Technique,0 +218,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1812,Primary Impact,0 +219,,T1548,Abuse Elevation Control Mechanism,[],[],,CVE-2019-1812,Secondary Impact,0 +220,,T1078,Valid Accounts,[],[],,CVE-2019-1812,Exploitation Technique,0 +221,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-3322,Primary Impact,0 +222,,T1566,Phishing,[],[],,CVE-2020-3322,Exploitation Technique,0 +223,,T1204.002,Malicious File,[],[],,CVE-2020-3322,Exploitation Technique,0 +224,,T1574,Hijack Execution Flow,[],[],,CVE-2020-3198,Primary Impact,0 +225,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-3198,Primary Impact,0 +226,,T1189,Drive-by 
Compromise,[],[],,CVE-2020-3198,Exploitation Technique,0 +227,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3198,Exploitation Technique,0 +228,,T1133,External Remote Services,[],[],,CVE-2020-3198,Exploitation Technique,0 +229,,T1566,Phishing,[],[],,CVE-2020-3198,Exploitation Technique,0 +230,,T1204.002,Malicious File,[],[],,CVE-2020-3198,Exploitation Technique,0 +231,,T1091,Replication Through Removable Media,[],[],,CVE-2020-3198,Exploitation Technique,0 +232,,T1574,Hijack Execution Flow,[],[],,CVE-2020-3309,Primary Impact,0 +233,,T1565.001,Stored Data Manipulation,[],[],,CVE-2020-3309,Secondary Impact,0 +234,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3309,Exploitation Technique,0 +235,,T1133,External Remote Services,[],[],,CVE-2020-3309,Exploitation Technique,0 +236,,T1005,Data from Local System,[],[],,CVE-2020-3177,Primary Impact,0 +237,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3177,Exploitation Technique,0 +238,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-3510,Primary Impact,0 +239,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3510,Exploitation Technique,0 +240,,T1542.004,ROMMONkit,[],[],,CVE-2020-3513,Primary Impact,0 +241,,T1078,Valid Accounts,[],[],,CVE-2020-3513,Exploitation Technique,0 +242,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-3409,Primary Impact,0 +243,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3409,Exploitation Technique,0 +244,,T1059.007,JavaScript,[],[],,CVE-2020-3349,Primary Impact,0 +245,,T1557,Man-in-the-Middle,[],[],,CVE-2020-3349,Secondary Impact,0 +246,,T1204.001,Malicious Link,[],[],,CVE-2020-3349,Exploitation Technique,0 +247,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-15392,Primary Impact,0 +248,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-15392,Exploitation Technique,0 +249,,T1499,Endpoint Denial of Service,[],[],,CVE-2018-15462,Primary Impact,0 +250,,T1190,Exploit Public-Facing 
Application,[],[],,CVE-2018-15462,Exploitation Technique,0 +251,,T1499,Endpoint Denial of Service,[],[],,CVE-2019-1704,Primary Impact,0 +252,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1704,Exploitation Technique,0 +253,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2020-3244,Primary Impact,0 +254,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-3244,Exploitation Technique,0 +255,,T1005,Data from Local System,[],[],,CVE-2020-3240,Primary Impact,0 +256,,T1505.003,Web Shell,[],[],,CVE-2020-3240,Primary Impact,0 +257,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CVE-2020-3240,Secondary Impact,0 +258,,T1552.001,Credentials In Files,[],[],,CVE-2020-3240,Secondary Impact,0 +259,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-3240,Secondary Impact,0 +260,,T1133,External Remote Services,[],[],,CVE-2020-3240,Exploitation Technique,0 +261,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1790,Primary Impact,0 +262,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1790,Secondary Impact,0 +263,,T1078,Valid Accounts,[],[],,CVE-2019-1790,Exploitation Technique,0 +264,,T1078.001,Default Accounts,[],[],,CVE-2020-5364,Primary Impact,0 +265,,T1005,Data from Local System,[],[],,CVE-2020-5364,Secondary Impact,0 +266,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-3707,Primary Impact,0 +267,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-3735,Primary Impact,0 +268,,T1078,Valid Accounts,[],[],,CVE-2019-3735,Exploitation Technique,0 +269,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-11048,Primary Impact,0 +270,,T1005,Data from Local System,[],[],,CVE-2018-11048,Secondary Impact,0 +271,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-11048,Secondary Impact,0 +272,,T1133,External Remote Services,[],[],,CVE-2018-11048,Exploitation Technique,0 +273,,T1059.007,JavaScript,[],[],,CVE-2019-3754,Primary Impact,0 +274,,T1557,Man-in-the-Middle,[],[],,CVE-2019-3754,Secondary Impact,0 
+275,,T1204.001,Malicious Link,[],[],,CVE-2019-3754,Exploitation Technique,0 +276,,T1078.001,Default Accounts,[],[],,CVE-2020-5374,Primary Impact,0 +277,,T1078.001,Default Accounts,[],[],,CVE-2018-15771,Primary Impact,0 +278,,T1005,Data from Local System,[],[],,CVE-2018-15771,Secondary Impact,0 +279,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-15782,Primary Impact,0 +280,,T1566,Phishing,[],[],,CVE-2018-15782,Exploitation Technique,0 +281,,T1204.002,Malicious File,[],[],,CVE-2018-15782,Exploitation Technique,0 +282,,T1485,Data Destruction,[],[],,CVE-2019-3723,Primary Impact,0 +283,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-3723,Secondary Impact,0 +284,,T1574,Hijack Execution Flow,[],[],,CVE-2019-3723,Secondary Impact,0 +285,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-3723,Exploitation Technique,0 +286,,T1078,Valid Accounts,[],[],,CVE-2018-11045,Primary Impact,0 +287,,T1110,Brute Force,[],[],,CVE-2018-11045,Exploitation Technique,0 +288,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-5345,Primary Impact,0 +289,,T1565.001,Stored Data Manipulation,[],[],,CVE-2020-5345,Exploitation Technique,0 +290,,T1059.007,JavaScript,[],[],,CVE-2020-5336,Primary Impact,0 +291,,T1557,Man-in-the-Middle,[],[],,CVE-2020-5336,Secondary Impact,0 +292,,T1204.001,Malicious Link,[],[],,CVE-2020-5336,Exploitation Technique,0 +293,,T1078,Valid Accounts,[],[],,CVE-2018-15795,Primary Impact,0 +294,,T1110,Brute Force,[],[],,CVE-2018-15795,Exploitation Technique,0 +295,,T1078.001,Default Accounts,[],[],,CVE-2020-5365,Primary Impact,0 +296,,T1110,Brute Force,[],[],,CVE-2020-5365,Exploitation Technique,0 +297,,T1548,Abuse Elevation Control Mechanism,[],[],,CVE-2019-3717,Primary Impact,0 +298,,T1200,Hardware Additions,[],[],,CVE-2019-3717,Exploitation Technique,0 +299,,T1005,Data from Local System,[],[],,CVE-2019-3732,Primary Impact,0 +300,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-3732,Exploitation Technique,0 +301,,T1005,Data from 
Local System,[],[],,CVE-2019-3731,Primary Impact,0 +302,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-3731,Exploitation Technique,0 +303,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-5326,Primary Impact,0 +304,,T1542.001,System Firmware,[],[],,CVE-2020-5326,Secondary Impact,0 +305,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-15776,Primary Impact,0 +306,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-15776,Exploitation Technique,0 +307,,T1563,Remote Service Session Hijacking,[],[],,CVE-2019-18573,Primary Impact,0 +308,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-3727,Primary Impact,0 +309,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-3727,Secondary Impact,0 +310,,T1489,Service Stop,[],[],,CVE-2019-3728,Primary Impact,0 +311,,T1563,Remote Service Session Hijacking,[],[],,CVE-2019-3790,Primary Impact,0 +312,,T1078,Valid Accounts,[],[],,CVE-2019-3790,Exploitation Technique,0 +313,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-3719,Primary Impact,0 +314,,T1204.002,Malicious File,[],[],,CVE-2019-3719,Exploitation Technique,0 +315,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-15764,Primary Impact,0 +316,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-15764,Exploitation Technique,0 +317,,T1496,Resource Hijacking,[],[],,CVE-2018-11084,Primary Impact,0 +318,,T1059.007,JavaScript,[],[],,CVE-2020-5339,Primary Impact,0 +319,,T1185,Man in the Browser,[],[],,CVE-2020-5339,Secondary Impact,0 +320,,T1189,Drive-by Compromise,[],[],,CVE-2020-5339,Exploitation Technique,0 +321,,T1557,Man-in-the-Middle,[],[],,CVE-2018-15784,Primary Impact,0 +322,,T1005,Data from Local System,[],[],,CVE-2020-5386,Primary Impact,0 +323,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-3704,Primary Impact,0 +324,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-3704,Secondary Impact,0 +325,,T1078,Valid Accounts,[],[],,CVE-2019-3704,Exploitation Technique,0 +326,,T1005,Data from Local 
System,[],[],,CVE-2019-3799,Primary Impact,0 +327,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-3799,Exploitation Technique,0 +328,,T1059.007,JavaScript,[],[],,CVE-2019-18578,Primary Impact,0 +329,,T1185,Man in the Browser,[],[],,CVE-2019-18578,Secondary Impact,0 +330,,T1189,Drive-by Compromise,[],[],,CVE-2019-18578,Exploitation Technique,0 +331,,T1059.007,JavaScript,[],[],,CVE-2020-5340,Primary Impact,0 +332,,T1185,Man in the Browser,[],[],,CVE-2020-5340,Secondary Impact,0 +333,,T1189,Drive-by Compromise,[],[],,CVE-2020-5340,Exploitation Technique,0 +334,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-5358,Primary Impact,0 +335,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-5371,Primary Impact,0 +336,,T1005,Data from Local System,[],[],,CVE-2020-5371,Secondary Impact,0 +337,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-3758,Primary Impact,0 +338,,T1136,Create Account,[],[],,CVE-2019-3758,Secondary Impact,0 +339,,T1005,Data from Local System,[],[],,CVE-2018-11051,Primary Impact,0 +340,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-11051,Exploitation Technique,0 +341,,T1542.001,System Firmware,[],[],,CVE-2020-5378,Primary Impact,0 +342,,T1005,Data from Local System,[],[],,CVE-2019-3767,Primary Impact,0 +343,,T1078,Valid Accounts,[],[],,CVE-2018-15800,Primary Impact,0 +344,,T1110,Brute Force,[],[],,CVE-2018-15800,Exploitation Technique,0 +345,,T1059.007,JavaScript,[],[],,CVE-2018-11059,Primary Impact,0 +346,,T1185,Man in the Browser,[],[],,CVE-2018-11059,Secondary Impact,0 +347,,T1189,Drive-by Compromise,[],[],,CVE-2018-11059,Exploitation Technique,0 +348,,T1098,Account Manipulation,[],[],,CVE-2019-3775,Primary Impact,0 +349,,T1059.007,JavaScript,[],[],,CVE-2018-11075,Primary Impact,0 +350,,T1185,Man in the Browser,[],[],,CVE-2018-11075,Secondary Impact,0 +351,,T1204.002,Malicious File,[],[],,CVE-2018-11075,Exploitation Technique,0 +352,,T1542.001,System Firmware,[],[],,CVE-2020-5376,Primary Impact,0 
+353,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-15761,Primary Impact,0 +354,,T1078,Valid Accounts,[],[],,CVE-2018-15761,Exploitation Technique,0 +355,,T1552,Unsecured Credentials,[],[],,CVE-2019-3787,Primary Impact,0 +356,,T1078,Valid Accounts,[],[],,CVE-2019-3787,Secondary Impact,0 +357,,T1098,Account Manipulation,[],[],,CVE-2019-3787,Secondary Impact,0 +358,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-15797,Primary Impact,0 +359,,T1552,Unsecured Credentials,[],[],,CVE-2018-15797,Exploitation Technique,0 +360,,T1499,Endpoint Denial of Service,[],[],,CVE-2018-15772,Primary Impact,0 +361,,T1005,Data from Local System,[],[],,CVE-2020-5331,Primary Impact,0 +362,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-5362,Primary Impact,0 +363,,T1098,Account Manipulation,[],[],,CVE-2020-5362,Secondary Impact,0 +364,,T1059.007,JavaScript,[],[],,CVE-2019-18571,Primary Impact,0 +365,,T1185,Man in the Browser,[],[],,CVE-2019-18571,Secondary Impact,0 +366,,T1204.002,Malicious File,[],[],,CVE-2019-18571,Exploitation Technique,0 +367,,T1552.001,Credentials In Files,[],[],,CVE-2019-3782,Primary Impact,0 +368,,T1098,Account Manipulation,[],[],,CVE-2019-3782,Secondary Impact,0 +369,,T1542.001,System Firmware,[],[],,CVE-2020-5379,Primary Impact,0 +370,,T1552,Unsecured Credentials,[],[],,CVE-2018-11088,Primary Impact,0 +371,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-11088,Secondary Impact,0 +372,,T1078.001,Default Accounts,[],[],,CVE-2018-11062,Primary Impact,0 +373,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-15758,Primary Impact,0 +374,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-15758,Exploitation Technique,0 +375,,T1552.001,Credentials In Files,[],[],,CVE-2019-3780,Primary Impact,0 +376,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-3780,Secondary Impact,0 +377,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-5369,Primary Impact,0 +378,,T1005,Data from Local 
System,[],[],,CVE-2020-5366,Primary Impact,0 +379,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-5366,Exploitation Technique,0 +380,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-3798,Primary Impact,0 +381,,T1136,Create Account,[],[],,CVE-2019-3798,Exploitation Technique,0 +382,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-5373,Primary Impact,0 +383,,T1005,Data from Local System,[],[],,CVE-2020-5373,Secondary Impact,0 +384,,T1036,Masquerading,[],[],,CVE-2019-3788,Secondary Impact,0 +385,,T1566.002,Spearphishing Link,[],[],,CVE-2019-3788,Exploitation Technique,0 +386,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-11060,Primary Impact,0 +387,,T1036,Masquerading,[],[],,CVE-2018-11067,Secondary Impact,0 +388,,T1566.002,Spearphishing Link,[],[],,CVE-2018-11067,Exploitation Technique,0 +389,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-5328,Secondary Impact,0 +390,,T1563,Remote Service Session Hijacking,[],[],,CVE-2019-3784,Primary Impact,0 +391,,T1553,Subvert Trust Controls,[],[],,CVE-2019-3762,Primary Impact,0 +392,,T1588.004,Digital Certificates,[],[],,CVE-2019-3762,Exploitation Technique,0 +393,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-18582,Primary Impact,0 +394,,T1574,Hijack Execution Flow,[],[],,CVE-2018-11049,Primary Impact,0 +395,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-5350,Primary Impact,0 +396,,T1098,Account Manipulation,[],[],,CVE-2020-5350,Secondary Impact,0 +397,,T1550.001,Application Access Token,[],[],,CVE-2018-15801,Secondary Impact,0 +398,,T1562,Impair Defenses,[],[],,CVE-2019-18581,Primary Impact,0 +399,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-18581,Secondary Impact,0 +400,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-5332,Primary Impact,0 +401,,T1036,Masquerading,[],[],,CVE-2019-3778,Secondary Impact,0 +402,,T1566.002,Spearphishing Link,[],[],,CVE-2019-3778,Exploitation Technique,0 +403,,T1068,Exploitation for Privilege 
Escalation,[],[],,CVE-2018-15774,Primary Impact,0 +404,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-15780,Primary Impact,0 +405,,T1005,Data from Local System,[],[],,CVE-2018-15780,Secondary Impact,0 +406,,T1005,Data from Local System,[],[],,CVE-2019-3786,Primary Impact,0 +407,,T1565.001,Stored Data Manipulation,[],[],,CVE-2019-3786,Exploitation Technique,0 +408,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-3706,Primary Impact,0 +409,,T1055.001,Dynamic-link Library Injection,[],[],,CVE-2018-11072,Primary Impact,0 +410,,T1059.007,JavaScript,[],[],,CVE-2018-11073,Primary Impact,0 +411,,T1185,Man in the Browser,[],[],,CVE-2018-11073,Secondary Impact,0 +412,,T1189,Drive-by Compromise,[],[],,CVE-2018-11073,Exploitation Technique,0 +413,,T1557,Man-in-the-Middle,[],[],,CVE-2018-11087,Primary Impact,0 +414,,T1059.007,JavaScript,[],[],,CVE-2019-3708,Primary Impact,0 +415,,T1185,Man in the Browser,[],[],,CVE-2019-3708,Secondary Impact,0 +416,,T1204.001,Malicious Link,[],[],,CVE-2019-3708,Exploitation Technique,0 +417,,T1548.003,Sudo and Sudo Caching,[],[],,CVE-2018-15767,Primary Impact,0 +418,,T1600,Weaken Encryption,[],[],,CVE-2018-11069,Primary Impact,0 +419,,T1110,Brute Force,[],[],,CVE-2018-11069,Exploitation Technique,0 +420,,T1552,Unsecured Credentials,[],[],,CVE-2019-3763,Primary Impact,0 +421,,T1078 ,Valid Accounts,[],[],,CVE-2019-3763,Secondary Impact,0 +422,,T1485,Data Destruction,[],[],,CVE-2019-3750,Primary Impact,0 +423,,T1552,Unsecured Credentials,[],[],,CVE-2020-15105,Primary Impact,0 +424,,T1078 ,Valid Accounts,[],[],,CVE-2020-15105,Secondary Impact,0 +425,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15188,Primary Impact,0 +426,,T1133,External Remote Services,[],[],,CVE-2020-15188,Exploitation Technique,0 +427,,T1036,Masquerading,[],[],,CVE-2020-5250,Primary Impact,0 +428,,T1478,Install Insecure or Malicious Configuration,[],[],,CVE-2020-5250,Secondary Impact,0 +429,,T1005,Data from Local System,[],[],,CVE-2019-16768,Primary 
Impact,0 +430,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15147,Primary Impact,0 +431,,T1133,External Remote Services,[],[],,CVE-2020-15147,Exploitation Technique,0 +432,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15118,Primary Impact,0 +433,,T1185,Man in the Browser,[],[],,CVE-2020-15118,Secondary Impact,0 +434,,T1574,Hijack Execution Flow,[],[],,CVE-2020-5210,Primary Impact,0 +435,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-5210,Primary Impact,0 +436,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-11055,Primary Impact,0 +437,,T1185,Man in the Browser,[],[],,CVE-2020-11055,Secondary Impact,0 +438,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-5283,Primary Impact,0 +439,,T1185,Man in the Browser,[],[],,CVE-2020-5283,Secondary Impact,0 +440,,T1574,Hijack Execution Flow,[],[],,CVE-2020-15211,Primary Impact,0 +441,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-15211,Exploitation Technique,0 +442,,T1005,Data from Local System,[],[],,CVE-2020-5220,Primary Impact,0 +443,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-5220,Exploitation Technique,0 +444,,T1005,Data from Local System,[],[],,CVE-2020-11021,Primary Impact,0 +445,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11021,Exploitation Technique,0 +446,,T1059.007,JavaScript,[],[],,CVE-2020-5269,Primary Impact,0 +447,,T1557,Man-in-the-Middle,[],[],,CVE-2020-5269,Secondary Impact,0 +448,,T1204.001,Malicious Link,[],[],,CVE-2020-5269,Exploitation Technique,0 +449,,T1059.007,JavaScript,[],[],,CVE-2020-11030,Primary Impact,0 +450,,T1557,Man-in-the-Middle,[],[],,CVE-2020-11030,Secondary Impact,0 +451,,T1204.001,Malicious Link,[],[],,CVE-2020-11030,Exploitation Technique,0 +452,,T1059.007,JavaScript,[],[],,CVE-2020-11036,Primary Impact,0 +453,,T1185,Man in the Browser,[],[],,CVE-2020-11036,Secondary Impact,0 +454,,T1189,Drive-by Compromise,[],[],,CVE-2020-11036,Exploitation Technique,0 +455,,T1574,Hijack Execution 
Flow,[],[],,CVE-2020-15100,Primary Impact,0 +456,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-15100,Primary Impact,0 +457,,T1078,Valid Accounts,[],[],,CVE-2020-15100,Exploitation Technique,0 +458,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15094,Primary Impact,0 +459,,T1040,Network Sniffing,[],[],,CVE-2020-15094,Exploitation Technique,0 +460,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15140,Primary Impact,0 +461,,T1133,External Remote Services,[],[],,CVE-2020-15140,Exploitation Technique,0 +462,,T1005,Data from Local System,[],[],,CVE-2020-11087,Primary Impact,0 +463,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2020-11087,Secondary Impact,0 +464,,T1059.007,JavaScript,[],[],,CVE-2020-11023,Primary Impact,0 +465,,T1557,Man-in-the-Middle,[],[],,CVE-2020-11023,Secondary Impact,0 +466,,T1204.001,Malicious Link,[],[],,CVE-2020-11023,Exploitation Technique,0 +467,,T1563,Remote Service Session Hijacking,[],[],,CVE-2020-5290,Primary Impact,0 +468,,T1189,Drive-by Compromise,[],[],,CVE-2020-5290,Exploitation Technique,0 +469,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-11090,Primary Impact,0 +470,,T1036,Masquerading,[],[],,CVE-2020-5270,Secondary Impact,0 +471,,T1059.007,JavaScript,[],[],,CVE-2020-5270,Secondary Impact,0 +472,,T1557,Man-in-the-Middle,[],[],,CVE-2020-5270,Secondary Impact,0 +473,,T1005,Data from Local System,[],[],,CVE-2020-5270,Secondary Impact,0 +474,,T1566.002,Spearphishing Link,[],[],,CVE-2020-5270,Exploitation Technique,0 +475,,T1574,Hijack Execution Flow,[],[],,CVE-2020-5254,Primary Impact,0 +476,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-5254,Exploitation Technique,0 +477,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15096,Primary Impact,0 +478,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-15096,Exploitation Technique,0 +479,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11013,Primary Impact,0 +480,,T1552 ,Unsecured 
Credentials,[],[],,CVE-2020-15095,Primary Impact,0 +481,,T1036 ,Masquerading,[],[],,CVE-2020-15233,Secondary Impact,0 +482,,T1566.002,Spearphishing Link,[],[],,CVE-2020-15233,Exploitation Technique,0 +483,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-5252,Primary Impact,0 +484,,T1005,Data from Local System,[],[],,CVE-2020-11019,Primary Impact,0 +485,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-11019,Primary Impact,0 +486,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2020-11019,Secondary Impact,0 +487,,T1068 ,Exploitation for Privilege Escalation,[],[],,CVE-2020-15182,Primary Impact,0 +488,,T1204.001,Malicious Link,[],[],,CVE-2020-15182,Exploitation Technique,0 +489,,T1059.007,JavaScript,[],[],,CVE-2020-5264,Primary Impact,0 +490,,T1557,Man-in-the-Middle,[],[],,CVE-2020-5264,Secondary Impact,0 +491,,T1204.001,Malicious Link,[],[],,CVE-2020-5264,Exploitation Technique,0 +492,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11078,Primary Impact,0 +493,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11050,Primary Impact,0 +494,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-15170,Primary Impact,0 +495,,T1478 ,Install Insecure or Malicious Configuration,[],[],,CVE-2020-15170,Primary Impact,0 +496,,T1005 ,Data from Local System,[],[],,CVE-2020-5295,Primary Impact,0 +497,,T1133,External Remote Services,[],[],,CVE-2020-5295,Exploitation Technique,0 +498,,T1505.003,Web Shell,[],[],,CVE-2020-15189,Primary Impact,0 +499,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15189,Secondary Impact,0 +500,,T1133 ,External Remote Services,[],[],,CVE-2020-15189,Exploitation Technique,0 +501,,T1005,Data from Local System,[],[],,CVE-2020-15137,Primary Impact,0 +502,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-15137,Primary Impact,0 +503,,T1190 ,Exploit Public-Facing Application,[],[],,CVE-2020-15137,Exploitation Technique,0 +504,,T1078,Valid Accounts,[],[],,CVE-2020-11035,Primary Impact,0 
+505,,T1557,Man-in-the-Middle,[],[],,CVE-2020-11035,Primary Impact,0 +506,,T1040,Network Sniffing,[],[],,CVE-2020-11035,Primary Impact,0 +507,,T1110,Brute Force,[],[],,CVE-2020-11035,Exploitation Technique,0 +508,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-5217,Primary Impact,0 +509,,T1185,Man in the Browser,[],[],,CVE-2020-5217,Secondary Impact,0 +510,,T1190 ,Exploit Public-Facing Application,[],[],,CVE-2020-5261,Primary Impact,0 +511,,T1040,Network Sniffing,[],[],,CVE-2020-5261,Exploitation Technique,0 +512,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11054,Primary Impact,0 +513,,T1189,Drive-by Compromise,[],[],,CVE-2020-11054,Exploitation Technique,0 +514,,T1574,Hijack Execution Flow,[],[],,CVE-2020-4068,Primary Impact,0 +515,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-4068,Primary Impact,0 +516,,T1189,Drive-by Compromise,[],[],,CVE-2020-4068,Exploitation Technique,0 +517,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-4068,Exploitation Technique,0 +518,,T1133,External Remote Services,[],[],,CVE-2020-4068,Exploitation Technique,0 +519,,T1566,Phishing,[],[],,CVE-2020-4068,Exploitation Technique,0 +520,,T1204.002,Malicious File,[],[],,CVE-2020-4068,Exploitation Technique,0 +521,,T1091,Replication Through Removable Media,[],[],,CVE-2020-4068,Exploitation Technique,0 +522,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-15109,Primary Impact,0 +523,,T1565,Data Manipulation,[],[],,CVE-2020-15109,Secondary Impact,0 +524,,T1133,External Remote Services,[],[],,CVE-2020-15109,Exploitation Technique,0 +525,,T1059.007,JavaScript,[],[],,CVE-2020-11082,Primary Impact,0 +526,,T1557,Man-in-the-Middle,[],[],,CVE-2020-11082,Secondary Impact,0 +527,,T1204.001,Malicious Link,[],[],,CVE-2020-11082,Exploitation Technique,0 +528,,T1078,Valid Accounts,[],[],,CVE-2020-15093,Primary Impact,0 +529,,T1557,Man-in-the-Middle,[],[],,CVE-2020-15093,Primary Impact,0 +530,,T1040,Network Sniffing,[],[],,CVE-2020-15093,Primary Impact,0 
+531,,T1110,Brute Force,[],[],,CVE-2020-15093,Exploitation Technique,0 +532,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-5225,Primary Impact,0 +533,,T1565,Data Manipulation,[],[],,CVE-2020-5225,Secondary Impact,0 +534,,T1133,External Remote Services,[],[],,CVE-2020-5225,Exploitation Technique,0 +535,,T1059.007,JavaScript,[],[],,CVE-2020-5266,Primary Impact,0 +536,,T1557,Man-in-the-Middle,[],[],,CVE-2020-5266,Secondary Impact,0 +537,,T1189,Drive-by Compromise,[],[],,CVE-2020-5266,Exploitation Technique,0 +538,,T1574,Hijack Execution Flow,[],[],,CVE-2020-15208,Primary Impact,0 +539,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-15208,Primary Impact,0 +540,,T1059 ,Command and Scripting Interpreter,[],[],,CVE-2020-11010,Primary Impact,0 +541,,T1005,Data from Local System,[],[],,CVE-2020-11010,Secondary Impact,0 +542,,T1505.003,Web Shell,[],[],,CVE-2020-11010,Secondary Impact,0 +543,,T1136,Create Account,[],[],,CVE-2020-11010,Secondary Impact,0 +544,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11010,Secondary Impact,0 +545,,T1565.001,Stored Data Manipulation,[],[],,CVE-2020-11010,Secondary Impact,0 +546,,T1133,External Remote Services,[],[],,CVE-2020-11010,Exploitation Technique,0 +547,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-16784,Primary Impact,0 +548,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-16784,Primary Impact,0 +549,,T1059.006,Python,[],[],,CVE-2019-16784,Secondary Impact,0 +550,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15143,Primary Impact,0 +551,,T1133,External Remote Services,[],[],,CVE-2020-15143,Exploitation Technique,0 +552,,T1574,Hijack Execution Flow,[],[],,CVE-2020-11039,Primary Impact,0 +553,,T1005,Data from Local System,[],[],,CVE-2020-11039,Primary Impact,0 +554,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-11039,Primary Impact,0 +555,,T1574,Hijack Execution Flow,[],[],,CVE-2020-15199,Primary Impact,0 +556,,T1499.004,Application or System 
Exploitation,[],[],,CVE-2020-15199,Primary Impact,0 +557,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-16760,Primary Impact,0 +558,,T1478,Install Insecure or Malicious Configuration,[],[],,CVE-2019-16760,Secondary Impact,0 +559,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15179,Primary Impact,0 +560,,T1185,Man in the Browser,[],[],,CVE-2020-15179,Secondary Impact,0 +561,,T1059.007,JavaScript,[],[],,CVE-2020-5271,Primary Impact,0 +562,,T1557,Man-in-the-Middle,[],[],,CVE-2020-5271,Secondary Impact,0 +563,,T1204.001,Malicious Link,[],[],,CVE-2020-5271,Exploitation Technique,0 +564,,T1078.001,Default Accounts,[],[],,CVE-2020-5231,Primary Impact,0 +565,,T1136,Create Account,[],[],,CVE-2020-5231,Secondary Impact,0 +566,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-5279,Primary Impact,0 +567,,T1005,Data from Local System,[],[],,CVE-2020-11059,Primary Impact,0 +568,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15183,Primary Impact,0 +569,,T1185,Man in the Browser,[],[],,CVE-2020-15183,Secondary Impact,0 +570,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-11044,Primary Impact,0 +571,,T1005,Data from Local System,[],[],,CVE-2020-5284,Primary Impact,0 +572,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-15162,Primary Impact,0 +573,,T1185,Man in the Browser,[],[],,CVE-2020-15162,Secondary Impact,0 +574,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-11073,Primary Impact,0 +575,,T1204.002,Malicious File,[],[],,CVE-2020-11073,Exploitation Technique,0 +576,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-5267,Primary Impact,0 +577,,T1185,Man in the Browser,[],[],,CVE-2020-5267,Secondary Impact,0 +578,,T1574,Hijack Execution Flow,[],[],,CVE-2020-11068,Primary Impact,0 +579,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-11068,Primary Impact,0 +580,,T1505.003,Web Shell,[],[],,CVE-2020-5297,Primary Impact,0 +581,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-5297,Secondary 
Impact,0 +582,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-5241,Primary Impact,0 +583,,T1185,Man in the Browser,[],[],,CVE-2020-5241,Secondary Impact,0 +584,,T1574,Hijack Execution Flow,[],[],,CVE-2020-5253,Primary Impact,0 +585,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-5253,Primary Impact,0 +586,,T1478,Install Insecure or Malicious Configuration,[],[],,CVE-2020-5253,Exploitation Technique,0 +587,,T1589,Gather Victim Identity Information,[],[],,CVE-2020-15132,Primary Impact,0 +588,,T1563,Remote Service Session Hijacking,[],[],,CVE-2019-16782,Primary Impact,0 +589,,T1110,Brute Force,[],[],,CVE-2019-16782,Exploitation Technique,0 +590,,T1005,Data from Local System,[],[],,CVE-2020-11045,Primary Impact,0 +591,,T1185,Man in the Browser,[],[],,CVE-2020-11083,Secondary Impact,0 +592,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-5281,Primary Impact,0 +593,,T0814,Denial of Service,[],[],,CVE-2020-6986,Primary Impact,0 +594,,T1499,Endpoint Denial of Service,[],[],,CVE-2020-6986,Primary Impact,0 +595,,T1036,Masquerading,[],[],,CVE-2018-17934,Secondary Impact,0 +596,,T1005,Data from Local System,[],[],,CVE-2018-17934,Secondary Impact,0 +597,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-17934,Secondary Impact,0 +598,,T1202,Indirect Command Execution,[],[],,CVE-2018-17934,Exploitation Technique,0 +599,,T1505.003,Web Shell,[],[],,CVE-2020-12029,Primary Impact,0 +600,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-12029,Secondary Impact,0 +601,,T1133,External Remote Services,[],[],,CVE-2020-12029,Exploitation Technique,0 +602,,T1552.001,Credentials In Files,[],[],,CVE-2018-7520,Primary Impact,0 +603,,T1574,Hijack Execution Flow,[],[],,CVE-2018-7499,Primary Impact,0 +604,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-7499,Primary Impact,0 +605,,T1005,Data from Local System,[],[],,CVE-2019-6522,Primary Impact,0 +606,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-6522,Primary Impact,0 
+607,,T1574,Hijack Execution Flow,[],[],,CVE-2019-10980,Primary Impact,0 +608,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-10980,Primary Impact,0 +609,,T1574,Hijack Execution Flow,[],[],,CVE-2019-6538,Primary Impact,0 +610,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-6538,Primary Impact,0 +611,,T1005,Data from Local System,[],[],,CVE-2019-6538,Primary Impact,0 +612,,T1557,Man-in-the-Middle,[],[],,CVE-2019-6538,Primary Impact,0 +613,,T0860,Wireless Compromise,[],[],,CVE-2019-6538,Exploitation Technique,0 +614,,T1477,Exploit via Radio Interfaces,[],[],,CVE-2019-6538,Exploitation Technique,0 +615,,T1005,Data from Local System,[],[],,CVE-2018-7526,Primary Impact,0 +616,,T1005,Data from Local System,[],[],,CVE-2018-5445,Primary Impact,0 +617,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-5454,Primary Impact,0 +618,,T1574,Hijack Execution Flow,[],[],,CVE-2018-14819,Primary Impact,0 +619,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-6960,Primary Impact,0 +620,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-12014,Primary Impact,0 +621,,T1005,Data from Local System,[],[],,CVE-2019-13511,Primary Impact,0 +622,,T1204.001,Malicious Link,[],[],,CVE-2019-13511,Exploitation Technique,0 +623,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-12038,Primary Impact,0 +624,,T1204.001,Malicious Link,[],[],,CVE-2020-12038,Exploitation Technique,0 +625,,T1539,Steal Web Session Cookie,[],[],,CVE-2019-6563,Primary Impact,0 +626,,T1078,Valid Accounts,[],[],,CVE-2019-6563,Secondary Impact,0 +627,,T1110,Brute Force,[],[],,CVE-2019-6563,Exploitation Technique,0 +628,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-19007,Primary Impact,0 +629,,T1133,External Remote Services,[],[],,CVE-2018-19007,Exploitation Technique,0 +630,,T1005,Data from Local System,[],[],,CVE-2018-18990,Primary Impact,0 +631,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-14781,Primary Impact,0 +632,,T1040,Network 
Sniffing,[],[],,CVE-2018-14781,Exploitation Technique,0 +633,,T1078.001,Default Accounts,[],[],,CVE-2018-10633,Primary Impact,0 +634,,T1574,Hijack Execution Flow,[],[],,CVE-2018-10610,Primary Impact,0 +635,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-10610,Primary Impact,0 +636,,T1005,Data from Local System,[],[],,CVE-2018-10610,Primary Impact,0 +637,,T1557,Man-in-the-Middle,[],[],,CVE-2018-10610,Primary Impact,0 +638,,T1574,Hijack Execution Flow,[],[],,CVE-2018-14809,Primary Impact,0 +639,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-14809,Primary Impact,0 +640,,T1005,Data from Local System,[],[],,CVE-2018-14809,Primary Impact,0 +641,,T1557,Man-in-the-Middle,[],[],,CVE-2018-14809,Primary Impact,0 +642,,T0816,Device Restart/Shutdown,[],[],,CVE-2018-18995,Secondary Impact,0 +643,,T1529,System Shutdown/Reboot,[],[],,CVE-2018-18995,Secondary Impact,0 +644,,T0855,Unauthorized Command Message,[],[],,CVE-2018-18995,Secondary Impact,0 +645,,T0836,Modify Parameter,[],[],,CVE-2018-18995,Secondary Impact,0 +646,,T1213,Data from Information Repositories,[],[],,CVE-2018-18995,Secondary Impact,0 +647,,T0855,Unauthorized Command Message,[],[],,CVE-2018-5459,Primary Impact,0 +648,,T0833,,[],[],,CVE-2018-5459,Secondary Impact,0 +649,,T1005,Data from Local System,[],[],,CVE-2018-5459,Secondary Impact,0 +650,,T1485,Data Destruction,[],[],,CVE-2018-5459,Secondary Impact,0 +651,,T1565.001,Stored Data Manipulation,[],[],,CVE-2018-5459,Secondary Impact,0 +652,,T1499,Endpoint Denial of Service,[],[],,CVE-2019-13555,Primary Impact,0 +653,,T0826,Loss of Availability,[],[],,CVE-2019-13555,Secondary Impact,0 +654,,T1552,Unsecured Credentials,[],[],,CVE-2020-12008,Primary Impact,0 +655,,T0859,Valid Accounts,[],[],,CVE-2020-12008,Secondary Impact,0 +656,,T0842,Network Sniffing,[],[],,CVE-2020-12008,Exploitation Technique,0 +657,,T1078.001,Default Accounts,[],[],,CVE-2019-10990,Primary Impact,0 +658,,T1066,,[],[],,CVE-2019-10990,Secondary Impact,0 
+659,,T1563,Remote Service Session Hijacking,[],[],,CVE-2018-8852,Primary Impact,0 +660,,T1574.001,DLL Search Order Hijacking,[],[],,CVE-2019-10971,Primary Impact,0 +661,,T1083,File and Directory Discovery,[],[],,CVE-2018-10590,Primary Impact,0 +662,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-10590,Exploitation Technique,0 +663,,T1496,Resource Hijacking,[],[],,CVE-2020-16200,Primary Impact,0 +664,,T0826,Loss of Availability,[],[],,CVE-2020-16200,Secondary Impact,0 +665,,T1574,Hijack Execution Flow,[],[],,CVE-2018-10636,Primary Impact,0 +666,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-10636,Primary Impact,0 +667,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-10636,Secondary Impact,0 +668,,T1499,Endpoint Denial of Service,[],[],,CVE-2018-19010,Primary Impact,0 +669,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-19010,Exploitation Technique,0 +670,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-7500,Primary Impact,0 +671,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-18234,Primary Impact,0 +672,,T1005,Data from Local System,[],[],,CVE-2019-18234,Secondary Impact,0 +673,,T1505.003,Web Shell,[],[],,CVE-2019-18234,Secondary Impact,0 +674,,T1136,Create Account,[],[],,CVE-2019-18234,Secondary Impact,0 +675,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-18234,Secondary Impact,0 +676,,T1565.001,Stored Data Manipulation,[],[],,CVE-2019-18234,Secondary Impact,0 +677,,T1133,External Remote Services,[],[],,CVE-2019-18234,Exploitation Technique,0 +678,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-6964,Primary Impact,0 +679,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-6964,Primary Impact,0 +680,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-6964,Secondary Impact,0 +681,,T1005,Data from Local System,[],[],,CVE-2020-6993,Primary Impact,0 +682,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-6993,Exploitation Technique,0 +683,,T1078.001,Default 
Accounts,[],[],,CVE-2020-14510,Primary Impact,0 +684,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-14510,Secondary Impact,0 +685,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-14510,Secondary Impact,0 +686,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-14508,Primary Impact,0 +687,,T1499,Endpoint Denial of Service,[],[],,CVE-2020-14508,Primary Impact,0 +688,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-14508,Exploitation Technique,0 +689,,T1574,Hijack Execution Flow,[],[],,CVE-2018-7494,Primary Impact,0 +690,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-7494,Primary Impact,0 +691,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-7004,Primary Impact,0 +692,,T1036,Masquerading,[],[],,CVE-2018-5451,Primary Impact,0 +693,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-10603,Primary Impact,0 +694,,T1133,External Remote Services,[],[],,CVE-2020-10603,Exploitation Technique,0 +695,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-17889,Primary Impact,0 +696,,T1574,Hijack Execution Flow,[],[],,CVE-2019-13522,Primary Impact,0 +697,,T1204.002,Malicious File,[],[],,CVE-2019-13522,Exploitation Technique,0 +698,,T1091,Replication Through Removable Media,[],[],,CVE-2020-12024,Primary Impact,0 +699,,T0875,,[],[],,CVE-2018-17924,Primary Impact,0 +700,,T0803,Block Command Message,[],[],,CVE-2018-17924,Secondary Impact,0 +701,,T0804,Block Reporting Message,[],[],,CVE-2018-17924,Secondary Impact,0 +702,,T0855,Unauthorized Command Message,[],[],,CVE-2018-17924,Exploitation Technique,0 +703,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-12000,Primary Impact,0 +704,,T1133,External Remote Services,[],[],,CVE-2020-12000,Exploitation Technique,0 +705,,T1574,Hijack Execution Flow,[],[],,CVE-2018-17910,Primary Impact,0 +706,,T1202,Indirect Command Execution,[],[],,CVE-2018-10589,Primary Impact,0 +707,,T1574,Hijack Execution Flow,[],[],,CVE-2018-8835,Primary Impact,0 +708,,T1204.002,Malicious 
File,[],[],,CVE-2018-8835,Exploitation Technique,0 +709,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-17908,Primary Impact,0 +710,,T1562,Impair Defenses,[],[],,CVE-2018-17908,Exploitation Technique,0 +711,,T1552,Unsecured Credentials,[],[],,CVE-2018-17900,Primary Impact,0 +712,,T1078 ,Valid Accounts,[],[],,CVE-2018-17900,Secondary Impact,0 +713,,T1005,Data from Local System,[],[],,CVE-2020-16211,Primary Impact,0 +714,,T1204.002,Malicious File,[],[],,CVE-2020-16211,Exploitation Technique,0 +715,,T1574,Hijack Execution Flow,[],[],,CVE-2018-10620,Primary Impact,0 +716,,T1575,Native Code,[],[],,CVE-2018-17911,Primary Impact,0 +717,,T1552,Unsecured Credentials,[],[],,CVE-2019-6549,Primary Impact,0 +718,,T1078 ,Valid Accounts,[],[],,CVE-2019-6549,Secondary Impact,0 +719,,T1562,Impair Defenses,[],[],,CVE-2018-17892,Primary Impact,0 +720,,T1575,Native Code,[],[],,CVE-2018-14802,Primary Impact,0 +721,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-18987,Primary Impact,0 +722,,T1574,Hijack Execution Flow,[],[],,CVE-2018-18987,Secondary Impact,0 +723,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-18987,Secondary Impact,0 +724,,T1036,Masquerading,[],[],,CVE-2020-16198,Primary Impact,0 +725,,T1110,Brute Force,[],[],,CVE-2019-18263,Exploitation Technique,0 +726,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-10602,Primary Impact,0 +727,,T1575,Native Code,[],[],,CVE-2019-10987,Primary Impact,0 +728,,T1575,Native Code,[],[],,CVE-2019-13541,Primary Impact,0 +729,,T1528,Steal Application Access Token,[],[],,CVE-2020-0884,Primary Impact,0 +730,,T1040,Network Sniffing,[],[],,CVE-2020-0884,Exploitation Technique,0 +731,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-1025,Primary Impact,0 +732,,T1574,Hijack Execution Flow,[],[],,CVE-2019-0911,Primary Impact,0 +733,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-0911,Primary Impact,0 +734,,T1189,Drive-by Compromise,[],[],,CVE-2019-0911,Exploitation Technique,0 
+735,,T1204.002,Malicious File,[],[],,CVE-2019-0911,Exploitation Technique,0 +736,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-1111,Primary Impact,0 +737,,T1005,Data from Local System,[],[],,CVE-2020-1111,Secondary Impact,0 +738,,T1565,Data Manipulation,[],[],,CVE-2020-1111,Secondary Impact,0 +739,,T1485,Data Destruction,[],[],,CVE-2020-1111,Secondary Impact,0 +740,,T1136,Create Account,[],[],,CVE-2020-1111,Secondary Impact,0 +741,,T1574,Hijack Execution Flow,[],[],,CVE-2018-8355,Primary Impact,0 +742,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-8355,Primary Impact,0 +743,,T1005,Data from Local System,[],[],,CVE-2018-8355,Secondary Impact,0 +744,,T1565,Data Manipulation,[],[],,CVE-2018-8355,Secondary Impact,0 +745,,T1485,Data Destruction,[],[],,CVE-2018-8355,Secondary Impact,0 +746,,T1136,Create Account,[],[],,CVE-2018-8355,Secondary Impact,0 +747,,T1189,Drive-by Compromise,[],[],,CVE-2018-8355,Exploitation Technique,0 +748,,T1204.002,Malicious File,[],[],,CVE-2018-8355,Exploitation Technique,0 +749,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1087,Primary Impact,0 +750,,T1574,Hijack Execution Flow,[],[],,CVE-2020-0671,Primary Impact,0 +751,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-0671,Primary Impact,0 +752,,T1005,Data from Local System,[],[],,CVE-2020-0671,Secondary Impact,0 +753,,T1565,Data Manipulation,[],[],,CVE-2020-0671,Secondary Impact,0 +754,,T1485,Data Destruction,[],[],,CVE-2020-0671,Secondary Impact,0 +755,,T1136,Create Account,[],[],,CVE-2020-0671,Secondary Impact,0 +756,,T1565,Data Manipulation,[],[],,CVE-2019-1270,Primary Impact,0 +757,,T1485,Data Destruction,[],[],,CVE-2019-1270,Primary Impact,0 +758,,T1202,Indirect Command Execution,[],[],,CVE-2019-1270,Exploitation Technique,0 +759,,T1574,Hijack Execution Flow,[],[],,CVE-2020-0898,Primary Impact,0 +760,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-0898,Primary Impact,0 +761,,T1574,Hijack Execution 
Flow,[],[],,CVE-2019-1118,Primary Impact,0 +762,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-1118,Primary Impact,0 +763,,T1005,Data from Local System,[],[],,CVE-2019-1118,Secondary Impact,0 +764,,T1565,Data Manipulation,[],[],,CVE-2019-1118,Secondary Impact,0 +765,,T1485,Data Destruction,[],[],,CVE-2019-1118,Secondary Impact,0 +766,,T1136,Create Account,[],[],,CVE-2019-1118,Secondary Impact,0 +767,,T1189,Drive-by Compromise,[],[],,CVE-2019-1118,Exploitation Technique,0 +768,,T1204.002,Malicious File,[],[],,CVE-2019-1118,Exploitation Technique,0 +769,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-1456,Primary Impact,0 +770,,T1005,Data from Local System,[],[],,CVE-2020-1456,Secondary Impact,0 +771,,T1565,Data Manipulation,[],[],,CVE-2020-1456,Secondary Impact,0 +772,,T1485,Data Destruction,[],[],,CVE-2020-1456,Secondary Impact,0 +773,,T1478,Install Insecure or Malicious Configuration,[],[],,CVE-2020-1456,Secondary Impact,0 +774,,T1036,Masquerading,[],[],,CVE-2020-1456,Secondary Impact,0 +775,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1086,Primary Impact,0 +776,,T1574,Hijack Execution Flow,[],[],,CVE-2020-1109,Primary Impact,0 +777,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-1109,Primary Impact,0 +778,,T1005,Data from Local System,[],[],,CVE-2020-1109,Secondary Impact,0 +779,,T1565,Data Manipulation,[],[],,CVE-2020-1109,Secondary Impact,0 +780,,T1485,Data Destruction,[],[],,CVE-2020-1109,Secondary Impact,0 +781,,T1136,Create Account,[],[],,CVE-2020-1109,Secondary Impact,0 +782,,T1574,Hijack Execution Flow,[],[],,CVE-2019-0576,Primary Impact,0 +783,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-0576,Primary Impact,0 +784,,T1204.002,Malicious File,[],[],,CVE-2019-0576,Exploitation Technique,0 +785,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-1347,Primary Impact,0 +786,,T1485,Data Destruction,[],[],,CVE-2020-1163,Primary Impact,0 +787,,T1565,Data 
Manipulation,[],[],,CVE-2020-1068,Primary Impact,0 +788,,T1574,Hijack Execution Flow,[],[],,CVE-2020-1495,Primary Impact,0 +789,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-1495,Primary Impact,0 +790,,T1005,Data from Local System,[],[],,CVE-2020-1495,Secondary Impact,0 +791,,T1565,Data Manipulation,[],[],,CVE-2020-1495,Secondary Impact,0 +792,,T1485,Data Destruction,[],[],,CVE-2020-1495,Secondary Impact,0 +793,,T1136,Create Account,[],[],,CVE-2020-1495,Secondary Impact,0 +794,,T1204.002,Malicious File,[],[],,CVE-2020-1495,Exploitation Technique,0 +795,,T1566,Phishing,[],[],,CVE-2020-1495,Exploitation Technique,0 +796,,T1574,Hijack Execution Flow,[],[],,CVE-2020-1425,Primary Impact,0 +797,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-1425,Primary Impact,0 +798,,T1574,Hijack Execution Flow,[],[],,CVE-2018-8248,Primary Impact,0 +799,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-8248,Primary Impact,0 +800,,T1005,Data from Local System,[],[],,CVE-2018-8248,Secondary Impact,0 +801,,T1565,Data Manipulation,[],[],,CVE-2018-8248,Secondary Impact,0 +802,,T1485,Data Destruction,[],[],,CVE-2018-8248,Secondary Impact,0 +803,,T1136,Create Account,[],[],,CVE-2018-8248,Secondary Impact,0 +804,,T1189,Drive-by Compromise,[],[],,CVE-2018-8248,Exploitation Technique,0 +805,,T1204.002,Malicious File,[],[],,CVE-2018-8248,Exploitation Technique,0 +806,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-0758,Primary Impact,0 +807,,T1098,Account Manipulation,[],[],,CVE-2020-0758,Exploitation Technique,0 +808,,T1005,Data from Local System,[],[],,CVE-2020-1141,Primary Impact,0 +809,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2020-1141,Secondary Impact,0 +810,,T1574,Hijack Execution Flow,[],[],,CVE-2018-8111,Primary Impact,0 +811,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-8111,Primary Impact,0 +812,,T1005,Data from Local System,[],[],,CVE-2018-8111,Secondary Impact,0 +813,,T1565,Data 
Manipulation,[],[],,CVE-2018-8111,Secondary Impact,0 +814,,T1485,Data Destruction,[],[],,CVE-2018-8111,Secondary Impact,0 +815,,T1136,Create Account,[],[],,CVE-2018-8111,Secondary Impact,0 +816,,T1204.002,Malicious File,[],[],,CVE-2018-8111,Exploitation Technique,0 +817,,T1566,Phishing,[],[],,CVE-2018-8111,Exploitation Technique,0 +818,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-8607,Primary Impact,0 +819,,T1005,Data from Local System,[],[],,CVE-2018-8607,Secondary Impact,0 +820,,T1565,Data Manipulation,[],[],,CVE-2018-8607,Secondary Impact,0 +821,,T1485,Data Destruction,[],[],,CVE-2018-8607,Secondary Impact,0 +822,,T1478,Install Insecure or Malicious Configuration,[],[],,CVE-2018-8607,Secondary Impact,0 +823,,T1036,Masquerading,[],[],,CVE-2018-8607,Secondary Impact,0 +824,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1021,Primary Impact,0 +825,,T1574,Hijack Execution Flow,[],[],,CVE-2020-1569,Primary Impact,0 +826,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-1569,Primary Impact,0 +827,,T1005,Data from Local System,[],[],,CVE-2020-1569,Secondary Impact,0 +828,,T1565,Data Manipulation,[],[],,CVE-2020-1569,Secondary Impact,0 +829,,T1485,Data Destruction,[],[],,CVE-2020-1569,Secondary Impact,0 +830,,T1136,Create Account,[],[],,CVE-2020-1569,Secondary Impact,0 +831,,T1204.002,Malicious File,[],[],,CVE-2020-1569,Exploitation Technique,0 +832,,T1566,Phishing,[],[],,CVE-2020-1569,Exploitation Technique,0 +833,,T1565,Data Manipulation,[],[],,CVE-2019-1423,Primary Impact,0 +834,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1423,Secondary Impact,0 +835,,T1574,Hijack Execution Flow,[],[],,CVE-2020-16874,Primary Impact,0 +836,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-16874,Primary Impact,0 +837,,T1005,Data from Local System,[],[],,CVE-2020-16874,Secondary Impact,0 +838,,T1565,Data Manipulation,[],[],,CVE-2020-16874,Secondary Impact,0 +839,,T1485,Data Destruction,[],[],,CVE-2020-16874,Secondary 
Impact,0 +840,,T1136,Create Account,[],[],,CVE-2020-16874,Secondary Impact,0 +841,,T1204.002,Malicious File,[],[],,CVE-2020-16874,Exploitation Technique,0 +842,,T1005,Data from Local System,[],[],,CVE-2019-1013,Primary Impact,0 +843,,T1204.002,Malicious File,[],[],,CVE-2019-1013,Exploitation Technique,0 +844,,T1566,Phishing,[],[],,CVE-2019-1013,Exploitation Technique,0 +845,,T1574,Hijack Execution Flow,[],[],,CVE-2019-0609,Primary Impact,0 +846,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-0609,Primary Impact,0 +847,,T1005,Data from Local System,[],[],,CVE-2019-0609,Secondary Impact,0 +848,,T1565,Data Manipulation,[],[],,CVE-2019-0609,Secondary Impact,0 +849,,T1485,Data Destruction,[],[],,CVE-2019-0609,Secondary Impact,0 +850,,T1136,Create Account,[],[],,CVE-2019-0609,Secondary Impact,0 +851,,T1204.002,Malicious File,[],[],,CVE-2019-0609,Exploitation Technique,0 +852,,T1566,Phishing,[],[],,CVE-2019-0609,Exploitation Technique,0 +853,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-1190,Primary Impact,0 +854,,T1574,Hijack Execution Flow,[],[],,CVE-2018-8353,Primary Impact,0 +855,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-8353,Primary Impact,0 +856,,T1005,Data from Local System,[],[],,CVE-2018-8353,Secondary Impact,0 +857,,T1565,Data Manipulation,[],[],,CVE-2018-8353,Secondary Impact,0 +858,,T1485,Data Destruction,[],[],,CVE-2018-8353,Secondary Impact,0 +859,,T1136,Create Account,[],[],,CVE-2018-8353,Secondary Impact,0 +860,,T1204.002,Malicious File,[],[],,CVE-2018-8353,Exploitation Technique,0 +861,,T1566,Phishing,[],[],,CVE-2018-8353,Exploitation Technique,0 +862,,T1574,Hijack Execution Flow,[],[],,CVE-2018-8110,Primary Impact,0 +863,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-8110,Primary Impact,0 +864,,T1005,Data from Local System,[],[],,CVE-2018-8110,Secondary Impact,0 +865,,T1565,Data Manipulation,[],[],,CVE-2018-8110,Secondary Impact,0 +866,,T1485,Data Destruction,[],[],,CVE-2018-8110,Secondary 
Impact,0 +867,,T1136,Create Account,[],[],,CVE-2018-8110,Secondary Impact,0 +868,,T1204.002,Malicious File,[],[],,CVE-2018-8110,Exploitation Technique,0 +869,,T1566,Phishing,[],[],,CVE-2018-8110,Exploitation Technique,0 +870,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-8575,Primary Impact,0 +871,,T1005,Data from Local System,[],[],,CVE-2018-8575,Secondary Impact,0 +872,,T1565,Data Manipulation,[],[],,CVE-2018-8575,Secondary Impact,0 +873,,T1485,Data Destruction,[],[],,CVE-2018-8575,Secondary Impact,0 +874,,T1136,Create Account,[],[],,CVE-2018-8575,Secondary Impact,0 +875,,T1204.002,Malicious File,[],[],,CVE-2018-8575,Exploitation Technique,0 +876,,T1566,Phishing,[],[],,CVE-2018-8575,Exploitation Technique,0 +877,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1031,Primary Impact,0 +878,,T1005,Data from Local System,[],[],,CVE-2019-1031,Secondary Impact,0 +879,,T1565,Data Manipulation,[],[],,CVE-2019-1031,Secondary Impact,0 +880,,T1485,Data Destruction,[],[],,CVE-2019-1031,Secondary Impact,0 +881,,T1478,Install Insecure or Malicious Configuration,[],[],,CVE-2019-1031,Secondary Impact,0 +882,,T1036,Masquerading,[],[],,CVE-2019-1031,Secondary Impact,0 +883,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1402,Primary Impact,0 +884,,T1005,Data from Local System,[],[],,CVE-2020-0955,Primary Impact,0 +885,,T1134,Access Token Manipulation,[],[],,CVE-2020-0981,Primary Impact,0 +886,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-0981,Secondary Impact,0 +887,,T1497,Virtualization/Sandbox Evasion,[],[],,CVE-2020-0981,Secondary Impact,0 +888,,T1005,Data from Local System,[],[],,CVE-2018-8160,Primary Impact,0 +889,,T1110,Brute Force,[],[],,CVE-2018-8160,Secondary Impact,0 +890,,T1566,Phishing,[],[],,CVE-2018-8160,Exploitation Technique,0 +891,,T1574,Hijack Execution Flow,[],[],,CVE-2019-1106,Primary Impact,0 +892,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-1106,Primary Impact,0 +893,,T1189,Drive-by 
Compromise,[],[],,CVE-2019-1106,Exploitation Technique,0 +894,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-1106,Exploitation Technique,0 +895,,T1574,Hijack Execution Flow,[],[],,CVE-2019-1035,Primary Impact,0 +896,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-1035,Primary Impact,0 +897,,T1204.002,Malicious File,[],[],,CVE-2019-1035,Exploitation Technique,0 +898,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-1035,Exploitation Technique,0 +899,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-8431,Primary Impact,0 +900,,T1565,Data Manipulation,[],[],,CVE-2018-8431,Secondary Impact,0 +901,,T1497,Virtualization/Sandbox Evasion,[],[],,CVE-2018-8489,Primary Impact,0 +902,,T1574,Hijack Execution Flow,[],[],,CVE-2019-0926,Primary Impact,0 +903,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-0926,Primary Impact,0 +904,,T1189,Drive-by Compromise,[],[],,CVE-2019-0926,Exploitation Technique,0 +905,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-0926,Exploitation Technique,0 +906,,T1574,Hijack Execution Flow,[],[],,CVE-2019-1052,Primary Impact,0 +907,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-1052,Primary Impact,0 +908,,T1189,Drive-by Compromise,[],[],,CVE-2019-1052,Exploitation Technique,0 +909,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-1052,Exploitation Technique,0 +910,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-1471,Primary Impact,0 +911,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-0636,Primary Impact,0 +912,,T1003,OS Credential Dumping,[],[],,CVE-2014-1812,Uncategorized,0 +913,,T1552.001,Credentials In Files,[],[],,CVE-2014-1812,Uncategorized,0 +914,,T1005,Data from Local System,[],[],,CVE-2020-11652,Uncategorized,0 +915,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11652,Uncategorized,0 +916,,T1005,Data from Local System,[],[],,CVE-2017-16651,Uncategorized,0 +917,,T1190,Exploit Public-Facing 
Application,[],[],,CVE-2017-16651,Uncategorized,0 +918,,T1005,Data from Local System,[],[],,CVE-2015-0984,Uncategorized,0 +919,,T1190,Exploit Public-Facing Application,[],[],,CVE-2015-0984,Uncategorized,0 +920,,T1552,Unsecured Credentials,[],[],,CVE-2015-0984,Uncategorized,0 +921,,T1005,Data from Local System,[],[],,CVE-2019-9670,Uncategorized,0 +922,,T1552.001,Credentials In Files,[],[],,CVE-2019-9670,Uncategorized,0 +923,,T1036.,,[],[],,CVE-2018-15869,Uncategorized,0 +924,,T1525,Implant Internal Image,[],[],,CVE-2018-15869,Uncategorized,0 +925,,T1036.005,Match Legitimate Name or Location,[],[],,CVE-2020-6808,Uncategorized,0 +926,,T1040,Network Sniffing,[],[],,CVE-2018-11749,Uncategorized,0 +927,,T1552,Unsecured Credentials,[],[],,CVE-2018-11749,Uncategorized,0 +928,,T1046,Network Service Scanning,[],[],,CVE-2012-6685,Uncategorized,0 +929,,T1055,Process Injection,[],[],,CVE-2016-0099,Uncategorized,0 +930,,T1055,Process Injection,[],[],,CVE-2013-3336,Uncategorized,0 +931,,T1055,Process Injection,[],[],,CVE-2020-6820,Uncategorized,0 +932,,T1189,Drive-by Compromise,[],[],,CVE-2020-6820,Uncategorized,0 +933,,T1055,Process Injection,[],[],,CVE-2019-9978,Uncategorized,0 +934,,T1189,Drive-by Compromise,[],[],,CVE-2019-9978,Uncategorized,0 +935,,T1059,Command and Scripting Interpreter,[],[],,CVE-2015-2945,Uncategorized,0 +936,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2015-2945,Uncategorized,0 +937,,T1059,Command and Scripting Interpreter,[],[],,CVE-2014-4114,Uncategorized,0 +938,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2014-4114,Uncategorized,0 +939,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2014-4114,Uncategorized,0 +940,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-1458,Uncategorized,0 +941,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1458,Uncategorized,0 +942,,T1059,Command and Scripting Interpreter,[],[],,CVE-2010-3888,Uncategorized,0 +943,,T1190,Exploit Public-Facing 
Application,[],[],,CVE-2010-3888,Uncategorized,0 +944,,T1059.007,JavaScript,[],[],,CVE-2019-13538,Uncategorized,0 +945,,T1185,Man in the Browser,[],[],,CVE-2019-13538,Uncategorized,0 +946,,T1059.007,JavaScript,[],[],,CVE-2015-6475,Uncategorized,0 +947,,T1185,Man in the Browser,[],[],,CVE-2015-6475,Uncategorized,0 +948,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-8835,Uncategorized,0 +949,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-8467,Uncategorized,0 +950,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-12659,Uncategorized,0 +951,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-10751,Uncategorized,0 +952,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-1027,Uncategorized,0 +953,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1215,Uncategorized,0 +954,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-1214,Uncategorized,0 +955,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-0859,Uncategorized,0 +956,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-9862,Uncategorized,0 +957,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-9488,Uncategorized,0 +958,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-8599,Uncategorized,0 +959,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-5463,Uncategorized,0 +960,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-11776,Uncategorized,0 +961,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2017-1274,Uncategorized,0 +962,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2017-0263,Uncategorized,0 +963,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2016-5195,Uncategorized,0 +964,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2015-7910,Uncategorized,0 +965,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2015-2387,Uncategorized,0 +966,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2015-2360,Uncategorized,0 +967,,T1068,Exploitation for 
Privilege Escalation,[],[],,CVE-2015-0016,Uncategorized,0 +968,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2014-4113,Uncategorized,0 +969,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2014-1807,Uncategorized,0 +970,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2014-0322,Uncategorized,0 +971,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2012-0181,Uncategorized,0 +972,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2010-2884,Uncategorized,0 +973,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2010-2743,Uncategorized,0 +974,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2009-1612,Uncategorized,0 +975,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-5539,Uncategorized,0 +976,, T1565.001,Stored Data Manipulation,[],[],,CVE-2020-5539,Uncategorized,0 +977,,T1005,Data from Local System,[],[],,CVE-2020-5539,Uncategorized,0 +978,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2017-13289,Uncategorized,0 +979,,T1078,Valid Accounts,[],[],,CVE-2017-13289,Uncategorized,0 +980,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-15821,Uncategorized,0 +981,,T1133,External Remote Services,[],[],,CVE-2019-15821,Uncategorized,0 +982,,T1136,Create Account,[],[],,CVE-2019-15821,Uncategorized,0 +983,,T1565,Data Manipulation,[],[],,CVE-2019-15821,Uncategorized,0 +984,,T1149,,[],[],,CVE-2019-15821,Uncategorized,0 +985,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2013-0707,Uncategorized,0 +986,,T1189,Drive-by Compromise,[],[],,CVE-2013-0707,Uncategorized,0 +987,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-0707,Uncategorized,0 +988,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-10817,Uncategorized,0 +989,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2020-10817,Uncategorized,0 +990,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-5786,Uncategorized,0 +991,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2019-5786,Uncategorized,0 
+992,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2017-0213,Uncategorized,0 +993,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2017-0213,Uncategorized,0 +994,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-2215,Uncategorized,0 +995,,T1404,Exploit OS Vulnerability,[],[],,CVE-2019-2215,Uncategorized,0 +996,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-0808,Uncategorized,0 +997,,T1497,Virtualization/Sandbox Evasion,[],[],,CVE-2019-0808,Uncategorized,0 +998,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2017-7533,Uncategorized,0 +999,,T1499,Endpoint Denial of Service,[],[],,CVE-2017-7533,Uncategorized,0 +1000,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-8649,Uncategorized,0 +1001,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-8649,Uncategorized,0 +1002,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-12652,Uncategorized,0 +1003,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-12652,Uncategorized,0 +1004,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2014-6324,Uncategorized,0 +1005,,T1558.001,Golden Ticket,[],[],,CVE-2014-6324,Uncategorized,0 +1006,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-5954,Uncategorized,0 +1007,,T1565.001,Stored Data Manipulation,[],[],,CVE-2019-5954,Uncategorized,0 +1008,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2008-4996,Uncategorized,0 +1009,,T1565.001,Stored Data Manipulation,[],[],,CVE-2008-4996,Uncategorized,0 +1010,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2017-15211,Uncategorized,0 +1011,,T1566,Phishing,[],[],,CVE-2017-15211,Uncategorized,0 +1012,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2010-1592,Uncategorized,0 +1013,,T1574.002,DLL Side-Loading,[],[],,CVE-2010-1592,Uncategorized,0 +1014,,T1078,Valid Accounts,[],[],,CVE-2017-11368,Uncategorized,0 +1015,,T1212,Exploitation for Credential Access,[],[],,CVE-2017-11368,Uncategorized,0 +1016,,T1078,Valid 
Accounts,[],[],,CVE-2016-5645,Uncategorized,0 +1017,,T1542.001,System Firmware,[],[],,CVE-2016-5645,Uncategorized,0 +1018,,T1078.003.,,[],[],,CVE-2011-3172,Uncategorized,0 +1019,,T1083,File and Directory Discovery,[],[],,CVE-2013-0629,Uncategorized,0 +1020,,T1078,Valid Accounts,[],[],,CVE-2013-0629,Uncategorized,0 +1021,,T1083,File and Directory Discovery,[],[],,CVE-2016-3298,Uncategorized,0 +1022,,T1189,Drive-by Compromise,[],[],,CVE-2016-3298,Uncategorized,0 +1023,,T1083,File and Directory Discovery,[],[],,CVE-2017-6922,Uncategorized,0 +1024,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2017-6922,Uncategorized,0 +1025,,T1091,Replication Through Removable Media,[],[],,CVE-2015-1769,Uncategorized,0 +1026,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2015-1769,Uncategorized,0 +1027,,T1091,Replication Through Removable Media,[],[],,CVE-2020-7456,Uncategorized,0 +1028,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-7456,Uncategorized,0 +1029,,T1091,Replication Through Removable Media,[],[],,CVE-2020-12464,Uncategorized,0 +1030,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-12464,Uncategorized,0 +1031,,T1091,Replication Through Removable Media,[],[],,CVE-2020-15393,Uncategorized,0 +1032,,T1499.001,OS Exhaustion Flood,[],[],,CVE-2020-15393,Uncategorized,0 +1033,,T1091,Replication Through Removable Media,[],[],,CVE-2020-9804,Uncategorized,0 +1034,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-9804,Uncategorized,0 +1035,,T1110,Brute Force,[],[],,CVE-2020-11957,Uncategorized,0 +1036,,T1110,Brute Force,[],[],,CVE-2019-19735,Uncategorized,0 +1037,,T1110,Brute Force,[],[],,CVE-2018-1956,Uncategorized,0 +1038,,T1110,Brute Force,[],[],,CVE-2018-12520,Uncategorized,0 +1039,,T1110,Brute Force,[],[],,CVE-2019-11219,Uncategorized,0 +1040,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-11219,Uncategorized,0 +1041,,T1110.001,Password Guessing,[],[],,CVE-2019-18872,Uncategorized,0 +1042,,T1114.001,Local Email 
Collection,[],[],,CVE-2020-9819,Uncategorized,0 +1043,,T1565.001,Stored Data Manipulation,[],[],,CVE-2020-9819,Uncategorized,0 +1044,,T1485,Data Destruction,[],[],,CVE-2020-9819,Uncategorized,0 +1045,,T11190,,[],[],,CVE-2015-7912,Uncategorized,0 +1046,,T1059,Command and Scripting Interpreter,[],[],,CVE-2015-7912,Uncategorized,0 +1047,,T1133,External Remote Services,[],[],,CVE-2015-7935,Uncategorized,0 +1048,,T1005,Data from Local System,[],[],,CVE-2015-7935,Uncategorized,0 +1049,,T1133,External Remote Services,[],[],,CVE-2014-9938,Uncategorized,0 +1050,,T1059.004,Unix Shell,[],[],,CVE-2014-9938,Uncategorized,0 +1051,,T1133,External Remote Services,[],[],,CVE-2016-6367,Uncategorized,0 +1052,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2016-6367,Uncategorized,0 +1053,,T1480,Execution Guardrails,[],[],,CVE-2016-6367,Uncategorized,0 +1054,,T1133,External Remote Services,[],[],,CVE-2010-2772,Uncategorized,0 +1055,,T1190,Exploit Public-Facing Application,[],[],,CVE-2010-2772,Uncategorized,0 +1056,,T1133,External Remote Services,[],[],,CVE-2012-5958,Uncategorized,0 +1057,,T1203,Exploitation for Client Execution,[],[],,CVE-2012-5958,Uncategorized,0 +1058,,T1133,External Remote Services,[],[],,CVE-2016-5180,Uncategorized,0 +1059,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-5180,Uncategorized,0 +1060,,T1499.004,Application or System Exploitation,[],[],,CVE-2016-5180,Uncategorized,0 +1061,,T1133,External Remote Services,[],[],,CVE-2019-11510,Uncategorized,0 +1062,,T1212,Exploitation for Credential Access,[],[],,CVE-2019-11510,Uncategorized,0 +1063,,T1083,File and Directory Discovery,[],[],,CVE-2019-11510,Uncategorized,0 +1064,,T1133,External Remote Services,[],[],,CVE-2018-7506,Uncategorized,0 +1065,,T1552.004.,,[],[],,CVE-2018-7506,Uncategorized,0 +1066,,T1134.001.,,[],[],,CVE-2015-1701,Uncategorized,0 +1067,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2015-1701,Uncategorized,0 +1068,,T1136,Create Account,[],[],,CVE-2013-6129,Uncategorized,0 
+1069,,T1087,Account Discovery,[],[],,CVE-2013-6129,Uncategorized,0 +1070,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-6129,Uncategorized,0 +1071,,T1136,Create Account,[],[],,CVE-2015-4051,Uncategorized,0 +1072,,T1499.004,Application or System Exploitation,[],[],,CVE-2015-4051,Uncategorized,0 +1073,,T1185,Man in the Browser,[],[],,CVE-2011-3056,Uncategorized,0 +1074,,T1189,Drive-by Compromise,[],[],,CVE-2012-4681,Uncategorized,0 +1075,,T1059,Command and Scripting Interpreter,[],[],,CVE-2012-4681,Uncategorized,0 +1076,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2012-4681,Uncategorized,0 +1077,,T1057,Process Discovery,[],[],,CVE-2012-4681,Uncategorized,0 +1078,,T1497,Virtualization/Sandbox Evasion,[],[],,CVE-2012-4681,Uncategorized,0 +1079,, T1480,Execution Guardrails,[],[],,CVE-2012-4681,Uncategorized,0 +1080,,T1189,Drive-by Compromise,[],[],,CVE-2012-0158,Uncategorized,0 +1081,,T1059,Command and Scripting Interpreter,[],[],,CVE-2012-0158,Uncategorized,0 +1082,,T1546,Event Triggered Execution,[],[],,CVE-2012-0158,Uncategorized,0 +1083,,T1554,Compromise Client Software Binary,[],[],,CVE-2012-0158,Uncategorized,0 +1084,,T1491,Defacement,[],[],,CVE-2012-0158,Uncategorized,0 +1085,,T1565,Data Manipulation,[],[],,CVE-2012-0158,Uncategorized,0 +1086,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-0158,Uncategorized,0 +1087,,T1189,Drive-by Compromise,[],[],,CVE-2020-6418,Uncategorized,0 +1088,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-6418,Uncategorized,0 +1089,,T1189,Drive-by Compromise,[],[],,CVE-2020-5902,Uncategorized,0 +1090,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-5902,Uncategorized,0 +1091,,T1189,Drive-by Compromise,[],[],,CVE-2019-7286,Uncategorized,0 +1092,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-7286,Uncategorized,0 +1093,,T1189,Drive-by Compromise,[],[],,CVE-2019-18935,Uncategorized,0 +1094,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-18935,Uncategorized,0 
+1095,,T1189,Drive-by Compromise,[],[],,CVE-2019-17026,Uncategorized,0 +1096,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-17026,Uncategorized,0 +1097,,T1189,Drive-by Compromise,[],[],,CVE-2019-13720,Uncategorized,0 +1098,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-13720,Uncategorized,0 +1099,,T1189,Drive-by Compromise,[],[],,CVE-2019-11886,Uncategorized,0 +1100,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-11886,Uncategorized,0 +1101,,T1189,Drive-by Compromise,[],[],,CVE-2018-9206,Uncategorized,0 +1102,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-9206,Uncategorized,0 +1103,,T1189,Drive-by Compromise,[],[],,CVE-2018-8174,Uncategorized,0 +1104,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-8174,Uncategorized,0 +1105,,T1189,Drive-by Compromise,[],[],,CVE-2018-8120,Uncategorized,0 +1106,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-8120,Uncategorized,0 +1107,,T1189,Drive-by Compromise,[],[],,CVE-2018-0798,Uncategorized,0 +1108,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-0798,Uncategorized,0 +1109,,T1189,Drive-by Compromise,[],[],,CVE-2016-4656,Uncategorized,0 +1110,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-4656,Uncategorized,0 +1111,,T1189,Drive-by Compromise,[],[],,CVE-2016-1409,Uncategorized,0 +1112,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-1409,Uncategorized,0 +1113,,T1189,Drive-by Compromise,[],[],,CVE-2015-2590,Uncategorized,0 +1114,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-2590,Uncategorized,0 +1115,,T1189,Drive-by Compromise,[],[],,CVE-2015-2425,Uncategorized,0 +1116,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-2425,Uncategorized,0 +1117,,T1189,Drive-by Compromise,[],[],,CVE-2014-2817,Uncategorized,0 +1118,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-2817,Uncategorized,0 +1119,,T1189,Drive-by Compromise,[],[],,CVE-2014-0324,Uncategorized,0 +1120,,T1203,Exploitation for Client 
Execution,[],[],,CVE-2014-0324,Uncategorized,0 +1121,,T1189,Drive-by Compromise,[],[],,CVE-2014-0307,Uncategorized,0 +1122,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-0307,Uncategorized,0 +1123,,T1189,Drive-by Compromise,[],[],,CVE-2013-5211,Uncategorized,0 +1124,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-5211,Uncategorized,0 +1125,,T1189,Drive-by Compromise,[],[],,CVE-2013-2471,Uncategorized,0 +1126,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-2471,Uncategorized,0 +1127,,T1189,Drive-by Compromise,[],[],,CVE-2013-1493,Uncategorized,0 +1128,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-1493,Uncategorized,0 +1129,,T1189,Drive-by Compromise,[],[],,CVE-2013-0625,Uncategorized,0 +1130,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-0625,Uncategorized,0 +1131,,T1189,Drive-by Compromise,[],[],,CVE-2013-0422,Uncategorized,0 +1132,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-0422,Uncategorized,0 +1133,,T1189,Drive-by Compromise,[],[],,CVE-2011-3402,Uncategorized,0 +1134,,T1203,Exploitation for Client Execution,[],[],,CVE-2011-3402,Uncategorized,0 +1135,,T1189,Drive-by Compromise,[],[],,CVE-2010-1423,Uncategorized,0 +1136,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-1423,Uncategorized,0 +1137,,T1189,Drive-by Compromise,[],[],,CVE-2010-1165,Uncategorized,0 +1138,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-1165,Uncategorized,0 +1139,,T1189,Drive-by Compromise,[],[],,CVE-2009-1862,Uncategorized,0 +1140,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-1862,Uncategorized,0 +1141,,T1189,Drive-by Compromise,[],[],,CVE-2009-1807,Uncategorized,0 +1142,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-1807,Uncategorized,0 +1143,,T1189,Drive-by Compromise,[],[],,CVE-2009-1151,Uncategorized,0 +1144,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-1151,Uncategorized,0 +1145,,T1189,Drive-by Compromise,[],[],,CVE-2015-1641,Uncategorized,0 +1146,,T1203,Exploitation for 
Client Execution,[],[],,CVE-2015-1641,Uncategorized,0 +1147,,T1055,Process Injection,[],[],,CVE-2015-1641,Uncategorized,0 +1148,,T1189,Drive-by Compromise,[],[],,CVE-2020-11901,Uncategorized,0 +1149,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-11901,Uncategorized,0 +1150,,T1059.007,JavaScript,[],[],,CVE-2020-11901,Uncategorized,0 +1151,,T1189,Drive-by Compromise,[],[],,CVE-2016-7256,Uncategorized,0 +1152,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-7256,Uncategorized,0 +1153,,T1134.001.,,[],[],,CVE-2016-7256,Uncategorized,0 +1154,,T1189,Drive-by Compromise,[],[],,CVE-2016-3714,Uncategorized,0 +1155,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-3714,Uncategorized,0 +1156,,T1204.001,Malicious Link,[],[],,CVE-2016-3714,Uncategorized,0 +1157,,T1189,Drive-by Compromise,[],[],,CVE-2015-0071,Uncategorized,0 +1158,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-0071,Uncategorized,0 +1159,,T1204.001,Malicious Link,[],[],,CVE-2015-0071,Uncategorized,0 +1160,,T1189,Drive-by Compromise,[],[],,CVE-2014-4123,Uncategorized,0 +1161,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-4123,Uncategorized,0 +1162,,T1204.002,Malicious File,[],[],,CVE-2014-4123,Uncategorized,0 +1163,,T1189,Drive-by Compromise,[],[],,CVE-2014-0266,Uncategorized,0 +1164,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-0266,Uncategorized,0 +1165,,T1204.002,Malicious File,[],[],,CVE-2014-0266,Uncategorized,0 +1166,,T1189,Drive-by Compromise,[],[],,CVE-2010-1885,Uncategorized,0 +1167,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-1885,Uncategorized,0 +1168,,T1204.002,Malicious File,[],[],,CVE-2010-1885,Uncategorized,0 +1169,,T1189,Drive-by Compromise,[],[],,CVE-2009-3459,Uncategorized,0 +1170,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-3459,Uncategorized,0 +1171,,T1204.002,Malicious File,[],[],,CVE-2009-3459,Uncategorized,0 +1172,,T1189,Drive-by Compromise,[],[],,CVE-2020-13125,Uncategorized,0 +1173,,T1203,Exploitation for Client 
Execution,[],[],,CVE-2020-13125,Uncategorized,0 +1174,,T1204.002,Malicious File,[],[],,CVE-2020-13125,Uncategorized,0 +1175,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-13125,Uncategorized,0 +1176,,T1189,Drive-by Compromise,[],[],,CVE-2014-7187,Uncategorized,0 +1177,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-7187,Uncategorized,0 +1178,,T1204.002,Malicious File,[],[],,CVE-2014-7187,Uncategorized,0 +1179,,T1499.004,Application or System Exploitation,[],[],,CVE-2014-7187,Uncategorized,0 +1180,,T1189,Drive-by Compromise,[],[],,CVE-2011-3544,Uncategorized,0 +1181,,T1203,Exploitation for Client Execution,[],[],,CVE-2011-3544,Uncategorized,0 +1182,,T1497,Virtualization/Sandbox Evasion,[],[],,CVE-2011-3544,Uncategorized,0 +1183,,T1189,Drive-by Compromise,[],[],,CVE-2016-0034,Uncategorized,0 +1184,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-0034,Uncategorized,0 +1185,,T1499.004,Application or System Exploitation,[],[],,CVE-2016-0034,Uncategorized,0 +1186,,T1189,Drive-by Compromise,[],[],,CVE-2015-7756,Uncategorized,0 +1187,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-7756,Uncategorized,0 +1188,,T1499.004,Application or System Exploitation,[],[],,CVE-2015-7756,Uncategorized,0 +1189,,T1189,Drive-by Compromise,[],[],,CVE-2015-2426,Uncategorized,0 +1190,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-2426,Uncategorized,0 +1191,,T1499.004,Application or System Exploitation,[],[],,CVE-2015-2426,Uncategorized,0 +1192,,T1189,Drive-by Compromise,[],[],,CVE-2018-0802,Uncategorized,0 +1193,,T1189,Drive-by Compromise,[],[],,CVE-2015-2424,Uncategorized,0 +1194,,T1189,Drive-by Compromise,[],[],,CVE-2012-2539,Uncategorized,0 +1195,,T1189,Drive-by Compromise,[],[],,CVE-2017-0022,Uncategorized,0 +1196,,T1518.001,Security Software Discovery,[],[],,CVE-2017-0022,Uncategorized,0 +1197,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-6703,Uncategorized,0 +1198,,T1190,Exploit Public-Facing 
Application,[],[],,CVE-2019-16759,Uncategorized,0 +1199,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-15107,Uncategorized,0 +1200,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-1132,Uncategorized,0 +1201,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-10973,Uncategorized,0 +1202,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-0880,Uncategorized,0 +1203,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-8611,Uncategorized,0 +1204,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-7602,Uncategorized,0 +1205,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-7600,Uncategorized,0 +1206,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-2893,Uncategorized,0 +1207,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-2628,Uncategorized,0 +1208,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-1000861,Uncategorized,0 +1209,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-0101,Uncategorized,0 +1210,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-9841,Uncategorized,0 +1211,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-8291,Uncategorized,0 +1212,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-3881,Uncategorized,0 +1213,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-3066,Uncategorized,0 +1214,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-11774,Uncategorized,0 +1215,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-0199,Uncategorized,0 +1216,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-0005,Uncategorized,0 +1217,,T1190,Exploit Public-Facing Application,[],[],,CVE-2016-9192,Uncategorized,0 +1218,,T1190,Exploit Public-Facing Application,[],[],,CVE-2015-4902,Uncategorized,0 +1219,,T1190,Exploit Public-Facing Application,[],[],,CVE-2015-0072,Uncategorized,0 +1220,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-8551,Uncategorized,0 +1221,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-6287,Uncategorized,0 
+1222,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-6120,Uncategorized,0 +1223,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-5279,Uncategorized,0 +1224,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-1809,Uncategorized,0 +1225,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-0050,Uncategorized,0 +1226,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-7372,Uncategorized,0 +1227,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-7102,Uncategorized,0 +1228,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-5057,Uncategorized,0 +1229,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-1289,Uncategorized,0 +1230,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-0641,Uncategorized,0 +1231,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-0632,Uncategorized,0 +1232,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-0631,Uncategorized,0 +1233,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-2520,Uncategorized,0 +1234,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-1723,Uncategorized,0 +1235,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-1557,Uncategorized,0 +1236,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-0874,Uncategorized,0 +1237,,T1190,Exploit Public-Facing Application,[],[],,CVE-2011-2900,Uncategorized,0 +1238,,T1190,Exploit Public-Facing Application,[],[],,CVE-2011-0096,Uncategorized,0 +1239,,T1190,Exploit Public-Facing Application,[],[],,CVE-2010-3916,Uncategorized,0 +1240,,T1190,Exploit Public-Facing Application,[],[],,CVE-2010-3653,Uncategorized,0 +1241,,T1190,Exploit Public-Facing Application,[],[],,CVE-2010-0817,Uncategorized,0 +1242,,T1190,Exploit Public-Facing Application,[],[],,CVE-2009-2265,Uncategorized,0 +1243,,T1190,Exploit Public-Facing Application,[],[],,CVE-2009-1308,Uncategorized,0 +1244,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-5910,Uncategorized,0 +1245,,T1005,Data from Local 
System,[],[],,CVE-2019-5910,Uncategorized,0 +1246,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-6974,Uncategorized,0 +1247,,T1005,Data from Local System,[],[],,CVE-2020-6974,Uncategorized,0 +1248,,T1565,Data Manipulation,[],[],,CVE-2020-6974,Uncategorized,0 +1249,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11738,Uncategorized,0 +1250,,T1055,Process Injection,[],[],,CVE-2020-11738,Uncategorized,0 +1251,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-9380,Uncategorized,0 +1252,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-9380,Uncategorized,0 +1253,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-10189,Uncategorized,0 +1254,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-10189,Uncategorized,0 +1255,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-2729,Uncategorized,0 +1256,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-2729,Uncategorized,0 +1257,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-2725,Uncategorized,0 +1258,,T1059,Command and Scripting Interpreter,[],[],,CVE-2019-2725,Uncategorized,0 +1259,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-10611,Uncategorized,0 +1260,,T1059,Command and Scripting Interpreter,[],[],,CVE-2018-10611,Uncategorized,0 +1261,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-18362,Uncategorized,0 +1262,,T1059,Command and Scripting Interpreter,[],[],,CVE-2017-18362,Uncategorized,0 +1263,,T1190,Exploit Public-Facing Application,[],[],,CVE-2016-5062,Uncategorized,0 +1264,,T1059,Command and Scripting Interpreter,[],[],,CVE-2016-5062,Uncategorized,0 +1265,,T1190,Exploit Public-Facing Application,[],[],,CVE-2015-6480,Uncategorized,0 +1266,,T1059,Command and Scripting Interpreter,[],[],,CVE-2015-6480,Uncategorized,0 +1267,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-6293,Uncategorized,0 +1268,,T1059,Command and Scripting Interpreter,[],[],,CVE-2014-6293,Uncategorized,0 +1269,,T1190,Exploit Public-Facing 
Application,[],[],,CVE-2012-6498,Uncategorized,0 +1270,,T1059,Command and Scripting Interpreter,[],[],,CVE-2012-6498,Uncategorized,0 +1271,,T1505.003.,,[],[],,CVE-2012-6498,Uncategorized,0 +1272,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-0295,Uncategorized,0 +1273,,T1059.001,PowerShell,[],[],,CVE-2014-0295,Uncategorized,0 +1274,,T1190,Exploit Public-Facing Application,[],[],,CVE-2016-9684,Uncategorized,0 +1275,,T1059.004,Unix Shell,[],[],,CVE-2016-9684,Uncategorized,0 +1276,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-7186,Uncategorized,0 +1277,,T1059.004,Unix Shell,[],[],,CVE-2014-7186,Uncategorized,0 +1278,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-6277,Uncategorized,0 +1279,,T1059.004,Unix Shell,[],[],,CVE-2014-6277,Uncategorized,0 +1280,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-6271,Uncategorized,0 +1281,,T1059.004,Unix Shell,[],[],,CVE-2014-6271,Uncategorized,0 +1282,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-1795,Uncategorized,0 +1283,,T1059.004,Unix Shell,[],[],,CVE-2012-1795,Uncategorized,0 +1284,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-9459,Uncategorized,0 +1285,,T1059.007,JavaScript,[],[],,CVE-2020-9459,Uncategorized,0 +1286,,T1539,Steal Web Session Cookie,[],[],,CVE-2020-9459,Uncategorized,0 +1287,,T1565,Data Manipulation,[],[],,CVE-2020-9459,Uncategorized,0 +1288,,T1491,Defacement,[],[],,CVE-2020-9459,Uncategorized,0 +1289,,T1190,Exploit Public-Facing Application,[],[],,CVE-2011-1331,Uncategorized,0 +1290,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2011-1331,Uncategorized,0 +1291,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-0640,Uncategorized,0 +1292,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2013-0640,Uncategorized,0 +1293,,T1078,Valid Accounts,[],[],,CVE-2013-0640,Uncategorized,0 +1294,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-12637,Uncategorized,0 +1295,,T1083,File and Directory 
Discovery,[],[],,CVE-2017-12637,Uncategorized,0 +1296,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-1904,Uncategorized,0 +1297,,T1083,File and Directory Discovery,[],[],,CVE-2013-1904,Uncategorized,0 +1298,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-11708,Uncategorized,0 +1299,,T1133,External Remote Services,[],[],,CVE-2019-11708,Uncategorized,0 +1300,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2019-11708,Uncategorized,0 +1301,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-13126,Uncategorized,0 +1302,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-13126,Uncategorized,0 +1303,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-10271,Uncategorized,0 +1304,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-10271,Uncategorized,0 +1305,,T1190,Exploit Public-Facing Application,[],[],,CVE-2016-6909,Uncategorized,0 +1306,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-6909,Uncategorized,0 +1307,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-6278,Uncategorized,0 +1308,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-6278,Uncategorized,0 +1309,,T1190,Exploit Public-Facing Application,[],[],,CVE-2010-5326,Uncategorized,0 +1310,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-5326,Uncategorized,0 +1311,,T1190,Exploit Public-Facing Application,[],[],,CVE-2009-3041,Uncategorized,0 +1312,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-3041,Uncategorized,0 +1313,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11897,Uncategorized,0 +1314,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-11897,Uncategorized,0 +1315,,T1499,Endpoint Denial of Service,[],[],,CVE-2020-11897,Uncategorized,0 +1316,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-11896,Uncategorized,0 +1317,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-11896,Uncategorized,0 +1318,,T1499,Endpoint Denial of Service,[],[],,CVE-2020-11896,Uncategorized,0 +1319,,T1190,Exploit Public-Facing 
Application,[],[],,CVE-2018-7496,Uncategorized,0 +1320,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2018-7496,Uncategorized,0 +1321,,T1190,Exploit Public-Facing Application,[],[],,CVE-2017-1001000,Uncategorized,0 +1322,,T1491.002,External Defacement,[],[],,CVE-2017-1001000,Uncategorized,0 +1323,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-8540,Uncategorized,0 +1324,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-8540,Uncategorized,0 +1325,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-0604,Uncategorized,0 +1326,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-0604,Uncategorized,0 +1327,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-19207,Uncategorized,0 +1328,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-19207,Uncategorized,0 +1329,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-3413,Uncategorized,0 +1330,,T1499.004,Application or System Exploitation,[],[],,CVE-2014-3413,Uncategorized,0 +1331,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-1675,Uncategorized,0 +1332,,T1499.004,Application or System Exploitation,[],[],,CVE-2012-1675,Uncategorized,0 +1333,,T1190,Exploit Public-Facing Application,[],[],,CVE-2011-4862,Uncategorized,0 +1334,,T1499.004,Application or System Exploitation,[],[],,CVE-2011-4862,Uncategorized,0 +1335,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-2894,Uncategorized,0 +1336,,T1505.003,Web Shell,[],[],,CVE-2018-2894,Uncategorized,0 +1337,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-6081,Uncategorized,0 +1338,,T1505.003,Web Shell,[],[],,CVE-2012-6081,Uncategorized,0 +1339,,T1190,Exploit Public-Facing Application,[],[],,CVE-2011-4106,Uncategorized,0 +1340,,T1505.003,Web Shell,[],[],,CVE-2011-4106,Uncategorized,0 +1341,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-15961,Uncategorized,0 +1342,,T1505.003,Web Shell,[],[],,CVE-2018-15961,Uncategorized,0 +1343,,T1491,Defacement,[],[],,CVE-2018-15961,Uncategorized,0 
+1344,,T1190,Exploit Public-Facing Application,[],[],,CVE-2015-8562,Uncategorized,0 +1345,,T1528,Steal Application Access Token,[],[],,CVE-2015-8562,Uncategorized,0 +1346,,T1548,Abuse Elevation Control Mechanism,[],[],,CVE-2015-8562,Uncategorized,0 +1347,,T1552,Unsecured Credentials,[],[],,CVE-2015-8562,Uncategorized,0 +1348,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-3900,Uncategorized,0 +1349,,T1539,Steal Web Session Cookie,[],[],,CVE-2013-3900,Uncategorized,0 +1350,,T1190,Exploit Public-Facing Application,[],[],,CVE-2015-1539,Uncategorized,0 +1351,,T1548,Abuse Elevation Control Mechanism,[],[],,CVE-2015-1539,Uncategorized,0 +1352,,T1190,Exploit Public-Facing Application,[],[],,CVE-2010-3765,Uncategorized,0 +1353,,T1548,Abuse Elevation Control Mechanism,[],[],,CVE-2010-3765,Uncategorized,0 +1354,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-7235,Uncategorized,0 +1355,,T1550,Use Alternate Authentication Material,[],[],,CVE-2014-7235,Uncategorized,0 +1356,,T1190,Exploit Public-Facing Application,[],[],,CVE-2012-3015,Uncategorized,0 +1357,,T1557,Man-in-the-Middle,[],[],,CVE-2012-3015,Uncategorized,0 +1358,,T1213,Data from Information Repositories,[],[],,CVE-2012-3015,Uncategorized,0 +1359,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-1761,Uncategorized,0 +1360,,T1569,System Services,[],[],,CVE-2014-1761,Uncategorized,0 +1361,,T1190. 
T1005,,[],[],,CVE-2013-4335,Uncategorized,0 +1362,,T1565,Data Manipulation,[],[],,CVE-2013-4335,Uncategorized,0 +1363,,T1499.004,Application or System Exploitation,[],[],,CVE-2013-4335,Uncategorized,0 +1364,,T1200,Hardware Additions,[],[],,CVE-2019-9019,Uncategorized,0 +1365,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-9019,Uncategorized,0 +1366,,T1202,Indirect Command Execution,[],[],,CVE-2013-3893,Uncategorized,0 +1367,,T1059,Command and Scripting Interpreter,[],[],,CVE-2013-3893,Uncategorized,0 +1368,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-3893,Uncategorized,0 +1369,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-9818,Uncategorized,0 +1370,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-1631,Uncategorized,0 +1371,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-1350,Uncategorized,0 +1372,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-0938,Uncategorized,0 +1373,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-9791,Uncategorized,0 +1374,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-1579,Uncategorized,0 +1375,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-11932,Uncategorized,0 +1376,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-0903,Uncategorized,0 +1377,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-0803,Uncategorized,0 +1378,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-8833,Uncategorized,0 +1379,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-8589,Uncategorized,0 +1380,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-7513,Uncategorized,0 +1381,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-20838,Uncategorized,0 +1382,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-18956,Uncategorized,0 +1383,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-10376,Uncategorized,0 +1384,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-5613,Uncategorized,0 +1385,,T1203,Exploitation for Client 
Execution,[],[],,CVE-2017-2404,Uncategorized,0 +1386,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-12824,Uncategorized,0 +1387,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-9299,Uncategorized,0 +1388,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-2208,Uncategorized,0 +1389,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-3864,Uncategorized,0 +1390,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-7169,Uncategorized,0 +1391,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-5334,Uncategorized,0 +1392,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-0593,Uncategorized,0 +1393,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-3897,Uncategorized,0 +1394,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-3163,Uncategorized,0 +1395,,T1203,Exploitation for Client Execution,[],[],,CVE-2012-2311,Uncategorized,0 +1396,,T1203,Exploitation for Client Execution,[],[],,CVE-2012-1856,Uncategorized,0 +1397,,T1203,Exploitation for Client Execution,[],[],,CVE-2011-3192,Uncategorized,0 +1398,,T1203,Exploitation for Client Execution,[],[],,CVE-2011-2005,Uncategorized,0 +1399,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-4398,Uncategorized,0 +1400,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-2568,Uncategorized,0 +1401,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-2152,Uncategorized,0 +1402,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-1297,Uncategorized,0 +1403,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-0842,Uncategorized,0 +1404,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-0480,Uncategorized,0 +1405,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-1800,Uncategorized,0 +1406,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-1671,Uncategorized,0 +1407,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-0824,Uncategorized,0 +1408,,T1203,Exploitation for Client Execution,[],[],,CVE-2008-2992,Uncategorized,0 
+1409,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-5638,Uncategorized,0 +1410,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2017-5638,Uncategorized,0 +1411,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-1494,Uncategorized,0 +1412,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2015-1494,Uncategorized,0 +1413,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2015-1494,Uncategorized,0 +1414,,T1497,Virtualization/Sandbox Evasion,[],[],,CVE-2015-1494,Uncategorized,0 +1415,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-6819,Uncategorized,0 +1416,,T1189,Drive-by Compromise,[],[],,CVE-2020-6819,Uncategorized,0 +1417,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-10257,Uncategorized,0 +1418,,T1189,Drive-by Compromise,[],[],,CVE-2020-10257,Uncategorized,0 +1419,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-15919,Uncategorized,0 +1420,,T1189,Drive-by Compromise,[],[],,CVE-2017-15919,Uncategorized,0 +1421,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-0222,Uncategorized,0 +1422,,T1189,Drive-by Compromise,[],[],,CVE-2017-0222,Uncategorized,0 +1423,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-0149,Uncategorized,0 +1424,,T1189,Drive-by Compromise,[],[],,CVE-2017-0149,Uncategorized,0 +1425,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-9079,Uncategorized,0 +1426,,T1189,Drive-by Compromise,[],[],,CVE-2016-9079,Uncategorized,0 +1427,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-7189,Uncategorized,0 +1428,,T1189,Drive-by Compromise,[],[],,CVE-2016-7189,Uncategorized,0 +1429,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-3393,Uncategorized,0 +1430,,T1189,Drive-by Compromise,[],[],,CVE-2016-3393,Uncategorized,0 +1431,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-5123,Uncategorized,0 +1432,,T1189,Drive-by Compromise,[],[],,CVE-2015-5123,Uncategorized,0 +1433,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-2502,Uncategorized,0 
+1434,,T1189,Drive-by Compromise,[],[],,CVE-2015-2502,Uncategorized,0 +1435,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-2419,Uncategorized,0 +1436,,T1189,Drive-by Compromise,[],[],,CVE-2015-2419,Uncategorized,0 +1437,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-6332,Uncategorized,0 +1438,,T1189,Drive-by Compromise,[],[],,CVE-2014-6332,Uncategorized,0 +1439,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-1815,Uncategorized,0 +1440,,T1189,Drive-by Compromise,[],[],,CVE-2014-1815,Uncategorized,0 +1441,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-2465,Uncategorized,0 +1442,,T1189,Drive-by Compromise,[],[],,CVE-2013-2465,Uncategorized,0 +1443,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-2423,Uncategorized,0 +1444,,T1189,Drive-by Compromise,[],[],,CVE-2013-2423,Uncategorized,0 +1445,,T1203,Exploitation for Client Execution,[],[],,CVE-2012-3213,Uncategorized,0 +1446,,T1189,Drive-by Compromise,[],[],,CVE-2012-3213,Uncategorized,0 +1447,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-3971,Uncategorized,0 +1448,,T1189,Drive-by Compromise,[],[],,CVE-2010-3971,Uncategorized,0 +1449,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-1136,Uncategorized,0 +1450,,T1189,Drive-by Compromise,[],[],,CVE-2009-1136,Uncategorized,0 +1451,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-1776,Uncategorized,0 +1452,,T1189,Drive-by Compromise,[],[],,CVE-2014-1776,Uncategorized,0 +1453,,T1499,Endpoint Denial of Service,[],[],,CVE-2014-1776,Uncategorized,0 +1454,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-3918,Uncategorized,0 +1455,,T1189,Drive-by Compromise,[],[],,CVE-2013-3918,Uncategorized,0 +1456,,T1499,Endpoint Denial of Service,[],[],,CVE-2013-3918,Uncategorized,0 +1457,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-2883,Uncategorized,0 +1458,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-2883,Uncategorized,0 +1459,,T1203,Exploitation for Client 
Execution,[],[],,CVE-2020-0601,Uncategorized,0 +1460,,T1190,Exploit Public-Facing Application,[],[],,CVE-2020-0601,Uncategorized,0 +1461,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-10149,Uncategorized,0 +1462,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-10149,Uncategorized,0 +1463,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-20062,Uncategorized,0 +1464,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-20062,Uncategorized,0 +1465,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-6366,Uncategorized,0 +1466,,T1190,Exploit Public-Facing Application,[],[],,CVE-2016-6366,Uncategorized,0 +1467,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-3396,Uncategorized,0 +1468,,T1190,Exploit Public-Facing Application,[],[],,CVE-2019-3396,Uncategorized,0 +1469,,T1083,File and Directory Discovery,[],[],,CVE-2019-3396,Uncategorized,0 +1470,,T1203,Exploitation for Client Execution,[],[],,CVE-2018-20250,Uncategorized,0 +1471,,T1204.002,Malicious File,[],[],,CVE-2018-20250,Uncategorized,0 +1472,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-8464,Uncategorized,0 +1473,,T1204.002,Malicious File,[],[],,CVE-2017-8464,Uncategorized,0 +1474,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-11882,Uncategorized,0 +1475,,T1204.002,Malicious File,[],[],,CVE-2017-11882,Uncategorized,0 +1476,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-11826,Uncategorized,0 +1477,,T1204.002,Malicious File,[],[],,CVE-2017-11826,Uncategorized,0 +1478,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-0261,Uncategorized,0 +1479,,T1204.002,Malicious File,[],[],,CVE-2017-0261,Uncategorized,0 +1480,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-6585,Uncategorized,0 +1481,,T1204.002,Malicious File,[],[],,CVE-2015-6585,Uncategorized,0 +1482,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-1642,Uncategorized,0 +1483,,T1204.002,Malicious File,[],[],,CVE-2015-1642,Uncategorized,0 +1484,,T1203,Exploitation for Client 
Execution,[],[],,CVE-2015-0096,Uncategorized,0 +1485,,T1204.002,Malicious File,[],[],,CVE-2015-0096,Uncategorized,0 +1486,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-7247,Uncategorized,0 +1487,,T1204.002,Malicious File,[],[],,CVE-2014-7247,Uncategorized,0 +1488,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-6352,Uncategorized,0 +1489,,T1204.002,Malicious File,[],[],,CVE-2014-6352,Uncategorized,0 +1490,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-1331,Uncategorized,0 +1491,,T1204.002,Malicious File,[],[],,CVE-2013-1331,Uncategorized,0 +1492,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-1424,Uncategorized,0 +1493,,T1204.002,Malicious File,[],[],,CVE-2010-1424,Uncategorized,0 +1494,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-0840,Uncategorized,0 +1495,,T1204.002,Malicious File,[],[],,CVE-2010-0840,Uncategorized,0 +1496,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-4324,Uncategorized,0 +1497,,T1204.002,Malicious File,[],[],,CVE-2009-4324,Uncategorized,0 +1498,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-0556,Uncategorized,0 +1499,,T1204.002,Malicious File,[],[],,CVE-2009-0556,Uncategorized,0 +1500,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-13510,Uncategorized,0 +1501,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-13510,Uncategorized,0 +1502,,T1204.001.,,[],[],,CVE-2015-7925,Uncategorized,0 +1503,,T1529,System Shutdown/Reboot,[],[],,CVE-2015-7925,Uncategorized,0 +1504,,T1542.001,System Firmware,[],[],,CVE-2015-7925,Uncategorized,0 +1505,, T1565.001,Stored Data Manipulation,[],[],,CVE-2015-7925,Uncategorized,0 +1506,,T1204.002,Malicious File,[],[],,CVE-2019-13541,Uncategorized,0 +1507,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-13541,Uncategorized,0 +1508,,T1204.002,Malicious File,[],[],,CVE-2019-13527,Uncategorized,0 +1509,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-13527,Uncategorized,0 +1510,,T1204.002,Malicious 
File,[],[],,CVE-2017-8570,Uncategorized,0 +1511,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-8570,Uncategorized,0 +1512,,T1204.002,Malicious File,[],[],,CVE-2017-0262,Uncategorized,0 +1513,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-0262,Uncategorized,0 +1514,,T1204.002,Malicious File,[],[],,CVE-2016-7193,Uncategorized,0 +1515,,T1203,Exploitation for Client Execution,[],[],,CVE-2016-7193,Uncategorized,0 +1516,,T1204.002,Malicious File,[],[],,CVE-2015-2509,Uncategorized,0 +1517,,T1203,Exploitation for Client Execution,[],[],,CVE-2015-2509,Uncategorized,0 +1518,,T1204.002,Malicious File,[],[],,CVE-2014-0810,Uncategorized,0 +1519,,T1203,Exploitation for Client Execution,[],[],,CVE-2014-0810,Uncategorized,0 +1520,,T1204.002,Malicious File,[],[],,CVE-2013-3644,Uncategorized,0 +1521,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-3644,Uncategorized,0 +1522,,T1204.002,Malicious File,[],[],,CVE-2010-3915,Uncategorized,0 +1523,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-3915,Uncategorized,0 +1524,,T1204.002,Malicious File,[],[],,CVE-2010-3333,Uncategorized,0 +1525,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-3333,Uncategorized,0 +1526,,T1204.002,Malicious File,[],[],,CVE-2010-2862,Uncategorized,0 +1527,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-2862,Uncategorized,0 +1528,,T1204.002,Malicious File,[],[],,CVE-2010-0028,Uncategorized,0 +1529,,T1203,Exploitation for Client Execution,[],[],,CVE-2010-0028,Uncategorized,0 +1530,,T1204.002,Malicious File,[],[],,CVE-2009-3129,Uncategorized,0 +1531,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-3129,Uncategorized,0 +1532,,T1204.002,Malicious File,[],[],,CVE-2009-0927,Uncategorized,0 +1533,,T1203,Exploitation for Client Execution,[],[],,CVE-2009-0927,Uncategorized,0 +1534,,T1210,Exploitation of Remote Services,[],[],,CVE-2020-1206,Uncategorized,0 +1535,,T1210,Exploitation of Remote Services,[],[],,CVE-2017-8543,Uncategorized,0 +1536,,T1210,Exploitation 
of Remote Services,[],[],,CVE-2017-0176,Uncategorized,0 +1537,,T1210,Exploitation of Remote Services,[],[],,CVE-2010-2729,Uncategorized,0 +1538,,T1210,Exploitation of Remote Services,[],[],,CVE-2008-4250,Uncategorized,0 +1539,,T1210,Exploitation of Remote Services,[],[],,CVE-2017-14323,Uncategorized,0 +1540,,T1046,Network Service Scanning,[],[],,CVE-2017-14323,Uncategorized,0 +1541,,T1059,Command and Scripting Interpreter,[],[],,CVE-2017-14323,Uncategorized,0 +1542,,T1210,Exploitation of Remote Services,[],[],,CVE-2014-0751,Uncategorized,0 +1543,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-0751,Uncategorized,0 +1544,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2014-0751,Uncategorized,0 +1545,,T1005,Data from Local System,[],[],,CVE-2014-0751,Uncategorized,0 +1546,,T1212,Exploitation for Credential Access,[],[],,CVE-2014-0751,Uncategorized,0 +1547,,T1552,Unsecured Credentials,[],[],,CVE-2014-0751,Uncategorized,0 +1548,,T1133,External Remote Services,[],[],,CVE-2014-0751,Uncategorized,0 +1549,,T1210,Exploitation of Remote Services,[],[],,CVE-2018-8414,Uncategorized,0 +1550,,T1190,Exploit Public-Facing Application,[],[],,CVE-2018-8414,Uncategorized,0 +1551,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-8414,Uncategorized,0 +1552,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2020-8468,Uncategorized,0 +1553,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2018-6112,Uncategorized,0 +1554,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2015-7755,Uncategorized,0 +1555,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2018-0560,Uncategorized,0 +1556,,T1036,Masquerading,[],[],,CVE-2018-0560,Uncategorized,0 +1557,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2018-8337,Uncategorized,0 +1558,,TT1565,,[],[],,CVE-2018-8337,Uncategorized,0 +1559,,T1485,Data Destruction,[],[],,CVE-2018-8337,Uncategorized,0 +1560,,T1212,Exploitation for Credential Access,[],[],,CVE-2018-20753,Uncategorized,0 +1561,,T1212,Exploitation for Credential 
Access,[],[],,CVE-2018-13379,Uncategorized,0 +1562,,T1212,Exploitation for Credential Access,[],[],,CVE-2016-6415,Uncategorized,0 +1563,,T1404,Exploit OS Vulnerability,[],[],,CVE-2019-7287,Uncategorized,0 +1564,,T1404,Exploit OS Vulnerability,[],[],,CVE-2015-1805,Uncategorized,0 +1565,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2015-1805,Uncategorized,0 +1566,,T1409,Access Stored Application Data,[],[],,CVE-2017-12817,Uncategorized,0 +1567,,T1456,Drive-by Compromise,[],[],,CVE-2016-4655,Uncategorized,0 +1568,,T1461,Lockscreen Bypass,[],[],,CVE-2017-0493,Uncategorized,0 +1569,,T1533,Data from Local System,[],[],,CVE-2017-0493,Uncategorized,0 +1570,,T1477,Exploit via Radio Interfaces,[],[],,CVE-2019-3568,Uncategorized,0 +1571,,T1497,Virtualization/Sandbox Evasion,[],[],,CVE-2019-9081,Uncategorized,0 +1572,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-9081,Uncategorized,0 +1573,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-9081,Uncategorized,0 +1574,,T1499,Endpoint Denial of Service,[],[],,CVE-2019-11707,Uncategorized,0 +1575,,T1499,Endpoint Denial of Service,[],[],,CVE-2017-14934,Uncategorized,0 +1576,,T1499,Endpoint Denial of Service,[],[],,CVE-2009-2055,Uncategorized,0 +1577,,T1499.003,Application Exhaustion Flood,[],[],,CVE-2017-16115,Uncategorized,0 +1578,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-8648,Uncategorized,0 +1579,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-14059,Uncategorized,0 +1580,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-12888,Uncategorized,0 +1581,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-12655,Uncategorized,0 +1582,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-11884,Uncategorized,0 +1583,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-11668,Uncategorized,0 +1584,,T1499.004,Application or System Exploitation,[],[],,CVE-2019-16302,Uncategorized,0 +1585,,T1499.004,Application or System 
Exploitation,[],[],,CVE-2019-11869,Uncategorized,0 +1586,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-21091,Uncategorized,0 +1587,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-15454,Uncategorized,0 +1588,,T1499.004,Application or System Exploitation,[],[],,CVE-2018-14679,Uncategorized,0 +1589,,T1499.004,Application or System Exploitation,[],[],,CVE-2017-9142,Uncategorized,0 +1590,,T1499.004,Application or System Exploitation,[],[],,CVE-2017-10910,Uncategorized,0 +1591,,T1499.004,Application or System Exploitation,[],[],,CVE-2017-10810,Uncategorized,0 +1592,,T1499.004,Application or System Exploitation,[],[],,CVE-2011-1752,Uncategorized,0 +1593,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-12653,Uncategorized,0 +1594,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-12653,Uncategorized,0 +1595,,T1499.004,Application or System Exploitation,[],[],,CVE-2020-11608,Uncategorized,0 +1596,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-11608,Uncategorized,0 +1597,,T1499.004.,,[],[],,CVE-2020-12769,Uncategorized,0 +1598,,T1499.004.,,[],[],,CVE-2013-4854,Uncategorized,0 +1599,,T1505,Server Software Component,[],[],,CVE-2014-4148,Uncategorized,0 +1600,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2014-4148,Uncategorized,0 +1601,,T1136,Create Account,[],[],,CVE-2014-4148,Uncategorized,0 +1602,,T1190,Exploit Public-Facing Application,[],[],,CVE-2014-4148,Uncategorized,0 +1603,,T1505.003,Web Shell,[],[],,CVE-2016-3088,Uncategorized,0 +1604,,T1190,Exploit Public-Facing Application,[],[],,CVE-2016-3088,Uncategorized,0 +1605,,T1505.003,Web Shell,[],[],,CVE-2013-5576,Uncategorized,0 +1606,,T1190,Exploit Public-Facing Application,[],[],,CVE-2013-5576,Uncategorized,0 +1607,,T1518,Software Discovery,[],[],,CVE-2016-3351,Uncategorized,0 +1608,,T1528,Steal Application Access Token,[],[],,CVE-2020-11651,Uncategorized,0 +1609,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-11651,Uncategorized,0 
+1610,,T1059,Command and Scripting Interpreter,[],[],,CVE-2020-11651,Uncategorized,0 +1611,,T1528,Steal Application Access Token,[],[],,CVE-2020-5300,Uncategorized,0 +1612,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-5300,Uncategorized,0 +1613,,T1528,Steal Application Access Token,[],[],,CVE-2013-5054,Uncategorized,0 +1614,,T1212,Exploitation for Credential Access,[],[],,CVE-2013-5054,Uncategorized,0 +1615,,T1548,Abuse Elevation Control Mechanism,[],[],,CVE-2013-7246,Uncategorized,0 +1616,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2013-7246,Uncategorized,0 +1617,,T1548,Abuse Elevation Control Mechanism,[],[],,CVE-2017-14486,Uncategorized,0 +1618,,T1499.004,Application or System Exploitation,[],[],,CVE-2017-14486,Uncategorized,0 +1619,,T1548.002,Bypass User Account Control,[],[],,CVE-2013-5065,Uncategorized,0 +1620,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2013-5065,Uncategorized,0 +1621,,T1548.002,Bypass User Account Control,[],[],,CVE-2008-0655,Uncategorized,0 +1622,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2008-0655,Uncategorized,0 +1623,,T1550.002,Pass the Hash,[],[],,CVE-2010-5290,Uncategorized,0 +1624,,T1552.001,Credentials In Files,[],[],,CVE-2010-5290,Uncategorized,0 +1625,,T1552,Unsecured Credentials,[],[],,CVE-2020-4408,Uncategorized,0 +1626,,T1552,Unsecured Credentials,[],[],,CVE-2019-13922,Uncategorized,0 +1627,,T1552,Unsecured Credentials,[],[],,CVE-2018-7259,Uncategorized,0 +1628,,T1040,Network Sniffing,[],[],,CVE-2018-7259,Uncategorized,0 +1629,,T1552,Unsecured Credentials,[],[],,CVE-2018-18641,Uncategorized,0 +1630,,T1528,Steal Application Access Token,[],[],,CVE-2018-18641,Uncategorized,0 +1631,,T1552,Unsecured Credentials,[],[],,CVE-2017-14487,Uncategorized,0 +1632,,T1566,Phishing,[],[],,CVE-2017-14487,Uncategorized,0 +1633,,T1204,User Execution,[],[],,CVE-2017-14487,Uncategorized,0 +1634,,T880,,[],[],,CVE-2017-14487,Uncategorized,0 +1635,,T1553,Subvert Trust 
Controls,[],[],,CVE-2014-4077,Uncategorized,0 +1636,,T1557,Man-in-the-Middle,[],[],,CVE-2014-4077,Uncategorized,0 +1637,,T1553.002,Code Signing,[],[],,CVE-2014-4077,Uncategorized,0 +1638,,T1557,Man-in-the-Middle,[],[],,CVE-2018-0622,Uncategorized,0 +1639,,T1557,Man-in-the-Middle,[],[],,CVE-2015-7931,Uncategorized,0 +1640,,T1557,Man-in-the-Middle,[],[],,CVE-2014-3566,Uncategorized,0 +1641,,T1557,Man-in-the-Middle,[],[],,CVE-2018-16179,Uncategorized,0 +1642,,T1211,Exploitation for Defense Evasion,[],[],,CVE-2018-16179,Uncategorized,0 +1643,,T1563,Remote Service Session Hijacking,[],[],,CVE-2019-12258,Uncategorized,0 +1644,,T1565.003,Runtime Data Manipulation,[],[],,CVE-2018-10299,Uncategorized,0 +1645,,T1566,Phishing,[],[],,CVE-2020-1020,Uncategorized,0 +1646,,T1203,Exploitation for Client Execution,[],[],,CVE-2020-1020,Uncategorized,0 +1647,,T1566,Phishing,[],[],,CVE-2017-8759,Uncategorized,0 +1648,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-8759,Uncategorized,0 +1649,,T1566,Phishing,[],[],,CVE-2017-11847,Uncategorized,0 +1650,,T1203,Exploitation for Client Execution,[],[],,CVE-2017-11847,Uncategorized,0 +1651,,T1566,Phishing,[],[],,CVE-2013-3906,Uncategorized,0 +1652,,T1203,Exploitation for Client Execution,[],[],,CVE-2013-3906,Uncategorized,0 +1653,,T1566,Phishing,[],[],,CVE-2012-6467,Uncategorized,0 +1654,,T1203,Exploitation for Client Execution,[],[],,CVE-2012-6467,Uncategorized,0 +1655,,T1566.001,Spearphishing Attachment,[],[],,CVE-2019-6340,Uncategorized,0 +1656,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-6340,Uncategorized,0 +1657,,T1574,Hijack Execution Flow,[],[],,CVE-2020-4100,Uncategorized,0 +1658,,T1574,Hijack Execution Flow,[],[],,CVE-2020-0688,Uncategorized,0 +1659,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2020-0688,Uncategorized,0 +1660,,T1574,Hijack Execution Flow,[],[],,CVE-2019-0708,Uncategorized,0 +1661,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2019-0708,Uncategorized,0 +1662,,T1574.001,DLL 
Search Order Hijacking,[],[],,CVE-2018-10657,Uncategorized,0 +1663,,T1574.001,DLL Search Order Hijacking,[],[],,CVE-2009-0238,Uncategorized,0 +1664,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CVE-2018-11049,Uncategorized,0 +1665,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CVE-2012-1854,Uncategorized,0 +1666,,T1608,Stage Capabilities,[],[],,CVE-2019-0797,Uncategorized,0 +1667,,T1608,Stage Capabilities,[],[],,CVE-2018-8453,Uncategorized,0 +1668,,T1608,Stage Capabilities,[],[],,CVE-2018-8440,Uncategorized,0 +1669,,T1608,Stage Capabilities,[],[],,CVE-2018-19320,Uncategorized,0 +1670,,T1608,Stage Capabilities,[],[],,CVE-2016-7255,Uncategorized,0 +1671,,T1608,Stage Capabilities,[],[],,CVE-2016-0728,Uncategorized,0 +1672,,T1608,Stage Capabilities,[],[],,CVE-2016-0167,Uncategorized,0 +1673,,T1608,Stage Capabilities,[],[],,CVE-2016-0165,Uncategorized,0 +1674,,T1608,Stage Capabilities,[],[],,CVE-2015-6175,Uncategorized,0 +1675,,T1608,Stage Capabilities,[],[],,CVE-2015-2546,Uncategorized,0 +1676,,T1608,Stage Capabilities,[],[],,CVE-2014-4076,Uncategorized,0 +1677,,T1608,Stage Capabilities,[],[],,CVE-2013-6282,Uncategorized,0 +1678,,T1608,Stage Capabilities,[],[],,CVE-2013-3660,Uncategorized,0 +1679,,T1608,Stage Capabilities,[],[],,CVE-2012-2319,Uncategorized,0 +1680,,T1608,Stage Capabilities,[],[],,CVE-2011-1249,Uncategorized,0 +1681,,T1608,Stage Capabilities,[],[],,CVE-2010-3081,Uncategorized,0 +1682,,T1608,Stage Capabilities,[],[],,CVE-2010-0232,Uncategorized,0 +1683,,T1608,Stage Capabilities,[],[],,CVE-2008-3431,Uncategorized,0 +1684,,T1608,Stage Capabilities,[],[],,CVE-2010-3338,Uncategorized,0 +1685,,T1053.005,Scheduled Task,[],[],,CVE-2010-3338,Uncategorized,0 +1686,,T812,,[],[],,CVE-2018-14847,Uncategorized,0 +1687,,T1078,Valid Accounts,[],[],,CVE-2018-14847,Uncategorized,0 +1688,,T828,,[],[],,CVE-2018-18665,Uncategorized,0 +1689,,T828,,[],[],,CVE-2018-18667,Uncategorized,0 +1690,,T1565,Data 
Manipulation,[],[],,CVE-2018-18667,Uncategorized,0 +1691,,T828,,[],[],,CVE-2018-17877,Uncategorized,0 +1692,,T1565,Data Manipulation,[],[],,CVE-2018-17877,Uncategorized,0 +1693,,T828,,[],[],,CVE-2018-19831,Uncategorized,0 +1694,,T1565,Data Manipulation,[],[],,CVE-2018-19831,Uncategorized,0 +1695,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-19831,Uncategorized,0 +1696,,T828,,[],[],,CVE-2018-19830,Uncategorized,0 +1697,,T1565,Data Manipulation,[],[],,CVE-2018-19830,Uncategorized,0 +1698,,T1068,Exploitation for Privilege Escalation,[],[],,CVE-2018-19830,Uncategorized,0 +1699,,T828,,[],[],,CVE-2018-19833,Uncategorized,0 +1700,,T1565.001,Stored Data Manipulation,[],[],,CVE-2018-19833,Uncategorized,0 +1701,,T855,,[],[],,CVE-2019-13533,Uncategorized,0 +1702,,T842,,[],[],,CVE-2019-13533,Uncategorized,0 +1703,,T873,,[],[],,CVE-2019-10980,Uncategorized,0 +1704,,T1203,Exploitation for Client Execution,[],[],,CVE-2019-10980,Uncategorized,0 diff --git a/src/mappings_explorer/cli/mapex/cve_files/parsed_cve_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/cve_files/parsed_cve_mappings_metadata.csv new file mode 100644 index 00000000..9f7a5a26 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/cve_files/parsed_cve_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,,9.0,enterprise,,,02/03/21,10/27/21,,CVE Vulnerability List,,0 diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings.yaml b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings.yaml index a71bd37b..5d2cef66 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings.yaml 
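Review bot: The single row in `parsed_cve_mappings_metadata.csv` labels the whole CVE mapping set as `technology-domain` `enterprise` on `attack-version` `9.0`, yet the attack-objects fixture added just above it has rows with an empty name column and IDs that do not look well-formed (`TT1565`, `T1499.004.`, `T880`, `T812`, `T828`, `T855`, `T842`, `T873`). A consumer that joins these rows to ATT&CK data by ID within that one domain would presumably drop those CVE-to-technique mappings without any signal. Because these files become the expected test output, the parser should normalise or reject such IDs rather than have them recorded as correct. Separately, `creation-date` and `last-update` are written as `02/03/21` and `10/27/21`; an unambiguous form such as `YYYY-MM-DD` would be safer for anything that sorts or compares mapping freshness. The parser that produces these files is not in the visible hunks, so the root cause cannot be confirmed from here.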
@@ -1,7 +1,7 @@ attack-objects: - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -9,7 +9,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -17,7 +17,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25,7 +25,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -33,7 +33,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -41,7 +41,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -49,7 +49,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -57,7 +57,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -65,7 +65,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -73,7 +73,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -81,7 +81,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Permitted Actions Without Identification Or Authentication + capability-id: AC-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -89,7 +89,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -97,7 +97,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -105,7 +105,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -113,7 +113,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -121,7 +121,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -129,7 +129,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -137,7 +137,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -145,7 +145,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -153,7 +153,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -161,7 +161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -169,7 +169,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -177,7 +177,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -185,7 +185,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -193,7 +193,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -201,7 +201,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -209,7 +209,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -217,7 +217,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -225,7 +225,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -233,7 +233,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -241,7 +241,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -249,7 +249,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -257,7 +257,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -265,7 +265,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -273,7 +273,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -281,7 +281,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -289,7 +289,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -297,7 +297,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -305,7 +305,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -313,7 +313,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -321,7 +321,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -329,7 +329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -337,7 +337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -345,7 +345,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -353,7 +353,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -361,7 +361,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -369,7 +369,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -377,7 +377,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -385,7 +385,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -393,7 +393,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -401,7 +401,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -409,7 +409,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -417,7 +417,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -425,7 +425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -433,7 +433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -441,7 +441,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -449,7 +449,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -457,7 +457,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -465,7 +465,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -473,7 +473,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -481,7 +481,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -489,7 +489,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -497,7 +497,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -505,7 +505,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -513,7 +513,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -521,7 +521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -529,7 +529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -537,7 +537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -545,7 +545,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -553,7 +553,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -561,7 +561,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -569,7 +569,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -577,7 +577,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -585,7 +585,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -593,7 +593,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -601,7 +601,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -609,7 +609,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -617,7 +617,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -625,7 +625,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -633,7 +633,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -641,7 +641,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -649,7 +649,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -657,7 +657,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -665,7 +665,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -673,7 +673,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -681,7 +681,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -689,7 +689,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -697,7 +697,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -705,7 +705,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -713,7 +713,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -721,7 +721,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -729,7 +729,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -737,7 +737,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -745,7 +745,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -753,7 +753,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -761,7 +761,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -769,7 +769,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -777,7 +777,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -785,7 +785,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -793,7 +793,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -801,7 +801,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -809,7 +809,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -817,7 +817,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -825,7 +825,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -833,7 +833,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -841,7 +841,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -849,7 +849,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -857,7 +857,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -865,7 +865,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -873,7 +873,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -881,7 +881,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -889,7 +889,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -897,7 +897,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -905,7 +905,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -913,7 +913,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -921,7 +921,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -929,7 +929,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -937,7 +937,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -945,7 +945,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -953,7 +953,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -961,7 +961,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -969,7 +969,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -977,7 +977,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -985,7 +985,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -993,7 +993,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1001,7 +1001,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1009,7 +1009,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1017,7 +1017,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1025,7 +1025,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1033,7 +1033,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1041,7 +1041,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1049,7 +1049,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1057,7 +1057,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1065,7 +1065,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1073,7 +1073,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1081,7 +1081,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1089,7 +1089,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1097,7 +1097,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1105,7 +1105,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1113,7 +1113,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1121,7 +1121,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1129,7 +1129,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1137,7 +1137,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1145,7 +1145,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1153,7 +1153,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1161,7 +1161,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1169,7 +1169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1177,7 +1177,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1185,7 +1185,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1193,7 +1193,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1201,7 +1201,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1209,7 +1209,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1217,7 +1217,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1225,7 +1225,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1233,7 +1233,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1241,7 +1241,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1249,7 +1249,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1257,7 +1257,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1265,7 +1265,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1273,7 +1273,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1281,7 +1281,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1289,7 +1289,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1297,7 +1297,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1305,7 +1305,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1313,7 +1313,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1321,7 +1321,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1329,7 +1329,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1337,7 +1337,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1345,7 +1345,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1353,7 +1353,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1361,7 +1361,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1369,7 +1369,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1377,7 +1377,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1385,7 +1385,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1393,7 +1393,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1401,7 +1401,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1409,7 +1409,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1417,7 +1417,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1425,7 +1425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1433,7 +1433,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1441,7 +1441,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1449,7 +1449,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1457,7 +1457,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1465,7 +1465,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1473,7 +1473,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1481,7 +1481,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1489,7 +1489,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1497,7 +1497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1505,7 +1505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1513,7 +1513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1521,7 +1521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1529,7 +1529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1537,7 +1537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1545,7 +1545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1553,7 +1553,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1561,7 +1561,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1569,7 +1569,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1577,7 +1577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1585,7 +1585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1593,7 +1593,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1601,7 +1601,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1609,7 +1609,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1617,7 +1617,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1625,7 +1625,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1633,7 +1633,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1641,7 +1641,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1649,7 +1649,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1657,7 +1657,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1665,7 +1665,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1673,7 +1673,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1681,7 +1681,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1689,7 +1689,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1697,7 +1697,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1705,7 +1705,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1713,7 +1713,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1721,7 +1721,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1729,7 +1729,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1737,7 +1737,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1745,7 +1745,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1753,7 +1753,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1761,7 +1761,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1769,7 +1769,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1777,7 +1777,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1785,7 +1785,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1793,7 +1793,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1801,7 +1801,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1809,7 +1809,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1817,7 +1817,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1825,7 +1825,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1833,7 +1833,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1841,7 +1841,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1849,7 +1849,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1857,7 +1857,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1865,7 +1865,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1873,7 +1873,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1881,7 +1881,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1889,7 +1889,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1897,7 +1897,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1905,7 +1905,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1913,7 +1913,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1921,7 +1921,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1929,7 +1929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1937,7 +1937,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1945,7 +1945,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1953,7 +1953,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1961,7 +1961,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1969,7 +1969,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1977,7 +1977,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1985,7 +1985,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1993,7 +1993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2001,7 +2001,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2009,7 +2009,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2017,7 +2017,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2025,7 +2025,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2033,7 +2033,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2041,7 +2041,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2049,7 +2049,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2057,7 +2057,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2065,7 +2065,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2073,7 +2073,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2081,7 +2081,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2089,7 +2089,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2097,7 +2097,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2105,7 +2105,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2113,7 +2113,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2121,7 +2121,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2129,7 +2129,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2137,7 +2137,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2145,7 +2145,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2153,7 +2153,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2161,7 +2161,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2169,7 +2169,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2177,7 +2177,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2185,7 +2185,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2193,7 +2193,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2201,7 +2201,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2209,7 +2209,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2217,7 +2217,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2225,7 +2225,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2233,7 +2233,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2241,7 +2241,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2249,7 +2249,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2257,7 +2257,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2265,7 +2265,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2273,7 +2273,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2281,7 +2281,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2289,7 +2289,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2297,7 +2297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2305,7 +2305,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2313,7 +2313,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2321,7 +2321,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2329,7 +2329,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2337,7 +2337,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2345,7 +2345,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2353,7 +2353,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2361,7 +2361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2369,7 +2369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2377,7 +2377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2385,7 +2385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2393,7 +2393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2401,7 +2401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2409,7 +2409,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2417,7 +2417,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2425,7 +2425,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2433,7 +2433,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2441,7 +2441,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2449,7 +2449,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2457,7 +2457,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2465,7 +2465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2473,7 +2473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2481,7 +2481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2489,7 +2489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2497,7 +2497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2505,7 +2505,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2513,7 +2513,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2521,7 +2521,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2529,7 +2529,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2537,7 +2537,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2545,7 +2545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2553,7 +2553,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2561,7 +2561,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2569,7 +2569,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2577,7 +2577,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2585,7 +2585,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2593,7 +2593,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2601,7 +2601,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2609,7 +2609,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2617,7 +2617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2625,7 +2625,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2633,7 +2633,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2641,7 +2641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2649,7 +2649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2657,7 +2657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2665,7 +2665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2673,7 +2673,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2681,7 +2681,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2689,7 +2689,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2697,7 +2697,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2705,7 +2705,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2713,7 +2713,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2721,7 +2721,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2729,7 +2729,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2737,7 +2737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2745,7 +2745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2753,7 +2753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2761,7 +2761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2769,7 +2769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2777,7 +2777,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2785,7 +2785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2793,7 +2793,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2801,7 +2801,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2809,7 +2809,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2817,7 +2817,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2825,7 +2825,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2833,7 +2833,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2841,7 +2841,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2849,7 +2849,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2857,7 +2857,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2865,7 +2865,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2873,7 +2873,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2881,7 +2881,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2889,7 +2889,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2897,7 +2897,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2905,7 +2905,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2913,7 +2913,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2921,7 +2921,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2929,7 +2929,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2937,7 +2937,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2945,7 +2945,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2953,7 +2953,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2961,7 +2961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2969,7 +2969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2977,7 +2977,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2985,7 +2985,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2993,7 +2993,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3001,7 +3001,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3009,7 +3009,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3017,7 +3017,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3025,7 +3025,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3033,7 +3033,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3041,7 +3041,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3049,7 +3049,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3057,7 +3057,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3065,7 +3065,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3073,7 +3073,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3081,7 +3081,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3089,7 +3089,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3097,7 +3097,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3105,7 +3105,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3113,7 +3113,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3121,7 +3121,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3129,7 +3129,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3137,7 +3137,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3145,7 +3145,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3153,7 +3153,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3161,7 +3161,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3169,7 +3169,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3177,7 +3177,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3185,7 +3185,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3193,7 +3193,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3201,7 +3201,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3209,7 +3209,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3217,7 +3217,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3225,7 +3225,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3233,7 +3233,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3241,7 +3241,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3249,7 +3249,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3257,7 +3257,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3265,7 +3265,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3273,7 +3273,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3281,7 +3281,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3289,7 +3289,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3297,7 +3297,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3305,7 +3305,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3313,7 +3313,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3321,7 +3321,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3329,7 +3329,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3337,7 +3337,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3345,7 +3345,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3353,7 +3353,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3361,7 +3361,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3369,7 +3369,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3377,7 +3377,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3385,7 +3385,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3393,7 +3393,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3401,7 +3401,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3409,7 +3409,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3417,7 +3417,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3425,7 +3425,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3433,7 +3433,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3441,7 +3441,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3449,7 +3449,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3457,7 +3457,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -3465,7 +3465,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -3473,7 +3473,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -3481,7 +3481,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3489,7 +3489,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3497,7 +3497,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3505,7 +3505,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3513,7 +3513,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3521,7 +3521,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3529,7 +3529,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3537,7 +3537,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3545,7 +3545,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3553,7 +3553,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3561,7 +3561,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3569,7 +3569,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3577,7 +3577,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3585,7 +3585,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3593,7 +3593,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3601,7 +3601,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3609,7 +3609,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3617,7 +3617,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates @@ -3625,7 +3625,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates @@ -3633,7 +3633,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates @@ -3641,7 +3641,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3649,7 +3649,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3657,7 +3657,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3665,7 +3665,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3673,7 +3673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3681,7 +3681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3689,7 +3689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3697,7 +3697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3705,7 +3705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3713,7 +3713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3721,7 +3721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3729,7 +3729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3737,7 +3737,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3745,7 +3745,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3753,7 +3753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3761,7 +3761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3769,7 +3769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3777,7 +3777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3785,7 +3785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3793,7 +3793,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3801,7 +3801,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3809,7 +3809,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3817,7 +3817,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3825,7 +3825,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3833,7 +3833,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3841,7 +3841,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3849,7 +3849,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3857,7 +3857,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3865,7 +3865,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3873,7 +3873,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3881,7 +3881,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3889,7 +3889,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3897,7 +3897,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3905,7 +3905,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3913,7 +3913,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3921,7 +3921,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3929,7 +3929,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3937,7 +3937,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3945,7 +3945,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3953,7 +3953,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3961,7 +3961,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3969,7 +3969,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3977,7 +3977,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3985,7 +3985,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3993,7 +3993,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4001,7 +4001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4009,7 +4009,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4017,7 +4017,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4025,7 +4025,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4033,7 +4033,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4041,7 +4041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4049,7 +4049,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4057,7 +4057,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4065,7 +4065,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4073,7 +4073,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4081,7 +4081,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4089,7 +4089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4097,7 +4097,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4105,7 +4105,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4113,7 +4113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4121,7 +4121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4129,7 +4129,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4137,7 +4137,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4145,7 +4145,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4153,7 +4153,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4161,7 +4161,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4169,7 +4169,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4177,7 +4177,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4185,7 +4185,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4193,7 +4193,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4201,7 +4201,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4209,7 +4209,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4217,7 +4217,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4225,7 +4225,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4233,7 +4233,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4241,7 +4241,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4249,7 +4249,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4257,7 +4257,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4265,7 +4265,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4273,7 +4273,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4281,7 +4281,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4289,7 +4289,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4297,7 +4297,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4305,7 +4305,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4313,7 +4313,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4321,7 +4321,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4329,7 +4329,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4337,7 +4337,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4345,7 +4345,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4353,7 +4353,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4361,7 +4361,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4369,7 +4369,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4377,7 +4377,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4385,7 +4385,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4393,7 +4393,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4401,7 +4401,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4409,7 +4409,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4417,7 +4417,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4425,7 +4425,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4433,7 +4433,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4441,7 +4441,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4449,7 +4449,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4457,7 +4457,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4465,7 +4465,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4473,7 +4473,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4481,7 +4481,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4489,7 +4489,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4497,7 +4497,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4505,7 +4505,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4513,7 +4513,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4521,7 +4521,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4529,7 +4529,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4537,7 +4537,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4545,7 +4545,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4553,7 +4553,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4561,7 +4561,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4569,7 +4569,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4577,7 +4577,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4585,7 +4585,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4593,7 +4593,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4601,7 +4601,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4609,7 +4609,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4617,7 +4617,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4625,7 +4625,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4633,7 +4633,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4641,7 +4641,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4649,7 +4649,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4657,7 +4657,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4665,7 +4665,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4673,7 +4673,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4681,7 +4681,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4689,7 +4689,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4697,7 +4697,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4705,7 +4705,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4713,7 +4713,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4721,7 +4721,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4729,7 +4729,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4737,7 +4737,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4745,7 +4745,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4753,7 +4753,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4761,7 +4761,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4769,7 +4769,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4777,7 +4777,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4785,7 +4785,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4793,7 +4793,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4801,7 +4801,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4809,7 +4809,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4817,7 +4817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4825,7 +4825,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4833,7 +4833,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4841,7 +4841,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4849,7 +4849,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4857,7 +4857,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4865,7 +4865,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4873,7 +4873,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4881,7 +4881,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4889,7 +4889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4897,7 +4897,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4905,7 +4905,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4913,7 +4913,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4921,7 +4921,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4929,7 +4929,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4937,7 +4937,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4945,7 +4945,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4953,7 +4953,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4961,7 +4961,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4969,7 +4969,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4977,7 +4977,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4985,7 +4985,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4993,7 +4993,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5001,7 +5001,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5009,7 +5009,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5017,7 +5017,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5025,7 +5025,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5033,7 +5033,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5041,7 +5041,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5049,7 +5049,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5057,7 +5057,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5065,7 +5065,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5073,7 +5073,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5081,7 +5081,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5089,7 +5089,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5097,7 +5097,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5105,7 +5105,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5113,7 +5113,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5121,7 +5121,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5129,7 +5129,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5137,7 +5137,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5145,7 +5145,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5153,7 +5153,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5161,7 +5161,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5169,7 +5169,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5177,7 +5177,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5185,7 +5185,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5193,7 +5193,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5201,7 +5201,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5209,7 +5209,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5217,7 +5217,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5225,7 +5225,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5233,7 +5233,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5241,7 +5241,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5249,7 +5249,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5257,7 +5257,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5265,7 +5265,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5273,7 +5273,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5281,7 +5281,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5289,7 +5289,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5297,7 +5297,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5305,7 +5305,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5313,7 +5313,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5321,7 +5321,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5329,7 +5329,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5337,7 +5337,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5345,7 +5345,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5353,7 +5353,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5361,7 +5361,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5369,7 +5369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5377,7 +5377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5385,7 +5385,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5393,7 +5393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5401,7 +5401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5409,7 +5409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5417,7 +5417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5425,7 +5425,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5433,7 +5433,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5441,7 +5441,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5449,7 +5449,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5457,7 +5457,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5465,7 +5465,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5473,7 +5473,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5481,7 +5481,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5489,7 +5489,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5497,7 +5497,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5505,7 +5505,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5513,7 +5513,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5521,7 +5521,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5529,7 +5529,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5537,7 +5537,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5545,7 +5545,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5553,7 +5553,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5561,7 +5561,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5569,7 +5569,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5577,7 +5577,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5585,7 +5585,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5593,7 +5593,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5601,7 +5601,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5609,7 +5609,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5617,7 +5617,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5625,7 +5625,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5633,7 +5633,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5641,7 +5641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5649,7 +5649,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5657,7 +5657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5665,7 +5665,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5673,7 +5673,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5681,7 +5681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5689,7 +5689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5697,7 +5697,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5705,7 +5705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5713,7 +5713,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5721,7 +5721,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5729,7 +5729,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5737,7 +5737,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5745,7 +5745,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5753,7 +5753,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5761,7 +5761,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5769,7 +5769,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5777,7 +5777,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5785,7 +5785,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5793,7 +5793,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5801,7 +5801,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5809,7 +5809,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5817,7 +5817,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5825,7 +5825,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5833,7 +5833,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5841,7 +5841,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5849,7 +5849,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5857,7 +5857,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5865,7 +5865,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5873,7 +5873,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5881,7 +5881,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5889,7 +5889,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5897,7 +5897,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5905,7 +5905,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5913,7 +5913,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5921,7 +5921,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5929,7 +5929,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5937,7 +5937,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5945,7 +5945,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5953,7 +5953,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5961,7 +5961,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5969,7 +5969,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5977,7 +5977,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5985,7 +5985,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5993,7 +5993,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6001,7 +6001,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6009,7 +6009,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6017,7 +6017,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6025,7 +6025,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6033,7 +6033,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6041,7 +6041,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6049,7 +6049,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6057,7 +6057,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6065,7 +6065,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6073,7 +6073,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6081,7 +6081,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6089,7 +6089,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6097,7 +6097,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6105,7 +6105,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6113,7 +6113,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6121,7 +6121,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6129,7 +6129,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6137,7 +6137,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6145,7 +6145,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6153,7 +6153,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6161,7 +6161,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6169,7 +6169,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6177,7 +6177,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6185,7 +6185,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6193,7 +6193,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6201,7 +6201,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6209,7 +6209,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6217,7 +6217,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6225,7 +6225,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6233,7 +6233,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6241,7 +6241,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6249,7 +6249,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6257,7 +6257,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6265,7 +6265,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6273,7 +6273,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6281,7 +6281,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6289,7 +6289,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6297,7 +6297,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6305,7 +6305,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6313,7 +6313,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6321,7 +6321,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6329,7 +6329,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6337,7 +6337,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6345,7 +6345,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6353,7 +6353,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6361,7 +6361,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6369,7 +6369,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6377,7 +6377,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6385,7 +6385,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6393,7 +6393,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6401,7 +6401,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6409,7 +6409,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6417,7 +6417,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6425,7 +6425,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6433,7 +6433,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6441,7 +6441,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6449,7 +6449,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6457,7 +6457,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6465,7 +6465,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6473,7 +6473,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6481,7 +6481,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6489,7 +6489,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6497,7 +6497,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6505,7 +6505,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6513,7 +6513,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6521,7 +6521,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6529,7 +6529,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6537,7 +6537,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6545,7 +6545,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6553,7 +6553,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6561,7 +6561,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6569,7 +6569,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6577,7 +6577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6585,7 +6585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6593,7 +6593,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6601,7 +6601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6609,7 +6609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6617,7 +6617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6625,7 +6625,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6633,7 +6633,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6641,7 +6641,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6649,7 +6649,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6657,7 +6657,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6665,7 +6665,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6673,7 +6673,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6681,7 +6681,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6689,7 +6689,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6697,7 +6697,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6705,7 +6705,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6713,7 +6713,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6721,7 +6721,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6729,7 +6729,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6737,7 +6737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6745,7 +6745,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6753,7 +6753,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6761,7 +6761,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6769,7 +6769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6777,7 +6777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6785,7 +6785,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6793,7 +6793,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6801,7 +6801,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6809,7 +6809,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6817,7 +6817,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6825,7 +6825,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6833,7 +6833,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6841,7 +6841,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6849,7 +6849,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6857,7 +6857,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6865,7 +6865,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6873,7 +6873,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6881,7 +6881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6889,7 +6889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6897,7 +6897,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6905,7 +6905,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6913,7 +6913,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6921,7 +6921,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6929,7 +6929,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6937,7 +6937,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6945,7 +6945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6953,7 +6953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6961,7 +6961,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6969,7 +6969,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6977,7 +6977,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6985,7 +6985,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6993,7 +6993,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7001,7 +7001,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7009,7 +7009,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7017,7 +7017,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7025,7 +7025,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7033,7 +7033,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7041,7 +7041,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7049,7 +7049,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7057,7 +7057,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7065,7 +7065,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7073,7 +7073,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7081,7 +7081,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7089,7 +7089,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7097,7 +7097,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7105,7 +7105,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7113,7 +7113,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7121,7 +7121,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7129,7 +7129,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7137,7 +7137,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7145,7 +7145,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7153,7 +7153,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7161,7 +7161,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7169,7 +7169,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7177,7 +7177,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7185,7 +7185,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7193,7 +7193,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7201,7 +7201,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7209,7 +7209,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7217,7 +7217,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7225,7 +7225,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7233,7 +7233,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7241,7 +7241,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7249,7 +7249,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7257,7 +7257,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7265,7 +7265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7273,7 +7273,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7281,7 +7281,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7289,7 +7289,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7297,7 +7297,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7305,7 +7305,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7313,7 +7313,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7321,7 +7321,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7329,7 +7329,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7337,7 +7337,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7345,7 +7345,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7353,7 +7353,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7361,7 +7361,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7369,7 +7369,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7377,7 +7377,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7385,7 +7385,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7393,7 +7393,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7401,7 +7401,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7409,7 +7409,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7417,7 +7417,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7425,7 +7425,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7433,7 +7433,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7441,7 +7441,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7449,7 +7449,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7457,7 +7457,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7465,7 +7465,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7473,7 +7473,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7481,7 +7481,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7489,7 +7489,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7497,7 +7497,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7505,7 +7505,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7513,7 +7513,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7521,7 +7521,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7529,7 +7529,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7537,7 +7537,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7545,7 +7545,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7553,7 +7553,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7561,7 +7561,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7569,7 +7569,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7577,7 +7577,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7585,7 +7585,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7593,7 +7593,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7601,7 +7601,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7609,7 +7609,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7617,7 +7617,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7625,7 +7625,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7633,7 +7633,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7641,7 +7641,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7649,7 +7649,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7657,7 +7657,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7665,7 +7665,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7673,7 +7673,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7681,7 +7681,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7689,7 +7689,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7697,7 +7697,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7705,7 +7705,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7713,7 +7713,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7721,7 +7721,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7729,7 +7729,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7737,7 +7737,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7745,7 +7745,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7753,7 +7753,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7761,7 +7761,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7769,7 +7769,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7777,7 +7777,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7785,7 +7785,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7793,7 +7793,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7801,7 +7801,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7809,7 +7809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7817,7 +7817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7825,7 +7825,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7833,7 +7833,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7841,7 +7841,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7849,7 +7849,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7857,7 +7857,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7865,7 +7865,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7873,7 +7873,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7881,7 +7881,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7889,7 +7889,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7897,7 +7897,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7905,7 +7905,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7913,7 +7913,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7921,7 +7921,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7929,7 +7929,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7937,7 +7937,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7945,7 +7945,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7953,7 +7953,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7961,7 +7961,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7969,7 +7969,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7977,7 +7977,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7985,7 +7985,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7993,7 +7993,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8001,7 +8001,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8009,7 +8009,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8017,7 +8017,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8025,7 +8025,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8033,7 +8033,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8041,7 +8041,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8049,7 +8049,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8057,7 +8057,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8065,7 +8065,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8073,7 +8073,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8081,7 +8081,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8089,7 +8089,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8097,7 +8097,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8105,7 +8105,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8113,7 +8113,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8121,7 +8121,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8129,7 +8129,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8137,7 +8137,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8145,7 +8145,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8153,7 +8153,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8161,7 +8161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8169,7 +8169,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8177,7 +8177,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8185,7 +8185,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8193,7 +8193,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8201,7 +8201,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8209,7 +8209,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8217,7 +8217,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8225,7 +8225,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8233,7 +8233,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8241,7 +8241,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8249,7 +8249,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8257,7 +8257,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8265,7 +8265,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8273,7 +8273,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8281,7 +8281,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8289,7 +8289,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8297,7 +8297,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8305,7 +8305,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8313,7 +8313,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8321,7 +8321,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8329,7 +8329,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8337,7 +8337,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8345,7 +8345,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8353,7 +8353,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8361,7 +8361,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8369,7 +8369,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8377,7 +8377,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8385,7 +8385,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8393,7 +8393,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8401,7 +8401,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8409,7 +8409,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8417,7 +8417,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8425,7 +8425,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8433,7 +8433,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8441,7 +8441,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8449,7 +8449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8457,7 +8457,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8465,7 +8465,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8473,7 +8473,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8481,7 +8481,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8489,7 +8489,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8497,7 +8497,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8505,7 +8505,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8513,7 +8513,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8521,7 +8521,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8529,7 +8529,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8537,7 +8537,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8545,7 +8545,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8553,7 +8553,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8561,7 +8561,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8569,7 +8569,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8577,7 +8577,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8585,7 +8585,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8593,7 +8593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8601,7 +8601,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8609,7 +8609,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8617,7 +8617,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8625,7 +8625,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8633,7 +8633,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8641,7 +8641,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8649,7 +8649,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8657,7 +8657,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8665,7 +8665,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8673,7 +8673,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8681,7 +8681,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8689,7 +8689,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8697,7 +8697,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8705,7 +8705,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8713,7 +8713,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8721,7 +8721,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8729,7 +8729,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8737,7 +8737,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8745,7 +8745,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8753,7 +8753,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8761,7 +8761,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8769,7 +8769,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8777,7 +8777,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8785,7 +8785,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8793,7 +8793,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8801,7 +8801,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8809,7 +8809,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8817,7 +8817,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8825,7 +8825,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8833,7 +8833,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8841,7 +8841,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8849,7 +8849,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8857,7 +8857,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8865,7 +8865,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8873,7 +8873,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8881,7 +8881,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8889,7 +8889,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8897,7 +8897,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8905,7 +8905,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8913,7 +8913,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8921,7 +8921,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8929,7 +8929,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8937,7 +8937,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8945,7 +8945,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8953,7 +8953,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8961,7 +8961,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8969,7 +8969,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8977,7 +8977,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8985,7 +8985,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8993,7 +8993,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9001,7 +9001,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9009,7 +9009,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9017,7 +9017,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9025,7 +9025,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9033,7 +9033,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9041,7 +9041,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9049,7 +9049,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9057,7 +9057,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9065,7 +9065,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9073,7 +9073,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9081,7 +9081,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9089,7 +9089,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9097,7 +9097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9105,7 +9105,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9113,7 +9113,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9121,7 +9121,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9129,7 +9129,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9137,7 +9137,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9145,7 +9145,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9153,7 +9153,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9161,7 +9161,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9169,7 +9169,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9177,7 +9177,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9185,7 +9185,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9193,7 +9193,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9201,7 +9201,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9209,7 +9209,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9217,7 +9217,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9225,7 +9225,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9233,7 +9233,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9241,7 +9241,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9249,7 +9249,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9257,7 +9257,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9265,7 +9265,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9273,7 +9273,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9281,7 +9281,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9289,7 +9289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9297,7 +9297,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9305,7 +9305,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9313,7 +9313,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9321,7 +9321,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9329,7 +9329,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9337,7 +9337,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9345,7 +9345,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9353,7 +9353,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9361,7 +9361,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9369,7 +9369,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9377,7 +9377,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9385,7 +9385,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9393,7 +9393,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9401,7 +9401,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9409,7 +9409,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9417,7 +9417,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9425,7 +9425,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9433,7 +9433,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9441,7 +9441,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9449,7 +9449,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9457,7 +9457,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9465,7 +9465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9473,7 +9473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9481,7 +9481,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9489,7 +9489,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9497,7 +9497,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9505,7 +9505,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9513,7 +9513,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9521,7 +9521,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9529,7 +9529,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9537,7 +9537,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9545,7 +9545,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9553,7 +9553,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9561,7 +9561,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9569,7 +9569,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9577,7 +9577,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9585,7 +9585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9593,7 +9593,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9601,7 +9601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9609,7 +9609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9617,7 +9617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9625,7 +9625,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9633,7 +9633,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9641,7 +9641,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9649,7 +9649,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9657,7 +9657,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9665,7 +9665,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9673,7 +9673,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9681,7 +9681,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9689,7 +9689,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9697,7 +9697,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9705,7 +9705,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9713,7 +9713,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9721,7 +9721,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9729,7 +9729,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9737,7 +9737,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9745,7 +9745,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9753,7 +9753,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9761,7 +9761,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9769,7 +9769,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9777,7 +9777,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9785,7 +9785,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9793,7 +9793,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9801,7 +9801,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9809,7 +9809,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9817,7 +9817,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9825,7 +9825,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9833,7 +9833,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9841,7 +9841,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9849,7 +9849,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9857,7 +9857,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9865,7 +9865,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9873,7 +9873,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9881,7 +9881,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9889,7 +9889,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9897,7 +9897,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9905,7 +9905,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9913,7 +9913,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9921,7 +9921,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9929,7 +9929,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: System Use Notification + capability-id: AC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -9937,7 +9937,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9945,7 +9945,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9953,7 +9953,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9961,7 +9961,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9969,7 +9969,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9977,7 +9977,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -9985,7 +9985,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -9993,7 +9993,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10001,7 +10001,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10009,7 +10009,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10017,7 +10017,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10025,7 +10025,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10033,7 +10033,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10041,7 +10041,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10049,7 +10049,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10057,7 +10057,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10065,7 +10065,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10073,7 +10073,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10081,7 +10081,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10089,7 +10089,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10097,7 +10097,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10105,7 +10105,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10113,7 +10113,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10121,7 +10121,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10129,7 +10129,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10137,7 +10137,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10145,7 +10145,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10153,7 +10153,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10161,7 +10161,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10169,7 +10169,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10177,7 +10177,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10185,7 +10185,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10193,7 +10193,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10201,7 +10201,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10209,7 +10209,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10217,7 +10217,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10225,7 +10225,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10233,7 +10233,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10241,7 +10241,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10249,7 +10249,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10257,7 +10257,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10265,7 +10265,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10273,7 +10273,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10281,7 +10281,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10289,7 +10289,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10297,7 +10297,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10305,7 +10305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10313,7 +10313,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10321,7 +10321,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10329,7 +10329,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10337,7 +10337,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10345,7 +10345,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10353,7 +10353,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10361,7 +10361,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10369,7 +10369,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10377,7 +10377,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10385,7 +10385,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10393,7 +10393,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10401,7 +10401,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10409,7 +10409,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10417,7 +10417,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10425,7 +10425,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10433,7 +10433,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10441,7 +10441,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10449,7 +10449,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10457,7 +10457,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10465,7 +10465,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10473,7 +10473,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10481,7 +10481,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10489,7 +10489,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10497,7 +10497,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10505,7 +10505,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10513,7 +10513,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10521,7 +10521,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10529,7 +10529,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10537,7 +10537,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10545,7 +10545,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10553,7 +10553,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10561,7 +10561,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10569,7 +10569,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10577,7 +10577,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10585,7 +10585,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10593,7 +10593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10601,7 +10601,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10609,7 +10609,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10617,7 +10617,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10625,7 +10625,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10633,7 +10633,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10641,7 +10641,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10649,7 +10649,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10657,7 +10657,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10665,7 +10665,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10673,7 +10673,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10681,7 +10681,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10689,7 +10689,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10697,7 +10697,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10705,7 +10705,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10713,7 +10713,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10721,7 +10721,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10729,7 +10729,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10737,7 +10737,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10745,7 +10745,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10753,7 +10753,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10761,7 +10761,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10769,7 +10769,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10777,7 +10777,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10785,7 +10785,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10793,7 +10793,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10801,7 +10801,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10809,7 +10809,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10817,7 +10817,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10825,7 +10825,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10833,7 +10833,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10841,7 +10841,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10849,7 +10849,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10857,7 +10857,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10865,7 +10865,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10873,7 +10873,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10881,7 +10881,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10889,7 +10889,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10897,7 +10897,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10905,7 +10905,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10913,7 +10913,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10921,7 +10921,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10929,7 +10929,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10937,7 +10937,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10945,7 +10945,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10953,7 +10953,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10961,7 +10961,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10969,7 +10969,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10977,7 +10977,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10985,7 +10985,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10993,7 +10993,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11001,7 +11001,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11009,7 +11009,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11017,7 +11017,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11025,7 +11025,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11033,7 +11033,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11041,7 +11041,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11049,7 +11049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11057,7 +11057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11065,7 +11065,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11073,7 +11073,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11081,7 +11081,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11089,7 +11089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11097,7 +11097,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11105,7 +11105,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11113,7 +11113,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11121,7 +11121,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11129,7 +11129,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11137,7 +11137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11145,7 +11145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11153,7 +11153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11161,7 +11161,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11169,7 +11169,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11177,7 +11177,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11185,7 +11185,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11193,7 +11193,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11201,7 +11201,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11209,7 +11209,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11217,7 +11217,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11225,7 +11225,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11233,7 +11233,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11241,7 +11241,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11249,7 +11249,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11257,7 +11257,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11265,7 +11265,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11273,7 +11273,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11281,7 +11281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11289,7 +11289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11297,7 +11297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11305,7 +11305,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11313,7 +11313,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11321,7 +11321,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11329,7 +11329,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11337,7 +11337,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11345,7 +11345,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11353,7 +11353,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11361,7 +11361,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11369,7 +11369,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11377,7 +11377,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11385,7 +11385,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11393,7 +11393,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11401,7 +11401,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11409,7 +11409,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11417,7 +11417,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11425,7 +11425,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11433,7 +11433,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11441,7 +11441,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11449,7 +11449,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11457,7 +11457,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11465,7 +11465,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11473,7 +11473,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11481,7 +11481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11489,7 +11489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11497,7 +11497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11505,7 +11505,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11513,7 +11513,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11521,7 +11521,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11529,7 +11529,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11537,7 +11537,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11545,7 +11545,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11553,7 +11553,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11561,7 +11561,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11569,7 +11569,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11577,7 +11577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11585,7 +11585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11593,7 +11593,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11601,7 +11601,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11609,7 +11609,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11617,7 +11617,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11625,7 +11625,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11633,7 +11633,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11641,7 +11641,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11649,7 +11649,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11657,7 +11657,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11665,7 +11665,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11673,7 +11673,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11681,7 +11681,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11689,7 +11689,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11697,7 +11697,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11705,7 +11705,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11713,7 +11713,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11721,7 +11721,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11729,7 +11729,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11737,7 +11737,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11745,7 +11745,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11753,7 +11753,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11761,7 +11761,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11769,7 +11769,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11777,7 +11777,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11785,7 +11785,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11793,7 +11793,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11801,7 +11801,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11809,7 +11809,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11817,7 +11817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11825,7 +11825,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11833,7 +11833,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11841,7 +11841,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11849,7 +11849,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11857,7 +11857,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11865,7 +11865,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11873,7 +11873,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11881,7 +11881,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11889,7 +11889,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11897,7 +11897,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11905,7 +11905,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11913,7 +11913,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11921,7 +11921,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11929,7 +11929,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11937,7 +11937,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11945,7 +11945,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11953,7 +11953,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11961,7 +11961,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11969,7 +11969,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11977,7 +11977,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11985,7 +11985,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11993,7 +11993,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12001,7 +12001,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12009,7 +12009,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12017,7 +12017,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12025,7 +12025,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12033,7 +12033,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12041,7 +12041,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12049,7 +12049,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12057,7 +12057,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12065,7 +12065,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12073,7 +12073,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12081,7 +12081,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12089,7 +12089,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12097,7 +12097,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12105,7 +12105,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12113,7 +12113,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12121,7 +12121,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12129,7 +12129,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12137,7 +12137,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12145,7 +12145,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12153,7 +12153,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12161,7 +12161,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12169,7 +12169,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12177,7 +12177,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12185,7 +12185,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12193,7 +12193,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12201,7 +12201,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12209,7 +12209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12217,7 +12217,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12225,7 +12225,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12233,7 +12233,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12241,7 +12241,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12249,7 +12249,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12257,7 +12257,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12265,7 +12265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12273,7 +12273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12281,7 +12281,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12289,7 +12289,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12297,7 +12297,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12305,7 +12305,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12313,7 +12313,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12321,7 +12321,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12329,7 +12329,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12337,7 +12337,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12345,7 +12345,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12353,7 +12353,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12361,7 +12361,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12369,7 +12369,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12377,7 +12377,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12385,7 +12385,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12393,7 +12393,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12401,7 +12401,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12409,7 +12409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12417,7 +12417,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12425,7 +12425,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12433,7 +12433,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12441,7 +12441,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12449,7 +12449,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12457,7 +12457,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12465,7 +12465,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12473,7 +12473,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12481,7 +12481,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12489,7 +12489,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12497,7 +12497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12505,7 +12505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12513,7 +12513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12521,7 +12521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12529,7 +12529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12537,7 +12537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12545,7 +12545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12553,7 +12553,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12561,7 +12561,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12569,7 +12569,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12577,7 +12577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12585,7 +12585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12593,7 +12593,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12601,7 +12601,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12609,7 +12609,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12617,7 +12617,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12625,7 +12625,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12633,7 +12633,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12641,7 +12641,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12649,7 +12649,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12657,7 +12657,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12665,7 +12665,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12673,7 +12673,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12681,7 +12681,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12689,7 +12689,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12697,7 +12697,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12705,7 +12705,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12713,7 +12713,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12721,7 +12721,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12729,7 +12729,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12737,7 +12737,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12745,7 +12745,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12753,7 +12753,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12761,7 +12761,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12769,7 +12769,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12777,7 +12777,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12785,7 +12785,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12793,7 +12793,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12801,7 +12801,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12809,7 +12809,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12817,7 +12817,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12825,7 +12825,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12833,7 +12833,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12841,7 +12841,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12849,7 +12849,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12857,7 +12857,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12865,7 +12865,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12873,7 +12873,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12881,7 +12881,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12889,7 +12889,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12897,7 +12897,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12905,7 +12905,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12913,7 +12913,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12921,7 +12921,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12929,7 +12929,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12937,7 +12937,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12945,7 +12945,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12953,7 +12953,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12961,7 +12961,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12969,7 +12969,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12977,7 +12977,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12985,7 +12985,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12993,7 +12993,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13001,7 +13001,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13009,7 +13009,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13017,7 +13017,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13025,7 +13025,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13033,7 +13033,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13041,7 +13041,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13049,7 +13049,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13057,7 +13057,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13065,7 +13065,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13073,7 +13073,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13081,7 +13081,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13089,7 +13089,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13097,7 +13097,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13105,7 +13105,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13113,7 +13113,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13121,7 +13121,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13129,7 +13129,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13137,7 +13137,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13145,7 +13145,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13153,7 +13153,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13161,7 +13161,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13169,7 +13169,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13177,7 +13177,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13185,7 +13185,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13193,7 +13193,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13201,7 +13201,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13209,7 +13209,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13217,7 +13217,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13225,7 +13225,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13233,7 +13233,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13241,7 +13241,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13249,7 +13249,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13257,7 +13257,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13265,7 +13265,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13273,7 +13273,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13281,7 +13281,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13289,7 +13289,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13297,7 +13297,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13305,7 +13305,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13313,7 +13313,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13321,7 +13321,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13329,7 +13329,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13337,7 +13337,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13345,7 +13345,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13353,7 +13353,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13361,7 +13361,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13369,7 +13369,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13377,7 +13377,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13385,7 +13385,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13393,7 +13393,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13401,7 +13401,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13409,7 +13409,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13417,7 +13417,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13425,7 +13425,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13433,7 +13433,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13441,7 +13441,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13449,7 +13449,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13457,7 +13457,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13465,7 +13465,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13473,7 +13473,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13481,7 +13481,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13489,7 +13489,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13497,7 +13497,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13505,7 +13505,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13513,7 +13513,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13521,7 +13521,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13529,7 +13529,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13537,7 +13537,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13545,7 +13545,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13553,7 +13553,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13561,7 +13561,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13569,7 +13569,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13577,7 +13577,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13585,7 +13585,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13593,7 +13593,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13601,7 +13601,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13609,7 +13609,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13617,7 +13617,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13625,7 +13625,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13633,7 +13633,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13641,7 +13641,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13649,7 +13649,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13657,7 +13657,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13665,7 +13665,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13673,7 +13673,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13681,7 +13681,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13689,7 +13689,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13697,7 +13697,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13705,7 +13705,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13713,7 +13713,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13721,7 +13721,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13729,7 +13729,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13737,7 +13737,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13745,7 +13745,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13753,7 +13753,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13761,7 +13761,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13769,7 +13769,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13777,7 +13777,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13785,7 +13785,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13793,7 +13793,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13801,7 +13801,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13809,7 +13809,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13817,7 +13817,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13825,7 +13825,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13833,7 +13833,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13841,7 +13841,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13849,7 +13849,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13857,7 +13857,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13865,7 +13865,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13873,7 +13873,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13881,7 +13881,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13889,7 +13889,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13897,7 +13897,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13905,7 +13905,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13913,7 +13913,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13921,7 +13921,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13929,7 +13929,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13937,7 +13937,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13945,7 +13945,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13953,7 +13953,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13961,7 +13961,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13969,7 +13969,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13977,7 +13977,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13985,7 +13985,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13993,7 +13993,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14001,7 +14001,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14009,7 +14009,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14017,7 +14017,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14025,7 +14025,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14033,7 +14033,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14041,7 +14041,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14049,7 +14049,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14057,7 +14057,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14065,7 +14065,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14073,7 +14073,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14081,7 +14081,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14089,7 +14089,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14097,7 +14097,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14105,7 +14105,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14113,7 +14113,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14121,7 +14121,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14129,7 +14129,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14137,7 +14137,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14145,7 +14145,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14153,7 +14153,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14161,7 +14161,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14169,7 +14169,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14177,7 +14177,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14185,7 +14185,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14193,7 +14193,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14201,7 +14201,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14209,7 +14209,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14217,7 +14217,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14225,7 +14225,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14233,7 +14233,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14241,7 +14241,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14249,7 +14249,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14257,7 +14257,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14265,7 +14265,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14273,7 +14273,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14281,7 +14281,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14289,7 +14289,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14297,7 +14297,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14305,7 +14305,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14313,7 +14313,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14321,7 +14321,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14329,7 +14329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14337,7 +14337,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14345,7 +14345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14353,7 +14353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14361,7 +14361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14369,7 +14369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14377,7 +14377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14385,7 +14385,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14393,7 +14393,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14401,7 +14401,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14409,7 +14409,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14417,7 +14417,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14425,7 +14425,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14433,7 +14433,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14441,7 +14441,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14449,7 +14449,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14457,7 +14457,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14465,7 +14465,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14473,7 +14473,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14481,7 +14481,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14489,7 +14489,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14497,7 +14497,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14505,7 +14505,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14513,7 +14513,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14521,7 +14521,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14529,7 +14529,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14537,7 +14537,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14545,7 +14545,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14553,7 +14553,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14561,7 +14561,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14569,7 +14569,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14577,7 +14577,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14585,7 +14585,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14593,7 +14593,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14601,7 +14601,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14609,7 +14609,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14617,7 +14617,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14625,7 +14625,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14633,7 +14633,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14641,7 +14641,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14649,7 +14649,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14657,7 +14657,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14665,7 +14665,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14673,7 +14673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14681,7 +14681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14689,7 +14689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14697,7 +14697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14705,7 +14705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14713,7 +14713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14721,7 +14721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14729,7 +14729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14737,7 +14737,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14745,7 +14745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14753,7 +14753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14761,7 +14761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14769,7 +14769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14777,7 +14777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14785,7 +14785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14793,7 +14793,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14801,7 +14801,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14809,7 +14809,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14817,7 +14817,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14825,7 +14825,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14833,7 +14833,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14841,7 +14841,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14849,7 +14849,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14857,7 +14857,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14865,7 +14865,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14873,7 +14873,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14881,7 +14881,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14889,7 +14889,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14897,7 +14897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14905,7 +14905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14913,7 +14913,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14921,7 +14921,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14929,7 +14929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14937,7 +14937,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14945,7 +14945,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14953,7 +14953,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14961,7 +14961,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14969,7 +14969,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14977,7 +14977,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14985,7 +14985,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14993,7 +14993,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15001,7 +15001,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15009,7 +15009,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15017,7 +15017,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15025,7 +15025,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15033,7 +15033,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15041,7 +15041,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15049,7 +15049,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15057,7 +15057,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15065,7 +15065,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15073,7 +15073,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15081,7 +15081,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15089,7 +15089,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15097,7 +15097,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15105,7 +15105,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15113,7 +15113,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15121,7 +15121,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15129,7 +15129,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15137,7 +15137,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15145,7 +15145,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15153,7 +15153,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15161,7 +15161,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15169,7 +15169,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15177,7 +15177,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15185,7 +15185,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15193,7 +15193,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15201,7 +15201,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15209,7 +15209,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15217,7 +15217,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15225,7 +15225,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15233,7 +15233,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15241,7 +15241,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15249,7 +15249,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15257,7 +15257,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15265,7 +15265,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15273,7 +15273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15281,7 +15281,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15289,7 +15289,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15297,7 +15297,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15305,7 +15305,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15313,7 +15313,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15321,7 +15321,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15329,7 +15329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15337,7 +15337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15345,7 +15345,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15353,7 +15353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15361,7 +15361,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15369,7 +15369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15377,7 +15377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15385,7 +15385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15393,7 +15393,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15401,7 +15401,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15409,7 +15409,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15417,7 +15417,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15425,7 +15425,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15433,7 +15433,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15441,7 +15441,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15449,7 +15449,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15457,7 +15457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15465,7 +15465,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15473,7 +15473,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15481,7 +15481,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15489,7 +15489,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15497,7 +15497,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15505,7 +15505,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15513,7 +15513,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15521,7 +15521,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15529,7 +15529,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15537,7 +15537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15545,7 +15545,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15553,7 +15553,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15561,7 +15561,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15569,7 +15569,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15577,7 +15577,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15585,7 +15585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15593,7 +15593,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15601,7 +15601,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15609,7 +15609,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15617,7 +15617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15625,7 +15625,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15633,7 +15633,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15641,7 +15641,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15649,7 +15649,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15657,7 +15657,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15665,7 +15665,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15673,7 +15673,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15681,7 +15681,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15689,7 +15689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15697,7 +15697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15705,7 +15705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15713,7 +15713,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15721,7 +15721,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15729,7 +15729,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15737,7 +15737,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15745,7 +15745,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15753,7 +15753,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15761,7 +15761,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15769,7 +15769,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15777,7 +15777,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15785,7 +15785,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15793,7 +15793,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15801,7 +15801,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15809,7 +15809,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15817,7 +15817,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15825,7 +15825,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15833,7 +15833,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15841,7 +15841,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15849,7 +15849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15857,7 +15857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15865,7 +15865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15873,7 +15873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15881,7 +15881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15889,7 +15889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15897,7 +15897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15905,7 +15905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15913,7 +15913,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15921,7 +15921,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15929,7 +15929,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15937,7 +15937,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15945,7 +15945,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15953,7 +15953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15961,7 +15961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15969,7 +15969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15977,7 +15977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15985,7 +15985,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15993,7 +15993,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16001,7 +16001,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16009,7 +16009,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16017,7 +16017,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16025,7 +16025,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16033,7 +16033,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16041,7 +16041,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16049,7 +16049,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16057,7 +16057,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16065,7 +16065,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16073,7 +16073,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16081,7 +16081,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16089,7 +16089,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16097,7 +16097,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16105,7 +16105,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16113,7 +16113,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16121,7 +16121,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16129,7 +16129,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16137,7 +16137,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16145,7 +16145,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16153,7 +16153,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16161,7 +16161,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16169,7 +16169,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16177,7 +16177,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16185,7 +16185,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16193,7 +16193,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16201,7 +16201,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16209,7 +16209,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16217,7 +16217,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16225,7 +16225,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16233,7 +16233,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16241,7 +16241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16249,7 +16249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16257,7 +16257,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16265,7 +16265,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16273,7 +16273,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16281,7 +16281,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16289,7 +16289,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16297,7 +16297,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16305,7 +16305,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16313,7 +16313,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16321,7 +16321,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16329,7 +16329,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16337,7 +16337,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16345,7 +16345,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16353,7 +16353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16361,7 +16361,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16369,7 +16369,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16377,7 +16377,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16385,7 +16385,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16393,7 +16393,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16401,7 +16401,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16409,7 +16409,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16417,7 +16417,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16425,7 +16425,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16433,7 +16433,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16441,7 +16441,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16449,7 +16449,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16457,7 +16457,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16465,7 +16465,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16473,7 +16473,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16481,7 +16481,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16489,7 +16489,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16497,7 +16497,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16505,7 +16505,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16513,7 +16513,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16521,7 +16521,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16529,7 +16529,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16537,7 +16537,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16545,7 +16545,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16553,7 +16553,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16561,7 +16561,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16569,7 +16569,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16577,7 +16577,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16585,7 +16585,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16593,7 +16593,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16601,7 +16601,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16609,7 +16609,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16617,7 +16617,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16625,7 +16625,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16633,7 +16633,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16641,7 +16641,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16649,7 +16649,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16657,7 +16657,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16665,7 +16665,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16673,7 +16673,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16681,7 +16681,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16689,7 +16689,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16697,7 +16697,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16705,7 +16705,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16713,7 +16713,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16721,7 +16721,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16729,7 +16729,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16737,7 +16737,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16745,7 +16745,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16753,7 +16753,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16761,7 +16761,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16769,7 +16769,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16777,7 +16777,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16785,7 +16785,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16793,7 +16793,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16801,7 +16801,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16809,7 +16809,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16817,7 +16817,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16825,7 +16825,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16833,7 +16833,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16841,7 +16841,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16849,7 +16849,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16857,7 +16857,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16865,7 +16865,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16873,7 +16873,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16881,7 +16881,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16889,7 +16889,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16897,7 +16897,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16905,7 +16905,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16913,7 +16913,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16921,7 +16921,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16929,7 +16929,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16937,7 +16937,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16945,7 +16945,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16953,7 +16953,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16961,7 +16961,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16969,7 +16969,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16977,7 +16977,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16985,7 +16985,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16993,7 +16993,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17001,7 +17001,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17009,7 +17009,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17017,7 +17017,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17025,7 +17025,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17033,7 +17033,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17041,7 +17041,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17049,7 +17049,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17057,7 +17057,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17065,7 +17065,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17073,7 +17073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17081,7 +17081,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17089,7 +17089,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17097,7 +17097,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17105,7 +17105,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17113,7 +17113,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17121,7 +17121,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17129,7 +17129,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17137,7 +17137,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17145,7 +17145,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17153,7 +17153,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17161,7 +17161,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17169,7 +17169,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17177,7 +17177,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17185,7 +17185,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17193,7 +17193,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17201,7 +17201,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17209,7 +17209,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17217,7 +17217,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17225,7 +17225,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17233,7 +17233,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17241,7 +17241,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17249,7 +17249,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17257,7 +17257,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17265,7 +17265,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17273,7 +17273,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17281,7 +17281,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17289,7 +17289,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17297,7 +17297,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17305,7 +17305,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17313,7 +17313,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17321,7 +17321,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17329,7 +17329,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17337,7 +17337,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17345,7 +17345,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17353,7 +17353,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17361,7 +17361,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17369,7 +17369,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17377,7 +17377,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17385,7 +17385,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17393,7 +17393,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17401,7 +17401,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17409,7 +17409,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17417,7 +17417,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17425,7 +17425,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17433,7 +17433,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17441,7 +17441,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17449,7 +17449,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17457,7 +17457,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17465,7 +17465,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17473,7 +17473,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17481,7 +17481,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17489,7 +17489,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17497,7 +17497,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17505,7 +17505,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17513,7 +17513,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17521,7 +17521,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17529,7 +17529,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17537,7 +17537,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17545,7 +17545,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17553,7 +17553,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17561,7 +17561,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17569,7 +17569,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17577,7 +17577,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17585,7 +17585,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17593,7 +17593,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17601,7 +17601,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17609,7 +17609,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17617,7 +17617,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17625,7 +17625,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17633,7 +17633,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17641,7 +17641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17649,7 +17649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17657,7 +17657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17665,7 +17665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17673,7 +17673,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17681,7 +17681,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17689,7 +17689,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17697,7 +17697,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17705,7 +17705,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17713,7 +17713,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17721,7 +17721,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17729,7 +17729,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17737,7 +17737,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17745,7 +17745,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17753,7 +17753,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17761,7 +17761,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17769,7 +17769,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17777,7 +17777,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17785,7 +17785,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17793,7 +17793,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17801,7 +17801,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17809,7 +17809,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17817,7 +17817,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17825,7 +17825,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17833,7 +17833,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17841,7 +17841,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17849,7 +17849,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17857,7 +17857,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17865,7 +17865,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17873,7 +17873,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17881,7 +17881,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17889,7 +17889,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17897,7 +17897,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17905,7 +17905,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17913,7 +17913,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17921,7 +17921,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17929,7 +17929,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17937,7 +17937,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17945,7 +17945,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17953,7 +17953,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17961,7 +17961,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17969,7 +17969,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17977,7 +17977,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17985,7 +17985,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17993,7 +17993,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18001,7 +18001,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18009,7 +18009,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18017,7 +18017,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18025,7 +18025,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18033,7 +18033,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18041,7 +18041,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18049,7 +18049,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18057,7 +18057,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18065,7 +18065,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18073,7 +18073,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18081,7 +18081,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18089,7 +18089,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18097,7 +18097,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18105,7 +18105,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18113,7 +18113,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18121,7 +18121,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18129,7 +18129,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18137,7 +18137,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18145,7 +18145,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18153,7 +18153,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18161,7 +18161,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18169,7 +18169,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18177,7 +18177,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18185,7 +18185,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18193,7 +18193,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18201,7 +18201,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18209,7 +18209,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18217,7 +18217,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18225,7 +18225,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18233,7 +18233,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18241,7 +18241,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18249,7 +18249,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18257,7 +18257,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18265,7 +18265,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18273,7 +18273,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18281,7 +18281,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18289,7 +18289,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18297,7 +18297,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18305,7 +18305,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18313,7 +18313,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18321,7 +18321,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18329,7 +18329,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18337,7 +18337,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18345,7 +18345,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18353,7 +18353,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18361,7 +18361,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18369,7 +18369,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18377,7 +18377,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18385,7 +18385,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18393,7 +18393,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18401,7 +18401,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18409,7 +18409,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18417,7 +18417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18425,7 +18425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18433,7 +18433,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18441,7 +18441,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18449,7 +18449,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18457,7 +18457,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18465,7 +18465,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18473,7 +18473,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18481,7 +18481,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18489,7 +18489,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18497,7 +18497,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18505,7 +18505,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18513,7 +18513,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18521,7 +18521,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18529,7 +18529,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18537,7 +18537,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18545,7 +18545,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18553,7 +18553,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18561,7 +18561,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18569,7 +18569,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18577,7 +18577,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18585,7 +18585,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18593,7 +18593,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18601,7 +18601,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18609,7 +18609,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18617,7 +18617,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18625,7 +18625,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18633,7 +18633,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18641,7 +18641,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18649,7 +18649,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18657,7 +18657,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18665,7 +18665,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18673,7 +18673,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18681,7 +18681,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18689,7 +18689,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18697,7 +18697,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18705,7 +18705,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18713,7 +18713,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18721,7 +18721,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18729,7 +18729,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18737,7 +18737,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18745,7 +18745,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18753,7 +18753,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18761,7 +18761,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18769,7 +18769,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18777,7 +18777,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18785,7 +18785,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18793,7 +18793,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18801,7 +18801,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18809,7 +18809,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18817,7 +18817,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18825,7 +18825,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18833,7 +18833,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18841,7 +18841,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18849,7 +18849,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18857,7 +18857,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18865,7 +18865,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18873,7 +18873,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18881,7 +18881,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18889,7 +18889,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18897,7 +18897,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18905,7 +18905,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18913,7 +18913,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18921,7 +18921,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18929,7 +18929,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18937,7 +18937,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18945,7 +18945,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18953,7 +18953,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18961,7 +18961,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18969,7 +18969,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18977,7 +18977,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18985,7 +18985,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18993,7 +18993,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19001,7 +19001,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19009,7 +19009,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19017,7 +19017,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19025,7 +19025,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19033,7 +19033,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19041,7 +19041,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19049,7 +19049,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19057,7 +19057,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19065,7 +19065,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19073,7 +19073,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19081,7 +19081,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19089,7 +19089,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19097,7 +19097,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19105,7 +19105,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19113,7 +19113,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19121,7 +19121,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19129,7 +19129,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19137,7 +19137,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19145,7 +19145,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19153,7 +19153,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19161,7 +19161,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19169,7 +19169,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19177,7 +19177,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19185,7 +19185,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19193,7 +19193,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19201,7 +19201,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19209,7 +19209,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19217,7 +19217,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19225,7 +19225,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19233,7 +19233,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19241,7 +19241,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19249,7 +19249,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19257,7 +19257,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19265,7 +19265,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19273,7 +19273,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19281,7 +19281,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19289,7 +19289,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19297,7 +19297,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19305,7 +19305,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19313,7 +19313,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19321,7 +19321,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19329,7 +19329,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19337,7 +19337,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19345,7 +19345,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19353,7 +19353,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19361,7 +19361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19369,7 +19369,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19377,7 +19377,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19385,7 +19385,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19393,7 +19393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19401,7 +19401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19409,7 +19409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19417,7 +19417,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19425,7 +19425,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19433,7 +19433,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19441,7 +19441,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19449,7 +19449,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19457,7 +19457,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19465,7 +19465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19473,7 +19473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19481,7 +19481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19489,7 +19489,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19497,7 +19497,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19505,7 +19505,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19513,7 +19513,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19521,7 +19521,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19529,7 +19529,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19537,7 +19537,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19545,7 +19545,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19553,7 +19553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19561,7 +19561,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19569,7 +19569,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19577,7 +19577,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19585,7 +19585,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19593,7 +19593,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19601,7 +19601,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19609,7 +19609,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19617,7 +19617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19625,7 +19625,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19633,7 +19633,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19641,7 +19641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19649,7 +19649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19657,7 +19657,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19665,7 +19665,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19673,7 +19673,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19681,7 +19681,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19689,7 +19689,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19697,7 +19697,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19705,7 +19705,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19713,7 +19713,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19721,7 +19721,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19729,7 +19729,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19737,7 +19737,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19745,7 +19745,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19753,7 +19753,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19761,7 +19761,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19769,7 +19769,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19777,7 +19777,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19785,7 +19785,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19793,7 +19793,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19801,7 +19801,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19809,7 +19809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19817,7 +19817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19825,7 +19825,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19833,7 +19833,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19841,7 +19841,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19849,7 +19849,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19857,7 +19857,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19865,7 +19865,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19873,7 +19873,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19881,7 +19881,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19889,7 +19889,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19897,7 +19897,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19905,7 +19905,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19913,7 +19913,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19921,7 +19921,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19929,7 +19929,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19937,7 +19937,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19945,7 +19945,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19953,7 +19953,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19961,7 +19961,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19969,7 +19969,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19977,7 +19977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19985,7 +19985,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19993,7 +19993,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20001,7 +20001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20009,7 +20009,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20017,7 +20017,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20025,7 +20025,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20033,7 +20033,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20041,7 +20041,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20049,7 +20049,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20057,7 +20057,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20065,7 +20065,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20073,7 +20073,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20081,7 +20081,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20089,7 +20089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20097,7 +20097,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20105,7 +20105,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20113,7 +20113,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20121,7 +20121,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20129,7 +20129,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20137,7 +20137,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20145,7 +20145,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20153,7 +20153,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20161,7 +20161,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20169,7 +20169,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20177,7 +20177,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20185,7 +20185,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20193,7 +20193,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20201,7 +20201,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20209,7 +20209,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20217,7 +20217,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20225,7 +20225,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20233,7 +20233,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20241,7 +20241,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20249,7 +20249,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20257,7 +20257,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20265,7 +20265,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20273,7 +20273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20281,7 +20281,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20289,7 +20289,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20297,7 +20297,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20305,7 +20305,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20313,7 +20313,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20321,7 +20321,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20329,7 +20329,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20337,7 +20337,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20345,7 +20345,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20353,7 +20353,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20361,7 +20361,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20369,7 +20369,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20377,7 +20377,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20385,7 +20385,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20393,7 +20393,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20401,7 +20401,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20409,7 +20409,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20417,7 +20417,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20425,7 +20425,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20433,7 +20433,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20441,7 +20441,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20449,7 +20449,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20457,7 +20457,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20465,7 +20465,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20473,7 +20473,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20481,7 +20481,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20489,7 +20489,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20497,7 +20497,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20505,7 +20505,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20513,7 +20513,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20521,7 +20521,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20529,7 +20529,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20537,7 +20537,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20545,7 +20545,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20553,7 +20553,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20561,7 +20561,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20569,7 +20569,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20577,7 +20577,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20585,7 +20585,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20593,7 +20593,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20601,7 +20601,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20609,7 +20609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20617,7 +20617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20625,7 +20625,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20633,7 +20633,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20641,7 +20641,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20649,7 +20649,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20657,7 +20657,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20665,7 +20665,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20673,7 +20673,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20681,7 +20681,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20689,7 +20689,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20697,7 +20697,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20705,7 +20705,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20713,7 +20713,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20721,7 +20721,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20729,7 +20729,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20737,7 +20737,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20745,7 +20745,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20753,7 +20753,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20761,7 +20761,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20769,7 +20769,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20777,7 +20777,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20785,7 +20785,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20793,7 +20793,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20801,7 +20801,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20809,7 +20809,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20817,7 +20817,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20825,7 +20825,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20833,7 +20833,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20841,7 +20841,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20849,7 +20849,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20857,7 +20857,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20865,7 +20865,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20873,7 +20873,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20881,7 +20881,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20889,7 +20889,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20897,7 +20897,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20905,7 +20905,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20913,7 +20913,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20921,7 +20921,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20929,7 +20929,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20937,7 +20937,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20945,7 +20945,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20953,7 +20953,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20961,7 +20961,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20969,7 +20969,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20977,7 +20977,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20985,7 +20985,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20993,7 +20993,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21001,7 +21001,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21009,7 +21009,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21017,7 +21017,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21025,7 +21025,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21033,7 +21033,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21041,7 +21041,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21049,7 +21049,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21057,7 +21057,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21065,7 +21065,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21073,7 +21073,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21081,7 +21081,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21089,7 +21089,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21097,7 +21097,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21105,7 +21105,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21113,7 +21113,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21121,7 +21121,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21129,7 +21129,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21137,7 +21137,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21145,7 +21145,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21153,7 +21153,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21161,7 +21161,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21169,7 +21169,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21177,7 +21177,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21185,7 +21185,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21193,7 +21193,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21201,7 +21201,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21209,7 +21209,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21217,7 +21217,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21225,7 +21225,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21233,7 +21233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21241,7 +21241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21249,7 +21249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21257,7 +21257,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21265,7 +21265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21273,7 +21273,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21281,7 +21281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21289,7 +21289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21297,7 +21297,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21305,7 +21305,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21313,7 +21313,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21321,7 +21321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21329,7 +21329,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21337,7 +21337,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21345,7 +21345,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21353,7 +21353,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21361,7 +21361,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21369,7 +21369,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21377,7 +21377,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21385,7 +21385,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21393,7 +21393,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21401,7 +21401,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21409,7 +21409,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21417,7 +21417,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21425,7 +21425,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21433,7 +21433,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21441,7 +21441,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21449,7 +21449,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21457,7 +21457,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21465,7 +21465,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21473,7 +21473,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21481,7 +21481,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21489,7 +21489,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21497,7 +21497,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21505,7 +21505,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21513,7 +21513,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21521,7 +21521,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21529,7 +21529,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21537,7 +21537,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21545,7 +21545,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21553,7 +21553,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21561,7 +21561,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21569,7 +21569,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21577,7 +21577,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21585,7 +21585,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21593,7 +21593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21601,7 +21601,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21609,7 +21609,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21617,7 +21617,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21625,7 +21625,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21633,7 +21633,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21641,7 +21641,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21649,7 +21649,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21657,7 +21657,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21665,7 +21665,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21673,7 +21673,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21681,7 +21681,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21689,7 +21689,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21697,7 +21697,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21705,7 +21705,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21713,7 +21713,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21721,7 +21721,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21729,7 +21729,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21737,7 +21737,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21745,7 +21745,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21753,7 +21753,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21761,7 +21761,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21769,7 +21769,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21777,7 +21777,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21785,7 +21785,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21793,7 +21793,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21801,7 +21801,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21809,7 +21809,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21817,7 +21817,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21825,7 +21825,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21833,7 +21833,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21841,7 +21841,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21849,7 +21849,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21857,7 +21857,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21865,7 +21865,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21873,7 +21873,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21881,7 +21881,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21889,7 +21889,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21897,7 +21897,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21905,7 +21905,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21913,7 +21913,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21921,7 +21921,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21929,7 +21929,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21937,7 +21937,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21945,7 +21945,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21953,7 +21953,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21961,7 +21961,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21969,7 +21969,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21977,7 +21977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21985,7 +21985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21993,7 +21993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22001,7 +22001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22009,7 +22009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22017,7 +22017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22025,7 +22025,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22033,7 +22033,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22041,7 +22041,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22049,7 +22049,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22057,7 +22057,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22065,7 +22065,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22073,7 +22073,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22081,7 +22081,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22089,7 +22089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22097,7 +22097,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22105,7 +22105,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22113,7 +22113,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22121,7 +22121,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22129,7 +22129,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22137,7 +22137,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22145,7 +22145,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22153,7 +22153,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22161,7 +22161,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22169,7 +22169,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22177,7 +22177,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22185,7 +22185,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22193,7 +22193,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22201,7 +22201,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22209,7 +22209,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22217,7 +22217,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22225,7 +22225,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22233,7 +22233,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22241,7 +22241,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22249,7 +22249,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22257,7 +22257,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22265,7 +22265,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22273,7 +22273,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22281,7 +22281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22289,7 +22289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22297,7 +22297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22305,7 +22305,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22313,7 +22313,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22321,7 +22321,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22329,7 +22329,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22337,7 +22337,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22345,7 +22345,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22353,7 +22353,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22361,7 +22361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22369,7 +22369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22377,7 +22377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22385,7 +22385,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22393,7 +22393,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22401,7 +22401,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22409,7 +22409,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22417,7 +22417,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22425,7 +22425,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22433,7 +22433,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22441,7 +22441,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22449,7 +22449,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22457,7 +22457,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22465,7 +22465,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22473,7 +22473,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22481,7 +22481,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22489,7 +22489,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22497,7 +22497,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22505,7 +22505,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22513,7 +22513,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22521,7 +22521,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22529,7 +22529,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22537,7 +22537,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22545,7 +22545,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22553,7 +22553,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22561,7 +22561,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22569,7 +22569,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22577,7 +22577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22585,7 +22585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22593,7 +22593,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22601,7 +22601,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22609,7 +22609,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22617,7 +22617,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22625,7 +22625,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22633,7 +22633,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22641,7 +22641,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22649,7 +22649,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22657,7 +22657,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22665,7 +22665,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22673,7 +22673,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22681,7 +22681,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22689,7 +22689,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22697,7 +22697,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22705,7 +22705,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22713,7 +22713,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22721,7 +22721,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22729,7 +22729,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22737,7 +22737,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22745,7 +22745,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22753,7 +22753,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22761,7 +22761,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22769,7 +22769,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22777,7 +22777,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22785,7 +22785,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22793,7 +22793,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22801,7 +22801,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22809,7 +22809,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22817,7 +22817,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22825,7 +22825,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22833,7 +22833,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22841,7 +22841,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22849,7 +22849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22857,7 +22857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22865,7 +22865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22873,7 +22873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22881,7 +22881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22889,7 +22889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22897,7 +22897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22905,7 +22905,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22913,7 +22913,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22921,7 +22921,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22929,7 +22929,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22937,7 +22937,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22945,7 +22945,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22953,7 +22953,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22961,7 +22961,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22969,7 +22969,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22977,7 +22977,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22985,7 +22985,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22993,7 +22993,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23001,7 +23001,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23009,7 +23009,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23017,7 +23017,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23025,7 +23025,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23033,7 +23033,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23041,7 +23041,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23049,7 +23049,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23057,7 +23057,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23065,7 +23065,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23073,7 +23073,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23081,7 +23081,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23089,7 +23089,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23097,7 +23097,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23105,7 +23105,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23113,7 +23113,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23121,7 +23121,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23129,7 +23129,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23137,7 +23137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23145,7 +23145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23153,7 +23153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23161,7 +23161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23169,7 +23169,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23177,7 +23177,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23185,7 +23185,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23193,7 +23193,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23201,7 +23201,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23209,7 +23209,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23217,7 +23217,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23225,7 +23225,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23233,7 +23233,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23241,7 +23241,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23249,7 +23249,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23257,7 +23257,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23265,7 +23265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23273,7 +23273,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23281,7 +23281,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23289,7 +23289,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23297,7 +23297,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23305,7 +23305,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23313,7 +23313,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23321,7 +23321,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23329,7 +23329,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23337,7 +23337,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23345,7 +23345,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23353,7 +23353,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23361,7 +23361,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23369,7 +23369,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23377,7 +23377,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23385,7 +23385,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23393,7 +23393,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23401,7 +23401,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23409,7 +23409,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23417,7 +23417,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23425,7 +23425,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23433,7 +23433,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23441,7 +23441,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23449,7 +23449,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23457,7 +23457,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23465,7 +23465,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23473,7 +23473,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23481,7 +23481,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23489,7 +23489,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23497,7 +23497,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23505,7 +23505,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23513,7 +23513,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23521,7 +23521,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23529,7 +23529,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23537,7 +23537,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23545,7 +23545,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23553,7 +23553,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23561,7 +23561,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23569,7 +23569,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23577,7 +23577,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23585,7 +23585,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23593,7 +23593,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23601,7 +23601,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23609,7 +23609,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23617,7 +23617,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23625,7 +23625,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23633,7 +23633,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23641,7 +23641,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23649,7 +23649,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23657,7 +23657,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23665,7 +23665,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23673,7 +23673,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23681,7 +23681,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23689,7 +23689,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23697,7 +23697,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23705,7 +23705,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23713,7 +23713,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23721,7 +23721,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23729,7 +23729,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23737,7 +23737,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23745,7 +23745,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23753,7 +23753,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23761,7 +23761,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23769,7 +23769,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23777,7 +23777,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23785,7 +23785,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23793,7 +23793,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23801,7 +23801,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23809,7 +23809,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23817,7 +23817,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23825,7 +23825,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23833,7 +23833,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23841,7 +23841,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23849,7 +23849,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23857,7 +23857,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23865,7 +23865,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23873,7 +23873,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Incident Monitoring + capability-id: IR-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23881,7 +23881,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23889,7 +23889,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23897,7 +23897,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23905,7 +23905,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23913,7 +23913,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23921,7 +23921,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23929,7 +23929,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23937,7 +23937,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23945,7 +23945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23953,7 +23953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23961,7 +23961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23969,7 +23969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23977,7 +23977,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23985,7 +23985,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23993,7 +23993,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24001,7 +24001,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24009,7 +24009,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24017,7 +24017,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24025,7 +24025,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24033,7 +24033,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24041,7 +24041,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24049,7 +24049,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24057,7 +24057,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24065,7 +24065,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24073,7 +24073,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24081,7 +24081,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24089,7 +24089,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24097,7 +24097,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24105,7 +24105,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24113,7 +24113,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24121,7 +24121,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24129,7 +24129,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24137,7 +24137,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24145,7 +24145,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24153,7 +24153,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24161,7 +24161,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24169,7 +24169,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24177,7 +24177,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24185,7 +24185,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24193,7 +24193,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24201,7 +24201,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24209,7 +24209,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24217,7 +24217,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24225,7 +24225,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24233,7 +24233,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24241,7 +24241,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24249,7 +24249,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24257,7 +24257,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24265,7 +24265,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24273,7 +24273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24281,7 +24281,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24289,7 +24289,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24297,7 +24297,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24305,7 +24305,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24313,7 +24313,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24321,7 +24321,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24329,7 +24329,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24337,7 +24337,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24345,7 +24345,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24353,7 +24353,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24361,7 +24361,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24369,7 +24369,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24377,7 +24377,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24385,7 +24385,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24393,7 +24393,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24401,7 +24401,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24409,7 +24409,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24417,7 +24417,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24425,7 +24425,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24433,7 +24433,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24441,7 +24441,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24449,7 +24449,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24457,7 +24457,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24465,7 +24465,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24473,7 +24473,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24481,7 +24481,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24489,7 +24489,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24497,7 +24497,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24505,7 +24505,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24513,7 +24513,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24521,7 +24521,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24529,7 +24529,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24537,7 +24537,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24545,7 +24545,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24553,7 +24553,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24561,7 +24561,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24569,7 +24569,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24577,7 +24577,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24585,7 +24585,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24593,7 +24593,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24601,7 +24601,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24609,7 +24609,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24617,7 +24617,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24625,7 +24625,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24633,7 +24633,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24641,7 +24641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24649,7 +24649,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24657,7 +24657,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24665,7 +24665,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24673,7 +24673,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24681,7 +24681,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24689,7 +24689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24697,7 +24697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24705,7 +24705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24713,7 +24713,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24721,7 +24721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24729,7 +24729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24737,7 +24737,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24745,7 +24745,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24753,7 +24753,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24761,7 +24761,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24769,7 +24769,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24777,7 +24777,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24785,7 +24785,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24793,7 +24793,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24801,7 +24801,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24809,7 +24809,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24817,7 +24817,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24825,7 +24825,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24833,7 +24833,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24841,7 +24841,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24849,7 +24849,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24857,7 +24857,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24865,7 +24865,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24873,7 +24873,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24881,7 +24881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24889,7 +24889,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24897,7 +24897,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24905,7 +24905,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24913,7 +24913,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24921,7 +24921,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24929,7 +24929,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24937,7 +24937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24945,7 +24945,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24953,7 +24953,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24961,7 +24961,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24969,7 +24969,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24977,7 +24977,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24985,7 +24985,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24993,7 +24993,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25001,7 +25001,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25009,7 +25009,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25017,7 +25017,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25025,7 +25025,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25033,7 +25033,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25041,7 +25041,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25049,7 +25049,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25057,7 +25057,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25065,7 +25065,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25073,7 +25073,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25081,7 +25081,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25089,7 +25089,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25097,7 +25097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25105,7 +25105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25113,7 +25113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25121,7 +25121,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25129,7 +25129,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25137,7 +25137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25145,7 +25145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25153,7 +25153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25161,7 +25161,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25169,7 +25169,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25177,7 +25177,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25185,7 +25185,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25193,7 +25193,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25201,7 +25201,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25209,7 +25209,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25217,7 +25217,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25225,7 +25225,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25233,7 +25233,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25241,7 +25241,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25249,7 +25249,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25257,7 +25257,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25265,7 +25265,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25273,7 +25273,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25281,7 +25281,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25289,7 +25289,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25297,7 +25297,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25305,7 +25305,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25313,7 +25313,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25321,7 +25321,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Trustworthiness + capability-id: SA-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -25329,7 +25329,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25337,7 +25337,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25345,7 +25345,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25353,7 +25353,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25361,7 +25361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25369,7 +25369,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25377,7 +25377,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25385,7 +25385,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25393,7 +25393,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25401,7 +25401,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25409,7 +25409,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -25417,7 +25417,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25425,7 +25425,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25433,7 +25433,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25441,7 +25441,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25449,7 +25449,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25457,7 +25457,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25465,7 +25465,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25473,7 +25473,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25481,7 +25481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25489,7 +25489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25497,7 +25497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25505,7 +25505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25513,7 +25513,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25521,7 +25521,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25529,7 +25529,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25537,7 +25537,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25545,7 +25545,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25553,7 +25553,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25561,7 +25561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25569,7 +25569,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25577,7 +25577,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25585,7 +25585,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25593,7 +25593,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25601,7 +25601,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25609,7 +25609,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25617,7 +25617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25625,7 +25625,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Component Authenticity + capability-id: SA-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -25633,7 +25633,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25641,7 +25641,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25649,7 +25649,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25657,7 +25657,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25665,7 +25665,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25673,7 +25673,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25681,7 +25681,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25689,7 +25689,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25697,7 +25697,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25705,7 +25705,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25713,7 +25713,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25721,7 +25721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25729,7 +25729,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25737,7 +25737,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25745,7 +25745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25753,7 +25753,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25761,7 +25761,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25769,7 +25769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25777,7 +25777,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25785,7 +25785,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25793,7 +25793,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25801,7 +25801,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25809,7 +25809,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25817,7 +25817,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25825,7 +25825,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25833,7 +25833,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25841,7 +25841,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25849,7 +25849,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25857,7 +25857,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25865,7 +25865,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25873,7 +25873,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25881,7 +25881,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25889,7 +25889,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25897,7 +25897,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25905,7 +25905,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25913,7 +25913,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25921,7 +25921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25929,7 +25929,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25937,7 +25937,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25945,7 +25945,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25953,7 +25953,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25961,7 +25961,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25969,7 +25969,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25977,7 +25977,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25985,7 +25985,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25993,7 +25993,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26001,7 +26001,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26009,7 +26009,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26017,7 +26017,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26025,7 +26025,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26033,7 +26033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26041,7 +26041,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26049,7 +26049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26057,7 +26057,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26065,7 +26065,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26073,7 +26073,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26081,7 +26081,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26089,7 +26089,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -26097,7 +26097,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26105,7 +26105,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -26113,7 +26113,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -26121,7 +26121,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26129,7 +26129,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26137,7 +26137,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26145,7 +26145,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26153,7 +26153,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26161,7 +26161,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26169,7 +26169,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26177,7 +26177,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26185,7 +26185,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26193,7 +26193,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26201,7 +26201,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26209,7 +26209,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26217,7 +26217,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26225,7 +26225,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26233,7 +26233,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26241,7 +26241,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26249,7 +26249,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26257,7 +26257,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26265,7 +26265,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26273,7 +26273,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26281,7 +26281,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26289,7 +26289,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26297,7 +26297,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26305,7 +26305,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26313,7 +26313,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26321,7 +26321,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26329,7 +26329,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26337,7 +26337,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26345,7 +26345,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26353,7 +26353,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26361,7 +26361,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26369,7 +26369,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26377,7 +26377,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26385,7 +26385,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26393,7 +26393,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26401,7 +26401,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26409,7 +26409,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26417,7 +26417,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26425,7 +26425,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26433,7 +26433,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26441,7 +26441,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26449,7 +26449,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26457,7 +26457,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26465,7 +26465,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26473,7 +26473,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26481,7 +26481,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26489,7 +26489,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26497,7 +26497,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26505,7 +26505,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26513,7 +26513,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26521,7 +26521,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26529,7 +26529,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26537,7 +26537,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26545,7 +26545,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26553,7 +26553,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26561,7 +26561,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26569,7 +26569,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26577,7 +26577,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26585,7 +26585,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26593,7 +26593,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26601,7 +26601,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26609,7 +26609,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26617,7 +26617,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26625,7 +26625,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26633,7 +26633,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26641,7 +26641,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26649,7 +26649,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26657,7 +26657,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26665,7 +26665,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26673,7 +26673,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26681,7 +26681,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26689,7 +26689,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26697,7 +26697,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26705,7 +26705,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26713,7 +26713,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26721,7 +26721,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26729,7 +26729,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26737,7 +26737,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26745,7 +26745,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26753,7 +26753,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26761,7 +26761,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26769,7 +26769,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26777,7 +26777,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26785,7 +26785,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26793,7 +26793,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26801,7 +26801,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26809,7 +26809,7 @@ attack-objects: tags: [] - attack-object-id: T1535 attack-object-name: Unused/Unsupported Cloud Regions - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26817,7 +26817,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26825,7 +26825,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26833,7 +26833,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26841,7 +26841,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26849,7 +26849,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26857,7 +26857,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26865,7 +26865,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26873,7 +26873,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26881,7 +26881,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26889,7 +26889,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26897,7 +26897,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -26905,7 +26905,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -26913,7 +26913,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26921,7 +26921,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -26929,7 +26929,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26937,7 +26937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26945,7 +26945,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26953,7 +26953,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26961,7 +26961,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26969,7 +26969,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26977,7 +26977,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26985,7 +26985,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26993,7 +26993,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27001,7 +27001,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27009,7 +27009,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27017,7 +27017,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27025,7 +27025,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27033,7 +27033,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27041,7 +27041,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27049,7 +27049,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27057,7 +27057,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27065,7 +27065,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27073,7 +27073,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27081,7 +27081,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27089,7 +27089,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27097,7 +27097,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27105,7 +27105,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27113,7 +27113,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27121,7 +27121,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27129,7 +27129,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27137,7 +27137,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27145,7 +27145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27153,7 +27153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27161,7 +27161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27169,7 +27169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27177,7 +27177,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27185,7 +27185,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27193,7 +27193,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27201,7 +27201,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27209,7 +27209,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27217,7 +27217,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27225,7 +27225,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27233,7 +27233,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27241,7 +27241,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27249,7 +27249,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27257,7 +27257,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27265,7 +27265,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27273,7 +27273,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27281,7 +27281,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27289,7 +27289,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27297,7 +27297,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27305,7 +27305,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27313,7 +27313,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27321,7 +27321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27329,7 +27329,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27337,7 +27337,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27345,7 +27345,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27353,7 +27353,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27361,7 +27361,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27369,7 +27369,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27377,7 +27377,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27385,7 +27385,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27393,7 +27393,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27401,7 +27401,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27409,7 +27409,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27417,7 +27417,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27425,7 +27425,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27433,7 +27433,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27441,7 +27441,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27449,7 +27449,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27457,7 +27457,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27465,7 +27465,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27473,7 +27473,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27481,7 +27481,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27489,7 +27489,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27497,7 +27497,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27505,7 +27505,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27513,7 +27513,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27521,7 +27521,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27529,7 +27529,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27537,7 +27537,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27545,7 +27545,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27553,7 +27553,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27561,7 +27561,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27569,7 +27569,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27577,7 +27577,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27585,7 +27585,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27593,7 +27593,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27601,7 +27601,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27609,7 +27609,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27617,7 +27617,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27625,7 +27625,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27633,7 +27633,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27641,7 +27641,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27649,7 +27649,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27657,7 +27657,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27665,7 +27665,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27673,7 +27673,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27681,7 +27681,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27689,7 +27689,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27697,7 +27697,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27705,7 +27705,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27713,7 +27713,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -27721,7 +27721,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27729,7 +27729,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -27737,7 +27737,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -27745,7 +27745,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27753,7 +27753,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27761,7 +27761,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27769,7 +27769,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27777,7 +27777,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27785,7 +27785,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27793,7 +27793,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27801,7 +27801,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27809,7 +27809,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27817,7 +27817,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27825,7 +27825,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27833,7 +27833,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Operations Security + capability-id: SC-38 comments: '' mapping-description: '' mapping-type: mitigates @@ -27841,7 +27841,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Operations Security + capability-id: SC-38 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27849,7 +27849,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27857,7 +27857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27865,7 +27865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27873,7 +27873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27881,7 +27881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27889,7 +27889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27897,7 +27897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27905,7 +27905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27913,7 +27913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27921,7 +27921,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27929,7 +27929,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27937,7 +27937,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27945,7 +27945,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27953,7 +27953,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27961,7 +27961,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27969,7 +27969,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27977,7 +27977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27985,7 +27985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27993,7 +27993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28001,7 +28001,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28009,7 +28009,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28017,7 +28017,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28025,7 +28025,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28033,7 +28033,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28041,7 +28041,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28049,7 +28049,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28057,7 +28057,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28065,7 +28065,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28073,7 +28073,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28081,7 +28081,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28089,7 +28089,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28097,7 +28097,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28105,7 +28105,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28113,7 +28113,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28121,7 +28121,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28129,7 +28129,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28137,7 +28137,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28145,7 +28145,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28153,7 +28153,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28161,7 +28161,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28169,7 +28169,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28177,7 +28177,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28185,7 +28185,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28193,7 +28193,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28201,7 +28201,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28209,7 +28209,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28217,7 +28217,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28225,7 +28225,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28233,7 +28233,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -28241,7 +28241,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -28249,7 +28249,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -28257,7 +28257,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28265,7 +28265,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -28273,7 +28273,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28281,7 +28281,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28289,7 +28289,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28297,7 +28297,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28305,7 +28305,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28313,7 +28313,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28321,7 +28321,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28329,7 +28329,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28337,7 +28337,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28345,7 +28345,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28353,7 +28353,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28361,7 +28361,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28369,7 +28369,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28377,7 +28377,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28385,7 +28385,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Resource Availability + capability-id: SC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28393,7 +28393,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28401,7 +28401,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28409,7 +28409,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28417,7 +28417,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28425,7 +28425,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28433,7 +28433,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28441,7 +28441,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28449,7 +28449,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28457,7 +28457,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28465,7 +28465,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28473,7 +28473,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28481,7 +28481,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28489,7 +28489,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28497,7 +28497,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28505,7 +28505,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28513,7 +28513,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28521,7 +28521,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28529,7 +28529,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28537,7 +28537,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28545,7 +28545,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28553,7 +28553,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28561,7 +28561,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28569,7 +28569,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28577,7 +28577,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28585,7 +28585,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28593,7 +28593,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28601,7 +28601,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28609,7 +28609,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28617,7 +28617,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28625,7 +28625,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28633,7 +28633,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28641,7 +28641,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28649,7 +28649,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28657,7 +28657,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28665,7 +28665,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28673,7 +28673,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28681,7 +28681,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28689,7 +28689,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28697,7 +28697,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28705,7 +28705,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28713,7 +28713,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28721,7 +28721,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28729,7 +28729,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28737,7 +28737,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28745,7 +28745,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28753,7 +28753,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28761,7 +28761,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28769,7 +28769,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28777,7 +28777,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28785,7 +28785,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28793,7 +28793,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28801,7 +28801,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28809,7 +28809,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28817,7 +28817,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28825,7 +28825,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28833,7 +28833,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28841,7 +28841,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28849,7 +28849,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28857,7 +28857,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28865,7 +28865,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28873,7 +28873,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28881,7 +28881,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28889,7 +28889,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28897,7 +28897,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28905,7 +28905,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28913,7 +28913,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28921,7 +28921,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28929,7 +28929,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28937,7 +28937,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28945,7 +28945,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28953,7 +28953,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28961,7 +28961,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28969,7 +28969,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28977,7 +28977,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28985,7 +28985,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28993,7 +28993,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29001,7 +29001,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29009,7 +29009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29017,7 +29017,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29025,7 +29025,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29033,7 +29033,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29041,7 +29041,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29049,7 +29049,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29057,7 +29057,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29065,7 +29065,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29073,7 +29073,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29081,7 +29081,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29089,7 +29089,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29097,7 +29097,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29105,7 +29105,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29113,7 +29113,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29121,7 +29121,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29129,7 +29129,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29137,7 +29137,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29145,7 +29145,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29153,7 +29153,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29161,7 +29161,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29169,7 +29169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29177,7 +29177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29185,7 +29185,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29193,7 +29193,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29201,7 +29201,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29209,7 +29209,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29217,7 +29217,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29225,7 +29225,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29233,7 +29233,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29241,7 +29241,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29249,7 +29249,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29257,7 +29257,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29265,7 +29265,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29273,7 +29273,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29281,7 +29281,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29289,7 +29289,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29297,7 +29297,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29305,7 +29305,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29313,7 +29313,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29321,7 +29321,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29329,7 +29329,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29337,7 +29337,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29345,7 +29345,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29353,7 +29353,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29361,7 +29361,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29369,7 +29369,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29377,7 +29377,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29385,7 +29385,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29393,7 +29393,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29401,7 +29401,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29409,7 +29409,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29417,7 +29417,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29425,7 +29425,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29433,7 +29433,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29441,7 +29441,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29449,7 +29449,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29457,7 +29457,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29465,7 +29465,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29473,7 +29473,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29481,7 +29481,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29489,7 +29489,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29497,7 +29497,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29505,7 +29505,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29513,7 +29513,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29521,7 +29521,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29529,7 +29529,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29537,7 +29537,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29545,7 +29545,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29553,7 +29553,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29561,7 +29561,7 @@ attack-objects: tags: [] - attack-object-id: T1090.004 attack-object-name: Domain Fronting - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29569,7 +29569,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29577,7 +29577,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29585,7 +29585,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29593,7 +29593,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29601,7 +29601,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29609,7 +29609,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29617,7 +29617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29625,7 +29625,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29633,7 +29633,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29641,7 +29641,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29649,7 +29649,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29657,7 +29657,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29665,7 +29665,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29673,7 +29673,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29681,7 +29681,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29689,7 +29689,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29697,7 +29697,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29705,7 +29705,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29713,7 +29713,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29721,7 +29721,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29729,7 +29729,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29737,7 +29737,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29745,7 +29745,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29753,7 +29753,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29761,7 +29761,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29769,7 +29769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29777,7 +29777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29785,7 +29785,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29793,7 +29793,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29801,7 +29801,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29809,7 +29809,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29817,7 +29817,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29825,7 +29825,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29833,7 +29833,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29841,7 +29841,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29849,7 +29849,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29857,7 +29857,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29865,7 +29865,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29873,7 +29873,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29881,7 +29881,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29889,7 +29889,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29897,7 +29897,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29905,7 +29905,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29913,7 +29913,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29921,7 +29921,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29929,7 +29929,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29937,7 +29937,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29945,7 +29945,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29953,7 +29953,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29961,7 +29961,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29969,7 +29969,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29977,7 +29977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29985,7 +29985,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29993,7 +29993,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30001,7 +30001,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30009,7 +30009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30017,7 +30017,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30025,7 +30025,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30033,7 +30033,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30041,7 +30041,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30049,7 +30049,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30057,7 +30057,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30065,7 +30065,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30073,7 +30073,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30081,7 +30081,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30089,7 +30089,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30097,7 +30097,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30105,7 +30105,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30113,7 +30113,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30121,7 +30121,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30129,7 +30129,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30137,7 +30137,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30145,7 +30145,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30153,7 +30153,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30161,7 +30161,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30169,7 +30169,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30177,7 +30177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30185,7 +30185,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30193,7 +30193,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30201,7 +30201,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30209,7 +30209,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30217,7 +30217,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30225,7 +30225,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30233,7 +30233,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30241,7 +30241,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30249,7 +30249,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30257,7 +30257,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30265,7 +30265,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30273,7 +30273,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30281,7 +30281,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30289,7 +30289,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30297,7 +30297,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30305,7 +30305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30313,7 +30313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30321,7 +30321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30329,7 +30329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30337,7 +30337,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30345,7 +30345,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30353,7 +30353,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30361,7 +30361,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30369,7 +30369,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30377,7 +30377,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30385,7 +30385,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30393,7 +30393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30401,7 +30401,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30409,7 +30409,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30417,7 +30417,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30425,7 +30425,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30433,7 +30433,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30441,7 +30441,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30449,7 +30449,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30457,7 +30457,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30465,7 +30465,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30473,7 +30473,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30481,7 +30481,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30489,7 +30489,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30497,7 +30497,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30505,7 +30505,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30513,7 +30513,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30521,7 +30521,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30529,7 +30529,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30537,7 +30537,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30545,7 +30545,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30553,7 +30553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30561,7 +30561,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30569,7 +30569,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30577,7 +30577,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30585,7 +30585,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30593,7 +30593,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30601,7 +30601,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30609,7 +30609,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30617,7 +30617,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30625,7 +30625,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30633,7 +30633,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30641,7 +30641,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30649,7 +30649,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30657,7 +30657,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30665,7 +30665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30673,7 +30673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30681,7 +30681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30689,7 +30689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30697,7 +30697,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30705,7 +30705,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30713,7 +30713,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30721,7 +30721,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30729,7 +30729,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30737,7 +30737,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30745,7 +30745,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30753,7 +30753,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30761,7 +30761,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30769,7 +30769,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30777,7 +30777,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30785,7 +30785,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30793,7 +30793,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30801,7 +30801,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30809,7 +30809,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30817,7 +30817,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30825,7 +30825,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30833,7 +30833,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30841,7 +30841,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30849,7 +30849,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30857,7 +30857,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30865,7 +30865,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30873,7 +30873,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30881,7 +30881,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30889,7 +30889,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30897,7 +30897,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30905,7 +30905,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30913,7 +30913,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30921,7 +30921,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30929,7 +30929,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30937,7 +30937,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30945,7 +30945,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30953,7 +30953,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30961,7 +30961,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30969,7 +30969,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30977,7 +30977,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30985,7 +30985,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30993,7 +30993,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31001,7 +31001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31009,7 +31009,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31017,7 +31017,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31025,7 +31025,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31033,7 +31033,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31041,7 +31041,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31049,7 +31049,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31057,7 +31057,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31065,7 +31065,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31073,7 +31073,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31081,7 +31081,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31089,7 +31089,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31097,7 +31097,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31105,7 +31105,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31113,7 +31113,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31121,7 +31121,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31129,7 +31129,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31137,7 +31137,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31145,7 +31145,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31153,7 +31153,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31161,7 +31161,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31169,7 +31169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31177,7 +31177,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31185,7 +31185,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31193,7 +31193,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31201,7 +31201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31209,7 +31209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31217,7 +31217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31225,7 +31225,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31233,7 +31233,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31241,7 +31241,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31249,7 +31249,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31257,7 +31257,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31265,7 +31265,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31273,7 +31273,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31281,7 +31281,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31289,7 +31289,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31297,7 +31297,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31305,7 +31305,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31313,7 +31313,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31321,7 +31321,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31329,7 +31329,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31337,7 +31337,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31345,7 +31345,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31353,7 +31353,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31361,7 +31361,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31369,7 +31369,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31377,7 +31377,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31385,7 +31385,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31393,7 +31393,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31401,7 +31401,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31409,7 +31409,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31417,7 +31417,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31425,7 +31425,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31433,7 +31433,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31441,7 +31441,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31449,7 +31449,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31457,7 +31457,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31465,7 +31465,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31473,7 +31473,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31481,7 +31481,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31489,7 +31489,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31497,7 +31497,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31505,7 +31505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31513,7 +31513,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31521,7 +31521,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31529,7 +31529,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31537,7 +31537,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31545,7 +31545,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31553,7 +31553,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31561,7 +31561,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31569,7 +31569,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31577,7 +31577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31585,7 +31585,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31593,7 +31593,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31601,7 +31601,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31609,7 +31609,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31617,7 +31617,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31625,7 +31625,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31633,7 +31633,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31641,7 +31641,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31649,7 +31649,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31657,7 +31657,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31665,7 +31665,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31673,7 +31673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31681,7 +31681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31689,7 +31689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31697,7 +31697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31705,7 +31705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31713,7 +31713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31721,7 +31721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31729,7 +31729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31737,7 +31737,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31745,7 +31745,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31753,7 +31753,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31761,7 +31761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31769,7 +31769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31777,7 +31777,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31785,7 +31785,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31793,7 +31793,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31801,7 +31801,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31809,7 +31809,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31817,7 +31817,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31825,7 +31825,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31833,7 +31833,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31841,7 +31841,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31849,7 +31849,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31857,7 +31857,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31865,7 +31865,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31873,7 +31873,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31881,7 +31881,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31889,7 +31889,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31897,7 +31897,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31905,7 +31905,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31913,7 +31913,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31921,7 +31921,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31929,7 +31929,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31937,7 +31937,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31945,7 +31945,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31953,7 +31953,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31961,7 +31961,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31969,7 +31969,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31977,7 +31977,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31985,7 +31985,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31993,7 +31993,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32001,7 +32001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32009,7 +32009,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32017,7 +32017,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32025,7 +32025,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32033,7 +32033,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32041,7 +32041,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32049,7 +32049,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32057,7 +32057,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32065,7 +32065,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32073,7 +32073,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32081,7 +32081,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32089,7 +32089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32097,7 +32097,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32105,7 +32105,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32113,7 +32113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32121,7 +32121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32129,7 +32129,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32137,7 +32137,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32145,7 +32145,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32153,7 +32153,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32161,7 +32161,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32169,7 +32169,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32177,7 +32177,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32185,7 +32185,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32193,7 +32193,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32201,7 +32201,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32209,7 +32209,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32217,7 +32217,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32225,7 +32225,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32233,7 +32233,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32241,7 +32241,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32249,7 +32249,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32257,7 +32257,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32265,7 +32265,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32273,7 +32273,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32281,7 +32281,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32289,7 +32289,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32297,7 +32297,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32305,7 +32305,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32313,7 +32313,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32321,7 +32321,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32329,7 +32329,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32337,7 +32337,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32345,7 +32345,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32353,7 +32353,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32361,7 +32361,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32369,7 +32369,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32377,7 +32377,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32385,7 +32385,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32393,7 +32393,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32401,7 +32401,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32409,7 +32409,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32417,7 +32417,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32425,7 +32425,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32433,7 +32433,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32441,7 +32441,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32449,7 +32449,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32457,7 +32457,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32465,7 +32465,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32473,7 +32473,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32481,7 +32481,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32489,7 +32489,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32497,7 +32497,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32505,7 +32505,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32513,7 +32513,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32521,7 +32521,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32529,7 +32529,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32537,7 +32537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32545,7 +32545,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32553,7 +32553,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32561,7 +32561,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32569,7 +32569,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32577,7 +32577,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32585,7 +32585,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32593,7 +32593,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32601,7 +32601,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32609,7 +32609,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32617,7 +32617,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32625,7 +32625,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32633,7 +32633,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32641,7 +32641,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32649,7 +32649,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32657,7 +32657,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32665,7 +32665,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32673,7 +32673,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32681,7 +32681,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32689,7 +32689,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32697,7 +32697,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32705,7 +32705,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32713,7 +32713,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32721,7 +32721,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32729,7 +32729,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32737,7 +32737,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32745,7 +32745,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32753,7 +32753,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32761,7 +32761,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32769,7 +32769,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32777,7 +32777,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32785,7 +32785,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32793,7 +32793,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32801,7 +32801,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32809,7 +32809,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32817,7 +32817,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32825,7 +32825,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32833,7 +32833,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32841,7 +32841,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32849,7 +32849,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32857,7 +32857,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32865,7 +32865,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32873,7 +32873,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32881,7 +32881,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32889,7 +32889,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32897,7 +32897,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32905,7 +32905,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32913,7 +32913,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32921,7 +32921,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32929,7 +32929,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32937,7 +32937,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32945,7 +32945,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32953,7 +32953,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32961,7 +32961,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32969,7 +32969,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32977,7 +32977,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32985,7 +32985,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32993,7 +32993,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33001,7 +33001,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33009,7 +33009,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33017,7 +33017,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33025,7 +33025,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33033,7 +33033,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33041,7 +33041,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33049,7 +33049,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33057,7 +33057,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33065,7 +33065,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33073,7 +33073,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33081,7 +33081,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33089,7 +33089,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33097,7 +33097,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33105,7 +33105,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33113,7 +33113,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33121,7 +33121,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33129,7 +33129,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33137,7 +33137,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33145,7 +33145,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33153,7 +33153,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33161,7 +33161,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33169,7 +33169,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33177,7 +33177,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33185,7 +33185,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33193,7 +33193,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33201,7 +33201,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33209,7 +33209,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33217,7 +33217,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33225,7 +33225,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33233,7 +33233,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33241,7 +33241,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33249,7 +33249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33257,7 +33257,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33265,7 +33265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33273,7 +33273,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33281,7 +33281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33289,7 +33289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33297,7 +33297,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33305,7 +33305,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33313,7 +33313,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33321,7 +33321,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33329,7 +33329,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33337,7 +33337,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33345,7 +33345,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33353,7 +33353,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33361,7 +33361,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33369,7 +33369,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33377,7 +33377,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33385,7 +33385,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33393,7 +33393,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33401,7 +33401,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33409,7 +33409,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33417,7 +33417,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33425,7 +33425,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33433,7 +33433,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33441,7 +33441,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33449,7 +33449,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33457,7 +33457,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33465,7 +33465,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33473,7 +33473,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33481,7 +33481,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33489,7 +33489,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33497,7 +33497,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33505,7 +33505,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33513,7 +33513,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33521,7 +33521,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33529,7 +33529,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33537,7 +33537,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33545,7 +33545,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33553,7 +33553,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33561,7 +33561,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33569,7 +33569,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33577,7 +33577,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33585,7 +33585,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33593,7 +33593,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33601,7 +33601,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33609,7 +33609,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33617,7 +33617,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33625,7 +33625,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33633,7 +33633,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33641,7 +33641,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33649,7 +33649,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33657,7 +33657,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33665,7 +33665,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33673,7 +33673,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33681,7 +33681,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33689,7 +33689,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33697,7 +33697,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33705,7 +33705,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33713,7 +33713,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33721,7 +33721,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33729,7 +33729,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33737,7 +33737,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33745,7 +33745,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33753,7 +33753,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33761,7 +33761,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33769,7 +33769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33777,7 +33777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33785,7 +33785,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33793,7 +33793,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33801,7 +33801,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33809,7 +33809,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33817,7 +33817,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33825,7 +33825,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33833,7 +33833,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33841,7 +33841,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33849,7 +33849,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33857,7 +33857,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33865,7 +33865,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33873,7 +33873,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33881,7 +33881,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33889,7 +33889,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33897,7 +33897,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33905,7 +33905,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33913,7 +33913,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33921,7 +33921,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33929,7 +33929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33937,7 +33937,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33945,7 +33945,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33953,7 +33953,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33961,7 +33961,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33969,7 +33969,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33977,7 +33977,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33985,7 +33985,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33993,7 +33993,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34001,7 +34001,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34009,7 +34009,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34017,7 +34017,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34025,7 +34025,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34033,7 +34033,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34041,7 +34041,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34049,7 +34049,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34057,7 +34057,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34065,7 +34065,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34073,7 +34073,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34081,7 +34081,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34089,7 +34089,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34097,7 +34097,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34105,7 +34105,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34113,7 +34113,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34121,7 +34121,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34129,7 +34129,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34137,7 +34137,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34145,7 +34145,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34153,7 +34153,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34161,7 +34161,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34169,7 +34169,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34177,7 +34177,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34185,7 +34185,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34193,7 +34193,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34201,7 +34201,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34209,7 +34209,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34217,7 +34217,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34225,7 +34225,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34233,7 +34233,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34241,7 +34241,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34249,7 +34249,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34257,7 +34257,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34265,7 +34265,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34273,7 +34273,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34281,7 +34281,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34289,7 +34289,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34297,7 +34297,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34305,7 +34305,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34313,7 +34313,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34321,7 +34321,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34329,7 +34329,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34337,7 +34337,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34345,7 +34345,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34353,7 +34353,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34361,7 +34361,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34369,7 +34369,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34377,7 +34377,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34385,7 +34385,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34393,7 +34393,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34401,7 +34401,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34409,7 +34409,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34417,7 +34417,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34425,7 +34425,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34433,7 +34433,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34441,7 +34441,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34449,7 +34449,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34457,7 +34457,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34465,7 +34465,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34473,7 +34473,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34481,7 +34481,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34489,7 +34489,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34497,7 +34497,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34505,7 +34505,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34513,7 +34513,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34521,7 +34521,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34529,7 +34529,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34537,7 +34537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34545,7 +34545,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34553,7 +34553,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34561,7 +34561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34569,7 +34569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34577,7 +34577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34585,7 +34585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34593,7 +34593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34601,7 +34601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34609,7 +34609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34617,7 +34617,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34625,7 +34625,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34633,7 +34633,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34641,7 +34641,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34649,7 +34649,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34657,7 +34657,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34665,7 +34665,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34673,7 +34673,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34681,7 +34681,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34689,7 +34689,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34697,7 +34697,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34705,7 +34705,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34713,7 +34713,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34721,7 +34721,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34729,7 +34729,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34737,7 +34737,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34745,7 +34745,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34753,7 +34753,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34761,7 +34761,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34769,7 +34769,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34777,7 +34777,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34785,7 +34785,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34793,7 +34793,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34801,7 +34801,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34809,7 +34809,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34817,7 +34817,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34825,7 +34825,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34833,7 +34833,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34841,7 +34841,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34849,7 +34849,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34857,7 +34857,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34865,7 +34865,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34873,7 +34873,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34881,7 +34881,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34889,7 +34889,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34897,7 +34897,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34905,7 +34905,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34913,7 +34913,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34921,7 +34921,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34929,7 +34929,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34937,7 +34937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34945,7 +34945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34953,7 +34953,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34961,7 +34961,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34969,7 +34969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34977,7 +34977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34985,7 +34985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34993,7 +34993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35001,7 +35001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35009,7 +35009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35017,7 +35017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35025,7 +35025,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35033,7 +35033,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35041,7 +35041,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35049,7 +35049,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35057,7 +35057,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35065,7 +35065,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35073,7 +35073,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35081,7 +35081,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35089,7 +35089,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35097,7 +35097,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35105,7 +35105,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35113,7 +35113,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35121,7 +35121,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35129,7 +35129,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35137,7 +35137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35145,7 +35145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35153,7 +35153,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35161,7 +35161,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35169,7 +35169,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35177,7 +35177,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35185,7 +35185,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35193,7 +35193,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35201,7 +35201,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35209,7 +35209,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35217,7 +35217,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35225,7 +35225,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35233,7 +35233,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35241,7 +35241,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35249,7 +35249,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35257,7 +35257,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35265,7 +35265,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35273,7 +35273,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35281,7 +35281,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35289,7 +35289,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35297,7 +35297,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35305,7 +35305,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35313,7 +35313,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35321,7 +35321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35329,7 +35329,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35337,7 +35337,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35345,7 +35345,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35353,7 +35353,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35361,7 +35361,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35369,7 +35369,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35377,7 +35377,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35385,7 +35385,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35393,7 +35393,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35401,7 +35401,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35409,7 +35409,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35417,7 +35417,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35425,7 +35425,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35433,7 +35433,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35441,7 +35441,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35449,7 +35449,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35457,7 +35457,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35465,7 +35465,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35473,7 +35473,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35481,7 +35481,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35489,7 +35489,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35497,7 +35497,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35505,7 +35505,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35513,7 +35513,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35521,7 +35521,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35529,7 +35529,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35537,7 +35537,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35545,7 +35545,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35553,7 +35553,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35561,7 +35561,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35569,7 +35569,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35577,7 +35577,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35585,7 +35585,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35593,7 +35593,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35601,7 +35601,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35609,7 +35609,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35617,7 +35617,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35625,7 +35625,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35633,7 +35633,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35641,7 +35641,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35649,7 +35649,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35657,7 +35657,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35665,7 +35665,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35673,7 +35673,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35681,7 +35681,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35689,7 +35689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35697,7 +35697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35705,7 +35705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35713,7 +35713,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35721,7 +35721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35729,7 +35729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35737,7 +35737,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35745,7 +35745,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35753,7 +35753,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35761,7 +35761,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35769,7 +35769,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35777,7 +35777,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35785,7 +35785,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35793,7 +35793,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35801,7 +35801,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35809,7 +35809,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35817,7 +35817,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35825,7 +35825,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35833,7 +35833,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35841,7 +35841,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35849,7 +35849,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35857,7 +35857,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35865,7 +35865,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35873,7 +35873,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35881,7 +35881,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35889,7 +35889,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35897,7 +35897,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -35905,7 +35905,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -35913,7 +35913,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -35921,7 +35921,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -35929,7 +35929,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -35937,7 +35937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35945,7 +35945,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -35953,7 +35953,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -35961,7 +35961,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -35969,7 +35969,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -35977,7 +35977,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -35985,7 +35985,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -35993,7 +35993,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36001,7 +36001,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36009,7 +36009,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36017,7 +36017,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36025,7 +36025,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36033,7 +36033,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36041,7 +36041,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36049,7 +36049,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36057,7 +36057,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36065,7 +36065,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36073,7 +36073,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36081,7 +36081,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36089,7 +36089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36097,7 +36097,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36105,7 +36105,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36113,7 +36113,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36121,7 +36121,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36129,7 +36129,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36137,7 +36137,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36145,7 +36145,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36153,7 +36153,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36161,7 +36161,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36169,7 +36169,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36177,7 +36177,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36185,7 +36185,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36193,7 +36193,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36201,7 +36201,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36209,7 +36209,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36217,7 +36217,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36225,7 +36225,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36233,7 +36233,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36241,7 +36241,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36249,7 +36249,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36257,7 +36257,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36265,7 +36265,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36273,7 +36273,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36281,7 +36281,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36289,7 +36289,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36297,7 +36297,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36305,7 +36305,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36313,7 +36313,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36321,7 +36321,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36329,7 +36329,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36337,7 +36337,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36345,7 +36345,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36353,7 +36353,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36361,7 +36361,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36369,7 +36369,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36377,7 +36377,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36385,7 +36385,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36393,7 +36393,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36401,7 +36401,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36409,7 +36409,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36417,7 +36417,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36425,7 +36425,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36433,7 +36433,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36441,7 +36441,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36449,7 +36449,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36457,7 +36457,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36465,7 +36465,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36473,7 +36473,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36481,7 +36481,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36489,7 +36489,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36497,7 +36497,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36505,7 +36505,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36513,7 +36513,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36521,7 +36521,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36529,7 +36529,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36537,7 +36537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36545,7 +36545,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36553,7 +36553,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36561,7 +36561,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36569,7 +36569,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36577,7 +36577,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36585,7 +36585,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36593,7 +36593,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36601,7 +36601,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36609,7 +36609,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36617,7 +36617,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36625,7 +36625,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36633,7 +36633,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36641,7 +36641,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36649,7 +36649,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36657,7 +36657,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36665,7 +36665,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36673,7 +36673,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36681,7 +36681,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36689,7 +36689,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36697,7 +36697,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36705,7 +36705,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36713,7 +36713,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36721,7 +36721,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36729,7 +36729,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36737,7 +36737,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36745,7 +36745,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36753,7 +36753,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36761,7 +36761,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36769,7 +36769,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36777,7 +36777,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36785,7 +36785,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36793,7 +36793,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36801,7 +36801,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36809,7 +36809,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36817,7 +36817,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36825,7 +36825,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36833,7 +36833,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36841,7 +36841,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36849,7 +36849,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36857,7 +36857,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36865,7 +36865,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36873,7 +36873,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36881,7 +36881,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36889,7 +36889,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36897,7 +36897,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36905,7 +36905,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36913,7 +36913,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36921,7 +36921,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36929,7 +36929,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36937,7 +36937,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36945,7 +36945,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36953,7 +36953,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36961,7 +36961,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36969,7 +36969,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36977,7 +36977,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36985,7 +36985,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36993,7 +36993,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37001,7 +37001,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37009,7 +37009,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37017,7 +37017,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37025,7 +37025,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37033,7 +37033,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37041,7 +37041,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37049,7 +37049,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37057,7 +37057,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37065,7 +37065,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37073,7 +37073,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37081,7 +37081,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37089,7 +37089,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37097,7 +37097,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37105,7 +37105,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37113,7 +37113,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37121,7 +37121,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37129,7 +37129,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37137,7 +37137,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37145,7 +37145,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37153,7 +37153,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37161,7 +37161,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37169,7 +37169,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37177,7 +37177,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37185,7 +37185,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37193,7 +37193,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37201,7 +37201,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37209,7 +37209,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37217,7 +37217,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37225,7 +37225,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37233,7 +37233,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37241,7 +37241,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37249,7 +37249,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37257,7 +37257,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37265,7 +37265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37273,7 +37273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37281,7 +37281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37289,7 +37289,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37297,7 +37297,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37305,7 +37305,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37313,7 +37313,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37321,7 +37321,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37329,7 +37329,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37337,7 +37337,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37345,7 +37345,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37353,7 +37353,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37361,7 +37361,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37369,7 +37369,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37377,7 +37377,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37385,7 +37385,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37393,7 +37393,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37401,7 +37401,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37409,7 +37409,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37417,7 +37417,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37425,7 +37425,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37433,7 +37433,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37441,7 +37441,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37449,7 +37449,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37457,7 +37457,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37465,7 +37465,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37473,7 +37473,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37481,7 +37481,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37489,7 +37489,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37497,7 +37497,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37505,7 +37505,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37513,7 +37513,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37521,7 +37521,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37529,7 +37529,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_attack_objects.csv new file mode 100644 index 00000000..594fafcd --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_attack_objects.csv 
@@ -0,0 +1,4693 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1137,Office Application Startup,[],[],,AC-10,mitigates,0 +1,,T1137.002,Office Test,[],[],,AC-10,mitigates,0 +2,,T1185,Browser Session Hijacking,[],[],,AC-10,mitigates,0 +3,,T1528,Steal Application Access Token,[],[],,AC-10,mitigates,0 +4,,T1021.001,Remote Desktop Protocol,[],[],,AC-11,mitigates,0 +5,,T1563.002,RDP Hijacking,[],[],,AC-11,mitigates,0 +6,,T1021.001,Remote Desktop Protocol,[],[],,AC-12,mitigates,0 +7,,T1072,Software Deployment Tools,[],[],,AC-12,mitigates,0 +8,,T1185,Browser Session Hijacking,[],[],,AC-12,mitigates,0 +9,,T1563.002,RDP Hijacking,[],[],,AC-12,mitigates,0 +10,,T1137.002,Office Test,[],[],,AC-14,mitigates,0 +11,,T1003,OS Credential Dumping,[],[],,AC-16,mitigates,0 +12,,T1003.003,NTDS,[],[],,AC-16,mitigates,0 +13,,T1005,Data from Local System,[],[],,AC-16,mitigates,0 +14,,T1020.001,Traffic Duplication,[],[],,AC-16,mitigates,0 +15,,T1025,Data from Removable Media,[],[],,AC-16,mitigates,0 +16,,T1040,Network Sniffing,[],[],,AC-16,mitigates,0 +17,,T1041,Exfiltration Over C2 Channel,[],[],,AC-16,mitigates,0 +18,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-16,mitigates,0 +19,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-16,mitigates,0 +20,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-16,mitigates,0 +21,,T1052,Exfiltration Over Physical Medium,[],[],,AC-16,mitigates,0 +22,,T1052.001,Exfiltration over USB,[],[],,AC-16,mitigates,0 +23,,T1070,Indicator Removal on Host,[],[],,AC-16,mitigates,0 +24,,T1070.001,Clear Windows Event Logs,[],[],,AC-16,mitigates,0 +25,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-16,mitigates,0 +26,,T1114,Email Collection,[],[],,AC-16,mitigates,0 +27,,T1114.001,Local Email Collection,[],[],,AC-16,mitigates,0 +28,,T1114.002,Remote Email Collection,[],[],,AC-16,mitigates,0 +29,,T1114.003,Email Forwarding 
Rule,[],[],,AC-16,mitigates,0 +30,,T1119,Automated Collection,[],[],,AC-16,mitigates,0 +31,,T1213,Data from Information Repositories,[],[],,AC-16,mitigates,0 +32,,T1213.001,Confluence,[],[],,AC-16,mitigates,0 +33,,T1213.002,Sharepoint,[],[],,AC-16,mitigates,0 +34,,T1222,File and Directory Permissions Modification,[],[],,AC-16,mitigates,0 +35,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-16,mitigates,0 +36,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-16,mitigates,0 +37,,T1505,Server Software Component,[],[],,AC-16,mitigates,0 +38,,T1505.002,Transport Agent,[],[],,AC-16,mitigates,0 +39,,T1530,Data from Cloud Storage Object,[],[],,AC-16,mitigates,0 +40,,T1537,Transfer Data to Cloud Account,[],[],,AC-16,mitigates,0 +41,,T1547.007,Re-opened Applications,[],[],,AC-16,mitigates,0 +42,,T1547.011,Plist Modification,[],[],,AC-16,mitigates,0 +43,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-16,mitigates,0 +44,,T1548.003,Sudo and Sudo Caching,[],[],,AC-16,mitigates,0 +45,,T1550.001,Application Access Token,[],[],,AC-16,mitigates,0 +46,,T1552,Unsecured Credentials,[],[],,AC-16,mitigates,0 +47,,T1552.004,Private Keys,[],[],,AC-16,mitigates,0 +48,,T1552.005,Cloud Instance Metadata API,[],[],,AC-16,mitigates,0 +49,,T1557,Adversary-in-the-Middle,[],[],,AC-16,mitigates,0 +50,,T1557.002,ARP Cache Poisoning,[],[],,AC-16,mitigates,0 +51,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-16,mitigates,0 +52,,T1558.002,Silver Ticket,[],[],,AC-16,mitigates,0 +53,,T1558.003,Kerberoasting,[],[],,AC-16,mitigates,0 +54,,T1558.004,AS-REP Roasting,[],[],,AC-16,mitigates,0 +55,,T1564.004,NTFS File Attributes,[],[],,AC-16,mitigates,0 +56,,T1565,Data Manipulation,[],[],,AC-16,mitigates,0 +57,,T1565.001,Stored Data Manipulation,[],[],,AC-16,mitigates,0 +58,,T1565.002,Transmitted Data Manipulation,[],[],,AC-16,mitigates,0 +59,,T1567,Exfiltration Over Web Service,[],[],,AC-16,mitigates,0 +60,,T1602,Data from Configuration 
Repository,[],[],,AC-16,mitigates,0 +61,,T1602.001,SNMP (MIB Dump),[],[],,AC-16,mitigates,0 +62,,T1602.002,Network Device Configuration Dump,[],[],,AC-16,mitigates,0 +63,,T1020.001,Traffic Duplication,[],[],,AC-17,mitigates,0 +64,,T1021,Remote Services,[],[],,AC-17,mitigates,0 +65,,T1021.001,Remote Desktop Protocol,[],[],,AC-17,mitigates,0 +66,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-17,mitigates,0 +67,,T1021.003,Distributed Component Object Model,[],[],,AC-17,mitigates,0 +68,,T1021.004,SSH,[],[],,AC-17,mitigates,0 +69,,T1021.005,VNC,[],[],,AC-17,mitigates,0 +70,,T1021.006,Windows Remote Management,[],[],,AC-17,mitigates,0 +71,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-17,mitigates,0 +72,,T1037.001,Logon Script (Windows),[],[],,AC-17,mitigates,0 +73,,T1040,Network Sniffing,[],[],,AC-17,mitigates,0 +74,,T1047,Windows Management Instrumentation,[],[],,AC-17,mitigates,0 +75,,T1059,Command and Scripting Interpreter,[],[],,AC-17,mitigates,0 +76,,T1059.001,PowerShell,[],[],,AC-17,mitigates,0 +77,,T1059.002,AppleScript,[],[],,AC-17,mitigates,0 +78,,T1059.003,Windows Command Shell,[],[],,AC-17,mitigates,0 +79,,T1059.004,Unix Shell,[],[],,AC-17,mitigates,0 +80,,T1059.005,Visual Basic,[],[],,AC-17,mitigates,0 +81,,T1059.006,Python,[],[],,AC-17,mitigates,0 +82,,T1059.007,JavaScript,[],[],,AC-17,mitigates,0 +83,,T1059.008,Network Device CLI,[],[],,AC-17,mitigates,0 +84,,T1070,Indicator Removal on Host,[],[],,AC-17,mitigates,0 +85,,T1070.001,Clear Windows Event Logs,[],[],,AC-17,mitigates,0 +86,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-17,mitigates,0 +87,,T1114,Email Collection,[],[],,AC-17,mitigates,0 +88,,T1114.001,Local Email Collection,[],[],,AC-17,mitigates,0 +89,,T1114.002,Remote Email Collection,[],[],,AC-17,mitigates,0 +90,,T1114.003,Email Forwarding Rule,[],[],,AC-17,mitigates,0 +91,,T1119,Automated Collection,[],[],,AC-17,mitigates,0 +92,,T1133,External Remote Services,[],[],,AC-17,mitigates,0 +93,,T1137,Office Application 
Startup,[],[],,AC-17,mitigates,0 +94,,T1137.002,Office Test,[],[],,AC-17,mitigates,0 +95,,T1213,Data from Information Repositories,[],[],,AC-17,mitigates,0 +96,,T1213.001,Confluence,[],[],,AC-17,mitigates,0 +97,,T1213.002,Sharepoint,[],[],,AC-17,mitigates,0 +98,,T1219,Remote Access Software,[],[],,AC-17,mitigates,0 +99,,T1505.004,IIS Components,[],[],,AC-17,mitigates,0 +100,,T1530,Data from Cloud Storage Object,[],[],,AC-17,mitigates,0 +101,,T1537,Transfer Data to Cloud Account,[],[],,AC-17,mitigates,0 +102,,T1543,Create or Modify System Process,[],[],,AC-17,mitigates,0 +103,,T1543.003,Windows Service,[],[],,AC-17,mitigates,0 +104,,T1543.004,Launch Daemon,[],[],,AC-17,mitigates,0 +105,,T1547.003,Time Providers,[],[],,AC-17,mitigates,0 +106,,T1547.004,Winlogon Helper DLL,[],[],,AC-17,mitigates,0 +107,,T1547.009,Shortcut Modification,[],[],,AC-17,mitigates,0 +108,,T1547.011,Plist Modification,[],[],,AC-17,mitigates,0 +109,,T1547.012,Print Processors,[],[],,AC-17,mitigates,0 +110,,T1547.013,XDG Autostart Entries,[],[],,AC-17,mitigates,0 +111,,T1550.001,Application Access Token,[],[],,AC-17,mitigates,0 +112,,T1552,Unsecured Credentials,[],[],,AC-17,mitigates,0 +113,,T1552.002,Credentials in Registry,[],[],,AC-17,mitigates,0 +114,,T1552.004,Private Keys,[],[],,AC-17,mitigates,0 +115,,T1552.007,Container API,[],[],,AC-17,mitigates,0 +116,,T1557,Adversary-in-the-Middle,[],[],,AC-17,mitigates,0 +117,,T1557.002,ARP Cache Poisoning,[],[],,AC-17,mitigates,0 +118,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-17,mitigates,0 +119,,T1558.002,Silver Ticket,[],[],,AC-17,mitigates,0 +120,,T1558.003,Kerberoasting,[],[],,AC-17,mitigates,0 +121,,T1558.004,AS-REP Roasting,[],[],,AC-17,mitigates,0 +122,,T1563,Remote Service Session Hijacking,[],[],,AC-17,mitigates,0 +123,,T1563.001,SSH Hijacking,[],[],,AC-17,mitigates,0 +124,,T1563.002,RDP Hijacking,[],[],,AC-17,mitigates,0 +125,,T1565,Data Manipulation,[],[],,AC-17,mitigates,0 +126,,T1565.001,Stored Data 
Manipulation,[],[],,AC-17,mitigates,0 +127,,T1565.002,Transmitted Data Manipulation,[],[],,AC-17,mitigates,0 +128,,T1602,Data from Configuration Repository,[],[],,AC-17,mitigates,0 +129,,T1602.001,SNMP (MIB Dump),[],[],,AC-17,mitigates,0 +130,,T1602.002,Network Device Configuration Dump,[],[],,AC-17,mitigates,0 +131,,T1609,Container Administration Command,[],[],,AC-17,mitigates,0 +132,,T1610,Deploy Container,[],[],,AC-17,mitigates,0 +133,,T1612,Build Image on Host,[],[],,AC-17,mitigates,0 +134,,T1613,Container and Resource Discovery,[],[],,AC-17,mitigates,0 +135,,T1619,Cloud Storage Object Discovery,[],[],,AC-17,mitigates,0 +136,,T1011,Exfiltration Over Other Network Medium,[],[],,AC-18,mitigates,0 +137,,T1011.001,Exfiltration Over Bluetooth,[],[],,AC-18,mitigates,0 +138,,T1020.001,Traffic Duplication,[],[],,AC-18,mitigates,0 +139,,T1040,Network Sniffing,[],[],,AC-18,mitigates,0 +140,,T1070,Indicator Removal on Host,[],[],,AC-18,mitigates,0 +141,,T1070.001,Clear Windows Event Logs,[],[],,AC-18,mitigates,0 +142,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-18,mitigates,0 +143,,T1119,Automated Collection,[],[],,AC-18,mitigates,0 +144,,T1530,Data from Cloud Storage Object,[],[],,AC-18,mitigates,0 +145,,T1552,Unsecured Credentials,[],[],,AC-18,mitigates,0 +146,,T1552.004,Private Keys,[],[],,AC-18,mitigates,0 +147,,T1557,Adversary-in-the-Middle,[],[],,AC-18,mitigates,0 +148,,T1557.002,ARP Cache Poisoning,[],[],,AC-18,mitigates,0 +149,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-18,mitigates,0 +150,,T1558.002,Silver Ticket,[],[],,AC-18,mitigates,0 +151,,T1558.003,Kerberoasting,[],[],,AC-18,mitigates,0 +152,,T1558.004,AS-REP Roasting,[],[],,AC-18,mitigates,0 +153,,T1565,Data Manipulation,[],[],,AC-18,mitigates,0 +154,,T1565.001,Stored Data Manipulation,[],[],,AC-18,mitigates,0 +155,,T1565.002,Transmitted Data Manipulation,[],[],,AC-18,mitigates,0 +156,,T1602,Data from Configuration Repository,[],[],,AC-18,mitigates,0 +157,,T1602.001,SNMP (MIB 
Dump),[],[],,AC-18,mitigates,0 +158,,T1602.002,Network Device Configuration Dump,[],[],,AC-18,mitigates,0 +159,,T1020.001,Traffic Duplication,[],[],,AC-19,mitigates,0 +160,,T1040,Network Sniffing,[],[],,AC-19,mitigates,0 +161,,T1070,Indicator Removal on Host,[],[],,AC-19,mitigates,0 +162,,T1070.001,Clear Windows Event Logs,[],[],,AC-19,mitigates,0 +163,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-19,mitigates,0 +164,,T1114,Email Collection,[],[],,AC-19,mitigates,0 +165,,T1114.001,Local Email Collection,[],[],,AC-19,mitigates,0 +166,,T1114.002,Remote Email Collection,[],[],,AC-19,mitigates,0 +167,,T1114.003,Email Forwarding Rule,[],[],,AC-19,mitigates,0 +168,,T1119,Automated Collection,[],[],,AC-19,mitigates,0 +169,,T1530,Data from Cloud Storage Object,[],[],,AC-19,mitigates,0 +170,,T1550.001,Application Access Token,[],[],,AC-19,mitigates,0 +171,,T1552,Unsecured Credentials,[],[],,AC-19,mitigates,0 +172,,T1552.004,Private Keys,[],[],,AC-19,mitigates,0 +173,,T1557,Adversary-in-the-Middle,[],[],,AC-19,mitigates,0 +174,,T1557.002,ARP Cache Poisoning,[],[],,AC-19,mitigates,0 +175,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-19,mitigates,0 +176,,T1558.002,Silver Ticket,[],[],,AC-19,mitigates,0 +177,,T1558.003,Kerberoasting,[],[],,AC-19,mitigates,0 +178,,T1558.004,AS-REP Roasting,[],[],,AC-19,mitigates,0 +179,,T1565,Data Manipulation,[],[],,AC-19,mitigates,0 +180,,T1565.001,Stored Data Manipulation,[],[],,AC-19,mitigates,0 +181,,T1565.002,Transmitted Data Manipulation,[],[],,AC-19,mitigates,0 +182,,T1602,Data from Configuration Repository,[],[],,AC-19,mitigates,0 +183,,T1602.001,SNMP (MIB Dump),[],[],,AC-19,mitigates,0 +184,,T1602.002,Network Device Configuration Dump,[],[],,AC-19,mitigates,0 +185,,T1003,OS Credential Dumping,[],[],,AC-2,mitigates,0 +186,,T1003.001,LSASS Memory,[],[],,AC-2,mitigates,0 +187,,T1003.002,Security Account Manager,[],[],,AC-2,mitigates,0 +188,,T1003.003,NTDS,[],[],,AC-2,mitigates,0 +189,,T1003.004,LSA Secrets,[],[],,AC-2,mitigates,0 
+190,,T1003.005,Cached Domain Credentials,[],[],,AC-2,mitigates,0 +191,,T1003.006,DCSync,[],[],,AC-2,mitigates,0 +192,,T1003.007,Proc Filesystem,[],[],,AC-2,mitigates,0 +193,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-2,mitigates,0 +194,,T1005,Data from Local System,[],[],,AC-2,mitigates,0 +195,,T1021,Remote Services,[],[],,AC-2,mitigates,0 +196,,T1021.001,Remote Desktop Protocol,[],[],,AC-2,mitigates,0 +197,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-2,mitigates,0 +198,,T1021.003,Distributed Component Object Model,[],[],,AC-2,mitigates,0 +199,,T1021.004,SSH,[],[],,AC-2,mitigates,0 +200,,T1021.005,VNC,[],[],,AC-2,mitigates,0 +201,,T1021.006,Windows Remote Management,[],[],,AC-2,mitigates,0 +202,,T1025,Data from Removable Media,[],[],,AC-2,mitigates,0 +203,,T1036,Masquerading,[],[],,AC-2,mitigates,0 +204,,T1036.003,Rename System Utilities,[],[],,AC-2,mitigates,0 +205,,T1036.005,Match Legitimate Name or Location,[],[],,AC-2,mitigates,0 +206,,T1041,Exfiltration Over C2 Channel,[],[],,AC-2,mitigates,0 +207,,T1047,Windows Management Instrumentation,[],[],,AC-2,mitigates,0 +208,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-2,mitigates,0 +209,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-2,mitigates,0 +210,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-2,mitigates,0 +211,,T1052,Exfiltration Over Physical Medium,[],[],,AC-2,mitigates,0 +212,,T1052.001,Exfiltration over USB,[],[],,AC-2,mitigates,0 +213,,T1053,Scheduled Task/Job,[],[],,AC-2,mitigates,0 +214,,T1053.001,At (Linux),[],[],,AC-2,mitigates,0 +215,,T1053.002,At (Windows),[],[],,AC-2,mitigates,0 +216,,T1053.003,Cron,[],[],,AC-2,mitigates,0 +217,,T1053.005,Scheduled Task,[],[],,AC-2,mitigates,0 +218,,T1053.006,Systemd Timers,[],[],,AC-2,mitigates,0 +219,,T1053.007,Container Orchestration Job,[],[],,AC-2,mitigates,0 +220,,T1055,Process Injection,[],[],,AC-2,mitigates,0 +221,,T1055.008,Ptrace System Calls,[],[],,AC-2,mitigates,0 
+222,,T1056.003,Web Portal Capture,[],[],,AC-2,mitigates,0 +223,,T1059,Command and Scripting Interpreter,[],[],,AC-2,mitigates,0 +224,,T1059.001,PowerShell,[],[],,AC-2,mitigates,0 +225,,T1059.002,AppleScript,[],[],,AC-2,mitigates,0 +226,,T1059.003,Windows Command Shell,[],[],,AC-2,mitigates,0 +227,,T1059.004,Unix Shell,[],[],,AC-2,mitigates,0 +228,,T1059.005,Visual Basic,[],[],,AC-2,mitigates,0 +229,,T1059.006,Python,[],[],,AC-2,mitigates,0 +230,,T1059.007,JavaScript,[],[],,AC-2,mitigates,0 +231,,T1059.008,Network Device CLI,[],[],,AC-2,mitigates,0 +232,,T1068,Exploitation for Privilege Escalation,[],[],,AC-2,mitigates,0 +233,,T1070,Indicator Removal on Host,[],[],,AC-2,mitigates,0 +234,,T1070.001,Clear Windows Event Logs,[],[],,AC-2,mitigates,0 +235,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-2,mitigates,0 +236,,T1070.003,Clear Command History,[],[],,AC-2,mitigates,0 +237,,T1072,Software Deployment Tools,[],[],,AC-2,mitigates,0 +238,,T1078,Valid Accounts,[],[],,AC-2,mitigates,0 +239,,T1078.001,Default Accounts,[],[],,AC-2,mitigates,0 +240,,T1078.002,Domain Accounts,[],[],,AC-2,mitigates,0 +241,,T1078.003,Local Accounts,[],[],,AC-2,mitigates,0 +242,,T1078.004,Cloud Accounts,[],[],,AC-2,mitigates,0 +243,,T1087.004,Cloud Account,[],[],,AC-2,mitigates,0 +244,,T1098,Account Manipulation,[],[],,AC-2,mitigates,0 +245,,T1098.001,Additional Cloud Credentials,[],[],,AC-2,mitigates,0 +246,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-2,mitigates,0 +247,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-2,mitigates,0 +248,,T1110,Brute Force,[],[],,AC-2,mitigates,0 +249,,T1110.001,Password Guessing,[],[],,AC-2,mitigates,0 +250,,T1110.002,Password Cracking,[],[],,AC-2,mitigates,0 +251,,T1110.003,Password Spraying,[],[],,AC-2,mitigates,0 +252,,T1110.004,Credential Stuffing,[],[],,AC-2,mitigates,0 +253,,T1134,Access Token Manipulation,[],[],,AC-2,mitigates,0 +254,,T1134.001,Token Impersonation/Theft,[],[],,AC-2,mitigates,0 +255,,T1134.002,Create 
Process with Token,[],[],,AC-2,mitigates,0 +256,,T1134.003,Make and Impersonate Token,[],[],,AC-2,mitigates,0 +257,,T1136,Create Account,[],[],,AC-2,mitigates,0 +258,,T1136.001,Local Account,[],[],,AC-2,mitigates,0 +259,,T1136.002,Domain Account,[],[],,AC-2,mitigates,0 +260,,T1136.003,Cloud Account,[],[],,AC-2,mitigates,0 +261,,T1185,Browser Session Hijacking,[],[],,AC-2,mitigates,0 +262,,T1190,Exploit Public-Facing Application,[],[],,AC-2,mitigates,0 +263,,T1197,BITS Jobs,[],[],,AC-2,mitigates,0 +264,,T1210,Exploitation of Remote Services,[],[],,AC-2,mitigates,0 +265,,T1212,Exploitation for Credential Access,[],[],,AC-2,mitigates,0 +266,,T1213,Data from Information Repositories,[],[],,AC-2,mitigates,0 +267,,T1213.001,Confluence,[],[],,AC-2,mitigates,0 +268,,T1213.002,Sharepoint,[],[],,AC-2,mitigates,0 +269,,T1213.003,Code Repositories,[],[],,AC-2,mitigates,0 +270,,T1218,Signed Binary Proxy Execution,[],[],,AC-2,mitigates,0 +271,,T1218.007,Msiexec,[],[],,AC-2,mitigates,0 +272,,T1222,File and Directory Permissions Modification,[],[],,AC-2,mitigates,0 +273,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-2,mitigates,0 +274,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-2,mitigates,0 +275,,T1484,Domain Policy Modification,[],[],,AC-2,mitigates,0 +276,,T1489,Service Stop,[],[],,AC-2,mitigates,0 +277,,T1495,Firmware Corruption,[],[],,AC-2,mitigates,0 +278,,T1505,Server Software Component,[],[],,AC-2,mitigates,0 +279,,T1505.002,Transport Agent,[],[],,AC-2,mitigates,0 +280,,T1505.003,Web Shell,[],[],,AC-2,mitigates,0 +281,,T1525,Implant Internal Image,[],[],,AC-2,mitigates,0 +282,,T1528,Steal Application Access Token,[],[],,AC-2,mitigates,0 +283,,T1530,Data from Cloud Storage Object,[],[],,AC-2,mitigates,0 +284,,T1537,Transfer Data to Cloud Account,[],[],,AC-2,mitigates,0 +285,,T1538,Cloud Service Dashboard,[],[],,AC-2,mitigates,0 +286,,T1542,Pre-OS Boot,[],[],,AC-2,mitigates,0 +287,,T1542.001,System 
Firmware,[],[],,AC-2,mitigates,0 +288,,T1542.003,Bootkit,[],[],,AC-2,mitigates,0 +289,,T1542.005,TFTP Boot,[],[],,AC-2,mitigates,0 +290,,T1543,Create or Modify System Process,[],[],,AC-2,mitigates,0 +291,,T1543.001,Launch Agent,[],[],,AC-2,mitigates,0 +292,,T1543.002,Systemd Service,[],[],,AC-2,mitigates,0 +293,,T1543.003,Windows Service,[],[],,AC-2,mitigates,0 +294,,T1543.004,Launch Daemon,[],[],,AC-2,mitigates,0 +295,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-2,mitigates,0 +296,,T1547.004,Winlogon Helper DLL,[],[],,AC-2,mitigates,0 +297,,T1547.006,Kernel Modules and Extensions,[],[],,AC-2,mitigates,0 +298,,T1547.009,Shortcut Modification,[],[],,AC-2,mitigates,0 +299,,T1547.012,Print Processors,[],[],,AC-2,mitigates,0 +300,,T1547.013,XDG Autostart Entries,[],[],,AC-2,mitigates,0 +301,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-2,mitigates,0 +302,,T1548.002,Bypass User Account Control,[],[],,AC-2,mitigates,0 +303,,T1548.003,Sudo and Sudo Caching,[],[],,AC-2,mitigates,0 +304,,T1550,Use Alternate Authentication Material,[],[],,AC-2,mitigates,0 +305,,T1550.002,Pass the Hash,[],[],,AC-2,mitigates,0 +306,,T1550.003,Pass the Ticket,[],[],,AC-2,mitigates,0 +307,,T1552,Unsecured Credentials,[],[],,AC-2,mitigates,0 +308,,T1552.001,Credentials In Files,[],[],,AC-2,mitigates,0 +309,,T1552.002,Credentials in Registry,[],[],,AC-2,mitigates,0 +310,,T1552.004,Private Keys,[],[],,AC-2,mitigates,0 +311,,T1552.006,Group Policy Preferences,[],[],,AC-2,mitigates,0 +312,,T1552.007,Container API,[],[],,AC-2,mitigates,0 +313,,T1553,Subvert Trust Controls,[],[],,AC-2,mitigates,0 +314,,T1553.006,Code Signing Policy Modification,[],[],,AC-2,mitigates,0 +315,,T1556,Modify Authentication Process,[],[],,AC-2,mitigates,0 +316,,T1556.001,Domain Controller Authentication,[],[],,AC-2,mitigates,0 +317,,T1556.003,Pluggable Authentication Modules,[],[],,AC-2,mitigates,0 +318,,T1556.004,Network Device Authentication,[],[],,AC-2,mitigates,0 +319,,T1558,Steal or 
Forge Kerberos Tickets,[],[],,AC-2,mitigates,0 +320,,T1558.001,Golden Ticket,[],[],,AC-2,mitigates,0 +321,,T1558.002,Silver Ticket,[],[],,AC-2,mitigates,0 +322,,T1558.003,Kerberoasting,[],[],,AC-2,mitigates,0 +323,,T1558.004,AS-REP Roasting,[],[],,AC-2,mitigates,0 +324,,T1559,Inter-Process Communication,[],[],,AC-2,mitigates,0 +325,,T1559.001,Component Object Model,[],[],,AC-2,mitigates,0 +326,,T1562,Impair Defenses,[],[],,AC-2,mitigates,0 +327,,T1562.001,Disable or Modify Tools,[],[],,AC-2,mitigates,0 +328,,T1562.002,Disable Windows Event Logging,[],[],,AC-2,mitigates,0 +329,,T1562.004,Disable or Modify System Firewall,[],[],,AC-2,mitigates,0 +330,,T1562.006,Indicator Blocking,[],[],,AC-2,mitigates,0 +331,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-2,mitigates,0 +332,,T1562.008,Disable Cloud Logs,[],[],,AC-2,mitigates,0 +333,,T1562.009,Safe Mode Boot,[],[],,AC-2,mitigates,0 +334,,T1563,Remote Service Session Hijacking,[],[],,AC-2,mitigates,0 +335,,T1563.001,SSH Hijacking,[],[],,AC-2,mitigates,0 +336,,T1563.002,RDP Hijacking,[],[],,AC-2,mitigates,0 +337,,T1567,Exfiltration Over Web Service,[],[],,AC-2,mitigates,0 +338,,T1569,System Services,[],[],,AC-2,mitigates,0 +339,,T1569.001,Launchctl,[],[],,AC-2,mitigates,0 +340,,T1569.002,Service Execution,[],[],,AC-2,mitigates,0 +341,,T1574,Hijack Execution Flow,[],[],,AC-2,mitigates,0 +342,,T1574.004,Dylib Hijacking,[],[],,AC-2,mitigates,0 +343,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-2,mitigates,0 +344,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-2,mitigates,0 +345,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-2,mitigates,0 +346,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-2,mitigates,0 +347,,T1574.010,Services File Permissions Weakness,[],[],,AC-2,mitigates,0 +348,,T1574.012,COR_PROFILER,[],[],,AC-2,mitigates,0 +349,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-2,mitigates,0 +350,,T1578.001,Create 
Snapshot,[],[],,AC-2,mitigates,0 +351,,T1578.002,Create Cloud Instance,[],[],,AC-2,mitigates,0 +352,,T1578.003,Delete Cloud Instance,[],[],,AC-2,mitigates,0 +353,,T1580,Cloud Infrastructure Discovery,[],[],,AC-2,mitigates,0 +354,,T1599,Network Boundary Bridging,[],[],,AC-2,mitigates,0 +355,,T1599.001,Network Address Translation Traversal,[],[],,AC-2,mitigates,0 +356,,T1601,Modify System Image,[],[],,AC-2,mitigates,0 +357,,T1601.001,Patch System Image,[],[],,AC-2,mitigates,0 +358,,T1601.002,Downgrade System Image,[],[],,AC-2,mitigates,0 +359,,T1606,Forge Web Credentials,[],[],,AC-2,mitigates,0 +360,,T1606.001,Web Cookies,[],[],,AC-2,mitigates,0 +361,,T1606.002,SAML Tokens,[],[],,AC-2,mitigates,0 +362,,T1609,Container Administration Command,[],[],,AC-2,mitigates,0 +363,,T1610,Deploy Container,[],[],,AC-2,mitigates,0 +364,,T1611,Escape to Host,[],[],,AC-2,mitigates,0 +365,,T1612,Build Image on Host,[],[],,AC-2,mitigates,0 +366,,T1613,Container and Resource Discovery,[],[],,AC-2,mitigates,0 +367,,T1619,Cloud Storage Object Discovery,[],[],,AC-2,mitigates,0 +368,,T1020.001,Traffic Duplication,[],[],,AC-20,mitigates,0 +369,,T1021,Remote Services,[],[],,AC-20,mitigates,0 +370,,T1021.001,Remote Desktop Protocol,[],[],,AC-20,mitigates,0 +371,,T1021.004,SSH,[],[],,AC-20,mitigates,0 +372,,T1041,Exfiltration Over C2 Channel,[],[],,AC-20,mitigates,0 +373,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-20,mitigates,0 +374,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-20,mitigates,0 +375,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-20,mitigates,0 +376,,T1052,Exfiltration Over Physical Medium,[],[],,AC-20,mitigates,0 +377,,T1052.001,Exfiltration over USB,[],[],,AC-20,mitigates,0 +378,,T1053,Scheduled Task/Job,[],[],,AC-20,mitigates,0 +379,,T1053.002,At (Windows),[],[],,AC-20,mitigates,0 +380,,T1053.005,Scheduled Task,[],[],,AC-20,mitigates,0 +381,,T1072,Software Deployment Tools,[],[],,AC-20,mitigates,0 
+382,,T1078.002,Domain Accounts,[],[],,AC-20,mitigates,0 +383,,T1078.004,Cloud Accounts,[],[],,AC-20,mitigates,0 +384,,T1098.001,Additional Cloud Credentials,[],[],,AC-20,mitigates,0 +385,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-20,mitigates,0 +386,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-20,mitigates,0 +387,,T1110,Brute Force,[],[],,AC-20,mitigates,0 +388,,T1110.001,Password Guessing,[],[],,AC-20,mitigates,0 +389,,T1110.002,Password Cracking,[],[],,AC-20,mitigates,0 +390,,T1110.003,Password Spraying,[],[],,AC-20,mitigates,0 +391,,T1110.004,Credential Stuffing,[],[],,AC-20,mitigates,0 +392,,T1114,Email Collection,[],[],,AC-20,mitigates,0 +393,,T1114.001,Local Email Collection,[],[],,AC-20,mitigates,0 +394,,T1114.002,Remote Email Collection,[],[],,AC-20,mitigates,0 +395,,T1114.003,Email Forwarding Rule,[],[],,AC-20,mitigates,0 +396,,T1119,Automated Collection,[],[],,AC-20,mitigates,0 +397,,T1133,External Remote Services,[],[],,AC-20,mitigates,0 +398,,T1134.005,SID-History Injection,[],[],,AC-20,mitigates,0 +399,,T1136,Create Account,[],[],,AC-20,mitigates,0 +400,,T1136.001,Local Account,[],[],,AC-20,mitigates,0 +401,,T1136.002,Domain Account,[],[],,AC-20,mitigates,0 +402,,T1136.003,Cloud Account,[],[],,AC-20,mitigates,0 +403,,T1200,Hardware Additions,[],[],,AC-20,mitigates,0 +404,,T1530,Data from Cloud Storage Object,[],[],,AC-20,mitigates,0 +405,,T1537,Transfer Data to Cloud Account,[],[],,AC-20,mitigates,0 +406,,T1539,Steal Web Session Cookie,[],[],,AC-20,mitigates,0 +407,,T1550.001,Application Access Token,[],[],,AC-20,mitigates,0 +408,,T1552,Unsecured Credentials,[],[],,AC-20,mitigates,0 +409,,T1552.004,Private Keys,[],[],,AC-20,mitigates,0 +410,,T1552.005,Cloud Instance Metadata API,[],[],,AC-20,mitigates,0 +411,,T1556,Modify Authentication Process,[],[],,AC-20,mitigates,0 +412,,T1556.001,Domain Controller Authentication,[],[],,AC-20,mitigates,0 +413,,T1556.003,Pluggable Authentication Modules,[],[],,AC-20,mitigates,0 
+414,,T1556.004,Network Device Authentication,[],[],,AC-20,mitigates,0 +415,,T1557,Adversary-in-the-Middle,[],[],,AC-20,mitigates,0 +416,,T1557.002,ARP Cache Poisoning,[],[],,AC-20,mitigates,0 +417,,T1565,Data Manipulation,[],[],,AC-20,mitigates,0 +418,,T1565.001,Stored Data Manipulation,[],[],,AC-20,mitigates,0 +419,,T1565.002,Transmitted Data Manipulation,[],[],,AC-20,mitigates,0 +420,,T1567,Exfiltration Over Web Service,[],[],,AC-20,mitigates,0 +421,,T1567.001,Exfiltration to Code Repository,[],[],,AC-20,mitigates,0 +422,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-20,mitigates,0 +423,,T1602,Data from Configuration Repository,[],[],,AC-20,mitigates,0 +424,,T1602.001,SNMP (MIB Dump),[],[],,AC-20,mitigates,0 +425,,T1602.002,Network Device Configuration Dump,[],[],,AC-20,mitigates,0 +426,,T1053,Scheduled Task/Job,[],[],,AC-21,mitigates,0 +427,,T1053.002,At (Windows),[],[],,AC-21,mitigates,0 +428,,T1053.005,Scheduled Task,[],[],,AC-21,mitigates,0 +429,,T1213,Data from Information Repositories,[],[],,AC-21,mitigates,0 +430,,T1213.001,Confluence,[],[],,AC-21,mitigates,0 +431,,T1213.002,Sharepoint,[],[],,AC-21,mitigates,0 +432,,T1053,Scheduled Task/Job,[],[],,AC-22,mitigates,0 +433,,T1053.002,At (Windows),[],[],,AC-22,mitigates,0 +434,,T1053.005,Scheduled Task,[],[],,AC-22,mitigates,0 +435,,T1005,Data from Local System,[],[],,AC-23,mitigates,0 +436,,T1025,Data from Removable Media,[],[],,AC-23,mitigates,0 +437,,T1041,Exfiltration Over C2 Channel,[],[],,AC-23,mitigates,0 +438,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-23,mitigates,0 +439,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-23,mitigates,0 +440,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-23,mitigates,0 +441,,T1052,Exfiltration Over Physical Medium,[],[],,AC-23,mitigates,0 +442,,T1052.001,Exfiltration over USB,[],[],,AC-23,mitigates,0 +443,,T1053,Scheduled Task/Job,[],[],,AC-23,mitigates,0 +444,,T1053.002,At 
(Windows),[],[],,AC-23,mitigates,0 +445,,T1053.005,Scheduled Task,[],[],,AC-23,mitigates,0 +446,,T1133,External Remote Services,[],[],,AC-23,mitigates,0 +447,,T1213,Data from Information Repositories,[],[],,AC-23,mitigates,0 +448,,T1213.001,Confluence,[],[],,AC-23,mitigates,0 +449,,T1213.002,Sharepoint,[],[],,AC-23,mitigates,0 +450,,T1552.007,Container API,[],[],,AC-23,mitigates,0 +451,,T1567,Exfiltration Over Web Service,[],[],,AC-23,mitigates,0 +452,,T1053,Scheduled Task/Job,[],[],,AC-24,mitigates,0 +453,,T1053.002,At (Windows),[],[],,AC-24,mitigates,0 +454,,T1053.005,Scheduled Task,[],[],,AC-24,mitigates,0 +455,,T1053,Scheduled Task/Job,[],[],,AC-25,mitigates,0 +456,,T1053.002,At (Windows),[],[],,AC-25,mitigates,0 +457,,T1053.005,Scheduled Task,[],[],,AC-25,mitigates,0 +458,,T1003,OS Credential Dumping,[],[],,AC-3,mitigates,0 +459,,T1003.001,LSASS Memory,[],[],,AC-3,mitigates,0 +460,,T1003.002,Security Account Manager,[],[],,AC-3,mitigates,0 +461,,T1003.003,NTDS,[],[],,AC-3,mitigates,0 +462,,T1003.004,LSA Secrets,[],[],,AC-3,mitigates,0 +463,,T1003.005,Cached Domain Credentials,[],[],,AC-3,mitigates,0 +464,,T1003.006,DCSync,[],[],,AC-3,mitigates,0 +465,,T1003.007,Proc Filesystem,[],[],,AC-3,mitigates,0 +466,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-3,mitigates,0 +467,,T1005,Data from Local System,[],[],,AC-3,mitigates,0 +468,,T1021,Remote Services,[],[],,AC-3,mitigates,0 +469,,T1021.001,Remote Desktop Protocol,[],[],,AC-3,mitigates,0 +470,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-3,mitigates,0 +471,,T1021.003,Distributed Component Object Model,[],[],,AC-3,mitigates,0 +472,,T1021.004,SSH,[],[],,AC-3,mitigates,0 +473,,T1021.005,VNC,[],[],,AC-3,mitigates,0 +474,,T1021.006,Windows Remote Management,[],[],,AC-3,mitigates,0 +475,,T1025,Data from Removable Media,[],[],,AC-3,mitigates,0 +476,,T1036,Masquerading,[],[],,AC-3,mitigates,0 +477,,T1036.003,Rename System Utilities,[],[],,AC-3,mitigates,0 +478,,T1036.005,Match Legitimate Name or 
Location,[],[],,AC-3,mitigates,0 +479,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-3,mitigates,0 +480,,T1037.002,Logon Script (Mac),[],[],,AC-3,mitigates,0 +481,,T1037.003,Network Logon Script,[],[],,AC-3,mitigates,0 +482,,T1037.004,RC Scripts,[],[],,AC-3,mitigates,0 +483,,T1037.005,Startup Items,[],[],,AC-3,mitigates,0 +484,,T1041,Exfiltration Over C2 Channel,[],[],,AC-3,mitigates,0 +485,,T1047,Windows Management Instrumentation,[],[],,AC-3,mitigates,0 +486,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-3,mitigates,0 +487,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,0 +488,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,0 +489,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-3,mitigates,0 +490,,T1052,Exfiltration Over Physical Medium,[],[],,AC-3,mitigates,0 +491,,T1052.001,Exfiltration over USB,[],[],,AC-3,mitigates,0 +492,,T1053,Scheduled Task/Job,[],[],,AC-3,mitigates,0 +493,,T1053.001,At (Linux),[],[],,AC-3,mitigates,0 +494,,T1053.002,At (Windows),[],[],,AC-3,mitigates,0 +495,,T1053.003,Cron,[],[],,AC-3,mitigates,0 +496,,T1053.005,Scheduled Task,[],[],,AC-3,mitigates,0 +497,,T1053.006,Systemd Timers,[],[],,AC-3,mitigates,0 +498,,T1053.007,Container Orchestration Job,[],[],,AC-3,mitigates,0 +499,,T1055,Process Injection,[],[],,AC-3,mitigates,0 +500,,T1055.008,Ptrace System Calls,[],[],,AC-3,mitigates,0 +501,,T1055.009,Proc Memory,[],[],,AC-3,mitigates,0 +502,,T1056.003,Web Portal Capture,[],[],,AC-3,mitigates,0 +503,,T1059,Command and Scripting Interpreter,[],[],,AC-3,mitigates,0 +504,,T1059.001,PowerShell,[],[],,AC-3,mitigates,0 +505,,T1059.002,AppleScript,[],[],,AC-3,mitigates,0 +506,,T1059.003,Windows Command Shell,[],[],,AC-3,mitigates,0 +507,,T1059.004,Unix Shell,[],[],,AC-3,mitigates,0 +508,,T1059.005,Visual Basic,[],[],,AC-3,mitigates,0 +509,,T1059.006,Python,[],[],,AC-3,mitigates,0 
+510,,T1059.007,JavaScript,[],[],,AC-3,mitigates,0 +511,,T1059.008,Network Device CLI,[],[],,AC-3,mitigates,0 +512,,T1070,Indicator Removal on Host,[],[],,AC-3,mitigates,0 +513,,T1070.001,Clear Windows Event Logs,[],[],,AC-3,mitigates,0 +514,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-3,mitigates,0 +515,,T1070.003,Clear Command History,[],[],,AC-3,mitigates,0 +516,,T1071.004,DNS,[],[],,AC-3,mitigates,0 +517,,T1072,Software Deployment Tools,[],[],,AC-3,mitigates,0 +518,,T1078,Valid Accounts,[],[],,AC-3,mitigates,0 +519,,T1078.002,Domain Accounts,[],[],,AC-3,mitigates,0 +520,,T1078.003,Local Accounts,[],[],,AC-3,mitigates,0 +521,,T1078.004,Cloud Accounts,[],[],,AC-3,mitigates,0 +522,,T1080,Taint Shared Content,[],[],,AC-3,mitigates,0 +523,,T1087.004,Cloud Account,[],[],,AC-3,mitigates,0 +524,,T1090,Proxy,[],[],,AC-3,mitigates,0 +525,,T1090.003,Multi-hop Proxy,[],[],,AC-3,mitigates,0 +526,,T1091,Replication Through Removable Media,[],[],,AC-3,mitigates,0 +527,,T1095,Non-Application Layer Protocol,[],[],,AC-3,mitigates,0 +528,,T1098,Account Manipulation,[],[],,AC-3,mitigates,0 +529,,T1098.001,Additional Cloud Credentials,[],[],,AC-3,mitigates,0 +530,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-3,mitigates,0 +531,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-3,mitigates,0 +532,,T1098.004,SSH Authorized Keys,[],[],,AC-3,mitigates,0 +533,,T1110,Brute Force,[],[],,AC-3,mitigates,0 +534,,T1110.001,Password Guessing,[],[],,AC-3,mitigates,0 +535,,T1110.002,Password Cracking,[],[],,AC-3,mitigates,0 +536,,T1110.003,Password Spraying,[],[],,AC-3,mitigates,0 +537,,T1110.004,Credential Stuffing,[],[],,AC-3,mitigates,0 +538,,T1114,Email Collection,[],[],,AC-3,mitigates,0 +539,,T1114.002,Remote Email Collection,[],[],,AC-3,mitigates,0 +540,,T1133,External Remote Services,[],[],,AC-3,mitigates,0 +541,,T1134,Access Token Manipulation,[],[],,AC-3,mitigates,0 +542,,T1134.001,Token Impersonation/Theft,[],[],,AC-3,mitigates,0 +543,,T1134.002,Create 
Process with Token,[],[],,AC-3,mitigates,0 +544,,T1134.003,Make and Impersonate Token,[],[],,AC-3,mitigates,0 +545,,T1134.005,SID-History Injection,[],[],,AC-3,mitigates,0 +546,,T1136,Create Account,[],[],,AC-3,mitigates,0 +547,,T1136.001,Local Account,[],[],,AC-3,mitigates,0 +548,,T1136.002,Domain Account,[],[],,AC-3,mitigates,0 +549,,T1136.003,Cloud Account,[],[],,AC-3,mitigates,0 +550,,T1185,Browser Session Hijacking,[],[],,AC-3,mitigates,0 +551,,T1187,Forced Authentication,[],[],,AC-3,mitigates,0 +552,,T1190,Exploit Public-Facing Application,[],[],,AC-3,mitigates,0 +553,,T1197,BITS Jobs,[],[],,AC-3,mitigates,0 +554,,T1199,Trusted Relationship,[],[],,AC-3,mitigates,0 +555,,T1200,Hardware Additions,[],[],,AC-3,mitigates,0 +556,,T1205,Traffic Signaling,[],[],,AC-3,mitigates,0 +557,,T1205.001,Port Knocking,[],[],,AC-3,mitigates,0 +558,,T1210,Exploitation of Remote Services,[],[],,AC-3,mitigates,0 +559,,T1213,Data from Information Repositories,[],[],,AC-3,mitigates,0 +560,,T1213.001,Confluence,[],[],,AC-3,mitigates,0 +561,,T1213.002,Sharepoint,[],[],,AC-3,mitigates,0 +562,,T1213.003,Code Repositories,[],[],,AC-3,mitigates,0 +563,,T1218,Signed Binary Proxy Execution,[],[],,AC-3,mitigates,0 +564,,T1218.002,Control Panel,[],[],,AC-3,mitigates,0 +565,,T1218.007,Msiexec,[],[],,AC-3,mitigates,0 +566,,T1218.012,Verclsid,[],[],,AC-3,mitigates,0 +567,,T1219,Remote Access Software,[],[],,AC-3,mitigates,0 +568,,T1222,File and Directory Permissions Modification,[],[],,AC-3,mitigates,0 +569,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-3,mitigates,0 +570,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-3,mitigates,0 +571,,T1484,Domain Policy Modification,[],[],,AC-3,mitigates,0 +572,,T1485,Data Destruction,[],[],,AC-3,mitigates,0 +573,,T1486,Data Encrypted for Impact,[],[],,AC-3,mitigates,0 +574,,T1489,Service Stop,[],[],,AC-3,mitigates,0 +575,,T1490,Inhibit System Recovery,[],[],,AC-3,mitigates,0 
+576,,T1491,Defacement,[],[],,AC-3,mitigates,0 +577,,T1491.001,Internal Defacement,[],[],,AC-3,mitigates,0 +578,,T1491.002,External Defacement,[],[],,AC-3,mitigates,0 +579,,T1495,Firmware Corruption,[],[],,AC-3,mitigates,0 +580,,T1498,Network Denial of Service,[],[],,AC-3,mitigates,0 +581,,T1498.001,Direct Network Flood,[],[],,AC-3,mitigates,0 +582,,T1498.002,Reflection Amplification,[],[],,AC-3,mitigates,0 +583,,T1499,Endpoint Denial of Service,[],[],,AC-3,mitigates,0 +584,,T1499.001,OS Exhaustion Flood,[],[],,AC-3,mitigates,0 +585,,T1499.002,Service Exhaustion Flood,[],[],,AC-3,mitigates,0 +586,,T1499.003,Application Exhaustion Flood,[],[],,AC-3,mitigates,0 +587,,T1499.004,Application or System Exploitation,[],[],,AC-3,mitigates,0 +588,,T1505,Server Software Component,[],[],,AC-3,mitigates,0 +589,,T1505.002,Transport Agent,[],[],,AC-3,mitigates,0 +590,,T1505.003,Web Shell,[],[],,AC-3,mitigates,0 +591,,T1505.004,IIS Components,[],[],,AC-3,mitigates,0 +592,,T1525,Implant Internal Image,[],[],,AC-3,mitigates,0 +593,,T1528,Steal Application Access Token,[],[],,AC-3,mitigates,0 +594,,T1530,Data from Cloud Storage Object,[],[],,AC-3,mitigates,0 +595,,T1537,Transfer Data to Cloud Account,[],[],,AC-3,mitigates,0 +596,,T1538,Cloud Service Dashboard,[],[],,AC-3,mitigates,0 +597,,T1539,Steal Web Session Cookie,[],[],,AC-3,mitigates,0 +598,,T1542,Pre-OS Boot,[],[],,AC-3,mitigates,0 +599,,T1542.001,System Firmware,[],[],,AC-3,mitigates,0 +600,,T1542.003,Bootkit,[],[],,AC-3,mitigates,0 +601,,T1542.004,ROMMONkit,[],[],,AC-3,mitigates,0 +602,,T1542.005,TFTP Boot,[],[],,AC-3,mitigates,0 +603,,T1543,Create or Modify System Process,[],[],,AC-3,mitigates,0 +604,,T1543.001,Launch Agent,[],[],,AC-3,mitigates,0 +605,,T1543.002,Systemd Service,[],[],,AC-3,mitigates,0 +606,,T1543.003,Windows Service,[],[],,AC-3,mitigates,0 +607,,T1543.004,Launch Daemon,[],[],,AC-3,mitigates,0 +608,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-3,mitigates,0 
+609,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-3,mitigates,0 +610,,T1546.013,PowerShell Profile,[],[],,AC-3,mitigates,0 +611,,T1547.003,Time Providers,[],[],,AC-3,mitigates,0 +612,,T1547.004,Winlogon Helper DLL,[],[],,AC-3,mitigates,0 +613,,T1547.006,Kernel Modules and Extensions,[],[],,AC-3,mitigates,0 +614,,T1547.007,Re-opened Applications,[],[],,AC-3,mitigates,0 +615,,T1547.009,Shortcut Modification,[],[],,AC-3,mitigates,0 +616,,T1547.011,Plist Modification,[],[],,AC-3,mitigates,0 +617,,T1547.012,Print Processors,[],[],,AC-3,mitigates,0 +618,,T1547.013,XDG Autostart Entries,[],[],,AC-3,mitigates,0 +619,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-3,mitigates,0 +620,,T1548.002,Bypass User Account Control,[],[],,AC-3,mitigates,0 +621,,T1548.003,Sudo and Sudo Caching,[],[],,AC-3,mitigates,0 +622,,T1550,Use Alternate Authentication Material,[],[],,AC-3,mitigates,0 +623,,T1550.002,Pass the Hash,[],[],,AC-3,mitigates,0 +624,,T1550.003,Pass the Ticket,[],[],,AC-3,mitigates,0 +625,,T1552,Unsecured Credentials,[],[],,AC-3,mitigates,0 +626,,T1552.002,Credentials in Registry,[],[],,AC-3,mitigates,0 +627,,T1552.005,Cloud Instance Metadata API,[],[],,AC-3,mitigates,0 +628,,T1552.007,Container API,[],[],,AC-3,mitigates,0 +629,,T1553,Subvert Trust Controls,[],[],,AC-3,mitigates,0 +630,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-3,mitigates,0 +631,,T1553.006,Code Signing Policy Modification,[],[],,AC-3,mitigates,0 +632,,T1556,Modify Authentication Process,[],[],,AC-3,mitigates,0 +633,,T1556.001,Domain Controller Authentication,[],[],,AC-3,mitigates,0 +634,,T1556.003,Pluggable Authentication Modules,[],[],,AC-3,mitigates,0 +635,,T1556.004,Network Device Authentication,[],[],,AC-3,mitigates,0 +636,,T1557,Adversary-in-the-Middle,[],[],,AC-3,mitigates,0 +637,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-3,mitigates,0 +638,,T1557.002,ARP Cache Poisoning,[],[],,AC-3,mitigates,0 +639,,T1558,Steal or Forge Kerberos 
Tickets,[],[],,AC-3,mitigates,0 +640,,T1558.001,Golden Ticket,[],[],,AC-3,mitigates,0 +641,,T1558.002,Silver Ticket,[],[],,AC-3,mitigates,0 +642,,T1558.003,Kerberoasting,[],[],,AC-3,mitigates,0 +643,,T1558.004,AS-REP Roasting,[],[],,AC-3,mitigates,0 +644,,T1559,Inter-Process Communication,[],[],,AC-3,mitigates,0 +645,,T1559.001,Component Object Model,[],[],,AC-3,mitigates,0 +646,,T1561,Disk Wipe,[],[],,AC-3,mitigates,0 +647,,T1561.001,Disk Content Wipe,[],[],,AC-3,mitigates,0 +648,,T1561.002,Disk Structure Wipe,[],[],,AC-3,mitigates,0 +649,,T1562,Impair Defenses,[],[],,AC-3,mitigates,0 +650,,T1562.001,Disable or Modify Tools,[],[],,AC-3,mitigates,0 +651,,T1562.002,Disable Windows Event Logging,[],[],,AC-3,mitigates,0 +652,,T1562.004,Disable or Modify System Firewall,[],[],,AC-3,mitigates,0 +653,,T1562.006,Indicator Blocking,[],[],,AC-3,mitigates,0 +654,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-3,mitigates,0 +655,,T1562.008,Disable Cloud Logs,[],[],,AC-3,mitigates,0 +656,,T1562.009,Safe Mode Boot,[],[],,AC-3,mitigates,0 +657,,T1563,Remote Service Session Hijacking,[],[],,AC-3,mitigates,0 +658,,T1563.001,SSH Hijacking,[],[],,AC-3,mitigates,0 +659,,T1563.002,RDP Hijacking,[],[],,AC-3,mitigates,0 +660,,T1564.004,NTFS File Attributes,[],[],,AC-3,mitigates,0 +661,,T1565,Data Manipulation,[],[],,AC-3,mitigates,0 +662,,T1565.001,Stored Data Manipulation,[],[],,AC-3,mitigates,0 +663,,T1565.003,Runtime Data Manipulation,[],[],,AC-3,mitigates,0 +664,,T1567,Exfiltration Over Web Service,[],[],,AC-3,mitigates,0 +665,,T1569,System Services,[],[],,AC-3,mitigates,0 +666,,T1569.001,Launchctl,[],[],,AC-3,mitigates,0 +667,,T1569.002,Service Execution,[],[],,AC-3,mitigates,0 +668,,T1570,Lateral Tool Transfer,[],[],,AC-3,mitigates,0 +669,,T1572,Protocol Tunneling,[],[],,AC-3,mitigates,0 +670,,T1574,Hijack Execution Flow,[],[],,AC-3,mitigates,0 +671,,T1574.004,Dylib Hijacking,[],[],,AC-3,mitigates,0 +672,,T1574.005,Executable Installer File Permissions 
Weakness,[],[],,AC-3,mitigates,0 +673,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-3,mitigates,0 +674,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-3,mitigates,0 +675,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-3,mitigates,0 +676,,T1574.010,Services File Permissions Weakness,[],[],,AC-3,mitigates,0 +677,,T1574.012,COR_PROFILER,[],[],,AC-3,mitigates,0 +678,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-3,mitigates,0 +679,,T1578.001,Create Snapshot,[],[],,AC-3,mitigates,0 +680,,T1578.002,Create Cloud Instance,[],[],,AC-3,mitigates,0 +681,,T1578.003,Delete Cloud Instance,[],[],,AC-3,mitigates,0 +682,,T1580,Cloud Infrastructure Discovery,[],[],,AC-3,mitigates,0 +683,,T1599,Network Boundary Bridging,[],[],,AC-3,mitigates,0 +684,,T1599.001,Network Address Translation Traversal,[],[],,AC-3,mitigates,0 +685,,T1601,Modify System Image,[],[],,AC-3,mitigates,0 +686,,T1601.001,Patch System Image,[],[],,AC-3,mitigates,0 +687,,T1601.002,Downgrade System Image,[],[],,AC-3,mitigates,0 +688,,T1602,Data from Configuration Repository,[],[],,AC-3,mitigates,0 +689,,T1602.001,SNMP (MIB Dump),[],[],,AC-3,mitigates,0 +690,,T1602.002,Network Device Configuration Dump,[],[],,AC-3,mitigates,0 +691,,T1606,Forge Web Credentials,[],[],,AC-3,mitigates,0 +692,,T1606.001,Web Cookies,[],[],,AC-3,mitigates,0 +693,,T1606.002,SAML Tokens,[],[],,AC-3,mitigates,0 +694,,T1609,Container Administration Command,[],[],,AC-3,mitigates,0 +695,,T1610,Deploy Container,[],[],,AC-3,mitigates,0 +696,,T1611,Escape to Host,[],[],,AC-3,mitigates,0 +697,,T1612,Build Image on Host,[],[],,AC-3,mitigates,0 +698,,T1613,Container and Resource Discovery,[],[],,AC-3,mitigates,0 +699,,T1619,Cloud Storage Object Discovery,[],[],,AC-3,mitigates,0 +700,,T1001,Data Obfuscation,[],[],,AC-4,mitigates,0 +701,,T1001.001,Junk Data,[],[],,AC-4,mitigates,0 +702,,T1001.002,Steganography,[],[],,AC-4,mitigates,0 +703,,T1001.003,Protocol Impersonation,[],[],,AC-4,mitigates,0 
+704,,T1003,OS Credential Dumping,[],[],,AC-4,mitigates,0 +705,,T1003.001,LSASS Memory,[],[],,AC-4,mitigates,0 +706,,T1003.005,Cached Domain Credentials,[],[],,AC-4,mitigates,0 +707,,T1003.006,DCSync,[],[],,AC-4,mitigates,0 +708,,T1008,Fallback Channels,[],[],,AC-4,mitigates,0 +709,,T1020.001,Traffic Duplication,[],[],,AC-4,mitigates,0 +710,,T1021.001,Remote Desktop Protocol,[],[],,AC-4,mitigates,0 +711,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-4,mitigates,0 +712,,T1021.003,Distributed Component Object Model,[],[],,AC-4,mitigates,0 +713,,T1021.005,VNC,[],[],,AC-4,mitigates,0 +714,,T1021.006,Windows Remote Management,[],[],,AC-4,mitigates,0 +715,,T1029,Scheduled Transfer,[],[],,AC-4,mitigates,0 +716,,T1030,Data Transfer Size Limits,[],[],,AC-4,mitigates,0 +717,,T1041,Exfiltration Over C2 Channel,[],[],,AC-4,mitigates,0 +718,,T1046,Network Service Scanning,[],[],,AC-4,mitigates,0 +719,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-4,mitigates,0 +720,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,0 +721,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,0 +722,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-4,mitigates,0 +723,,T1068,Exploitation for Privilege Escalation,[],[],,AC-4,mitigates,0 +724,,T1071,Application Layer Protocol,[],[],,AC-4,mitigates,0 +725,,T1071.001,Web Protocols,[],[],,AC-4,mitigates,0 +726,,T1071.002,File Transfer Protocols,[],[],,AC-4,mitigates,0 +727,,T1071.003,Mail Protocols,[],[],,AC-4,mitigates,0 +728,,T1071.004,DNS,[],[],,AC-4,mitigates,0 +729,,T1072,Software Deployment Tools,[],[],,AC-4,mitigates,0 +730,,T1090,Proxy,[],[],,AC-4,mitigates,0 +731,,T1090.001,Internal Proxy,[],[],,AC-4,mitigates,0 +732,,T1090.002,External Proxy,[],[],,AC-4,mitigates,0 +733,,T1090.003,Multi-hop Proxy,[],[],,AC-4,mitigates,0 +734,,T1095,Non-Application Layer Protocol,[],[],,AC-4,mitigates,0 +735,,T1098,Account 
Manipulation,[],[],,AC-4,mitigates,0 +736,,T1098.001,Additional Cloud Credentials,[],[],,AC-4,mitigates,0 +737,,T1102,Web Service,[],[],,AC-4,mitigates,0 +738,,T1102.001,Dead Drop Resolver,[],[],,AC-4,mitigates,0 +739,,T1102.002,Bidirectional Communication,[],[],,AC-4,mitigates,0 +740,,T1102.003,One-Way Communication,[],[],,AC-4,mitigates,0 +741,,T1104,Multi-Stage Channels,[],[],,AC-4,mitigates,0 +742,,T1105,Ingress Tool Transfer,[],[],,AC-4,mitigates,0 +743,,T1114,Email Collection,[],[],,AC-4,mitigates,0 +744,,T1114.001,Local Email Collection,[],[],,AC-4,mitigates,0 +745,,T1114.002,Remote Email Collection,[],[],,AC-4,mitigates,0 +746,,T1114.003,Email Forwarding Rule,[],[],,AC-4,mitigates,0 +747,,T1132,Data Encoding,[],[],,AC-4,mitigates,0 +748,,T1132.001,Standard Encoding,[],[],,AC-4,mitigates,0 +749,,T1132.002,Non-Standard Encoding,[],[],,AC-4,mitigates,0 +750,,T1133,External Remote Services,[],[],,AC-4,mitigates,0 +751,,T1134.005,SID-History Injection,[],[],,AC-4,mitigates,0 +752,,T1136,Create Account,[],[],,AC-4,mitigates,0 +753,,T1136.002,Domain Account,[],[],,AC-4,mitigates,0 +754,,T1136.003,Cloud Account,[],[],,AC-4,mitigates,0 +755,,T1187,Forced Authentication,[],[],,AC-4,mitigates,0 +756,,T1189,Drive-by Compromise,[],[],,AC-4,mitigates,0 +757,,T1190,Exploit Public-Facing Application,[],[],,AC-4,mitigates,0 +758,,T1197,BITS Jobs,[],[],,AC-4,mitigates,0 +759,,T1199,Trusted Relationship,[],[],,AC-4,mitigates,0 +760,,T1203,Exploitation for Client Execution,[],[],,AC-4,mitigates,0 +761,,T1204,User Execution,[],[],,AC-4,mitigates,0 +762,,T1204.001,Malicious Link,[],[],,AC-4,mitigates,0 +763,,T1204.002,Malicious File,[],[],,AC-4,mitigates,0 +764,,T1204.003,Malicious Image,[],[],,AC-4,mitigates,0 +765,,T1205,Traffic Signaling,[],[],,AC-4,mitigates,0 +766,,T1205.001,Port Knocking,[],[],,AC-4,mitigates,0 +767,,T1210,Exploitation of Remote Services,[],[],,AC-4,mitigates,0 +768,,T1211,Exploitation for Defense Evasion,[],[],,AC-4,mitigates,0 +769,,T1212,Exploitation 
for Credential Access,[],[],,AC-4,mitigates,0 +770,,T1213,Data from Information Repositories,[],[],,AC-4,mitigates,0 +771,,T1213.001,Confluence,[],[],,AC-4,mitigates,0 +772,,T1213.002,Sharepoint,[],[],,AC-4,mitigates,0 +773,,T1218.012,Verclsid,[],[],,AC-4,mitigates,0 +774,,T1219,Remote Access Software,[],[],,AC-4,mitigates,0 +775,,T1482,Domain Trust Discovery,[],[],,AC-4,mitigates,0 +776,,T1484,Domain Policy Modification,[],[],,AC-4,mitigates,0 +777,,T1489,Service Stop,[],[],,AC-4,mitigates,0 +778,,T1498,Network Denial of Service,[],[],,AC-4,mitigates,0 +779,,T1498.001,Direct Network Flood,[],[],,AC-4,mitigates,0 +780,,T1498.002,Reflection Amplification,[],[],,AC-4,mitigates,0 +781,,T1499,Endpoint Denial of Service,[],[],,AC-4,mitigates,0 +782,,T1499.001,OS Exhaustion Flood,[],[],,AC-4,mitigates,0 +783,,T1499.002,Service Exhaustion Flood,[],[],,AC-4,mitigates,0 +784,,T1499.003,Application Exhaustion Flood,[],[],,AC-4,mitigates,0 +785,,T1499.004,Application or System Exploitation,[],[],,AC-4,mitigates,0 +786,,T1505.004,IIS Components,[],[],,AC-4,mitigates,0 +787,,T1528,Steal Application Access Token,[],[],,AC-4,mitigates,0 +788,,T1530,Data from Cloud Storage Object,[],[],,AC-4,mitigates,0 +789,,T1537,Transfer Data to Cloud Account,[],[],,AC-4,mitigates,0 +790,,T1547.003,Time Providers,[],[],,AC-4,mitigates,0 +791,,T1552,Unsecured Credentials,[],[],,AC-4,mitigates,0 +792,,T1552.001,Credentials In Files,[],[],,AC-4,mitigates,0 +793,,T1552.005,Cloud Instance Metadata API,[],[],,AC-4,mitigates,0 +794,,T1552.007,Container API,[],[],,AC-4,mitigates,0 +795,,T1557,Adversary-in-the-Middle,[],[],,AC-4,mitigates,0 +796,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-4,mitigates,0 +797,,T1557.002,ARP Cache Poisoning,[],[],,AC-4,mitigates,0 +798,,T1559,Inter-Process Communication,[],[],,AC-4,mitigates,0 +799,,T1559.001,Component Object Model,[],[],,AC-4,mitigates,0 +800,,T1559.002,Dynamic Data Exchange,[],[],,AC-4,mitigates,0 +801,,T1563,Remote Service Session 
Hijacking,[],[],,AC-4,mitigates,0 +802,,T1563.002,RDP Hijacking,[],[],,AC-4,mitigates,0 +803,,T1564.008,Email Hiding Rules,[],[],,AC-4,mitigates,0 +804,,T1565,Data Manipulation,[],[],,AC-4,mitigates,0 +805,,T1565.003,Runtime Data Manipulation,[],[],,AC-4,mitigates,0 +806,,T1566,Phishing,[],[],,AC-4,mitigates,0 +807,,T1566.001,Spearphishing Attachment,[],[],,AC-4,mitigates,0 +808,,T1566.002,Spearphishing Link,[],[],,AC-4,mitigates,0 +809,,T1566.003,Spearphishing via Service,[],[],,AC-4,mitigates,0 +810,,T1567,Exfiltration Over Web Service,[],[],,AC-4,mitigates,0 +811,,T1567.001,Exfiltration to Code Repository,[],[],,AC-4,mitigates,0 +812,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-4,mitigates,0 +813,,T1568,Dynamic Resolution,[],[],,AC-4,mitigates,0 +814,,T1568.002,Domain Generation Algorithms,[],[],,AC-4,mitigates,0 +815,,T1570,Lateral Tool Transfer,[],[],,AC-4,mitigates,0 +816,,T1571,Non-Standard Port,[],[],,AC-4,mitigates,0 +817,,T1572,Protocol Tunneling,[],[],,AC-4,mitigates,0 +818,,T1573,Encrypted Channel,[],[],,AC-4,mitigates,0 +819,,T1573.001,Symmetric Cryptography,[],[],,AC-4,mitigates,0 +820,,T1573.002,Asymmetric Cryptography,[],[],,AC-4,mitigates,0 +821,,T1574,Hijack Execution Flow,[],[],,AC-4,mitigates,0 +822,,T1574.004,Dylib Hijacking,[],[],,AC-4,mitigates,0 +823,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-4,mitigates,0 +824,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-4,mitigates,0 +825,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-4,mitigates,0 +826,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-4,mitigates,0 +827,,T1574.010,Services File Permissions Weakness,[],[],,AC-4,mitigates,0 +828,,T1598,Phishing for Information,[],[],,AC-4,mitigates,0 +829,,T1598.001,Spearphishing Service,[],[],,AC-4,mitigates,0 +830,,T1598.002,Spearphishing Attachment,[],[],,AC-4,mitigates,0 +831,,T1598.003,Spearphishing Link,[],[],,AC-4,mitigates,0 +832,,T1599,Network Boundary 
Bridging,[],[],,AC-4,mitigates,0 +833,,T1599.001,Network Address Translation Traversal,[],[],,AC-4,mitigates,0 +834,,T1601,Modify System Image,[],[],,AC-4,mitigates,0 +835,,T1601.001,Patch System Image,[],[],,AC-4,mitigates,0 +836,,T1601.002,Downgrade System Image,[],[],,AC-4,mitigates,0 +837,,T1602,Data from Configuration Repository,[],[],,AC-4,mitigates,0 +838,,T1602.001,SNMP (MIB Dump),[],[],,AC-4,mitigates,0 +839,,T1602.002,Network Device Configuration Dump,[],[],,AC-4,mitigates,0 +840,,T1611,Escape to Host,[],[],,AC-4,mitigates,0 +841,,T1003,OS Credential Dumping,[],[],,AC-5,mitigates,0 +842,,T1003.001,LSASS Memory,[],[],,AC-5,mitigates,0 +843,,T1003.002,Security Account Manager,[],[],,AC-5,mitigates,0 +844,,T1003.003,NTDS,[],[],,AC-5,mitigates,0 +845,,T1003.004,LSA Secrets,[],[],,AC-5,mitigates,0 +846,,T1003.005,Cached Domain Credentials,[],[],,AC-5,mitigates,0 +847,,T1003.006,DCSync,[],[],,AC-5,mitigates,0 +848,,T1003.007,Proc Filesystem,[],[],,AC-5,mitigates,0 +849,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-5,mitigates,0 +850,,T1021,Remote Services,[],[],,AC-5,mitigates,0 +851,,T1021.001,Remote Desktop Protocol,[],[],,AC-5,mitigates,0 +852,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-5,mitigates,0 +853,,T1021.003,Distributed Component Object Model,[],[],,AC-5,mitigates,0 +854,,T1021.004,SSH,[],[],,AC-5,mitigates,0 +855,,T1021.006,Windows Remote Management,[],[],,AC-5,mitigates,0 +856,,T1047,Windows Management Instrumentation,[],[],,AC-5,mitigates,0 +857,,T1053,Scheduled Task/Job,[],[],,AC-5,mitigates,0 +858,,T1053.001,At (Linux),[],[],,AC-5,mitigates,0 +859,,T1053.002,At (Windows),[],[],,AC-5,mitigates,0 +860,,T1053.003,Cron,[],[],,AC-5,mitigates,0 +861,,T1053.005,Scheduled Task,[],[],,AC-5,mitigates,0 +862,,T1053.006,Systemd Timers,[],[],,AC-5,mitigates,0 +863,,T1053.007,Container Orchestration Job,[],[],,AC-5,mitigates,0 +864,,T1055,Process Injection,[],[],,AC-5,mitigates,0 +865,,T1055.008,Ptrace System Calls,[],[],,AC-5,mitigates,0 
+866,,T1056.003,Web Portal Capture,[],[],,AC-5,mitigates,0 +867,,T1059,Command and Scripting Interpreter,[],[],,AC-5,mitigates,0 +868,,T1059.001,PowerShell,[],[],,AC-5,mitigates,0 +869,,T1059.008,Network Device CLI,[],[],,AC-5,mitigates,0 +870,,T1070,Indicator Removal on Host,[],[],,AC-5,mitigates,0 +871,,T1070.001,Clear Windows Event Logs,[],[],,AC-5,mitigates,0 +872,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-5,mitigates,0 +873,,T1070.003,Clear Command History,[],[],,AC-5,mitigates,0 +874,,T1072,Software Deployment Tools,[],[],,AC-5,mitigates,0 +875,,T1078,Valid Accounts,[],[],,AC-5,mitigates,0 +876,,T1078.001,Default Accounts,[],[],,AC-5,mitigates,0 +877,,T1078.002,Domain Accounts,[],[],,AC-5,mitigates,0 +878,,T1078.003,Local Accounts,[],[],,AC-5,mitigates,0 +879,,T1078.004,Cloud Accounts,[],[],,AC-5,mitigates,0 +880,,T1087.004,Cloud Account,[],[],,AC-5,mitigates,0 +881,,T1098,Account Manipulation,[],[],,AC-5,mitigates,0 +882,,T1098.001,Additional Cloud Credentials,[],[],,AC-5,mitigates,0 +883,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-5,mitigates,0 +884,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-5,mitigates,0 +885,,T1110,Brute Force,[],[],,AC-5,mitigates,0 +886,,T1110.001,Password Guessing,[],[],,AC-5,mitigates,0 +887,,T1110.002,Password Cracking,[],[],,AC-5,mitigates,0 +888,,T1110.003,Password Spraying,[],[],,AC-5,mitigates,0 +889,,T1110.004,Credential Stuffing,[],[],,AC-5,mitigates,0 +890,,T1134,Access Token Manipulation,[],[],,AC-5,mitigates,0 +891,,T1134.001,Token Impersonation/Theft,[],[],,AC-5,mitigates,0 +892,,T1134.002,Create Process with Token,[],[],,AC-5,mitigates,0 +893,,T1134.003,Make and Impersonate Token,[],[],,AC-5,mitigates,0 +894,,T1134.005,SID-History Injection,[],[],,AC-5,mitigates,0 +895,,T1136,Create Account,[],[],,AC-5,mitigates,0 +896,,T1136.001,Local Account,[],[],,AC-5,mitigates,0 +897,,T1136.002,Domain Account,[],[],,AC-5,mitigates,0 +898,,T1136.003,Cloud Account,[],[],,AC-5,mitigates,0 
+899,,T1185,Browser Session Hijacking,[],[],,AC-5,mitigates,0 +900,,T1190,Exploit Public-Facing Application,[],[],,AC-5,mitigates,0 +901,,T1197,BITS Jobs,[],[],,AC-5,mitigates,0 +902,,T1210,Exploitation of Remote Services,[],[],,AC-5,mitigates,0 +903,,T1213,Data from Information Repositories,[],[],,AC-5,mitigates,0 +904,,T1213.001,Confluence,[],[],,AC-5,mitigates,0 +905,,T1213.002,Sharepoint,[],[],,AC-5,mitigates,0 +906,,T1213.003,Code Repositories,[],[],,AC-5,mitigates,0 +907,,T1218,Signed Binary Proxy Execution,[],[],,AC-5,mitigates,0 +908,,T1218.007,Msiexec,[],[],,AC-5,mitigates,0 +909,,T1222,File and Directory Permissions Modification,[],[],,AC-5,mitigates,0 +910,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-5,mitigates,0 +911,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-5,mitigates,0 +912,,T1484,Domain Policy Modification,[],[],,AC-5,mitigates,0 +913,,T1489,Service Stop,[],[],,AC-5,mitigates,0 +914,,T1495,Firmware Corruption,[],[],,AC-5,mitigates,0 +915,,T1505,Server Software Component,[],[],,AC-5,mitigates,0 +916,,T1505.002,Transport Agent,[],[],,AC-5,mitigates,0 +917,,T1505.003,Web Shell,[],[],,AC-5,mitigates,0 +918,,T1525,Implant Internal Image,[],[],,AC-5,mitigates,0 +919,,T1528,Steal Application Access Token,[],[],,AC-5,mitigates,0 +920,,T1530,Data from Cloud Storage Object,[],[],,AC-5,mitigates,0 +921,,T1537,Transfer Data to Cloud Account,[],[],,AC-5,mitigates,0 +922,,T1538,Cloud Service Dashboard,[],[],,AC-5,mitigates,0 +923,,T1542,Pre-OS Boot,[],[],,AC-5,mitigates,0 +924,,T1542.001,System Firmware,[],[],,AC-5,mitigates,0 +925,,T1542.003,Bootkit,[],[],,AC-5,mitigates,0 +926,,T1542.005,TFTP Boot,[],[],,AC-5,mitigates,0 +927,,T1543,Create or Modify System Process,[],[],,AC-5,mitigates,0 +928,,T1543.001,Launch Agent,[],[],,AC-5,mitigates,0 +929,,T1543.002,Systemd Service,[],[],,AC-5,mitigates,0 +930,,T1543.003,Windows Service,[],[],,AC-5,mitigates,0 +931,,T1543.004,Launch 
Daemon,[],[],,AC-5,mitigates,0 +932,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-5,mitigates,0 +933,,T1547.004,Winlogon Helper DLL,[],[],,AC-5,mitigates,0 +934,,T1547.006,Kernel Modules and Extensions,[],[],,AC-5,mitigates,0 +935,,T1547.009,Shortcut Modification,[],[],,AC-5,mitigates,0 +936,,T1547.012,Print Processors,[],[],,AC-5,mitigates,0 +937,,T1547.013,XDG Autostart Entries,[],[],,AC-5,mitigates,0 +938,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-5,mitigates,0 +939,,T1548.002,Bypass User Account Control,[],[],,AC-5,mitigates,0 +940,,T1548.003,Sudo and Sudo Caching,[],[],,AC-5,mitigates,0 +941,,T1550,Use Alternate Authentication Material,[],[],,AC-5,mitigates,0 +942,,T1550.002,Pass the Hash,[],[],,AC-5,mitigates,0 +943,,T1550.003,Pass the Ticket,[],[],,AC-5,mitigates,0 +944,,T1552,Unsecured Credentials,[],[],,AC-5,mitigates,0 +945,,T1552.001,Credentials In Files,[],[],,AC-5,mitigates,0 +946,,T1552.002,Credentials in Registry,[],[],,AC-5,mitigates,0 +947,,T1552.006,Group Policy Preferences,[],[],,AC-5,mitigates,0 +948,,T1552.007,Container API,[],[],,AC-5,mitigates,0 +949,,T1553,Subvert Trust Controls,[],[],,AC-5,mitigates,0 +950,,T1553.006,Code Signing Policy Modification,[],[],,AC-5,mitigates,0 +951,,T1556,Modify Authentication Process,[],[],,AC-5,mitigates,0 +952,,T1556.001,Domain Controller Authentication,[],[],,AC-5,mitigates,0 +953,,T1556.003,Pluggable Authentication Modules,[],[],,AC-5,mitigates,0 +954,,T1556.004,Network Device Authentication,[],[],,AC-5,mitigates,0 +955,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-5,mitigates,0 +956,,T1558.001,Golden Ticket,[],[],,AC-5,mitigates,0 +957,,T1558.002,Silver Ticket,[],[],,AC-5,mitigates,0 +958,,T1558.003,Kerberoasting,[],[],,AC-5,mitigates,0 +959,,T1559,Inter-Process Communication,[],[],,AC-5,mitigates,0 +960,,T1559.001,Component Object Model,[],[],,AC-5,mitigates,0 +961,,T1562,Impair Defenses,[],[],,AC-5,mitigates,0 +962,,T1562.001,Disable or Modify 
Tools,[],[],,AC-5,mitigates,0 +963,,T1562.002,Disable Windows Event Logging,[],[],,AC-5,mitigates,0 +964,,T1562.004,Disable or Modify System Firewall,[],[],,AC-5,mitigates,0 +965,,T1562.006,Indicator Blocking,[],[],,AC-5,mitigates,0 +966,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-5,mitigates,0 +967,,T1562.008,Disable Cloud Logs,[],[],,AC-5,mitigates,0 +968,,T1562.009,Safe Mode Boot,[],[],,AC-5,mitigates,0 +969,,T1563,Remote Service Session Hijacking,[],[],,AC-5,mitigates,0 +970,,T1563.001,SSH Hijacking,[],[],,AC-5,mitigates,0 +971,,T1563.002,RDP Hijacking,[],[],,AC-5,mitigates,0 +972,,T1569,System Services,[],[],,AC-5,mitigates,0 +973,,T1569.001,Launchctl,[],[],,AC-5,mitigates,0 +974,,T1569.002,Service Execution,[],[],,AC-5,mitigates,0 +975,,T1574,Hijack Execution Flow,[],[],,AC-5,mitigates,0 +976,,T1574.004,Dylib Hijacking,[],[],,AC-5,mitigates,0 +977,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-5,mitigates,0 +978,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-5,mitigates,0 +979,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-5,mitigates,0 +980,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-5,mitigates,0 +981,,T1574.010,Services File Permissions Weakness,[],[],,AC-5,mitigates,0 +982,,T1574.012,COR_PROFILER,[],[],,AC-5,mitigates,0 +983,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-5,mitigates,0 +984,,T1578.001,Create Snapshot,[],[],,AC-5,mitigates,0 +985,,T1578.002,Create Cloud Instance,[],[],,AC-5,mitigates,0 +986,,T1578.003,Delete Cloud Instance,[],[],,AC-5,mitigates,0 +987,,T1580,Cloud Infrastructure Discovery,[],[],,AC-5,mitigates,0 +988,,T1599,Network Boundary Bridging,[],[],,AC-5,mitigates,0 +989,,T1599.001,Network Address Translation Traversal,[],[],,AC-5,mitigates,0 +990,,T1601,Modify System Image,[],[],,AC-5,mitigates,0 +991,,T1601.001,Patch System Image,[],[],,AC-5,mitigates,0 +992,,T1601.002,Downgrade System Image,[],[],,AC-5,mitigates,0 +993,,T1606,Forge Web 
Credentials,[],[],,AC-5,mitigates,0 +994,,T1611,Escape to Host,[],[],,AC-5,mitigates,0 +995,,T1619,Cloud Storage Object Discovery,[],[],,AC-5,mitigates,0 +996,,T1003,OS Credential Dumping,[],[],,AC-6,mitigates,0 +997,,T1003.001,LSASS Memory,[],[],,AC-6,mitigates,0 +998,,T1003.002,Security Account Manager,[],[],,AC-6,mitigates,0 +999,,T1003.003,NTDS,[],[],,AC-6,mitigates,0 +1000,,T1003.004,LSA Secrets,[],[],,AC-6,mitigates,0 +1001,,T1003.005,Cached Domain Credentials,[],[],,AC-6,mitigates,0 +1002,,T1003.006,DCSync,[],[],,AC-6,mitigates,0 +1003,,T1003.007,Proc Filesystem,[],[],,AC-6,mitigates,0 +1004,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-6,mitigates,0 +1005,,T1005,Data from Local System,[],[],,AC-6,mitigates,0 +1006,,T1021,Remote Services,[],[],,AC-6,mitigates,0 +1007,,T1021.001,Remote Desktop Protocol,[],[],,AC-6,mitigates,0 +1008,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-6,mitigates,0 +1009,,T1021.003,Distributed Component Object Model,[],[],,AC-6,mitigates,0 +1010,,T1021.004,SSH,[],[],,AC-6,mitigates,0 +1011,,T1021.005,VNC,[],[],,AC-6,mitigates,0 +1012,,T1021.006,Windows Remote Management,[],[],,AC-6,mitigates,0 +1013,,T1025,Data from Removable Media,[],[],,AC-6,mitigates,0 +1014,,T1036,Masquerading,[],[],,AC-6,mitigates,0 +1015,,T1036.003,Rename System Utilities,[],[],,AC-6,mitigates,0 +1016,,T1036.005,Match Legitimate Name or Location,[],[],,AC-6,mitigates,0 +1017,,T1041,Exfiltration Over C2 Channel,[],[],,AC-6,mitigates,0 +1018,,T1047,Windows Management Instrumentation,[],[],,AC-6,mitigates,0 +1019,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-6,mitigates,0 +1020,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-6,mitigates,0 +1021,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-6,mitigates,0 +1022,,T1052,Exfiltration Over Physical Medium,[],[],,AC-6,mitigates,0 +1023,,T1052.001,Exfiltration over USB,[],[],,AC-6,mitigates,0 +1024,,T1053,Scheduled Task/Job,[],[],,AC-6,mitigates,0 
+1025,,T1053.001,At (Linux),[],[],,AC-6,mitigates,0 +1026,,T1053.002,At (Windows),[],[],,AC-6,mitigates,0 +1027,,T1053.003,Cron,[],[],,AC-6,mitigates,0 +1028,,T1053.005,Scheduled Task,[],[],,AC-6,mitigates,0 +1029,,T1053.006,Systemd Timers,[],[],,AC-6,mitigates,0 +1030,,T1053.007,Container Orchestration Job,[],[],,AC-6,mitigates,0 +1031,,T1055,Process Injection,[],[],,AC-6,mitigates,0 +1032,,T1055.001,Dynamic-link Library Injection,[],[],,AC-6,mitigates,0 +1033,,T1055.002,Portable Executable Injection,[],[],,AC-6,mitigates,0 +1034,,T1055.003,Thread Execution Hijacking,[],[],,AC-6,mitigates,0 +1035,,T1055.004,Asynchronous Procedure Call,[],[],,AC-6,mitigates,0 +1036,,T1055.005,Thread Local Storage,[],[],,AC-6,mitigates,0 +1037,,T1055.008,Ptrace System Calls,[],[],,AC-6,mitigates,0 +1038,,T1055.009,Proc Memory,[],[],,AC-6,mitigates,0 +1039,,T1055.011,Extra Window Memory Injection,[],[],,AC-6,mitigates,0 +1040,,T1055.012,Process Hollowing,[],[],,AC-6,mitigates,0 +1041,,T1055.013,Process Doppelgänging,[],[],,AC-6,mitigates,0 +1042,,T1055.014,VDSO Hijacking,[],[],,AC-6,mitigates,0 +1043,,T1056.003,Web Portal Capture,[],[],,AC-6,mitigates,0 +1044,,T1059,Command and Scripting Interpreter,[],[],,AC-6,mitigates,0 +1045,,T1059.001,PowerShell,[],[],,AC-6,mitigates,0 +1046,,T1059.002,AppleScript,[],[],,AC-6,mitigates,0 +1047,,T1059.003,Windows Command Shell,[],[],,AC-6,mitigates,0 +1048,,T1059.004,Unix Shell,[],[],,AC-6,mitigates,0 +1049,,T1059.005,Visual Basic,[],[],,AC-6,mitigates,0 +1050,,T1059.006,Python,[],[],,AC-6,mitigates,0 +1051,,T1059.007,JavaScript,[],[],,AC-6,mitigates,0 +1052,,T1059.008,Network Device CLI,[],[],,AC-6,mitigates,0 +1053,,T1068,Exploitation for Privilege Escalation,[],[],,AC-6,mitigates,0 +1054,,T1070,Indicator Removal on Host,[],[],,AC-6,mitigates,0 +1055,,T1070.001,Clear Windows Event Logs,[],[],,AC-6,mitigates,0 +1056,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-6,mitigates,0 +1057,,T1070.003,Clear Command History,[],[],,AC-6,mitigates,0 
+1058,,T1072,Software Deployment Tools,[],[],,AC-6,mitigates,0 +1059,,T1078,Valid Accounts,[],[],,AC-6,mitigates,0 +1060,,T1078.001,Default Accounts,[],[],,AC-6,mitigates,0 +1061,,T1078.002,Domain Accounts,[],[],,AC-6,mitigates,0 +1062,,T1078.003,Local Accounts,[],[],,AC-6,mitigates,0 +1063,,T1078.004,Cloud Accounts,[],[],,AC-6,mitigates,0 +1064,,T1087.004,Cloud Account,[],[],,AC-6,mitigates,0 +1065,,T1091,Replication Through Removable Media,[],[],,AC-6,mitigates,0 +1066,,T1098,Account Manipulation,[],[],,AC-6,mitigates,0 +1067,,T1098.001,Additional Cloud Credentials,[],[],,AC-6,mitigates,0 +1068,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-6,mitigates,0 +1069,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-6,mitigates,0 +1070,,T1106,Native API,[],[],,AC-6,mitigates,0 +1071,,T1110,Brute Force,[],[],,AC-6,mitigates,0 +1072,,T1110.001,Password Guessing,[],[],,AC-6,mitigates,0 +1073,,T1110.002,Password Cracking,[],[],,AC-6,mitigates,0 +1074,,T1110.003,Password Spraying,[],[],,AC-6,mitigates,0 +1075,,T1110.004,Credential Stuffing,[],[],,AC-6,mitigates,0 +1076,,T1112,Modify Registry,[],[],,AC-6,mitigates,0 +1077,,T1133,External Remote Services,[],[],,AC-6,mitigates,0 +1078,,T1134,Access Token Manipulation,[],[],,AC-6,mitigates,0 +1079,,T1134.001,Token Impersonation/Theft,[],[],,AC-6,mitigates,0 +1080,,T1134.002,Create Process with Token,[],[],,AC-6,mitigates,0 +1081,,T1134.003,Make and Impersonate Token,[],[],,AC-6,mitigates,0 +1082,,T1134.005,SID-History Injection,[],[],,AC-6,mitigates,0 +1083,,T1136,Create Account,[],[],,AC-6,mitigates,0 +1084,,T1136.001,Local Account,[],[],,AC-6,mitigates,0 +1085,,T1136.002,Domain Account,[],[],,AC-6,mitigates,0 +1086,,T1136.003,Cloud Account,[],[],,AC-6,mitigates,0 +1087,,T1137,Office Application Startup,[],[],,AC-6,mitigates,0 +1088,,T1137.001,Office Template Macros,[],[],,AC-6,mitigates,0 +1089,,T1137.002,Office Test,[],[],,AC-6,mitigates,0 +1090,,T1137.003,Outlook Forms,[],[],,AC-6,mitigates,0 
+1091,,T1137.004,Outlook Home Page,[],[],,AC-6,mitigates,0 +1092,,T1137.005,Outlook Rules,[],[],,AC-6,mitigates,0 +1093,,T1137.006,Add-ins,[],[],,AC-6,mitigates,0 +1094,,T1176,Browser Extensions,[],[],,AC-6,mitigates,0 +1095,,T1185,Browser Session Hijacking,[],[],,AC-6,mitigates,0 +1096,,T1189,Drive-by Compromise,[],[],,AC-6,mitigates,0 +1097,,T1190,Exploit Public-Facing Application,[],[],,AC-6,mitigates,0 +1098,,T1197,BITS Jobs,[],[],,AC-6,mitigates,0 +1099,,T1199,Trusted Relationship,[],[],,AC-6,mitigates,0 +1100,,T1200,Hardware Additions,[],[],,AC-6,mitigates,0 +1101,,T1203,Exploitation for Client Execution,[],[],,AC-6,mitigates,0 +1102,,T1210,Exploitation of Remote Services,[],[],,AC-6,mitigates,0 +1103,,T1211,Exploitation for Defense Evasion,[],[],,AC-6,mitigates,0 +1104,,T1212,Exploitation for Credential Access,[],[],,AC-6,mitigates,0 +1105,,T1213,Data from Information Repositories,[],[],,AC-6,mitigates,0 +1106,,T1213.001,Confluence,[],[],,AC-6,mitigates,0 +1107,,T1213.002,Sharepoint,[],[],,AC-6,mitigates,0 +1108,,T1213.003,Code Repositories,[],[],,AC-6,mitigates,0 +1109,,T1218,Signed Binary Proxy Execution,[],[],,AC-6,mitigates,0 +1110,,T1218.007,Msiexec,[],[],,AC-6,mitigates,0 +1111,,T1222,File and Directory Permissions Modification,[],[],,AC-6,mitigates,0 +1112,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-6,mitigates,0 +1113,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-6,mitigates,0 +1114,,T1484,Domain Policy Modification,[],[],,AC-6,mitigates,0 +1115,,T1485,Data Destruction,[],[],,AC-6,mitigates,0 +1116,,T1486,Data Encrypted for Impact,[],[],,AC-6,mitigates,0 +1117,,T1489,Service Stop,[],[],,AC-6,mitigates,0 +1118,,T1490,Inhibit System Recovery,[],[],,AC-6,mitigates,0 +1119,,T1491,Defacement,[],[],,AC-6,mitigates,0 +1120,,T1491.001,Internal Defacement,[],[],,AC-6,mitigates,0 +1121,,T1491.002,External Defacement,[],[],,AC-6,mitigates,0 +1122,,T1495,Firmware Corruption,[],[],,AC-6,mitigates,0 
+1123,,T1505,Server Software Component,[],[],,AC-6,mitigates,0 +1124,,T1505.002,Transport Agent,[],[],,AC-6,mitigates,0 +1125,,T1505.003,Web Shell,[],[],,AC-6,mitigates,0 +1126,,T1505.004,IIS Components,[],[],,AC-6,mitigates,0 +1127,,T1525,Implant Internal Image,[],[],,AC-6,mitigates,0 +1128,,T1528,Steal Application Access Token,[],[],,AC-6,mitigates,0 +1129,,T1530,Data from Cloud Storage Object,[],[],,AC-6,mitigates,0 +1130,,T1537,Transfer Data to Cloud Account,[],[],,AC-6,mitigates,0 +1131,,T1538,Cloud Service Dashboard,[],[],,AC-6,mitigates,0 +1132,,T1539,Steal Web Session Cookie,[],[],,AC-6,mitigates,0 +1133,,T1542,Pre-OS Boot,[],[],,AC-6,mitigates,0 +1134,,T1542.001,System Firmware,[],[],,AC-6,mitigates,0 +1135,,T1542.003,Bootkit,[],[],,AC-6,mitigates,0 +1136,,T1542.004,ROMMONkit,[],[],,AC-6,mitigates,0 +1137,,T1542.005,TFTP Boot,[],[],,AC-6,mitigates,0 +1138,,T1543,Create or Modify System Process,[],[],,AC-6,mitigates,0 +1139,,T1543.001,Launch Agent,[],[],,AC-6,mitigates,0 +1140,,T1543.002,Systemd Service,[],[],,AC-6,mitigates,0 +1141,,T1543.003,Windows Service,[],[],,AC-6,mitigates,0 +1142,,T1543.004,Launch Daemon,[],[],,AC-6,mitigates,0 +1143,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-6,mitigates,0 +1144,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-6,mitigates,0 +1145,,T1546.011,Application Shimming,[],[],,AC-6,mitigates,0 +1146,,T1546.013,PowerShell Profile,[],[],,AC-6,mitigates,0 +1147,,T1547.003,Time Providers,[],[],,AC-6,mitigates,0 +1148,,T1547.004,Winlogon Helper DLL,[],[],,AC-6,mitigates,0 +1149,,T1547.006,Kernel Modules and Extensions,[],[],,AC-6,mitigates,0 +1150,,T1547.009,Shortcut Modification,[],[],,AC-6,mitigates,0 +1151,,T1547.011,Plist Modification,[],[],,AC-6,mitigates,0 +1152,,T1547.012,Print Processors,[],[],,AC-6,mitigates,0 +1153,,T1547.013,XDG Autostart Entries,[],[],,AC-6,mitigates,0 +1154,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-6,mitigates,0 +1155,,T1548.002,Bypass User Account 
Control,[],[],,AC-6,mitigates,0 +1156,,T1548.003,Sudo and Sudo Caching,[],[],,AC-6,mitigates,0 +1157,,T1550,Use Alternate Authentication Material,[],[],,AC-6,mitigates,0 +1158,,T1550.002,Pass the Hash,[],[],,AC-6,mitigates,0 +1159,,T1550.003,Pass the Ticket,[],[],,AC-6,mitigates,0 +1160,,T1552,Unsecured Credentials,[],[],,AC-6,mitigates,0 +1161,,T1552.001,Credentials In Files,[],[],,AC-6,mitigates,0 +1162,,T1552.002,Credentials in Registry,[],[],,AC-6,mitigates,0 +1163,,T1552.006,Group Policy Preferences,[],[],,AC-6,mitigates,0 +1164,,T1552.007,Container API,[],[],,AC-6,mitigates,0 +1165,,T1553,Subvert Trust Controls,[],[],,AC-6,mitigates,0 +1166,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-6,mitigates,0 +1167,,T1553.006,Code Signing Policy Modification,[],[],,AC-6,mitigates,0 +1168,,T1556,Modify Authentication Process,[],[],,AC-6,mitigates,0 +1169,,T1556.001,Domain Controller Authentication,[],[],,AC-6,mitigates,0 +1170,,T1556.003,Pluggable Authentication Modules,[],[],,AC-6,mitigates,0 +1171,,T1556.004,Network Device Authentication,[],[],,AC-6,mitigates,0 +1172,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-6,mitigates,0 +1173,,T1558.001,Golden Ticket,[],[],,AC-6,mitigates,0 +1174,,T1558.002,Silver Ticket,[],[],,AC-6,mitigates,0 +1175,,T1558.003,Kerberoasting,[],[],,AC-6,mitigates,0 +1176,,T1559,Inter-Process Communication,[],[],,AC-6,mitigates,0 +1177,,T1559.001,Component Object Model,[],[],,AC-6,mitigates,0 +1178,,T1559.002,Dynamic Data Exchange,[],[],,AC-6,mitigates,0 +1179,,T1561,Disk Wipe,[],[],,AC-6,mitigates,0 +1180,,T1561.001,Disk Content Wipe,[],[],,AC-6,mitigates,0 +1181,,T1561.002,Disk Structure Wipe,[],[],,AC-6,mitigates,0 +1182,,T1562,Impair Defenses,[],[],,AC-6,mitigates,0 +1183,,T1562.001,Disable or Modify Tools,[],[],,AC-6,mitigates,0 +1184,,T1562.002,Disable Windows Event Logging,[],[],,AC-6,mitigates,0 +1185,,T1562.004,Disable or Modify System Firewall,[],[],,AC-6,mitigates,0 +1186,,T1562.006,Indicator Blocking,[],[],,AC-6,mitigates,0 
+1187,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-6,mitigates,0 +1188,,T1562.008,Disable Cloud Logs,[],[],,AC-6,mitigates,0 +1189,,T1562.009,Safe Mode Boot,[],[],,AC-6,mitigates,0 +1190,,T1563,Remote Service Session Hijacking,[],[],,AC-6,mitigates,0 +1191,,T1563.001,SSH Hijacking,[],[],,AC-6,mitigates,0 +1192,,T1563.002,RDP Hijacking,[],[],,AC-6,mitigates,0 +1193,,T1567,Exfiltration Over Web Service,[],[],,AC-6,mitigates,0 +1194,,T1569,System Services,[],[],,AC-6,mitigates,0 +1195,,T1569.001,Launchctl,[],[],,AC-6,mitigates,0 +1196,,T1569.002,Service Execution,[],[],,AC-6,mitigates,0 +1197,,T1574,Hijack Execution Flow,[],[],,AC-6,mitigates,0 +1198,,T1574.004,Dylib Hijacking,[],[],,AC-6,mitigates,0 +1199,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-6,mitigates,0 +1200,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-6,mitigates,0 +1201,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-6,mitigates,0 +1202,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-6,mitigates,0 +1203,,T1574.010,Services File Permissions Weakness,[],[],,AC-6,mitigates,0 +1204,,T1574.011,Services Registry Permissions Weakness,[],[],,AC-6,mitigates,0 +1205,,T1574.012,COR_PROFILER,[],[],,AC-6,mitigates,0 +1206,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-6,mitigates,0 +1207,,T1578.001,Create Snapshot,[],[],,AC-6,mitigates,0 +1208,,T1578.002,Create Cloud Instance,[],[],,AC-6,mitigates,0 +1209,,T1578.003,Delete Cloud Instance,[],[],,AC-6,mitigates,0 +1210,,T1580,Cloud Infrastructure Discovery,[],[],,AC-6,mitigates,0 +1211,,T1599,Network Boundary Bridging,[],[],,AC-6,mitigates,0 +1212,,T1599.001,Network Address Translation Traversal,[],[],,AC-6,mitigates,0 +1213,,T1601,Modify System Image,[],[],,AC-6,mitigates,0 +1214,,T1601.001,Patch System Image,[],[],,AC-6,mitigates,0 +1215,,T1601.002,Downgrade System Image,[],[],,AC-6,mitigates,0 +1216,,T1606,Forge Web Credentials,[],[],,AC-6,mitigates,0 +1217,,T1606.001,Web 
Cookies,[],[],,AC-6,mitigates,0 +1218,,T1606.002,SAML Tokens,[],[],,AC-6,mitigates,0 +1219,,T1609,Container Administration Command,[],[],,AC-6,mitigates,0 +1220,,T1610,Deploy Container,[],[],,AC-6,mitigates,0 +1221,,T1611,Escape to Host,[],[],,AC-6,mitigates,0 +1222,,T1612,Build Image on Host,[],[],,AC-6,mitigates,0 +1223,,T1613,Container and Resource Discovery,[],[],,AC-6,mitigates,0 +1224,,T1619,Cloud Storage Object Discovery,[],[],,AC-6,mitigates,0 +1225,,T1021,Remote Services,[],[],,AC-7,mitigates,0 +1226,,T1021.001,Remote Desktop Protocol,[],[],,AC-7,mitigates,0 +1227,,T1021.004,SSH,[],[],,AC-7,mitigates,0 +1228,,T1078.002,Domain Accounts,[],[],,AC-7,mitigates,0 +1229,,T1078.004,Cloud Accounts,[],[],,AC-7,mitigates,0 +1230,,T1110,Brute Force,[],[],,AC-7,mitigates,0 +1231,,T1110.001,Password Guessing,[],[],,AC-7,mitigates,0 +1232,,T1110.002,Password Cracking,[],[],,AC-7,mitigates,0 +1233,,T1110.003,Password Spraying,[],[],,AC-7,mitigates,0 +1234,,T1110.004,Credential Stuffing,[],[],,AC-7,mitigates,0 +1235,,T1133,External Remote Services,[],[],,AC-7,mitigates,0 +1236,,T1530,Data from Cloud Storage Object,[],[],,AC-7,mitigates,0 +1237,,T1556,Modify Authentication Process,[],[],,AC-7,mitigates,0 +1238,,T1556.001,Domain Controller Authentication,[],[],,AC-7,mitigates,0 +1239,,T1556.003,Pluggable Authentication Modules,[],[],,AC-7,mitigates,0 +1240,,T1556.004,Network Device Authentication,[],[],,AC-7,mitigates,0 +1241,,T1199,Trusted Relationship,[],[],,AC-8,mitigates,0 +1242,,T1190,Exploit Public-Facing Application,[],[],,CA-2,mitigates,0 +1243,,T1195,Supply Chain Compromise,[],[],,CA-2,mitigates,0 +1244,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-2,mitigates,0 +1245,,T1195.002,Compromise Software Supply Chain,[],[],,CA-2,mitigates,0 +1246,,T1210,Exploitation of Remote Services,[],[],,CA-2,mitigates,0 +1247,,T1020.001,Traffic Duplication,[],[],,CA-3,mitigates,0 +1248,,T1041,Exfiltration Over C2 Channel,[],[],,CA-3,mitigates,0 
+1249,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-3,mitigates,0 +1250,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-3,mitigates,0 +1251,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-3,mitigates,0 +1252,,T1567,Exfiltration Over Web Service,[],[],,CA-3,mitigates,0 +1253,,T1001,Data Obfuscation,[],[],,CA-7,mitigates,0 +1254,,T1001.001,Junk Data,[],[],,CA-7,mitigates,0 +1255,,T1001.002,Steganography,[],[],,CA-7,mitigates,0 +1256,,T1001.003,Protocol Impersonation,[],[],,CA-7,mitigates,0 +1257,,T1003,OS Credential Dumping,[],[],,CA-7,mitigates,0 +1258,,T1003.001,LSASS Memory,[],[],,CA-7,mitigates,0 +1259,,T1003.002,Security Account Manager,[],[],,CA-7,mitigates,0 +1260,,T1003.003,NTDS,[],[],,CA-7,mitigates,0 +1261,,T1003.004,LSA Secrets,[],[],,CA-7,mitigates,0 +1262,,T1003.005,Cached Domain Credentials,[],[],,CA-7,mitigates,0 +1263,,T1003.006,DCSync,[],[],,CA-7,mitigates,0 +1264,,T1003.007,Proc Filesystem,[],[],,CA-7,mitigates,0 +1265,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CA-7,mitigates,0 +1266,,T1008,Fallback Channels,[],[],,CA-7,mitigates,0 +1267,,T1021.002,SMB/Windows Admin Shares,[],[],,CA-7,mitigates,0 +1268,,T1021.005,VNC,[],[],,CA-7,mitigates,0 +1269,,T1029,Scheduled Transfer,[],[],,CA-7,mitigates,0 +1270,,T1030,Data Transfer Size Limits,[],[],,CA-7,mitigates,0 +1271,,T1036,Masquerading,[],[],,CA-7,mitigates,0 +1272,,T1036.003,Rename System Utilities,[],[],,CA-7,mitigates,0 +1273,,T1036.005,Match Legitimate Name or Location,[],[],,CA-7,mitigates,0 +1274,,T1036.007,Double File Extension,[],[],,CA-7,mitigates,0 +1275,,T1037,Boot or Logon Initialization Scripts,[],[],,CA-7,mitigates,0 +1276,,T1037.002,Logon Script (Mac),[],[],,CA-7,mitigates,0 +1277,,T1037.003,Network Logon Script,[],[],,CA-7,mitigates,0 +1278,,T1037.004,RC Scripts,[],[],,CA-7,mitigates,0 +1279,,T1037.005,Startup Items,[],[],,CA-7,mitigates,0 +1280,,T1041,Exfiltration Over C2 Channel,[],[],,CA-7,mitigates,0 
+1281,,T1046,Network Service Scanning,[],[],,CA-7,mitigates,0 +1282,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-7,mitigates,0 +1283,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,0 +1284,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,0 +1285,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-7,mitigates,0 +1286,,T1052,Exfiltration Over Physical Medium,[],[],,CA-7,mitigates,0 +1287,,T1052.001,Exfiltration over USB,[],[],,CA-7,mitigates,0 +1288,,T1053.006,Systemd Timers,[],[],,CA-7,mitigates,0 +1289,,T1055.009,Proc Memory,[],[],,CA-7,mitigates,0 +1290,,T1056.002,GUI Input Capture,[],[],,CA-7,mitigates,0 +1291,,T1059,Command and Scripting Interpreter,[],[],,CA-7,mitigates,0 +1292,,T1059.005,Visual Basic,[],[],,CA-7,mitigates,0 +1293,,T1059.007,JavaScript,[],[],,CA-7,mitigates,0 +1294,,T1068,Exploitation for Privilege Escalation,[],[],,CA-7,mitigates,0 +1295,,T1070,Indicator Removal on Host,[],[],,CA-7,mitigates,0 +1296,,T1070.001,Clear Windows Event Logs,[],[],,CA-7,mitigates,0 +1297,,T1070.002,Clear Linux or Mac System Logs,[],[],,CA-7,mitigates,0 +1298,,T1070.003,Clear Command History,[],[],,CA-7,mitigates,0 +1299,,T1071,Application Layer Protocol,[],[],,CA-7,mitigates,0 +1300,,T1071.001,Web Protocols,[],[],,CA-7,mitigates,0 +1301,,T1071.002,File Transfer Protocols,[],[],,CA-7,mitigates,0 +1302,,T1071.003,Mail Protocols,[],[],,CA-7,mitigates,0 +1303,,T1071.004,DNS,[],[],,CA-7,mitigates,0 +1304,,T1072,Software Deployment Tools,[],[],,CA-7,mitigates,0 +1305,,T1078,Valid Accounts,[],[],,CA-7,mitigates,0 +1306,,T1078.001,Default Accounts,[],[],,CA-7,mitigates,0 +1307,,T1078.003,Local Accounts,[],[],,CA-7,mitigates,0 +1308,,T1078.004,Cloud Accounts,[],[],,CA-7,mitigates,0 +1309,,T1080,Taint Shared Content,[],[],,CA-7,mitigates,0 +1310,,T1090,Proxy,[],[],,CA-7,mitigates,0 +1311,,T1090.001,Internal Proxy,[],[],,CA-7,mitigates,0 +1312,,T1090.002,External 
Proxy,[],[],,CA-7,mitigates,0 +1313,,T1090.003,Multi-hop Proxy,[],[],,CA-7,mitigates,0 +1314,,T1095,Non-Application Layer Protocol,[],[],,CA-7,mitigates,0 +1315,,T1102,Web Service,[],[],,CA-7,mitigates,0 +1316,,T1102.001,Dead Drop Resolver,[],[],,CA-7,mitigates,0 +1317,,T1102.002,Bidirectional Communication,[],[],,CA-7,mitigates,0 +1318,,T1102.003,One-Way Communication,[],[],,CA-7,mitigates,0 +1319,,T1104,Multi-Stage Channels,[],[],,CA-7,mitigates,0 +1320,,T1105,Ingress Tool Transfer,[],[],,CA-7,mitigates,0 +1321,,T1110,Brute Force,[],[],,CA-7,mitigates,0 +1322,,T1110.001,Password Guessing,[],[],,CA-7,mitigates,0 +1323,,T1110.002,Password Cracking,[],[],,CA-7,mitigates,0 +1324,,T1110.003,Password Spraying,[],[],,CA-7,mitigates,0 +1325,,T1110.004,Credential Stuffing,[],[],,CA-7,mitigates,0 +1326,,T1111,Two-Factor Authentication Interception,[],[],,CA-7,mitigates,0 +1327,,T1132,Data Encoding,[],[],,CA-7,mitigates,0 +1328,,T1132.001,Standard Encoding,[],[],,CA-7,mitigates,0 +1329,,T1132.002,Non-Standard Encoding,[],[],,CA-7,mitigates,0 +1330,,T1176,Browser Extensions,[],[],,CA-7,mitigates,0 +1331,,T1185,Browser Session Hijacking,[],[],,CA-7,mitigates,0 +1332,,T1187,Forced Authentication,[],[],,CA-7,mitigates,0 +1333,,T1189,Drive-by Compromise,[],[],,CA-7,mitigates,0 +1334,,T1190,Exploit Public-Facing Application,[],[],,CA-7,mitigates,0 +1335,,T1195,Supply Chain Compromise,[],[],,CA-7,mitigates,0 +1336,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-7,mitigates,0 +1337,,T1195.002,Compromise Software Supply Chain,[],[],,CA-7,mitigates,0 +1338,,T1197,BITS Jobs,[],[],,CA-7,mitigates,0 +1339,,T1201,Password Policy Discovery,[],[],,CA-7,mitigates,0 +1340,,T1203,Exploitation for Client Execution,[],[],,CA-7,mitigates,0 +1341,,T1204,User Execution,[],[],,CA-7,mitigates,0 +1342,,T1204.001,Malicious Link,[],[],,CA-7,mitigates,0 +1343,,T1204.002,Malicious File,[],[],,CA-7,mitigates,0 +1344,,T1204.003,Malicious Image,[],[],,CA-7,mitigates,0 
+1345,,T1205,Traffic Signaling,[],[],,CA-7,mitigates,0 +1346,,T1205.001,Port Knocking,[],[],,CA-7,mitigates,0 +1347,,T1210,Exploitation of Remote Services,[],[],,CA-7,mitigates,0 +1348,,T1211,Exploitation for Defense Evasion,[],[],,CA-7,mitigates,0 +1349,,T1212,Exploitation for Credential Access,[],[],,CA-7,mitigates,0 +1350,,T1213,Data from Information Repositories,[],[],,CA-7,mitigates,0 +1351,,T1213.001,Confluence,[],[],,CA-7,mitigates,0 +1352,,T1213.002,Sharepoint,[],[],,CA-7,mitigates,0 +1353,,T1213.003,Code Repositories,[],[],,CA-7,mitigates,0 +1354,,T1218,Signed Binary Proxy Execution,[],[],,CA-7,mitigates,0 +1355,,T1218.002,Control Panel,[],[],,CA-7,mitigates,0 +1356,,T1218.010,Regsvr32,[],[],,CA-7,mitigates,0 +1357,,T1218.011,Rundll32,[],[],,CA-7,mitigates,0 +1358,,T1218.012,Verclsid,[],[],,CA-7,mitigates,0 +1359,,T1219,Remote Access Software,[],[],,CA-7,mitigates,0 +1360,,T1221,Template Injection,[],[],,CA-7,mitigates,0 +1361,,T1222,File and Directory Permissions Modification,[],[],,CA-7,mitigates,0 +1362,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CA-7,mitigates,0 +1363,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CA-7,mitigates,0 +1364,,T1489,Service Stop,[],[],,CA-7,mitigates,0 +1365,,T1498,Network Denial of Service,[],[],,CA-7,mitigates,0 +1366,,T1498.001,Direct Network Flood,[],[],,CA-7,mitigates,0 +1367,,T1498.002,Reflection Amplification,[],[],,CA-7,mitigates,0 +1368,,T1499,Endpoint Denial of Service,[],[],,CA-7,mitigates,0 +1369,,T1499.001,OS Exhaustion Flood,[],[],,CA-7,mitigates,0 +1370,,T1499.002,Service Exhaustion Flood,[],[],,CA-7,mitigates,0 +1371,,T1499.003,Application Exhaustion Flood,[],[],,CA-7,mitigates,0 +1372,,T1499.004,Application or System Exploitation,[],[],,CA-7,mitigates,0 +1373,,T1528,Steal Application Access Token,[],[],,CA-7,mitigates,0 +1374,,T1530,Data from Cloud Storage Object,[],[],,CA-7,mitigates,0 +1375,,T1537,Transfer Data to Cloud Account,[],[],,CA-7,mitigates,0 
+1376,,T1539,Steal Web Session Cookie,[],[],,CA-7,mitigates,0 +1377,,T1542.004,ROMMONkit,[],[],,CA-7,mitigates,0 +1378,,T1542.005,TFTP Boot,[],[],,CA-7,mitigates,0 +1379,,T1543,Create or Modify System Process,[],[],,CA-7,mitigates,0 +1380,,T1543.002,Systemd Service,[],[],,CA-7,mitigates,0 +1381,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CA-7,mitigates,0 +1382,,T1546.004,Unix Shell Configuration Modification,[],[],,CA-7,mitigates,0 +1383,,T1546.013,PowerShell Profile,[],[],,CA-7,mitigates,0 +1384,,T1547.003,Time Providers,[],[],,CA-7,mitigates,0 +1385,,T1547.011,Plist Modification,[],[],,CA-7,mitigates,0 +1386,,T1547.013,XDG Autostart Entries,[],[],,CA-7,mitigates,0 +1387,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-7,mitigates,0 +1388,,T1548.003,Sudo and Sudo Caching,[],[],,CA-7,mitigates,0 +1389,,T1550.003,Pass the Ticket,[],[],,CA-7,mitigates,0 +1390,,T1552,Unsecured Credentials,[],[],,CA-7,mitigates,0 +1391,,T1552.001,Credentials In Files,[],[],,CA-7,mitigates,0 +1392,,T1552.002,Credentials in Registry,[],[],,CA-7,mitigates,0 +1393,,T1552.004,Private Keys,[],[],,CA-7,mitigates,0 +1394,,T1552.005,Cloud Instance Metadata API,[],[],,CA-7,mitigates,0 +1395,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CA-7,mitigates,0 +1396,,T1555,Credentials from Password Stores,[],[],,CA-7,mitigates,0 +1397,,T1555.001,Keychain,[],[],,CA-7,mitigates,0 +1398,,T1555.002,Securityd Memory,[],[],,CA-7,mitigates,0 +1399,,T1556,Modify Authentication Process,[],[],,CA-7,mitigates,0 +1400,,T1556.001,Domain Controller Authentication,[],[],,CA-7,mitigates,0 +1401,,T1557,Adversary-in-the-Middle,[],[],,CA-7,mitigates,0 +1402,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CA-7,mitigates,0 +1403,,T1557.002,ARP Cache Poisoning,[],[],,CA-7,mitigates,0 +1404,,T1558,Steal or Forge Kerberos Tickets,[],[],,CA-7,mitigates,0 +1405,,T1558.002,Silver Ticket,[],[],,CA-7,mitigates,0 +1406,,T1558.003,Kerberoasting,[],[],,CA-7,mitigates,0 +1407,,T1558.004,AS-REP 
Roasting,[],[],,CA-7,mitigates,0 +1408,,T1562,Impair Defenses,[],[],,CA-7,mitigates,0 +1409,,T1562.001,Disable or Modify Tools,[],[],,CA-7,mitigates,0 +1410,,T1562.002,Disable Windows Event Logging,[],[],,CA-7,mitigates,0 +1411,,T1562.004,Disable or Modify System Firewall,[],[],,CA-7,mitigates,0 +1412,,T1562.006,Indicator Blocking,[],[],,CA-7,mitigates,0 +1413,,T1563.001,SSH Hijacking,[],[],,CA-7,mitigates,0 +1414,,T1564.004,NTFS File Attributes,[],[],,CA-7,mitigates,0 +1415,,T1565,Data Manipulation,[],[],,CA-7,mitigates,0 +1416,,T1565.001,Stored Data Manipulation,[],[],,CA-7,mitigates,0 +1417,,T1565.003,Runtime Data Manipulation,[],[],,CA-7,mitigates,0 +1418,,T1566,Phishing,[],[],,CA-7,mitigates,0 +1419,,T1566.001,Spearphishing Attachment,[],[],,CA-7,mitigates,0 +1420,,T1566.002,Spearphishing Link,[],[],,CA-7,mitigates,0 +1421,,T1566.003,Spearphishing via Service,[],[],,CA-7,mitigates,0 +1422,,T1567,Exfiltration Over Web Service,[],[],,CA-7,mitigates,0 +1423,,T1568,Dynamic Resolution,[],[],,CA-7,mitigates,0 +1424,,T1568.002,Domain Generation Algorithms,[],[],,CA-7,mitigates,0 +1425,,T1569,System Services,[],[],,CA-7,mitigates,0 +1426,,T1569.002,Service Execution,[],[],,CA-7,mitigates,0 +1427,,T1570,Lateral Tool Transfer,[],[],,CA-7,mitigates,0 +1428,,T1571,Non-Standard Port,[],[],,CA-7,mitigates,0 +1429,,T1572,Protocol Tunneling,[],[],,CA-7,mitigates,0 +1430,,T1573,Encrypted Channel,[],[],,CA-7,mitigates,0 +1431,,T1573.001,Symmetric Cryptography,[],[],,CA-7,mitigates,0 +1432,,T1573.002,Asymmetric Cryptography,[],[],,CA-7,mitigates,0 +1433,,T1574,Hijack Execution Flow,[],[],,CA-7,mitigates,0 +1434,,T1574.004,Dylib Hijacking,[],[],,CA-7,mitigates,0 +1435,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-7,mitigates,0 +1436,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-7,mitigates,0 +1437,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-7,mitigates,0 +1438,,T1598,Phishing for Information,[],[],,CA-7,mitigates,0 
+1439,,T1598.001,Spearphishing Service,[],[],,CA-7,mitigates,0 +1440,,T1598.002,Spearphishing Attachment,[],[],,CA-7,mitigates,0 +1441,,T1598.003,Spearphishing Link,[],[],,CA-7,mitigates,0 +1442,,T1599,Network Boundary Bridging,[],[],,CA-7,mitigates,0 +1443,,T1599.001,Network Address Translation Traversal,[],[],,CA-7,mitigates,0 +1444,,T1602,Data from Configuration Repository,[],[],,CA-7,mitigates,0 +1445,,T1602.001,SNMP (MIB Dump),[],[],,CA-7,mitigates,0 +1446,,T1602.002,Network Device Configuration Dump,[],[],,CA-7,mitigates,0 +1447,,T1021.001,Remote Desktop Protocol,[],[],,CA-8,mitigates,0 +1448,,T1021.005,VNC,[],[],,CA-8,mitigates,0 +1449,,T1053,Scheduled Task/Job,[],[],,CA-8,mitigates,0 +1450,,T1053.001,At (Linux),[],[],,CA-8,mitigates,0 +1451,,T1053.002,At (Windows),[],[],,CA-8,mitigates,0 +1452,,T1053.003,Cron,[],[],,CA-8,mitigates,0 +1453,,T1053.005,Scheduled Task,[],[],,CA-8,mitigates,0 +1454,,T1059,Command and Scripting Interpreter,[],[],,CA-8,mitigates,0 +1455,,T1068,Exploitation for Privilege Escalation,[],[],,CA-8,mitigates,0 +1456,,T1078,Valid Accounts,[],[],,CA-8,mitigates,0 +1457,,T1176,Browser Extensions,[],[],,CA-8,mitigates,0 +1458,,T1195.003,Compromise Hardware Supply Chain,[],[],,CA-8,mitigates,0 +1459,,T1204.003,Malicious Image,[],[],,CA-8,mitigates,0 +1460,,T1210,Exploitation of Remote Services,[],[],,CA-8,mitigates,0 +1461,,T1211,Exploitation for Defense Evasion,[],[],,CA-8,mitigates,0 +1462,,T1212,Exploitation for Credential Access,[],[],,CA-8,mitigates,0 +1463,,T1213,Data from Information Repositories,[],[],,CA-8,mitigates,0 +1464,,T1213.001,Confluence,[],[],,CA-8,mitigates,0 +1465,,T1213.002,Sharepoint,[],[],,CA-8,mitigates,0 +1466,,T1482,Domain Trust Discovery,[],[],,CA-8,mitigates,0 +1467,,T1484,Domain Policy Modification,[],[],,CA-8,mitigates,0 +1468,,T1495,Firmware Corruption,[],[],,CA-8,mitigates,0 +1469,,T1505,Server Software Component,[],[],,CA-8,mitigates,0 +1470,,T1505.001,SQL Stored Procedures,[],[],,CA-8,mitigates,0 
+1471,,T1505.002,Transport Agent,[],[],,CA-8,mitigates,0 +1472,,T1505.004,IIS Components,[],[],,CA-8,mitigates,0 +1473,,T1525,Implant Internal Image,[],[],,CA-8,mitigates,0 +1474,,T1528,Steal Application Access Token,[],[],,CA-8,mitigates,0 +1475,,T1530,Data from Cloud Storage Object,[],[],,CA-8,mitigates,0 +1476,,T1542,Pre-OS Boot,[],[],,CA-8,mitigates,0 +1477,,T1542.001,System Firmware,[],[],,CA-8,mitigates,0 +1478,,T1542.003,Bootkit,[],[],,CA-8,mitigates,0 +1479,,T1542.004,ROMMONkit,[],[],,CA-8,mitigates,0 +1480,,T1542.005,TFTP Boot,[],[],,CA-8,mitigates,0 +1481,,T1543,Create or Modify System Process,[],[],,CA-8,mitigates,0 +1482,,T1543.003,Windows Service,[],[],,CA-8,mitigates,0 +1483,,T1543.004,Launch Daemon,[],[],,CA-8,mitigates,0 +1484,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-8,mitigates,0 +1485,,T1548.002,Bypass User Account Control,[],[],,CA-8,mitigates,0 +1486,,T1550.001,Application Access Token,[],[],,CA-8,mitigates,0 +1487,,T1552,Unsecured Credentials,[],[],,CA-8,mitigates,0 +1488,,T1552.001,Credentials In Files,[],[],,CA-8,mitigates,0 +1489,,T1552.002,Credentials in Registry,[],[],,CA-8,mitigates,0 +1490,,T1552.004,Private Keys,[],[],,CA-8,mitigates,0 +1491,,T1552.006,Group Policy Preferences,[],[],,CA-8,mitigates,0 +1492,,T1553,Subvert Trust Controls,[],[],,CA-8,mitigates,0 +1493,,T1553.006,Code Signing Policy Modification,[],[],,CA-8,mitigates,0 +1494,,T1554,Compromise Client Software Binary,[],[],,CA-8,mitigates,0 +1495,,T1558.004,AS-REP Roasting,[],[],,CA-8,mitigates,0 +1496,,T1560,Archive Collected Data,[],[],,CA-8,mitigates,0 +1497,,T1560.001,Archive via Utility,[],[],,CA-8,mitigates,0 +1498,,T1562,Impair Defenses,[],[],,CA-8,mitigates,0 +1499,,T1563,Remote Service Session Hijacking,[],[],,CA-8,mitigates,0 +1500,,T1574,Hijack Execution Flow,[],[],,CA-8,mitigates,0 +1501,,T1574.001,DLL Search Order Hijacking,[],[],,CA-8,mitigates,0 +1502,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CA-8,mitigates,0 
+1503,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-8,mitigates,0 +1504,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-8,mitigates,0 +1505,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-8,mitigates,0 +1506,,T1574.010,Services File Permissions Weakness,[],[],,CA-8,mitigates,0 +1507,,T1578,Modify Cloud Compute Infrastructure,[],[],,CA-8,mitigates,0 +1508,,T1578.001,Create Snapshot,[],[],,CA-8,mitigates,0 +1509,,T1578.002,Create Cloud Instance,[],[],,CA-8,mitigates,0 +1510,,T1578.003,Delete Cloud Instance,[],[],,CA-8,mitigates,0 +1511,,T1601,Modify System Image,[],[],,CA-8,mitigates,0 +1512,,T1601.001,Patch System Image,[],[],,CA-8,mitigates,0 +1513,,T1601.002,Downgrade System Image,[],[],,CA-8,mitigates,0 +1514,,T1612,Build Image on Host,[],[],,CA-8,mitigates,0 +1515,,T1546.008,Accessibility Features,[],[],,CM-10,mitigates,0 +1516,,T1546.013,PowerShell Profile,[],[],,CM-10,mitigates,0 +1517,,T1550.001,Application Access Token,[],[],,CM-10,mitigates,0 +1518,,T1553,Subvert Trust Controls,[],[],,CM-10,mitigates,0 +1519,,T1553.004,Install Root Certificate,[],[],,CM-10,mitigates,0 +1520,,T1559,Inter-Process Communication,[],[],,CM-10,mitigates,0 +1521,,T1559.002,Dynamic Data Exchange,[],[],,CM-10,mitigates,0 +1522,,T1562.006,Indicator Blocking,[],[],,CM-10,mitigates,0 +1523,,T1562.009,Safe Mode Boot,[],[],,CM-10,mitigates,0 +1524,,T1021.005,VNC,[],[],,CM-11,mitigates,0 +1525,,T1059,Command and Scripting Interpreter,[],[],,CM-11,mitigates,0 +1526,,T1059.006,Python,[],[],,CM-11,mitigates,0 +1527,,T1176,Browser Extensions,[],[],,CM-11,mitigates,0 +1528,,T1195,Supply Chain Compromise,[],[],,CM-11,mitigates,0 +1529,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-11,mitigates,0 +1530,,T1195.002,Compromise Software Supply Chain,[],[],,CM-11,mitigates,0 +1531,,T1218,Signed Binary Proxy Execution,[],[],,CM-11,mitigates,0 +1532,,T1218.001,Compiled HTML File,[],[],,CM-11,mitigates,0 +1533,,T1218.002,Control 
Panel,[],[],,CM-11,mitigates,0 +1534,,T1218.003,CMSTP,[],[],,CM-11,mitigates,0 +1535,,T1218.004,InstallUtil,[],[],,CM-11,mitigates,0 +1536,,T1218.005,Mshta,[],[],,CM-11,mitigates,0 +1537,,T1218.008,Odbcconf,[],[],,CM-11,mitigates,0 +1538,,T1218.009,Regsvcs/Regasm,[],[],,CM-11,mitigates,0 +1539,,T1218.012,Verclsid,[],[],,CM-11,mitigates,0 +1540,,T1218.013,Mavinject,[],[],,CM-11,mitigates,0 +1541,,T1218.014,MMC,[],[],,CM-11,mitigates,0 +1542,,T1505,Server Software Component,[],[],,CM-11,mitigates,0 +1543,,T1505.001,SQL Stored Procedures,[],[],,CM-11,mitigates,0 +1544,,T1505.002,Transport Agent,[],[],,CM-11,mitigates,0 +1545,,T1505.004,IIS Components,[],[],,CM-11,mitigates,0 +1546,,T1543,Create or Modify System Process,[],[],,CM-11,mitigates,0 +1547,,T1543.001,Launch Agent,[],[],,CM-11,mitigates,0 +1548,,T1543.002,Systemd Service,[],[],,CM-11,mitigates,0 +1549,,T1543.003,Windows Service,[],[],,CM-11,mitigates,0 +1550,,T1543.004,Launch Daemon,[],[],,CM-11,mitigates,0 +1551,,T1547.013,XDG Autostart Entries,[],[],,CM-11,mitigates,0 +1552,,T1550.001,Application Access Token,[],[],,CM-11,mitigates,0 +1553,,T1564.009,Resource Forking,[],[],,CM-11,mitigates,0 +1554,,T1569,System Services,[],[],,CM-11,mitigates,0 +1555,,T1569.001,Launchctl,[],[],,CM-11,mitigates,0 +1556,,T1001,Data Obfuscation,[],[],,CM-2,mitigates,0 +1557,,T1001.001,Junk Data,[],[],,CM-2,mitigates,0 +1558,,T1001.002,Steganography,[],[],,CM-2,mitigates,0 +1559,,T1001.003,Protocol Impersonation,[],[],,CM-2,mitigates,0 +1560,,T1003,OS Credential Dumping,[],[],,CM-2,mitigates,0 +1561,,T1003.001,LSASS Memory,[],[],,CM-2,mitigates,0 +1562,,T1003.002,Security Account Manager,[],[],,CM-2,mitigates,0 +1563,,T1003.003,NTDS,[],[],,CM-2,mitigates,0 +1564,,T1003.004,LSA Secrets,[],[],,CM-2,mitigates,0 +1565,,T1003.005,Cached Domain Credentials,[],[],,CM-2,mitigates,0 +1566,,T1003.006,DCSync,[],[],,CM-2,mitigates,0 +1567,,T1003.007,Proc Filesystem,[],[],,CM-2,mitigates,0 +1568,,T1003.008,/etc/passwd and 
/etc/shadow,[],[],,CM-2,mitigates,0 +1569,,T1008,Fallback Channels,[],[],,CM-2,mitigates,0 +1570,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-2,mitigates,0 +1571,,T1020.001,Traffic Duplication,[],[],,CM-2,mitigates,0 +1572,,T1021.001,Remote Desktop Protocol,[],[],,CM-2,mitigates,0 +1573,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-2,mitigates,0 +1574,,T1021.003,Distributed Component Object Model,[],[],,CM-2,mitigates,0 +1575,,T1021.004,SSH,[],[],,CM-2,mitigates,0 +1576,,T1021.005,VNC,[],[],,CM-2,mitigates,0 +1577,,T1021.006,Windows Remote Management,[],[],,CM-2,mitigates,0 +1578,,T1027,Obfuscated Files or Information,[],[],,CM-2,mitigates,0 +1579,,T1029,Scheduled Transfer,[],[],,CM-2,mitigates,0 +1580,,T1030,Data Transfer Size Limits,[],[],,CM-2,mitigates,0 +1581,,T1036,Masquerading,[],[],,CM-2,mitigates,0 +1582,,T1036.001,Invalid Code Signature,[],[],,CM-2,mitigates,0 +1583,,T1036.003,Rename System Utilities,[],[],,CM-2,mitigates,0 +1584,,T1036.005,Match Legitimate Name or Location,[],[],,CM-2,mitigates,0 +1585,,T1036.007,Double File Extension,[],[],,CM-2,mitigates,0 +1586,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-2,mitigates,0 +1587,,T1037.002,Logon Script (Mac),[],[],,CM-2,mitigates,0 +1588,,T1037.003,Network Logon Script,[],[],,CM-2,mitigates,0 +1589,,T1037.004,RC Scripts,[],[],,CM-2,mitigates,0 +1590,,T1037.005,Startup Items,[],[],,CM-2,mitigates,0 +1591,,T1046,Network Service Scanning,[],[],,CM-2,mitigates,0 +1592,,T1047,Windows Management Instrumentation,[],[],,CM-2,mitigates,0 +1593,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-2,mitigates,0 +1594,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,0 +1595,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,0 +1596,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-2,mitigates,0 +1597,,T1052,Exfiltration Over Physical Medium,[],[],,CM-2,mitigates,0 +1598,,T1052.001,Exfiltration over 
USB,[],[],,CM-2,mitigates,0 +1599,,T1053,Scheduled Task/Job,[],[],,CM-2,mitigates,0 +1600,,T1053.002,At (Windows),[],[],,CM-2,mitigates,0 +1601,,T1053.005,Scheduled Task,[],[],,CM-2,mitigates,0 +1602,,T1059,Command and Scripting Interpreter,[],[],,CM-2,mitigates,0 +1603,,T1059.001,PowerShell,[],[],,CM-2,mitigates,0 +1604,,T1059.002,AppleScript,[],[],,CM-2,mitigates,0 +1605,,T1059.003,Windows Command Shell,[],[],,CM-2,mitigates,0 +1606,,T1059.004,Unix Shell,[],[],,CM-2,mitigates,0 +1607,,T1059.005,Visual Basic,[],[],,CM-2,mitigates,0 +1608,,T1059.006,Python,[],[],,CM-2,mitigates,0 +1609,,T1059.007,JavaScript,[],[],,CM-2,mitigates,0 +1610,,T1059.008,Network Device CLI,[],[],,CM-2,mitigates,0 +1611,,T1068,Exploitation for Privilege Escalation,[],[],,CM-2,mitigates,0 +1612,,T1070,Indicator Removal on Host,[],[],,CM-2,mitigates,0 +1613,,T1070.001,Clear Windows Event Logs,[],[],,CM-2,mitigates,0 +1614,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-2,mitigates,0 +1615,,T1070.003,Clear Command History,[],[],,CM-2,mitigates,0 +1616,,T1071,Application Layer Protocol,[],[],,CM-2,mitigates,0 +1617,,T1071.001,Web Protocols,[],[],,CM-2,mitigates,0 +1618,,T1071.002,File Transfer Protocols,[],[],,CM-2,mitigates,0 +1619,,T1071.003,Mail Protocols,[],[],,CM-2,mitigates,0 +1620,,T1071.004,DNS,[],[],,CM-2,mitigates,0 +1621,,T1072,Software Deployment Tools,[],[],,CM-2,mitigates,0 +1622,,T1080,Taint Shared Content,[],[],,CM-2,mitigates,0 +1623,,T1090,Proxy,[],[],,CM-2,mitigates,0 +1624,,T1090.001,Internal Proxy,[],[],,CM-2,mitigates,0 +1625,,T1090.002,External Proxy,[],[],,CM-2,mitigates,0 +1626,,T1091,Replication Through Removable Media,[],[],,CM-2,mitigates,0 +1627,,T1092,Communication Through Removable Media,[],[],,CM-2,mitigates,0 +1628,,T1095,Non-Application Layer Protocol,[],[],,CM-2,mitigates,0 +1629,,T1098.004,SSH Authorized Keys,[],[],,CM-2,mitigates,0 +1630,,T1102,Web Service,[],[],,CM-2,mitigates,0 +1631,,T1102.001,Dead Drop Resolver,[],[],,CM-2,mitigates,0 
+1632,,T1102.002,Bidirectional Communication,[],[],,CM-2,mitigates,0 +1633,,T1102.003,One-Way Communication,[],[],,CM-2,mitigates,0 +1634,,T1104,Multi-Stage Channels,[],[],,CM-2,mitigates,0 +1635,,T1105,Ingress Tool Transfer,[],[],,CM-2,mitigates,0 +1636,,T1106,Native API,[],[],,CM-2,mitigates,0 +1637,,T1110,Brute Force,[],[],,CM-2,mitigates,0 +1638,,T1110.001,Password Guessing,[],[],,CM-2,mitigates,0 +1639,,T1110.002,Password Cracking,[],[],,CM-2,mitigates,0 +1640,,T1110.003,Password Spraying,[],[],,CM-2,mitigates,0 +1641,,T1110.004,Credential Stuffing,[],[],,CM-2,mitigates,0 +1642,,T1111,Two-Factor Authentication Interception,[],[],,CM-2,mitigates,0 +1643,,T1114,Email Collection,[],[],,CM-2,mitigates,0 +1644,,T1114.002,Remote Email Collection,[],[],,CM-2,mitigates,0 +1645,,T1119,Automated Collection,[],[],,CM-2,mitigates,0 +1646,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-2,mitigates,0 +1647,,T1127.001,MSBuild,[],[],,CM-2,mitigates,0 +1648,,T1129,Shared Modules,[],[],,CM-2,mitigates,0 +1649,,T1132,Data Encoding,[],[],,CM-2,mitigates,0 +1650,,T1132.001,Standard Encoding,[],[],,CM-2,mitigates,0 +1651,,T1132.002,Non-Standard Encoding,[],[],,CM-2,mitigates,0 +1652,,T1133,External Remote Services,[],[],,CM-2,mitigates,0 +1653,,T1134.005,SID-History Injection,[],[],,CM-2,mitigates,0 +1654,,T1137,Office Application Startup,[],[],,CM-2,mitigates,0 +1655,,T1137.001,Office Template Macros,[],[],,CM-2,mitigates,0 +1656,,T1137.002,Office Test,[],[],,CM-2,mitigates,0 +1657,,T1137.003,Outlook Forms,[],[],,CM-2,mitigates,0 +1658,,T1137.004,Outlook Home Page,[],[],,CM-2,mitigates,0 +1659,,T1137.005,Outlook Rules,[],[],,CM-2,mitigates,0 +1660,,T1137.006,Add-ins,[],[],,CM-2,mitigates,0 +1661,,T1176,Browser Extensions,[],[],,CM-2,mitigates,0 +1662,,T1185,Browser Session Hijacking,[],[],,CM-2,mitigates,0 +1663,,T1187,Forced Authentication,[],[],,CM-2,mitigates,0 +1664,,T1189,Drive-by Compromise,[],[],,CM-2,mitigates,0 +1665,,T1201,Password Policy 
Discovery,[],[],,CM-2,mitigates,0 +1666,,T1204,User Execution,[],[],,CM-2,mitigates,0 +1667,,T1204.001,Malicious Link,[],[],,CM-2,mitigates,0 +1668,,T1204.002,Malicious File,[],[],,CM-2,mitigates,0 +1669,,T1204.003,Malicious Image,[],[],,CM-2,mitigates,0 +1670,,T1205,Traffic Signaling,[],[],,CM-2,mitigates,0 +1671,,T1210,Exploitation of Remote Services,[],[],,CM-2,mitigates,0 +1672,,T1211,Exploitation for Defense Evasion,[],[],,CM-2,mitigates,0 +1673,,T1212,Exploitation for Credential Access,[],[],,CM-2,mitigates,0 +1674,,T1213,Data from Information Repositories,[],[],,CM-2,mitigates,0 +1675,,T1213.001,Confluence,[],[],,CM-2,mitigates,0 +1676,,T1213.002,Sharepoint,[],[],,CM-2,mitigates,0 +1677,,T1216,Signed Script Proxy Execution,[],[],,CM-2,mitigates,0 +1678,,T1216.001,PubPrn,[],[],,CM-2,mitigates,0 +1679,,T1218,Signed Binary Proxy Execution,[],[],,CM-2,mitigates,0 +1680,,T1218.001,Compiled HTML File,[],[],,CM-2,mitigates,0 +1681,,T1218.002,Control Panel,[],[],,CM-2,mitigates,0 +1682,,T1218.003,CMSTP,[],[],,CM-2,mitigates,0 +1683,,T1218.004,InstallUtil,[],[],,CM-2,mitigates,0 +1684,,T1218.005,Mshta,[],[],,CM-2,mitigates,0 +1685,,T1218.007,Msiexec,[],[],,CM-2,mitigates,0 +1686,,T1218.008,Odbcconf,[],[],,CM-2,mitigates,0 +1687,,T1218.009,Regsvcs/Regasm,[],[],,CM-2,mitigates,0 +1688,,T1218.012,Verclsid,[],[],,CM-2,mitigates,0 +1689,,T1218.013,Mavinject,[],[],,CM-2,mitigates,0 +1690,,T1218.014,MMC,[],[],,CM-2,mitigates,0 +1691,,T1219,Remote Access Software,[],[],,CM-2,mitigates,0 +1692,,T1220,XSL Script Processing,[],[],,CM-2,mitigates,0 +1693,,T1221,Template Injection,[],[],,CM-2,mitigates,0 +1694,,T1484,Domain Policy Modification,[],[],,CM-2,mitigates,0 +1695,,T1485,Data Destruction,[],[],,CM-2,mitigates,0 +1696,,T1486,Data Encrypted for Impact,[],[],,CM-2,mitigates,0 +1697,,T1490,Inhibit System Recovery,[],[],,CM-2,mitigates,0 +1698,,T1491,Defacement,[],[],,CM-2,mitigates,0 +1699,,T1491.001,Internal Defacement,[],[],,CM-2,mitigates,0 +1700,,T1491.002,External 
Defacement,[],[],,CM-2,mitigates,0 +1701,,T1505,Server Software Component,[],[],,CM-2,mitigates,0 +1702,,T1505.001,SQL Stored Procedures,[],[],,CM-2,mitigates,0 +1703,,T1505.002,Transport Agent,[],[],,CM-2,mitigates,0 +1704,,T1505.003,Web Shell,[],[],,CM-2,mitigates,0 +1705,,T1505.004,IIS Components,[],[],,CM-2,mitigates,0 +1706,,T1525,Implant Internal Image,[],[],,CM-2,mitigates,0 +1707,,T1528,Steal Application Access Token,[],[],,CM-2,mitigates,0 +1708,,T1530,Data from Cloud Storage Object,[],[],,CM-2,mitigates,0 +1709,,T1539,Steal Web Session Cookie,[],[],,CM-2,mitigates,0 +1710,,T1542.004,ROMMONkit,[],[],,CM-2,mitigates,0 +1711,,T1542.005,TFTP Boot,[],[],,CM-2,mitigates,0 +1712,,T1543,Create or Modify System Process,[],[],,CM-2,mitigates,0 +1713,,T1543.001,Launch Agent,[],[],,CM-2,mitigates,0 +1714,,T1543.002,Systemd Service,[],[],,CM-2,mitigates,0 +1715,,T1543.003,Windows Service,[],[],,CM-2,mitigates,0 +1716,,T1543.004,Launch Daemon,[],[],,CM-2,mitigates,0 +1717,,T1546,Event Triggered Execution,[],[],,CM-2,mitigates,0 +1718,,T1546.002,Screensaver,[],[],,CM-2,mitigates,0 +1719,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-2,mitigates,0 +1720,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-2,mitigates,0 +1721,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-2,mitigates,0 +1722,,T1546.010,AppInit DLLs,[],[],,CM-2,mitigates,0 +1723,,T1546.013,PowerShell Profile,[],[],,CM-2,mitigates,0 +1724,,T1546.014,Emond,[],[],,CM-2,mitigates,0 +1725,,T1547.003,Time Providers,[],[],,CM-2,mitigates,0 +1726,,T1547.007,Re-opened Applications,[],[],,CM-2,mitigates,0 +1727,,T1547.008,LSASS Driver,[],[],,CM-2,mitigates,0 +1728,,T1547.011,Plist Modification,[],[],,CM-2,mitigates,0 +1729,,T1547.013,XDG Autostart Entries,[],[],,CM-2,mitigates,0 +1730,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-2,mitigates,0 +1731,,T1548.002,Bypass User Account Control,[],[],,CM-2,mitigates,0 +1732,,T1548.003,Sudo and Sudo Caching,[],[],,CM-2,mitigates,0 
+1733,,T1548.004,Elevated Execution with Prompt,[],[],,CM-2,mitigates,0 +1734,,T1550.001,Application Access Token,[],[],,CM-2,mitigates,0 +1735,,T1550.003,Pass the Ticket,[],[],,CM-2,mitigates,0 +1736,,T1552,Unsecured Credentials,[],[],,CM-2,mitigates,0 +1737,,T1552.001,Credentials In Files,[],[],,CM-2,mitigates,0 +1738,,T1552.004,Private Keys,[],[],,CM-2,mitigates,0 +1739,,T1552.006,Group Policy Preferences,[],[],,CM-2,mitigates,0 +1740,,T1553,Subvert Trust Controls,[],[],,CM-2,mitigates,0 +1741,,T1553.001,Gatekeeper Bypass,[],[],,CM-2,mitigates,0 +1742,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-2,mitigates,0 +1743,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-2,mitigates,0 +1744,,T1554,Compromise Client Software Binary,[],[],,CM-2,mitigates,0 +1745,,T1555.004,Windows Credential Manager,[],[],,CM-2,mitigates,0 +1746,,T1555.005,Password Managers,[],[],,CM-2,mitigates,0 +1747,,T1556,Modify Authentication Process,[],[],,CM-2,mitigates,0 +1748,,T1556.004,Network Device Authentication,[],[],,CM-2,mitigates,0 +1749,,T1557,Adversary-in-the-Middle,[],[],,CM-2,mitigates,0 +1750,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-2,mitigates,0 +1751,,T1557.002,ARP Cache Poisoning,[],[],,CM-2,mitigates,0 +1752,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-2,mitigates,0 +1753,,T1558.001,Golden Ticket,[],[],,CM-2,mitigates,0 +1754,,T1558.002,Silver Ticket,[],[],,CM-2,mitigates,0 +1755,,T1558.003,Kerberoasting,[],[],,CM-2,mitigates,0 +1756,,T1558.004,AS-REP Roasting,[],[],,CM-2,mitigates,0 +1757,,T1559,Inter-Process Communication,[],[],,CM-2,mitigates,0 +1758,,T1559.001,Component Object Model,[],[],,CM-2,mitigates,0 +1759,,T1559.002,Dynamic Data Exchange,[],[],,CM-2,mitigates,0 +1760,,T1561,Disk Wipe,[],[],,CM-2,mitigates,0 +1761,,T1561.001,Disk Content Wipe,[],[],,CM-2,mitigates,0 +1762,,T1561.002,Disk Structure Wipe,[],[],,CM-2,mitigates,0 +1763,,T1562,Impair Defenses,[],[],,CM-2,mitigates,0 +1764,,T1562.001,Disable or Modify Tools,[],[],,CM-2,mitigates,0 
+1765,,T1562.002,Disable Windows Event Logging,[],[],,CM-2,mitigates,0 +1766,,T1562.003,Impair Command History Logging,[],[],,CM-2,mitigates,0 +1767,,T1562.004,Disable or Modify System Firewall,[],[],,CM-2,mitigates,0 +1768,,T1562.006,Indicator Blocking,[],[],,CM-2,mitigates,0 +1769,,T1562.010,Downgrade Attack,[],[],,CM-2,mitigates,0 +1770,,T1563,Remote Service Session Hijacking,[],[],,CM-2,mitigates,0 +1771,,T1563.001,SSH Hijacking,[],[],,CM-2,mitigates,0 +1772,,T1563.002,RDP Hijacking,[],[],,CM-2,mitigates,0 +1773,,T1564.006,Run Virtual Instance,[],[],,CM-2,mitigates,0 +1774,,T1564.007,VBA Stomping,[],[],,CM-2,mitigates,0 +1775,,T1564.009,Resource Forking,[],[],,CM-2,mitigates,0 +1776,,T1565,Data Manipulation,[],[],,CM-2,mitigates,0 +1777,,T1565.001,Stored Data Manipulation,[],[],,CM-2,mitigates,0 +1778,,T1565.002,Transmitted Data Manipulation,[],[],,CM-2,mitigates,0 +1779,,T1566,Phishing,[],[],,CM-2,mitigates,0 +1780,,T1566.001,Spearphishing Attachment,[],[],,CM-2,mitigates,0 +1781,,T1566.002,Spearphishing Link,[],[],,CM-2,mitigates,0 +1782,,T1569,System Services,[],[],,CM-2,mitigates,0 +1783,,T1569.002,Service Execution,[],[],,CM-2,mitigates,0 +1784,,T1570,Lateral Tool Transfer,[],[],,CM-2,mitigates,0 +1785,,T1571,Non-Standard Port,[],[],,CM-2,mitigates,0 +1786,,T1572,Protocol Tunneling,[],[],,CM-2,mitigates,0 +1787,,T1573,Encrypted Channel,[],[],,CM-2,mitigates,0 +1788,,T1573.001,Symmetric Cryptography,[],[],,CM-2,mitigates,0 +1789,,T1573.002,Asymmetric Cryptography,[],[],,CM-2,mitigates,0 +1790,,T1574,Hijack Execution Flow,[],[],,CM-2,mitigates,0 +1791,,T1574.001,DLL Search Order Hijacking,[],[],,CM-2,mitigates,0 +1792,,T1574.004,Dylib Hijacking,[],[],,CM-2,mitigates,0 +1793,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-2,mitigates,0 +1794,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-2,mitigates,0 +1795,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-2,mitigates,0 +1796,,T1574.009,Path Interception 
by Unquoted Path,[],[],,CM-2,mitigates,0 +1797,,T1574.010,Services File Permissions Weakness,[],[],,CM-2,mitigates,0 +1798,,T1598,Phishing for Information,[],[],,CM-2,mitigates,0 +1799,,T1598.002,Spearphishing Attachment,[],[],,CM-2,mitigates,0 +1800,,T1598.003,Spearphishing Link,[],[],,CM-2,mitigates,0 +1801,,T1599,Network Boundary Bridging,[],[],,CM-2,mitigates,0 +1802,,T1599.001,Network Address Translation Traversal,[],[],,CM-2,mitigates,0 +1803,,T1601,Modify System Image,[],[],,CM-2,mitigates,0 +1804,,T1601.001,Patch System Image,[],[],,CM-2,mitigates,0 +1805,,T1601.002,Downgrade System Image,[],[],,CM-2,mitigates,0 +1806,,T1602,Data from Configuration Repository,[],[],,CM-2,mitigates,0 +1807,,T1602.001,SNMP (MIB Dump),[],[],,CM-2,mitigates,0 +1808,,T1602.002,Network Device Configuration Dump,[],[],,CM-2,mitigates,0 +1809,,T1021.005,VNC,[],[],,CM-3,mitigates,0 +1810,,T1059.006,Python,[],[],,CM-3,mitigates,0 +1811,,T1176,Browser Extensions,[],[],,CM-3,mitigates,0 +1812,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-3,mitigates,0 +1813,,T1213,Data from Information Repositories,[],[],,CM-3,mitigates,0 +1814,,T1213.001,Confluence,[],[],,CM-3,mitigates,0 +1815,,T1213.002,Sharepoint,[],[],,CM-3,mitigates,0 +1816,,T1495,Firmware Corruption,[],[],,CM-3,mitigates,0 +1817,,T1542,Pre-OS Boot,[],[],,CM-3,mitigates,0 +1818,,T1542.001,System Firmware,[],[],,CM-3,mitigates,0 +1819,,T1542.003,Bootkit,[],[],,CM-3,mitigates,0 +1820,,T1542.004,ROMMONkit,[],[],,CM-3,mitigates,0 +1821,,T1542.005,TFTP Boot,[],[],,CM-3,mitigates,0 +1822,,T1543,Create or Modify System Process,[],[],,CM-3,mitigates,0 +1823,,T1543.002,Systemd Service,[],[],,CM-3,mitigates,0 +1824,,T1547.007,Re-opened Applications,[],[],,CM-3,mitigates,0 +1825,,T1547.011,Plist Modification,[],[],,CM-3,mitigates,0 +1826,,T1547.013,XDG Autostart Entries,[],[],,CM-3,mitigates,0 +1827,,T1553,Subvert Trust Controls,[],[],,CM-3,mitigates,0 +1828,,T1553.006,Code Signing Policy Modification,[],[],,CM-3,mitigates,0 
+1829,,T1564.008,Email Hiding Rules,[],[],,CM-3,mitigates,0 +1830,,T1601,Modify System Image,[],[],,CM-3,mitigates,0 +1831,,T1601.001,Patch System Image,[],[],,CM-3,mitigates,0 +1832,,T1601.002,Downgrade System Image,[],[],,CM-3,mitigates,0 +1833,,T1003,OS Credential Dumping,[],[],,CM-5,mitigates,0 +1834,,T1003.001,LSASS Memory,[],[],,CM-5,mitigates,0 +1835,,T1003.002,Security Account Manager,[],[],,CM-5,mitigates,0 +1836,,T1003.003,NTDS,[],[],,CM-5,mitigates,0 +1837,,T1003.004,LSA Secrets,[],[],,CM-5,mitigates,0 +1838,,T1003.005,Cached Domain Credentials,[],[],,CM-5,mitigates,0 +1839,,T1003.006,DCSync,[],[],,CM-5,mitigates,0 +1840,,T1003.007,Proc Filesystem,[],[],,CM-5,mitigates,0 +1841,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-5,mitigates,0 +1842,,T1021,Remote Services,[],[],,CM-5,mitigates,0 +1843,,T1021.001,Remote Desktop Protocol,[],[],,CM-5,mitigates,0 +1844,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-5,mitigates,0 +1845,,T1021.003,Distributed Component Object Model,[],[],,CM-5,mitigates,0 +1846,,T1021.004,SSH,[],[],,CM-5,mitigates,0 +1847,,T1021.005,VNC,[],[],,CM-5,mitigates,0 +1848,,T1021.006,Windows Remote Management,[],[],,CM-5,mitigates,0 +1849,,T1047,Windows Management Instrumentation,[],[],,CM-5,mitigates,0 +1850,,T1053,Scheduled Task/Job,[],[],,CM-5,mitigates,0 +1851,,T1053.001,At (Linux),[],[],,CM-5,mitigates,0 +1852,,T1053.002,At (Windows),[],[],,CM-5,mitigates,0 +1853,,T1053.003,Cron,[],[],,CM-5,mitigates,0 +1854,,T1053.005,Scheduled Task,[],[],,CM-5,mitigates,0 +1855,,T1053.006,Systemd Timers,[],[],,CM-5,mitigates,0 +1856,,T1053.007,Container Orchestration Job,[],[],,CM-5,mitigates,0 +1857,,T1055,Process Injection,[],[],,CM-5,mitigates,0 +1858,,T1055.008,Ptrace System Calls,[],[],,CM-5,mitigates,0 +1859,,T1056.003,Web Portal Capture,[],[],,CM-5,mitigates,0 +1860,,T1059,Command and Scripting Interpreter,[],[],,CM-5,mitigates,0 +1861,,T1059.001,PowerShell,[],[],,CM-5,mitigates,0 +1862,,T1059.006,Python,[],[],,CM-5,mitigates,0 
+1863,,T1059.008,Network Device CLI,[],[],,CM-5,mitigates,0 +1864,,T1072,Software Deployment Tools,[],[],,CM-5,mitigates,0 +1865,,T1078,Valid Accounts,[],[],,CM-5,mitigates,0 +1866,,T1078.002,Domain Accounts,[],[],,CM-5,mitigates,0 +1867,,T1078.003,Local Accounts,[],[],,CM-5,mitigates,0 +1868,,T1078.004,Cloud Accounts,[],[],,CM-5,mitigates,0 +1869,,T1098,Account Manipulation,[],[],,CM-5,mitigates,0 +1870,,T1098.001,Additional Cloud Credentials,[],[],,CM-5,mitigates,0 +1871,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-5,mitigates,0 +1872,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-5,mitigates,0 +1873,,T1134,Access Token Manipulation,[],[],,CM-5,mitigates,0 +1874,,T1134.001,Token Impersonation/Theft,[],[],,CM-5,mitigates,0 +1875,,T1134.002,Create Process with Token,[],[],,CM-5,mitigates,0 +1876,,T1134.003,Make and Impersonate Token,[],[],,CM-5,mitigates,0 +1877,,T1136,Create Account,[],[],,CM-5,mitigates,0 +1878,,T1136.001,Local Account,[],[],,CM-5,mitigates,0 +1879,,T1136.002,Domain Account,[],[],,CM-5,mitigates,0 +1880,,T1136.003,Cloud Account,[],[],,CM-5,mitigates,0 +1881,,T1137.002,Office Test,[],[],,CM-5,mitigates,0 +1882,,T1176,Browser Extensions,[],[],,CM-5,mitigates,0 +1883,,T1185,Browser Session Hijacking,[],[],,CM-5,mitigates,0 +1884,,T1190,Exploit Public-Facing Application,[],[],,CM-5,mitigates,0 +1885,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-5,mitigates,0 +1886,,T1197,BITS Jobs,[],[],,CM-5,mitigates,0 +1887,,T1210,Exploitation of Remote Services,[],[],,CM-5,mitigates,0 +1888,,T1213,Data from Information Repositories,[],[],,CM-5,mitigates,0 +1889,,T1213.001,Confluence,[],[],,CM-5,mitigates,0 +1890,,T1213.002,Sharepoint,[],[],,CM-5,mitigates,0 +1891,,T1218,Signed Binary Proxy Execution,[],[],,CM-5,mitigates,0 +1892,,T1218.007,Msiexec,[],[],,CM-5,mitigates,0 +1893,,T1222,File and Directory Permissions Modification,[],[],,CM-5,mitigates,0 +1894,,T1222.001,Windows File and Directory Permissions 
Modification,[],[],,CM-5,mitigates,0 +1895,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-5,mitigates,0 +1896,,T1484,Domain Policy Modification,[],[],,CM-5,mitigates,0 +1897,,T1489,Service Stop,[],[],,CM-5,mitigates,0 +1898,,T1495,Firmware Corruption,[],[],,CM-5,mitigates,0 +1899,,T1505,Server Software Component,[],[],,CM-5,mitigates,0 +1900,,T1505.002,Transport Agent,[],[],,CM-5,mitigates,0 +1901,,T1525,Implant Internal Image,[],[],,CM-5,mitigates,0 +1902,,T1528,Steal Application Access Token,[],[],,CM-5,mitigates,0 +1903,,T1530,Data from Cloud Storage Object,[],[],,CM-5,mitigates,0 +1904,,T1537,Transfer Data to Cloud Account,[],[],,CM-5,mitigates,0 +1905,,T1542,Pre-OS Boot,[],[],,CM-5,mitigates,0 +1906,,T1542.001,System Firmware,[],[],,CM-5,mitigates,0 +1907,,T1542.003,Bootkit,[],[],,CM-5,mitigates,0 +1908,,T1542.004,ROMMONkit,[],[],,CM-5,mitigates,0 +1909,,T1542.005,TFTP Boot,[],[],,CM-5,mitigates,0 +1910,,T1543,Create or Modify System Process,[],[],,CM-5,mitigates,0 +1911,,T1543.001,Launch Agent,[],[],,CM-5,mitigates,0 +1912,,T1543.002,Systemd Service,[],[],,CM-5,mitigates,0 +1913,,T1543.003,Windows Service,[],[],,CM-5,mitigates,0 +1914,,T1543.004,Launch Daemon,[],[],,CM-5,mitigates,0 +1915,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-5,mitigates,0 +1916,,T1547.003,Time Providers,[],[],,CM-5,mitigates,0 +1917,,T1547.004,Winlogon Helper DLL,[],[],,CM-5,mitigates,0 +1918,,T1547.006,Kernel Modules and Extensions,[],[],,CM-5,mitigates,0 +1919,,T1547.007,Re-opened Applications,[],[],,CM-5,mitigates,0 +1920,,T1547.009,Shortcut Modification,[],[],,CM-5,mitigates,0 +1921,,T1547.011,Plist Modification,[],[],,CM-5,mitigates,0 +1922,,T1547.012,Print Processors,[],[],,CM-5,mitigates,0 +1923,,T1547.013,XDG Autostart Entries,[],[],,CM-5,mitigates,0 +1924,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-5,mitigates,0 +1925,,T1548.002,Bypass User Account Control,[],[],,CM-5,mitigates,0 +1926,,T1548.003,Sudo and 
Sudo Caching,[],[],,CM-5,mitigates,0 +1927,,T1550,Use Alternate Authentication Material,[],[],,CM-5,mitigates,0 +1928,,T1550.002,Pass the Hash,[],[],,CM-5,mitigates,0 +1929,,T1550.003,Pass the Ticket,[],[],,CM-5,mitigates,0 +1930,,T1552,Unsecured Credentials,[],[],,CM-5,mitigates,0 +1931,,T1552.002,Credentials in Registry,[],[],,CM-5,mitigates,0 +1932,,T1552.007,Container API,[],[],,CM-5,mitigates,0 +1933,,T1553,Subvert Trust Controls,[],[],,CM-5,mitigates,0 +1934,,T1553.006,Code Signing Policy Modification,[],[],,CM-5,mitigates,0 +1935,,T1556,Modify Authentication Process,[],[],,CM-5,mitigates,0 +1936,,T1556.001,Domain Controller Authentication,[],[],,CM-5,mitigates,0 +1937,,T1556.003,Pluggable Authentication Modules,[],[],,CM-5,mitigates,0 +1938,,T1556.004,Network Device Authentication,[],[],,CM-5,mitigates,0 +1939,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-5,mitigates,0 +1940,,T1558.001,Golden Ticket,[],[],,CM-5,mitigates,0 +1941,,T1558.002,Silver Ticket,[],[],,CM-5,mitigates,0 +1942,,T1558.003,Kerberoasting,[],[],,CM-5,mitigates,0 +1943,,T1559,Inter-Process Communication,[],[],,CM-5,mitigates,0 +1944,,T1559.001,Component Object Model,[],[],,CM-5,mitigates,0 +1945,,T1562,Impair Defenses,[],[],,CM-5,mitigates,0 +1946,,T1562.001,Disable or Modify Tools,[],[],,CM-5,mitigates,0 +1947,,T1562.002,Disable Windows Event Logging,[],[],,CM-5,mitigates,0 +1948,,T1562.004,Disable or Modify System Firewall,[],[],,CM-5,mitigates,0 +1949,,T1562.006,Indicator Blocking,[],[],,CM-5,mitigates,0 +1950,,T1562.007,Disable or Modify Cloud Firewall,[],[],,CM-5,mitigates,0 +1951,,T1562.008,Disable Cloud Logs,[],[],,CM-5,mitigates,0 +1952,,T1562.009,Safe Mode Boot,[],[],,CM-5,mitigates,0 +1953,,T1563,Remote Service Session Hijacking,[],[],,CM-5,mitigates,0 +1954,,T1563.001,SSH Hijacking,[],[],,CM-5,mitigates,0 +1955,,T1563.002,RDP Hijacking,[],[],,CM-5,mitigates,0 +1956,,T1564.008,Email Hiding Rules,[],[],,CM-5,mitigates,0 +1957,,T1569,System Services,[],[],,CM-5,mitigates,0 
+1958,,T1569.001,Launchctl,[],[],,CM-5,mitigates,0 +1959,,T1569.002,Service Execution,[],[],,CM-5,mitigates,0 +1960,,T1574,Hijack Execution Flow,[],[],,CM-5,mitigates,0 +1961,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-5,mitigates,0 +1962,,T1574.010,Services File Permissions Weakness,[],[],,CM-5,mitigates,0 +1963,,T1574.011,Services Registry Permissions Weakness,[],[],,CM-5,mitigates,0 +1964,,T1574.012,COR_PROFILER,[],[],,CM-5,mitigates,0 +1965,,T1578,Modify Cloud Compute Infrastructure,[],[],,CM-5,mitigates,0 +1966,,T1578.001,Create Snapshot,[],[],,CM-5,mitigates,0 +1967,,T1578.002,Create Cloud Instance,[],[],,CM-5,mitigates,0 +1968,,T1578.003,Delete Cloud Instance,[],[],,CM-5,mitigates,0 +1969,,T1599,Network Boundary Bridging,[],[],,CM-5,mitigates,0 +1970,,T1599.001,Network Address Translation Traversal,[],[],,CM-5,mitigates,0 +1971,,T1601,Modify System Image,[],[],,CM-5,mitigates,0 +1972,,T1601.001,Patch System Image,[],[],,CM-5,mitigates,0 +1973,,T1601.002,Downgrade System Image,[],[],,CM-5,mitigates,0 +1974,,T1611,Escape to Host,[],[],,CM-5,mitigates,0 +1975,,T1619,Cloud Storage Object Discovery,[],[],,CM-5,mitigates,0 +1976,,T1001,Data Obfuscation,[],[],,CM-6,mitigates,0 +1977,,T1001.001,Junk Data,[],[],,CM-6,mitigates,0 +1978,,T1001.002,Steganography,[],[],,CM-6,mitigates,0 +1979,,T1001.003,Protocol Impersonation,[],[],,CM-6,mitigates,0 +1980,,T1003,OS Credential Dumping,[],[],,CM-6,mitigates,0 +1981,,T1003.001,LSASS Memory,[],[],,CM-6,mitigates,0 +1982,,T1003.002,Security Account Manager,[],[],,CM-6,mitigates,0 +1983,,T1003.003,NTDS,[],[],,CM-6,mitigates,0 +1984,,T1003.004,LSA Secrets,[],[],,CM-6,mitigates,0 +1985,,T1003.005,Cached Domain Credentials,[],[],,CM-6,mitigates,0 +1986,,T1003.006,DCSync,[],[],,CM-6,mitigates,0 +1987,,T1003.007,Proc Filesystem,[],[],,CM-6,mitigates,0 +1988,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-6,mitigates,0 +1989,,T1008,Fallback Channels,[],[],,CM-6,mitigates,0 +1990,,T1011,Exfiltration Over 
Other Network Medium,[],[],,CM-6,mitigates,0 +1991,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-6,mitigates,0 +1992,,T1020.001,Traffic Duplication,[],[],,CM-6,mitigates,0 +1993,,T1021,Remote Services,[],[],,CM-6,mitigates,0 +1994,,T1021.001,Remote Desktop Protocol,[],[],,CM-6,mitigates,0 +1995,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-6,mitigates,0 +1996,,T1021.003,Distributed Component Object Model,[],[],,CM-6,mitigates,0 +1997,,T1021.004,SSH,[],[],,CM-6,mitigates,0 +1998,,T1021.005,VNC,[],[],,CM-6,mitigates,0 +1999,,T1021.006,Windows Remote Management,[],[],,CM-6,mitigates,0 +2000,,T1027,Obfuscated Files or Information,[],[],,CM-6,mitigates,0 +2001,,T1029,Scheduled Transfer,[],[],,CM-6,mitigates,0 +2002,,T1030,Data Transfer Size Limits,[],[],,CM-6,mitigates,0 +2003,,T1036,Masquerading,[],[],,CM-6,mitigates,0 +2004,,T1036.001,Invalid Code Signature,[],[],,CM-6,mitigates,0 +2005,,T1036.003,Rename System Utilities,[],[],,CM-6,mitigates,0 +2006,,T1036.005,Match Legitimate Name or Location,[],[],,CM-6,mitigates,0 +2007,,T1036.007,Double File Extension,[],[],,CM-6,mitigates,0 +2008,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-6,mitigates,0 +2009,,T1037.002,Logon Script (Mac),[],[],,CM-6,mitigates,0 +2010,,T1037.003,Network Logon Script,[],[],,CM-6,mitigates,0 +2011,,T1037.004,RC Scripts,[],[],,CM-6,mitigates,0 +2012,,T1037.005,Startup Items,[],[],,CM-6,mitigates,0 +2013,,T1046,Network Service Scanning,[],[],,CM-6,mitigates,0 +2014,,T1047,Windows Management Instrumentation,[],[],,CM-6,mitigates,0 +2015,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-6,mitigates,0 +2016,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,0 +2017,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,0 +2018,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-6,mitigates,0 +2019,,T1052,Exfiltration Over Physical Medium,[],[],,CM-6,mitigates,0 +2020,,T1052.001,Exfiltration 
over USB,[],[],,CM-6,mitigates,0 +2021,,T1053,Scheduled Task/Job,[],[],,CM-6,mitigates,0 +2022,,T1053.002,At (Windows),[],[],,CM-6,mitigates,0 +2023,,T1053.005,Scheduled Task,[],[],,CM-6,mitigates,0 +2024,,T1053.006,Systemd Timers,[],[],,CM-6,mitigates,0 +2025,,T1053.007,Container Orchestration Job,[],[],,CM-6,mitigates,0 +2026,,T1055,Process Injection,[],[],,CM-6,mitigates,0 +2027,,T1055.008,Ptrace System Calls,[],[],,CM-6,mitigates,0 +2028,,T1056.003,Web Portal Capture,[],[],,CM-6,mitigates,0 +2029,,T1059,Command and Scripting Interpreter,[],[],,CM-6,mitigates,0 +2030,,T1059.001,PowerShell,[],[],,CM-6,mitigates,0 +2031,,T1059.002,AppleScript,[],[],,CM-6,mitigates,0 +2032,,T1059.003,Windows Command Shell,[],[],,CM-6,mitigates,0 +2033,,T1059.004,Unix Shell,[],[],,CM-6,mitigates,0 +2034,,T1059.005,Visual Basic,[],[],,CM-6,mitigates,0 +2035,,T1059.006,Python,[],[],,CM-6,mitigates,0 +2036,,T1059.007,JavaScript,[],[],,CM-6,mitigates,0 +2037,,T1059.008,Network Device CLI,[],[],,CM-6,mitigates,0 +2038,,T1068,Exploitation for Privilege Escalation,[],[],,CM-6,mitigates,0 +2039,,T1070,Indicator Removal on Host,[],[],,CM-6,mitigates,0 +2040,,T1070.001,Clear Windows Event Logs,[],[],,CM-6,mitigates,0 +2041,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-6,mitigates,0 +2042,,T1070.003,Clear Command History,[],[],,CM-6,mitigates,0 +2043,,T1071,Application Layer Protocol,[],[],,CM-6,mitigates,0 +2044,,T1071.001,Web Protocols,[],[],,CM-6,mitigates,0 +2045,,T1071.002,File Transfer Protocols,[],[],,CM-6,mitigates,0 +2046,,T1071.003,Mail Protocols,[],[],,CM-6,mitigates,0 +2047,,T1071.004,DNS,[],[],,CM-6,mitigates,0 +2048,,T1072,Software Deployment Tools,[],[],,CM-6,mitigates,0 +2049,,T1078,Valid Accounts,[],[],,CM-6,mitigates,0 +2050,,T1078.002,Domain Accounts,[],[],,CM-6,mitigates,0 +2051,,T1078.003,Local Accounts,[],[],,CM-6,mitigates,0 +2052,,T1078.004,Cloud Accounts,[],[],,CM-6,mitigates,0 +2053,,T1087,Account Discovery,[],[],,CM-6,mitigates,0 +2054,,T1087.001,Local 
Account,[],[],,CM-6,mitigates,0 +2055,,T1087.002,Domain Account,[],[],,CM-6,mitigates,0 +2056,,T1090,Proxy,[],[],,CM-6,mitigates,0 +2057,,T1090.001,Internal Proxy,[],[],,CM-6,mitigates,0 +2058,,T1090.002,External Proxy,[],[],,CM-6,mitigates,0 +2059,,T1090.003,Multi-hop Proxy,[],[],,CM-6,mitigates,0 +2060,,T1091,Replication Through Removable Media,[],[],,CM-6,mitigates,0 +2061,,T1092,Communication Through Removable Media,[],[],,CM-6,mitigates,0 +2062,,T1095,Non-Application Layer Protocol,[],[],,CM-6,mitigates,0 +2063,,T1098,Account Manipulation,[],[],,CM-6,mitigates,0 +2064,,T1098.001,Additional Cloud Credentials,[],[],,CM-6,mitigates,0 +2065,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-6,mitigates,0 +2066,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-6,mitigates,0 +2067,,T1098.004,SSH Authorized Keys,[],[],,CM-6,mitigates,0 +2068,,T1102,Web Service,[],[],,CM-6,mitigates,0 +2069,,T1102.001,Dead Drop Resolver,[],[],,CM-6,mitigates,0 +2070,,T1102.002,Bidirectional Communication,[],[],,CM-6,mitigates,0 +2071,,T1102.003,One-Way Communication,[],[],,CM-6,mitigates,0 +2072,,T1104,Multi-Stage Channels,[],[],,CM-6,mitigates,0 +2073,,T1105,Ingress Tool Transfer,[],[],,CM-6,mitigates,0 +2074,,T1106,Native API,[],[],,CM-6,mitigates,0 +2075,,T1110,Brute Force,[],[],,CM-6,mitigates,0 +2076,,T1110.001,Password Guessing,[],[],,CM-6,mitigates,0 +2077,,T1110.002,Password Cracking,[],[],,CM-6,mitigates,0 +2078,,T1110.003,Password Spraying,[],[],,CM-6,mitigates,0 +2079,,T1110.004,Credential Stuffing,[],[],,CM-6,mitigates,0 +2080,,T1111,Two-Factor Authentication Interception,[],[],,CM-6,mitigates,0 +2081,,T1114,Email Collection,[],[],,CM-6,mitigates,0 +2082,,T1114.002,Remote Email Collection,[],[],,CM-6,mitigates,0 +2083,,T1114.003,Email Forwarding Rule,[],[],,CM-6,mitigates,0 +2084,,T1119,Automated Collection,[],[],,CM-6,mitigates,0 +2085,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-6,mitigates,0 
+2086,,T1127.001,MSBuild,[],[],,CM-6,mitigates,0 +2087,,T1132,Data Encoding,[],[],,CM-6,mitigates,0 +2088,,T1132.001,Standard Encoding,[],[],,CM-6,mitigates,0 +2089,,T1132.002,Non-Standard Encoding,[],[],,CM-6,mitigates,0 +2090,,T1133,External Remote Services,[],[],,CM-6,mitigates,0 +2091,,T1134,Access Token Manipulation,[],[],,CM-6,mitigates,0 +2092,,T1134.001,Token Impersonation/Theft,[],[],,CM-6,mitigates,0 +2093,,T1134.002,Create Process with Token,[],[],,CM-6,mitigates,0 +2094,,T1134.003,Make and Impersonate Token,[],[],,CM-6,mitigates,0 +2095,,T1134.005,SID-History Injection,[],[],,CM-6,mitigates,0 +2096,,T1135,Network Share Discovery,[],[],,CM-6,mitigates,0 +2097,,T1136,Create Account,[],[],,CM-6,mitigates,0 +2098,,T1136.001,Local Account,[],[],,CM-6,mitigates,0 +2099,,T1136.002,Domain Account,[],[],,CM-6,mitigates,0 +2100,,T1136.003,Cloud Account,[],[],,CM-6,mitigates,0 +2101,,T1137,Office Application Startup,[],[],,CM-6,mitigates,0 +2102,,T1137.001,Office Template Macros,[],[],,CM-6,mitigates,0 +2103,,T1137.002,Office Test,[],[],,CM-6,mitigates,0 +2104,,T1137.003,Outlook Forms,[],[],,CM-6,mitigates,0 +2105,,T1137.004,Outlook Home Page,[],[],,CM-6,mitigates,0 +2106,,T1137.005,Outlook Rules,[],[],,CM-6,mitigates,0 +2107,,T1137.006,Add-ins,[],[],,CM-6,mitigates,0 +2108,,T1176,Browser Extensions,[],[],,CM-6,mitigates,0 +2109,,T1187,Forced Authentication,[],[],,CM-6,mitigates,0 +2110,,T1189,Drive-by Compromise,[],[],,CM-6,mitigates,0 +2111,,T1190,Exploit Public-Facing Application,[],[],,CM-6,mitigates,0 +2112,,T1197,BITS Jobs,[],[],,CM-6,mitigates,0 +2113,,T1199,Trusted Relationship,[],[],,CM-6,mitigates,0 +2114,,T1201,Password Policy Discovery,[],[],,CM-6,mitigates,0 +2115,,T1204,User Execution,[],[],,CM-6,mitigates,0 +2116,,T1204.001,Malicious Link,[],[],,CM-6,mitigates,0 +2117,,T1204.002,Malicious File,[],[],,CM-6,mitigates,0 +2118,,T1204.003,Malicious Image,[],[],,CM-6,mitigates,0 +2119,,T1205,Traffic Signaling,[],[],,CM-6,mitigates,0 +2120,,T1205.001,Port 
Knocking,[],[],,CM-6,mitigates,0 +2121,,T1210,Exploitation of Remote Services,[],[],,CM-6,mitigates,0 +2122,,T1211,Exploitation for Defense Evasion,[],[],,CM-6,mitigates,0 +2123,,T1212,Exploitation for Credential Access,[],[],,CM-6,mitigates,0 +2124,,T1213,Data from Information Repositories,[],[],,CM-6,mitigates,0 +2125,,T1213.001,Confluence,[],[],,CM-6,mitigates,0 +2126,,T1213.002,Sharepoint,[],[],,CM-6,mitigates,0 +2127,,T1216,Signed Script Proxy Execution,[],[],,CM-6,mitigates,0 +2128,,T1216.001,PubPrn,[],[],,CM-6,mitigates,0 +2129,,T1218,Signed Binary Proxy Execution,[],[],,CM-6,mitigates,0 +2130,,T1218.001,Compiled HTML File,[],[],,CM-6,mitigates,0 +2131,,T1218.002,Control Panel,[],[],,CM-6,mitigates,0 +2132,,T1218.003,CMSTP,[],[],,CM-6,mitigates,0 +2133,,T1218.004,InstallUtil,[],[],,CM-6,mitigates,0 +2134,,T1218.005,Mshta,[],[],,CM-6,mitigates,0 +2135,,T1218.007,Msiexec,[],[],,CM-6,mitigates,0 +2136,,T1218.008,Odbcconf,[],[],,CM-6,mitigates,0 +2137,,T1218.009,Regsvcs/Regasm,[],[],,CM-6,mitigates,0 +2138,,T1218.012,Verclsid,[],[],,CM-6,mitigates,0 +2139,,T1218.013,Mavinject,[],[],,CM-6,mitigates,0 +2140,,T1218.014,MMC,[],[],,CM-6,mitigates,0 +2141,,T1219,Remote Access Software,[],[],,CM-6,mitigates,0 +2142,,T1220,XSL Script Processing,[],[],,CM-6,mitigates,0 +2143,,T1221,Template Injection,[],[],,CM-6,mitigates,0 +2144,,T1222,File and Directory Permissions Modification,[],[],,CM-6,mitigates,0 +2145,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-6,mitigates,0 +2146,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-6,mitigates,0 +2147,,T1482,Domain Trust Discovery,[],[],,CM-6,mitigates,0 +2148,,T1484,Domain Policy Modification,[],[],,CM-6,mitigates,0 +2149,,T1489,Service Stop,[],[],,CM-6,mitigates,0 +2150,,T1490,Inhibit System Recovery,[],[],,CM-6,mitigates,0 +2151,,T1495,Firmware Corruption,[],[],,CM-6,mitigates,0 +2152,,T1498,Network Denial of Service,[],[],,CM-6,mitigates,0 +2153,,T1498.001,Direct Network 
Flood,[],[],,CM-6,mitigates,0 +2154,,T1498.002,Reflection Amplification,[],[],,CM-6,mitigates,0 +2155,,T1499,Endpoint Denial of Service,[],[],,CM-6,mitigates,0 +2156,,T1499.001,OS Exhaustion Flood,[],[],,CM-6,mitigates,0 +2157,,T1499.002,Service Exhaustion Flood,[],[],,CM-6,mitigates,0 +2158,,T1499.003,Application Exhaustion Flood,[],[],,CM-6,mitigates,0 +2159,,T1499.004,Application or System Exploitation,[],[],,CM-6,mitigates,0 +2160,,T1505,Server Software Component,[],[],,CM-6,mitigates,0 +2161,,T1505.001,SQL Stored Procedures,[],[],,CM-6,mitigates,0 +2162,,T1505.002,Transport Agent,[],[],,CM-6,mitigates,0 +2163,,T1505.003,Web Shell,[],[],,CM-6,mitigates,0 +2164,,T1505.004,IIS Components,[],[],,CM-6,mitigates,0 +2165,,T1525,Implant Internal Image,[],[],,CM-6,mitigates,0 +2166,,T1528,Steal Application Access Token,[],[],,CM-6,mitigates,0 +2167,,T1530,Data from Cloud Storage Object,[],[],,CM-6,mitigates,0 +2168,,T1537,Transfer Data to Cloud Account,[],[],,CM-6,mitigates,0 +2169,,T1539,Steal Web Session Cookie,[],[],,CM-6,mitigates,0 +2170,,T1542,Pre-OS Boot,[],[],,CM-6,mitigates,0 +2171,,T1542.001,System Firmware,[],[],,CM-6,mitigates,0 +2172,,T1542.003,Bootkit,[],[],,CM-6,mitigates,0 +2173,,T1542.004,ROMMONkit,[],[],,CM-6,mitigates,0 +2174,,T1542.005,TFTP Boot,[],[],,CM-6,mitigates,0 +2175,,T1543,Create or Modify System Process,[],[],,CM-6,mitigates,0 +2176,,T1543.002,Systemd Service,[],[],,CM-6,mitigates,0 +2177,,T1543.003,Windows Service,[],[],,CM-6,mitigates,0 +2178,,T1543.004,Launch Daemon,[],[],,CM-6,mitigates,0 +2179,,T1546,Event Triggered Execution,[],[],,CM-6,mitigates,0 +2180,,T1546.002,Screensaver,[],[],,CM-6,mitigates,0 +2181,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-6,mitigates,0 +2182,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-6,mitigates,0 +2183,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-6,mitigates,0 +2184,,T1546.008,Accessibility Features,[],[],,CM-6,mitigates,0 +2185,,T1546.013,PowerShell 
Profile,[],[],,CM-6,mitigates,0 +2186,,T1546.014,Emond,[],[],,CM-6,mitigates,0 +2187,,T1547.002,Authentication Package,[],[],,CM-6,mitigates,0 +2188,,T1547.003,Time Providers,[],[],,CM-6,mitigates,0 +2189,,T1547.005,Security Support Provider,[],[],,CM-6,mitigates,0 +2190,,T1547.006,Kernel Modules and Extensions,[],[],,CM-6,mitigates,0 +2191,,T1547.007,Re-opened Applications,[],[],,CM-6,mitigates,0 +2192,,T1547.008,LSASS Driver,[],[],,CM-6,mitigates,0 +2193,,T1547.011,Plist Modification,[],[],,CM-6,mitigates,0 +2194,,T1547.013,XDG Autostart Entries,[],[],,CM-6,mitigates,0 +2195,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-6,mitigates,0 +2196,,T1548.001,Setuid and Setgid,[],[],,CM-6,mitigates,0 +2197,,T1548.002,Bypass User Account Control,[],[],,CM-6,mitigates,0 +2198,,T1548.003,Sudo and Sudo Caching,[],[],,CM-6,mitigates,0 +2199,,T1548.004,Elevated Execution with Prompt,[],[],,CM-6,mitigates,0 +2200,,T1550,Use Alternate Authentication Material,[],[],,CM-6,mitigates,0 +2201,,T1550.001,Application Access Token,[],[],,CM-6,mitigates,0 +2202,,T1550.002,Pass the Hash,[],[],,CM-6,mitigates,0 +2203,,T1550.003,Pass the Ticket,[],[],,CM-6,mitigates,0 +2204,,T1552,Unsecured Credentials,[],[],,CM-6,mitigates,0 +2205,,T1552.001,Credentials In Files,[],[],,CM-6,mitigates,0 +2206,,T1552.002,Credentials in Registry,[],[],,CM-6,mitigates,0 +2207,,T1552.003,Bash History,[],[],,CM-6,mitigates,0 +2208,,T1552.004,Private Keys,[],[],,CM-6,mitigates,0 +2209,,T1552.005,Cloud Instance Metadata API,[],[],,CM-6,mitigates,0 +2210,,T1552.006,Group Policy Preferences,[],[],,CM-6,mitigates,0 +2211,,T1552.007,Container API,[],[],,CM-6,mitigates,0 +2212,,T1553,Subvert Trust Controls,[],[],,CM-6,mitigates,0 +2213,,T1553.001,Gatekeeper Bypass,[],[],,CM-6,mitigates,0 +2214,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-6,mitigates,0 +2215,,T1553.004,Install Root Certificate,[],[],,CM-6,mitigates,0 +2216,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-6,mitigates,0 +2217,,T1553.006,Code 
Signing Policy Modification,[],[],,CM-6,mitigates,0 +2218,,T1554,Compromise Client Software Binary,[],[],,CM-6,mitigates,0 +2219,,T1555.004,Windows Credential Manager,[],[],,CM-6,mitigates,0 +2220,,T1555.005,Password Managers,[],[],,CM-6,mitigates,0 +2221,,T1556,Modify Authentication Process,[],[],,CM-6,mitigates,0 +2222,,T1556.001,Domain Controller Authentication,[],[],,CM-6,mitigates,0 +2223,,T1556.002,Password Filter DLL,[],[],,CM-6,mitigates,0 +2224,,T1556.003,Pluggable Authentication Modules,[],[],,CM-6,mitigates,0 +2225,,T1556.004,Network Device Authentication,[],[],,CM-6,mitigates,0 +2226,,T1557,Adversary-in-the-Middle,[],[],,CM-6,mitigates,0 +2227,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-6,mitigates,0 +2228,,T1557.002,ARP Cache Poisoning,[],[],,CM-6,mitigates,0 +2229,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-6,mitigates,0 +2230,,T1558.001,Golden Ticket,[],[],,CM-6,mitigates,0 +2231,,T1558.002,Silver Ticket,[],[],,CM-6,mitigates,0 +2232,,T1558.003,Kerberoasting,[],[],,CM-6,mitigates,0 +2233,,T1558.004,AS-REP Roasting,[],[],,CM-6,mitigates,0 +2234,,T1559,Inter-Process Communication,[],[],,CM-6,mitigates,0 +2235,,T1559.001,Component Object Model,[],[],,CM-6,mitigates,0 +2236,,T1559.002,Dynamic Data Exchange,[],[],,CM-6,mitigates,0 +2237,,T1562,Impair Defenses,[],[],,CM-6,mitigates,0 +2238,,T1562.001,Disable or Modify Tools,[],[],,CM-6,mitigates,0 +2239,,T1562.002,Disable Windows Event Logging,[],[],,CM-6,mitigates,0 +2240,,T1562.003,Impair Command History Logging,[],[],,CM-6,mitigates,0 +2241,,T1562.004,Disable or Modify System Firewall,[],[],,CM-6,mitigates,0 +2242,,T1562.006,Indicator Blocking,[],[],,CM-6,mitigates,0 +2243,,T1562.009,Safe Mode Boot,[],[],,CM-6,mitigates,0 +2244,,T1562.010,Downgrade Attack,[],[],,CM-6,mitigates,0 +2245,,T1563,Remote Service Session Hijacking,[],[],,CM-6,mitigates,0 +2246,,T1563.001,SSH Hijacking,[],[],,CM-6,mitigates,0 +2247,,T1563.002,RDP Hijacking,[],[],,CM-6,mitigates,0 +2248,,T1564.002,Hidden 
Users,[],[],,CM-6,mitigates,0 +2249,,T1564.006,Run Virtual Instance,[],[],,CM-6,mitigates,0 +2250,,T1564.007,VBA Stomping,[],[],,CM-6,mitigates,0 +2251,,T1564.009,Resource Forking,[],[],,CM-6,mitigates,0 +2252,,T1565,Data Manipulation,[],[],,CM-6,mitigates,0 +2253,,T1565.001,Stored Data Manipulation,[],[],,CM-6,mitigates,0 +2254,,T1565.002,Transmitted Data Manipulation,[],[],,CM-6,mitigates,0 +2255,,T1565.003,Runtime Data Manipulation,[],[],,CM-6,mitigates,0 +2256,,T1566,Phishing,[],[],,CM-6,mitigates,0 +2257,,T1566.001,Spearphishing Attachment,[],[],,CM-6,mitigates,0 +2258,,T1566.002,Spearphishing Link,[],[],,CM-6,mitigates,0 +2259,,T1569,System Services,[],[],,CM-6,mitigates,0 +2260,,T1569.002,Service Execution,[],[],,CM-6,mitigates,0 +2261,,T1570,Lateral Tool Transfer,[],[],,CM-6,mitigates,0 +2262,,T1571,Non-Standard Port,[],[],,CM-6,mitigates,0 +2263,,T1572,Protocol Tunneling,[],[],,CM-6,mitigates,0 +2264,,T1573,Encrypted Channel,[],[],,CM-6,mitigates,0 +2265,,T1573.001,Symmetric Cryptography,[],[],,CM-6,mitigates,0 +2266,,T1573.002,Asymmetric Cryptography,[],[],,CM-6,mitigates,0 +2267,,T1574,Hijack Execution Flow,[],[],,CM-6,mitigates,0 +2268,,T1574.001,DLL Search Order Hijacking,[],[],,CM-6,mitigates,0 +2269,,T1574.004,Dylib Hijacking,[],[],,CM-6,mitigates,0 +2270,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-6,mitigates,0 +2271,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-6,mitigates,0 +2272,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-6,mitigates,0 +2273,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-6,mitigates,0 +2274,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-6,mitigates,0 +2275,,T1574.010,Services File Permissions Weakness,[],[],,CM-6,mitigates,0 +2276,,T1598,Phishing for Information,[],[],,CM-6,mitigates,0 +2277,,T1598.002,Spearphishing Attachment,[],[],,CM-6,mitigates,0 +2278,,T1598.003,Spearphishing Link,[],[],,CM-6,mitigates,0 +2279,,T1599,Network Boundary 
Bridging,[],[],,CM-6,mitigates,0 +2280,,T1599.001,Network Address Translation Traversal,[],[],,CM-6,mitigates,0 +2281,,T1601,Modify System Image,[],[],,CM-6,mitigates,0 +2282,,T1601.001,Patch System Image,[],[],,CM-6,mitigates,0 +2283,,T1601.002,Downgrade System Image,[],[],,CM-6,mitigates,0 +2284,,T1602,Data from Configuration Repository,[],[],,CM-6,mitigates,0 +2285,,T1602.001,SNMP (MIB Dump),[],[],,CM-6,mitigates,0 +2286,,T1602.002,Network Device Configuration Dump,[],[],,CM-6,mitigates,0 +2287,,T1609,Container Administration Command,[],[],,CM-6,mitigates,0 +2288,,T1610,Deploy Container,[],[],,CM-6,mitigates,0 +2289,,T1611,Escape to Host,[],[],,CM-6,mitigates,0 +2290,,T1612,Build Image on Host,[],[],,CM-6,mitigates,0 +2291,,T1613,Container and Resource Discovery,[],[],,CM-6,mitigates,0 +2292,,T1003,OS Credential Dumping,[],[],,CM-7,mitigates,0 +2293,,T1003.001,LSASS Memory,[],[],,CM-7,mitigates,0 +2294,,T1003.002,Security Account Manager,[],[],,CM-7,mitigates,0 +2295,,T1003.005,Cached Domain Credentials,[],[],,CM-7,mitigates,0 +2296,,T1008,Fallback Channels,[],[],,CM-7,mitigates,0 +2297,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-7,mitigates,0 +2298,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-7,mitigates,0 +2299,,T1021.001,Remote Desktop Protocol,[],[],,CM-7,mitigates,0 +2300,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-7,mitigates,0 +2301,,T1021.003,Distributed Component Object Model,[],[],,CM-7,mitigates,0 +2302,,T1021.005,VNC,[],[],,CM-7,mitigates,0 +2303,,T1021.006,Windows Remote Management,[],[],,CM-7,mitigates,0 +2304,,T1036,Masquerading,[],[],,CM-7,mitigates,0 +2305,,T1036.005,Match Legitimate Name or Location,[],[],,CM-7,mitigates,0 +2306,,T1036.007,Double File Extension,[],[],,CM-7,mitigates,0 +2307,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-7,mitigates,0 +2308,,T1037.001,Logon Script (Windows),[],[],,CM-7,mitigates,0 +2309,,T1046,Network Service Scanning,[],[],,CM-7,mitigates,0 +2310,,T1047,Windows Management 
Instrumentation,[],[],,CM-7,mitigates,0 +2311,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-7,mitigates,0 +2312,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,0 +2313,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,0 +2314,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-7,mitigates,0 +2315,,T1052,Exfiltration Over Physical Medium,[],[],,CM-7,mitigates,0 +2316,,T1052.001,Exfiltration over USB,[],[],,CM-7,mitigates,0 +2317,,T1053,Scheduled Task/Job,[],[],,CM-7,mitigates,0 +2318,,T1053.002,At (Windows),[],[],,CM-7,mitigates,0 +2319,,T1053.005,Scheduled Task,[],[],,CM-7,mitigates,0 +2320,,T1059,Command and Scripting Interpreter,[],[],,CM-7,mitigates,0 +2321,,T1059.001,PowerShell,[],[],,CM-7,mitigates,0 +2322,,T1059.002,AppleScript,[],[],,CM-7,mitigates,0 +2323,,T1059.003,Windows Command Shell,[],[],,CM-7,mitigates,0 +2324,,T1059.004,Unix Shell,[],[],,CM-7,mitigates,0 +2325,,T1059.005,Visual Basic,[],[],,CM-7,mitigates,0 +2326,,T1059.006,Python,[],[],,CM-7,mitigates,0 +2327,,T1059.007,JavaScript,[],[],,CM-7,mitigates,0 +2328,,T1059.008,Network Device CLI,[],[],,CM-7,mitigates,0 +2329,,T1068,Exploitation for Privilege Escalation,[],[],,CM-7,mitigates,0 +2330,,T1071,Application Layer Protocol,[],[],,CM-7,mitigates,0 +2331,,T1071.001,Web Protocols,[],[],,CM-7,mitigates,0 +2332,,T1071.002,File Transfer Protocols,[],[],,CM-7,mitigates,0 +2333,,T1071.003,Mail Protocols,[],[],,CM-7,mitigates,0 +2334,,T1071.004,DNS,[],[],,CM-7,mitigates,0 +2335,,T1072,Software Deployment Tools,[],[],,CM-7,mitigates,0 +2336,,T1080,Taint Shared Content,[],[],,CM-7,mitigates,0 +2337,,T1087,Account Discovery,[],[],,CM-7,mitigates,0 +2338,,T1087.001,Local Account,[],[],,CM-7,mitigates,0 +2339,,T1087.002,Domain Account,[],[],,CM-7,mitigates,0 +2340,,T1090,Proxy,[],[],,CM-7,mitigates,0 +2341,,T1090.001,Internal Proxy,[],[],,CM-7,mitigates,0 +2342,,T1090.002,External 
Proxy,[],[],,CM-7,mitigates,0 +2343,,T1090.003,Multi-hop Proxy,[],[],,CM-7,mitigates,0 +2344,,T1092,Communication Through Removable Media,[],[],,CM-7,mitigates,0 +2345,,T1095,Non-Application Layer Protocol,[],[],,CM-7,mitigates,0 +2346,,T1098,Account Manipulation,[],[],,CM-7,mitigates,0 +2347,,T1098.001,Additional Cloud Credentials,[],[],,CM-7,mitigates,0 +2348,,T1098.004,SSH Authorized Keys,[],[],,CM-7,mitigates,0 +2349,,T1102,Web Service,[],[],,CM-7,mitigates,0 +2350,,T1102.001,Dead Drop Resolver,[],[],,CM-7,mitigates,0 +2351,,T1102.002,Bidirectional Communication,[],[],,CM-7,mitigates,0 +2352,,T1102.003,One-Way Communication,[],[],,CM-7,mitigates,0 +2353,,T1104,Multi-Stage Channels,[],[],,CM-7,mitigates,0 +2354,,T1105,Ingress Tool Transfer,[],[],,CM-7,mitigates,0 +2355,,T1106,Native API,[],[],,CM-7,mitigates,0 +2356,,T1112,Modify Registry,[],[],,CM-7,mitigates,0 +2357,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-7,mitigates,0 +2358,,T1129,Shared Modules,[],[],,CM-7,mitigates,0 +2359,,T1133,External Remote Services,[],[],,CM-7,mitigates,0 +2360,,T1135,Network Share Discovery,[],[],,CM-7,mitigates,0 +2361,,T1136,Create Account,[],[],,CM-7,mitigates,0 +2362,,T1136.002,Domain Account,[],[],,CM-7,mitigates,0 +2363,,T1136.003,Cloud Account,[],[],,CM-7,mitigates,0 +2364,,T1176,Browser Extensions,[],[],,CM-7,mitigates,0 +2365,,T1187,Forced Authentication,[],[],,CM-7,mitigates,0 +2366,,T1190,Exploit Public-Facing Application,[],[],,CM-7,mitigates,0 +2367,,T1195,Supply Chain Compromise,[],[],,CM-7,mitigates,0 +2368,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-7,mitigates,0 +2369,,T1195.002,Compromise Software Supply Chain,[],[],,CM-7,mitigates,0 +2370,,T1197,BITS Jobs,[],[],,CM-7,mitigates,0 +2371,,T1199,Trusted Relationship,[],[],,CM-7,mitigates,0 +2372,,T1204,User Execution,[],[],,CM-7,mitigates,0 +2373,,T1204.001,Malicious Link,[],[],,CM-7,mitigates,0 +2374,,T1204.002,Malicious File,[],[],,CM-7,mitigates,0 
+2375,,T1204.003,Malicious Image,[],[],,CM-7,mitigates,0 +2376,,T1205,Traffic Signaling,[],[],,CM-7,mitigates,0 +2377,,T1205.001,Port Knocking,[],[],,CM-7,mitigates,0 +2378,,T1210,Exploitation of Remote Services,[],[],,CM-7,mitigates,0 +2379,,T1213,Data from Information Repositories,[],[],,CM-7,mitigates,0 +2380,,T1213.001,Confluence,[],[],,CM-7,mitigates,0 +2381,,T1213.002,Sharepoint,[],[],,CM-7,mitigates,0 +2382,,T1216,Signed Script Proxy Execution,[],[],,CM-7,mitigates,0 +2383,,T1216.001,PubPrn,[],[],,CM-7,mitigates,0 +2384,,T1218,Signed Binary Proxy Execution,[],[],,CM-7,mitigates,0 +2385,,T1218.001,Compiled HTML File,[],[],,CM-7,mitigates,0 +2386,,T1218.002,Control Panel,[],[],,CM-7,mitigates,0 +2387,,T1218.003,CMSTP,[],[],,CM-7,mitigates,0 +2388,,T1218.004,InstallUtil,[],[],,CM-7,mitigates,0 +2389,,T1218.005,Mshta,[],[],,CM-7,mitigates,0 +2390,,T1218.007,Msiexec,[],[],,CM-7,mitigates,0 +2391,,T1218.008,Odbcconf,[],[],,CM-7,mitigates,0 +2392,,T1218.009,Regsvcs/Regasm,[],[],,CM-7,mitigates,0 +2393,,T1218.012,Verclsid,[],[],,CM-7,mitigates,0 +2394,,T1218.013,Mavinject,[],[],,CM-7,mitigates,0 +2395,,T1218.014,MMC,[],[],,CM-7,mitigates,0 +2396,,T1219,Remote Access Software,[],[],,CM-7,mitigates,0 +2397,,T1220,XSL Script Processing,[],[],,CM-7,mitigates,0 +2398,,T1221,Template Injection,[],[],,CM-7,mitigates,0 +2399,,T1482,Domain Trust Discovery,[],[],,CM-7,mitigates,0 +2400,,T1484,Domain Policy Modification,[],[],,CM-7,mitigates,0 +2401,,T1489,Service Stop,[],[],,CM-7,mitigates,0 +2402,,T1490,Inhibit System Recovery,[],[],,CM-7,mitigates,0 +2403,,T1498,Network Denial of Service,[],[],,CM-7,mitigates,0 +2404,,T1498.001,Direct Network Flood,[],[],,CM-7,mitigates,0 +2405,,T1498.002,Reflection Amplification,[],[],,CM-7,mitigates,0 +2406,,T1499,Endpoint Denial of Service,[],[],,CM-7,mitigates,0 +2407,,T1499.001,OS Exhaustion Flood,[],[],,CM-7,mitigates,0 +2408,,T1499.002,Service Exhaustion Flood,[],[],,CM-7,mitigates,0 +2409,,T1499.003,Application Exhaustion 
Flood,[],[],,CM-7,mitigates,0 +2410,,T1499.004,Application or System Exploitation,[],[],,CM-7,mitigates,0 +2411,,T1505.004,IIS Components,[],[],,CM-7,mitigates,0 +2412,,T1525,Implant Internal Image,[],[],,CM-7,mitigates,0 +2413,,T1530,Data from Cloud Storage Object,[],[],,CM-7,mitigates,0 +2414,,T1537,Transfer Data to Cloud Account,[],[],,CM-7,mitigates,0 +2415,,T1542.004,ROMMONkit,[],[],,CM-7,mitigates,0 +2416,,T1542.005,TFTP Boot,[],[],,CM-7,mitigates,0 +2417,,T1543,Create or Modify System Process,[],[],,CM-7,mitigates,0 +2418,,T1543.003,Windows Service,[],[],,CM-7,mitigates,0 +2419,,T1543.004,Launch Daemon,[],[],,CM-7,mitigates,0 +2420,,T1546.002,Screensaver,[],[],,CM-7,mitigates,0 +2421,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-7,mitigates,0 +2422,,T1546.008,Accessibility Features,[],[],,CM-7,mitigates,0 +2423,,T1546.009,AppCert DLLs,[],[],,CM-7,mitigates,0 +2424,,T1547.004,Winlogon Helper DLL,[],[],,CM-7,mitigates,0 +2425,,T1547.006,Kernel Modules and Extensions,[],[],,CM-7,mitigates,0 +2426,,T1547.007,Re-opened Applications,[],[],,CM-7,mitigates,0 +2427,,T1547.011,Plist Modification,[],[],,CM-7,mitigates,0 +2428,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-7,mitigates,0 +2429,,T1548.001,Setuid and Setgid,[],[],,CM-7,mitigates,0 +2430,,T1548.003,Sudo and Sudo Caching,[],[],,CM-7,mitigates,0 +2431,,T1548.004,Elevated Execution with Prompt,[],[],,CM-7,mitigates,0 +2432,,T1552,Unsecured Credentials,[],[],,CM-7,mitigates,0 +2433,,T1552.003,Bash History,[],[],,CM-7,mitigates,0 +2434,,T1552.005,Cloud Instance Metadata API,[],[],,CM-7,mitigates,0 +2435,,T1552.007,Container API,[],[],,CM-7,mitigates,0 +2436,,T1553,Subvert Trust Controls,[],[],,CM-7,mitigates,0 +2437,,T1553.001,Gatekeeper Bypass,[],[],,CM-7,mitigates,0 +2438,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-7,mitigates,0 +2439,,T1553.004,Install Root Certificate,[],[],,CM-7,mitigates,0 +2440,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-7,mitigates,0 +2441,,T1553.006,Code Signing Policy 
Modification,[],[],,CM-7,mitigates,0 +2442,,T1555.004,Windows Credential Manager,[],[],,CM-7,mitigates,0 +2443,,T1556,Modify Authentication Process,[],[],,CM-7,mitigates,0 +2444,,T1556.002,Password Filter DLL,[],[],,CM-7,mitigates,0 +2445,,T1557,Adversary-in-the-Middle,[],[],,CM-7,mitigates,0 +2446,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-7,mitigates,0 +2447,,T1557.002,ARP Cache Poisoning,[],[],,CM-7,mitigates,0 +2448,,T1559,Inter-Process Communication,[],[],,CM-7,mitigates,0 +2449,,T1559.002,Dynamic Data Exchange,[],[],,CM-7,mitigates,0 +2450,,T1562,Impair Defenses,[],[],,CM-7,mitigates,0 +2451,,T1562.001,Disable or Modify Tools,[],[],,CM-7,mitigates,0 +2452,,T1562.002,Disable Windows Event Logging,[],[],,CM-7,mitigates,0 +2453,,T1562.003,Impair Command History Logging,[],[],,CM-7,mitigates,0 +2454,,T1562.004,Disable or Modify System Firewall,[],[],,CM-7,mitigates,0 +2455,,T1562.006,Indicator Blocking,[],[],,CM-7,mitigates,0 +2456,,T1562.009,Safe Mode Boot,[],[],,CM-7,mitigates,0 +2457,,T1563,Remote Service Session Hijacking,[],[],,CM-7,mitigates,0 +2458,,T1563.001,SSH Hijacking,[],[],,CM-7,mitigates,0 +2459,,T1563.002,RDP Hijacking,[],[],,CM-7,mitigates,0 +2460,,T1564.002,Hidden Users,[],[],,CM-7,mitigates,0 +2461,,T1564.003,Hidden Window,[],[],,CM-7,mitigates,0 +2462,,T1564.006,Run Virtual Instance,[],[],,CM-7,mitigates,0 +2463,,T1564.008,Email Hiding Rules,[],[],,CM-7,mitigates,0 +2464,,T1564.009,Resource Forking,[],[],,CM-7,mitigates,0 +2465,,T1565,Data Manipulation,[],[],,CM-7,mitigates,0 +2466,,T1565.003,Runtime Data Manipulation,[],[],,CM-7,mitigates,0 +2467,,T1569,System Services,[],[],,CM-7,mitigates,0 +2468,,T1569.002,Service Execution,[],[],,CM-7,mitigates,0 +2469,,T1570,Lateral Tool Transfer,[],[],,CM-7,mitigates,0 +2470,,T1571,Non-Standard Port,[],[],,CM-7,mitigates,0 +2471,,T1572,Protocol Tunneling,[],[],,CM-7,mitigates,0 +2472,,T1573,Encrypted Channel,[],[],,CM-7,mitigates,0 +2473,,T1573.001,Symmetric 
Cryptography,[],[],,CM-7,mitigates,0 +2474,,T1573.002,Asymmetric Cryptography,[],[],,CM-7,mitigates,0 +2475,,T1574,Hijack Execution Flow,[],[],,CM-7,mitigates,0 +2476,,T1574.001,DLL Search Order Hijacking,[],[],,CM-7,mitigates,0 +2477,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-7,mitigates,0 +2478,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-7,mitigates,0 +2479,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-7,mitigates,0 +2480,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-7,mitigates,0 +2481,,T1574.012,COR_PROFILER,[],[],,CM-7,mitigates,0 +2482,,T1599,Network Boundary Bridging,[],[],,CM-7,mitigates,0 +2483,,T1599.001,Network Address Translation Traversal,[],[],,CM-7,mitigates,0 +2484,,T1601,Modify System Image,[],[],,CM-7,mitigates,0 +2485,,T1601.001,Patch System Image,[],[],,CM-7,mitigates,0 +2486,,T1601.002,Downgrade System Image,[],[],,CM-7,mitigates,0 +2487,,T1602,Data from Configuration Repository,[],[],,CM-7,mitigates,0 +2488,,T1602.001,SNMP (MIB Dump),[],[],,CM-7,mitigates,0 +2489,,T1602.002,Network Device Configuration Dump,[],[],,CM-7,mitigates,0 +2490,,T1609,Container Administration Command,[],[],,CM-7,mitigates,0 +2491,,T1610,Deploy Container,[],[],,CM-7,mitigates,0 +2492,,T1611,Escape to Host,[],[],,CM-7,mitigates,0 +2493,,T1612,Build Image on Host,[],[],,CM-7,mitigates,0 +2494,,T1613,Container and Resource Discovery,[],[],,CM-7,mitigates,0 +2495,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-8,mitigates,0 +2496,,T1020.001,Traffic Duplication,[],[],,CM-8,mitigates,0 +2497,,T1021.001,Remote Desktop Protocol,[],[],,CM-8,mitigates,0 +2498,,T1021.003,Distributed Component Object Model,[],[],,CM-8,mitigates,0 +2499,,T1021.004,SSH,[],[],,CM-8,mitigates,0 +2500,,T1021.005,VNC,[],[],,CM-8,mitigates,0 +2501,,T1021.006,Windows Remote Management,[],[],,CM-8,mitigates,0 +2502,,T1046,Network Service Scanning,[],[],,CM-8,mitigates,0 +2503,,T1052,Exfiltration Over Physical Medium,[],[],,CM-8,mitigates,0 
+2504,,T1052.001,Exfiltration over USB,[],[],,CM-8,mitigates,0 +2505,,T1053,Scheduled Task/Job,[],[],,CM-8,mitigates,0 +2506,,T1053.002,At (Windows),[],[],,CM-8,mitigates,0 +2507,,T1053.005,Scheduled Task,[],[],,CM-8,mitigates,0 +2508,,T1059,Command and Scripting Interpreter,[],[],,CM-8,mitigates,0 +2509,,T1059.001,PowerShell,[],[],,CM-8,mitigates,0 +2510,,T1059.005,Visual Basic,[],[],,CM-8,mitigates,0 +2511,,T1059.007,JavaScript,[],[],,CM-8,mitigates,0 +2512,,T1068,Exploitation for Privilege Escalation,[],[],,CM-8,mitigates,0 +2513,,T1072,Software Deployment Tools,[],[],,CM-8,mitigates,0 +2514,,T1091,Replication Through Removable Media,[],[],,CM-8,mitigates,0 +2515,,T1092,Communication Through Removable Media,[],[],,CM-8,mitigates,0 +2516,,T1098.004,SSH Authorized Keys,[],[],,CM-8,mitigates,0 +2517,,T1119,Automated Collection,[],[],,CM-8,mitigates,0 +2518,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-8,mitigates,0 +2519,,T1127.001,MSBuild,[],[],,CM-8,mitigates,0 +2520,,T1133,External Remote Services,[],[],,CM-8,mitigates,0 +2521,,T1137,Office Application Startup,[],[],,CM-8,mitigates,0 +2522,,T1137.001,Office Template Macros,[],[],,CM-8,mitigates,0 +2523,,T1189,Drive-by Compromise,[],[],,CM-8,mitigates,0 +2524,,T1190,Exploit Public-Facing Application,[],[],,CM-8,mitigates,0 +2525,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-8,mitigates,0 +2526,,T1203,Exploitation for Client Execution,[],[],,CM-8,mitigates,0 +2527,,T1210,Exploitation of Remote Services,[],[],,CM-8,mitigates,0 +2528,,T1211,Exploitation for Defense Evasion,[],[],,CM-8,mitigates,0 +2529,,T1212,Exploitation for Credential Access,[],[],,CM-8,mitigates,0 +2530,,T1213,Data from Information Repositories,[],[],,CM-8,mitigates,0 +2531,,T1213.001,Confluence,[],[],,CM-8,mitigates,0 +2532,,T1213.002,Sharepoint,[],[],,CM-8,mitigates,0 +2533,,T1218,Signed Binary Proxy Execution,[],[],,CM-8,mitigates,0 +2534,,T1218.003,CMSTP,[],[],,CM-8,mitigates,0 
+2535,,T1218.004,InstallUtil,[],[],,CM-8,mitigates,0 +2536,,T1218.005,Mshta,[],[],,CM-8,mitigates,0 +2537,,T1218.008,Odbcconf,[],[],,CM-8,mitigates,0 +2538,,T1218.009,Regsvcs/Regasm,[],[],,CM-8,mitigates,0 +2539,,T1218.012,Verclsid,[],[],,CM-8,mitigates,0 +2540,,T1218.013,Mavinject,[],[],,CM-8,mitigates,0 +2541,,T1218.014,MMC,[],[],,CM-8,mitigates,0 +2542,,T1221,Template Injection,[],[],,CM-8,mitigates,0 +2543,,T1495,Firmware Corruption,[],[],,CM-8,mitigates,0 +2544,,T1505,Server Software Component,[],[],,CM-8,mitigates,0 +2545,,T1505.001,SQL Stored Procedures,[],[],,CM-8,mitigates,0 +2546,,T1505.002,Transport Agent,[],[],,CM-8,mitigates,0 +2547,,T1505.004,IIS Components,[],[],,CM-8,mitigates,0 +2548,,T1530,Data from Cloud Storage Object,[],[],,CM-8,mitigates,0 +2549,,T1542,Pre-OS Boot,[],[],,CM-8,mitigates,0 +2550,,T1542.001,System Firmware,[],[],,CM-8,mitigates,0 +2551,,T1542.003,Bootkit,[],[],,CM-8,mitigates,0 +2552,,T1542.004,ROMMONkit,[],[],,CM-8,mitigates,0 +2553,,T1542.005,TFTP Boot,[],[],,CM-8,mitigates,0 +2554,,T1546.002,Screensaver,[],[],,CM-8,mitigates,0 +2555,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-8,mitigates,0 +2556,,T1546.014,Emond,[],[],,CM-8,mitigates,0 +2557,,T1547.007,Re-opened Applications,[],[],,CM-8,mitigates,0 +2558,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-8,mitigates,0 +2559,,T1548.004,Elevated Execution with Prompt,[],[],,CM-8,mitigates,0 +2560,,T1553,Subvert Trust Controls,[],[],,CM-8,mitigates,0 +2561,,T1553.006,Code Signing Policy Modification,[],[],,CM-8,mitigates,0 +2562,,T1557,Adversary-in-the-Middle,[],[],,CM-8,mitigates,0 +2563,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-8,mitigates,0 +2564,,T1557.002,ARP Cache Poisoning,[],[],,CM-8,mitigates,0 +2565,,T1559,Inter-Process Communication,[],[],,CM-8,mitigates,0 +2566,,T1559.002,Dynamic Data Exchange,[],[],,CM-8,mitigates,0 +2567,,T1563,Remote Service Session Hijacking,[],[],,CM-8,mitigates,0 +2568,,T1563.001,SSH Hijacking,[],[],,CM-8,mitigates,0 
+2569,,T1563.002,RDP Hijacking,[],[],,CM-8,mitigates,0 +2570,,T1564.006,Run Virtual Instance,[],[],,CM-8,mitigates,0 +2571,,T1564.007,VBA Stomping,[],[],,CM-8,mitigates,0 +2572,,T1565,Data Manipulation,[],[],,CM-8,mitigates,0 +2573,,T1565.001,Stored Data Manipulation,[],[],,CM-8,mitigates,0 +2574,,T1565.002,Transmitted Data Manipulation,[],[],,CM-8,mitigates,0 +2575,,T1574,Hijack Execution Flow,[],[],,CM-8,mitigates,0 +2576,,T1574.004,Dylib Hijacking,[],[],,CM-8,mitigates,0 +2577,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-8,mitigates,0 +2578,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-8,mitigates,0 +2579,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-8,mitigates,0 +2580,,T1601,Modify System Image,[],[],,CM-8,mitigates,0 +2581,,T1601.001,Patch System Image,[],[],,CM-8,mitigates,0 +2582,,T1601.002,Downgrade System Image,[],[],,CM-8,mitigates,0 +2583,,T1602,Data from Configuration Repository,[],[],,CM-8,mitigates,0 +2584,,T1602.001,SNMP (MIB Dump),[],[],,CM-8,mitigates,0 +2585,,T1602.002,Network Device Configuration Dump,[],[],,CM-8,mitigates,0 +2586,,T1485,Data Destruction,[],[],,CP-10,mitigates,0 +2587,,T1486,Data Encrypted for Impact,[],[],,CP-10,mitigates,0 +2588,,T1490,Inhibit System Recovery,[],[],,CP-10,mitigates,0 +2589,,T1491,Defacement,[],[],,CP-10,mitigates,0 +2590,,T1491.001,Internal Defacement,[],[],,CP-10,mitigates,0 +2591,,T1491.002,External Defacement,[],[],,CP-10,mitigates,0 +2592,,T1561,Disk Wipe,[],[],,CP-10,mitigates,0 +2593,,T1561.001,Disk Content Wipe,[],[],,CP-10,mitigates,0 +2594,,T1561.002,Disk Structure Wipe,[],[],,CP-10,mitigates,0 +2595,,T1565,Data Manipulation,[],[],,CP-10,mitigates,0 +2596,,T1565.001,Stored Data Manipulation,[],[],,CP-10,mitigates,0 +2597,,T1485,Data Destruction,[],[],,CP-2,mitigates,0 +2598,,T1486,Data Encrypted for Impact,[],[],,CP-2,mitigates,0 +2599,,T1490,Inhibit System Recovery,[],[],,CP-2,mitigates,0 +2600,,T1491,Defacement,[],[],,CP-2,mitigates,0 
+2601,,T1491.001,Internal Defacement,[],[],,CP-2,mitigates,0 +2602,,T1491.002,External Defacement,[],[],,CP-2,mitigates,0 +2603,,T1561,Disk Wipe,[],[],,CP-2,mitigates,0 +2604,,T1561.001,Disk Content Wipe,[],[],,CP-2,mitigates,0 +2605,,T1561.002,Disk Structure Wipe,[],[],,CP-2,mitigates,0 +2606,,T1070,Indicator Removal on Host,[],[],,CP-6,mitigates,0 +2607,,T1070.001,Clear Windows Event Logs,[],[],,CP-6,mitigates,0 +2608,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-6,mitigates,0 +2609,,T1119,Automated Collection,[],[],,CP-6,mitigates,0 +2610,,T1486,Data Encrypted for Impact,[],[],,CP-6,mitigates,0 +2611,,T1565,Data Manipulation,[],[],,CP-6,mitigates,0 +2612,,T1565.001,Stored Data Manipulation,[],[],,CP-6,mitigates,0 +2613,,T1070,Indicator Removal on Host,[],[],,CP-7,mitigates,0 +2614,,T1070.001,Clear Windows Event Logs,[],[],,CP-7,mitigates,0 +2615,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-7,mitigates,0 +2616,,T1119,Automated Collection,[],[],,CP-7,mitigates,0 +2617,,T1485,Data Destruction,[],[],,CP-7,mitigates,0 +2618,,T1486,Data Encrypted for Impact,[],[],,CP-7,mitigates,0 +2619,,T1490,Inhibit System Recovery,[],[],,CP-7,mitigates,0 +2620,,T1491,Defacement,[],[],,CP-7,mitigates,0 +2621,,T1491.001,Internal Defacement,[],[],,CP-7,mitigates,0 +2622,,T1491.002,External Defacement,[],[],,CP-7,mitigates,0 +2623,,T1561,Disk Wipe,[],[],,CP-7,mitigates,0 +2624,,T1561.001,Disk Content Wipe,[],[],,CP-7,mitigates,0 +2625,,T1561.002,Disk Structure Wipe,[],[],,CP-7,mitigates,0 +2626,,T1565,Data Manipulation,[],[],,CP-7,mitigates,0 +2627,,T1565.001,Stored Data Manipulation,[],[],,CP-7,mitigates,0 +2628,,T1003,OS Credential Dumping,[],[],,CP-9,mitigates,0 +2629,,T1003.003,NTDS,[],[],,CP-9,mitigates,0 +2630,,T1005,Data from Local System,[],[],,CP-9,mitigates,0 +2631,,T1025,Data from Removable Media,[],[],,CP-9,mitigates,0 +2632,,T1070,Indicator Removal on Host,[],[],,CP-9,mitigates,0 +2633,,T1070.001,Clear Windows Event Logs,[],[],,CP-9,mitigates,0 
+2634,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-9,mitigates,0 +2635,,T1119,Automated Collection,[],[],,CP-9,mitigates,0 +2636,,T1485,Data Destruction,[],[],,CP-9,mitigates,0 +2637,,T1486,Data Encrypted for Impact,[],[],,CP-9,mitigates,0 +2638,,T1490,Inhibit System Recovery,[],[],,CP-9,mitigates,0 +2639,,T1491,Defacement,[],[],,CP-9,mitigates,0 +2640,,T1491.001,Internal Defacement,[],[],,CP-9,mitigates,0 +2641,,T1491.002,External Defacement,[],[],,CP-9,mitigates,0 +2642,,T1561,Disk Wipe,[],[],,CP-9,mitigates,0 +2643,,T1561.001,Disk Content Wipe,[],[],,CP-9,mitigates,0 +2644,,T1561.002,Disk Structure Wipe,[],[],,CP-9,mitigates,0 +2645,,T1565,Data Manipulation,[],[],,CP-9,mitigates,0 +2646,,T1565.001,Stored Data Manipulation,[],[],,CP-9,mitigates,0 +2647,,T1565.003,Runtime Data Manipulation,[],[],,CP-9,mitigates,0 +2648,,T1110,Brute Force,[],[],,IA-11,mitigates,0 +2649,,T1110.001,Password Guessing,[],[],,IA-11,mitigates,0 +2650,,T1110.002,Password Cracking,[],[],,IA-11,mitigates,0 +2651,,T1110.003,Password Spraying,[],[],,IA-11,mitigates,0 +2652,,T1110.004,Credential Stuffing,[],[],,IA-11,mitigates,0 +2653,,T1003,OS Credential Dumping,[],[],,IA-2,mitigates,0 +2654,,T1003.001,LSASS Memory,[],[],,IA-2,mitigates,0 +2655,,T1003.002,Security Account Manager,[],[],,IA-2,mitigates,0 +2656,,T1003.003,NTDS,[],[],,IA-2,mitigates,0 +2657,,T1003.004,LSA Secrets,[],[],,IA-2,mitigates,0 +2658,,T1003.005,Cached Domain Credentials,[],[],,IA-2,mitigates,0 +2659,,T1003.006,DCSync,[],[],,IA-2,mitigates,0 +2660,,T1003.007,Proc Filesystem,[],[],,IA-2,mitigates,0 +2661,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-2,mitigates,0 +2662,,T1021,Remote Services,[],[],,IA-2,mitigates,0 +2663,,T1021.001,Remote Desktop Protocol,[],[],,IA-2,mitigates,0 +2664,,T1021.002,SMB/Windows Admin Shares,[],[],,IA-2,mitigates,0 +2665,,T1021.003,Distributed Component Object Model,[],[],,IA-2,mitigates,0 +2666,,T1021.004,SSH,[],[],,IA-2,mitigates,0 +2667,,T1021.005,VNC,[],[],,IA-2,mitigates,0 
+2668,,T1021.006,Windows Remote Management,[],[],,IA-2,mitigates,0 +2669,,T1036.007,Double File Extension,[],[],,IA-2,mitigates,0 +2670,,T1040,Network Sniffing,[],[],,IA-2,mitigates,0 +2671,,T1047,Windows Management Instrumentation,[],[],,IA-2,mitigates,0 +2672,,T1053,Scheduled Task/Job,[],[],,IA-2,mitigates,0 +2673,,T1053.001,At (Linux),[],[],,IA-2,mitigates,0 +2674,,T1053.002,At (Windows),[],[],,IA-2,mitigates,0 +2675,,T1053.003,Cron,[],[],,IA-2,mitigates,0 +2676,,T1053.005,Scheduled Task,[],[],,IA-2,mitigates,0 +2677,,T1053.006,Systemd Timers,[],[],,IA-2,mitigates,0 +2678,,T1053.007,Container Orchestration Job,[],[],,IA-2,mitigates,0 +2679,,T1055,Process Injection,[],[],,IA-2,mitigates,0 +2680,,T1055.008,Ptrace System Calls,[],[],,IA-2,mitigates,0 +2681,,T1056.003,Web Portal Capture,[],[],,IA-2,mitigates,0 +2682,,T1059,Command and Scripting Interpreter,[],[],,IA-2,mitigates,0 +2683,,T1059.001,PowerShell,[],[],,IA-2,mitigates,0 +2684,,T1059.008,Network Device CLI,[],[],,IA-2,mitigates,0 +2685,,T1072,Software Deployment Tools,[],[],,IA-2,mitigates,0 +2686,,T1078,Valid Accounts,[],[],,IA-2,mitigates,0 +2687,,T1078.002,Domain Accounts,[],[],,IA-2,mitigates,0 +2688,,T1078.003,Local Accounts,[],[],,IA-2,mitigates,0 +2689,,T1078.004,Cloud Accounts,[],[],,IA-2,mitigates,0 +2690,,T1087.004,Cloud Account,[],[],,IA-2,mitigates,0 +2691,,T1098,Account Manipulation,[],[],,IA-2,mitigates,0 +2692,,T1098.001,Additional Cloud Credentials,[],[],,IA-2,mitigates,0 +2693,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-2,mitigates,0 +2694,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-2,mitigates,0 +2695,,T1110,Brute Force,[],[],,IA-2,mitigates,0 +2696,,T1110.001,Password Guessing,[],[],,IA-2,mitigates,0 +2697,,T1110.002,Password Cracking,[],[],,IA-2,mitigates,0 +2698,,T1110.003,Password Spraying,[],[],,IA-2,mitigates,0 +2699,,T1110.004,Credential Stuffing,[],[],,IA-2,mitigates,0 +2700,,T1111,Two-Factor Authentication Interception,[],[],,IA-2,mitigates,0 
+2701,,T1114,Email Collection,[],[],,IA-2,mitigates,0 +2702,,T1114.002,Remote Email Collection,[],[],,IA-2,mitigates,0 +2703,,T1133,External Remote Services,[],[],,IA-2,mitigates,0 +2704,,T1134,Access Token Manipulation,[],[],,IA-2,mitigates,0 +2705,,T1134.001,Token Impersonation/Theft,[],[],,IA-2,mitigates,0 +2706,,T1134.002,Create Process with Token,[],[],,IA-2,mitigates,0 +2707,,T1134.003,Make and Impersonate Token,[],[],,IA-2,mitigates,0 +2708,,T1136,Create Account,[],[],,IA-2,mitigates,0 +2709,,T1136.001,Local Account,[],[],,IA-2,mitigates,0 +2710,,T1136.002,Domain Account,[],[],,IA-2,mitigates,0 +2711,,T1136.003,Cloud Account,[],[],,IA-2,mitigates,0 +2712,,T1185,Browser Session Hijacking,[],[],,IA-2,mitigates,0 +2713,,T1190,Exploit Public-Facing Application,[],[],,IA-2,mitigates,0 +2714,,T1197,BITS Jobs,[],[],,IA-2,mitigates,0 +2715,,T1210,Exploitation of Remote Services,[],[],,IA-2,mitigates,0 +2716,,T1213,Data from Information Repositories,[],[],,IA-2,mitigates,0 +2717,,T1213.001,Confluence,[],[],,IA-2,mitigates,0 +2718,,T1213.002,Sharepoint,[],[],,IA-2,mitigates,0 +2719,,T1213.003,Code Repositories,[],[],,IA-2,mitigates,0 +2720,,T1218,Signed Binary Proxy Execution,[],[],,IA-2,mitigates,0 +2721,,T1218.007,Msiexec,[],[],,IA-2,mitigates,0 +2722,,T1222,File and Directory Permissions Modification,[],[],,IA-2,mitigates,0 +2723,,T1222.001,Windows File and Directory Permissions Modification,[],[],,IA-2,mitigates,0 +2724,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,IA-2,mitigates,0 +2725,,T1484,Domain Policy Modification,[],[],,IA-2,mitigates,0 +2726,,T1489,Service Stop,[],[],,IA-2,mitigates,0 +2727,,T1495,Firmware Corruption,[],[],,IA-2,mitigates,0 +2728,,T1505,Server Software Component,[],[],,IA-2,mitigates,0 +2729,,T1505.001,SQL Stored Procedures,[],[],,IA-2,mitigates,0 +2730,,T1505.002,Transport Agent,[],[],,IA-2,mitigates,0 +2731,,T1505.004,IIS Components,[],[],,IA-2,mitigates,0 +2732,,T1525,Implant Internal 
Image,[],[],,IA-2,mitigates,0 +2733,,T1528,Steal Application Access Token,[],[],,IA-2,mitigates,0 +2734,,T1530,Data from Cloud Storage Object,[],[],,IA-2,mitigates,0 +2735,,T1537,Transfer Data to Cloud Account,[],[],,IA-2,mitigates,0 +2736,,T1538,Cloud Service Dashboard,[],[],,IA-2,mitigates,0 +2737,,T1539,Steal Web Session Cookie,[],[],,IA-2,mitigates,0 +2738,,T1542,Pre-OS Boot,[],[],,IA-2,mitigates,0 +2739,,T1542.001,System Firmware,[],[],,IA-2,mitigates,0 +2740,,T1542.003,Bootkit,[],[],,IA-2,mitigates,0 +2741,,T1542.005,TFTP Boot,[],[],,IA-2,mitigates,0 +2742,,T1543,Create or Modify System Process,[],[],,IA-2,mitigates,0 +2743,,T1543.001,Launch Agent,[],[],,IA-2,mitigates,0 +2744,,T1543.002,Systemd Service,[],[],,IA-2,mitigates,0 +2745,,T1543.003,Windows Service,[],[],,IA-2,mitigates,0 +2746,,T1543.004,Launch Daemon,[],[],,IA-2,mitigates,0 +2747,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,IA-2,mitigates,0 +2748,,T1547.004,Winlogon Helper DLL,[],[],,IA-2,mitigates,0 +2749,,T1547.006,Kernel Modules and Extensions,[],[],,IA-2,mitigates,0 +2750,,T1547.009,Shortcut Modification,[],[],,IA-2,mitigates,0 +2751,,T1547.012,Print Processors,[],[],,IA-2,mitigates,0 +2752,,T1547.013,XDG Autostart Entries,[],[],,IA-2,mitigates,0 +2753,,T1548,Abuse Elevation Control Mechanism,[],[],,IA-2,mitigates,0 +2754,,T1548.002,Bypass User Account Control,[],[],,IA-2,mitigates,0 +2755,,T1548.003,Sudo and Sudo Caching,[],[],,IA-2,mitigates,0 +2756,,T1550,Use Alternate Authentication Material,[],[],,IA-2,mitigates,0 +2757,,T1550.001,Application Access Token,[],[],,IA-2,mitigates,0 +2758,,T1550.002,Pass the Hash,[],[],,IA-2,mitigates,0 +2759,,T1550.003,Pass the Ticket,[],[],,IA-2,mitigates,0 +2760,,T1552,Unsecured Credentials,[],[],,IA-2,mitigates,0 +2761,,T1552.001,Credentials In Files,[],[],,IA-2,mitigates,0 +2762,,T1552.002,Credentials in Registry,[],[],,IA-2,mitigates,0 +2763,,T1552.004,Private Keys,[],[],,IA-2,mitigates,0 +2764,,T1552.006,Group Policy 
Preferences,[],[],,IA-2,mitigates,0 +2765,,T1552.007,Container API,[],[],,IA-2,mitigates,0 +2766,,T1553,Subvert Trust Controls,[],[],,IA-2,mitigates,0 +2767,,T1553.006,Code Signing Policy Modification,[],[],,IA-2,mitigates,0 +2768,,T1555.005,Password Managers,[],[],,IA-2,mitigates,0 +2769,,T1556,Modify Authentication Process,[],[],,IA-2,mitigates,0 +2770,,T1556.001,Domain Controller Authentication,[],[],,IA-2,mitigates,0 +2771,,T1556.003,Pluggable Authentication Modules,[],[],,IA-2,mitigates,0 +2772,,T1556.004,Network Device Authentication,[],[],,IA-2,mitigates,0 +2773,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-2,mitigates,0 +2774,,T1558.001,Golden Ticket,[],[],,IA-2,mitigates,0 +2775,,T1558.002,Silver Ticket,[],[],,IA-2,mitigates,0 +2776,,T1558.003,Kerberoasting,[],[],,IA-2,mitigates,0 +2777,,T1558.004,AS-REP Roasting,[],[],,IA-2,mitigates,0 +2778,,T1559,Inter-Process Communication,[],[],,IA-2,mitigates,0 +2779,,T1559.001,Component Object Model,[],[],,IA-2,mitigates,0 +2780,,T1562,Impair Defenses,[],[],,IA-2,mitigates,0 +2781,,T1562.001,Disable or Modify Tools,[],[],,IA-2,mitigates,0 +2782,,T1562.002,Disable Windows Event Logging,[],[],,IA-2,mitigates,0 +2783,,T1562.004,Disable or Modify System Firewall,[],[],,IA-2,mitigates,0 +2784,,T1562.006,Indicator Blocking,[],[],,IA-2,mitigates,0 +2785,,T1562.007,Disable or Modify Cloud Firewall,[],[],,IA-2,mitigates,0 +2786,,T1562.008,Disable Cloud Logs,[],[],,IA-2,mitigates,0 +2787,,T1562.009,Safe Mode Boot,[],[],,IA-2,mitigates,0 +2788,,T1563,Remote Service Session Hijacking,[],[],,IA-2,mitigates,0 +2789,,T1563.001,SSH Hijacking,[],[],,IA-2,mitigates,0 +2790,,T1563.002,RDP Hijacking,[],[],,IA-2,mitigates,0 +2791,,T1569,System Services,[],[],,IA-2,mitigates,0 +2792,,T1569.001,Launchctl,[],[],,IA-2,mitigates,0 +2793,,T1569.002,Service Execution,[],[],,IA-2,mitigates,0 +2794,,T1574,Hijack Execution Flow,[],[],,IA-2,mitigates,0 +2795,,T1574.005,Executable Installer File Permissions Weakness,[],[],,IA-2,mitigates,0 
+2796,,T1574.010,Services File Permissions Weakness,[],[],,IA-2,mitigates,0 +2797,,T1574.012,COR_PROFILER,[],[],,IA-2,mitigates,0 +2798,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-2,mitigates,0 +2799,,T1578.001,Create Snapshot,[],[],,IA-2,mitigates,0 +2800,,T1578.002,Create Cloud Instance,[],[],,IA-2,mitigates,0 +2801,,T1578.003,Delete Cloud Instance,[],[],,IA-2,mitigates,0 +2802,,T1580,Cloud Infrastructure Discovery,[],[],,IA-2,mitigates,0 +2803,,T1599,Network Boundary Bridging,[],[],,IA-2,mitigates,0 +2804,,T1599.001,Network Address Translation Traversal,[],[],,IA-2,mitigates,0 +2805,,T1601,Modify System Image,[],[],,IA-2,mitigates,0 +2806,,T1601.001,Patch System Image,[],[],,IA-2,mitigates,0 +2807,,T1601.002,Downgrade System Image,[],[],,IA-2,mitigates,0 +2808,,T1610,Deploy Container,[],[],,IA-2,mitigates,0 +2809,,T1611,Escape to Host,[],[],,IA-2,mitigates,0 +2810,,T1613,Container and Resource Discovery,[],[],,IA-2,mitigates,0 +2811,,T1619,Cloud Storage Object Discovery,[],[],,IA-2,mitigates,0 +2812,,T1530,Data from Cloud Storage Object,[],[],,IA-3,mitigates,0 +2813,,T1537,Transfer Data to Cloud Account,[],[],,IA-3,mitigates,0 +2814,,T1552,Unsecured Credentials,[],[],,IA-3,mitigates,0 +2815,,T1552.005,Cloud Instance Metadata API,[],[],,IA-3,mitigates,0 +2816,,T1602,Data from Configuration Repository,[],[],,IA-3,mitigates,0 +2817,,T1602.001,SNMP (MIB Dump),[],[],,IA-3,mitigates,0 +2818,,T1602.002,Network Device Configuration Dump,[],[],,IA-3,mitigates,0 +2819,,T1003,OS Credential Dumping,[],[],,IA-4,mitigates,0 +2820,,T1003.005,Cached Domain Credentials,[],[],,IA-4,mitigates,0 +2821,,T1003.006,DCSync,[],[],,IA-4,mitigates,0 +2822,,T1021.001,Remote Desktop Protocol,[],[],,IA-4,mitigates,0 +2823,,T1021.005,VNC,[],[],,IA-4,mitigates,0 +2824,,T1053,Scheduled Task/Job,[],[],,IA-4,mitigates,0 +2825,,T1053.002,At (Windows),[],[],,IA-4,mitigates,0 +2826,,T1053.005,Scheduled Task,[],[],,IA-4,mitigates,0 +2827,,T1110,Brute Force,[],[],,IA-4,mitigates,0 
+2828,,T1110.001,Password Guessing,[],[],,IA-4,mitigates,0 +2829,,T1110.002,Password Cracking,[],[],,IA-4,mitigates,0 +2830,,T1110.003,Password Spraying,[],[],,IA-4,mitigates,0 +2831,,T1110.004,Credential Stuffing,[],[],,IA-4,mitigates,0 +2832,,T1213,Data from Information Repositories,[],[],,IA-4,mitigates,0 +2833,,T1213.001,Confluence,[],[],,IA-4,mitigates,0 +2834,,T1213.002,Sharepoint,[],[],,IA-4,mitigates,0 +2835,,T1528,Steal Application Access Token,[],[],,IA-4,mitigates,0 +2836,,T1530,Data from Cloud Storage Object,[],[],,IA-4,mitigates,0 +2837,,T1537,Transfer Data to Cloud Account,[],[],,IA-4,mitigates,0 +2838,,T1543,Create or Modify System Process,[],[],,IA-4,mitigates,0 +2839,,T1543.003,Windows Service,[],[],,IA-4,mitigates,0 +2840,,T1543.004,Launch Daemon,[],[],,IA-4,mitigates,0 +2841,,T1547.006,Kernel Modules and Extensions,[],[],,IA-4,mitigates,0 +2842,,T1550.001,Application Access Token,[],[],,IA-4,mitigates,0 +2843,,T1552,Unsecured Credentials,[],[],,IA-4,mitigates,0 +2844,,T1552.005,Cloud Instance Metadata API,[],[],,IA-4,mitigates,0 +2845,,T1562,Impair Defenses,[],[],,IA-4,mitigates,0 +2846,,T1563,Remote Service Session Hijacking,[],[],,IA-4,mitigates,0 +2847,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-4,mitigates,0 +2848,,T1578.001,Create Snapshot,[],[],,IA-4,mitigates,0 +2849,,T1578.002,Create Cloud Instance,[],[],,IA-4,mitigates,0 +2850,,T1578.003,Delete Cloud Instance,[],[],,IA-4,mitigates,0 +2851,,T1602,Data from Configuration Repository,[],[],,IA-4,mitigates,0 +2852,,T1602.001,SNMP (MIB Dump),[],[],,IA-4,mitigates,0 +2853,,T1602.002,Network Device Configuration Dump,[],[],,IA-4,mitigates,0 +2854,,T1003,OS Credential Dumping,[],[],,IA-5,mitigates,0 +2855,,T1003.001,LSASS Memory,[],[],,IA-5,mitigates,0 +2856,,T1003.002,Security Account Manager,[],[],,IA-5,mitigates,0 +2857,,T1003.003,NTDS,[],[],,IA-5,mitigates,0 +2858,,T1003.004,LSA Secrets,[],[],,IA-5,mitigates,0 +2859,,T1003.005,Cached Domain Credentials,[],[],,IA-5,mitigates,0 
+2860,,T1003.006,DCSync,[],[],,IA-5,mitigates,0 +2861,,T1003.007,Proc Filesystem,[],[],,IA-5,mitigates,0 +2862,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-5,mitigates,0 +2863,,T1021,Remote Services,[],[],,IA-5,mitigates,0 +2864,,T1021.001,Remote Desktop Protocol,[],[],,IA-5,mitigates,0 +2865,,T1021.004,SSH,[],[],,IA-5,mitigates,0 +2866,,T1040,Network Sniffing,[],[],,IA-5,mitigates,0 +2867,,T1072,Software Deployment Tools,[],[],,IA-5,mitigates,0 +2868,,T1078,Valid Accounts,[],[],,IA-5,mitigates,0 +2869,,T1078.002,Domain Accounts,[],[],,IA-5,mitigates,0 +2870,,T1078.004,Cloud Accounts,[],[],,IA-5,mitigates,0 +2871,,T1098.001,Additional Cloud Credentials,[],[],,IA-5,mitigates,0 +2872,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-5,mitigates,0 +2873,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-5,mitigates,0 +2874,,T1110,Brute Force,[],[],,IA-5,mitigates,0 +2875,,T1110.001,Password Guessing,[],[],,IA-5,mitigates,0 +2876,,T1110.002,Password Cracking,[],[],,IA-5,mitigates,0 +2877,,T1110.003,Password Spraying,[],[],,IA-5,mitigates,0 +2878,,T1110.004,Credential Stuffing,[],[],,IA-5,mitigates,0 +2879,,T1111,Two-Factor Authentication Interception,[],[],,IA-5,mitigates,0 +2880,,T1114,Email Collection,[],[],,IA-5,mitigates,0 +2881,,T1114.002,Remote Email Collection,[],[],,IA-5,mitigates,0 +2882,,T1133,External Remote Services,[],[],,IA-5,mitigates,0 +2883,,T1136,Create Account,[],[],,IA-5,mitigates,0 +2884,,T1136.001,Local Account,[],[],,IA-5,mitigates,0 +2885,,T1136.002,Domain Account,[],[],,IA-5,mitigates,0 +2886,,T1136.003,Cloud Account,[],[],,IA-5,mitigates,0 +2887,,T1528,Steal Application Access Token,[],[],,IA-5,mitigates,0 +2888,,T1530,Data from Cloud Storage Object,[],[],,IA-5,mitigates,0 +2889,,T1539,Steal Web Session Cookie,[],[],,IA-5,mitigates,0 +2890,,T1550.003,Pass the Ticket,[],[],,IA-5,mitigates,0 +2891,,T1552,Unsecured Credentials,[],[],,IA-5,mitigates,0 +2892,,T1552.001,Credentials In Files,[],[],,IA-5,mitigates,0 
+2893,,T1552.002,Credentials in Registry,[],[],,IA-5,mitigates,0 +2894,,T1552.004,Private Keys,[],[],,IA-5,mitigates,0 +2895,,T1552.006,Group Policy Preferences,[],[],,IA-5,mitigates,0 +2896,,T1555,Credentials from Password Stores,[],[],,IA-5,mitigates,0 +2897,,T1555.001,Keychain,[],[],,IA-5,mitigates,0 +2898,,T1555.002,Securityd Memory,[],[],,IA-5,mitigates,0 +2899,,T1555.004,Windows Credential Manager,[],[],,IA-5,mitigates,0 +2900,,T1555.005,Password Managers,[],[],,IA-5,mitigates,0 +2901,,T1556,Modify Authentication Process,[],[],,IA-5,mitigates,0 +2902,,T1556.001,Domain Controller Authentication,[],[],,IA-5,mitigates,0 +2903,,T1556.003,Pluggable Authentication Modules,[],[],,IA-5,mitigates,0 +2904,,T1556.004,Network Device Authentication,[],[],,IA-5,mitigates,0 +2905,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-5,mitigates,0 +2906,,T1558.001,Golden Ticket,[],[],,IA-5,mitigates,0 +2907,,T1558.002,Silver Ticket,[],[],,IA-5,mitigates,0 +2908,,T1558.003,Kerberoasting,[],[],,IA-5,mitigates,0 +2909,,T1558.004,AS-REP Roasting,[],[],,IA-5,mitigates,0 +2910,,T1559,Inter-Process Communication,[],[],,IA-5,mitigates,0 +2911,,T1559.001,Component Object Model,[],[],,IA-5,mitigates,0 +2912,,T1563.001,SSH Hijacking,[],[],,IA-5,mitigates,0 +2913,,T1599,Network Boundary Bridging,[],[],,IA-5,mitigates,0 +2914,,T1599.001,Network Address Translation Traversal,[],[],,IA-5,mitigates,0 +2915,,T1601,Modify System Image,[],[],,IA-5,mitigates,0 +2916,,T1601.001,Patch System Image,[],[],,IA-5,mitigates,0 +2917,,T1601.002,Downgrade System Image,[],[],,IA-5,mitigates,0 +2918,,T1021.001,Remote Desktop Protocol,[],[],,IA-6,mitigates,0 +2919,,T1021.005,VNC,[],[],,IA-6,mitigates,0 +2920,,T1530,Data from Cloud Storage Object,[],[],,IA-6,mitigates,0 +2921,,T1563,Remote Service Session Hijacking,[],[],,IA-6,mitigates,0 +2922,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-6,mitigates,0 +2923,,T1578.001,Create Snapshot,[],[],,IA-6,mitigates,0 +2924,,T1578.002,Create Cloud 
Instance,[],[],,IA-6,mitigates,0 +2925,,T1578.003,Delete Cloud Instance,[],[],,IA-6,mitigates,0 +2926,,T1195.003,Compromise Hardware Supply Chain,[],[],,IA-7,mitigates,0 +2927,,T1495,Firmware Corruption,[],[],,IA-7,mitigates,0 +2928,,T1542,Pre-OS Boot,[],[],,IA-7,mitigates,0 +2929,,T1542.001,System Firmware,[],[],,IA-7,mitigates,0 +2930,,T1542.003,Bootkit,[],[],,IA-7,mitigates,0 +2931,,T1542.004,ROMMONkit,[],[],,IA-7,mitigates,0 +2932,,T1542.005,TFTP Boot,[],[],,IA-7,mitigates,0 +2933,,T1553,Subvert Trust Controls,[],[],,IA-7,mitigates,0 +2934,,T1553.006,Code Signing Policy Modification,[],[],,IA-7,mitigates,0 +2935,,T1601,Modify System Image,[],[],,IA-7,mitigates,0 +2936,,T1601.001,Patch System Image,[],[],,IA-7,mitigates,0 +2937,,T1601.002,Downgrade System Image,[],[],,IA-7,mitigates,0 +2938,,T1053,Scheduled Task/Job,[],[],,IA-8,mitigates,0 +2939,,T1053.007,Container Orchestration Job,[],[],,IA-8,mitigates,0 +2940,,T1059,Command and Scripting Interpreter,[],[],,IA-8,mitigates,0 +2941,,T1059.001,PowerShell,[],[],,IA-8,mitigates,0 +2942,,T1059.008,Network Device CLI,[],[],,IA-8,mitigates,0 +2943,,T1087.004,Cloud Account,[],[],,IA-8,mitigates,0 +2944,,T1190,Exploit Public-Facing Application,[],[],,IA-8,mitigates,0 +2945,,T1210,Exploitation of Remote Services,[],[],,IA-8,mitigates,0 +2946,,T1213,Data from Information Repositories,[],[],,IA-8,mitigates,0 +2947,,T1213.001,Confluence,[],[],,IA-8,mitigates,0 +2948,,T1213.002,Sharepoint,[],[],,IA-8,mitigates,0 +2949,,T1528,Steal Application Access Token,[],[],,IA-8,mitigates,0 +2950,,T1530,Data from Cloud Storage Object,[],[],,IA-8,mitigates,0 +2951,,T1537,Transfer Data to Cloud Account,[],[],,IA-8,mitigates,0 +2952,,T1538,Cloud Service Dashboard,[],[],,IA-8,mitigates,0 +2953,,T1542,Pre-OS Boot,[],[],,IA-8,mitigates,0 +2954,,T1542.001,System Firmware,[],[],,IA-8,mitigates,0 +2955,,T1542.003,Bootkit,[],[],,IA-8,mitigates,0 +2956,,T1542.005,TFTP Boot,[],[],,IA-8,mitigates,0 +2957,,T1547.006,Kernel Modules and 
Extensions,[],[],,IA-8,mitigates,0 +2958,,T1036,Masquerading,[],[],,IA-9,mitigates,0 +2959,,T1036.001,Invalid Code Signature,[],[],,IA-9,mitigates,0 +2960,,T1036.005,Match Legitimate Name or Location,[],[],,IA-9,mitigates,0 +2961,,T1059,Command and Scripting Interpreter,[],[],,IA-9,mitigates,0 +2962,,T1059.001,PowerShell,[],[],,IA-9,mitigates,0 +2963,,T1059.002,AppleScript,[],[],,IA-9,mitigates,0 +2964,,T1213.003,Code Repositories,[],[],,IA-9,mitigates,0 +2965,,T1505,Server Software Component,[],[],,IA-9,mitigates,0 +2966,,T1505.001,SQL Stored Procedures,[],[],,IA-9,mitigates,0 +2967,,T1505.002,Transport Agent,[],[],,IA-9,mitigates,0 +2968,,T1505.004,IIS Components,[],[],,IA-9,mitigates,0 +2969,,T1525,Implant Internal Image,[],[],,IA-9,mitigates,0 +2970,,T1546,Event Triggered Execution,[],[],,IA-9,mitigates,0 +2971,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,IA-9,mitigates,0 +2972,,T1546.013,PowerShell Profile,[],[],,IA-9,mitigates,0 +2973,,T1553,Subvert Trust Controls,[],[],,IA-9,mitigates,0 +2974,,T1553.004,Install Root Certificate,[],[],,IA-9,mitigates,0 +2975,,T1554,Compromise Client Software Binary,[],[],,IA-9,mitigates,0 +2976,,T1562.006,Indicator Blocking,[],[],,IA-9,mitigates,0 +2977,,T1562.009,Safe Mode Boot,[],[],,IA-9,mitigates,0 +2978,,T1566,Phishing,[],[],,IA-9,mitigates,0 +2979,,T1566.001,Spearphishing Attachment,[],[],,IA-9,mitigates,0 +2980,,T1566.002,Spearphishing Link,[],[],,IA-9,mitigates,0 +2981,,T1598,Phishing for Information,[],[],,IA-9,mitigates,0 +2982,,T1598.002,Spearphishing Attachment,[],[],,IA-9,mitigates,0 +2983,,T1598.003,Spearphishing Link,[],[],,IA-9,mitigates,0 +2984,,T1564.008,Email Hiding Rules,[],[],,IR-5,mitigates,0 +2985,,T1025,Data from Removable Media,[],[],,MP-7,mitigates,0 +2986,,T1052,Exfiltration Over Physical Medium,[],[],,MP-7,mitigates,0 +2987,,T1052.001,Exfiltration over USB,[],[],,MP-7,mitigates,0 +2988,,T1091,Replication Through Removable Media,[],[],,MP-7,mitigates,0 +2989,,T1092,Communication Through Removable 
Media,[],[],,MP-7,mitigates,0 +2990,,T1200,Hardware Additions,[],[],,MP-7,mitigates,0 +2991,,T1011.001,Exfiltration Over Bluetooth,[],[],,RA-5,mitigates,0 +2992,,T1021.001,Remote Desktop Protocol,[],[],,RA-5,mitigates,0 +2993,,T1021.003,Distributed Component Object Model,[],[],,RA-5,mitigates,0 +2994,,T1021.004,SSH,[],[],,RA-5,mitigates,0 +2995,,T1021.005,VNC,[],[],,RA-5,mitigates,0 +2996,,T1021.006,Windows Remote Management,[],[],,RA-5,mitigates,0 +2997,,T1046,Network Service Scanning,[],[],,RA-5,mitigates,0 +2998,,T1047,Windows Management Instrumentation,[],[],,RA-5,mitigates,0 +2999,,T1052,Exfiltration Over Physical Medium,[],[],,RA-5,mitigates,0 +3000,,T1052.001,Exfiltration over USB,[],[],,RA-5,mitigates,0 +3001,,T1053,Scheduled Task/Job,[],[],,RA-5,mitigates,0 +3002,,T1053.001,At (Linux),[],[],,RA-5,mitigates,0 +3003,,T1053.002,At (Windows),[],[],,RA-5,mitigates,0 +3004,,T1053.003,Cron,[],[],,RA-5,mitigates,0 +3005,,T1053.005,Scheduled Task,[],[],,RA-5,mitigates,0 +3006,,T1059,Command and Scripting Interpreter,[],[],,RA-5,mitigates,0 +3007,,T1059.001,PowerShell,[],[],,RA-5,mitigates,0 +3008,,T1059.005,Visual Basic,[],[],,RA-5,mitigates,0 +3009,,T1059.007,JavaScript,[],[],,RA-5,mitigates,0 +3010,,T1068,Exploitation for Privilege Escalation,[],[],,RA-5,mitigates,0 +3011,,T1078,Valid Accounts,[],[],,RA-5,mitigates,0 +3012,,T1091,Replication Through Removable Media,[],[],,RA-5,mitigates,0 +3013,,T1092,Communication Through Removable Media,[],[],,RA-5,mitigates,0 +3014,,T1098.004,SSH Authorized Keys,[],[],,RA-5,mitigates,0 +3015,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,RA-5,mitigates,0 +3016,,T1127.001,MSBuild,[],[],,RA-5,mitigates,0 +3017,,T1133,External Remote Services,[],[],,RA-5,mitigates,0 +3018,,T1137,Office Application Startup,[],[],,RA-5,mitigates,0 +3019,,T1137.001,Office Template Macros,[],[],,RA-5,mitigates,0 +3020,,T1176,Browser Extensions,[],[],,RA-5,mitigates,0 +3021,,T1190,Exploit Public-Facing Application,[],[],,RA-5,mitigates,0 
+3022,,T1195,Supply Chain Compromise,[],[],,RA-5,mitigates,0 +3023,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-5,mitigates,0 +3024,,T1195.002,Compromise Software Supply Chain,[],[],,RA-5,mitigates,0 +3025,,T1204.003,Malicious Image,[],[],,RA-5,mitigates,0 +3026,,T1210,Exploitation of Remote Services,[],[],,RA-5,mitigates,0 +3027,,T1211,Exploitation for Defense Evasion,[],[],,RA-5,mitigates,0 +3028,,T1212,Exploitation for Credential Access,[],[],,RA-5,mitigates,0 +3029,,T1213,Data from Information Repositories,[],[],,RA-5,mitigates,0 +3030,,T1213.001,Confluence,[],[],,RA-5,mitigates,0 +3031,,T1213.002,Sharepoint,[],[],,RA-5,mitigates,0 +3032,,T1213.003,Code Repositories,[],[],,RA-5,mitigates,0 +3033,,T1218,Signed Binary Proxy Execution,[],[],,RA-5,mitigates,0 +3034,,T1218.003,CMSTP,[],[],,RA-5,mitigates,0 +3035,,T1218.004,InstallUtil,[],[],,RA-5,mitigates,0 +3036,,T1218.005,Mshta,[],[],,RA-5,mitigates,0 +3037,,T1218.008,Odbcconf,[],[],,RA-5,mitigates,0 +3038,,T1218.009,Regsvcs/Regasm,[],[],,RA-5,mitigates,0 +3039,,T1218.012,Verclsid,[],[],,RA-5,mitigates,0 +3040,,T1218.013,Mavinject,[],[],,RA-5,mitigates,0 +3041,,T1218.014,MMC,[],[],,RA-5,mitigates,0 +3042,,T1221,Template Injection,[],[],,RA-5,mitigates,0 +3043,,T1482,Domain Trust Discovery,[],[],,RA-5,mitigates,0 +3044,,T1484,Domain Policy Modification,[],[],,RA-5,mitigates,0 +3045,,T1505,Server Software Component,[],[],,RA-5,mitigates,0 +3046,,T1505.001,SQL Stored Procedures,[],[],,RA-5,mitigates,0 +3047,,T1505.002,Transport Agent,[],[],,RA-5,mitigates,0 +3048,,T1505.003,Web Shell,[],[],,RA-5,mitigates,0 +3049,,T1505.004,IIS Components,[],[],,RA-5,mitigates,0 +3050,,T1525,Implant Internal Image,[],[],,RA-5,mitigates,0 +3051,,T1528,Steal Application Access Token,[],[],,RA-5,mitigates,0 +3052,,T1530,Data from Cloud Storage Object,[],[],,RA-5,mitigates,0 +3053,,T1542.004,ROMMONkit,[],[],,RA-5,mitigates,0 +3054,,T1542.005,TFTP Boot,[],[],,RA-5,mitigates,0 +3055,,T1543,Create or Modify 
System Process,[],[],,RA-5,mitigates,0 +3056,,T1543.003,Windows Service,[],[],,RA-5,mitigates,0 +3057,,T1543.004,Launch Daemon,[],[],,RA-5,mitigates,0 +3058,,T1546.002,Screensaver,[],[],,RA-5,mitigates,0 +3059,,T1546.014,Emond,[],[],,RA-5,mitigates,0 +3060,,T1547.006,Kernel Modules and Extensions,[],[],,RA-5,mitigates,0 +3061,,T1547.007,Re-opened Applications,[],[],,RA-5,mitigates,0 +3062,,T1547.008,LSASS Driver,[],[],,RA-5,mitigates,0 +3063,,T1548,Abuse Elevation Control Mechanism,[],[],,RA-5,mitigates,0 +3064,,T1548.002,Bypass User Account Control,[],[],,RA-5,mitigates,0 +3065,,T1548.003,Sudo and Sudo Caching,[],[],,RA-5,mitigates,0 +3066,,T1552,Unsecured Credentials,[],[],,RA-5,mitigates,0 +3067,,T1552.001,Credentials In Files,[],[],,RA-5,mitigates,0 +3068,,T1552.002,Credentials in Registry,[],[],,RA-5,mitigates,0 +3069,,T1552.004,Private Keys,[],[],,RA-5,mitigates,0 +3070,,T1552.006,Group Policy Preferences,[],[],,RA-5,mitigates,0 +3071,,T1557,Adversary-in-the-Middle,[],[],,RA-5,mitigates,0 +3072,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,RA-5,mitigates,0 +3073,,T1557.002,ARP Cache Poisoning,[],[],,RA-5,mitigates,0 +3074,,T1558.004,AS-REP Roasting,[],[],,RA-5,mitigates,0 +3075,,T1559,Inter-Process Communication,[],[],,RA-5,mitigates,0 +3076,,T1559.002,Dynamic Data Exchange,[],[],,RA-5,mitigates,0 +3077,,T1560,Archive Collected Data,[],[],,RA-5,mitigates,0 +3078,,T1560.001,Archive via Utility,[],[],,RA-5,mitigates,0 +3079,,T1562,Impair Defenses,[],[],,RA-5,mitigates,0 +3080,,T1562.010,Downgrade Attack,[],[],,RA-5,mitigates,0 +3081,,T1563,Remote Service Session Hijacking,[],[],,RA-5,mitigates,0 +3082,,T1563.001,SSH Hijacking,[],[],,RA-5,mitigates,0 +3083,,T1563.002,RDP Hijacking,[],[],,RA-5,mitigates,0 +3084,,T1574,Hijack Execution Flow,[],[],,RA-5,mitigates,0 +3085,,T1574.001,DLL Search Order Hijacking,[],[],,RA-5,mitigates,0 +3086,,T1574.004,Dylib Hijacking,[],[],,RA-5,mitigates,0 +3087,,T1574.005,Executable Installer File Permissions 
Weakness,[],[],,RA-5,mitigates,0 +3088,,T1574.007,Path Interception by PATH Environment Variable,[],[],,RA-5,mitigates,0 +3089,,T1574.008,Path Interception by Search Order Hijacking,[],[],,RA-5,mitigates,0 +3090,,T1574.009,Path Interception by Unquoted Path,[],[],,RA-5,mitigates,0 +3091,,T1574.010,Services File Permissions Weakness,[],[],,RA-5,mitigates,0 +3092,,T1578,Modify Cloud Compute Infrastructure,[],[],,RA-5,mitigates,0 +3093,,T1578.001,Create Snapshot,[],[],,RA-5,mitigates,0 +3094,,T1578.002,Create Cloud Instance,[],[],,RA-5,mitigates,0 +3095,,T1578.003,Delete Cloud Instance,[],[],,RA-5,mitigates,0 +3096,,T1612,Build Image on Host,[],[],,RA-5,mitigates,0 +3097,,T1078,Valid Accounts,[],[],,SA-10,mitigates,0 +3098,,T1078.001,Default Accounts,[],[],,SA-10,mitigates,0 +3099,,T1078.003,Local Accounts,[],[],,SA-10,mitigates,0 +3100,,T1078.004,Cloud Accounts,[],[],,SA-10,mitigates,0 +3101,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-10,mitigates,0 +3102,,T1213.003,Code Repositories,[],[],,SA-10,mitigates,0 +3103,,T1495,Firmware Corruption,[],[],,SA-10,mitigates,0 +3104,,T1505,Server Software Component,[],[],,SA-10,mitigates,0 +3105,,T1505.001,SQL Stored Procedures,[],[],,SA-10,mitigates,0 +3106,,T1505.002,Transport Agent,[],[],,SA-10,mitigates,0 +3107,,T1505.004,IIS Components,[],[],,SA-10,mitigates,0 +3108,,T1542,Pre-OS Boot,[],[],,SA-10,mitigates,0 +3109,,T1542.001,System Firmware,[],[],,SA-10,mitigates,0 +3110,,T1542.003,Bootkit,[],[],,SA-10,mitigates,0 +3111,,T1542.004,ROMMONkit,[],[],,SA-10,mitigates,0 +3112,,T1542.005,TFTP Boot,[],[],,SA-10,mitigates,0 +3113,,T1547.011,Plist Modification,[],[],,SA-10,mitigates,0 +3114,,T1553,Subvert Trust Controls,[],[],,SA-10,mitigates,0 +3115,,T1553.006,Code Signing Policy Modification,[],[],,SA-10,mitigates,0 +3116,,T1564.009,Resource Forking,[],[],,SA-10,mitigates,0 +3117,,T1574.002,DLL Side-Loading,[],[],,SA-10,mitigates,0 +3118,,T1601,Modify System Image,[],[],,SA-10,mitigates,0 +3119,,T1601.001,Patch System 
Image,[],[],,SA-10,mitigates,0 +3120,,T1601.002,Downgrade System Image,[],[],,SA-10,mitigates,0 +3121,,T1078,Valid Accounts,[],[],,SA-11,mitigates,0 +3122,,T1078.001,Default Accounts,[],[],,SA-11,mitigates,0 +3123,,T1078.003,Local Accounts,[],[],,SA-11,mitigates,0 +3124,,T1078.004,Cloud Accounts,[],[],,SA-11,mitigates,0 +3125,,T1134.005,SID-History Injection,[],[],,SA-11,mitigates,0 +3126,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-11,mitigates,0 +3127,,T1213.003,Code Repositories,[],[],,SA-11,mitigates,0 +3128,,T1495,Firmware Corruption,[],[],,SA-11,mitigates,0 +3129,,T1505,Server Software Component,[],[],,SA-11,mitigates,0 +3130,,T1505.001,SQL Stored Procedures,[],[],,SA-11,mitigates,0 +3131,,T1505.002,Transport Agent,[],[],,SA-11,mitigates,0 +3132,,T1505.004,IIS Components,[],[],,SA-11,mitigates,0 +3133,,T1528,Steal Application Access Token,[],[],,SA-11,mitigates,0 +3134,,T1542,Pre-OS Boot,[],[],,SA-11,mitigates,0 +3135,,T1542.001,System Firmware,[],[],,SA-11,mitigates,0 +3136,,T1542.003,Bootkit,[],[],,SA-11,mitigates,0 +3137,,T1542.004,ROMMONkit,[],[],,SA-11,mitigates,0 +3138,,T1542.005,TFTP Boot,[],[],,SA-11,mitigates,0 +3139,,T1547.011,Plist Modification,[],[],,SA-11,mitigates,0 +3140,,T1552,Unsecured Credentials,[],[],,SA-11,mitigates,0 +3141,,T1552.001,Credentials In Files,[],[],,SA-11,mitigates,0 +3142,,T1552.002,Credentials in Registry,[],[],,SA-11,mitigates,0 +3143,,T1552.004,Private Keys,[],[],,SA-11,mitigates,0 +3144,,T1552.006,Group Policy Preferences,[],[],,SA-11,mitigates,0 +3145,,T1553,Subvert Trust Controls,[],[],,SA-11,mitigates,0 +3146,,T1553.006,Code Signing Policy Modification,[],[],,SA-11,mitigates,0 +3147,,T1558.004,AS-REP Roasting,[],[],,SA-11,mitigates,0 +3148,,T1574.002,DLL Side-Loading,[],[],,SA-11,mitigates,0 +3149,,T1601,Modify System Image,[],[],,SA-11,mitigates,0 +3150,,T1601.001,Patch System Image,[],[],,SA-11,mitigates,0 +3151,,T1601.002,Downgrade System Image,[],[],,SA-11,mitigates,0 +3152,,T1612,Build Image on 
Host,[],[],,SA-11,mitigates,0 +3153,,T1059.002,AppleScript,[],[],,SA-12,mitigates,0 +3154,,T1078,Valid Accounts,[],[],,SA-12,mitigates,0 +3155,,T1204.003,Malicious Image,[],[],,SA-12,mitigates,0 +3156,,T1505,Server Software Component,[],[],,SA-12,mitigates,0 +3157,,T1505.001,SQL Stored Procedures,[],[],,SA-12,mitigates,0 +3158,,T1505.002,Transport Agent,[],[],,SA-12,mitigates,0 +3159,,T1505.004,IIS Components,[],[],,SA-12,mitigates,0 +3160,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SA-12,mitigates,0 +3161,,T1554,Compromise Client Software Binary,[],[],,SA-12,mitigates,0 +3162,,T1601,Modify System Image,[],[],,SA-12,mitigates,0 +3163,,T1601.001,Patch System Image,[],[],,SA-12,mitigates,0 +3164,,T1601.002,Downgrade System Image,[],[],,SA-12,mitigates,0 +3165,,T1482,Domain Trust Discovery,[],[],,SA-13,mitigates,0 +3166,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-14,mitigates,0 +3167,,T1495,Firmware Corruption,[],[],,SA-14,mitigates,0 +3168,,T1542,Pre-OS Boot,[],[],,SA-14,mitigates,0 +3169,,T1542.001,System Firmware,[],[],,SA-14,mitigates,0 +3170,,T1542.003,Bootkit,[],[],,SA-14,mitigates,0 +3171,,T1542.004,ROMMONkit,[],[],,SA-14,mitigates,0 +3172,,T1542.005,TFTP Boot,[],[],,SA-14,mitigates,0 +3173,,T1553,Subvert Trust Controls,[],[],,SA-14,mitigates,0 +3174,,T1553.006,Code Signing Policy Modification,[],[],,SA-14,mitigates,0 +3175,,T1601,Modify System Image,[],[],,SA-14,mitigates,0 +3176,,T1601.001,Patch System Image,[],[],,SA-14,mitigates,0 +3177,,T1601.002,Downgrade System Image,[],[],,SA-14,mitigates,0 +3178,,T1078,Valid Accounts,[],[],,SA-15,mitigates,0 +3179,,T1078.001,Default Accounts,[],[],,SA-15,mitigates,0 +3180,,T1078.003,Local Accounts,[],[],,SA-15,mitigates,0 +3181,,T1078.004,Cloud Accounts,[],[],,SA-15,mitigates,0 +3182,,T1213.003,Code Repositories,[],[],,SA-15,mitigates,0 +3183,,T1528,Steal Application Access Token,[],[],,SA-15,mitigates,0 +3184,,T1552,Unsecured Credentials,[],[],,SA-15,mitigates,0 +3185,,T1552.001,Credentials In 
Files,[],[],,SA-15,mitigates,0 +3186,,T1552.002,Credentials in Registry,[],[],,SA-15,mitigates,0 +3187,,T1552.004,Private Keys,[],[],,SA-15,mitigates,0 +3188,,T1552.006,Group Policy Preferences,[],[],,SA-15,mitigates,0 +3189,,T1558.004,AS-REP Roasting,[],[],,SA-15,mitigates,0 +3190,,T1574.002,DLL Side-Loading,[],[],,SA-15,mitigates,0 +3191,,T1078,Valid Accounts,[],[],,SA-16,mitigates,0 +3192,,T1078.001,Default Accounts,[],[],,SA-16,mitigates,0 +3193,,T1078.003,Local Accounts,[],[],,SA-16,mitigates,0 +3194,,T1078.004,Cloud Accounts,[],[],,SA-16,mitigates,0 +3195,,T1574.002,DLL Side-Loading,[],[],,SA-16,mitigates,0 +3196,,T1078,Valid Accounts,[],[],,SA-17,mitigates,0 +3197,,T1078.001,Default Accounts,[],[],,SA-17,mitigates,0 +3198,,T1078.003,Local Accounts,[],[],,SA-17,mitigates,0 +3199,,T1078.004,Cloud Accounts,[],[],,SA-17,mitigates,0 +3200,,T1134.005,SID-History Injection,[],[],,SA-17,mitigates,0 +3201,,T1482,Domain Trust Discovery,[],[],,SA-17,mitigates,0 +3202,,T1574.002,DLL Side-Loading,[],[],,SA-17,mitigates,0 +3203,,T1554,Compromise Client Software Binary,[],[],,SA-19,mitigates,0 +3204,,T1189,Drive-by Compromise,[],[],,SA-22,mitigates,0 +3205,,T1195,Supply Chain Compromise,[],[],,SA-22,mitigates,0 +3206,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SA-22,mitigates,0 +3207,,T1195.002,Compromise Software Supply Chain,[],[],,SA-22,mitigates,0 +3208,,T1543,Create or Modify System Process,[],[],,SA-22,mitigates,0 +3209,,T1543.002,Systemd Service,[],[],,SA-22,mitigates,0 +3210,,T1078,Valid Accounts,[],[],,SA-3,mitigates,0 +3211,,T1078.001,Default Accounts,[],[],,SA-3,mitigates,0 +3212,,T1078.003,Local Accounts,[],[],,SA-3,mitigates,0 +3213,,T1078.004,Cloud Accounts,[],[],,SA-3,mitigates,0 +3214,,T1213.003,Code Repositories,[],[],,SA-3,mitigates,0 +3215,,T1574.002,DLL Side-Loading,[],[],,SA-3,mitigates,0 +3216,,T1078,Valid Accounts,[],[],,SA-4,mitigates,0 +3217,,T1078.001,Default Accounts,[],[],,SA-4,mitigates,0 +3218,,T1078.003,Local 
Accounts,[],[],,SA-4,mitigates,0 +3219,,T1078.004,Cloud Accounts,[],[],,SA-4,mitigates,0 +3220,,T1134.005,SID-History Injection,[],[],,SA-4,mitigates,0 +3221,,T1574.002,DLL Side-Loading,[],[],,SA-4,mitigates,0 +3222,,T1005,Data from Local System,[],[],,SA-8,mitigates,0 +3223,,T1025,Data from Removable Media,[],[],,SA-8,mitigates,0 +3224,,T1041,Exfiltration Over C2 Channel,[],[],,SA-8,mitigates,0 +3225,,T1048,Exfiltration Over Alternative Protocol,[],[],,SA-8,mitigates,0 +3226,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SA-8,mitigates,0 +3227,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SA-8,mitigates,0 +3228,,T1052,Exfiltration Over Physical Medium,[],[],,SA-8,mitigates,0 +3229,,T1052.001,Exfiltration over USB,[],[],,SA-8,mitigates,0 +3230,,T1078,Valid Accounts,[],[],,SA-8,mitigates,0 +3231,,T1078.001,Default Accounts,[],[],,SA-8,mitigates,0 +3232,,T1078.003,Local Accounts,[],[],,SA-8,mitigates,0 +3233,,T1078.004,Cloud Accounts,[],[],,SA-8,mitigates,0 +3234,,T1134.005,SID-History Injection,[],[],,SA-8,mitigates,0 +3235,,T1190,Exploit Public-Facing Application,[],[],,SA-8,mitigates,0 +3236,,T1213.003,Code Repositories,[],[],,SA-8,mitigates,0 +3237,,T1482,Domain Trust Discovery,[],[],,SA-8,mitigates,0 +3238,,T1547.011,Plist Modification,[],[],,SA-8,mitigates,0 +3239,,T1567,Exfiltration Over Web Service,[],[],,SA-8,mitigates,0 +3240,,T1574.002,DLL Side-Loading,[],[],,SA-8,mitigates,0 +3241,,T1041,Exfiltration Over C2 Channel,[],[],,SA-9,mitigates,0 +3242,,T1048,Exfiltration Over Alternative Protocol,[],[],,SA-9,mitigates,0 +3243,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SA-9,mitigates,0 +3244,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SA-9,mitigates,0 +3245,,T1567,Exfiltration Over Web Service,[],[],,SA-9,mitigates,0 +3246,,T1071,Application Layer Protocol,[],[],,SC-10,mitigates,0 +3247,,T1071.001,Web Protocols,[],[],,SC-10,mitigates,0 
+3248,,T1071.002,File Transfer Protocols,[],[],,SC-10,mitigates,0 +3249,,T1071.003,Mail Protocols,[],[],,SC-10,mitigates,0 +3250,,T1071.004,DNS,[],[],,SC-10,mitigates,0 +3251,,T1072,Software Deployment Tools,[],[],,SC-12,mitigates,0 +3252,,T1098.004,SSH Authorized Keys,[],[],,SC-12,mitigates,0 +3253,,T1552,Unsecured Credentials,[],[],,SC-12,mitigates,0 +3254,,T1552.001,Credentials In Files,[],[],,SC-12,mitigates,0 +3255,,T1552.002,Credentials in Registry,[],[],,SC-12,mitigates,0 +3256,,T1552.004,Private Keys,[],[],,SC-12,mitigates,0 +3257,,T1563.001,SSH Hijacking,[],[],,SC-12,mitigates,0 +3258,,T1573,Encrypted Channel,[],[],,SC-12,mitigates,0 +3259,,T1573.001,Symmetric Cryptography,[],[],,SC-12,mitigates,0 +3260,,T1573.002,Asymmetric Cryptography,[],[],,SC-12,mitigates,0 +3261,,T1005,Data from Local System,[],[],,SC-13,mitigates,0 +3262,,T1025,Data from Removable Media,[],[],,SC-13,mitigates,0 +3263,,T1041,Exfiltration Over C2 Channel,[],[],,SC-13,mitigates,0 +3264,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-13,mitigates,0 +3265,,T1505,Server Software Component,[],[],,SC-16,mitigates,0 +3266,,T1505.002,Transport Agent,[],[],,SC-16,mitigates,0 +3267,,T1573,Encrypted Channel,[],[],,SC-16,mitigates,0 +3268,,T1573.001,Symmetric Cryptography,[],[],,SC-16,mitigates,0 +3269,,T1573.002,Asymmetric Cryptography,[],[],,SC-16,mitigates,0 +3270,,T1072,Software Deployment Tools,[],[],,SC-17,mitigates,0 +3271,,T1606,Forge Web Credentials,[],[],,SC-17,mitigates,0 +3272,,T1021.003,Distributed Component Object Model,[],[],,SC-18,mitigates,0 +3273,,T1055,Process Injection,[],[],,SC-18,mitigates,0 +3274,,T1055.001,Dynamic-link Library Injection,[],[],,SC-18,mitigates,0 +3275,,T1055.002,Portable Executable Injection,[],[],,SC-18,mitigates,0 +3276,,T1055.003,Thread Execution Hijacking,[],[],,SC-18,mitigates,0 +3277,,T1055.004,Asynchronous Procedure Call,[],[],,SC-18,mitigates,0 +3278,,T1055.005,Thread Local Storage,[],[],,SC-18,mitigates,0 
+3279,,T1055.008,Ptrace System Calls,[],[],,SC-18,mitigates,0 +3280,,T1055.009,Proc Memory,[],[],,SC-18,mitigates,0 +3281,,T1055.011,Extra Window Memory Injection,[],[],,SC-18,mitigates,0 +3282,,T1055.012,Process Hollowing,[],[],,SC-18,mitigates,0 +3283,,T1055.013,Process Doppelgänging,[],[],,SC-18,mitigates,0 +3284,,T1055.014,VDSO Hijacking,[],[],,SC-18,mitigates,0 +3285,,T1059,Command and Scripting Interpreter,[],[],,SC-18,mitigates,0 +3286,,T1059.005,Visual Basic,[],[],,SC-18,mitigates,0 +3287,,T1059.007,JavaScript,[],[],,SC-18,mitigates,0 +3288,,T1068,Exploitation for Privilege Escalation,[],[],,SC-18,mitigates,0 +3289,,T1137,Office Application Startup,[],[],,SC-18,mitigates,0 +3290,,T1137.001,Office Template Macros,[],[],,SC-18,mitigates,0 +3291,,T1137.002,Office Test,[],[],,SC-18,mitigates,0 +3292,,T1137.003,Outlook Forms,[],[],,SC-18,mitigates,0 +3293,,T1137.004,Outlook Home Page,[],[],,SC-18,mitigates,0 +3294,,T1137.005,Outlook Rules,[],[],,SC-18,mitigates,0 +3295,,T1137.006,Add-ins,[],[],,SC-18,mitigates,0 +3296,,T1189,Drive-by Compromise,[],[],,SC-18,mitigates,0 +3297,,T1190,Exploit Public-Facing Application,[],[],,SC-18,mitigates,0 +3298,,T1203,Exploitation for Client Execution,[],[],,SC-18,mitigates,0 +3299,,T1210,Exploitation of Remote Services,[],[],,SC-18,mitigates,0 +3300,,T1211,Exploitation for Defense Evasion,[],[],,SC-18,mitigates,0 +3301,,T1212,Exploitation for Credential Access,[],[],,SC-18,mitigates,0 +3302,,T1218.001,Compiled HTML File,[],[],,SC-18,mitigates,0 +3303,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-18,mitigates,0 +3304,,T1548.004,Elevated Execution with Prompt,[],[],,SC-18,mitigates,0 +3305,,T1559,Inter-Process Communication,[],[],,SC-18,mitigates,0 +3306,,T1559.001,Component Object Model,[],[],,SC-18,mitigates,0 +3307,,T1559.002,Dynamic Data Exchange,[],[],,SC-18,mitigates,0 +3308,,T1611,Escape to Host,[],[],,SC-18,mitigates,0 +3309,,T1068,Exploitation for Privilege Escalation,[],[],,SC-2,mitigates,0 +3310,,T1189,Drive-by 
Compromise,[],[],,SC-2,mitigates,0 +3311,,T1190,Exploit Public-Facing Application,[],[],,SC-2,mitigates,0 +3312,,T1203,Exploitation for Client Execution,[],[],,SC-2,mitigates,0 +3313,,T1210,Exploitation of Remote Services,[],[],,SC-2,mitigates,0 +3314,,T1211,Exploitation for Defense Evasion,[],[],,SC-2,mitigates,0 +3315,,T1212,Exploitation for Credential Access,[],[],,SC-2,mitigates,0 +3316,,T1611,Escape to Host,[],[],,SC-2,mitigates,0 +3317,,T1071,Application Layer Protocol,[],[],,SC-20,mitigates,0 +3318,,T1071.001,Web Protocols,[],[],,SC-20,mitigates,0 +3319,,T1071.002,File Transfer Protocols,[],[],,SC-20,mitigates,0 +3320,,T1071.003,Mail Protocols,[],[],,SC-20,mitigates,0 +3321,,T1071.004,DNS,[],[],,SC-20,mitigates,0 +3322,,T1553.004,Install Root Certificate,[],[],,SC-20,mitigates,0 +3323,,T1566,Phishing,[],[],,SC-20,mitigates,0 +3324,,T1566.001,Spearphishing Attachment,[],[],,SC-20,mitigates,0 +3325,,T1566.002,Spearphishing Link,[],[],,SC-20,mitigates,0 +3326,,T1568,Dynamic Resolution,[],[],,SC-20,mitigates,0 +3327,,T1568.002,Domain Generation Algorithms,[],[],,SC-20,mitigates,0 +3328,,T1598,Phishing for Information,[],[],,SC-20,mitigates,0 +3329,,T1598.002,Spearphishing Attachment,[],[],,SC-20,mitigates,0 +3330,,T1598.003,Spearphishing Link,[],[],,SC-20,mitigates,0 +3331,,T1071,Application Layer Protocol,[],[],,SC-21,mitigates,0 +3332,,T1071.001,Web Protocols,[],[],,SC-21,mitigates,0 +3333,,T1071.002,File Transfer Protocols,[],[],,SC-21,mitigates,0 +3334,,T1071.003,Mail Protocols,[],[],,SC-21,mitigates,0 +3335,,T1071.004,DNS,[],[],,SC-21,mitigates,0 +3336,,T1568,Dynamic Resolution,[],[],,SC-21,mitigates,0 +3337,,T1568.002,Domain Generation Algorithms,[],[],,SC-21,mitigates,0 +3338,,T1071,Application Layer Protocol,[],[],,SC-22,mitigates,0 +3339,,T1071.001,Web Protocols,[],[],,SC-22,mitigates,0 +3340,,T1071.002,File Transfer Protocols,[],[],,SC-22,mitigates,0 +3341,,T1071.003,Mail Protocols,[],[],,SC-22,mitigates,0 +3342,,T1071.004,DNS,[],[],,SC-22,mitigates,0 
+3343,,T1568,Dynamic Resolution,[],[],,SC-22,mitigates,0 +3344,,T1568.002,Domain Generation Algorithms,[],[],,SC-22,mitigates,0 +3345,,T1071,Application Layer Protocol,[],[],,SC-23,mitigates,0 +3346,,T1071.001,Web Protocols,[],[],,SC-23,mitigates,0 +3347,,T1071.002,File Transfer Protocols,[],[],,SC-23,mitigates,0 +3348,,T1071.003,Mail Protocols,[],[],,SC-23,mitigates,0 +3349,,T1071.004,DNS,[],[],,SC-23,mitigates,0 +3350,,T1185,Browser Session Hijacking,[],[],,SC-23,mitigates,0 +3351,,T1535,Unused/Unsupported Cloud Regions,[],[],,SC-23,mitigates,0 +3352,,T1550.004,Web Session Cookie,[],[],,SC-23,mitigates,0 +3353,,T1557,Adversary-in-the-Middle,[],[],,SC-23,mitigates,0 +3354,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-23,mitigates,0 +3355,,T1557.002,ARP Cache Poisoning,[],[],,SC-23,mitigates,0 +3356,,T1562.006,Indicator Blocking,[],[],,SC-23,mitigates,0 +3357,,T1562.009,Safe Mode Boot,[],[],,SC-23,mitigates,0 +3358,,T1563.001,SSH Hijacking,[],[],,SC-23,mitigates,0 +3359,,T1573,Encrypted Channel,[],[],,SC-23,mitigates,0 +3360,,T1573.001,Symmetric Cryptography,[],[],,SC-23,mitigates,0 +3361,,T1573.002,Asymmetric Cryptography,[],[],,SC-23,mitigates,0 +3362,,T1068,Exploitation for Privilege Escalation,[],[],,SC-26,mitigates,0 +3363,,T1210,Exploitation of Remote Services,[],[],,SC-26,mitigates,0 +3364,,T1211,Exploitation for Defense Evasion,[],[],,SC-26,mitigates,0 +3365,,T1212,Exploitation for Credential Access,[],[],,SC-26,mitigates,0 +3366,,T1003,OS Credential Dumping,[],[],,SC-28,mitigates,0 +3367,,T1003.001,LSASS Memory,[],[],,SC-28,mitigates,0 +3368,,T1003.002,Security Account Manager,[],[],,SC-28,mitigates,0 +3369,,T1003.003,NTDS,[],[],,SC-28,mitigates,0 +3370,,T1003.004,LSA Secrets,[],[],,SC-28,mitigates,0 +3371,,T1003.005,Cached Domain Credentials,[],[],,SC-28,mitigates,0 +3372,,T1003.006,DCSync,[],[],,SC-28,mitigates,0 +3373,,T1003.007,Proc Filesystem,[],[],,SC-28,mitigates,0 +3374,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-28,mitigates,0 
+3375,,T1005,Data from Local System,[],[],,SC-28,mitigates,0 +3376,,T1025,Data from Removable Media,[],[],,SC-28,mitigates,0 +3377,,T1041,Exfiltration Over C2 Channel,[],[],,SC-28,mitigates,0 +3378,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-28,mitigates,0 +3379,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-28,mitigates,0 +3380,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-28,mitigates,0 +3381,,T1052,Exfiltration Over Physical Medium,[],[],,SC-28,mitigates,0 +3382,,T1052.001,Exfiltration over USB,[],[],,SC-28,mitigates,0 +3383,,T1078,Valid Accounts,[],[],,SC-28,mitigates,0 +3384,,T1078.001,Default Accounts,[],[],,SC-28,mitigates,0 +3385,,T1078.003,Local Accounts,[],[],,SC-28,mitigates,0 +3386,,T1078.004,Cloud Accounts,[],[],,SC-28,mitigates,0 +3387,,T1213,Data from Information Repositories,[],[],,SC-28,mitigates,0 +3388,,T1213.001,Confluence,[],[],,SC-28,mitigates,0 +3389,,T1213.002,Sharepoint,[],[],,SC-28,mitigates,0 +3390,,T1530,Data from Cloud Storage Object,[],[],,SC-28,mitigates,0 +3391,,T1550.001,Application Access Token,[],[],,SC-28,mitigates,0 +3392,,T1552,Unsecured Credentials,[],[],,SC-28,mitigates,0 +3393,,T1552.001,Credentials In Files,[],[],,SC-28,mitigates,0 +3394,,T1552.002,Credentials in Registry,[],[],,SC-28,mitigates,0 +3395,,T1552.003,Bash History,[],[],,SC-28,mitigates,0 +3396,,T1552.004,Private Keys,[],[],,SC-28,mitigates,0 +3397,,T1565,Data Manipulation,[],[],,SC-28,mitigates,0 +3398,,T1565.001,Stored Data Manipulation,[],[],,SC-28,mitigates,0 +3399,,T1565.003,Runtime Data Manipulation,[],[],,SC-28,mitigates,0 +3400,,T1567,Exfiltration Over Web Service,[],[],,SC-28,mitigates,0 +3401,,T1599,Network Boundary Bridging,[],[],,SC-28,mitigates,0 +3402,,T1599.001,Network Address Translation Traversal,[],[],,SC-28,mitigates,0 +3403,,T1602,Data from Configuration Repository,[],[],,SC-28,mitigates,0 +3404,,T1602.001,SNMP (MIB Dump),[],[],,SC-28,mitigates,0 +3405,,T1602.002,Network 
Device Configuration Dump,[],[],,SC-28,mitigates,0 +3406,,T1068,Exploitation for Privilege Escalation,[],[],,SC-29,mitigates,0 +3407,,T1189,Drive-by Compromise,[],[],,SC-29,mitigates,0 +3408,,T1190,Exploit Public-Facing Application,[],[],,SC-29,mitigates,0 +3409,,T1203,Exploitation for Client Execution,[],[],,SC-29,mitigates,0 +3410,,T1210,Exploitation of Remote Services,[],[],,SC-29,mitigates,0 +3411,,T1211,Exploitation for Defense Evasion,[],[],,SC-29,mitigates,0 +3412,,T1212,Exploitation for Credential Access,[],[],,SC-29,mitigates,0 +3413,,T1003,OS Credential Dumping,[],[],,SC-3,mitigates,0 +3414,,T1003.001,LSASS Memory,[],[],,SC-3,mitigates,0 +3415,,T1021.003,Distributed Component Object Model,[],[],,SC-3,mitigates,0 +3416,,T1047,Windows Management Instrumentation,[],[],,SC-3,mitigates,0 +3417,,T1068,Exploitation for Privilege Escalation,[],[],,SC-3,mitigates,0 +3418,,T1134.005,SID-History Injection,[],[],,SC-3,mitigates,0 +3419,,T1189,Drive-by Compromise,[],[],,SC-3,mitigates,0 +3420,,T1190,Exploit Public-Facing Application,[],[],,SC-3,mitigates,0 +3421,,T1203,Exploitation for Client Execution,[],[],,SC-3,mitigates,0 +3422,,T1210,Exploitation of Remote Services,[],[],,SC-3,mitigates,0 +3423,,T1211,Exploitation for Defense Evasion,[],[],,SC-3,mitigates,0 +3424,,T1212,Exploitation for Credential Access,[],[],,SC-3,mitigates,0 +3425,,T1559,Inter-Process Communication,[],[],,SC-3,mitigates,0 +3426,,T1559.001,Component Object Model,[],[],,SC-3,mitigates,0 +3427,,T1559.002,Dynamic Data Exchange,[],[],,SC-3,mitigates,0 +3428,,T1602,Data from Configuration Repository,[],[],,SC-3,mitigates,0 +3429,,T1602.001,SNMP (MIB Dump),[],[],,SC-3,mitigates,0 +3430,,T1602.002,Network Device Configuration Dump,[],[],,SC-3,mitigates,0 +3431,,T1611,Escape to Host,[],[],,SC-3,mitigates,0 +3432,,T1068,Exploitation for Privilege Escalation,[],[],,SC-30,mitigates,0 +3433,,T1189,Drive-by Compromise,[],[],,SC-30,mitigates,0 +3434,,T1190,Exploit Public-Facing 
Application,[],[],,SC-30,mitigates,0 +3435,,T1203,Exploitation for Client Execution,[],[],,SC-30,mitigates,0 +3436,,T1210,Exploitation of Remote Services,[],[],,SC-30,mitigates,0 +3437,,T1211,Exploitation for Defense Evasion,[],[],,SC-30,mitigates,0 +3438,,T1212,Exploitation for Credential Access,[],[],,SC-30,mitigates,0 +3439,,T1041,Exfiltration Over C2 Channel,[],[],,SC-31,mitigates,0 +3440,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-31,mitigates,0 +3441,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-31,mitigates,0 +3442,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-31,mitigates,0 +3443,,T1071,Application Layer Protocol,[],[],,SC-31,mitigates,0 +3444,,T1071.001,Web Protocols,[],[],,SC-31,mitigates,0 +3445,,T1071.002,File Transfer Protocols,[],[],,SC-31,mitigates,0 +3446,,T1071.003,Mail Protocols,[],[],,SC-31,mitigates,0 +3447,,T1071.004,DNS,[],[],,SC-31,mitigates,0 +3448,,T1567,Exfiltration Over Web Service,[],[],,SC-31,mitigates,0 +3449,,T1047,Windows Management Instrumentation,[],[],,SC-34,mitigates,0 +3450,,T1195.003,Compromise Hardware Supply Chain,[],[],,SC-34,mitigates,0 +3451,,T1542,Pre-OS Boot,[],[],,SC-34,mitigates,0 +3452,,T1542.001,System Firmware,[],[],,SC-34,mitigates,0 +3453,,T1542.003,Bootkit,[],[],,SC-34,mitigates,0 +3454,,T1542.004,ROMMONkit,[],[],,SC-34,mitigates,0 +3455,,T1542.005,TFTP Boot,[],[],,SC-34,mitigates,0 +3456,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-34,mitigates,0 +3457,,T1548.004,Elevated Execution with Prompt,[],[],,SC-34,mitigates,0 +3458,,T1553,Subvert Trust Controls,[],[],,SC-34,mitigates,0 +3459,,T1553.006,Code Signing Policy Modification,[],[],,SC-34,mitigates,0 +3460,,T1601,Modify System Image,[],[],,SC-34,mitigates,0 +3461,,T1601.001,Patch System Image,[],[],,SC-34,mitigates,0 +3462,,T1601.002,Downgrade System Image,[],[],,SC-34,mitigates,0 +3463,,T1611,Escape to Host,[],[],,SC-34,mitigates,0 +3464,,T1068,Exploitation for Privilege 
Escalation,[],[],,SC-35,mitigates,0 +3465,,T1210,Exploitation of Remote Services,[],[],,SC-35,mitigates,0 +3466,,T1211,Exploitation for Defense Evasion,[],[],,SC-35,mitigates,0 +3467,,T1212,Exploitation for Credential Access,[],[],,SC-35,mitigates,0 +3468,,T1070,Indicator Removal on Host,[],[],,SC-36,mitigates,0 +3469,,T1070.001,Clear Windows Event Logs,[],[],,SC-36,mitigates,0 +3470,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-36,mitigates,0 +3471,,T1119,Automated Collection,[],[],,SC-36,mitigates,0 +3472,,T1565,Data Manipulation,[],[],,SC-36,mitigates,0 +3473,,T1565.001,Stored Data Manipulation,[],[],,SC-36,mitigates,0 +3474,,T1071,Application Layer Protocol,[],[],,SC-37,mitigates,0 +3475,,T1071.001,Web Protocols,[],[],,SC-37,mitigates,0 +3476,,T1071.002,File Transfer Protocols,[],[],,SC-37,mitigates,0 +3477,,T1071.003,Mail Protocols,[],[],,SC-37,mitigates,0 +3478,,T1071.004,DNS,[],[],,SC-37,mitigates,0 +3479,,T1005,Data from Local System,[],[],,SC-38,mitigates,0 +3480,,T1025,Data from Removable Media,[],[],,SC-38,mitigates,0 +3481,,T1003,OS Credential Dumping,[],[],,SC-39,mitigates,0 +3482,,T1003.001,LSASS Memory,[],[],,SC-39,mitigates,0 +3483,,T1003.002,Security Account Manager,[],[],,SC-39,mitigates,0 +3484,,T1003.003,NTDS,[],[],,SC-39,mitigates,0 +3485,,T1003.004,LSA Secrets,[],[],,SC-39,mitigates,0 +3486,,T1003.005,Cached Domain Credentials,[],[],,SC-39,mitigates,0 +3487,,T1003.006,DCSync,[],[],,SC-39,mitigates,0 +3488,,T1003.007,Proc Filesystem,[],[],,SC-39,mitigates,0 +3489,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-39,mitigates,0 +3490,,T1068,Exploitation for Privilege Escalation,[],[],,SC-39,mitigates,0 +3491,,T1189,Drive-by Compromise,[],[],,SC-39,mitigates,0 +3492,,T1190,Exploit Public-Facing Application,[],[],,SC-39,mitigates,0 +3493,,T1203,Exploitation for Client Execution,[],[],,SC-39,mitigates,0 +3494,,T1210,Exploitation of Remote Services,[],[],,SC-39,mitigates,0 +3495,,T1211,Exploitation for Defense Evasion,[],[],,SC-39,mitigates,0 
+3496,,T1212,Exploitation for Credential Access,[],[],,SC-39,mitigates,0 +3497,,T1547.002,Authentication Package,[],[],,SC-39,mitigates,0 +3498,,T1547.005,Security Support Provider,[],[],,SC-39,mitigates,0 +3499,,T1547.008,LSASS Driver,[],[],,SC-39,mitigates,0 +3500,,T1556,Modify Authentication Process,[],[],,SC-39,mitigates,0 +3501,,T1556.001,Domain Controller Authentication,[],[],,SC-39,mitigates,0 +3502,,T1611,Escape to Host,[],[],,SC-39,mitigates,0 +3503,,T1020.001,Traffic Duplication,[],[],,SC-4,mitigates,0 +3504,,T1040,Network Sniffing,[],[],,SC-4,mitigates,0 +3505,,T1070,Indicator Removal on Host,[],[],,SC-4,mitigates,0 +3506,,T1070.001,Clear Windows Event Logs,[],[],,SC-4,mitigates,0 +3507,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-4,mitigates,0 +3508,,T1080,Taint Shared Content,[],[],,SC-4,mitigates,0 +3509,,T1119,Automated Collection,[],[],,SC-4,mitigates,0 +3510,,T1530,Data from Cloud Storage Object,[],[],,SC-4,mitigates,0 +3511,,T1552,Unsecured Credentials,[],[],,SC-4,mitigates,0 +3512,,T1552.001,Credentials In Files,[],[],,SC-4,mitigates,0 +3513,,T1552.002,Credentials in Registry,[],[],,SC-4,mitigates,0 +3514,,T1552.004,Private Keys,[],[],,SC-4,mitigates,0 +3515,,T1557,Adversary-in-the-Middle,[],[],,SC-4,mitigates,0 +3516,,T1557.002,ARP Cache Poisoning,[],[],,SC-4,mitigates,0 +3517,,T1558,Steal or Forge Kerberos Tickets,[],[],,SC-4,mitigates,0 +3518,,T1558.002,Silver Ticket,[],[],,SC-4,mitigates,0 +3519,,T1558.003,Kerberoasting,[],[],,SC-4,mitigates,0 +3520,,T1558.004,AS-REP Roasting,[],[],,SC-4,mitigates,0 +3521,,T1564.009,Resource Forking,[],[],,SC-4,mitigates,0 +3522,,T1565,Data Manipulation,[],[],,SC-4,mitigates,0 +3523,,T1565.001,Stored Data Manipulation,[],[],,SC-4,mitigates,0 +3524,,T1565.002,Transmitted Data Manipulation,[],[],,SC-4,mitigates,0 +3525,,T1565.003,Runtime Data Manipulation,[],[],,SC-4,mitigates,0 +3526,,T1602,Data from Configuration Repository,[],[],,SC-4,mitigates,0 +3527,,T1602.001,SNMP (MIB 
Dump),[],[],,SC-4,mitigates,0 +3528,,T1602.002,Network Device Configuration Dump,[],[],,SC-4,mitigates,0 +3529,,T1025,Data from Removable Media,[],[],,SC-41,mitigates,0 +3530,,T1052,Exfiltration Over Physical Medium,[],[],,SC-41,mitigates,0 +3531,,T1052.001,Exfiltration over USB,[],[],,SC-41,mitigates,0 +3532,,T1091,Replication Through Removable Media,[],[],,SC-41,mitigates,0 +3533,,T1200,Hardware Additions,[],[],,SC-41,mitigates,0 +3534,,T1204,User Execution,[],[],,SC-44,mitigates,0 +3535,,T1204.001,Malicious Link,[],[],,SC-44,mitigates,0 +3536,,T1204.002,Malicious File,[],[],,SC-44,mitigates,0 +3537,,T1204.003,Malicious Image,[],[],,SC-44,mitigates,0 +3538,,T1221,Template Injection,[],[],,SC-44,mitigates,0 +3539,,T1564.009,Resource Forking,[],[],,SC-44,mitigates,0 +3540,,T1566,Phishing,[],[],,SC-44,mitigates,0 +3541,,T1566.001,Spearphishing Attachment,[],[],,SC-44,mitigates,0 +3542,,T1566.002,Spearphishing Link,[],[],,SC-44,mitigates,0 +3543,,T1566.003,Spearphishing via Service,[],[],,SC-44,mitigates,0 +3544,,T1598,Phishing for Information,[],[],,SC-44,mitigates,0 +3545,,T1598.001,Spearphishing Service,[],[],,SC-44,mitigates,0 +3546,,T1598.002,Spearphishing Attachment,[],[],,SC-44,mitigates,0 +3547,,T1598.003,Spearphishing Link,[],[],,SC-44,mitigates,0 +3548,,T1564.009,Resource Forking,[],[],,SC-6,mitigates,0 +3549,,T1001,Data Obfuscation,[],[],,SC-7,mitigates,0 +3550,,T1001.001,Junk Data,[],[],,SC-7,mitigates,0 +3551,,T1001.002,Steganography,[],[],,SC-7,mitigates,0 +3552,,T1001.003,Protocol Impersonation,[],[],,SC-7,mitigates,0 +3553,,T1008,Fallback Channels,[],[],,SC-7,mitigates,0 +3554,,T1020.001,Traffic Duplication,[],[],,SC-7,mitigates,0 +3555,,T1021.001,Remote Desktop Protocol,[],[],,SC-7,mitigates,0 +3556,,T1021.002,SMB/Windows Admin Shares,[],[],,SC-7,mitigates,0 +3557,,T1021.003,Distributed Component Object Model,[],[],,SC-7,mitigates,0 +3558,,T1021.005,VNC,[],[],,SC-7,mitigates,0 +3559,,T1021.006,Windows Remote Management,[],[],,SC-7,mitigates,0 
+3560,,T1029,Scheduled Transfer,[],[],,SC-7,mitigates,0 +3561,,T1030,Data Transfer Size Limits,[],[],,SC-7,mitigates,0 +3562,,T1041,Exfiltration Over C2 Channel,[],[],,SC-7,mitigates,0 +3563,,T1046,Network Service Scanning,[],[],,SC-7,mitigates,0 +3564,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-7,mitigates,0 +3565,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,0 +3566,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,0 +3567,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-7,mitigates,0 +3568,,T1055,Process Injection,[],[],,SC-7,mitigates,0 +3569,,T1055.001,Dynamic-link Library Injection,[],[],,SC-7,mitigates,0 +3570,,T1055.002,Portable Executable Injection,[],[],,SC-7,mitigates,0 +3571,,T1055.003,Thread Execution Hijacking,[],[],,SC-7,mitigates,0 +3572,,T1055.004,Asynchronous Procedure Call,[],[],,SC-7,mitigates,0 +3573,,T1055.005,Thread Local Storage,[],[],,SC-7,mitigates,0 +3574,,T1055.008,Ptrace System Calls,[],[],,SC-7,mitigates,0 +3575,,T1055.009,Proc Memory,[],[],,SC-7,mitigates,0 +3576,,T1055.011,Extra Window Memory Injection,[],[],,SC-7,mitigates,0 +3577,,T1055.012,Process Hollowing,[],[],,SC-7,mitigates,0 +3578,,T1055.013,Process Doppelgänging,[],[],,SC-7,mitigates,0 +3579,,T1055.014,VDSO Hijacking,[],[],,SC-7,mitigates,0 +3580,,T1068,Exploitation for Privilege Escalation,[],[],,SC-7,mitigates,0 +3581,,T1071,Application Layer Protocol,[],[],,SC-7,mitigates,0 +3582,,T1071.001,Web Protocols,[],[],,SC-7,mitigates,0 +3583,,T1071.002,File Transfer Protocols,[],[],,SC-7,mitigates,0 +3584,,T1071.003,Mail Protocols,[],[],,SC-7,mitigates,0 +3585,,T1071.004,DNS,[],[],,SC-7,mitigates,0 +3586,,T1072,Software Deployment Tools,[],[],,SC-7,mitigates,0 +3587,,T1080,Taint Shared Content,[],[],,SC-7,mitigates,0 +3588,,T1090,Proxy,[],[],,SC-7,mitigates,0 +3589,,T1090.001,Internal Proxy,[],[],,SC-7,mitigates,0 +3590,,T1090.002,External 
Proxy,[],[],,SC-7,mitigates,0 +3591,,T1090.003,Multi-hop Proxy,[],[],,SC-7,mitigates,0 +3592,,T1095,Non-Application Layer Protocol,[],[],,SC-7,mitigates,0 +3593,,T1098,Account Manipulation,[],[],,SC-7,mitigates,0 +3594,,T1098.001,Additional Cloud Credentials,[],[],,SC-7,mitigates,0 +3595,,T1102,Web Service,[],[],,SC-7,mitigates,0 +3596,,T1102.001,Dead Drop Resolver,[],[],,SC-7,mitigates,0 +3597,,T1102.002,Bidirectional Communication,[],[],,SC-7,mitigates,0 +3598,,T1102.003,One-Way Communication,[],[],,SC-7,mitigates,0 +3599,,T1104,Multi-Stage Channels,[],[],,SC-7,mitigates,0 +3600,,T1105,Ingress Tool Transfer,[],[],,SC-7,mitigates,0 +3601,,T1114,Email Collection,[],[],,SC-7,mitigates,0 +3602,,T1114.003,Email Forwarding Rule,[],[],,SC-7,mitigates,0 +3603,,T1132,Data Encoding,[],[],,SC-7,mitigates,0 +3604,,T1132.001,Standard Encoding,[],[],,SC-7,mitigates,0 +3605,,T1132.002,Non-Standard Encoding,[],[],,SC-7,mitigates,0 +3606,,T1133,External Remote Services,[],[],,SC-7,mitigates,0 +3607,,T1136,Create Account,[],[],,SC-7,mitigates,0 +3608,,T1136.002,Domain Account,[],[],,SC-7,mitigates,0 +3609,,T1136.003,Cloud Account,[],[],,SC-7,mitigates,0 +3610,,T1176,Browser Extensions,[],[],,SC-7,mitigates,0 +3611,,T1187,Forced Authentication,[],[],,SC-7,mitigates,0 +3612,,T1189,Drive-by Compromise,[],[],,SC-7,mitigates,0 +3613,,T1190,Exploit Public-Facing Application,[],[],,SC-7,mitigates,0 +3614,,T1197,BITS Jobs,[],[],,SC-7,mitigates,0 +3615,,T1199,Trusted Relationship,[],[],,SC-7,mitigates,0 +3616,,T1203,Exploitation for Client Execution,[],[],,SC-7,mitigates,0 +3617,,T1204,User Execution,[],[],,SC-7,mitigates,0 +3618,,T1204.001,Malicious Link,[],[],,SC-7,mitigates,0 +3619,,T1204.002,Malicious File,[],[],,SC-7,mitigates,0 +3620,,T1204.003,Malicious Image,[],[],,SC-7,mitigates,0 +3621,,T1205,Traffic Signaling,[],[],,SC-7,mitigates,0 +3622,,T1205.001,Port Knocking,[],[],,SC-7,mitigates,0 +3623,,T1210,Exploitation of Remote Services,[],[],,SC-7,mitigates,0 
+3624,,T1211,Exploitation for Defense Evasion,[],[],,SC-7,mitigates,0 +3625,,T1212,Exploitation for Credential Access,[],[],,SC-7,mitigates,0 +3626,,T1218.012,Verclsid,[],[],,SC-7,mitigates,0 +3627,,T1219,Remote Access Software,[],[],,SC-7,mitigates,0 +3628,,T1221,Template Injection,[],[],,SC-7,mitigates,0 +3629,,T1482,Domain Trust Discovery,[],[],,SC-7,mitigates,0 +3630,,T1489,Service Stop,[],[],,SC-7,mitigates,0 +3631,,T1498,Network Denial of Service,[],[],,SC-7,mitigates,0 +3632,,T1498.001,Direct Network Flood,[],[],,SC-7,mitigates,0 +3633,,T1498.002,Reflection Amplification,[],[],,SC-7,mitigates,0 +3634,,T1499,Endpoint Denial of Service,[],[],,SC-7,mitigates,0 +3635,,T1499.001,OS Exhaustion Flood,[],[],,SC-7,mitigates,0 +3636,,T1499.002,Service Exhaustion Flood,[],[],,SC-7,mitigates,0 +3637,,T1499.003,Application Exhaustion Flood,[],[],,SC-7,mitigates,0 +3638,,T1499.004,Application or System Exploitation,[],[],,SC-7,mitigates,0 +3639,,T1505.004,IIS Components,[],[],,SC-7,mitigates,0 +3640,,T1530,Data from Cloud Storage Object,[],[],,SC-7,mitigates,0 +3641,,T1537,Transfer Data to Cloud Account,[],[],,SC-7,mitigates,0 +3642,,T1542,Pre-OS Boot,[],[],,SC-7,mitigates,0 +3643,,T1542.004,ROMMONkit,[],[],,SC-7,mitigates,0 +3644,,T1542.005,TFTP Boot,[],[],,SC-7,mitigates,0 +3645,,T1552,Unsecured Credentials,[],[],,SC-7,mitigates,0 +3646,,T1552.001,Credentials In Files,[],[],,SC-7,mitigates,0 +3647,,T1552.004,Private Keys,[],[],,SC-7,mitigates,0 +3648,,T1552.005,Cloud Instance Metadata API,[],[],,SC-7,mitigates,0 +3649,,T1552.007,Container API,[],[],,SC-7,mitigates,0 +3650,,T1557,Adversary-in-the-Middle,[],[],,SC-7,mitigates,0 +3651,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-7,mitigates,0 +3652,,T1557.002,ARP Cache Poisoning,[],[],,SC-7,mitigates,0 +3653,,T1559,Inter-Process Communication,[],[],,SC-7,mitigates,0 +3654,,T1559.001,Component Object Model,[],[],,SC-7,mitigates,0 +3655,,T1559.002,Dynamic Data Exchange,[],[],,SC-7,mitigates,0 
+3656,,T1560,Archive Collected Data,[],[],,SC-7,mitigates,0 +3657,,T1560.001,Archive via Utility,[],[],,SC-7,mitigates,0 +3658,,T1563,Remote Service Session Hijacking,[],[],,SC-7,mitigates,0 +3659,,T1563.002,RDP Hijacking,[],[],,SC-7,mitigates,0 +3660,,T1565,Data Manipulation,[],[],,SC-7,mitigates,0 +3661,,T1565.001,Stored Data Manipulation,[],[],,SC-7,mitigates,0 +3662,,T1565.003,Runtime Data Manipulation,[],[],,SC-7,mitigates,0 +3663,,T1566,Phishing,[],[],,SC-7,mitigates,0 +3664,,T1566.001,Spearphishing Attachment,[],[],,SC-7,mitigates,0 +3665,,T1566.002,Spearphishing Link,[],[],,SC-7,mitigates,0 +3666,,T1566.003,Spearphishing via Service,[],[],,SC-7,mitigates,0 +3667,,T1567,Exfiltration Over Web Service,[],[],,SC-7,mitigates,0 +3668,,T1567.001,Exfiltration to Code Repository,[],[],,SC-7,mitigates,0 +3669,,T1567.002,Exfiltration to Cloud Storage,[],[],,SC-7,mitigates,0 +3670,,T1568,Dynamic Resolution,[],[],,SC-7,mitigates,0 +3671,,T1568.002,Domain Generation Algorithms,[],[],,SC-7,mitigates,0 +3672,,T1570,Lateral Tool Transfer,[],[],,SC-7,mitigates,0 +3673,,T1571,Non-Standard Port,[],[],,SC-7,mitigates,0 +3674,,T1572,Protocol Tunneling,[],[],,SC-7,mitigates,0 +3675,,T1573,Encrypted Channel,[],[],,SC-7,mitigates,0 +3676,,T1573.001,Symmetric Cryptography,[],[],,SC-7,mitigates,0 +3677,,T1573.002,Asymmetric Cryptography,[],[],,SC-7,mitigates,0 +3678,,T1598,Phishing for Information,[],[],,SC-7,mitigates,0 +3679,,T1598.001,Spearphishing Service,[],[],,SC-7,mitigates,0 +3680,,T1598.002,Spearphishing Attachment,[],[],,SC-7,mitigates,0 +3681,,T1598.003,Spearphishing Link,[],[],,SC-7,mitigates,0 +3682,,T1599,Network Boundary Bridging,[],[],,SC-7,mitigates,0 +3683,,T1599.001,Network Address Translation Traversal,[],[],,SC-7,mitigates,0 +3684,,T1602,Data from Configuration Repository,[],[],,SC-7,mitigates,0 +3685,,T1602.001,SNMP (MIB Dump),[],[],,SC-7,mitigates,0 +3686,,T1602.002,Network Device Configuration Dump,[],[],,SC-7,mitigates,0 +3687,,T1609,Container Administration 
Command,[],[],,SC-7,mitigates,0 +3688,,T1610,Deploy Container,[],[],,SC-7,mitigates,0 +3689,,T1611,Escape to Host,[],[],,SC-7,mitigates,0 +3690,,T1612,Build Image on Host,[],[],,SC-7,mitigates,0 +3691,,T1613,Container and Resource Discovery,[],[],,SC-7,mitigates,0 +3692,,T1020.001,Traffic Duplication,[],[],,SC-8,mitigates,0 +3693,,T1040,Network Sniffing,[],[],,SC-8,mitigates,0 +3694,,T1090,Proxy,[],[],,SC-8,mitigates,0 +3695,,T1090.004,Domain Fronting,[],[],,SC-8,mitigates,0 +3696,,T1550.001,Application Access Token,[],[],,SC-8,mitigates,0 +3697,,T1550.004,Web Session Cookie,[],[],,SC-8,mitigates,0 +3698,,T1552.007,Container API,[],[],,SC-8,mitigates,0 +3699,,T1557,Adversary-in-the-Middle,[],[],,SC-8,mitigates,0 +3700,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-8,mitigates,0 +3701,,T1557.002,ARP Cache Poisoning,[],[],,SC-8,mitigates,0 +3702,,T1562.006,Indicator Blocking,[],[],,SC-8,mitigates,0 +3703,,T1562.009,Safe Mode Boot,[],[],,SC-8,mitigates,0 +3704,,T1602,Data from Configuration Repository,[],[],,SC-8,mitigates,0 +3705,,T1602.001,SNMP (MIB Dump),[],[],,SC-8,mitigates,0 +3706,,T1602.002,Network Device Configuration Dump,[],[],,SC-8,mitigates,0 +3707,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-10,mitigates,0 +3708,,T1021.005,VNC,[],[],,SI-10,mitigates,0 +3709,,T1036,Masquerading,[],[],,SI-10,mitigates,0 +3710,,T1036.005,Match Legitimate Name or Location,[],[],,SI-10,mitigates,0 +3711,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-10,mitigates,0 +3712,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,0 +3713,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,0 +3714,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-10,mitigates,0 +3715,,T1059,Command and Scripting Interpreter,[],[],,SI-10,mitigates,0 +3716,,T1059.001,PowerShell,[],[],,SI-10,mitigates,0 +3717,,T1059.002,AppleScript,[],[],,SI-10,mitigates,0 +3718,,T1059.003,Windows 
Command Shell,[],[],,SI-10,mitigates,0 +3719,,T1059.004,Unix Shell,[],[],,SI-10,mitigates,0 +3720,,T1059.005,Visual Basic,[],[],,SI-10,mitigates,0 +3721,,T1059.006,Python,[],[],,SI-10,mitigates,0 +3722,,T1059.007,JavaScript,[],[],,SI-10,mitigates,0 +3723,,T1059.008,Network Device CLI,[],[],,SI-10,mitigates,0 +3724,,T1071.004,DNS,[],[],,SI-10,mitigates,0 +3725,,T1080,Taint Shared Content,[],[],,SI-10,mitigates,0 +3726,,T1090,Proxy,[],[],,SI-10,mitigates,0 +3727,,T1090.003,Multi-hop Proxy,[],[],,SI-10,mitigates,0 +3728,,T1095,Non-Application Layer Protocol,[],[],,SI-10,mitigates,0 +3729,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-10,mitigates,0 +3730,,T1129,Shared Modules,[],[],,SI-10,mitigates,0 +3731,,T1176,Browser Extensions,[],[],,SI-10,mitigates,0 +3732,,T1187,Forced Authentication,[],[],,SI-10,mitigates,0 +3733,,T1190,Exploit Public-Facing Application,[],[],,SI-10,mitigates,0 +3734,,T1197,BITS Jobs,[],[],,SI-10,mitigates,0 +3735,,T1204,User Execution,[],[],,SI-10,mitigates,0 +3736,,T1204.002,Malicious File,[],[],,SI-10,mitigates,0 +3737,,T1216,Signed Script Proxy Execution,[],[],,SI-10,mitigates,0 +3738,,T1216.001,PubPrn,[],[],,SI-10,mitigates,0 +3739,,T1218,Signed Binary Proxy Execution,[],[],,SI-10,mitigates,0 +3740,,T1218.001,Compiled HTML File,[],[],,SI-10,mitigates,0 +3741,,T1218.002,Control Panel,[],[],,SI-10,mitigates,0 +3742,,T1218.003,CMSTP,[],[],,SI-10,mitigates,0 +3743,,T1218.004,InstallUtil,[],[],,SI-10,mitigates,0 +3744,,T1218.005,Mshta,[],[],,SI-10,mitigates,0 +3745,,T1218.008,Odbcconf,[],[],,SI-10,mitigates,0 +3746,,T1218.009,Regsvcs/Regasm,[],[],,SI-10,mitigates,0 +3747,,T1218.010,Regsvr32,[],[],,SI-10,mitigates,0 +3748,,T1218.011,Rundll32,[],[],,SI-10,mitigates,0 +3749,,T1218.012,Verclsid,[],[],,SI-10,mitigates,0 +3750,,T1218.013,Mavinject,[],[],,SI-10,mitigates,0 +3751,,T1218.014,MMC,[],[],,SI-10,mitigates,0 +3752,,T1219,Remote Access Software,[],[],,SI-10,mitigates,0 +3753,,T1220,XSL Script Processing,[],[],,SI-10,mitigates,0 
+3754,,T1221,Template Injection,[],[],,SI-10,mitigates,0 +3755,,T1498,Network Denial of Service,[],[],,SI-10,mitigates,0 +3756,,T1498.001,Direct Network Flood,[],[],,SI-10,mitigates,0 +3757,,T1498.002,Reflection Amplification,[],[],,SI-10,mitigates,0 +3758,,T1499,Endpoint Denial of Service,[],[],,SI-10,mitigates,0 +3759,,T1499.001,OS Exhaustion Flood,[],[],,SI-10,mitigates,0 +3760,,T1499.002,Service Exhaustion Flood,[],[],,SI-10,mitigates,0 +3761,,T1499.003,Application Exhaustion Flood,[],[],,SI-10,mitigates,0 +3762,,T1499.004,Application or System Exploitation,[],[],,SI-10,mitigates,0 +3763,,T1530,Data from Cloud Storage Object,[],[],,SI-10,mitigates,0 +3764,,T1537,Transfer Data to Cloud Account,[],[],,SI-10,mitigates,0 +3765,,T1546.002,Screensaver,[],[],,SI-10,mitigates,0 +3766,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-10,mitigates,0 +3767,,T1546.008,Accessibility Features,[],[],,SI-10,mitigates,0 +3768,,T1546.009,AppCert DLLs,[],[],,SI-10,mitigates,0 +3769,,T1547.004,Winlogon Helper DLL,[],[],,SI-10,mitigates,0 +3770,,T1547.006,Kernel Modules and Extensions,[],[],,SI-10,mitigates,0 +3771,,T1552,Unsecured Credentials,[],[],,SI-10,mitigates,0 +3772,,T1552.005,Cloud Instance Metadata API,[],[],,SI-10,mitigates,0 +3773,,T1553,Subvert Trust Controls,[],[],,SI-10,mitigates,0 +3774,,T1553.001,Gatekeeper Bypass,[],[],,SI-10,mitigates,0 +3775,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-10,mitigates,0 +3776,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-10,mitigates,0 +3777,,T1557,Adversary-in-the-Middle,[],[],,SI-10,mitigates,0 +3778,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-10,mitigates,0 +3779,,T1557.002,ARP Cache Poisoning,[],[],,SI-10,mitigates,0 +3780,,T1564.003,Hidden Window,[],[],,SI-10,mitigates,0 +3781,,T1564.006,Run Virtual Instance,[],[],,SI-10,mitigates,0 +3782,,T1564.009,Resource Forking,[],[],,SI-10,mitigates,0 +3783,,T1570,Lateral Tool Transfer,[],[],,SI-10,mitigates,0 +3784,,T1572,Protocol Tunneling,[],[],,SI-10,mitigates,0 
+3785,,T1574,Hijack Execution Flow,[],[],,SI-10,mitigates,0 +3786,,T1574.001,DLL Search Order Hijacking,[],[],,SI-10,mitigates,0 +3787,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-10,mitigates,0 +3788,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-10,mitigates,0 +3789,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-10,mitigates,0 +3790,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-10,mitigates,0 +3791,,T1574.012,COR_PROFILER,[],[],,SI-10,mitigates,0 +3792,,T1599,Network Boundary Bridging,[],[],,SI-10,mitigates,0 +3793,,T1599.001,Network Address Translation Traversal,[],[],,SI-10,mitigates,0 +3794,,T1602,Data from Configuration Repository,[],[],,SI-10,mitigates,0 +3795,,T1602.001,SNMP (MIB Dump),[],[],,SI-10,mitigates,0 +3796,,T1602.002,Network Device Configuration Dump,[],[],,SI-10,mitigates,0 +3797,,T1609,Container Administration Command,[],[],,SI-10,mitigates,0 +3798,,T1003,OS Credential Dumping,[],[],,SI-12,mitigates,0 +3799,,T1003.003,NTDS,[],[],,SI-12,mitigates,0 +3800,,T1020.001,Traffic Duplication,[],[],,SI-12,mitigates,0 +3801,,T1040,Network Sniffing,[],[],,SI-12,mitigates,0 +3802,,T1070,Indicator Removal on Host,[],[],,SI-12,mitigates,0 +3803,,T1070.001,Clear Windows Event Logs,[],[],,SI-12,mitigates,0 +3804,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-12,mitigates,0 +3805,,T1114,Email Collection,[],[],,SI-12,mitigates,0 +3806,,T1114.001,Local Email Collection,[],[],,SI-12,mitigates,0 +3807,,T1114.002,Remote Email Collection,[],[],,SI-12,mitigates,0 +3808,,T1114.003,Email Forwarding Rule,[],[],,SI-12,mitigates,0 +3809,,T1119,Automated Collection,[],[],,SI-12,mitigates,0 +3810,,T1530,Data from Cloud Storage Object,[],[],,SI-12,mitigates,0 +3811,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-12,mitigates,0 +3812,,T1548.004,Elevated Execution with Prompt,[],[],,SI-12,mitigates,0 +3813,,T1550.001,Application Access Token,[],[],,SI-12,mitigates,0 +3814,,T1552,Unsecured 
Credentials,[],[],,SI-12,mitigates,0 +3815,,T1552.004,Private Keys,[],[],,SI-12,mitigates,0 +3816,,T1557,Adversary-in-the-Middle,[],[],,SI-12,mitigates,0 +3817,,T1557.002,ARP Cache Poisoning,[],[],,SI-12,mitigates,0 +3818,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-12,mitigates,0 +3819,,T1558.002,Silver Ticket,[],[],,SI-12,mitigates,0 +3820,,T1558.003,Kerberoasting,[],[],,SI-12,mitigates,0 +3821,,T1558.004,AS-REP Roasting,[],[],,SI-12,mitigates,0 +3822,,T1565,Data Manipulation,[],[],,SI-12,mitigates,0 +3823,,T1565.001,Stored Data Manipulation,[],[],,SI-12,mitigates,0 +3824,,T1565.002,Transmitted Data Manipulation,[],[],,SI-12,mitigates,0 +3825,,T1602,Data from Configuration Repository,[],[],,SI-12,mitigates,0 +3826,,T1602.001,SNMP (MIB Dump),[],[],,SI-12,mitigates,0 +3827,,T1602.002,Network Device Configuration Dump,[],[],,SI-12,mitigates,0 +3828,,T1505,Server Software Component,[],[],,SI-14,mitigates,0 +3829,,T1505.001,SQL Stored Procedures,[],[],,SI-14,mitigates,0 +3830,,T1505.002,Transport Agent,[],[],,SI-14,mitigates,0 +3831,,T1505.004,IIS Components,[],[],,SI-14,mitigates,0 +3832,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-14,mitigates,0 +3833,,T1547.004,Winlogon Helper DLL,[],[],,SI-14,mitigates,0 +3834,,T1547.006,Kernel Modules and Extensions,[],[],,SI-14,mitigates,0 +3835,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-15,mitigates,0 +3836,,T1021.005,VNC,[],[],,SI-15,mitigates,0 +3837,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-15,mitigates,0 +3838,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,0 +3839,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,0 +3840,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-15,mitigates,0 +3841,,T1071.004,DNS,[],[],,SI-15,mitigates,0 +3842,,T1090,Proxy,[],[],,SI-15,mitigates,0 +3843,,T1090.003,Multi-hop Proxy,[],[],,SI-15,mitigates,0 +3844,,T1095,Non-Application Layer 
Protocol,[],[],,SI-15,mitigates,0 +3845,,T1187,Forced Authentication,[],[],,SI-15,mitigates,0 +3846,,T1197,BITS Jobs,[],[],,SI-15,mitigates,0 +3847,,T1205,Traffic Signaling,[],[],,SI-15,mitigates,0 +3848,,T1205.001,Port Knocking,[],[],,SI-15,mitigates,0 +3849,,T1218.012,Verclsid,[],[],,SI-15,mitigates,0 +3850,,T1219,Remote Access Software,[],[],,SI-15,mitigates,0 +3851,,T1498,Network Denial of Service,[],[],,SI-15,mitigates,0 +3852,,T1498.001,Direct Network Flood,[],[],,SI-15,mitigates,0 +3853,,T1498.002,Reflection Amplification,[],[],,SI-15,mitigates,0 +3854,,T1499,Endpoint Denial of Service,[],[],,SI-15,mitigates,0 +3855,,T1499.001,OS Exhaustion Flood,[],[],,SI-15,mitigates,0 +3856,,T1499.002,Service Exhaustion Flood,[],[],,SI-15,mitigates,0 +3857,,T1499.003,Application Exhaustion Flood,[],[],,SI-15,mitigates,0 +3858,,T1499.004,Application or System Exploitation,[],[],,SI-15,mitigates,0 +3859,,T1530,Data from Cloud Storage Object,[],[],,SI-15,mitigates,0 +3860,,T1537,Transfer Data to Cloud Account,[],[],,SI-15,mitigates,0 +3861,,T1552,Unsecured Credentials,[],[],,SI-15,mitigates,0 +3862,,T1552.005,Cloud Instance Metadata API,[],[],,SI-15,mitigates,0 +3863,,T1557,Adversary-in-the-Middle,[],[],,SI-15,mitigates,0 +3864,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-15,mitigates,0 +3865,,T1557.002,ARP Cache Poisoning,[],[],,SI-15,mitigates,0 +3866,,T1564.009,Resource Forking,[],[],,SI-15,mitigates,0 +3867,,T1570,Lateral Tool Transfer,[],[],,SI-15,mitigates,0 +3868,,T1572,Protocol Tunneling,[],[],,SI-15,mitigates,0 +3869,,T1599,Network Boundary Bridging,[],[],,SI-15,mitigates,0 +3870,,T1599.001,Network Address Translation Traversal,[],[],,SI-15,mitigates,0 +3871,,T1602,Data from Configuration Repository,[],[],,SI-15,mitigates,0 +3872,,T1602.001,SNMP (MIB Dump),[],[],,SI-15,mitigates,0 +3873,,T1602.002,Network Device Configuration Dump,[],[],,SI-15,mitigates,0 +3874,,T1047,Windows Management Instrumentation,[],[],,SI-16,mitigates,0 +3875,,T1055.009,Proc 
Memory,[],[],,SI-16,mitigates,0 +3876,,T1543,Create or Modify System Process,[],[],,SI-16,mitigates,0 +3877,,T1543.002,Systemd Service,[],[],,SI-16,mitigates,0 +3878,,T1565,Data Manipulation,[],[],,SI-16,mitigates,0 +3879,,T1565.001,Stored Data Manipulation,[],[],,SI-16,mitigates,0 +3880,,T1565.003,Runtime Data Manipulation,[],[],,SI-16,mitigates,0 +3881,,T1611,Escape to Host,[],[],,SI-16,mitigates,0 +3882,,T1003,OS Credential Dumping,[],[],,SI-2,mitigates,0 +3883,,T1003.001,LSASS Memory,[],[],,SI-2,mitigates,0 +3884,,T1027,Obfuscated Files or Information,[],[],,SI-2,mitigates,0 +3885,,T1027.002,Software Packing,[],[],,SI-2,mitigates,0 +3886,,T1047,Windows Management Instrumentation,[],[],,SI-2,mitigates,0 +3887,,T1055,Process Injection,[],[],,SI-2,mitigates,0 +3888,,T1055.001,Dynamic-link Library Injection,[],[],,SI-2,mitigates,0 +3889,,T1055.002,Portable Executable Injection,[],[],,SI-2,mitigates,0 +3890,,T1055.003,Thread Execution Hijacking,[],[],,SI-2,mitigates,0 +3891,,T1055.004,Asynchronous Procedure Call,[],[],,SI-2,mitigates,0 +3892,,T1055.005,Thread Local Storage,[],[],,SI-2,mitigates,0 +3893,,T1055.008,Ptrace System Calls,[],[],,SI-2,mitigates,0 +3894,,T1055.009,Proc Memory,[],[],,SI-2,mitigates,0 +3895,,T1055.011,Extra Window Memory Injection,[],[],,SI-2,mitigates,0 +3896,,T1055.012,Process Hollowing,[],[],,SI-2,mitigates,0 +3897,,T1055.013,Process Doppelgänging,[],[],,SI-2,mitigates,0 +3898,,T1055.014,VDSO Hijacking,[],[],,SI-2,mitigates,0 +3899,,T1059,Command and Scripting Interpreter,[],[],,SI-2,mitigates,0 +3900,,T1059.001,PowerShell,[],[],,SI-2,mitigates,0 +3901,,T1059.005,Visual Basic,[],[],,SI-2,mitigates,0 +3902,,T1059.006,Python,[],[],,SI-2,mitigates,0 +3903,,T1068,Exploitation for Privilege Escalation,[],[],,SI-2,mitigates,0 +3904,,T1072,Software Deployment Tools,[],[],,SI-2,mitigates,0 +3905,,T1106,Native API,[],[],,SI-2,mitigates,0 +3906,,T1137,Office Application Startup,[],[],,SI-2,mitigates,0 +3907,,T1137.003,Outlook 
Forms,[],[],,SI-2,mitigates,0 +3908,,T1137.004,Outlook Home Page,[],[],,SI-2,mitigates,0 +3909,,T1137.005,Outlook Rules,[],[],,SI-2,mitigates,0 +3910,,T1189,Drive-by Compromise,[],[],,SI-2,mitigates,0 +3911,,T1190,Exploit Public-Facing Application,[],[],,SI-2,mitigates,0 +3912,,T1195,Supply Chain Compromise,[],[],,SI-2,mitigates,0 +3913,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SI-2,mitigates,0 +3914,,T1195.002,Compromise Software Supply Chain,[],[],,SI-2,mitigates,0 +3915,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-2,mitigates,0 +3916,,T1204,User Execution,[],[],,SI-2,mitigates,0 +3917,,T1204.001,Malicious Link,[],[],,SI-2,mitigates,0 +3918,,T1204.003,Malicious Image,[],[],,SI-2,mitigates,0 +3919,,T1210,Exploitation of Remote Services,[],[],,SI-2,mitigates,0 +3920,,T1211,Exploitation for Defense Evasion,[],[],,SI-2,mitigates,0 +3921,,T1212,Exploitation for Credential Access,[],[],,SI-2,mitigates,0 +3922,,T1213.003,Code Repositories,[],[],,SI-2,mitigates,0 +3923,,T1221,Template Injection,[],[],,SI-2,mitigates,0 +3924,,T1495,Firmware Corruption,[],[],,SI-2,mitigates,0 +3925,,T1525,Implant Internal Image,[],[],,SI-2,mitigates,0 +3926,,T1542,Pre-OS Boot,[],[],,SI-2,mitigates,0 +3927,,T1542.001,System Firmware,[],[],,SI-2,mitigates,0 +3928,,T1542.003,Bootkit,[],[],,SI-2,mitigates,0 +3929,,T1542.004,ROMMONkit,[],[],,SI-2,mitigates,0 +3930,,T1542.005,TFTP Boot,[],[],,SI-2,mitigates,0 +3931,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-2,mitigates,0 +3932,,T1546.010,AppInit DLLs,[],[],,SI-2,mitigates,0 +3933,,T1546.011,Application Shimming,[],[],,SI-2,mitigates,0 +3934,,T1547.006,Kernel Modules and Extensions,[],[],,SI-2,mitigates,0 +3935,,T1548.002,Bypass User Account Control,[],[],,SI-2,mitigates,0 +3936,,T1550.002,Pass the Hash,[],[],,SI-2,mitigates,0 +3937,,T1552,Unsecured Credentials,[],[],,SI-2,mitigates,0 +3938,,T1552.006,Group Policy Preferences,[],[],,SI-2,mitigates,0 +3939,,T1553,Subvert Trust 
Controls,[],[],,SI-2,mitigates,0 +3940,,T1553.006,Code Signing Policy Modification,[],[],,SI-2,mitigates,0 +3941,,T1555.005,Password Managers,[],[],,SI-2,mitigates,0 +3942,,T1559,Inter-Process Communication,[],[],,SI-2,mitigates,0 +3943,,T1559.002,Dynamic Data Exchange,[],[],,SI-2,mitigates,0 +3944,,T1566,Phishing,[],[],,SI-2,mitigates,0 +3945,,T1566.003,Spearphishing via Service,[],[],,SI-2,mitigates,0 +3946,,T1574,Hijack Execution Flow,[],[],,SI-2,mitigates,0 +3947,,T1574.002,DLL Side-Loading,[],[],,SI-2,mitigates,0 +3948,,T1601,Modify System Image,[],[],,SI-2,mitigates,0 +3949,,T1601.001,Patch System Image,[],[],,SI-2,mitigates,0 +3950,,T1601.002,Downgrade System Image,[],[],,SI-2,mitigates,0 +3951,,T1606,Forge Web Credentials,[],[],,SI-2,mitigates,0 +3952,,T1606.001,Web Cookies,[],[],,SI-2,mitigates,0 +3953,,T1611,Escape to Host,[],[],,SI-2,mitigates,0 +3954,,T1001,Data Obfuscation,[],[],,SI-3,mitigates,0 +3955,,T1001.001,Junk Data,[],[],,SI-3,mitigates,0 +3956,,T1001.002,Steganography,[],[],,SI-3,mitigates,0 +3957,,T1001.003,Protocol Impersonation,[],[],,SI-3,mitigates,0 +3958,,T1003,OS Credential Dumping,[],[],,SI-3,mitigates,0 +3959,,T1003.001,LSASS Memory,[],[],,SI-3,mitigates,0 +3960,,T1003.002,Security Account Manager,[],[],,SI-3,mitigates,0 +3961,,T1003.003,NTDS,[],[],,SI-3,mitigates,0 +3962,,T1003.004,LSA Secrets,[],[],,SI-3,mitigates,0 +3963,,T1003.005,Cached Domain Credentials,[],[],,SI-3,mitigates,0 +3964,,T1003.006,DCSync,[],[],,SI-3,mitigates,0 +3965,,T1003.007,Proc Filesystem,[],[],,SI-3,mitigates,0 +3966,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-3,mitigates,0 +3967,,T1005,Data from Local System,[],[],,SI-3,mitigates,0 +3968,,T1008,Fallback Channels,[],[],,SI-3,mitigates,0 +3969,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-3,mitigates,0 +3970,,T1021.003,Distributed Component Object Model,[],[],,SI-3,mitigates,0 +3971,,T1021.005,VNC,[],[],,SI-3,mitigates,0 +3972,,T1025,Data from Removable Media,[],[],,SI-3,mitigates,0 
+3973,,T1027,Obfuscated Files or Information,[],[],,SI-3,mitigates,0 +3974,,T1027.002,Software Packing,[],[],,SI-3,mitigates,0 +3975,,T1029,Scheduled Transfer,[],[],,SI-3,mitigates,0 +3976,,T1030,Data Transfer Size Limits,[],[],,SI-3,mitigates,0 +3977,,T1036,Masquerading,[],[],,SI-3,mitigates,0 +3978,,T1036.003,Rename System Utilities,[],[],,SI-3,mitigates,0 +3979,,T1036.005,Match Legitimate Name or Location,[],[],,SI-3,mitigates,0 +3980,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-3,mitigates,0 +3981,,T1037.002,Logon Script (Mac),[],[],,SI-3,mitigates,0 +3982,,T1037.003,Network Logon Script,[],[],,SI-3,mitigates,0 +3983,,T1037.004,RC Scripts,[],[],,SI-3,mitigates,0 +3984,,T1037.005,Startup Items,[],[],,SI-3,mitigates,0 +3985,,T1041,Exfiltration Over C2 Channel,[],[],,SI-3,mitigates,0 +3986,,T1046,Network Service Scanning,[],[],,SI-3,mitigates,0 +3987,,T1047,Windows Management Instrumentation,[],[],,SI-3,mitigates,0 +3988,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-3,mitigates,0 +3989,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,0 +3990,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,0 +3991,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-3,mitigates,0 +3992,,T1052,Exfiltration Over Physical Medium,[],[],,SI-3,mitigates,0 +3993,,T1052.001,Exfiltration over USB,[],[],,SI-3,mitigates,0 +3994,,T1055,Process Injection,[],[],,SI-3,mitigates,0 +3995,,T1055.001,Dynamic-link Library Injection,[],[],,SI-3,mitigates,0 +3996,,T1055.002,Portable Executable Injection,[],[],,SI-3,mitigates,0 +3997,,T1055.003,Thread Execution Hijacking,[],[],,SI-3,mitigates,0 +3998,,T1055.004,Asynchronous Procedure Call,[],[],,SI-3,mitigates,0 +3999,,T1055.005,Thread Local Storage,[],[],,SI-3,mitigates,0 +4000,,T1055.008,Ptrace System Calls,[],[],,SI-3,mitigates,0 +4001,,T1055.009,Proc Memory,[],[],,SI-3,mitigates,0 +4002,,T1055.011,Extra Window Memory 
Injection,[],[],,SI-3,mitigates,0 +4003,,T1055.012,Process Hollowing,[],[],,SI-3,mitigates,0 +4004,,T1055.013,Process Doppelgänging,[],[],,SI-3,mitigates,0 +4005,,T1055.014,VDSO Hijacking,[],[],,SI-3,mitigates,0 +4006,,T1056.002,GUI Input Capture,[],[],,SI-3,mitigates,0 +4007,,T1059,Command and Scripting Interpreter,[],[],,SI-3,mitigates,0 +4008,,T1059.001,PowerShell,[],[],,SI-3,mitigates,0 +4009,,T1059.005,Visual Basic,[],[],,SI-3,mitigates,0 +4010,,T1059.006,Python,[],[],,SI-3,mitigates,0 +4011,,T1059.007,JavaScript,[],[],,SI-3,mitigates,0 +4012,,T1068,Exploitation for Privilege Escalation,[],[],,SI-3,mitigates,0 +4013,,T1070,Indicator Removal on Host,[],[],,SI-3,mitigates,0 +4014,,T1070.001,Clear Windows Event Logs,[],[],,SI-3,mitigates,0 +4015,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-3,mitigates,0 +4016,,T1070.003,Clear Command History,[],[],,SI-3,mitigates,0 +4017,,T1071,Application Layer Protocol,[],[],,SI-3,mitigates,0 +4018,,T1071.001,Web Protocols,[],[],,SI-3,mitigates,0 +4019,,T1071.002,File Transfer Protocols,[],[],,SI-3,mitigates,0 +4020,,T1071.003,Mail Protocols,[],[],,SI-3,mitigates,0 +4021,,T1071.004,DNS,[],[],,SI-3,mitigates,0 +4022,,T1072,Software Deployment Tools,[],[],,SI-3,mitigates,0 +4023,,T1080,Taint Shared Content,[],[],,SI-3,mitigates,0 +4024,,T1090,Proxy,[],[],,SI-3,mitigates,0 +4025,,T1090.001,Internal Proxy,[],[],,SI-3,mitigates,0 +4026,,T1090.002,External Proxy,[],[],,SI-3,mitigates,0 +4027,,T1091,Replication Through Removable Media,[],[],,SI-3,mitigates,0 +4028,,T1092,Communication Through Removable Media,[],[],,SI-3,mitigates,0 +4029,,T1095,Non-Application Layer Protocol,[],[],,SI-3,mitigates,0 +4030,,T1098.004,SSH Authorized Keys,[],[],,SI-3,mitigates,0 +4031,,T1102,Web Service,[],[],,SI-3,mitigates,0 +4032,,T1102.001,Dead Drop Resolver,[],[],,SI-3,mitigates,0 +4033,,T1102.002,Bidirectional Communication,[],[],,SI-3,mitigates,0 +4034,,T1102.003,One-Way Communication,[],[],,SI-3,mitigates,0 +4035,,T1104,Multi-Stage 
Channels,[],[],,SI-3,mitigates,0 +4036,,T1105,Ingress Tool Transfer,[],[],,SI-3,mitigates,0 +4037,,T1106,Native API,[],[],,SI-3,mitigates,0 +4038,,T1111,Two-Factor Authentication Interception,[],[],,SI-3,mitigates,0 +4039,,T1132,Data Encoding,[],[],,SI-3,mitigates,0 +4040,,T1132.001,Standard Encoding,[],[],,SI-3,mitigates,0 +4041,,T1132.002,Non-Standard Encoding,[],[],,SI-3,mitigates,0 +4042,,T1137,Office Application Startup,[],[],,SI-3,mitigates,0 +4043,,T1137.001,Office Template Macros,[],[],,SI-3,mitigates,0 +4044,,T1176,Browser Extensions,[],[],,SI-3,mitigates,0 +4045,,T1185,Browser Session Hijacking,[],[],,SI-3,mitigates,0 +4046,,T1189,Drive-by Compromise,[],[],,SI-3,mitigates,0 +4047,,T1190,Exploit Public-Facing Application,[],[],,SI-3,mitigates,0 +4048,,T1201,Password Policy Discovery,[],[],,SI-3,mitigates,0 +4049,,T1203,Exploitation for Client Execution,[],[],,SI-3,mitigates,0 +4050,,T1204,User Execution,[],[],,SI-3,mitigates,0 +4051,,T1204.001,Malicious Link,[],[],,SI-3,mitigates,0 +4052,,T1204.002,Malicious File,[],[],,SI-3,mitigates,0 +4053,,T1204.003,Malicious Image,[],[],,SI-3,mitigates,0 +4054,,T1210,Exploitation of Remote Services,[],[],,SI-3,mitigates,0 +4055,,T1211,Exploitation for Defense Evasion,[],[],,SI-3,mitigates,0 +4056,,T1212,Exploitation for Credential Access,[],[],,SI-3,mitigates,0 +4057,,T1218,Signed Binary Proxy Execution,[],[],,SI-3,mitigates,0 +4058,,T1218.001,Compiled HTML File,[],[],,SI-3,mitigates,0 +4059,,T1218.002,Control Panel,[],[],,SI-3,mitigates,0 +4060,,T1218.003,CMSTP,[],[],,SI-3,mitigates,0 +4061,,T1218.004,InstallUtil,[],[],,SI-3,mitigates,0 +4062,,T1218.005,Mshta,[],[],,SI-3,mitigates,0 +4063,,T1218.008,Odbcconf,[],[],,SI-3,mitigates,0 +4064,,T1218.009,Regsvcs/Regasm,[],[],,SI-3,mitigates,0 +4065,,T1218.012,Verclsid,[],[],,SI-3,mitigates,0 +4066,,T1218.013,Mavinject,[],[],,SI-3,mitigates,0 +4067,,T1218.014,MMC,[],[],,SI-3,mitigates,0 +4068,,T1219,Remote Access Software,[],[],,SI-3,mitigates,0 +4069,,T1221,Template 
Injection,[],[],,SI-3,mitigates,0 +4070,,T1485,Data Destruction,[],[],,SI-3,mitigates,0 +4071,,T1486,Data Encrypted for Impact,[],[],,SI-3,mitigates,0 +4072,,T1490,Inhibit System Recovery,[],[],,SI-3,mitigates,0 +4073,,T1491,Defacement,[],[],,SI-3,mitigates,0 +4074,,T1491.001,Internal Defacement,[],[],,SI-3,mitigates,0 +4075,,T1491.002,External Defacement,[],[],,SI-3,mitigates,0 +4076,,T1505,Server Software Component,[],[],,SI-3,mitigates,0 +4077,,T1505.001,SQL Stored Procedures,[],[],,SI-3,mitigates,0 +4078,,T1505.002,Transport Agent,[],[],,SI-3,mitigates,0 +4079,,T1505.004,IIS Components,[],[],,SI-3,mitigates,0 +4080,,T1525,Implant Internal Image,[],[],,SI-3,mitigates,0 +4081,,T1539,Steal Web Session Cookie,[],[],,SI-3,mitigates,0 +4082,,T1543,Create or Modify System Process,[],[],,SI-3,mitigates,0 +4083,,T1543.002,Systemd Service,[],[],,SI-3,mitigates,0 +4084,,T1546.002,Screensaver,[],[],,SI-3,mitigates,0 +4085,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-3,mitigates,0 +4086,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-3,mitigates,0 +4087,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-3,mitigates,0 +4088,,T1546.013,PowerShell Profile,[],[],,SI-3,mitigates,0 +4089,,T1546.014,Emond,[],[],,SI-3,mitigates,0 +4090,,T1547.002,Authentication Package,[],[],,SI-3,mitigates,0 +4091,,T1547.005,Security Support Provider,[],[],,SI-3,mitigates,0 +4092,,T1547.006,Kernel Modules and Extensions,[],[],,SI-3,mitigates,0 +4093,,T1547.007,Re-opened Applications,[],[],,SI-3,mitigates,0 +4094,,T1547.008,LSASS Driver,[],[],,SI-3,mitigates,0 +4095,,T1547.013,XDG Autostart Entries,[],[],,SI-3,mitigates,0 +4096,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-3,mitigates,0 +4097,,T1548.004,Elevated Execution with Prompt,[],[],,SI-3,mitigates,0 +4098,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-3,mitigates,0 +4099,,T1557,Adversary-in-the-Middle,[],[],,SI-3,mitigates,0 +4100,,T1557.001,LLMNR/NBT-NS Poisoning and SMB 
Relay,[],[],,SI-3,mitigates,0 +4101,,T1557.002,ARP Cache Poisoning,[],[],,SI-3,mitigates,0 +4102,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-3,mitigates,0 +4103,,T1558.002,Silver Ticket,[],[],,SI-3,mitigates,0 +4104,,T1558.003,Kerberoasting,[],[],,SI-3,mitigates,0 +4105,,T1558.004,AS-REP Roasting,[],[],,SI-3,mitigates,0 +4106,,T1559,Inter-Process Communication,[],[],,SI-3,mitigates,0 +4107,,T1559.001,Component Object Model,[],[],,SI-3,mitigates,0 +4108,,T1559.002,Dynamic Data Exchange,[],[],,SI-3,mitigates,0 +4109,,T1560,Archive Collected Data,[],[],,SI-3,mitigates,0 +4110,,T1560.001,Archive via Utility,[],[],,SI-3,mitigates,0 +4111,,T1561,Disk Wipe,[],[],,SI-3,mitigates,0 +4112,,T1561.001,Disk Content Wipe,[],[],,SI-3,mitigates,0 +4113,,T1561.002,Disk Structure Wipe,[],[],,SI-3,mitigates,0 +4114,,T1562,Impair Defenses,[],[],,SI-3,mitigates,0 +4115,,T1562.001,Disable or Modify Tools,[],[],,SI-3,mitigates,0 +4116,,T1562.002,Disable Windows Event Logging,[],[],,SI-3,mitigates,0 +4117,,T1562.004,Disable or Modify System Firewall,[],[],,SI-3,mitigates,0 +4118,,T1562.006,Indicator Blocking,[],[],,SI-3,mitigates,0 +4119,,T1564.004,NTFS File Attributes,[],[],,SI-3,mitigates,0 +4120,,T1564.008,Email Hiding Rules,[],[],,SI-3,mitigates,0 +4121,,T1564.009,Resource Forking,[],[],,SI-3,mitigates,0 +4122,,T1566,Phishing,[],[],,SI-3,mitigates,0 +4123,,T1566.001,Spearphishing Attachment,[],[],,SI-3,mitigates,0 +4124,,T1566.002,Spearphishing Link,[],[],,SI-3,mitigates,0 +4125,,T1566.003,Spearphishing via Service,[],[],,SI-3,mitigates,0 +4126,,T1567,Exfiltration Over Web Service,[],[],,SI-3,mitigates,0 +4127,,T1568,Dynamic Resolution,[],[],,SI-3,mitigates,0 +4128,,T1568.002,Domain Generation Algorithms,[],[],,SI-3,mitigates,0 +4129,,T1569,System Services,[],[],,SI-3,mitigates,0 +4130,,T1569.002,Service Execution,[],[],,SI-3,mitigates,0 +4131,,T1570,Lateral Tool Transfer,[],[],,SI-3,mitigates,0 +4132,,T1571,Non-Standard Port,[],[],,SI-3,mitigates,0 +4133,,T1572,Protocol 
Tunneling,[],[],,SI-3,mitigates,0 +4134,,T1573,Encrypted Channel,[],[],,SI-3,mitigates,0 +4135,,T1573.001,Symmetric Cryptography,[],[],,SI-3,mitigates,0 +4136,,T1573.002,Asymmetric Cryptography,[],[],,SI-3,mitigates,0 +4137,,T1574,Hijack Execution Flow,[],[],,SI-3,mitigates,0 +4138,,T1574.001,DLL Search Order Hijacking,[],[],,SI-3,mitigates,0 +4139,,T1574.004,Dylib Hijacking,[],[],,SI-3,mitigates,0 +4140,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-3,mitigates,0 +4141,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-3,mitigates,0 +4142,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-3,mitigates,0 +4143,,T1598,Phishing for Information,[],[],,SI-3,mitigates,0 +4144,,T1598.001,Spearphishing Service,[],[],,SI-3,mitigates,0 +4145,,T1598.002,Spearphishing Attachment,[],[],,SI-3,mitigates,0 +4146,,T1598.003,Spearphishing Link,[],[],,SI-3,mitigates,0 +4147,,T1602,Data from Configuration Repository,[],[],,SI-3,mitigates,0 +4148,,T1602.001,SNMP (MIB Dump),[],[],,SI-3,mitigates,0 +4149,,T1602.002,Network Device Configuration Dump,[],[],,SI-3,mitigates,0 +4150,,T1611,Escape to Host,[],[],,SI-3,mitigates,0 +4151,,T1001,Data Obfuscation,[],[],,SI-4,mitigates,0 +4152,,T1001.001,Junk Data,[],[],,SI-4,mitigates,0 +4153,,T1001.002,Steganography,[],[],,SI-4,mitigates,0 +4154,,T1001.003,Protocol Impersonation,[],[],,SI-4,mitigates,0 +4155,,T1003,OS Credential Dumping,[],[],,SI-4,mitigates,0 +4156,,T1003.001,LSASS Memory,[],[],,SI-4,mitigates,0 +4157,,T1003.002,Security Account Manager,[],[],,SI-4,mitigates,0 +4158,,T1003.003,NTDS,[],[],,SI-4,mitigates,0 +4159,,T1003.004,LSA Secrets,[],[],,SI-4,mitigates,0 +4160,,T1003.005,Cached Domain Credentials,[],[],,SI-4,mitigates,0 +4161,,T1003.006,DCSync,[],[],,SI-4,mitigates,0 +4162,,T1003.007,Proc Filesystem,[],[],,SI-4,mitigates,0 +4163,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-4,mitigates,0 +4164,,T1005,Data from Local System,[],[],,SI-4,mitigates,0 +4165,,T1008,Fallback 
Channels,[],[],,SI-4,mitigates,0 +4166,,T1011,Exfiltration Over Other Network Medium,[],[],,SI-4,mitigates,0 +4167,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-4,mitigates,0 +4168,,T1020.001,Traffic Duplication,[],[],,SI-4,mitigates,0 +4169,,T1021,Remote Services,[],[],,SI-4,mitigates,0 +4170,,T1021.001,Remote Desktop Protocol,[],[],,SI-4,mitigates,0 +4171,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-4,mitigates,0 +4172,,T1021.003,Distributed Component Object Model,[],[],,SI-4,mitigates,0 +4173,,T1021.004,SSH,[],[],,SI-4,mitigates,0 +4174,,T1021.005,VNC,[],[],,SI-4,mitigates,0 +4175,,T1021.006,Windows Remote Management,[],[],,SI-4,mitigates,0 +4176,,T1025,Data from Removable Media,[],[],,SI-4,mitigates,0 +4177,,T1027,Obfuscated Files or Information,[],[],,SI-4,mitigates,0 +4178,,T1027.002,Software Packing,[],[],,SI-4,mitigates,0 +4179,,T1029,Scheduled Transfer,[],[],,SI-4,mitigates,0 +4180,,T1030,Data Transfer Size Limits,[],[],,SI-4,mitigates,0 +4181,,T1036,Masquerading,[],[],,SI-4,mitigates,0 +4182,,T1036.001,Invalid Code Signature,[],[],,SI-4,mitigates,0 +4183,,T1036.003,Rename System Utilities,[],[],,SI-4,mitigates,0 +4184,,T1036.005,Match Legitimate Name or Location,[],[],,SI-4,mitigates,0 +4185,,T1036.007,Double File Extension,[],[],,SI-4,mitigates,0 +4186,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-4,mitigates,0 +4187,,T1037.002,Logon Script (Mac),[],[],,SI-4,mitigates,0 +4188,,T1037.003,Network Logon Script,[],[],,SI-4,mitigates,0 +4189,,T1037.004,RC Scripts,[],[],,SI-4,mitigates,0 +4190,,T1037.005,Startup Items,[],[],,SI-4,mitigates,0 +4191,,T1040,Network Sniffing,[],[],,SI-4,mitigates,0 +4192,,T1041,Exfiltration Over C2 Channel,[],[],,SI-4,mitigates,0 +4193,,T1046,Network Service Scanning,[],[],,SI-4,mitigates,0 +4194,,T1047,Windows Management Instrumentation,[],[],,SI-4,mitigates,0 +4195,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-4,mitigates,0 +4196,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 
Protocol,[],[],,SI-4,mitigates,0 +4197,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,0 +4198,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-4,mitigates,0 +4199,,T1052,Exfiltration Over Physical Medium,[],[],,SI-4,mitigates,0 +4200,,T1052.001,Exfiltration over USB,[],[],,SI-4,mitigates,0 +4201,,T1053,Scheduled Task/Job,[],[],,SI-4,mitigates,0 +4202,,T1053.001,At (Linux),[],[],,SI-4,mitigates,0 +4203,,T1053.002,At (Windows),[],[],,SI-4,mitigates,0 +4204,,T1053.003,Cron,[],[],,SI-4,mitigates,0 +4205,,T1053.005,Scheduled Task,[],[],,SI-4,mitigates,0 +4206,,T1053.006,Systemd Timers,[],[],,SI-4,mitigates,0 +4207,,T1055,Process Injection,[],[],,SI-4,mitigates,0 +4208,,T1055.001,Dynamic-link Library Injection,[],[],,SI-4,mitigates,0 +4209,,T1055.002,Portable Executable Injection,[],[],,SI-4,mitigates,0 +4210,,T1055.003,Thread Execution Hijacking,[],[],,SI-4,mitigates,0 +4211,,T1055.004,Asynchronous Procedure Call,[],[],,SI-4,mitigates,0 +4212,,T1055.005,Thread Local Storage,[],[],,SI-4,mitigates,0 +4213,,T1055.008,Ptrace System Calls,[],[],,SI-4,mitigates,0 +4214,,T1055.009,Proc Memory,[],[],,SI-4,mitigates,0 +4215,,T1055.011,Extra Window Memory Injection,[],[],,SI-4,mitigates,0 +4216,,T1055.012,Process Hollowing,[],[],,SI-4,mitigates,0 +4217,,T1055.013,Process Doppelgänging,[],[],,SI-4,mitigates,0 +4218,,T1055.014,VDSO Hijacking,[],[],,SI-4,mitigates,0 +4219,,T1056.002,GUI Input Capture,[],[],,SI-4,mitigates,0 +4220,,T1059,Command and Scripting Interpreter,[],[],,SI-4,mitigates,0 +4221,,T1059.001,PowerShell,[],[],,SI-4,mitigates,0 +4222,,T1059.002,AppleScript,[],[],,SI-4,mitigates,0 +4223,,T1059.003,Windows Command Shell,[],[],,SI-4,mitigates,0 +4224,,T1059.004,Unix Shell,[],[],,SI-4,mitigates,0 +4225,,T1059.005,Visual Basic,[],[],,SI-4,mitigates,0 +4226,,T1059.006,Python,[],[],,SI-4,mitigates,0 +4227,,T1059.007,JavaScript,[],[],,SI-4,mitigates,0 +4228,,T1059.008,Network Device 
CLI,[],[],,SI-4,mitigates,0 +4229,,T1068,Exploitation for Privilege Escalation,[],[],,SI-4,mitigates,0 +4230,,T1070,Indicator Removal on Host,[],[],,SI-4,mitigates,0 +4231,,T1070.001,Clear Windows Event Logs,[],[],,SI-4,mitigates,0 +4232,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-4,mitigates,0 +4233,,T1070.003,Clear Command History,[],[],,SI-4,mitigates,0 +4234,,T1071,Application Layer Protocol,[],[],,SI-4,mitigates,0 +4235,,T1071.001,Web Protocols,[],[],,SI-4,mitigates,0 +4236,,T1071.002,File Transfer Protocols,[],[],,SI-4,mitigates,0 +4237,,T1071.003,Mail Protocols,[],[],,SI-4,mitigates,0 +4238,,T1071.004,DNS,[],[],,SI-4,mitigates,0 +4239,,T1072,Software Deployment Tools,[],[],,SI-4,mitigates,0 +4240,,T1078,Valid Accounts,[],[],,SI-4,mitigates,0 +4241,,T1078.001,Default Accounts,[],[],,SI-4,mitigates,0 +4242,,T1078.002,Domain Accounts,[],[],,SI-4,mitigates,0 +4243,,T1078.003,Local Accounts,[],[],,SI-4,mitigates,0 +4244,,T1078.004,Cloud Accounts,[],[],,SI-4,mitigates,0 +4245,,T1080,Taint Shared Content,[],[],,SI-4,mitigates,0 +4246,,T1087,Account Discovery,[],[],,SI-4,mitigates,0 +4247,,T1087.001,Local Account,[],[],,SI-4,mitigates,0 +4248,,T1087.002,Domain Account,[],[],,SI-4,mitigates,0 +4249,,T1090,Proxy,[],[],,SI-4,mitigates,0 +4250,,T1090.001,Internal Proxy,[],[],,SI-4,mitigates,0 +4251,,T1090.002,External Proxy,[],[],,SI-4,mitigates,0 +4252,,T1091,Replication Through Removable Media,[],[],,SI-4,mitigates,0 +4253,,T1092,Communication Through Removable Media,[],[],,SI-4,mitigates,0 +4254,,T1095,Non-Application Layer Protocol,[],[],,SI-4,mitigates,0 +4255,,T1098,Account Manipulation,[],[],,SI-4,mitigates,0 +4256,,T1098.001,Additional Cloud Credentials,[],[],,SI-4,mitigates,0 +4257,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-4,mitigates,0 +4258,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-4,mitigates,0 +4259,,T1098.004,SSH Authorized Keys,[],[],,SI-4,mitigates,0 +4260,,T1102,Web Service,[],[],,SI-4,mitigates,0 
+4261,,T1102.001,Dead Drop Resolver,[],[],,SI-4,mitigates,0 +4262,,T1102.002,Bidirectional Communication,[],[],,SI-4,mitigates,0 +4263,,T1102.003,One-Way Communication,[],[],,SI-4,mitigates,0 +4264,,T1104,Multi-Stage Channels,[],[],,SI-4,mitigates,0 +4265,,T1105,Ingress Tool Transfer,[],[],,SI-4,mitigates,0 +4266,,T1106,Native API,[],[],,SI-4,mitigates,0 +4267,,T1110,Brute Force,[],[],,SI-4,mitigates,0 +4268,,T1110.001,Password Guessing,[],[],,SI-4,mitigates,0 +4269,,T1110.002,Password Cracking,[],[],,SI-4,mitigates,0 +4270,,T1110.003,Password Spraying,[],[],,SI-4,mitigates,0 +4271,,T1110.004,Credential Stuffing,[],[],,SI-4,mitigates,0 +4272,,T1111,Two-Factor Authentication Interception,[],[],,SI-4,mitigates,0 +4273,,T1114,Email Collection,[],[],,SI-4,mitigates,0 +4274,,T1114.001,Local Email Collection,[],[],,SI-4,mitigates,0 +4275,,T1114.002,Remote Email Collection,[],[],,SI-4,mitigates,0 +4276,,T1114.003,Email Forwarding Rule,[],[],,SI-4,mitigates,0 +4277,,T1119,Automated Collection,[],[],,SI-4,mitigates,0 +4278,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-4,mitigates,0 +4279,,T1127.001,MSBuild,[],[],,SI-4,mitigates,0 +4280,,T1129,Shared Modules,[],[],,SI-4,mitigates,0 +4281,,T1132,Data Encoding,[],[],,SI-4,mitigates,0 +4282,,T1132.001,Standard Encoding,[],[],,SI-4,mitigates,0 +4283,,T1132.002,Non-Standard Encoding,[],[],,SI-4,mitigates,0 +4284,,T1133,External Remote Services,[],[],,SI-4,mitigates,0 +4285,,T1135,Network Share Discovery,[],[],,SI-4,mitigates,0 +4286,,T1136,Create Account,[],[],,SI-4,mitigates,0 +4287,,T1136.001,Local Account,[],[],,SI-4,mitigates,0 +4288,,T1136.002,Domain Account,[],[],,SI-4,mitigates,0 +4289,,T1136.003,Cloud Account,[],[],,SI-4,mitigates,0 +4290,,T1137,Office Application Startup,[],[],,SI-4,mitigates,0 +4291,,T1137.001,Office Template Macros,[],[],,SI-4,mitigates,0 +4292,,T1176,Browser Extensions,[],[],,SI-4,mitigates,0 +4293,,T1185,Browser Session Hijacking,[],[],,SI-4,mitigates,0 +4294,,T1187,Forced 
Authentication,[],[],,SI-4,mitigates,0 +4295,,T1189,Drive-by Compromise,[],[],,SI-4,mitigates,0 +4296,,T1190,Exploit Public-Facing Application,[],[],,SI-4,mitigates,0 +4297,,T1197,BITS Jobs,[],[],,SI-4,mitigates,0 +4298,,T1201,Password Policy Discovery,[],[],,SI-4,mitigates,0 +4299,,T1203,Exploitation for Client Execution,[],[],,SI-4,mitigates,0 +4300,,T1204,User Execution,[],[],,SI-4,mitigates,0 +4301,,T1204.001,Malicious Link,[],[],,SI-4,mitigates,0 +4302,,T1204.002,Malicious File,[],[],,SI-4,mitigates,0 +4303,,T1204.003,Malicious Image,[],[],,SI-4,mitigates,0 +4304,,T1205,Traffic Signaling,[],[],,SI-4,mitigates,0 +4305,,T1205.001,Port Knocking,[],[],,SI-4,mitigates,0 +4306,,T1210,Exploitation of Remote Services,[],[],,SI-4,mitigates,0 +4307,,T1211,Exploitation for Defense Evasion,[],[],,SI-4,mitigates,0 +4308,,T1212,Exploitation for Credential Access,[],[],,SI-4,mitigates,0 +4309,,T1213,Data from Information Repositories,[],[],,SI-4,mitigates,0 +4310,,T1213.001,Confluence,[],[],,SI-4,mitigates,0 +4311,,T1213.002,Sharepoint,[],[],,SI-4,mitigates,0 +4312,,T1216,Signed Script Proxy Execution,[],[],,SI-4,mitigates,0 +4313,,T1216.001,PubPrn,[],[],,SI-4,mitigates,0 +4314,,T1218,Signed Binary Proxy Execution,[],[],,SI-4,mitigates,0 +4315,,T1218.001,Compiled HTML File,[],[],,SI-4,mitigates,0 +4316,,T1218.002,Control Panel,[],[],,SI-4,mitigates,0 +4317,,T1218.003,CMSTP,[],[],,SI-4,mitigates,0 +4318,,T1218.004,InstallUtil,[],[],,SI-4,mitigates,0 +4319,,T1218.005,Mshta,[],[],,SI-4,mitigates,0 +4320,,T1218.008,Odbcconf,[],[],,SI-4,mitigates,0 +4321,,T1218.009,Regsvcs/Regasm,[],[],,SI-4,mitigates,0 +4322,,T1218.010,Regsvr32,[],[],,SI-4,mitigates,0 +4323,,T1218.011,Rundll32,[],[],,SI-4,mitigates,0 +4324,,T1218.012,Verclsid,[],[],,SI-4,mitigates,0 +4325,,T1218.013,Mavinject,[],[],,SI-4,mitigates,0 +4326,,T1218.014,MMC,[],[],,SI-4,mitigates,0 +4327,,T1219,Remote Access Software,[],[],,SI-4,mitigates,0 +4328,,T1220,XSL Script Processing,[],[],,SI-4,mitigates,0 
+4329,,T1221,Template Injection,[],[],,SI-4,mitigates,0 +4330,,T1222,File and Directory Permissions Modification,[],[],,SI-4,mitigates,0 +4331,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-4,mitigates,0 +4332,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-4,mitigates,0 +4333,,T1484,Domain Policy Modification,[],[],,SI-4,mitigates,0 +4334,,T1485,Data Destruction,[],[],,SI-4,mitigates,0 +4335,,T1486,Data Encrypted for Impact,[],[],,SI-4,mitigates,0 +4336,,T1489,Service Stop,[],[],,SI-4,mitigates,0 +4337,,T1490,Inhibit System Recovery,[],[],,SI-4,mitigates,0 +4338,,T1491,Defacement,[],[],,SI-4,mitigates,0 +4339,,T1491.001,Internal Defacement,[],[],,SI-4,mitigates,0 +4340,,T1491.002,External Defacement,[],[],,SI-4,mitigates,0 +4341,,T1499,Endpoint Denial of Service,[],[],,SI-4,mitigates,0 +4342,,T1499.001,OS Exhaustion Flood,[],[],,SI-4,mitigates,0 +4343,,T1499.002,Service Exhaustion Flood,[],[],,SI-4,mitigates,0 +4344,,T1499.003,Application Exhaustion Flood,[],[],,SI-4,mitigates,0 +4345,,T1499.004,Application or System Exploitation,[],[],,SI-4,mitigates,0 +4346,,T1505,Server Software Component,[],[],,SI-4,mitigates,0 +4347,,T1505.001,SQL Stored Procedures,[],[],,SI-4,mitigates,0 +4348,,T1505.002,Transport Agent,[],[],,SI-4,mitigates,0 +4349,,T1505.003,Web Shell,[],[],,SI-4,mitigates,0 +4350,,T1505.004,IIS Components,[],[],,SI-4,mitigates,0 +4351,,T1525,Implant Internal Image,[],[],,SI-4,mitigates,0 +4352,,T1528,Steal Application Access Token,[],[],,SI-4,mitigates,0 +4353,,T1530,Data from Cloud Storage Object,[],[],,SI-4,mitigates,0 +4354,,T1537,Transfer Data to Cloud Account,[],[],,SI-4,mitigates,0 +4355,,T1539,Steal Web Session Cookie,[],[],,SI-4,mitigates,0 +4356,,T1542.004,ROMMONkit,[],[],,SI-4,mitigates,0 +4357,,T1542.005,TFTP Boot,[],[],,SI-4,mitigates,0 +4358,,T1543,Create or Modify System Process,[],[],,SI-4,mitigates,0 +4359,,T1543.002,Systemd Service,[],[],,SI-4,mitigates,0 +4360,,T1543.003,Windows 
Service,[],[],,SI-4,mitigates,0 +4361,,T1543.004,Launch Daemon,[],[],,SI-4,mitigates,0 +4362,,T1546.002,Screensaver,[],[],,SI-4,mitigates,0 +4363,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-4,mitigates,0 +4364,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-4,mitigates,0 +4365,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-4,mitigates,0 +4366,,T1546.008,Accessibility Features,[],[],,SI-4,mitigates,0 +4367,,T1546.013,PowerShell Profile,[],[],,SI-4,mitigates,0 +4368,,T1546.014,Emond,[],[],,SI-4,mitigates,0 +4369,,T1547.002,Authentication Package,[],[],,SI-4,mitigates,0 +4370,,T1547.003,Time Providers,[],[],,SI-4,mitigates,0 +4371,,T1547.004,Winlogon Helper DLL,[],[],,SI-4,mitigates,0 +4372,,T1547.005,Security Support Provider,[],[],,SI-4,mitigates,0 +4373,,T1547.006,Kernel Modules and Extensions,[],[],,SI-4,mitigates,0 +4374,,T1547.007,Re-opened Applications,[],[],,SI-4,mitigates,0 +4375,,T1547.008,LSASS Driver,[],[],,SI-4,mitigates,0 +4376,,T1547.009,Shortcut Modification,[],[],,SI-4,mitigates,0 +4377,,T1547.011,Plist Modification,[],[],,SI-4,mitigates,0 +4378,,T1547.012,Print Processors,[],[],,SI-4,mitigates,0 +4379,,T1547.013,XDG Autostart Entries,[],[],,SI-4,mitigates,0 +4380,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-4,mitigates,0 +4381,,T1548.001,Setuid and Setgid,[],[],,SI-4,mitigates,0 +4382,,T1548.002,Bypass User Account Control,[],[],,SI-4,mitigates,0 +4383,,T1548.003,Sudo and Sudo Caching,[],[],,SI-4,mitigates,0 +4384,,T1548.004,Elevated Execution with Prompt,[],[],,SI-4,mitigates,0 +4385,,T1550.001,Application Access Token,[],[],,SI-4,mitigates,0 +4386,,T1550.003,Pass the Ticket,[],[],,SI-4,mitigates,0 +4387,,T1552,Unsecured Credentials,[],[],,SI-4,mitigates,0 +4388,,T1552.001,Credentials In Files,[],[],,SI-4,mitigates,0 +4389,,T1552.002,Credentials in Registry,[],[],,SI-4,mitigates,0 +4390,,T1552.003,Bash History,[],[],,SI-4,mitigates,0 +4391,,T1552.004,Private Keys,[],[],,SI-4,mitigates,0 
+4392,,T1552.005,Cloud Instance Metadata API,[],[],,SI-4,mitigates,0 +4393,,T1552.006,Group Policy Preferences,[],[],,SI-4,mitigates,0 +4394,,T1553,Subvert Trust Controls,[],[],,SI-4,mitigates,0 +4395,,T1553.001,Gatekeeper Bypass,[],[],,SI-4,mitigates,0 +4396,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-4,mitigates,0 +4397,,T1553.004,Install Root Certificate,[],[],,SI-4,mitigates,0 +4398,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-4,mitigates,0 +4399,,T1555,Credentials from Password Stores,[],[],,SI-4,mitigates,0 +4400,,T1555.001,Keychain,[],[],,SI-4,mitigates,0 +4401,,T1555.002,Securityd Memory,[],[],,SI-4,mitigates,0 +4402,,T1555.004,Windows Credential Manager,[],[],,SI-4,mitigates,0 +4403,,T1555.005,Password Managers,[],[],,SI-4,mitigates,0 +4404,,T1556,Modify Authentication Process,[],[],,SI-4,mitigates,0 +4405,,T1556.001,Domain Controller Authentication,[],[],,SI-4,mitigates,0 +4406,,T1556.002,Password Filter DLL,[],[],,SI-4,mitigates,0 +4407,,T1556.003,Pluggable Authentication Modules,[],[],,SI-4,mitigates,0 +4408,,T1556.004,Network Device Authentication,[],[],,SI-4,mitigates,0 +4409,,T1557,Adversary-in-the-Middle,[],[],,SI-4,mitigates,0 +4410,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-4,mitigates,0 +4411,,T1557.002,ARP Cache Poisoning,[],[],,SI-4,mitigates,0 +4412,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-4,mitigates,0 +4413,,T1558.002,Silver Ticket,[],[],,SI-4,mitigates,0 +4414,,T1558.003,Kerberoasting,[],[],,SI-4,mitigates,0 +4415,,T1558.004,AS-REP Roasting,[],[],,SI-4,mitigates,0 +4416,,T1559,Inter-Process Communication,[],[],,SI-4,mitigates,0 +4417,,T1559.001,Component Object Model,[],[],,SI-4,mitigates,0 +4418,,T1559.002,Dynamic Data Exchange,[],[],,SI-4,mitigates,0 +4419,,T1560,Archive Collected Data,[],[],,SI-4,mitigates,0 +4420,,T1560.001,Archive via Utility,[],[],,SI-4,mitigates,0 +4421,,T1561,Disk Wipe,[],[],,SI-4,mitigates,0 +4422,,T1561.001,Disk Content Wipe,[],[],,SI-4,mitigates,0 +4423,,T1561.002,Disk Structure 
Wipe,[],[],,SI-4,mitigates,0 +4424,,T1562,Impair Defenses,[],[],,SI-4,mitigates,0 +4425,,T1562.001,Disable or Modify Tools,[],[],,SI-4,mitigates,0 +4426,,T1562.002,Disable Windows Event Logging,[],[],,SI-4,mitigates,0 +4427,,T1562.003,Impair Command History Logging,[],[],,SI-4,mitigates,0 +4428,,T1562.004,Disable or Modify System Firewall,[],[],,SI-4,mitigates,0 +4429,,T1562.006,Indicator Blocking,[],[],,SI-4,mitigates,0 +4430,,T1562.010,Downgrade Attack,[],[],,SI-4,mitigates,0 +4431,,T1563,Remote Service Session Hijacking,[],[],,SI-4,mitigates,0 +4432,,T1563.001,SSH Hijacking,[],[],,SI-4,mitigates,0 +4433,,T1563.002,RDP Hijacking,[],[],,SI-4,mitigates,0 +4434,,T1564.002,Hidden Users,[],[],,SI-4,mitigates,0 +4435,,T1564.004,NTFS File Attributes,[],[],,SI-4,mitigates,0 +4436,,T1564.006,Run Virtual Instance,[],[],,SI-4,mitigates,0 +4437,,T1564.007,VBA Stomping,[],[],,SI-4,mitigates,0 +4438,,T1564.008,Email Hiding Rules,[],[],,SI-4,mitigates,0 +4439,,T1564.009,Resource Forking,[],[],,SI-4,mitigates,0 +4440,,T1565,Data Manipulation,[],[],,SI-4,mitigates,0 +4441,,T1565.001,Stored Data Manipulation,[],[],,SI-4,mitigates,0 +4442,,T1565.002,Transmitted Data Manipulation,[],[],,SI-4,mitigates,0 +4443,,T1565.003,Runtime Data Manipulation,[],[],,SI-4,mitigates,0 +4444,,T1566,Phishing,[],[],,SI-4,mitigates,0 +4445,,T1566.001,Spearphishing Attachment,[],[],,SI-4,mitigates,0 +4446,,T1566.002,Spearphishing Link,[],[],,SI-4,mitigates,0 +4447,,T1566.003,Spearphishing via Service,[],[],,SI-4,mitigates,0 +4448,,T1567,Exfiltration Over Web Service,[],[],,SI-4,mitigates,0 +4449,,T1568,Dynamic Resolution,[],[],,SI-4,mitigates,0 +4450,,T1568.002,Domain Generation Algorithms,[],[],,SI-4,mitigates,0 +4451,,T1569,System Services,[],[],,SI-4,mitigates,0 +4452,,T1569.002,Service Execution,[],[],,SI-4,mitigates,0 +4453,,T1570,Lateral Tool Transfer,[],[],,SI-4,mitigates,0 +4454,,T1571,Non-Standard Port,[],[],,SI-4,mitigates,0 +4455,,T1572,Protocol Tunneling,[],[],,SI-4,mitigates,0 
+4456,,T1573,Encrypted Channel,[],[],,SI-4,mitigates,0 +4457,,T1573.001,Symmetric Cryptography,[],[],,SI-4,mitigates,0 +4458,,T1573.002,Asymmetric Cryptography,[],[],,SI-4,mitigates,0 +4459,,T1574,Hijack Execution Flow,[],[],,SI-4,mitigates,0 +4460,,T1574.001,DLL Search Order Hijacking,[],[],,SI-4,mitigates,0 +4461,,T1574.004,Dylib Hijacking,[],[],,SI-4,mitigates,0 +4462,,T1574.005,Executable Installer File Permissions Weakness,[],[],,SI-4,mitigates,0 +4463,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-4,mitigates,0 +4464,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-4,mitigates,0 +4465,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-4,mitigates,0 +4466,,T1574.010,Services File Permissions Weakness,[],[],,SI-4,mitigates,0 +4467,,T1578,Modify Cloud Compute Infrastructure,[],[],,SI-4,mitigates,0 +4468,,T1578.001,Create Snapshot,[],[],,SI-4,mitigates,0 +4469,,T1578.002,Create Cloud Instance,[],[],,SI-4,mitigates,0 +4470,,T1578.003,Delete Cloud Instance,[],[],,SI-4,mitigates,0 +4471,,T1598,Phishing for Information,[],[],,SI-4,mitigates,0 +4472,,T1598.001,Spearphishing Service,[],[],,SI-4,mitigates,0 +4473,,T1598.002,Spearphishing Attachment,[],[],,SI-4,mitigates,0 +4474,,T1598.003,Spearphishing Link,[],[],,SI-4,mitigates,0 +4475,,T1599,Network Boundary Bridging,[],[],,SI-4,mitigates,0 +4476,,T1599.001,Network Address Translation Traversal,[],[],,SI-4,mitigates,0 +4477,,T1601,Modify System Image,[],[],,SI-4,mitigates,0 +4478,,T1601.001,Patch System Image,[],[],,SI-4,mitigates,0 +4479,,T1601.002,Downgrade System Image,[],[],,SI-4,mitigates,0 +4480,,T1602,Data from Configuration Repository,[],[],,SI-4,mitigates,0 +4481,,T1602.001,SNMP (MIB Dump),[],[],,SI-4,mitigates,0 +4482,,T1602.002,Network Device Configuration Dump,[],[],,SI-4,mitigates,0 +4483,,T1610,Deploy Container,[],[],,SI-4,mitigates,0 +4484,,T1611,Escape to Host,[],[],,SI-4,mitigates,0 +4485,,T1612,Build Image on Host,[],[],,SI-4,mitigates,0 
+4486,,T1613,Container and Resource Discovery,[],[],,SI-4,mitigates,0 +4487,,T1068,Exploitation for Privilege Escalation,[],[],,SI-5,mitigates,0 +4488,,T1210,Exploitation of Remote Services,[],[],,SI-5,mitigates,0 +4489,,T1211,Exploitation for Defense Evasion,[],[],,SI-5,mitigates,0 +4490,,T1212,Exploitation for Credential Access,[],[],,SI-5,mitigates,0 +4491,,T1003,OS Credential Dumping,[],[],,SI-7,mitigates,0 +4492,,T1003.003,NTDS,[],[],,SI-7,mitigates,0 +4493,,T1020.001,Traffic Duplication,[],[],,SI-7,mitigates,0 +4494,,T1027,Obfuscated Files or Information,[],[],,SI-7,mitigates,0 +4495,,T1027.002,Software Packing,[],[],,SI-7,mitigates,0 +4496,,T1036,Masquerading,[],[],,SI-7,mitigates,0 +4497,,T1036.001,Invalid Code Signature,[],[],,SI-7,mitigates,0 +4498,,T1036.005,Match Legitimate Name or Location,[],[],,SI-7,mitigates,0 +4499,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-7,mitigates,0 +4500,,T1037.002,Logon Script (Mac),[],[],,SI-7,mitigates,0 +4501,,T1037.003,Network Logon Script,[],[],,SI-7,mitigates,0 +4502,,T1037.004,RC Scripts,[],[],,SI-7,mitigates,0 +4503,,T1037.005,Startup Items,[],[],,SI-7,mitigates,0 +4504,,T1040,Network Sniffing,[],[],,SI-7,mitigates,0 +4505,,T1047,Windows Management Instrumentation,[],[],,SI-7,mitigates,0 +4506,,T1053.006,Systemd Timers,[],[],,SI-7,mitigates,0 +4507,,T1056.002,GUI Input Capture,[],[],,SI-7,mitigates,0 +4508,,T1059,Command and Scripting Interpreter,[],[],,SI-7,mitigates,0 +4509,,T1059.001,PowerShell,[],[],,SI-7,mitigates,0 +4510,,T1059.002,AppleScript,[],[],,SI-7,mitigates,0 +4511,,T1059.003,Windows Command Shell,[],[],,SI-7,mitigates,0 +4512,,T1059.004,Unix Shell,[],[],,SI-7,mitigates,0 +4513,,T1059.005,Visual Basic,[],[],,SI-7,mitigates,0 +4514,,T1059.006,Python,[],[],,SI-7,mitigates,0 +4515,,T1059.007,JavaScript,[],[],,SI-7,mitigates,0 +4516,,T1059.008,Network Device CLI,[],[],,SI-7,mitigates,0 +4517,,T1068,Exploitation for Privilege Escalation,[],[],,SI-7,mitigates,0 +4518,,T1070,Indicator Removal on 
Host,[],[],,SI-7,mitigates,0 +4519,,T1070.001,Clear Windows Event Logs,[],[],,SI-7,mitigates,0 +4520,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-7,mitigates,0 +4521,,T1070.003,Clear Command History,[],[],,SI-7,mitigates,0 +4522,,T1072,Software Deployment Tools,[],[],,SI-7,mitigates,0 +4523,,T1080,Taint Shared Content,[],[],,SI-7,mitigates,0 +4524,,T1098.001,Additional Cloud Credentials,[],[],,SI-7,mitigates,0 +4525,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-7,mitigates,0 +4526,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-7,mitigates,0 +4527,,T1114,Email Collection,[],[],,SI-7,mitigates,0 +4528,,T1114.001,Local Email Collection,[],[],,SI-7,mitigates,0 +4529,,T1114.002,Remote Email Collection,[],[],,SI-7,mitigates,0 +4530,,T1114.003,Email Forwarding Rule,[],[],,SI-7,mitigates,0 +4531,,T1119,Automated Collection,[],[],,SI-7,mitigates,0 +4532,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-7,mitigates,0 +4533,,T1129,Shared Modules,[],[],,SI-7,mitigates,0 +4534,,T1133,External Remote Services,[],[],,SI-7,mitigates,0 +4535,,T1136,Create Account,[],[],,SI-7,mitigates,0 +4536,,T1136.001,Local Account,[],[],,SI-7,mitigates,0 +4537,,T1136.002,Domain Account,[],[],,SI-7,mitigates,0 +4538,,T1136.003,Cloud Account,[],[],,SI-7,mitigates,0 +4539,,T1176,Browser Extensions,[],[],,SI-7,mitigates,0 +4540,,T1185,Browser Session Hijacking,[],[],,SI-7,mitigates,0 +4541,,T1189,Drive-by Compromise,[],[],,SI-7,mitigates,0 +4542,,T1190,Exploit Public-Facing Application,[],[],,SI-7,mitigates,0 +4543,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-7,mitigates,0 +4544,,T1203,Exploitation for Client Execution,[],[],,SI-7,mitigates,0 +4545,,T1204,User Execution,[],[],,SI-7,mitigates,0 +4546,,T1204.002,Malicious File,[],[],,SI-7,mitigates,0 +4547,,T1204.003,Malicious Image,[],[],,SI-7,mitigates,0 +4548,,T1210,Exploitation of Remote Services,[],[],,SI-7,mitigates,0 +4549,,T1211,Exploitation for Defense Evasion,[],[],,SI-7,mitigates,0 
+4550,,T1212,Exploitation for Credential Access,[],[],,SI-7,mitigates,0 +4551,,T1213,Data from Information Repositories,[],[],,SI-7,mitigates,0 +4552,,T1213.001,Confluence,[],[],,SI-7,mitigates,0 +4553,,T1213.002,Sharepoint,[],[],,SI-7,mitigates,0 +4554,,T1216,Signed Script Proxy Execution,[],[],,SI-7,mitigates,0 +4555,,T1216.001,PubPrn,[],[],,SI-7,mitigates,0 +4556,,T1218,Signed Binary Proxy Execution,[],[],,SI-7,mitigates,0 +4557,,T1218.001,Compiled HTML File,[],[],,SI-7,mitigates,0 +4558,,T1218.002,Control Panel,[],[],,SI-7,mitigates,0 +4559,,T1218.003,CMSTP,[],[],,SI-7,mitigates,0 +4560,,T1218.004,InstallUtil,[],[],,SI-7,mitigates,0 +4561,,T1218.005,Mshta,[],[],,SI-7,mitigates,0 +4562,,T1218.008,Odbcconf,[],[],,SI-7,mitigates,0 +4563,,T1218.009,Regsvcs/Regasm,[],[],,SI-7,mitigates,0 +4564,,T1218.010,Regsvr32,[],[],,SI-7,mitigates,0 +4565,,T1218.011,Rundll32,[],[],,SI-7,mitigates,0 +4566,,T1218.012,Verclsid,[],[],,SI-7,mitigates,0 +4567,,T1218.013,Mavinject,[],[],,SI-7,mitigates,0 +4568,,T1218.014,MMC,[],[],,SI-7,mitigates,0 +4569,,T1219,Remote Access Software,[],[],,SI-7,mitigates,0 +4570,,T1220,XSL Script Processing,[],[],,SI-7,mitigates,0 +4571,,T1221,Template Injection,[],[],,SI-7,mitigates,0 +4572,,T1222,File and Directory Permissions Modification,[],[],,SI-7,mitigates,0 +4573,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-7,mitigates,0 +4574,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-7,mitigates,0 +4575,,T1485,Data Destruction,[],[],,SI-7,mitigates,0 +4576,,T1486,Data Encrypted for Impact,[],[],,SI-7,mitigates,0 +4577,,T1490,Inhibit System Recovery,[],[],,SI-7,mitigates,0 +4578,,T1491,Defacement,[],[],,SI-7,mitigates,0 +4579,,T1491.001,Internal Defacement,[],[],,SI-7,mitigates,0 +4580,,T1491.002,External Defacement,[],[],,SI-7,mitigates,0 +4581,,T1495,Firmware Corruption,[],[],,SI-7,mitigates,0 +4582,,T1505,Server Software Component,[],[],,SI-7,mitigates,0 +4583,,T1505.001,SQL Stored 
Procedures,[],[],,SI-7,mitigates,0 +4584,,T1505.002,Transport Agent,[],[],,SI-7,mitigates,0 +4585,,T1505.004,IIS Components,[],[],,SI-7,mitigates,0 +4586,,T1525,Implant Internal Image,[],[],,SI-7,mitigates,0 +4587,,T1530,Data from Cloud Storage Object,[],[],,SI-7,mitigates,0 +4588,,T1542,Pre-OS Boot,[],[],,SI-7,mitigates,0 +4589,,T1542.001,System Firmware,[],[],,SI-7,mitigates,0 +4590,,T1542.003,Bootkit,[],[],,SI-7,mitigates,0 +4591,,T1542.004,ROMMONkit,[],[],,SI-7,mitigates,0 +4592,,T1542.005,TFTP Boot,[],[],,SI-7,mitigates,0 +4593,,T1543,Create or Modify System Process,[],[],,SI-7,mitigates,0 +4594,,T1543.002,Systemd Service,[],[],,SI-7,mitigates,0 +4595,,T1546,Event Triggered Execution,[],[],,SI-7,mitigates,0 +4596,,T1546.002,Screensaver,[],[],,SI-7,mitigates,0 +4597,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-7,mitigates,0 +4598,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-7,mitigates,0 +4599,,T1546.008,Accessibility Features,[],[],,SI-7,mitigates,0 +4600,,T1546.009,AppCert DLLs,[],[],,SI-7,mitigates,0 +4601,,T1546.010,AppInit DLLs,[],[],,SI-7,mitigates,0 +4602,,T1546.013,PowerShell Profile,[],[],,SI-7,mitigates,0 +4603,,T1547.002,Authentication Package,[],[],,SI-7,mitigates,0 +4604,,T1547.003,Time Providers,[],[],,SI-7,mitigates,0 +4605,,T1547.004,Winlogon Helper DLL,[],[],,SI-7,mitigates,0 +4606,,T1547.005,Security Support Provider,[],[],,SI-7,mitigates,0 +4607,,T1547.006,Kernel Modules and Extensions,[],[],,SI-7,mitigates,0 +4608,,T1547.008,LSASS Driver,[],[],,SI-7,mitigates,0 +4609,,T1547.011,Plist Modification,[],[],,SI-7,mitigates,0 +4610,,T1547.013,XDG Autostart Entries,[],[],,SI-7,mitigates,0 +4611,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-7,mitigates,0 +4612,,T1548.004,Elevated Execution with Prompt,[],[],,SI-7,mitigates,0 +4613,,T1550.001,Application Access Token,[],[],,SI-7,mitigates,0 +4614,,T1550.004,Web Session Cookie,[],[],,SI-7,mitigates,0 +4615,,T1552,Unsecured Credentials,[],[],,SI-7,mitigates,0 +4616,,T1552.004,Private 
Keys,[],[],,SI-7,mitigates,0 +4617,,T1553,Subvert Trust Controls,[],[],,SI-7,mitigates,0 +4618,,T1553.001,Gatekeeper Bypass,[],[],,SI-7,mitigates,0 +4619,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-7,mitigates,0 +4620,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-7,mitigates,0 +4621,,T1553.006,Code Signing Policy Modification,[],[],,SI-7,mitigates,0 +4622,,T1554,Compromise Client Software Binary,[],[],,SI-7,mitigates,0 +4623,,T1556,Modify Authentication Process,[],[],,SI-7,mitigates,0 +4624,,T1556.001,Domain Controller Authentication,[],[],,SI-7,mitigates,0 +4625,,T1556.003,Pluggable Authentication Modules,[],[],,SI-7,mitigates,0 +4626,,T1556.004,Network Device Authentication,[],[],,SI-7,mitigates,0 +4627,,T1557,Adversary-in-the-Middle,[],[],,SI-7,mitigates,0 +4628,,T1557.002,ARP Cache Poisoning,[],[],,SI-7,mitigates,0 +4629,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-7,mitigates,0 +4630,,T1558.002,Silver Ticket,[],[],,SI-7,mitigates,0 +4631,,T1558.003,Kerberoasting,[],[],,SI-7,mitigates,0 +4632,,T1558.004,AS-REP Roasting,[],[],,SI-7,mitigates,0 +4633,,T1559,Inter-Process Communication,[],[],,SI-7,mitigates,0 +4634,,T1559.001,Component Object Model,[],[],,SI-7,mitigates,0 +4635,,T1561,Disk Wipe,[],[],,SI-7,mitigates,0 +4636,,T1561.001,Disk Content Wipe,[],[],,SI-7,mitigates,0 +4637,,T1561.002,Disk Structure Wipe,[],[],,SI-7,mitigates,0 +4638,,T1562,Impair Defenses,[],[],,SI-7,mitigates,0 +4639,,T1562.001,Disable or Modify Tools,[],[],,SI-7,mitigates,0 +4640,,T1562.002,Disable Windows Event Logging,[],[],,SI-7,mitigates,0 +4641,,T1562.004,Disable or Modify System Firewall,[],[],,SI-7,mitigates,0 +4642,,T1562.006,Indicator Blocking,[],[],,SI-7,mitigates,0 +4643,,T1562.009,Safe Mode Boot,[],[],,SI-7,mitigates,0 +4644,,T1564.003,Hidden Window,[],[],,SI-7,mitigates,0 +4645,,T1564.004,NTFS File Attributes,[],[],,SI-7,mitigates,0 +4646,,T1564.006,Run Virtual Instance,[],[],,SI-7,mitigates,0 +4647,,T1564.008,Email Hiding Rules,[],[],,SI-7,mitigates,0 
+4648,,T1564.009,Resource Forking,[],[],,SI-7,mitigates,0 +4649,,T1565,Data Manipulation,[],[],,SI-7,mitigates,0 +4650,,T1565.001,Stored Data Manipulation,[],[],,SI-7,mitigates,0 +4651,,T1565.002,Transmitted Data Manipulation,[],[],,SI-7,mitigates,0 +4652,,T1569,System Services,[],[],,SI-7,mitigates,0 +4653,,T1569.002,Service Execution,[],[],,SI-7,mitigates,0 +4654,,T1574,Hijack Execution Flow,[],[],,SI-7,mitigates,0 +4655,,T1574.001,DLL Search Order Hijacking,[],[],,SI-7,mitigates,0 +4656,,T1574.004,Dylib Hijacking,[],[],,SI-7,mitigates,0 +4657,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-7,mitigates,0 +4658,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-7,mitigates,0 +4659,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-7,mitigates,0 +4660,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-7,mitigates,0 +4661,,T1574.012,COR_PROFILER,[],[],,SI-7,mitigates,0 +4662,,T1599,Network Boundary Bridging,[],[],,SI-7,mitigates,0 +4663,,T1599.001,Network Address Translation Traversal,[],[],,SI-7,mitigates,0 +4664,,T1601,Modify System Image,[],[],,SI-7,mitigates,0 +4665,,T1601.001,Patch System Image,[],[],,SI-7,mitigates,0 +4666,,T1601.002,Downgrade System Image,[],[],,SI-7,mitigates,0 +4667,,T1602,Data from Configuration Repository,[],[],,SI-7,mitigates,0 +4668,,T1602.001,SNMP (MIB Dump),[],[],,SI-7,mitigates,0 +4669,,T1602.002,Network Device Configuration Dump,[],[],,SI-7,mitigates,0 +4670,,T1609,Container Administration Command,[],[],,SI-7,mitigates,0 +4671,,T1611,Escape to Host,[],[],,SI-7,mitigates,0 +4672,,T1137,Office Application Startup,[],[],,SI-8,mitigates,0 +4673,,T1137.001,Office Template Macros,[],[],,SI-8,mitigates,0 +4674,,T1137.002,Office Test,[],[],,SI-8,mitigates,0 +4675,,T1137.003,Outlook Forms,[],[],,SI-8,mitigates,0 +4676,,T1137.004,Outlook Home Page,[],[],,SI-8,mitigates,0 +4677,,T1137.005,Outlook Rules,[],[],,SI-8,mitigates,0 +4678,,T1137.006,Add-ins,[],[],,SI-8,mitigates,0 +4679,,T1204,User 
Execution,[],[],,SI-8,mitigates,0
+4680,,T1204.001,Malicious Link,[],[],,SI-8,mitigates,0
+4681,,T1204.002,Malicious File,[],[],,SI-8,mitigates,0
+4682,,T1204.003,Malicious Image,[],[],,SI-8,mitigates,0
+4683,,T1221,Template Injection,[],[],,SI-8,mitigates,0
+4684,,T1566,Phishing,[],[],,SI-8,mitigates,0
+4685,,T1566.001,Spearphishing Attachment,[],[],,SI-8,mitigates,0
+4686,,T1566.002,Spearphishing Link,[],[],,SI-8,mitigates,0
+4687,,T1566.003,Spearphishing via Service,[],[],,SI-8,mitigates,0
+4688,,T1598,Phishing for Information,[],[],,SI-8,mitigates,0
+4689,,T1598.001,Spearphishing Service,[],[],,SI-8,mitigates,0
+4690,,T1598.002,Spearphishing Attachment,[],[],,SI-8,mitigates,0
+4691,,T1598.003,Spearphishing Link,[],[],,SI-8,mitigates,0
diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_metadata.csv
new file mode 100644
index 00000000..cc46813a
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_metadata.csv
@@ -0,0 +1,2 @@
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,r4,10.1,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,0
diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_metadata_object.csv b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_metadata_object.csv
new file mode 100644
index 00000000..cc46813a
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_metadata_object.csv
@@ -0,0 +1,2 @@
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,r4,10.1,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,0
diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_navigator_layer.json
index 0ff66626..752fa3f3 100644
--- a/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_navigator_layer.json
+++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r4/parsed_nist800-53-r4-10.1_mappings_navigator_layer.json
@@ -1 +1 @@ -{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "10.1"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 12, "comment": "Related to Concurrent Session Control, Remote Access, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1137.002", "score": 9, "comment": "Related to Concurrent Session Control, Permitted Actions Without Identification Or Authentication, Remote Access, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Mobile Code, Spam Protection"}, {"techniqueID": "T1185", "score": 14, "comment": "Related to Concurrent Session Control, Session Termination, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Identification And Authentication (Organizational Users), Session Authenticity, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to Concurrent Session Control, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information System Monitoring"}, 
{"techniqueID": "T1021.001", "score": 23, "comment": "Related to Session Lock, Session Termination, Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1563.002", "score": 17, "comment": "Related to Session Lock, Session Termination, Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1072", "score": 22, "comment": "Related to Session Termination, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Key Establishment And Management, Public Key Infrastructure Certificates, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1003", "score": 23, "comment": "Related to Security Attributes, Account Management, Access Enforcement, 
Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Backup, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Security Function Isolation, Process Isolation, Information Handling And Retention, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Backup, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1005", "score": 12, "comment": "Related to Security Attributes, Account Management, Data Mining Protection, Access Enforcement, Least Privilege, Information System Backup, Security Engineering Principles, Cryptographic Protection, Protection Of Information At Rest, Operations Security, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1020.001", "score": 16, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, System Interconnections, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System 
Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1025", "score": 14, "comment": "Related to Security Attributes, Account Management, Data Mining Protection, Access Enforcement, Least Privilege, Information System Backup, Media Use, Security Engineering Principles, Cryptographic Protection, Protection Of Information At Rest, Operations Security, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1041", "score": 17, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Security Engineering Principles, External Information System Services, Cryptographic Protection, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048", "score": 21, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security Engineering Principles, External Information System Services, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, 
Information System Monitoring"}, {"techniqueID": "T1048.002", "score": 21, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security Engineering Principles, External Information System Services, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.003", "score": 22, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security Engineering Principles, External Information System Services, Cryptographic Protection, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1052", "score": 18, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Media Use, Vulnerability Scanning, Security Engineering Principles, Protection Of Information At Rest, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1052.001", "score": 18, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, 
Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Media Use, Vulnerability Scanning, Security Engineering Principles, Protection Of Information At Rest, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1070", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.001", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.002", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, 
Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.003", "score": 10, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, Configuration Settings, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1119", "score": 16, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, 
Configuration Settings, Information System Component Inventory, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access 
Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505", "score": 22, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration 
Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Transmission Of Security Attributes, Non-Persistence, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.002", "score": 22, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Transmission Of Security Attributes, Non-Persistence, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Authenticator Management, Authenticator Feedback, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information In Shared Resources, 
Boundary Protection, Information Input Validation, Information Handling And Retention, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to Security Attributes, Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Identification And Authentication (Non-Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to Security Attributes, Access Enforcement, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1547.011", "score": 15, "comment": "Related to Security Attributes, Remote Access, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Developer Configuration Management, Developer Security Testing And Evaluation, Security Engineering Principles, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548", "score": 20, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, 
Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Mobile Code, Non-Modifiable Executable Programs, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Penetration Testing, Software Usage Restrictions, User-Installed Software, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Protection Of Information At Rest, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, 
Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Input Validation, Information Handling And Retention, Information Output Filtering, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to Security Attributes, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Device Identification And Authentication, Identifier Management, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1557", "score": 23, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Information In Shared Resources, Boundary Protection, Transmission Confidentiality 
And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1557.002", "score": 23, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information 
Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to Security Attributes, Access Enforcement, Continuous Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565", "score": 24, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Information 
System Recovery And Reconstitution, Alternate Storage Site, Alternate Processing Site, Information System Backup, Protection Of Information At Rest, Distributed Processing And Storage, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Memory Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.001", "score": 22, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information System Recovery And Reconstitution, Alternate Storage Site, Alternate Processing Site, Information System Backup, Protection Of Information At Rest, Distributed Processing And Storage, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Memory Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1567", "score": 16, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Security Engineering Principles, External Information System Services, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, 
{"techniqueID": "T1602", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And 
Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1021.003", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, 
Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1021.006", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to Remote Access, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to Remote Access, Least Functionality"}, {"techniqueID": "T1047", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least 
Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Security Function Isolation, Non-Modifiable Executable Programs, Memory Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.001", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.002", "score": 12, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And 
Authentication, Supply Chain Protection, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.003", "score": 10, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.004", "score": 10, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.005", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.006", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.007", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, 
Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.008", "score": 14, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1133", "score": 17, "comment": "Related to Remote Access, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.004", "score": 21, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, 
Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Boundary Protection, Non-Persistence, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Unsupported System Components, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1543.004", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For 
Change, Configuration Settings, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.004", "score": 12, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Non-Persistence, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users), Information System Monitoring"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users), Information System Monitoring"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And 
Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Information System Monitoring"}, {"techniqueID": "T1552.007", "score": 13, "comment": "Related to Remote Access, Account Management, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Transmission Confidentiality And Integrity"}, {"techniqueID": "T1563", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Cryptographic Key Establishment And Management, Session Authenticity, Information System Monitoring"}, {"techniqueID": "T1609", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to Remote Access, Account 
Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Scanning, Developer Security Testing And Evaluation, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1613", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1619", "score": 7, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to Wireless Access, Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to Wireless Access, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Security Function Isolation, Process Isolation, Flaw Remediation, Malicious Code Protection, 
Information System Monitoring"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.007", "score": 
14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1053", "score": 21, "comment": "Related to Account Management, Use Of External Information 
Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.002", "score": 20, "comment": "Related to Account Management, Use Of External Information Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.005", "score": 20, "comment": "Related to Account Management, Use Of External Information Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, 
Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1053.007", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, 
Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1068", "score": 24, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1078", "score": 22, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to Account Management, Separation Of Duties, Least Privilege, Continuous Monitoring, Developer Configuration Management, Developer Security Testing And Evaluation, Development 
Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.002", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1078.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.004", "score": 21, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, 
{"techniqueID": "T1087.004", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1098", "score": 11, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1098.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to Account Management, Use Of External 
Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication 
(Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1136", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information 
Integrity"}, {"techniqueID": "T1136.002", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.003", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1190", "score": 27, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Security Assessments, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Security Engineering Principles, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For 
Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1210", "score": 30, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Security Assessments, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1212", "score": 23, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.003", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Identification And Authentication (Organizational Users), Service Identification And Authentication, 
Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, System Development Life Cycle, Security Engineering Principles, Flaw Remediation"}, {"techniqueID": "T1218", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1489", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least 
Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, 
Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Developer Configuration 
Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.001", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Unsupported System Components, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.003", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Non-Persistence, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1547.006", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Information Input Validation, Non-Persistence, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": 
"T1548.002", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Flaw Remediation"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to Account Management, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to Account Management, Separation Of Duties, Least Privilege, 
Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1553", "score": 23, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Software Usage Restrictions, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Service Identification And Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Information Input Validation, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.006", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, 
Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Process Isolation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Process Isolation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management"}, {"techniqueID": "T1559", "score": 21, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, 
Separation Of Duties, Least Privilege, Software Usage Restrictions, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1559.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.002", "score": 13, "comment": 
"Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.006", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Service Identification And Authentication, Session Authenticity, Transmission Confidentiality And Integrity, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1562.009", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, 
Software Usage Restrictions, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Service Identification And Authentication, Session Authenticity, Transmission Confidentiality And Integrity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System 
Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, 
Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication 
(Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least 
Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601.001", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601.002", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, 
Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1606", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Public Key Infrastructure Certificates, Flaw Remediation"}, {"techniqueID": "T1606.001", "score": 4, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Flaw Remediation"}, {"techniqueID": "T1606.002", "score": 3, "comment": "Related to Account Management, Access Enforcement, Least Privilege"}, {"techniqueID": "T1611", "score": 20, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Mobile Code, Application Partitioning, Security Function Isolation, Non-Modifiable Executable Programs, Process Isolation, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Developer Security Testing And Evaluation, Developer Security Architecture And Design, Acquisition Process, Security Engineering Principles, Security Function Isolation"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to Use Of External Information Systems, Access Enforcement, Least Privilege, Media Use, Port And I/O Device Access"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to Use Of External Information Systems, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator 
Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1048.001", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Mobile Code, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, 
Information System Monitoring"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Least Functionality, Information In Shared Resources, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Media Use, Vulnerability Scanning, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": 
"T1095", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to Access Enforcement, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Cryptographic Key Establishment And Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1199", "score": 7, "comment": "Related to Access Enforcement, Information Flow Enforcement, Least Privilege, System Use Notification, Configuration Settings, Least Functionality, Boundary Protection"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1218.002", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code 
Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.012", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Storage Site, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, 
Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, 
Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Cryptographic Module Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related 
to Access Enforcement, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, 
Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.003", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Information System Backup, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Memory Protection, Information System Monitoring"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to 
Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1046", "score": 10, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least 
Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, 
Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous 
Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Unsupported System Components, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Information System Component Inventory, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious 
Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1204.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Scanning, Supply Chain Protection, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1211", "score": 22, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to Information Flow Enforcement, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Scanning, Trustworthiness, Developer Security Architecture And Design, Security Engineering Principles, Boundary Protection"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least 
Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1564.008", "score": 8, "comment": "Related to Information Flow Enforcement, Configuration Change Control, Access Restrictions For Change, Least Functionality, Incident Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1568", 
"score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key 
Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.003", 
"score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1106", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Least Privilege, Least Functionality"}, {"techniqueID": "T1137.001", "score": 9, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1137.003", "score": 6, "comment": "Related to Least 
Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.004", "score": 6, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.005", "score": 6, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.006", "score": 5, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Spam Protection"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Vulnerability Scanning, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to Least Privilege, Flaw Remediation"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to Least Privilege, Access Restrictions For Change"}, {"techniqueID": "T1195", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.001", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.002", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, 
{"techniqueID": "T1036.007", "score": 6, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Information System Monitoring"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to Continuous Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information 
System Monitoring"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to Penetration Testing, Configuration Change Control, Access Restrictions For Change, Information System Component Inventory, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.001", "score": 15, "comment": "Related to Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Non-Persistence, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1554", "score": 7, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Supply Chain Protection, Component Authenticity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Scanning, Information Input 
Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Information System Monitoring"}, {"techniqueID": "T1218.001", "score": 9, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Mobile Code, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.003", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.004", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.005", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, 
Firmware, And Information Integrity"}, {"techniqueID": "T1218.008", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.009", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.013", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.014", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.009", "score": 13, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Developer Configuration Management, Information In Shared Resources, Detonation Chambers, Resource Availability, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to Baseline 
Configuration, Configuration Settings, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification And Authentication, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Media Use, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least 
Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification And Authentication, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.006", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Service Identification And Authentication, Supply Chain Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.010", "score": 3, "comment": "Related to Baseline Configuration, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Scanning, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.004", "score": 10, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Mobile Code, Non-Modifiable Executable Programs, Information Handling And Retention, Malicious Code Protection, 
Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1562.010", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Information System Monitoring"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1087.001", "score": 3, "comment": 
"Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to Developer 
Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Flaw Remediation"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to Session Authenticity"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to Session Authenticity, Transmission Confidentiality And Integrity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to Transmission Confidentiality And Integrity"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file +{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "10.1"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 12, "comment": "Related to AC-10, AC-17, AC-6, CM-2, CM-6, CM-8, RA-5, SC-18, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1137.002", "score": 9, "comment": "Related to AC-10, AC-14, AC-17, AC-6, CM-2, CM-5, CM-6, SC-18, SI-8"}, {"techniqueID": "T1185", "score": 14, "comment": "Related to AC-10, AC-12, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, IA-2, SC-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to AC-10, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1021.001", "score": 23, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-5, IA-6, 
RA-5, SC-7, SI-4"}, {"techniqueID": "T1563.002", "score": 17, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-7, SI-4"}, {"techniqueID": "T1072", "score": 22, "comment": "Related to AC-12, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, SC-12, SC-17, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003", "score": 23, "comment": "Related to AC-16, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CP-9, IA-2, IA-4, IA-5, SC-28, SC-3, SC-39, SI-12, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CP-9, IA-2, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1005", "score": 12, "comment": "Related to AC-16, AC-2, AC-23, AC-3, AC-6, CP-9, SA-8, SC-13, SC-28, SC-38, SI-3, SI-4"}, {"techniqueID": "T1020.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-4, CA-3, CM-2, CM-6, CM-8, SC-4, SC-7, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1025", "score": 14, "comment": "Related to AC-16, AC-2, AC-23, AC-3, AC-6, CP-9, MP-7, SA-8, SC-13, SC-28, SC-38, SC-41, SI-3, SI-4"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to AC-16, AC-17, AC-18, AC-19, IA-2, IA-5, SC-4, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1041", "score": 17, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, SA-8, SA-9, SC-13, SC-28, SC-31, SC-7, SI-3, SI-4"}, {"techniqueID": "T1048", "score": 21, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-28, SC-31, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.002", "score": 21, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-28, SC-31, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.003", "score": 22, "comment": "Related 
to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-13, SC-28, SC-31, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1052", "score": 18, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SA-8, SC-28, SC-41, SI-3, SI-4"}, {"techniqueID": "T1052.001", "score": 18, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SA-8, SC-28, SC-41, SI-3, SI-4"}, {"techniqueID": "T1070", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.001", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.002", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.003", "score": 10, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, CM-6, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1119", "score": 16, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, 
SI-7"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1505", "score": 22, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SC-16, SI-14, SI-3, SI-4, SI-7"}, {"techniqueID": "T1505.002", "score": 22, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SC-16, SI-14, SI-3, SI-4, SI-7"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8, RA-5, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-4, SI-7"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to AC-16, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-8, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to AC-16, AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.011", "score": 15, "comment": "Related to AC-16, AC-17, AC-3, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, SA-10, SA-11, SA-8, SI-4, SI-7"}, 
{"techniqueID": "T1548", "score": 20, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-34, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-19, AC-20, CA-8, CM-10, CM-11, CM-2, CM-6, IA-2, IA-4, SC-28, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-2, SI-4, SI-7"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to AC-16, AC-20, AC-3, AC-4, CA-7, CM-6, CM-7, IA-3, IA-4, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1557", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.002", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to AC-16, 
AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to AC-16, AC-3, CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565", "score": 24, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-4, SI-7"}, {"techniqueID": "T1565.001", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, CA-7, CM-2, CM-6, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-4, SI-7"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1567", "score": 16, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, SA-8, SA-9, SC-28, SC-31, SC-7, SI-3, SI-4"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1021.002", "score": 16, 
"comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1021.003", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-7, SI-3, SI-4"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, CM-8, IA-2, IA-5, RA-5, SI-4"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1021.006", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-7, SI-4"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to AC-17, AC-3, CA-7, CM-2, CM-6, CM-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to AC-17, CM-7"}, {"techniqueID": "T1047", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SC-3, SC-34, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.001", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.002", "score": 12, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, CM-7, IA-9, SA-12, SI-10, SI-4, SI-7"}, {"techniqueID": "T1059.003", "score": 10, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1059.004", "score": 10, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, 
{"techniqueID": "T1059.005", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.006", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.007", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.008", "score": 14, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2, IA-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1133", "score": 17, "comment": "Related to AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to AC-17, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1505.004", "score": 21, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-8, CM-11, CM-2, CM-6, CM-7, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SC-7, SI-14, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1543.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-7, CM-2, CM-5, CM-6, SI-4, SI-7"}, {"techniqueID": "T1547.004", "score": 12, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-14, SI-4, SI-7"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to 
AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SI-4"}, {"techniqueID": "T1552.007", "score": 13, "comment": "Related to AC-17, AC-2, AC-23, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-7, SC-8"}, {"techniqueID": "T1563", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-4"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SC-23, SI-4"}, {"techniqueID": "T1609", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, SC-7, SI-10, SI-7"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-8, CM-6, CM-7, RA-5, SA-11, SC-7, SI-4"}, {"techniqueID": "T1613", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1619", "score": 7, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to AC-18, CM-6, CM-7, SI-4"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to AC-18, CM-2, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1003.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-3, SC-39, SI-2, SI-3, SI-4"}, {"techniqueID": "T1003.002", 
"score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1053", "score": 21, "comment": "Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.002", "score": 20, "comment": "Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.005", "score": 20, "comment": 
"Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1053.007", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-8"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1068", "score": 24, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1078", "score": 22, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-10, SA-11, SA-12, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to AC-2, AC-5, AC-6, CA-7, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1078.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.004", "score": 21, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": 
"T1087.004", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1098", "score": 11, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1098.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1136", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": 
"T1136.001", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1136.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1190", "score": 27, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-5, SA-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1210", "score": 30, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1212", "score": 23, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1213.003", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, IA-2, IA-9, RA-5, SA-10, SA-11, SA-15, SA-3, SA-8, SI-2"}, {"techniqueID": "T1218", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1489", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1495", 
"score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, SA-10, SA-11, SA-14, SI-2, SI-7"}, {"techniqueID": "T1505.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-7"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-8, RA-5, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1543.001", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-2, CM-5, IA-2"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.003", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, SI-14, SI-3, SI-4"}, {"techniqueID": "T1547.006", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-4, IA-8, RA-5, SI-10, SI-14, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-2, SI-4"}, 
{"techniqueID": "T1550", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SI-2"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to AC-2, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-4"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to AC-2, AC-5, AC-6, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SI-2, SI-4"}, {"techniqueID": "T1553", "score": 23, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-10, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-9, SA-10, SA-11, SA-14, SC-34, SI-10, SI-2, SI-4, SI-7"}, {"techniqueID": "T1553.006", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5"}, {"techniqueID": "T1559", "score": 21, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-10, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": 
"T1559.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5, SC-18, SC-3, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.006", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-10, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, SC-23, SC-8, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.009", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-10, CM-5, CM-6, CM-7, IA-2, IA-9, SC-23, SC-8, SI-7"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-6, CM-8, RA-5, SI-3, SI-4, SI-7"}, 
{"techniqueID": "T1574.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1601", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, 
IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1601.001", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1601.002", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1606", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, SC-17, SI-2"}, {"techniqueID": "T1606.001", "score": 4, "comment": "Related to AC-2, AC-3, AC-6, SI-2"}, {"techniqueID": "T1606.002", "score": 3, "comment": "Related to AC-2, AC-3, AC-6"}, {"techniqueID": "T1611", "score": 20, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-18, SC-2, SC-3, SC-34, SC-39, SC-7, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to AC-20, AC-3, AC-4, AC-5, AC-6, CM-2, CM-6, SA-11, SA-17, SA-4, SA-8, SC-3"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to AC-20, AC-3, AC-6, MP-7, SC-41"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to AC-20, AC-3, AC-6, CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1048.001", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, 
CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to AC-3, AC-6, CA-7, SC-18, SC-7, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to AC-3, CA-7, CM-2, CM-7, SC-4, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to AC-3, CM-2, CM-6, CM-7, CM-8, RA-5, SC-12, SI-3, SI-4"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1199", "score": 7, "comment": "Related to AC-3, AC-4, AC-6, AC-8, CM-6, CM-7, SC-7"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1218.002", "score": 10, "comment": "Related to AC-3, CA-7, CM-11, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.012", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, 
{"techniqueID": "T1486", "score": 11, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-6, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-7, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to AC-3, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, RA-5, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-10, CM-2, 
CM-6, IA-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565.003", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, CP-9, SC-28, SC-4, SC-7, SI-16, SI-4"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1046", "score": 10, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071", "score": 
15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to AC-4, AC-6, CA-7, CM-2, CM-6, CM-8, SA-22, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-2, SI-3, 
SI-4, SI-7"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to AC-4, AC-6, CA-7, CM-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.003", "score": 15, "comment": "Related to AC-4, CA-7, CA-8, CM-2, CM-6, CM-7, RA-5, SA-12, SC-44, SC-7, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1211", "score": 22, "comment": "Related to AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to AC-4, CA-8, CM-6, CM-7, RA-5, SA-13, SA-17, SA-8, SC-7"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to AC-4, AC-6, CM-10, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1564.008", "score": 8, "comment": "Related to AC-4, CM-3, CM-5, CM-7, IR-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1568.002", 
"score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to 
AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1106", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, CM-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to AC-6, CM-7"}, {"techniqueID": "T1137.001", "score": 9, "comment": "Related to AC-6, CM-2, CM-6, CM-8, RA-5, SC-18, SI-3, SI-4, SI-8"}, {"techniqueID": "T1137.003", "score": 6, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SI-2, SI-8"}, {"techniqueID": "T1137.004", "score": 6, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SI-2, SI-8"}, {"techniqueID": "T1137.005", "score": 6, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SI-2, SI-8"}, {"techniqueID": "T1137.006", "score": 5, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SI-8"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, RA-5, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to AC-6, SI-2"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to AC-6, CM-5"}, {"techniqueID": "T1195", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.001", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.002", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1036.007", "score": 6, "comment": "Related to CA-7, CM-2, CM-6, CM-7, IA-2, SI-4"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1221", "score": 14, "comment": 
"Related to CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to CA-8, CM-3, CM-5, CM-8, IA-7, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1505.001", "score": 15, "comment": "Related to CA-8, CM-11, CM-2, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SI-14, SI-3, SI-4, SI-7"}, {"techniqueID": "T1554", "score": 7, "comment": "Related to CA-8, CM-2, CM-6, IA-9, SA-12, SA-19, SI-7"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, CM-7, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, IA-9, SC-20, SI-4"}, {"techniqueID": "T1218.001", "score": 9, "comment": "Related to CM-11, CM-2, CM-6, CM-7, SC-18, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.003", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.004", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.005", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.008", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.009", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, 
CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.013", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.014", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.009", "score": 13, "comment": "Related to CM-11, CM-2, CM-6, CM-7, SA-10, SC-4, SC-44, SC-6, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to CM-2, CM-6, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to CM-2, CM-6, IA-9, SI-4, SI-7"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SI-3, SI-4"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-4"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.006", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, IA-9, SA-12, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.010", "score": 3, "comment": "Related to CM-2, SI-2, SI-7"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to CM-2, CM-6, RA-5, SC-39, SI-3, SI-4, SI-7"}, 
{"techniqueID": "T1548.004", "score": 10, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SC-18, SC-34, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to CM-2, CM-6, CM-7, IA-5, SI-4"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to CM-2, CM-6, IA-2, IA-5, SI-2, SI-4"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to CM-2, CM-6, CM-7, SI-4"}, {"techniqueID": "T1562.010", "score": 4, "comment": "Related to CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to CM-2, CM-6, CM-8, SI-4"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to CM-6, CM-7, SC-28, SI-4"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to CM-6, CM-7, SI-10, SI-7"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1564.003", "score": 3, 
"comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SI-2"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to SC-23"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to SC-23, SC-8, SI-7"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to SC-8"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings.yaml b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings.yaml index a6dd42e8..90d34dc3 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings.yaml @@ -1,7 +1,7 @@ attack-objects: - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -9,7 +9,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -17,7 +17,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25,7 +25,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33,7 +33,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Device Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -41,7 +41,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Device Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -49,7 +49,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -57,7 +57,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -65,7 +65,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -73,7 +73,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -81,7 +81,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Permitted Actions Without Identification or Authentication + capability-id: AC-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -89,7 +89,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -97,7 +97,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -105,7 +105,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -113,7 +113,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -121,7 +121,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -129,7 +129,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -137,7 +137,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -145,7 +145,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -153,7 +153,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -161,7 +161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -169,7 +169,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -177,7 +177,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -185,7 +185,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -193,7 +193,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -201,7 +201,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -209,7 +209,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -217,7 +217,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -225,7 +225,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -233,7 +233,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -241,7 +241,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -249,7 +249,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -257,7 +257,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -265,7 +265,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -273,7 +273,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -281,7 +281,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -289,7 +289,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -297,7 +297,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -305,7 +305,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -313,7 +313,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -321,7 +321,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -329,7 +329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -337,7 +337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -345,7 +345,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -353,7 +353,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -361,7 +361,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -369,7 +369,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -377,7 +377,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -385,7 +385,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -393,7 +393,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -401,7 +401,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -409,7 +409,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -417,7 +417,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -425,7 +425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -433,7 +433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -441,7 +441,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -449,7 +449,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -457,7 +457,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -465,7 +465,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -473,7 +473,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -481,7 +481,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -489,7 +489,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -497,7 +497,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -505,7 +505,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -513,7 +513,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -521,7 +521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -529,7 +529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -537,7 +537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -545,7 +545,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -553,7 +553,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -561,7 +561,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -569,7 +569,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -577,7 +577,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -585,7 +585,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -593,7 +593,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -601,7 +601,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -609,7 +609,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -617,7 +617,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -625,7 +625,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -633,7 +633,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -641,7 +641,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -649,7 +649,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -657,7 +657,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -665,7 +665,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -673,7 +673,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -681,7 +681,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -689,7 +689,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -697,7 +697,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -705,7 +705,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -713,7 +713,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -721,7 +721,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -729,7 +729,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -737,7 +737,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -745,7 +745,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -753,7 +753,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -761,7 +761,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -769,7 +769,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -777,7 +777,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -785,7 +785,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -793,7 +793,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -801,7 +801,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -809,7 +809,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -817,7 +817,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -825,7 +825,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -833,7 +833,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -841,7 +841,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -849,7 +849,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -857,7 +857,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -865,7 +865,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -873,7 +873,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -881,7 +881,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -889,7 +889,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -897,7 +897,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -905,7 +905,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -913,7 +913,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -921,7 +921,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -929,7 +929,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -937,7 +937,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -945,7 +945,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -953,7 +953,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -961,7 +961,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -969,7 +969,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -977,7 +977,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -985,7 +985,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -993,7 +993,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1001,7 +1001,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1009,7 +1009,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1017,7 +1017,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1025,7 +1025,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1033,7 +1033,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1041,7 +1041,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1049,7 +1049,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1057,7 +1057,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1065,7 +1065,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1073,7 +1073,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1081,7 +1081,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1089,7 +1089,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1097,7 +1097,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1105,7 +1105,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1113,7 +1113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1121,7 +1121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1129,7 +1129,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1137,7 +1137,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1145,7 +1145,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1153,7 +1153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1161,7 +1161,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1169,7 +1169,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1177,7 +1177,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1185,7 +1185,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1193,7 +1193,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1201,7 +1201,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1209,7 +1209,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1217,7 +1217,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1225,7 +1225,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1233,7 +1233,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1241,7 +1241,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1249,7 +1249,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1257,7 +1257,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1265,7 +1265,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1273,7 +1273,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1281,7 +1281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1289,7 +1289,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1297,7 +1297,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1305,7 +1305,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1313,7 +1313,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1321,7 +1321,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1329,7 +1329,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1337,7 +1337,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1345,7 +1345,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1353,7 +1353,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1361,7 +1361,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1369,7 +1369,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1377,7 +1377,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1385,7 +1385,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1393,7 +1393,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1401,7 +1401,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1409,7 +1409,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1417,7 +1417,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1425,7 +1425,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1433,7 +1433,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1441,7 +1441,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1449,7 +1449,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1457,7 +1457,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1465,7 +1465,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1473,7 +1473,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1481,7 +1481,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1489,7 +1489,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1497,7 +1497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1505,7 +1505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1513,7 +1513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1521,7 +1521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1529,7 +1529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1537,7 +1537,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1545,7 +1545,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1553,7 +1553,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1561,7 +1561,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1569,7 +1569,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1577,7 +1577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1585,7 +1585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1593,7 +1593,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1601,7 +1601,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1609,7 +1609,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1617,7 +1617,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1625,7 +1625,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1633,7 +1633,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1641,7 +1641,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1649,7 +1649,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1657,7 +1657,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1665,7 +1665,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1673,7 +1673,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1681,7 +1681,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1689,7 +1689,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1697,7 +1697,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1705,7 +1705,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1713,7 +1713,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1721,7 +1721,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1729,7 +1729,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1737,7 +1737,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1745,7 +1745,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1753,7 +1753,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1761,7 +1761,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1769,7 +1769,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1777,7 +1777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1785,7 +1785,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1793,7 +1793,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1801,7 +1801,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1809,7 +1809,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1817,7 +1817,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1825,7 +1825,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1833,7 +1833,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1841,7 +1841,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1849,7 +1849,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1857,7 +1857,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1865,7 +1865,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1873,7 +1873,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1881,7 +1881,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1889,7 +1889,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1897,7 +1897,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1905,7 +1905,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1913,7 +1913,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1921,7 +1921,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1929,7 +1929,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1937,7 +1937,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1945,7 +1945,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1953,7 +1953,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1961,7 +1961,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1969,7 +1969,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1977,7 +1977,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1985,7 +1985,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1993,7 +1993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2001,7 +2001,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2009,7 +2009,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2017,7 +2017,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2025,7 +2025,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2033,7 +2033,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2041,7 +2041,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2049,7 +2049,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2057,7 +2057,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2065,7 +2065,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2073,7 +2073,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2081,7 +2081,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2089,7 +2089,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2097,7 +2097,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2105,7 +2105,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2113,7 +2113,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2121,7 +2121,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2129,7 +2129,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2137,7 +2137,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2145,7 +2145,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2153,7 +2153,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2161,7 +2161,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2169,7 +2169,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2177,7 +2177,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2185,7 +2185,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2193,7 +2193,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2201,7 +2201,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2209,7 +2209,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2217,7 +2217,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2225,7 +2225,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2233,7 +2233,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2241,7 +2241,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2249,7 +2249,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2257,7 +2257,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2265,7 +2265,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2273,7 +2273,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2281,7 +2281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2289,7 +2289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2297,7 +2297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2305,7 +2305,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2313,7 +2313,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2321,7 +2321,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2329,7 +2329,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2337,7 +2337,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2345,7 +2345,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2353,7 +2353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2361,7 +2361,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2369,7 +2369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2377,7 +2377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2385,7 +2385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2393,7 +2393,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2401,7 +2401,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2409,7 +2409,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2417,7 +2417,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2425,7 +2425,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2433,7 +2433,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2441,7 +2441,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2449,7 +2449,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2457,7 +2457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2465,7 +2465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2473,7 +2473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2481,7 +2481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2489,7 +2489,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2497,7 +2497,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2505,7 +2505,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2513,7 +2513,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2521,7 +2521,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2529,7 +2529,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2537,7 +2537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2545,7 +2545,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2553,7 +2553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2561,7 +2561,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2569,7 +2569,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2577,7 +2577,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2585,7 +2585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2593,7 +2593,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2601,7 +2601,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2609,7 +2609,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2617,7 +2617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2625,7 +2625,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2633,7 +2633,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2641,7 +2641,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2649,7 +2649,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2657,7 +2657,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2665,7 +2665,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2673,7 +2673,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2681,7 +2681,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2689,7 +2689,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2697,7 +2697,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2705,7 +2705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2713,7 +2713,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2721,7 +2721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2729,7 +2729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2737,7 +2737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2745,7 +2745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2753,7 +2753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2761,7 +2761,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2769,7 +2769,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2777,7 +2777,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2785,7 +2785,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2793,7 +2793,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2801,7 +2801,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2809,7 +2809,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2817,7 +2817,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2825,7 +2825,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2833,7 +2833,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2841,7 +2841,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2849,7 +2849,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2857,7 +2857,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2865,7 +2865,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2873,7 +2873,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2881,7 +2881,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2889,7 +2889,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2897,7 +2897,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2905,7 +2905,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2913,7 +2913,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2921,7 +2921,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2929,7 +2929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2937,7 +2937,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2945,7 +2945,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2953,7 +2953,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2961,7 +2961,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2969,7 +2969,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2977,7 +2977,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2985,7 +2985,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2993,7 +2993,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3001,7 +3001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3009,7 +3009,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3017,7 +3017,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3025,7 +3025,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3033,7 +3033,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3041,7 +3041,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3049,7 +3049,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3057,7 +3057,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3065,7 +3065,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3073,7 +3073,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3081,7 +3081,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3089,7 +3089,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3097,7 +3097,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3105,7 +3105,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3113,7 +3113,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3121,7 +3121,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3129,7 +3129,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3137,7 +3137,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3145,7 +3145,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3153,7 +3153,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3161,7 +3161,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3169,7 +3169,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3177,7 +3177,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3185,7 +3185,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3193,7 +3193,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3201,7 +3201,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3209,7 +3209,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3217,7 +3217,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3225,7 +3225,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3233,7 +3233,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3241,7 +3241,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3249,7 +3249,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3257,7 +3257,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3265,7 +3265,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3273,7 +3273,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3281,7 +3281,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3289,7 +3289,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3297,7 +3297,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3305,7 +3305,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3313,7 +3313,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3321,7 +3321,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3329,7 +3329,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3337,7 +3337,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3345,7 +3345,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3353,7 +3353,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3361,7 +3361,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3369,7 +3369,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3377,7 +3377,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3385,7 +3385,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3393,7 +3393,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3401,7 +3401,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3409,7 +3409,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3417,7 +3417,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3425,7 +3425,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3433,7 +3433,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3441,7 +3441,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3449,7 +3449,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3457,7 +3457,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3465,7 +3465,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3473,7 +3473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3481,7 +3481,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3489,7 +3489,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3497,7 +3497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3505,7 +3505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3513,7 +3513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3521,7 +3521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3529,7 +3529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3537,7 +3537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3545,7 +3545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3553,7 +3553,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3561,7 +3561,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3569,7 +3569,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3577,7 +3577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3585,7 +3585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3593,7 +3593,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3601,7 +3601,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3609,7 +3609,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3617,7 +3617,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3625,7 +3625,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3633,7 +3633,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3641,7 +3641,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3649,7 +3649,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3657,7 +3657,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3665,7 +3665,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3673,7 +3673,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3681,7 +3681,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3689,7 +3689,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3697,7 +3697,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3705,7 +3705,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3713,7 +3713,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3721,7 +3721,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3729,7 +3729,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3737,7 +3737,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3745,7 +3745,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3753,7 +3753,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3761,7 +3761,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3769,7 +3769,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3777,7 +3777,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3785,7 +3785,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3793,7 +3793,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3801,7 +3801,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3809,7 +3809,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3817,7 +3817,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3825,7 +3825,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3833,7 +3833,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3841,7 +3841,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3849,7 +3849,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3857,7 +3857,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3865,7 +3865,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3873,7 +3873,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3881,7 +3881,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3889,7 +3889,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3897,7 +3897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3905,7 +3905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3913,7 +3913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3921,7 +3921,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3929,7 +3929,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3937,7 +3937,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3945,7 +3945,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3953,7 +3953,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3961,7 +3961,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3969,7 +3969,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3977,7 +3977,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3985,7 +3985,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3993,7 +3993,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4001,7 +4001,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4009,7 +4009,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4017,7 +4017,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4025,7 +4025,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4033,7 +4033,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4041,7 +4041,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4049,7 +4049,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4057,7 +4057,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4065,7 +4065,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4073,7 +4073,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4081,7 +4081,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4089,7 +4089,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4097,7 +4097,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4105,7 +4105,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4113,7 +4113,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4121,7 +4121,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4129,7 +4129,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4137,7 +4137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4145,7 +4145,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4153,7 +4153,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4161,7 +4161,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4169,7 +4169,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4177,7 +4177,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4185,7 +4185,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4193,7 +4193,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4201,7 +4201,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4209,7 +4209,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4217,7 +4217,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4225,7 +4225,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4233,7 +4233,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4241,7 +4241,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4249,7 +4249,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4257,7 +4257,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4265,7 +4265,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4273,7 +4273,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4281,7 +4281,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4289,7 +4289,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4297,7 +4297,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4305,7 +4305,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4313,7 +4313,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4321,7 +4321,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4329,7 +4329,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4337,7 +4337,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4345,7 +4345,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4353,7 +4353,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4361,7 +4361,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4369,7 +4369,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4377,7 +4377,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4385,7 +4385,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4393,7 +4393,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4401,7 +4401,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4409,7 +4409,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4417,7 +4417,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4425,7 +4425,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4433,7 +4433,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4441,7 +4441,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4449,7 +4449,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4457,7 +4457,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4465,7 +4465,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4473,7 +4473,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4481,7 +4481,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4489,7 +4489,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4497,7 +4497,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4505,7 +4505,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4513,7 +4513,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4521,7 +4521,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4529,7 +4529,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4537,7 +4537,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4545,7 +4545,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4553,7 +4553,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4561,7 +4561,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4569,7 +4569,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4577,7 +4577,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4585,7 +4585,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4593,7 +4593,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4601,7 +4601,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4609,7 +4609,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4617,7 +4617,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4625,7 +4625,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4633,7 +4633,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4641,7 +4641,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4649,7 +4649,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4657,7 +4657,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4665,7 +4665,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4673,7 +4673,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4681,7 +4681,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4689,7 +4689,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4697,7 +4697,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4705,7 +4705,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4713,7 +4713,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4721,7 +4721,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4729,7 +4729,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4737,7 +4737,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4745,7 +4745,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4753,7 +4753,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4761,7 +4761,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4769,7 +4769,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4777,7 +4777,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4785,7 +4785,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4793,7 +4793,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4801,7 +4801,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4809,7 +4809,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4817,7 +4817,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4825,7 +4825,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4833,7 +4833,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4841,7 +4841,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4849,7 +4849,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4857,7 +4857,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4865,7 +4865,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4873,7 +4873,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4881,7 +4881,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4889,7 +4889,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4897,7 +4897,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4905,7 +4905,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4913,7 +4913,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4921,7 +4921,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4929,7 +4929,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4937,7 +4937,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4945,7 +4945,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4953,7 +4953,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4961,7 +4961,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4969,7 +4969,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4977,7 +4977,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4985,7 +4985,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4993,7 +4993,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5001,7 +5001,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5009,7 +5009,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5017,7 +5017,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5025,7 +5025,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5033,7 +5033,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5041,7 +5041,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5049,7 +5049,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5057,7 +5057,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5065,7 +5065,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5073,7 +5073,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5081,7 +5081,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5089,7 +5089,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5097,7 +5097,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5105,7 +5105,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5113,7 +5113,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5121,7 +5121,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5129,7 +5129,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5137,7 +5137,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5145,7 +5145,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5153,7 +5153,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5161,7 +5161,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5169,7 +5169,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5177,7 +5177,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5185,7 +5185,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5193,7 +5193,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5201,7 +5201,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5209,7 +5209,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5217,7 +5217,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5225,7 +5225,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5233,7 +5233,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5241,7 +5241,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5249,7 +5249,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5257,7 +5257,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5265,7 +5265,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5273,7 +5273,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5281,7 +5281,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5289,7 +5289,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5297,7 +5297,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5305,7 +5305,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5313,7 +5313,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5321,7 +5321,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5329,7 +5329,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5337,7 +5337,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5345,7 +5345,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5353,7 +5353,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5361,7 +5361,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5369,7 +5369,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5377,7 +5377,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5385,7 +5385,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5393,7 +5393,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5401,7 +5401,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5409,7 +5409,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5417,7 +5417,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5425,7 +5425,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5433,7 +5433,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5441,7 +5441,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5449,7 +5449,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5457,7 +5457,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5465,7 +5465,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5473,7 +5473,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5481,7 +5481,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5489,7 +5489,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5497,7 +5497,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5505,7 +5505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5513,7 +5513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5521,7 +5521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5529,7 +5529,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5537,7 +5537,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5545,7 +5545,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5553,7 +5553,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5561,7 +5561,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5569,7 +5569,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5577,7 +5577,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5585,7 +5585,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5593,7 +5593,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5601,7 +5601,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5609,7 +5609,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5617,7 +5617,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5625,7 +5625,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5633,7 +5633,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5641,7 +5641,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5649,7 +5649,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5657,7 +5657,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5665,7 +5665,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5673,7 +5673,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5681,7 +5681,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5689,7 +5689,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5697,7 +5697,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5705,7 +5705,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5713,7 +5713,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5721,7 +5721,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5729,7 +5729,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5737,7 +5737,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5745,7 +5745,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5753,7 +5753,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5761,7 +5761,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5769,7 +5769,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5777,7 +5777,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5785,7 +5785,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5793,7 +5793,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5801,7 +5801,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5809,7 +5809,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5817,7 +5817,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5825,7 +5825,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5833,7 +5833,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5841,7 +5841,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5849,7 +5849,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5857,7 +5857,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5865,7 +5865,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5873,7 +5873,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5881,7 +5881,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5889,7 +5889,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5897,7 +5897,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5905,7 +5905,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5913,7 +5913,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5921,7 +5921,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5929,7 +5929,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5937,7 +5937,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5945,7 +5945,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5953,7 +5953,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5961,7 +5961,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5969,7 +5969,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5977,7 +5977,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5985,7 +5985,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5993,7 +5993,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6001,7 +6001,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6009,7 +6009,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6017,7 +6017,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6025,7 +6025,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6033,7 +6033,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6041,7 +6041,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6049,7 +6049,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6057,7 +6057,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6065,7 +6065,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6073,7 +6073,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6081,7 +6081,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6089,7 +6089,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6097,7 +6097,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6105,7 +6105,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6113,7 +6113,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6121,7 +6121,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6129,7 +6129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6137,7 +6137,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6145,7 +6145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6153,7 +6153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6161,7 +6161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6169,7 +6169,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6177,7 +6177,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6185,7 +6185,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6193,7 +6193,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6201,7 +6201,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6209,7 +6209,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6217,7 +6217,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6225,7 +6225,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6233,7 +6233,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6241,7 +6241,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6249,7 +6249,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6257,7 +6257,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6265,7 +6265,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6273,7 +6273,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6281,7 +6281,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6289,7 +6289,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6297,7 +6297,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6305,7 +6305,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6313,7 +6313,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6321,7 +6321,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6329,7 +6329,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6337,7 +6337,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6345,7 +6345,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6353,7 +6353,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6361,7 +6361,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6369,7 +6369,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6377,7 +6377,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6385,7 +6385,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6393,7 +6393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6401,7 +6401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6409,7 +6409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6417,7 +6417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6425,7 +6425,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6433,7 +6433,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6441,7 +6441,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6449,7 +6449,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6457,7 +6457,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6465,7 +6465,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6473,7 +6473,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6481,7 +6481,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6489,7 +6489,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6497,7 +6497,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6505,7 +6505,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6513,7 +6513,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6521,7 +6521,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6529,7 +6529,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6537,7 +6537,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6545,7 +6545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6553,7 +6553,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6561,7 +6561,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6569,7 +6569,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6577,7 +6577,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6585,7 +6585,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6593,7 +6593,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6601,7 +6601,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6609,7 +6609,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6617,7 +6617,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6625,7 +6625,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6633,7 +6633,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6641,7 +6641,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6649,7 +6649,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6657,7 +6657,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6665,7 +6665,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6673,7 +6673,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6681,7 +6681,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6689,7 +6689,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6697,7 +6697,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6705,7 +6705,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6713,7 +6713,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6721,7 +6721,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6729,7 +6729,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6737,7 +6737,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6745,7 +6745,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6753,7 +6753,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6761,7 +6761,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6769,7 +6769,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6777,7 +6777,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6785,7 +6785,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6793,7 +6793,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6801,7 +6801,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6809,7 +6809,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6817,7 +6817,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6825,7 +6825,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6833,7 +6833,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6841,7 +6841,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6849,7 +6849,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6857,7 +6857,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6865,7 +6865,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6873,7 +6873,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6881,7 +6881,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6889,7 +6889,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6897,7 +6897,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6905,7 +6905,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6913,7 +6913,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6921,7 +6921,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6929,7 +6929,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6937,7 +6937,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6945,7 +6945,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6953,7 +6953,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6961,7 +6961,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6969,7 +6969,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6977,7 +6977,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6985,7 +6985,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6993,7 +6993,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7001,7 +7001,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7009,7 +7009,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7017,7 +7017,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7025,7 +7025,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7033,7 +7033,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7041,7 +7041,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7049,7 +7049,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7057,7 +7057,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7065,7 +7065,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7073,7 +7073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7081,7 +7081,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7089,7 +7089,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7097,7 +7097,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7105,7 +7105,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7113,7 +7113,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7121,7 +7121,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7129,7 +7129,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7137,7 +7137,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7145,7 +7145,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7153,7 +7153,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7161,7 +7161,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7169,7 +7169,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7177,7 +7177,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7185,7 +7185,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7193,7 +7193,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7201,7 +7201,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7209,7 +7209,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7217,7 +7217,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7225,7 +7225,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7233,7 +7233,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7241,7 +7241,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7249,7 +7249,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7257,7 +7257,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7265,7 +7265,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7273,7 +7273,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7281,7 +7281,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7289,7 +7289,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7297,7 +7297,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7305,7 +7305,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7313,7 +7313,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7321,7 +7321,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7329,7 +7329,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7337,7 +7337,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7345,7 +7345,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7353,7 +7353,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7361,7 +7361,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7369,7 +7369,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7377,7 +7377,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7385,7 +7385,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7393,7 +7393,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7401,7 +7401,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7409,7 +7409,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7417,7 +7417,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7425,7 +7425,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7433,7 +7433,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7441,7 +7441,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7449,7 +7449,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7457,7 +7457,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7465,7 +7465,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7473,7 +7473,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7481,7 +7481,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7489,7 +7489,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7497,7 +7497,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7505,7 +7505,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7513,7 +7513,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7521,7 +7521,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7529,7 +7529,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7537,7 +7537,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7545,7 +7545,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7553,7 +7553,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7561,7 +7561,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7569,7 +7569,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7577,7 +7577,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7585,7 +7585,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7593,7 +7593,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7601,7 +7601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7609,7 +7609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7617,7 +7617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7625,7 +7625,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7633,7 +7633,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7641,7 +7641,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7649,7 +7649,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7657,7 +7657,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7665,7 +7665,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7673,7 +7673,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7681,7 +7681,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7689,7 +7689,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7697,7 +7697,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7705,7 +7705,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7713,7 +7713,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7721,7 +7721,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7729,7 +7729,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7737,7 +7737,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7745,7 +7745,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7753,7 +7753,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7761,7 +7761,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7769,7 +7769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7777,7 +7777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7785,7 +7785,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7793,7 +7793,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7801,7 +7801,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7809,7 +7809,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7817,7 +7817,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7825,7 +7825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7833,7 +7833,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7841,7 +7841,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7849,7 +7849,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7857,7 +7857,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7865,7 +7865,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7873,7 +7873,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7881,7 +7881,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7889,7 +7889,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7897,7 +7897,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7905,7 +7905,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7913,7 +7913,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7921,7 +7921,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7929,7 +7929,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7937,7 +7937,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7945,7 +7945,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7953,7 +7953,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7961,7 +7961,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7969,7 +7969,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7977,7 +7977,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7985,7 +7985,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7993,7 +7993,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8001,7 +8001,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8009,7 +8009,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8017,7 +8017,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8025,7 +8025,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8033,7 +8033,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8041,7 +8041,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8049,7 +8049,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8057,7 +8057,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8065,7 +8065,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8073,7 +8073,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8081,7 +8081,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8089,7 +8089,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8097,7 +8097,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8105,7 +8105,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8113,7 +8113,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8121,7 +8121,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8129,7 +8129,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8137,7 +8137,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8145,7 +8145,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8153,7 +8153,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8161,7 +8161,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8169,7 +8169,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8177,7 +8177,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8185,7 +8185,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8193,7 +8193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8201,7 +8201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8209,7 +8209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8217,7 +8217,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8225,7 +8225,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8233,7 +8233,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8241,7 +8241,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8249,7 +8249,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8257,7 +8257,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8265,7 +8265,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8273,7 +8273,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8281,7 +8281,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8289,7 +8289,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8297,7 +8297,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8305,7 +8305,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8313,7 +8313,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8321,7 +8321,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8329,7 +8329,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8337,7 +8337,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8345,7 +8345,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8353,7 +8353,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8361,7 +8361,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8369,7 +8369,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8377,7 +8377,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8385,7 +8385,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8393,7 +8393,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8401,7 +8401,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8409,7 +8409,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8417,7 +8417,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8425,7 +8425,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8433,7 +8433,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8441,7 +8441,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8449,7 +8449,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8457,7 +8457,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8465,7 +8465,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8473,7 +8473,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8481,7 +8481,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8489,7 +8489,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8497,7 +8497,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8505,7 +8505,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8513,7 +8513,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8521,7 +8521,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8529,7 +8529,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8537,7 +8537,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8545,7 +8545,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8553,7 +8553,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8561,7 +8561,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8569,7 +8569,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8577,7 +8577,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8585,7 +8585,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8593,7 +8593,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8601,7 +8601,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8609,7 +8609,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8617,7 +8617,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8625,7 +8625,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8633,7 +8633,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8641,7 +8641,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8649,7 +8649,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8657,7 +8657,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8665,7 +8665,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8673,7 +8673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8681,7 +8681,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8689,7 +8689,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8697,7 +8697,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8705,7 +8705,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8713,7 +8713,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8721,7 +8721,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8729,7 +8729,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8737,7 +8737,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8745,7 +8745,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8753,7 +8753,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8761,7 +8761,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8769,7 +8769,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8777,7 +8777,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8785,7 +8785,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8793,7 +8793,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8801,7 +8801,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8809,7 +8809,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8817,7 +8817,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8825,7 +8825,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8833,7 +8833,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8841,7 +8841,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8849,7 +8849,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8857,7 +8857,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8865,7 +8865,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8873,7 +8873,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8881,7 +8881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8889,7 +8889,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8897,7 +8897,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8905,7 +8905,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8913,7 +8913,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8921,7 +8921,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8929,7 +8929,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8937,7 +8937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8945,7 +8945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8953,7 +8953,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8961,7 +8961,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8969,7 +8969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8977,7 +8977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8985,7 +8985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8993,7 +8993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9001,7 +9001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9009,7 +9009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9017,7 +9017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9025,7 +9025,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9033,7 +9033,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9041,7 +9041,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9049,7 +9049,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9057,7 +9057,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9065,7 +9065,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9073,7 +9073,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9081,7 +9081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9089,7 +9089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9097,7 +9097,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9105,7 +9105,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9113,7 +9113,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9121,7 +9121,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9129,7 +9129,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9137,7 +9137,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9145,7 +9145,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9153,7 +9153,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9161,7 +9161,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9169,7 +9169,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9177,7 +9177,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9185,7 +9185,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9193,7 +9193,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9201,7 +9201,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9209,7 +9209,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9217,7 +9217,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9225,7 +9225,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9233,7 +9233,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9241,7 +9241,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9249,7 +9249,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9257,7 +9257,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9265,7 +9265,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9273,7 +9273,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9281,7 +9281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9289,7 +9289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9297,7 +9297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9305,7 +9305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9313,7 +9313,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9321,7 +9321,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9329,7 +9329,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9337,7 +9337,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9345,7 +9345,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9353,7 +9353,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9361,7 +9361,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9369,7 +9369,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9377,7 +9377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9385,7 +9385,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9393,7 +9393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9401,7 +9401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9409,7 +9409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9417,7 +9417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9425,7 +9425,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9433,7 +9433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9441,7 +9441,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9449,7 +9449,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9457,7 +9457,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9465,7 +9465,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9473,7 +9473,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9481,7 +9481,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9489,7 +9489,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9497,7 +9497,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9505,7 +9505,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9513,7 +9513,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9521,7 +9521,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9529,7 +9529,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9537,7 +9537,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9545,7 +9545,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9553,7 +9553,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9561,7 +9561,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9569,7 +9569,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9577,7 +9577,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9585,7 +9585,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9593,7 +9593,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9601,7 +9601,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9609,7 +9609,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9617,7 +9617,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9625,7 +9625,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9633,7 +9633,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9641,7 +9641,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9649,7 +9649,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9657,7 +9657,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9665,7 +9665,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9673,7 +9673,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9681,7 +9681,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9689,7 +9689,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9697,7 +9697,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9705,7 +9705,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9713,7 +9713,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9721,7 +9721,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: System Use Notification + capability-id: AC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -9729,7 +9729,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9737,7 +9737,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9745,7 +9745,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9753,7 +9753,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9761,7 +9761,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9769,7 +9769,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -9777,7 +9777,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -9785,7 +9785,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -9793,7 +9793,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -9801,7 +9801,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -9809,7 +9809,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9817,7 +9817,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9825,7 +9825,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9833,7 +9833,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9841,7 +9841,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9849,7 +9849,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9857,7 +9857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9865,7 +9865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9873,7 +9873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9881,7 +9881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9889,7 +9889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9897,7 +9897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9905,7 +9905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9913,7 +9913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9921,7 +9921,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9929,7 +9929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9937,7 +9937,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9945,7 +9945,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9953,7 +9953,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9961,7 +9961,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9969,7 +9969,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9977,7 +9977,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9985,7 +9985,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9993,7 +9993,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10001,7 +10001,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10009,7 +10009,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10017,7 +10017,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10025,7 +10025,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10033,7 +10033,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10041,7 +10041,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10049,7 +10049,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10057,7 +10057,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10065,7 +10065,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10073,7 +10073,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10081,7 +10081,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10089,7 +10089,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10097,7 +10097,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10105,7 +10105,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10113,7 +10113,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10121,7 +10121,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10129,7 +10129,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10137,7 +10137,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10145,7 +10145,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10153,7 +10153,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10161,7 +10161,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10169,7 +10169,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10177,7 +10177,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10185,7 +10185,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10193,7 +10193,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10201,7 +10201,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10209,7 +10209,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10217,7 +10217,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10225,7 +10225,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10233,7 +10233,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10241,7 +10241,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10249,7 +10249,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10257,7 +10257,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10265,7 +10265,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10273,7 +10273,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10281,7 +10281,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10289,7 +10289,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10297,7 +10297,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10305,7 +10305,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10313,7 +10313,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10321,7 +10321,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10329,7 +10329,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10337,7 +10337,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10345,7 +10345,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10353,7 +10353,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10361,7 +10361,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10369,7 +10369,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10377,7 +10377,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10385,7 +10385,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10393,7 +10393,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10401,7 +10401,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10409,7 +10409,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10417,7 +10417,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10425,7 +10425,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10433,7 +10433,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10441,7 +10441,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10449,7 +10449,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10457,7 +10457,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10465,7 +10465,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10473,7 +10473,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10481,7 +10481,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10489,7 +10489,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10497,7 +10497,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10505,7 +10505,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10513,7 +10513,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10521,7 +10521,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10529,7 +10529,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10537,7 +10537,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10545,7 +10545,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10553,7 +10553,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10561,7 +10561,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10569,7 +10569,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10577,7 +10577,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10585,7 +10585,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10593,7 +10593,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10601,7 +10601,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10609,7 +10609,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10617,7 +10617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10625,7 +10625,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10633,7 +10633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10641,7 +10641,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10649,7 +10649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10657,7 +10657,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10665,7 +10665,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10673,7 +10673,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10681,7 +10681,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10689,7 +10689,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10697,7 +10697,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10705,7 +10705,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10713,7 +10713,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10721,7 +10721,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10729,7 +10729,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10737,7 +10737,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10745,7 +10745,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10753,7 +10753,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10761,7 +10761,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10769,7 +10769,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10777,7 +10777,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10785,7 +10785,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10793,7 +10793,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10801,7 +10801,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10809,7 +10809,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10817,7 +10817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10825,7 +10825,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10833,7 +10833,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10841,7 +10841,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10849,7 +10849,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10857,7 +10857,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10865,7 +10865,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10873,7 +10873,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10881,7 +10881,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10889,7 +10889,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10897,7 +10897,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10905,7 +10905,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10913,7 +10913,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10921,7 +10921,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10929,7 +10929,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10937,7 +10937,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10945,7 +10945,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10953,7 +10953,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10961,7 +10961,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10969,7 +10969,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10977,7 +10977,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10985,7 +10985,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10993,7 +10993,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11001,7 +11001,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11009,7 +11009,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11017,7 +11017,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11025,7 +11025,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11033,7 +11033,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11041,7 +11041,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11049,7 +11049,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11057,7 +11057,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11065,7 +11065,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11073,7 +11073,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11081,7 +11081,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11089,7 +11089,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11097,7 +11097,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11105,7 +11105,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11113,7 +11113,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11121,7 +11121,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11129,7 +11129,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11137,7 +11137,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11145,7 +11145,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11153,7 +11153,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11161,7 +11161,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11169,7 +11169,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11177,7 +11177,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11185,7 +11185,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11193,7 +11193,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11201,7 +11201,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11209,7 +11209,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11217,7 +11217,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11225,7 +11225,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11233,7 +11233,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11241,7 +11241,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11249,7 +11249,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11257,7 +11257,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11265,7 +11265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11273,7 +11273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11281,7 +11281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11289,7 +11289,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11297,7 +11297,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11305,7 +11305,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11313,7 +11313,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11321,7 +11321,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11329,7 +11329,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11337,7 +11337,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11345,7 +11345,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11353,7 +11353,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11361,7 +11361,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11369,7 +11369,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11377,7 +11377,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11385,7 +11385,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11393,7 +11393,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11401,7 +11401,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11409,7 +11409,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11417,7 +11417,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11425,7 +11425,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11433,7 +11433,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11441,7 +11441,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11449,7 +11449,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11457,7 +11457,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11465,7 +11465,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11473,7 +11473,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11481,7 +11481,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11489,7 +11489,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11497,7 +11497,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11505,7 +11505,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11513,7 +11513,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11521,7 +11521,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11529,7 +11529,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11537,7 +11537,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11545,7 +11545,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11553,7 +11553,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11561,7 +11561,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11569,7 +11569,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11577,7 +11577,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11585,7 +11585,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11593,7 +11593,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11601,7 +11601,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11609,7 +11609,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11617,7 +11617,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11625,7 +11625,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11633,7 +11633,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11641,7 +11641,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11649,7 +11649,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11657,7 +11657,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11665,7 +11665,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11673,7 +11673,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11681,7 +11681,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11689,7 +11689,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11697,7 +11697,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11705,7 +11705,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11713,7 +11713,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11721,7 +11721,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11729,7 +11729,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11737,7 +11737,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11745,7 +11745,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11753,7 +11753,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11761,7 +11761,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11769,7 +11769,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11777,7 +11777,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11785,7 +11785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11793,7 +11793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11801,7 +11801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11809,7 +11809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11817,7 +11817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11825,7 +11825,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11833,7 +11833,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11841,7 +11841,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11849,7 +11849,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11857,7 +11857,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11865,7 +11865,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11873,7 +11873,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11881,7 +11881,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11889,7 +11889,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11897,7 +11897,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11905,7 +11905,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11913,7 +11913,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11921,7 +11921,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11929,7 +11929,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11937,7 +11937,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11945,7 +11945,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11953,7 +11953,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11961,7 +11961,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11969,7 +11969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11977,7 +11977,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11985,7 +11985,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11993,7 +11993,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12001,7 +12001,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12009,7 +12009,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12017,7 +12017,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12025,7 +12025,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12033,7 +12033,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12041,7 +12041,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12049,7 +12049,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12057,7 +12057,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12065,7 +12065,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12073,7 +12073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12081,7 +12081,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12089,7 +12089,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12097,7 +12097,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12105,7 +12105,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12113,7 +12113,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12121,7 +12121,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12129,7 +12129,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12137,7 +12137,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12145,7 +12145,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12153,7 +12153,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12161,7 +12161,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12169,7 +12169,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12177,7 +12177,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12185,7 +12185,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12193,7 +12193,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12201,7 +12201,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12209,7 +12209,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12217,7 +12217,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12225,7 +12225,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Information Location + capability-id: CM-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -12233,7 +12233,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Information Location + capability-id: CM-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -12241,7 +12241,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12249,7 +12249,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12257,7 +12257,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12265,7 +12265,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12273,7 +12273,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12281,7 +12281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12289,7 +12289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12297,7 +12297,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12305,7 +12305,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12313,7 +12313,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12321,7 +12321,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12329,7 +12329,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12337,7 +12337,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12345,7 +12345,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12353,7 +12353,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12361,7 +12361,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12369,7 +12369,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12377,7 +12377,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12385,7 +12385,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12393,7 +12393,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12401,7 +12401,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12409,7 +12409,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12417,7 +12417,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12425,7 +12425,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12433,7 +12433,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12441,7 +12441,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12449,7 +12449,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12457,7 +12457,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12465,7 +12465,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12473,7 +12473,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12481,7 +12481,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12489,7 +12489,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12497,7 +12497,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12505,7 +12505,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12513,7 +12513,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12521,7 +12521,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12529,7 +12529,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12537,7 +12537,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12545,7 +12545,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12553,7 +12553,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12561,7 +12561,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12569,7 +12569,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12577,7 +12577,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12585,7 +12585,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12593,7 +12593,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12601,7 +12601,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12609,7 +12609,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12617,7 +12617,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12625,7 +12625,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12633,7 +12633,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12641,7 +12641,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12649,7 +12649,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12657,7 +12657,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12665,7 +12665,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12673,7 +12673,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12681,7 +12681,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12689,7 +12689,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12697,7 +12697,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12705,7 +12705,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12713,7 +12713,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12721,7 +12721,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12729,7 +12729,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12737,7 +12737,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12745,7 +12745,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12753,7 +12753,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12761,7 +12761,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12769,7 +12769,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12777,7 +12777,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12785,7 +12785,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12793,7 +12793,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12801,7 +12801,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12809,7 +12809,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12817,7 +12817,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12825,7 +12825,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12833,7 +12833,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12841,7 +12841,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12849,7 +12849,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12857,7 +12857,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12865,7 +12865,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12873,7 +12873,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12881,7 +12881,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12889,7 +12889,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12897,7 +12897,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12905,7 +12905,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12913,7 +12913,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12921,7 +12921,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12929,7 +12929,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12937,7 +12937,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12945,7 +12945,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12953,7 +12953,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12961,7 +12961,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12969,7 +12969,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12977,7 +12977,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12985,7 +12985,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12993,7 +12993,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13001,7 +13001,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13009,7 +13009,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13017,7 +13017,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13025,7 +13025,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13033,7 +13033,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13041,7 +13041,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13049,7 +13049,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13057,7 +13057,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13065,7 +13065,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13073,7 +13073,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13081,7 +13081,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13089,7 +13089,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13097,7 +13097,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13105,7 +13105,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13113,7 +13113,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13121,7 +13121,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13129,7 +13129,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13137,7 +13137,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13145,7 +13145,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13153,7 +13153,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13161,7 +13161,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13169,7 +13169,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13177,7 +13177,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13185,7 +13185,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13193,7 +13193,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13201,7 +13201,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13209,7 +13209,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13217,7 +13217,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13225,7 +13225,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13233,7 +13233,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13241,7 +13241,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13249,7 +13249,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13257,7 +13257,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13265,7 +13265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13273,7 +13273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13281,7 +13281,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13289,7 +13289,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13297,7 +13297,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13305,7 +13305,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13313,7 +13313,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13321,7 +13321,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13329,7 +13329,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13337,7 +13337,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13345,7 +13345,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13353,7 +13353,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13361,7 +13361,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13369,7 +13369,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13377,7 +13377,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13385,7 +13385,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13393,7 +13393,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13401,7 +13401,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13409,7 +13409,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13417,7 +13417,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13425,7 +13425,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13433,7 +13433,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13441,7 +13441,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13449,7 +13449,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13457,7 +13457,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13465,7 +13465,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13473,7 +13473,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13481,7 +13481,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13489,7 +13489,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13497,7 +13497,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13505,7 +13505,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13513,7 +13513,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13521,7 +13521,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13529,7 +13529,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13537,7 +13537,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13545,7 +13545,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13553,7 +13553,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13561,7 +13561,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13569,7 +13569,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13577,7 +13577,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13585,7 +13585,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13593,7 +13593,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13601,7 +13601,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13609,7 +13609,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13617,7 +13617,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13625,7 +13625,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13633,7 +13633,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13641,7 +13641,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13649,7 +13649,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13657,7 +13657,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13665,7 +13665,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13673,7 +13673,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13681,7 +13681,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13689,7 +13689,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13697,7 +13697,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13705,7 +13705,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13713,7 +13713,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13721,7 +13721,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13729,7 +13729,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13737,7 +13737,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13745,7 +13745,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13753,7 +13753,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13761,7 +13761,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13769,7 +13769,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13777,7 +13777,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13785,7 +13785,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13793,7 +13793,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13801,7 +13801,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13809,7 +13809,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13817,7 +13817,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13825,7 +13825,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13833,7 +13833,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13841,7 +13841,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13849,7 +13849,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13857,7 +13857,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13865,7 +13865,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13873,7 +13873,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13881,7 +13881,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13889,7 +13889,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13897,7 +13897,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13905,7 +13905,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13913,7 +13913,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13921,7 +13921,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13929,7 +13929,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13937,7 +13937,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13945,7 +13945,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13953,7 +13953,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13961,7 +13961,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13969,7 +13969,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13977,7 +13977,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13985,7 +13985,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13993,7 +13993,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14001,7 +14001,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14009,7 +14009,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14017,7 +14017,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14025,7 +14025,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14033,7 +14033,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14041,7 +14041,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14049,7 +14049,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14057,7 +14057,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14065,7 +14065,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14073,7 +14073,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14081,7 +14081,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14089,7 +14089,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14097,7 +14097,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14105,7 +14105,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14113,7 +14113,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14121,7 +14121,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14129,7 +14129,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14137,7 +14137,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14145,7 +14145,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14153,7 +14153,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14161,7 +14161,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14169,7 +14169,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14177,7 +14177,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14185,7 +14185,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14193,7 +14193,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14201,7 +14201,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14209,7 +14209,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14217,7 +14217,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14225,7 +14225,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14233,7 +14233,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14241,7 +14241,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14249,7 +14249,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14257,7 +14257,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14265,7 +14265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14273,7 +14273,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14281,7 +14281,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14289,7 +14289,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14297,7 +14297,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14305,7 +14305,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14313,7 +14313,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14321,7 +14321,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14329,7 +14329,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14337,7 +14337,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14345,7 +14345,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14353,7 +14353,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14361,7 +14361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14369,7 +14369,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14377,7 +14377,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14385,7 +14385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14393,7 +14393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14401,7 +14401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14409,7 +14409,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14417,7 +14417,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14425,7 +14425,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14433,7 +14433,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14441,7 +14441,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14449,7 +14449,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14457,7 +14457,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14465,7 +14465,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14473,7 +14473,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14481,7 +14481,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14489,7 +14489,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14497,7 +14497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14505,7 +14505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14513,7 +14513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14521,7 +14521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14529,7 +14529,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14537,7 +14537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14545,7 +14545,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14553,7 +14553,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14561,7 +14561,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14569,7 +14569,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14577,7 +14577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14585,7 +14585,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14593,7 +14593,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14601,7 +14601,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14609,7 +14609,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14617,7 +14617,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14625,7 +14625,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14633,7 +14633,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14641,7 +14641,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14649,7 +14649,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14657,7 +14657,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14665,7 +14665,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14673,7 +14673,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14681,7 +14681,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14689,7 +14689,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14697,7 +14697,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14705,7 +14705,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14713,7 +14713,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14721,7 +14721,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14729,7 +14729,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14737,7 +14737,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14745,7 +14745,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14753,7 +14753,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14761,7 +14761,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14769,7 +14769,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14777,7 +14777,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14785,7 +14785,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14793,7 +14793,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14801,7 +14801,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14809,7 +14809,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14817,7 +14817,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14825,7 +14825,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14833,7 +14833,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14841,7 +14841,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14849,7 +14849,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14857,7 +14857,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14865,7 +14865,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14873,7 +14873,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14881,7 +14881,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14889,7 +14889,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14897,7 +14897,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14905,7 +14905,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14913,7 +14913,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14921,7 +14921,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14929,7 +14929,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14937,7 +14937,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14945,7 +14945,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14953,7 +14953,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14961,7 +14961,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14969,7 +14969,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14977,7 +14977,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14985,7 +14985,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14993,7 +14993,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15001,7 +15001,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15009,7 +15009,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15017,7 +15017,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15025,7 +15025,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15033,7 +15033,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15041,7 +15041,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15049,7 +15049,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15057,7 +15057,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15065,7 +15065,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15073,7 +15073,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15081,7 +15081,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15089,7 +15089,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15097,7 +15097,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15105,7 +15105,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15113,7 +15113,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15121,7 +15121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15129,7 +15129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15137,7 +15137,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15145,7 +15145,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15153,7 +15153,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15161,7 +15161,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15169,7 +15169,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15177,7 +15177,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15185,7 +15185,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15193,7 +15193,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15201,7 +15201,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15209,7 +15209,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15217,7 +15217,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15225,7 +15225,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15233,7 +15233,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15241,7 +15241,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15249,7 +15249,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15257,7 +15257,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15265,7 +15265,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15273,7 +15273,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15281,7 +15281,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15289,7 +15289,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15297,7 +15297,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15305,7 +15305,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15313,7 +15313,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15321,7 +15321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15329,7 +15329,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15337,7 +15337,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15345,7 +15345,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15353,7 +15353,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15361,7 +15361,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15369,7 +15369,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15377,7 +15377,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15385,7 +15385,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15393,7 +15393,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15401,7 +15401,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15409,7 +15409,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15417,7 +15417,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15425,7 +15425,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15433,7 +15433,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15441,7 +15441,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15449,7 +15449,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15457,7 +15457,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15465,7 +15465,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15473,7 +15473,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15481,7 +15481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15489,7 +15489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15497,7 +15497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15505,7 +15505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15513,7 +15513,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15521,7 +15521,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15529,7 +15529,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15537,7 +15537,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15545,7 +15545,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15553,7 +15553,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15561,7 +15561,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15569,7 +15569,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15577,7 +15577,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15585,7 +15585,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15593,7 +15593,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15601,7 +15601,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15609,7 +15609,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15617,7 +15617,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15625,7 +15625,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15633,7 +15633,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15641,7 +15641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15649,7 +15649,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15657,7 +15657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15665,7 +15665,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15673,7 +15673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15681,7 +15681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15689,7 +15689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15697,7 +15697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15705,7 +15705,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15713,7 +15713,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15721,7 +15721,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15729,7 +15729,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15737,7 +15737,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15745,7 +15745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15753,7 +15753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15761,7 +15761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15769,7 +15769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15777,7 +15777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15785,7 +15785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15793,7 +15793,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15801,7 +15801,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15809,7 +15809,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15817,7 +15817,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15825,7 +15825,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15833,7 +15833,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15841,7 +15841,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15849,7 +15849,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15857,7 +15857,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15865,7 +15865,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15873,7 +15873,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15881,7 +15881,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15889,7 +15889,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15897,7 +15897,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15905,7 +15905,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15913,7 +15913,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15921,7 +15921,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15929,7 +15929,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15937,7 +15937,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15945,7 +15945,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15953,7 +15953,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15961,7 +15961,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15969,7 +15969,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15977,7 +15977,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15985,7 +15985,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15993,7 +15993,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16001,7 +16001,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16009,7 +16009,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16017,7 +16017,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16025,7 +16025,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16033,7 +16033,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16041,7 +16041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16049,7 +16049,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16057,7 +16057,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16065,7 +16065,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16073,7 +16073,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16081,7 +16081,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16089,7 +16089,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16097,7 +16097,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16105,7 +16105,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16113,7 +16113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16121,7 +16121,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16129,7 +16129,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16137,7 +16137,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16145,7 +16145,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16153,7 +16153,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16161,7 +16161,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16169,7 +16169,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16177,7 +16177,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16185,7 +16185,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16193,7 +16193,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16201,7 +16201,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16209,7 +16209,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16217,7 +16217,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16225,7 +16225,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16233,7 +16233,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16241,7 +16241,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16249,7 +16249,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16257,7 +16257,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16265,7 +16265,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16273,7 +16273,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16281,7 +16281,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16289,7 +16289,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16297,7 +16297,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16305,7 +16305,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16313,7 +16313,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16321,7 +16321,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16329,7 +16329,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16337,7 +16337,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16345,7 +16345,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16353,7 +16353,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16361,7 +16361,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16369,7 +16369,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16377,7 +16377,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16385,7 +16385,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16393,7 +16393,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16401,7 +16401,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16409,7 +16409,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16417,7 +16417,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16425,7 +16425,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16433,7 +16433,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16441,7 +16441,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16449,7 +16449,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16457,7 +16457,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16465,7 +16465,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16473,7 +16473,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16481,7 +16481,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16489,7 +16489,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16497,7 +16497,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16505,7 +16505,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16513,7 +16513,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16521,7 +16521,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16529,7 +16529,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16537,7 +16537,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16545,7 +16545,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16553,7 +16553,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16561,7 +16561,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16569,7 +16569,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16577,7 +16577,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16585,7 +16585,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16593,7 +16593,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16601,7 +16601,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16609,7 +16609,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16617,7 +16617,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16625,7 +16625,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16633,7 +16633,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16641,7 +16641,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16649,7 +16649,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16657,7 +16657,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16665,7 +16665,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16673,7 +16673,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16681,7 +16681,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16689,7 +16689,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16697,7 +16697,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16705,7 +16705,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16713,7 +16713,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16721,7 +16721,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16729,7 +16729,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16737,7 +16737,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16745,7 +16745,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16753,7 +16753,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16761,7 +16761,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16769,7 +16769,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16777,7 +16777,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16785,7 +16785,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16793,7 +16793,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16801,7 +16801,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16809,7 +16809,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16817,7 +16817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16825,7 +16825,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16833,7 +16833,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16841,7 +16841,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16849,7 +16849,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16857,7 +16857,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16865,7 +16865,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16873,7 +16873,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16881,7 +16881,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16889,7 +16889,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16897,7 +16897,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16905,7 +16905,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16913,7 +16913,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16921,7 +16921,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16929,7 +16929,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16937,7 +16937,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16945,7 +16945,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16953,7 +16953,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16961,7 +16961,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16969,7 +16969,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16977,7 +16977,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16985,7 +16985,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16993,7 +16993,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17001,7 +17001,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17009,7 +17009,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17017,7 +17017,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17025,7 +17025,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17033,7 +17033,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17041,7 +17041,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17049,7 +17049,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17057,7 +17057,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17065,7 +17065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17073,7 +17073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17081,7 +17081,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17089,7 +17089,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17097,7 +17097,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17105,7 +17105,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17113,7 +17113,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17121,7 +17121,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17129,7 +17129,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17137,7 +17137,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17145,7 +17145,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17153,7 +17153,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17161,7 +17161,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17169,7 +17169,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17177,7 +17177,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17185,7 +17185,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17193,7 +17193,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17201,7 +17201,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17209,7 +17209,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17217,7 +17217,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17225,7 +17225,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17233,7 +17233,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17241,7 +17241,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17249,7 +17249,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17257,7 +17257,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17265,7 +17265,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17273,7 +17273,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17281,7 +17281,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17289,7 +17289,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17297,7 +17297,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17305,7 +17305,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17313,7 +17313,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17321,7 +17321,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17329,7 +17329,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17337,7 +17337,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17345,7 +17345,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17353,7 +17353,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17361,7 +17361,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17369,7 +17369,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17377,7 +17377,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17385,7 +17385,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17393,7 +17393,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17401,7 +17401,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17409,7 +17409,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17417,7 +17417,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17425,7 +17425,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17433,7 +17433,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17441,7 +17441,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17449,7 +17449,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17457,7 +17457,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17465,7 +17465,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17473,7 +17473,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17481,7 +17481,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17489,7 +17489,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17497,7 +17497,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17505,7 +17505,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17513,7 +17513,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17521,7 +17521,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17529,7 +17529,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17537,7 +17537,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17545,7 +17545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17553,7 +17553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17561,7 +17561,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17569,7 +17569,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17577,7 +17577,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17585,7 +17585,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17593,7 +17593,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17601,7 +17601,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17609,7 +17609,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17617,7 +17617,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17625,7 +17625,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17633,7 +17633,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17641,7 +17641,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17649,7 +17649,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17657,7 +17657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17665,7 +17665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17673,7 +17673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17681,7 +17681,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17689,7 +17689,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17697,7 +17697,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17705,7 +17705,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17713,7 +17713,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17721,7 +17721,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17729,7 +17729,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17737,7 +17737,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17745,7 +17745,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17753,7 +17753,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17761,7 +17761,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17769,7 +17769,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17777,7 +17777,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17785,7 +17785,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17793,7 +17793,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17801,7 +17801,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17809,7 +17809,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17817,7 +17817,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17825,7 +17825,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17833,7 +17833,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17841,7 +17841,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17849,7 +17849,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17857,7 +17857,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17865,7 +17865,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17873,7 +17873,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17881,7 +17881,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17889,7 +17889,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17897,7 +17897,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17905,7 +17905,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17913,7 +17913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17921,7 +17921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17929,7 +17929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17937,7 +17937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17945,7 +17945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17953,7 +17953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17961,7 +17961,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17969,7 +17969,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17977,7 +17977,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17985,7 +17985,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17993,7 +17993,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18001,7 +18001,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18009,7 +18009,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18017,7 +18017,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18025,7 +18025,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18033,7 +18033,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18041,7 +18041,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18049,7 +18049,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18057,7 +18057,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18065,7 +18065,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18073,7 +18073,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18081,7 +18081,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18089,7 +18089,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18097,7 +18097,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18105,7 +18105,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18113,7 +18113,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18121,7 +18121,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18129,7 +18129,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18137,7 +18137,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18145,7 +18145,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18153,7 +18153,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18161,7 +18161,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18169,7 +18169,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18177,7 +18177,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18185,7 +18185,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18193,7 +18193,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18201,7 +18201,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18209,7 +18209,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18217,7 +18217,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18225,7 +18225,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18233,7 +18233,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18241,7 +18241,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18249,7 +18249,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18257,7 +18257,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18265,7 +18265,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18273,7 +18273,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18281,7 +18281,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18289,7 +18289,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18297,7 +18297,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18305,7 +18305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18313,7 +18313,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18321,7 +18321,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18329,7 +18329,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18337,7 +18337,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18345,7 +18345,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18353,7 +18353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18361,7 +18361,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18369,7 +18369,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18377,7 +18377,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18385,7 +18385,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18393,7 +18393,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18401,7 +18401,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18409,7 +18409,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18417,7 +18417,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18425,7 +18425,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18433,7 +18433,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18441,7 +18441,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18449,7 +18449,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18457,7 +18457,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18465,7 +18465,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18473,7 +18473,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18481,7 +18481,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18489,7 +18489,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18497,7 +18497,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18505,7 +18505,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18513,7 +18513,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18521,7 +18521,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18529,7 +18529,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18537,7 +18537,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18545,7 +18545,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18553,7 +18553,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18561,7 +18561,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18569,7 +18569,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18577,7 +18577,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18585,7 +18585,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18593,7 +18593,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18601,7 +18601,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18609,7 +18609,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18617,7 +18617,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18625,7 +18625,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18633,7 +18633,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18641,7 +18641,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18649,7 +18649,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18657,7 +18657,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18665,7 +18665,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18673,7 +18673,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18681,7 +18681,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18689,7 +18689,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18697,7 +18697,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18705,7 +18705,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18713,7 +18713,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18721,7 +18721,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18729,7 +18729,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18737,7 +18737,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18745,7 +18745,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18753,7 +18753,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18761,7 +18761,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18769,7 +18769,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18777,7 +18777,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18785,7 +18785,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18793,7 +18793,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18801,7 +18801,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18809,7 +18809,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18817,7 +18817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18825,7 +18825,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18833,7 +18833,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18841,7 +18841,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18849,7 +18849,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18857,7 +18857,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18865,7 +18865,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18873,7 +18873,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18881,7 +18881,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18889,7 +18889,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18897,7 +18897,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18905,7 +18905,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18913,7 +18913,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18921,7 +18921,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18929,7 +18929,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18937,7 +18937,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18945,7 +18945,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18953,7 +18953,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18961,7 +18961,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18969,7 +18969,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18977,7 +18977,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18985,7 +18985,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18993,7 +18993,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19001,7 +19001,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19009,7 +19009,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19017,7 +19017,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19025,7 +19025,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19033,7 +19033,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19041,7 +19041,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19049,7 +19049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19057,7 +19057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19065,7 +19065,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19073,7 +19073,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19081,7 +19081,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19089,7 +19089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19097,7 +19097,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19105,7 +19105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19113,7 +19113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19121,7 +19121,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19129,7 +19129,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19137,7 +19137,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19145,7 +19145,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19153,7 +19153,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19161,7 +19161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19169,7 +19169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19177,7 +19177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19185,7 +19185,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19193,7 +19193,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19201,7 +19201,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19209,7 +19209,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19217,7 +19217,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19225,7 +19225,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19233,7 +19233,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19241,7 +19241,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19249,7 +19249,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19257,7 +19257,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19265,7 +19265,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19273,7 +19273,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19281,7 +19281,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19289,7 +19289,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19297,7 +19297,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19305,7 +19305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19313,7 +19313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19321,7 +19321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19329,7 +19329,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19337,7 +19337,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19345,7 +19345,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19353,7 +19353,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19361,7 +19361,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19369,7 +19369,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19377,7 +19377,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19385,7 +19385,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19393,7 +19393,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19401,7 +19401,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19409,7 +19409,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19417,7 +19417,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19425,7 +19425,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19433,7 +19433,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19441,7 +19441,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19449,7 +19449,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19457,7 +19457,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19465,7 +19465,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19473,7 +19473,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19481,7 +19481,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19489,7 +19489,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19497,7 +19497,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19505,7 +19505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19513,7 +19513,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19521,7 +19521,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19529,7 +19529,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19537,7 +19537,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19545,7 +19545,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19553,7 +19553,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19561,7 +19561,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19569,7 +19569,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19577,7 +19577,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19585,7 +19585,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19593,7 +19593,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19601,7 +19601,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19609,7 +19609,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19617,7 +19617,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19625,7 +19625,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19633,7 +19633,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19641,7 +19641,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19649,7 +19649,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19657,7 +19657,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19665,7 +19665,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19673,7 +19673,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19681,7 +19681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19689,7 +19689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19697,7 +19697,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19705,7 +19705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19713,7 +19713,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19721,7 +19721,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19729,7 +19729,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19737,7 +19737,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19745,7 +19745,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19753,7 +19753,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19761,7 +19761,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19769,7 +19769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19777,7 +19777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19785,7 +19785,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19793,7 +19793,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19801,7 +19801,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19809,7 +19809,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19817,7 +19817,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19825,7 +19825,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19833,7 +19833,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19841,7 +19841,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19849,7 +19849,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19857,7 +19857,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19865,7 +19865,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19873,7 +19873,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19881,7 +19881,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19889,7 +19889,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19897,7 +19897,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19905,7 +19905,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19913,7 +19913,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19921,7 +19921,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19929,7 +19929,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19937,7 +19937,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19945,7 +19945,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19953,7 +19953,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19961,7 +19961,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19969,7 +19969,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19977,7 +19977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19985,7 +19985,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19993,7 +19993,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20001,7 +20001,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20009,7 +20009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20017,7 +20017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20025,7 +20025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20033,7 +20033,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20041,7 +20041,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20049,7 +20049,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20057,7 +20057,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20065,7 +20065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20073,7 +20073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20081,7 +20081,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20089,7 +20089,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20097,7 +20097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20105,7 +20105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20113,7 +20113,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20121,7 +20121,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20129,7 +20129,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20137,7 +20137,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20145,7 +20145,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20153,7 +20153,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20161,7 +20161,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20169,7 +20169,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20177,7 +20177,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20185,7 +20185,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20193,7 +20193,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20201,7 +20201,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20209,7 +20209,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20217,7 +20217,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20225,7 +20225,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20233,7 +20233,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20241,7 +20241,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20249,7 +20249,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20257,7 +20257,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20265,7 +20265,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20273,7 +20273,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20281,7 +20281,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20289,7 +20289,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20297,7 +20297,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20305,7 +20305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20313,7 +20313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20321,7 +20321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20329,7 +20329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20337,7 +20337,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20345,7 +20345,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20353,7 +20353,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20361,7 +20361,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20369,7 +20369,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20377,7 +20377,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20385,7 +20385,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20393,7 +20393,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20401,7 +20401,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20409,7 +20409,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20417,7 +20417,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20425,7 +20425,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20433,7 +20433,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20441,7 +20441,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20449,7 +20449,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20457,7 +20457,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20465,7 +20465,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -20473,7 +20473,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20481,7 +20481,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20489,7 +20489,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20497,7 +20497,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20505,7 +20505,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20513,7 +20513,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20521,7 +20521,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20529,7 +20529,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20537,7 +20537,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20545,7 +20545,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20553,7 +20553,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20561,7 +20561,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20569,7 +20569,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20577,7 +20577,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20585,7 +20585,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20593,7 +20593,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20601,7 +20601,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20609,7 +20609,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20617,7 +20617,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20625,7 +20625,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20633,7 +20633,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20641,7 +20641,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20649,7 +20649,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20657,7 +20657,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20665,7 +20665,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20673,7 +20673,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20681,7 +20681,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20689,7 +20689,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20697,7 +20697,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20705,7 +20705,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20713,7 +20713,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20721,7 +20721,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20729,7 +20729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20737,7 +20737,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20745,7 +20745,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20753,7 +20753,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20761,7 +20761,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20769,7 +20769,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20777,7 +20777,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20785,7 +20785,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20793,7 +20793,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20801,7 +20801,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20809,7 +20809,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20817,7 +20817,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20825,7 +20825,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20833,7 +20833,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20841,7 +20841,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20849,7 +20849,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20857,7 +20857,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20865,7 +20865,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20873,7 +20873,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20881,7 +20881,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -20889,7 +20889,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -20897,7 +20897,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -20905,7 +20905,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -20913,7 +20913,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -20921,7 +20921,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -20929,7 +20929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -20937,7 +20937,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20945,7 +20945,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -20953,7 +20953,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20961,7 +20961,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20969,7 +20969,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20977,7 +20977,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20985,7 +20985,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20993,7 +20993,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21001,7 +21001,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21009,7 +21009,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21017,7 +21017,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21025,7 +21025,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21033,7 +21033,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21041,7 +21041,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21049,7 +21049,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21057,7 +21057,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21065,7 +21065,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21073,7 +21073,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21081,7 +21081,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21089,7 +21089,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21097,7 +21097,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21105,7 +21105,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21113,7 +21113,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21121,7 +21121,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21129,7 +21129,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21137,7 +21137,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21145,7 +21145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21153,7 +21153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21161,7 +21161,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21169,7 +21169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21177,7 +21177,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21185,7 +21185,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21193,7 +21193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21201,7 +21201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21209,7 +21209,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21217,7 +21217,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21225,7 +21225,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21233,7 +21233,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21241,7 +21241,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21249,7 +21249,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21257,7 +21257,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21265,7 +21265,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21273,7 +21273,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21281,7 +21281,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21289,7 +21289,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21297,7 +21297,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21305,7 +21305,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21313,7 +21313,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21321,7 +21321,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21329,7 +21329,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21337,7 +21337,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21345,7 +21345,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21353,7 +21353,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21361,7 +21361,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21369,7 +21369,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21377,7 +21377,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21385,7 +21385,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21393,7 +21393,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21401,7 +21401,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21409,7 +21409,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21417,7 +21417,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21425,7 +21425,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21433,7 +21433,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21441,7 +21441,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21449,7 +21449,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21457,7 +21457,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21465,7 +21465,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21473,7 +21473,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21481,7 +21481,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21489,7 +21489,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21497,7 +21497,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21505,7 +21505,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21513,7 +21513,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21521,7 +21521,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21529,7 +21529,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21537,7 +21537,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21545,7 +21545,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21553,7 +21553,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21561,7 +21561,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21569,7 +21569,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21577,7 +21577,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21585,7 +21585,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21593,7 +21593,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21601,7 +21601,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21609,7 +21609,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21617,7 +21617,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21625,7 +21625,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21633,7 +21633,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21641,7 +21641,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21649,7 +21649,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21657,7 +21657,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21665,7 +21665,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21673,7 +21673,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21681,7 +21681,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21689,7 +21689,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21697,7 +21697,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21705,7 +21705,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21713,7 +21713,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21721,7 +21721,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21729,7 +21729,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21737,7 +21737,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21745,7 +21745,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21753,7 +21753,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21761,7 +21761,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21769,7 +21769,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21777,7 +21777,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21785,7 +21785,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21793,7 +21793,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21801,7 +21801,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21809,7 +21809,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21817,7 +21817,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21825,7 +21825,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21833,7 +21833,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21841,7 +21841,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21849,7 +21849,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21857,7 +21857,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21865,7 +21865,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21873,7 +21873,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21881,7 +21881,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21889,7 +21889,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21897,7 +21897,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21905,7 +21905,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21913,7 +21913,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21921,7 +21921,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21929,7 +21929,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21937,7 +21937,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21945,7 +21945,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21953,7 +21953,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21961,7 +21961,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21969,7 +21969,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21977,7 +21977,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21985,7 +21985,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21993,7 +21993,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22001,7 +22001,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22009,7 +22009,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22017,7 +22017,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22025,7 +22025,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22033,7 +22033,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22041,7 +22041,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22049,7 +22049,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22057,7 +22057,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22065,7 +22065,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22073,7 +22073,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22081,7 +22081,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22089,7 +22089,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22097,7 +22097,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22105,7 +22105,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22113,7 +22113,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22121,7 +22121,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22129,7 +22129,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22137,7 +22137,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22145,7 +22145,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22153,7 +22153,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22161,7 +22161,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22169,7 +22169,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22177,7 +22177,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22185,7 +22185,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22193,7 +22193,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22201,7 +22201,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22209,7 +22209,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22217,7 +22217,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22225,7 +22225,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22233,7 +22233,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22241,7 +22241,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22249,7 +22249,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22257,7 +22257,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22265,7 +22265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22273,7 +22273,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22281,7 +22281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22289,7 +22289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22297,7 +22297,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22305,7 +22305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22313,7 +22313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22321,7 +22321,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22329,7 +22329,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22337,7 +22337,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22345,7 +22345,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22353,7 +22353,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22361,7 +22361,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22369,7 +22369,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22377,7 +22377,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22385,7 +22385,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22393,7 +22393,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22401,7 +22401,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22409,7 +22409,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22417,7 +22417,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22425,7 +22425,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22433,7 +22433,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22441,7 +22441,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22449,7 +22449,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22457,7 +22457,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22465,7 +22465,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22473,7 +22473,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22481,7 +22481,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22489,7 +22489,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22497,7 +22497,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22505,7 +22505,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22513,7 +22513,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22521,7 +22521,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22529,7 +22529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22537,7 +22537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22545,7 +22545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22553,7 +22553,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22561,7 +22561,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22569,7 +22569,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22577,7 +22577,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22585,7 +22585,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22593,7 +22593,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22601,7 +22601,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22609,7 +22609,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22617,7 +22617,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22625,7 +22625,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22633,7 +22633,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22641,7 +22641,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22649,7 +22649,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22657,7 +22657,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22665,7 +22665,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22673,7 +22673,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22681,7 +22681,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22689,7 +22689,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22697,7 +22697,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22705,7 +22705,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22713,7 +22713,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22721,7 +22721,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22729,7 +22729,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22737,7 +22737,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22745,7 +22745,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22753,7 +22753,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22761,7 +22761,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22769,7 +22769,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22777,7 +22777,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22785,7 +22785,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22793,7 +22793,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22801,7 +22801,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22809,7 +22809,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22817,7 +22817,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22825,7 +22825,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22833,7 +22833,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22841,7 +22841,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22849,7 +22849,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22857,7 +22857,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22865,7 +22865,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22873,7 +22873,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22881,7 +22881,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22889,7 +22889,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22897,7 +22897,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22905,7 +22905,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22913,7 +22913,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22921,7 +22921,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22929,7 +22929,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22937,7 +22937,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22945,7 +22945,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22953,7 +22953,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22961,7 +22961,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22969,7 +22969,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22977,7 +22977,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22985,7 +22985,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22993,7 +22993,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23001,7 +23001,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23009,7 +23009,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23017,7 +23017,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23025,7 +23025,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23033,7 +23033,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23041,7 +23041,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23049,7 +23049,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23057,7 +23057,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23065,7 +23065,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23073,7 +23073,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23081,7 +23081,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23089,7 +23089,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23097,7 +23097,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23105,7 +23105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23113,7 +23113,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23121,7 +23121,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23129,7 +23129,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23137,7 +23137,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23145,7 +23145,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23153,7 +23153,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23161,7 +23161,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23169,7 +23169,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23177,7 +23177,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23185,7 +23185,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23193,7 +23193,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23201,7 +23201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23209,7 +23209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23217,7 +23217,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23225,7 +23225,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23233,7 +23233,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23241,7 +23241,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23249,7 +23249,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23257,7 +23257,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23265,7 +23265,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23273,7 +23273,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23281,7 +23281,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23289,7 +23289,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23297,7 +23297,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23305,7 +23305,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23313,7 +23313,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23321,7 +23321,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23329,7 +23329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23337,7 +23337,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23345,7 +23345,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23353,7 +23353,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23361,7 +23361,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23369,7 +23369,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23377,7 +23377,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23385,7 +23385,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23393,7 +23393,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23401,7 +23401,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23409,7 +23409,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23417,7 +23417,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23425,7 +23425,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23433,7 +23433,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23441,7 +23441,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23449,7 +23449,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23457,7 +23457,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23465,7 +23465,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23473,7 +23473,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23481,7 +23481,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23489,7 +23489,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23497,7 +23497,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23505,7 +23505,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -23513,7 +23513,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Incident Monitoring + capability-id: IR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23521,7 +23521,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23529,7 +23529,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23537,7 +23537,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23545,7 +23545,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23553,7 +23553,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23561,7 +23561,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23569,7 +23569,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23577,7 +23577,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23585,7 +23585,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23593,7 +23593,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23601,7 +23601,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23609,7 +23609,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23617,7 +23617,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23625,7 +23625,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23633,7 +23633,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23641,7 +23641,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23649,7 +23649,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23657,7 +23657,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23665,7 +23665,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23673,7 +23673,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23681,7 +23681,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23689,7 +23689,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23697,7 +23697,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23705,7 +23705,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23713,7 +23713,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23721,7 +23721,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23729,7 +23729,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23737,7 +23737,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23745,7 +23745,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23753,7 +23753,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23761,7 +23761,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23769,7 +23769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23777,7 +23777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23785,7 +23785,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23793,7 +23793,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23801,7 +23801,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23809,7 +23809,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23817,7 +23817,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23825,7 +23825,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23833,7 +23833,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23841,7 +23841,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23849,7 +23849,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23857,7 +23857,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23865,7 +23865,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23873,7 +23873,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23881,7 +23881,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23889,7 +23889,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23897,7 +23897,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23905,7 +23905,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23913,7 +23913,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23921,7 +23921,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23929,7 +23929,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23937,7 +23937,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23945,7 +23945,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23953,7 +23953,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23961,7 +23961,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23969,7 +23969,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23977,7 +23977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23985,7 +23985,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23993,7 +23993,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24001,7 +24001,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24009,7 +24009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24017,7 +24017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24025,7 +24025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24033,7 +24033,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24041,7 +24041,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24049,7 +24049,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24057,7 +24057,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24065,7 +24065,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24073,7 +24073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24081,7 +24081,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24089,7 +24089,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24097,7 +24097,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24105,7 +24105,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24113,7 +24113,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24121,7 +24121,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24129,7 +24129,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24137,7 +24137,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24145,7 +24145,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24153,7 +24153,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24161,7 +24161,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24169,7 +24169,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24177,7 +24177,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24185,7 +24185,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24193,7 +24193,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24201,7 +24201,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24209,7 +24209,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24217,7 +24217,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24225,7 +24225,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24233,7 +24233,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24241,7 +24241,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24249,7 +24249,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24257,7 +24257,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24265,7 +24265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24273,7 +24273,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24281,7 +24281,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24289,7 +24289,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24297,7 +24297,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24305,7 +24305,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24313,7 +24313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24321,7 +24321,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24329,7 +24329,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24337,7 +24337,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24345,7 +24345,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24353,7 +24353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24361,7 +24361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24369,7 +24369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24377,7 +24377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24385,7 +24385,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24393,7 +24393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24401,7 +24401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24409,7 +24409,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24417,7 +24417,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24425,7 +24425,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24433,7 +24433,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24441,7 +24441,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24449,7 +24449,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24457,7 +24457,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24465,7 +24465,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24473,7 +24473,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24481,7 +24481,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24489,7 +24489,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24497,7 +24497,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24505,7 +24505,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24513,7 +24513,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24521,7 +24521,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24529,7 +24529,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24537,7 +24537,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24545,7 +24545,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24553,7 +24553,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24561,7 +24561,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24569,7 +24569,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24577,7 +24577,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24585,7 +24585,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24593,7 +24593,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24601,7 +24601,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24609,7 +24609,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24617,7 +24617,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24625,7 +24625,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24633,7 +24633,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24641,7 +24641,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24649,7 +24649,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24657,7 +24657,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24665,7 +24665,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24673,7 +24673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24681,7 +24681,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24689,7 +24689,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24697,7 +24697,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24705,7 +24705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24713,7 +24713,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24721,7 +24721,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24729,7 +24729,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24737,7 +24737,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24745,7 +24745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24753,7 +24753,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24761,7 +24761,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24769,7 +24769,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24777,7 +24777,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24785,7 +24785,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24793,7 +24793,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24801,7 +24801,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24809,7 +24809,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24817,7 +24817,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24825,7 +24825,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24833,7 +24833,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24841,7 +24841,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24849,7 +24849,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24857,7 +24857,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24865,7 +24865,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24873,7 +24873,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24881,7 +24881,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24889,7 +24889,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24897,7 +24897,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24905,7 +24905,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24913,7 +24913,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24921,7 +24921,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24929,7 +24929,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24937,7 +24937,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24945,7 +24945,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24953,7 +24953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24961,7 +24961,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24969,7 +24969,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24977,7 +24977,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24985,7 +24985,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -24993,7 +24993,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25001,7 +25001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25009,7 +25009,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25017,7 +25017,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25025,7 +25025,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25033,7 +25033,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25041,7 +25041,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25049,7 +25049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25057,7 +25057,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25065,7 +25065,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25073,7 +25073,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25081,7 +25081,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25089,7 +25089,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25097,7 +25097,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25105,7 +25105,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25113,7 +25113,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25121,7 +25121,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25129,7 +25129,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25137,7 +25137,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25145,7 +25145,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25153,7 +25153,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25161,7 +25161,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25169,7 +25169,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25177,7 +25177,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25185,7 +25185,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25193,7 +25193,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25201,7 +25201,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25209,7 +25209,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25217,7 +25217,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25225,7 +25225,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25233,7 +25233,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -25241,7 +25241,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25249,7 +25249,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25257,7 +25257,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25265,7 +25265,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25273,7 +25273,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25281,7 +25281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25289,7 +25289,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25297,7 +25297,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25305,7 +25305,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25313,7 +25313,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25321,7 +25321,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25329,7 +25329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25337,7 +25337,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25345,7 +25345,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25353,7 +25353,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25361,7 +25361,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25369,7 +25369,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25377,7 +25377,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25385,7 +25385,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25393,7 +25393,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25401,7 +25401,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25409,7 +25409,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25417,7 +25417,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25425,7 +25425,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25433,7 +25433,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25441,7 +25441,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25449,7 +25449,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25457,7 +25457,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25465,7 +25465,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25473,7 +25473,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25481,7 +25481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25489,7 +25489,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25497,7 +25497,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25505,7 +25505,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25513,7 +25513,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25521,7 +25521,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25529,7 +25529,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25537,7 +25537,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25545,7 +25545,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25553,7 +25553,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25561,7 +25561,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25569,7 +25569,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25577,7 +25577,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25585,7 +25585,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25593,7 +25593,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25601,7 +25601,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25609,7 +25609,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25617,7 +25617,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25625,7 +25625,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25633,7 +25633,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -25641,7 +25641,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25649,7 +25649,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -25657,7 +25657,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -25665,7 +25665,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -25673,7 +25673,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -25681,7 +25681,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25689,7 +25689,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25697,7 +25697,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25705,7 +25705,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25713,7 +25713,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -25721,7 +25721,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25729,7 +25729,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -25737,7 +25737,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25745,7 +25745,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25753,7 +25753,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25761,7 +25761,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25769,7 +25769,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25777,7 +25777,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25785,7 +25785,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25793,7 +25793,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25801,7 +25801,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25809,7 +25809,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25817,7 +25817,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25825,7 +25825,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25833,7 +25833,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25841,7 +25841,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25849,7 +25849,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25857,7 +25857,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25865,7 +25865,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25873,7 +25873,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25881,7 +25881,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25889,7 +25889,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25897,7 +25897,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25905,7 +25905,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25913,7 +25913,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25921,7 +25921,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25929,7 +25929,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25937,7 +25937,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25945,7 +25945,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25953,7 +25953,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25961,7 +25961,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25969,7 +25969,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25977,7 +25977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25985,7 +25985,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -25993,7 +25993,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26001,7 +26001,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26009,7 +26009,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26017,7 +26017,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26025,7 +26025,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26033,7 +26033,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26041,7 +26041,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26049,7 +26049,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26057,7 +26057,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26065,7 +26065,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26073,7 +26073,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26081,7 +26081,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26089,7 +26089,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26097,7 +26097,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26105,7 +26105,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26113,7 +26113,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26121,7 +26121,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26129,7 +26129,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26137,7 +26137,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26145,7 +26145,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26153,7 +26153,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26161,7 +26161,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26169,7 +26169,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26177,7 +26177,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26185,7 +26185,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26193,7 +26193,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26201,7 +26201,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -26209,7 +26209,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26217,7 +26217,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26225,7 +26225,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26233,7 +26233,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26241,7 +26241,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26249,7 +26249,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26257,7 +26257,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -26265,7 +26265,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26273,7 +26273,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26281,7 +26281,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26289,7 +26289,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26297,7 +26297,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26305,7 +26305,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26313,7 +26313,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26321,7 +26321,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26329,7 +26329,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26337,7 +26337,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26345,7 +26345,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26353,7 +26353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26361,7 +26361,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26369,7 +26369,7 @@ attack-objects: tags: [] - attack-object-id: T1535 attack-object-name: Unused/Unsupported Cloud Regions - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26377,7 +26377,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26385,7 +26385,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26393,7 +26393,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26401,7 +26401,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26409,7 +26409,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26417,7 +26417,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26425,7 +26425,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26433,7 +26433,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26441,7 +26441,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26449,7 +26449,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -26457,7 +26457,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26465,7 +26465,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -26473,7 +26473,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -26481,7 +26481,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -26489,7 +26489,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26497,7 +26497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26505,7 +26505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26513,7 +26513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26521,7 +26521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26529,7 +26529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26537,7 +26537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26545,7 +26545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26553,7 +26553,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26561,7 +26561,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26569,7 +26569,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26577,7 +26577,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26585,7 +26585,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26593,7 +26593,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26601,7 +26601,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26609,7 +26609,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26617,7 +26617,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26625,7 +26625,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26633,7 +26633,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26641,7 +26641,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26649,7 +26649,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26657,7 +26657,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26665,7 +26665,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26673,7 +26673,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26681,7 +26681,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26689,7 +26689,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26697,7 +26697,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26705,7 +26705,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26713,7 +26713,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26721,7 +26721,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26729,7 +26729,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26737,7 +26737,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26745,7 +26745,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26753,7 +26753,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26761,7 +26761,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26769,7 +26769,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26777,7 +26777,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26785,7 +26785,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26793,7 +26793,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -26801,7 +26801,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26809,7 +26809,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -26817,7 +26817,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -26825,7 +26825,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -26833,7 +26833,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -26841,7 +26841,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -26849,7 +26849,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -26857,7 +26857,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -26865,7 +26865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26873,7 +26873,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26881,7 +26881,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26889,7 +26889,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26897,7 +26897,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26905,7 +26905,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26913,7 +26913,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26921,7 +26921,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26929,7 +26929,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26937,7 +26937,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26945,7 +26945,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26953,7 +26953,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26961,7 +26961,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26969,7 +26969,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26977,7 +26977,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26985,7 +26985,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26993,7 +26993,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27001,7 +27001,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27009,7 +27009,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27017,7 +27017,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27025,7 +27025,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27033,7 +27033,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27041,7 +27041,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27049,7 +27049,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27057,7 +27057,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27065,7 +27065,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27073,7 +27073,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27081,7 +27081,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27089,7 +27089,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27097,7 +27097,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27105,7 +27105,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27113,7 +27113,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27121,7 +27121,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27129,7 +27129,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27137,7 +27137,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -27145,7 +27145,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27153,7 +27153,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27161,7 +27161,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27169,7 +27169,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27177,7 +27177,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27185,7 +27185,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27193,7 +27193,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27201,7 +27201,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27209,7 +27209,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27217,7 +27217,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27225,7 +27225,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27233,7 +27233,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27241,7 +27241,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27249,7 +27249,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27257,7 +27257,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -27265,7 +27265,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27273,7 +27273,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -27281,7 +27281,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -27289,7 +27289,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -27297,7 +27297,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27305,7 +27305,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27313,7 +27313,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27321,7 +27321,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27329,7 +27329,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27337,7 +27337,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -27345,7 +27345,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27353,7 +27353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27361,7 +27361,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27369,7 +27369,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27377,7 +27377,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -27385,7 +27385,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Operations Security + capability-id: SC-38 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27393,7 +27393,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Operations Security + capability-id: SC-38 comments: '' mapping-description: '' mapping-type: mitigates @@ -27401,7 +27401,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27409,7 +27409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27417,7 +27417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27425,7 +27425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27433,7 +27433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27441,7 +27441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27449,7 +27449,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27457,7 +27457,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27465,7 +27465,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27473,7 +27473,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27481,7 +27481,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27489,7 +27489,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27497,7 +27497,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27505,7 +27505,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27513,7 +27513,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27521,7 +27521,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27529,7 +27529,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27537,7 +27537,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27545,7 +27545,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27553,7 +27553,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27561,7 +27561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27569,7 +27569,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -27577,7 +27577,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27585,7 +27585,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27593,7 +27593,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27601,7 +27601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27609,7 +27609,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27617,7 +27617,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27625,7 +27625,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27633,7 +27633,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27641,7 +27641,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27649,7 +27649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27657,7 +27657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27665,7 +27665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27673,7 +27673,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27681,7 +27681,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27689,7 +27689,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27697,7 +27697,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27705,7 +27705,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27713,7 +27713,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27721,7 +27721,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27729,7 +27729,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27737,7 +27737,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27745,7 +27745,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27753,7 +27753,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27761,7 +27761,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27769,7 +27769,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27777,7 +27777,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -27785,7 +27785,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -27793,7 +27793,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -27801,7 +27801,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27809,7 +27809,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -27817,7 +27817,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -27825,7 +27825,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Usage Restrictions + capability-id: SC-43 comments: '' mapping-description: '' mapping-type: mitigates @@ -27833,7 +27833,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Usage Restrictions + capability-id: SC-43 comments: '' mapping-description: '' mapping-type: mitigates @@ -27841,7 +27841,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27849,7 +27849,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27857,7 +27857,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27865,7 +27865,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27873,7 +27873,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27881,7 +27881,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27889,7 +27889,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27897,7 +27897,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27905,7 +27905,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27913,7 +27913,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27921,7 +27921,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27929,7 +27929,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27937,7 +27937,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27945,7 +27945,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27953,7 +27953,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27961,7 +27961,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27969,7 +27969,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27977,7 +27977,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27985,7 +27985,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -27993,7 +27993,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28001,7 +28001,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28009,7 +28009,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28017,7 +28017,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28025,7 +28025,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28033,7 +28033,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28041,7 +28041,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28049,7 +28049,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28057,7 +28057,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28065,7 +28065,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28073,7 +28073,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28081,7 +28081,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28089,7 +28089,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28097,7 +28097,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28105,7 +28105,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28113,7 +28113,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28121,7 +28121,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28129,7 +28129,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28137,7 +28137,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28145,7 +28145,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28153,7 +28153,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28161,7 +28161,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28169,7 +28169,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28177,7 +28177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28185,7 +28185,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28193,7 +28193,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28201,7 +28201,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28209,7 +28209,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28217,7 +28217,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28225,7 +28225,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28233,7 +28233,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Resource Availability + capability-id: SC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -28241,7 +28241,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28249,7 +28249,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28257,7 +28257,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28265,7 +28265,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28273,7 +28273,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28281,7 +28281,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28289,7 +28289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28297,7 +28297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28305,7 +28305,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28313,7 +28313,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28321,7 +28321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28329,7 +28329,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28337,7 +28337,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28345,7 +28345,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28353,7 +28353,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28361,7 +28361,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28369,7 +28369,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28377,7 +28377,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28385,7 +28385,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28393,7 +28393,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28401,7 +28401,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28409,7 +28409,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28417,7 +28417,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28425,7 +28425,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28433,7 +28433,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28441,7 +28441,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28449,7 +28449,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28457,7 +28457,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28465,7 +28465,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28473,7 +28473,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28481,7 +28481,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28489,7 +28489,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28497,7 +28497,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28505,7 +28505,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28513,7 +28513,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28521,7 +28521,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28529,7 +28529,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28537,7 +28537,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28545,7 +28545,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28553,7 +28553,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28561,7 +28561,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28569,7 +28569,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28577,7 +28577,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28585,7 +28585,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28593,7 +28593,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28601,7 +28601,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28609,7 +28609,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28617,7 +28617,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28625,7 +28625,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28633,7 +28633,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28641,7 +28641,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28649,7 +28649,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28657,7 +28657,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28665,7 +28665,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28673,7 +28673,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28681,7 +28681,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28689,7 +28689,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28697,7 +28697,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28705,7 +28705,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28713,7 +28713,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28721,7 +28721,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28729,7 +28729,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28737,7 +28737,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28745,7 +28745,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28753,7 +28753,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28761,7 +28761,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28769,7 +28769,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28777,7 +28777,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28785,7 +28785,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28793,7 +28793,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28801,7 +28801,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28809,7 +28809,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28817,7 +28817,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28825,7 +28825,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28833,7 +28833,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28841,7 +28841,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28849,7 +28849,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28857,7 +28857,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28865,7 +28865,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28873,7 +28873,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28881,7 +28881,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28889,7 +28889,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28897,7 +28897,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28905,7 +28905,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28913,7 +28913,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28921,7 +28921,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28929,7 +28929,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28937,7 +28937,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28945,7 +28945,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28953,7 +28953,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28961,7 +28961,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28969,7 +28969,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28977,7 +28977,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -28985,7 +28985,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28993,7 +28993,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29001,7 +29001,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29009,7 +29009,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29017,7 +29017,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29025,7 +29025,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29033,7 +29033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29041,7 +29041,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29049,7 +29049,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29057,7 +29057,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29065,7 +29065,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29073,7 +29073,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29081,7 +29081,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29089,7 +29089,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29097,7 +29097,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29105,7 +29105,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29113,7 +29113,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29121,7 +29121,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29129,7 +29129,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29137,7 +29137,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29145,7 +29145,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29153,7 +29153,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29161,7 +29161,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29169,7 +29169,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29177,7 +29177,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29185,7 +29185,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29193,7 +29193,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29201,7 +29201,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29209,7 +29209,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29217,7 +29217,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29225,7 +29225,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29233,7 +29233,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29241,7 +29241,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29249,7 +29249,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29257,7 +29257,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29265,7 +29265,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29273,7 +29273,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29281,7 +29281,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29289,7 +29289,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29297,7 +29297,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29305,7 +29305,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29313,7 +29313,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29321,7 +29321,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29329,7 +29329,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29337,7 +29337,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29345,7 +29345,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29353,7 +29353,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29361,7 +29361,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29369,7 +29369,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29377,7 +29377,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29385,7 +29385,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29393,7 +29393,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29401,7 +29401,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29409,7 +29409,7 @@ attack-objects: tags: [] - attack-object-id: T1090.004 attack-object-name: Domain Fronting - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29417,7 +29417,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29425,7 +29425,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29433,7 +29433,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29441,7 +29441,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29449,7 +29449,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29457,7 +29457,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29465,7 +29465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29473,7 +29473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29481,7 +29481,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29489,7 +29489,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29497,7 +29497,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -29505,7 +29505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29513,7 +29513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29521,7 +29521,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29529,7 +29529,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29537,7 +29537,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29545,7 +29545,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29553,7 +29553,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29561,7 +29561,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29569,7 +29569,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29577,7 +29577,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29585,7 +29585,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29593,7 +29593,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29601,7 +29601,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29609,7 +29609,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29617,7 +29617,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29625,7 +29625,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29633,7 +29633,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29641,7 +29641,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29649,7 +29649,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29657,7 +29657,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29665,7 +29665,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29673,7 +29673,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29681,7 +29681,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29689,7 +29689,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29697,7 +29697,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29705,7 +29705,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29713,7 +29713,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29721,7 +29721,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29729,7 +29729,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29737,7 +29737,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29745,7 +29745,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29753,7 +29753,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29761,7 +29761,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29769,7 +29769,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29777,7 +29777,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29785,7 +29785,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29793,7 +29793,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29801,7 +29801,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29809,7 +29809,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29817,7 +29817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29825,7 +29825,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29833,7 +29833,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29841,7 +29841,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29849,7 +29849,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29857,7 +29857,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29865,7 +29865,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29873,7 +29873,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29881,7 +29881,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29889,7 +29889,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29897,7 +29897,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29905,7 +29905,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29913,7 +29913,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29921,7 +29921,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29929,7 +29929,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29937,7 +29937,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29945,7 +29945,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29953,7 +29953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29961,7 +29961,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29969,7 +29969,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29977,7 +29977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29985,7 +29985,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -29993,7 +29993,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30001,7 +30001,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30009,7 +30009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30017,7 +30017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30025,7 +30025,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30033,7 +30033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30041,7 +30041,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30049,7 +30049,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30057,7 +30057,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30065,7 +30065,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30073,7 +30073,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30081,7 +30081,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30089,7 +30089,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30097,7 +30097,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30105,7 +30105,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30113,7 +30113,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30121,7 +30121,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30129,7 +30129,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30137,7 +30137,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30145,7 +30145,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30153,7 +30153,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30161,7 +30161,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30169,7 +30169,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30177,7 +30177,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30185,7 +30185,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30193,7 +30193,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30201,7 +30201,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30209,7 +30209,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30217,7 +30217,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30225,7 +30225,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30233,7 +30233,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30241,7 +30241,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30249,7 +30249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30257,7 +30257,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30265,7 +30265,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30273,7 +30273,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30281,7 +30281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30289,7 +30289,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30297,7 +30297,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30305,7 +30305,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30313,7 +30313,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30321,7 +30321,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30329,7 +30329,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30337,7 +30337,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30345,7 +30345,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30353,7 +30353,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30361,7 +30361,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30369,7 +30369,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30377,7 +30377,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30385,7 +30385,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30393,7 +30393,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30401,7 +30401,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30409,7 +30409,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30417,7 +30417,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30425,7 +30425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30433,7 +30433,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30441,7 +30441,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30449,7 +30449,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30457,7 +30457,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30465,7 +30465,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30473,7 +30473,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -30481,7 +30481,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30489,7 +30489,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30497,7 +30497,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30505,7 +30505,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30513,7 +30513,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30521,7 +30521,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30529,7 +30529,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -30537,7 +30537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30545,7 +30545,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30553,7 +30553,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30561,7 +30561,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30569,7 +30569,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30577,7 +30577,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30585,7 +30585,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30593,7 +30593,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30601,7 +30601,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30609,7 +30609,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30617,7 +30617,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30625,7 +30625,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30633,7 +30633,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30641,7 +30641,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30649,7 +30649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30657,7 +30657,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30665,7 +30665,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30673,7 +30673,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30681,7 +30681,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30689,7 +30689,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30697,7 +30697,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30705,7 +30705,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30713,7 +30713,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30721,7 +30721,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30729,7 +30729,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30737,7 +30737,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30745,7 +30745,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30753,7 +30753,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30761,7 +30761,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30769,7 +30769,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30777,7 +30777,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30785,7 +30785,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30793,7 +30793,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30801,7 +30801,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30809,7 +30809,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30817,7 +30817,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30825,7 +30825,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30833,7 +30833,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -30841,7 +30841,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30849,7 +30849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30857,7 +30857,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30865,7 +30865,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30873,7 +30873,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30881,7 +30881,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30889,7 +30889,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30897,7 +30897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30905,7 +30905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30913,7 +30913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30921,7 +30921,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30929,7 +30929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30937,7 +30937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30945,7 +30945,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30953,7 +30953,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30961,7 +30961,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30969,7 +30969,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30977,7 +30977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30985,7 +30985,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -30993,7 +30993,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31001,7 +31001,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31009,7 +31009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31017,7 +31017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31025,7 +31025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31033,7 +31033,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31041,7 +31041,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31049,7 +31049,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31057,7 +31057,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31065,7 +31065,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31073,7 +31073,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31081,7 +31081,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31089,7 +31089,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31097,7 +31097,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31105,7 +31105,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31113,7 +31113,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31121,7 +31121,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31129,7 +31129,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31137,7 +31137,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31145,7 +31145,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31153,7 +31153,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31161,7 +31161,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31169,7 +31169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31177,7 +31177,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31185,7 +31185,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31193,7 +31193,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31201,7 +31201,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31209,7 +31209,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31217,7 +31217,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31225,7 +31225,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31233,7 +31233,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31241,7 +31241,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31249,7 +31249,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31257,7 +31257,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31265,7 +31265,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31273,7 +31273,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31281,7 +31281,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31289,7 +31289,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31297,7 +31297,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31305,7 +31305,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31313,7 +31313,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31321,7 +31321,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31329,7 +31329,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31337,7 +31337,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31345,7 +31345,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31353,7 +31353,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31361,7 +31361,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31369,7 +31369,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31377,7 +31377,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31385,7 +31385,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31393,7 +31393,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31401,7 +31401,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31409,7 +31409,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31417,7 +31417,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31425,7 +31425,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31433,7 +31433,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31441,7 +31441,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31449,7 +31449,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31457,7 +31457,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31465,7 +31465,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31473,7 +31473,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31481,7 +31481,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31489,7 +31489,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31497,7 +31497,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31505,7 +31505,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31513,7 +31513,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31521,7 +31521,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31529,7 +31529,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31537,7 +31537,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31545,7 +31545,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31553,7 +31553,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31561,7 +31561,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31569,7 +31569,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31577,7 +31577,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31585,7 +31585,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31593,7 +31593,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31601,7 +31601,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31609,7 +31609,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31617,7 +31617,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31625,7 +31625,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31633,7 +31633,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31641,7 +31641,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31649,7 +31649,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31657,7 +31657,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31665,7 +31665,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31673,7 +31673,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31681,7 +31681,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31689,7 +31689,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31697,7 +31697,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -31705,7 +31705,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -31713,7 +31713,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -31721,7 +31721,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -31729,7 +31729,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -31737,7 +31737,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31745,7 +31745,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -31753,7 +31753,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -31761,7 +31761,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31769,7 +31769,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31777,7 +31777,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31785,7 +31785,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31793,7 +31793,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31801,7 +31801,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31809,7 +31809,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31817,7 +31817,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31825,7 +31825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31833,7 +31833,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31841,7 +31841,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31849,7 +31849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31857,7 +31857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31865,7 +31865,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31873,7 +31873,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31881,7 +31881,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31889,7 +31889,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31897,7 +31897,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31905,7 +31905,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31913,7 +31913,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31921,7 +31921,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31929,7 +31929,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31937,7 +31937,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31945,7 +31945,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31953,7 +31953,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31961,7 +31961,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31969,7 +31969,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31977,7 +31977,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31985,7 +31985,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -31993,7 +31993,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32001,7 +32001,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32009,7 +32009,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32017,7 +32017,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32025,7 +32025,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32033,7 +32033,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32041,7 +32041,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32049,7 +32049,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32057,7 +32057,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32065,7 +32065,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32073,7 +32073,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32081,7 +32081,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32089,7 +32089,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32097,7 +32097,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32105,7 +32105,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32113,7 +32113,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32121,7 +32121,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32129,7 +32129,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32137,7 +32137,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32145,7 +32145,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32153,7 +32153,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32161,7 +32161,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32169,7 +32169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32177,7 +32177,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32185,7 +32185,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32193,7 +32193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32201,7 +32201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32209,7 +32209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32217,7 +32217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32225,7 +32225,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32233,7 +32233,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32241,7 +32241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32249,7 +32249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32257,7 +32257,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32265,7 +32265,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32273,7 +32273,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32281,7 +32281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32289,7 +32289,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32297,7 +32297,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32305,7 +32305,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32313,7 +32313,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32321,7 +32321,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32329,7 +32329,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32337,7 +32337,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32345,7 +32345,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32353,7 +32353,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32361,7 +32361,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32369,7 +32369,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32377,7 +32377,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32385,7 +32385,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32393,7 +32393,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32401,7 +32401,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32409,7 +32409,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32417,7 +32417,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32425,7 +32425,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32433,7 +32433,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32441,7 +32441,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32449,7 +32449,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32457,7 +32457,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32465,7 +32465,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32473,7 +32473,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32481,7 +32481,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32489,7 +32489,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32497,7 +32497,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32505,7 +32505,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32513,7 +32513,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32521,7 +32521,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32529,7 +32529,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32537,7 +32537,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32545,7 +32545,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32553,7 +32553,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32561,7 +32561,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32569,7 +32569,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32577,7 +32577,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32585,7 +32585,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32593,7 +32593,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32601,7 +32601,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32609,7 +32609,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32617,7 +32617,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32625,7 +32625,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32633,7 +32633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32641,7 +32641,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32649,7 +32649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32657,7 +32657,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32665,7 +32665,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32673,7 +32673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32681,7 +32681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32689,7 +32689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32697,7 +32697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32705,7 +32705,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32713,7 +32713,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32721,7 +32721,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32729,7 +32729,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32737,7 +32737,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32745,7 +32745,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32753,7 +32753,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32761,7 +32761,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32769,7 +32769,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32777,7 +32777,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32785,7 +32785,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32793,7 +32793,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32801,7 +32801,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32809,7 +32809,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32817,7 +32817,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32825,7 +32825,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32833,7 +32833,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32841,7 +32841,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32849,7 +32849,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32857,7 +32857,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32865,7 +32865,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32873,7 +32873,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32881,7 +32881,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32889,7 +32889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32897,7 +32897,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32905,7 +32905,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32913,7 +32913,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32921,7 +32921,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32929,7 +32929,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32937,7 +32937,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32945,7 +32945,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32953,7 +32953,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32961,7 +32961,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32969,7 +32969,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32977,7 +32977,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32985,7 +32985,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32993,7 +32993,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33001,7 +33001,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33009,7 +33009,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33017,7 +33017,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33025,7 +33025,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33033,7 +33033,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33041,7 +33041,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33049,7 +33049,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33057,7 +33057,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33065,7 +33065,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33073,7 +33073,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33081,7 +33081,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33089,7 +33089,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33097,7 +33097,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33105,7 +33105,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33113,7 +33113,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33121,7 +33121,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33129,7 +33129,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33137,7 +33137,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33145,7 +33145,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33153,7 +33153,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33161,7 +33161,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33169,7 +33169,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33177,7 +33177,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33185,7 +33185,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33193,7 +33193,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33201,7 +33201,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33209,7 +33209,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33217,7 +33217,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33225,7 +33225,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33233,7 +33233,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33241,7 +33241,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33249,7 +33249,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33257,7 +33257,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33265,7 +33265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33273,7 +33273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33281,7 +33281,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33289,7 +33289,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33297,7 +33297,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33305,7 +33305,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33313,7 +33313,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33321,7 +33321,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33329,7 +33329,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33337,7 +33337,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33345,7 +33345,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33353,7 +33353,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33361,7 +33361,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33369,7 +33369,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33377,7 +33377,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33385,7 +33385,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33393,7 +33393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33401,7 +33401,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33409,7 +33409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33417,7 +33417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33425,7 +33425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33433,7 +33433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33441,7 +33441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33449,7 +33449,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33457,7 +33457,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33465,7 +33465,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33473,7 +33473,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33481,7 +33481,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33489,7 +33489,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33497,7 +33497,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33505,7 +33505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33513,7 +33513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33521,7 +33521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33529,7 +33529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33537,7 +33537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33545,7 +33545,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33553,7 +33553,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33561,7 +33561,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33569,7 +33569,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33577,7 +33577,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33585,7 +33585,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33593,7 +33593,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33601,7 +33601,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33609,7 +33609,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33617,7 +33617,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33625,7 +33625,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33633,7 +33633,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33641,7 +33641,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33649,7 +33649,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33657,7 +33657,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33665,7 +33665,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33673,7 +33673,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33681,7 +33681,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33689,7 +33689,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33697,7 +33697,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33705,7 +33705,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33713,7 +33713,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33721,7 +33721,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33729,7 +33729,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33737,7 +33737,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33745,7 +33745,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33753,7 +33753,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33761,7 +33761,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33769,7 +33769,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33777,7 +33777,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33785,7 +33785,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33793,7 +33793,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33801,7 +33801,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33809,7 +33809,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33817,7 +33817,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33825,7 +33825,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33833,7 +33833,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33841,7 +33841,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33849,7 +33849,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33857,7 +33857,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33865,7 +33865,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33873,7 +33873,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33881,7 +33881,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33889,7 +33889,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33897,7 +33897,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33905,7 +33905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33913,7 +33913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33921,7 +33921,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33929,7 +33929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33937,7 +33937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33945,7 +33945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33953,7 +33953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33961,7 +33961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33969,7 +33969,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33977,7 +33977,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33985,7 +33985,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33993,7 +33993,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34001,7 +34001,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34009,7 +34009,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34017,7 +34017,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34025,7 +34025,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34033,7 +34033,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34041,7 +34041,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34049,7 +34049,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34057,7 +34057,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34065,7 +34065,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34073,7 +34073,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34081,7 +34081,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34089,7 +34089,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34097,7 +34097,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34105,7 +34105,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34113,7 +34113,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34121,7 +34121,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34129,7 +34129,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34137,7 +34137,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34145,7 +34145,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34153,7 +34153,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34161,7 +34161,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34169,7 +34169,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34177,7 +34177,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34185,7 +34185,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34193,7 +34193,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34201,7 +34201,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34209,7 +34209,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34217,7 +34217,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34225,7 +34225,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34233,7 +34233,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34241,7 +34241,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34249,7 +34249,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34257,7 +34257,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34265,7 +34265,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34273,7 +34273,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34281,7 +34281,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34289,7 +34289,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34297,7 +34297,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34305,7 +34305,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34313,7 +34313,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34321,7 +34321,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34329,7 +34329,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34337,7 +34337,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34345,7 +34345,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34353,7 +34353,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34361,7 +34361,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34369,7 +34369,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34377,7 +34377,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34385,7 +34385,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34393,7 +34393,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34401,7 +34401,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34409,7 +34409,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34417,7 +34417,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34425,7 +34425,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34433,7 +34433,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34441,7 +34441,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34449,7 +34449,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34457,7 +34457,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34465,7 +34465,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34473,7 +34473,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34481,7 +34481,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34489,7 +34489,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34497,7 +34497,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34505,7 +34505,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34513,7 +34513,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34521,7 +34521,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34529,7 +34529,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34537,7 +34537,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34545,7 +34545,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34553,7 +34553,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34561,7 +34561,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34569,7 +34569,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34577,7 +34577,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34585,7 +34585,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34593,7 +34593,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34601,7 +34601,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34609,7 +34609,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34617,7 +34617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34625,7 +34625,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34633,7 +34633,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34641,7 +34641,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34649,7 +34649,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34657,7 +34657,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34665,7 +34665,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34673,7 +34673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34681,7 +34681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34689,7 +34689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34697,7 +34697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34705,7 +34705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34713,7 +34713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34721,7 +34721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34729,7 +34729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34737,7 +34737,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34745,7 +34745,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34753,7 +34753,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34761,7 +34761,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34769,7 +34769,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34777,7 +34777,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34785,7 +34785,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34793,7 +34793,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34801,7 +34801,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34809,7 +34809,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34817,7 +34817,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34825,7 +34825,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34833,7 +34833,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34841,7 +34841,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34849,7 +34849,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34857,7 +34857,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34865,7 +34865,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34873,7 +34873,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34881,7 +34881,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34889,7 +34889,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34897,7 +34897,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34905,7 +34905,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34913,7 +34913,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34921,7 +34921,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34929,7 +34929,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34937,7 +34937,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34945,7 +34945,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34953,7 +34953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34961,7 +34961,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34969,7 +34969,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34977,7 +34977,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34985,7 +34985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34993,7 +34993,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35001,7 +35001,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35009,7 +35009,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35017,7 +35017,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35025,7 +35025,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35033,7 +35033,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35041,7 +35041,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35049,7 +35049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35057,7 +35057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35065,7 +35065,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35073,7 +35073,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35081,7 +35081,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35089,7 +35089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35097,7 +35097,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35105,7 +35105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35113,7 +35113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35121,7 +35121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35129,7 +35129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35137,7 +35137,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35145,7 +35145,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35153,7 +35153,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35161,7 +35161,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35169,7 +35169,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35177,7 +35177,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35185,7 +35185,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35193,7 +35193,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35201,7 +35201,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35209,7 +35209,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35217,7 +35217,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35225,7 +35225,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35233,7 +35233,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35241,7 +35241,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35249,7 +35249,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35257,7 +35257,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35265,7 +35265,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35273,7 +35273,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35281,7 +35281,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35289,7 +35289,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35297,7 +35297,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35305,7 +35305,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35313,7 +35313,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35321,7 +35321,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35329,7 +35329,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35337,7 +35337,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35345,7 +35345,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35353,7 +35353,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35361,7 +35361,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35369,7 +35369,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35377,7 +35377,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35385,7 +35385,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35393,7 +35393,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35401,7 +35401,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35409,7 +35409,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35417,7 +35417,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35425,7 +35425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35433,7 +35433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35441,7 +35441,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35449,7 +35449,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35457,7 +35457,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35465,7 +35465,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35473,7 +35473,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35481,7 +35481,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35489,7 +35489,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35497,7 +35497,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35505,7 +35505,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35513,7 +35513,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35521,7 +35521,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35529,7 +35529,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35537,7 +35537,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35545,7 +35545,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35553,7 +35553,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35561,7 +35561,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35569,7 +35569,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35577,7 +35577,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35585,7 +35585,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35593,7 +35593,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35601,7 +35601,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35609,7 +35609,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35617,7 +35617,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35625,7 +35625,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35633,7 +35633,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35641,7 +35641,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35649,7 +35649,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35657,7 +35657,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35665,7 +35665,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35673,7 +35673,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35681,7 +35681,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35689,7 +35689,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35697,7 +35697,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35705,7 +35705,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35713,7 +35713,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35721,7 +35721,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35729,7 +35729,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35737,7 +35737,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35745,7 +35745,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35753,7 +35753,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35761,7 +35761,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35769,7 +35769,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35777,7 +35777,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35785,7 +35785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35793,7 +35793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35801,7 +35801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35809,7 +35809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35817,7 +35817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35825,7 +35825,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35833,7 +35833,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35841,7 +35841,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35849,7 +35849,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35857,7 +35857,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35865,7 +35865,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35873,7 +35873,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35881,7 +35881,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35889,7 +35889,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35897,7 +35897,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35905,7 +35905,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35913,7 +35913,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35921,7 +35921,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35929,7 +35929,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35937,7 +35937,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35945,7 +35945,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35953,7 +35953,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35961,7 +35961,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35969,7 +35969,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35977,7 +35977,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35985,7 +35985,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35993,7 +35993,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36001,7 +36001,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -36009,7 +36009,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -36017,7 +36017,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -36025,7 +36025,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36033,7 +36033,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36041,7 +36041,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36049,7 +36049,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36057,7 +36057,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36065,7 +36065,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36073,7 +36073,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36081,7 +36081,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36089,7 +36089,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36097,7 +36097,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36105,7 +36105,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36113,7 +36113,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36121,7 +36121,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36129,7 +36129,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36137,7 +36137,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36145,7 +36145,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36153,7 +36153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36161,7 +36161,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36169,7 +36169,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36177,7 +36177,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36185,7 +36185,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36193,7 +36193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36201,7 +36201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36209,7 +36209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36217,7 +36217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36225,7 +36225,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36233,7 +36233,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36241,7 +36241,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36249,7 +36249,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36257,7 +36257,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36265,7 +36265,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36273,7 +36273,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36281,7 +36281,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36289,7 +36289,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36297,7 +36297,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36305,7 +36305,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36313,7 +36313,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36321,7 +36321,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36329,7 +36329,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36337,7 +36337,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36345,7 +36345,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36353,7 +36353,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36361,7 +36361,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36369,7 +36369,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36377,7 +36377,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36385,7 +36385,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36393,7 +36393,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36401,7 +36401,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36409,7 +36409,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36417,7 +36417,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36425,7 +36425,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36433,7 +36433,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36441,7 +36441,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36449,7 +36449,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36457,7 +36457,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36465,7 +36465,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36473,7 +36473,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36481,7 +36481,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36489,7 +36489,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36497,7 +36497,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36505,7 +36505,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36513,7 +36513,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36521,7 +36521,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36529,7 +36529,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36537,7 +36537,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36545,7 +36545,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36553,7 +36553,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36561,7 +36561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36569,7 +36569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36577,7 +36577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36585,7 +36585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36593,7 +36593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36601,7 +36601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36609,7 +36609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36617,7 +36617,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36625,7 +36625,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36633,7 +36633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36641,7 +36641,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36649,7 +36649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36657,7 +36657,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36665,7 +36665,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36673,7 +36673,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36681,7 +36681,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36689,7 +36689,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36697,7 +36697,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36705,7 +36705,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36713,7 +36713,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36721,7 +36721,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36729,7 +36729,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36737,7 +36737,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36745,7 +36745,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36753,7 +36753,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36761,7 +36761,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36769,7 +36769,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36777,7 +36777,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36785,7 +36785,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36793,7 +36793,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36801,7 +36801,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36809,7 +36809,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36817,7 +36817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36825,7 +36825,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36833,7 +36833,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36841,7 +36841,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36849,7 +36849,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36857,7 +36857,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36865,7 +36865,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36873,7 +36873,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36881,7 +36881,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36889,7 +36889,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36897,7 +36897,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36905,7 +36905,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36913,7 +36913,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36921,7 +36921,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36929,7 +36929,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36937,7 +36937,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36945,7 +36945,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36953,7 +36953,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36961,7 +36961,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36969,7 +36969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36977,7 +36977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36985,7 +36985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -36993,7 +36993,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37001,7 +37001,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37009,7 +37009,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37017,7 +37017,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37025,7 +37025,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37033,7 +37033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37041,7 +37041,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37049,7 +37049,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37057,7 +37057,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37065,7 +37065,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37073,7 +37073,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37081,7 +37081,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37089,7 +37089,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37097,7 +37097,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37105,7 +37105,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37113,7 +37113,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37121,7 +37121,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37129,7 +37129,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37137,7 +37137,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37145,7 +37145,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37153,7 +37153,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37161,7 +37161,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37169,7 +37169,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37177,7 +37177,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37185,7 +37185,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37193,7 +37193,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37201,7 +37201,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37209,7 +37209,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37217,7 +37217,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37225,7 +37225,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37233,7 +37233,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37241,7 +37241,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37249,7 +37249,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37257,7 +37257,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37265,7 +37265,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37273,7 +37273,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37281,7 +37281,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37289,7 +37289,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37297,7 +37297,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37305,7 +37305,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37313,7 +37313,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37321,7 +37321,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37329,7 +37329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37337,7 +37337,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37345,7 +37345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37353,7 +37353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37361,7 +37361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37369,7 +37369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37377,7 +37377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37385,7 +37385,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37393,7 +37393,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37401,7 +37401,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37409,7 +37409,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37417,7 +37417,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37425,7 +37425,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37433,7 +37433,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37441,7 +37441,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37449,7 +37449,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37457,7 +37457,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37465,7 +37465,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37473,7 +37473,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37481,7 +37481,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37489,7 +37489,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37497,7 +37497,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37505,7 +37505,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37513,7 +37513,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37521,7 +37521,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37529,7 +37529,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37537,7 +37537,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37545,7 +37545,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37553,7 +37553,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37561,7 +37561,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37569,7 +37569,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37577,7 +37577,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37585,7 +37585,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37593,7 +37593,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37601,7 +37601,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37609,7 +37609,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37617,7 +37617,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -37625,7 +37625,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37633,7 +37633,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37641,7 +37641,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37649,7 +37649,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37657,7 +37657,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37665,7 +37665,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37673,7 +37673,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37681,7 +37681,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37689,7 +37689,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37697,7 +37697,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37705,7 +37705,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -37713,7 +37713,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37721,7 +37721,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37729,7 +37729,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37737,7 +37737,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37745,7 +37745,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37753,7 +37753,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37761,7 +37761,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37769,7 +37769,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37777,7 +37777,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37785,7 +37785,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37793,7 +37793,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37801,7 +37801,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37809,7 +37809,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37817,7 +37817,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37825,7 +37825,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37833,7 +37833,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37841,7 +37841,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37849,7 +37849,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37857,7 +37857,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37865,7 +37865,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37873,7 +37873,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37881,7 +37881,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37889,7 +37889,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37897,7 +37897,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37905,7 +37905,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37913,7 +37913,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37921,7 +37921,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37929,7 +37929,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37937,7 +37937,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37945,7 +37945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -37953,7 +37953,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -37961,7 +37961,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -37969,7 +37969,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -37977,7 +37977,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37985,7 +37985,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -37993,7 +37993,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -38001,7 +38001,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -38009,7 +38009,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -38017,7 +38017,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -38025,7 +38025,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -38033,7 +38033,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates 
diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_attack_objects.csv
new file mode 100644
index 00000000..c5876ad4
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_attack_objects.csv
@@ -0,0 +1,4756 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1137,Office Application Startup,[],[],,AC-10,mitigates,1 +1,,T1137.002,Office Test,[],[],,AC-10,mitigates,1 +2,,T1185,Browser Session Hijacking,[],[],,AC-10,mitigates,1 +3,,T1528,Steal Application Access Token,[],[],,AC-10,mitigates,1 +4,,T1021.001,Remote Desktop Protocol,[],[],,AC-11,mitigates,1 +5,,T1563.002,RDP Hijacking,[],[],,AC-11,mitigates,1 +6,,T1021.001,Remote Desktop Protocol,[],[],,AC-12,mitigates,1 +7,,T1072,Software Deployment Tools,[],[],,AC-12,mitigates,1 +8,,T1185,Browser Session Hijacking,[],[],,AC-12,mitigates,1 +9,,T1563.002,RDP Hijacking,[],[],,AC-12,mitigates,1 +10,,T1137.002,Office Test,[],[],,AC-14,mitigates,1 +11,,T1003,OS Credential Dumping,[],[],,AC-16,mitigates,1 +12,,T1003.003,NTDS,[],[],,AC-16,mitigates,1 +13,,T1005,Data from Local System,[],[],,AC-16,mitigates,1 +14,,T1020.001,Traffic Duplication,[],[],,AC-16,mitigates,1 +15,,T1025,Data from Removable Media,[],[],,AC-16,mitigates,1 +16,,T1040,Network Sniffing,[],[],,AC-16,mitigates,1 +17,,T1041,Exfiltration Over C2 Channel,[],[],,AC-16,mitigates,1 +18,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-16,mitigates,1 +19,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-16,mitigates,1 +20,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-16,mitigates,1 +21,,T1052,Exfiltration Over Physical Medium,[],[],,AC-16,mitigates,1 +22,,T1052.001,Exfiltration over USB,[],[],,AC-16,mitigates,1 +23,,T1070,Indicator Removal on Host,[],[],,AC-16,mitigates,1 +24,,T1070.001,Clear Windows Event Logs,[],[],,AC-16,mitigates,1 +25,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-16,mitigates,1 +26,,T1114,Email Collection,[],[],,AC-16,mitigates,1 +27,,T1114.001,Local Email Collection,[],[],,AC-16,mitigates,1 +28,,T1114.002,Remote Email Collection,[],[],,AC-16,mitigates,1 +29,,T1114.003,Email Forwarding 
Rule,[],[],,AC-16,mitigates,1 +30,,T1119,Automated Collection,[],[],,AC-16,mitigates,1 +31,,T1213,Data from Information Repositories,[],[],,AC-16,mitigates,1 +32,,T1213.001,Confluence,[],[],,AC-16,mitigates,1 +33,,T1213.002,Sharepoint,[],[],,AC-16,mitigates,1 +34,,T1222,File and Directory Permissions Modification,[],[],,AC-16,mitigates,1 +35,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-16,mitigates,1 +36,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-16,mitigates,1 +37,,T1505,Server Software Component,[],[],,AC-16,mitigates,1 +38,,T1505.002,Transport Agent,[],[],,AC-16,mitigates,1 +39,,T1530,Data from Cloud Storage Object,[],[],,AC-16,mitigates,1 +40,,T1537,Transfer Data to Cloud Account,[],[],,AC-16,mitigates,1 +41,,T1547.007,Re-opened Applications,[],[],,AC-16,mitigates,1 +42,,T1547.011,Plist Modification,[],[],,AC-16,mitigates,1 +43,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-16,mitigates,1 +44,,T1548.003,Sudo and Sudo Caching,[],[],,AC-16,mitigates,1 +45,,T1550.001,Application Access Token,[],[],,AC-16,mitigates,1 +46,,T1552,Unsecured Credentials,[],[],,AC-16,mitigates,1 +47,,T1552.004,Private Keys,[],[],,AC-16,mitigates,1 +48,,T1552.005,Cloud Instance Metadata API,[],[],,AC-16,mitigates,1 +49,,T1557,Adversary-in-the-Middle,[],[],,AC-16,mitigates,1 +50,,T1557.002,ARP Cache Poisoning,[],[],,AC-16,mitigates,1 +51,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-16,mitigates,1 +52,,T1558.002,Silver Ticket,[],[],,AC-16,mitigates,1 +53,,T1558.003,Kerberoasting,[],[],,AC-16,mitigates,1 +54,,T1558.004,AS-REP Roasting,[],[],,AC-16,mitigates,1 +55,,T1564.004,NTFS File Attributes,[],[],,AC-16,mitigates,1 +56,,T1565,Data Manipulation,[],[],,AC-16,mitigates,1 +57,,T1565.001,Stored Data Manipulation,[],[],,AC-16,mitigates,1 +58,,T1565.002,Transmitted Data Manipulation,[],[],,AC-16,mitigates,1 +59,,T1567,Exfiltration Over Web Service,[],[],,AC-16,mitigates,1 +60,,T1602,Data from Configuration 
Repository,[],[],,AC-16,mitigates,1 +61,,T1602.001,SNMP (MIB Dump),[],[],,AC-16,mitigates,1 +62,,T1602.002,Network Device Configuration Dump,[],[],,AC-16,mitigates,1 +63,,T1020.001,Traffic Duplication,[],[],,AC-17,mitigates,1 +64,,T1021,Remote Services,[],[],,AC-17,mitigates,1 +65,,T1021.001,Remote Desktop Protocol,[],[],,AC-17,mitigates,1 +66,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-17,mitigates,1 +67,,T1021.003,Distributed Component Object Model,[],[],,AC-17,mitigates,1 +68,,T1021.004,SSH,[],[],,AC-17,mitigates,1 +69,,T1021.005,VNC,[],[],,AC-17,mitigates,1 +70,,T1021.006,Windows Remote Management,[],[],,AC-17,mitigates,1 +71,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-17,mitigates,1 +72,,T1037.001,Logon Script (Windows),[],[],,AC-17,mitigates,1 +73,,T1040,Network Sniffing,[],[],,AC-17,mitigates,1 +74,,T1047,Windows Management Instrumentation,[],[],,AC-17,mitigates,1 +75,,T1059,Command and Scripting Interpreter,[],[],,AC-17,mitigates,1 +76,,T1059.001,PowerShell,[],[],,AC-17,mitigates,1 +77,,T1059.002,AppleScript,[],[],,AC-17,mitigates,1 +78,,T1059.003,Windows Command Shell,[],[],,AC-17,mitigates,1 +79,,T1059.004,Unix Shell,[],[],,AC-17,mitigates,1 +80,,T1059.005,Visual Basic,[],[],,AC-17,mitigates,1 +81,,T1059.006,Python,[],[],,AC-17,mitigates,1 +82,,T1059.007,JavaScript,[],[],,AC-17,mitigates,1 +83,,T1059.008,Network Device CLI,[],[],,AC-17,mitigates,1 +84,,T1070,Indicator Removal on Host,[],[],,AC-17,mitigates,1 +85,,T1070.001,Clear Windows Event Logs,[],[],,AC-17,mitigates,1 +86,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-17,mitigates,1 +87,,T1114,Email Collection,[],[],,AC-17,mitigates,1 +88,,T1114.001,Local Email Collection,[],[],,AC-17,mitigates,1 +89,,T1114.002,Remote Email Collection,[],[],,AC-17,mitigates,1 +90,,T1114.003,Email Forwarding Rule,[],[],,AC-17,mitigates,1 +91,,T1119,Automated Collection,[],[],,AC-17,mitigates,1 +92,,T1133,External Remote Services,[],[],,AC-17,mitigates,1 +93,,T1137,Office Application 
Startup,[],[],,AC-17,mitigates,1 +94,,T1137.002,Office Test,[],[],,AC-17,mitigates,1 +95,,T1213,Data from Information Repositories,[],[],,AC-17,mitigates,1 +96,,T1213.001,Confluence,[],[],,AC-17,mitigates,1 +97,,T1213.002,Sharepoint,[],[],,AC-17,mitigates,1 +98,,T1219,Remote Access Software,[],[],,AC-17,mitigates,1 +99,,T1505.004,IIS Components,[],[],,AC-17,mitigates,1 +100,,T1530,Data from Cloud Storage Object,[],[],,AC-17,mitigates,1 +101,,T1537,Transfer Data to Cloud Account,[],[],,AC-17,mitigates,1 +102,,T1543,Create or Modify System Process,[],[],,AC-17,mitigates,1 +103,,T1547.003,Time Providers,[],[],,AC-17,mitigates,1 +104,,T1547.004,Winlogon Helper DLL,[],[],,AC-17,mitigates,1 +105,,T1547.009,Shortcut Modification,[],[],,AC-17,mitigates,1 +106,,T1547.011,Plist Modification,[],[],,AC-17,mitigates,1 +107,,T1547.012,Print Processors,[],[],,AC-17,mitigates,1 +108,,T1547.013,XDG Autostart Entries,[],[],,AC-17,mitigates,1 +109,,T1550.001,Application Access Token,[],[],,AC-17,mitigates,1 +110,,T1552,Unsecured Credentials,[],[],,AC-17,mitigates,1 +111,,T1552.002,Credentials in Registry,[],[],,AC-17,mitigates,1 +112,,T1552.004,Private Keys,[],[],,AC-17,mitigates,1 +113,,T1552.007,Container API,[],[],,AC-17,mitigates,1 +114,,T1557,Adversary-in-the-Middle,[],[],,AC-17,mitigates,1 +115,,T1557.002,ARP Cache Poisoning,[],[],,AC-17,mitigates,1 +116,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-17,mitigates,1 +117,,T1558.002,Silver Ticket,[],[],,AC-17,mitigates,1 +118,,T1558.003,Kerberoasting,[],[],,AC-17,mitigates,1 +119,,T1558.004,AS-REP Roasting,[],[],,AC-17,mitigates,1 +120,,T1563,Remote Service Session Hijacking,[],[],,AC-17,mitigates,1 +121,,T1563.001,SSH Hijacking,[],[],,AC-17,mitigates,1 +122,,T1563.002,RDP Hijacking,[],[],,AC-17,mitigates,1 +123,,T1565,Data Manipulation,[],[],,AC-17,mitigates,1 +124,,T1565.001,Stored Data Manipulation,[],[],,AC-17,mitigates,1 +125,,T1565.002,Transmitted Data Manipulation,[],[],,AC-17,mitigates,1 +126,,T1602,Data from 
Configuration Repository,[],[],,AC-17,mitigates,1 +127,,T1602.001,SNMP (MIB Dump),[],[],,AC-17,mitigates,1 +128,,T1602.002,Network Device Configuration Dump,[],[],,AC-17,mitigates,1 +129,,T1609,Container Administration Command,[],[],,AC-17,mitigates,1 +130,,T1610,Deploy Container,[],[],,AC-17,mitigates,1 +131,,T1612,Build Image on Host,[],[],,AC-17,mitigates,1 +132,,T1613,Container and Resource Discovery,[],[],,AC-17,mitigates,1 +133,,T1619,Cloud Storage Object Discovery,[],[],,AC-17,mitigates,1 +134,,T1011,Exfiltration Over Other Network Medium,[],[],,AC-18,mitigates,1 +135,,T1011.001,Exfiltration Over Bluetooth,[],[],,AC-18,mitigates,1 +136,,T1020.001,Traffic Duplication,[],[],,AC-18,mitigates,1 +137,,T1040,Network Sniffing,[],[],,AC-18,mitigates,1 +138,,T1070,Indicator Removal on Host,[],[],,AC-18,mitigates,1 +139,,T1070.001,Clear Windows Event Logs,[],[],,AC-18,mitigates,1 +140,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-18,mitigates,1 +141,,T1119,Automated Collection,[],[],,AC-18,mitigates,1 +142,,T1530,Data from Cloud Storage Object,[],[],,AC-18,mitigates,1 +143,,T1552,Unsecured Credentials,[],[],,AC-18,mitigates,1 +144,,T1552.004,Private Keys,[],[],,AC-18,mitigates,1 +145,,T1557,Adversary-in-the-Middle,[],[],,AC-18,mitigates,1 +146,,T1557.002,ARP Cache Poisoning,[],[],,AC-18,mitigates,1 +147,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-18,mitigates,1 +148,,T1558.002,Silver Ticket,[],[],,AC-18,mitigates,1 +149,,T1558.003,Kerberoasting,[],[],,AC-18,mitigates,1 +150,,T1558.004,AS-REP Roasting,[],[],,AC-18,mitigates,1 +151,,T1565,Data Manipulation,[],[],,AC-18,mitigates,1 +152,,T1565.001,Stored Data Manipulation,[],[],,AC-18,mitigates,1 +153,,T1565.002,Transmitted Data Manipulation,[],[],,AC-18,mitigates,1 +154,,T1602,Data from Configuration Repository,[],[],,AC-18,mitigates,1 +155,,T1602.001,SNMP (MIB Dump),[],[],,AC-18,mitigates,1 +156,,T1602.002,Network Device Configuration Dump,[],[],,AC-18,mitigates,1 +157,,T1020.001,Traffic 
Duplication,[],[],,AC-19,mitigates,1 +158,,T1040,Network Sniffing,[],[],,AC-19,mitigates,1 +159,,T1070,Indicator Removal on Host,[],[],,AC-19,mitigates,1 +160,,T1070.001,Clear Windows Event Logs,[],[],,AC-19,mitigates,1 +161,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-19,mitigates,1 +162,,T1114,Email Collection,[],[],,AC-19,mitigates,1 +163,,T1114.001,Local Email Collection,[],[],,AC-19,mitigates,1 +164,,T1114.002,Remote Email Collection,[],[],,AC-19,mitigates,1 +165,,T1114.003,Email Forwarding Rule,[],[],,AC-19,mitigates,1 +166,,T1119,Automated Collection,[],[],,AC-19,mitigates,1 +167,,T1530,Data from Cloud Storage Object,[],[],,AC-19,mitigates,1 +168,,T1550.001,Application Access Token,[],[],,AC-19,mitigates,1 +169,,T1552,Unsecured Credentials,[],[],,AC-19,mitigates,1 +170,,T1552.004,Private Keys,[],[],,AC-19,mitigates,1 +171,,T1557,Adversary-in-the-Middle,[],[],,AC-19,mitigates,1 +172,,T1557.002,ARP Cache Poisoning,[],[],,AC-19,mitigates,1 +173,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-19,mitigates,1 +174,,T1558.002,Silver Ticket,[],[],,AC-19,mitigates,1 +175,,T1558.003,Kerberoasting,[],[],,AC-19,mitigates,1 +176,,T1558.004,AS-REP Roasting,[],[],,AC-19,mitigates,1 +177,,T1565,Data Manipulation,[],[],,AC-19,mitigates,1 +178,,T1565.001,Stored Data Manipulation,[],[],,AC-19,mitigates,1 +179,,T1565.002,Transmitted Data Manipulation,[],[],,AC-19,mitigates,1 +180,,T1602,Data from Configuration Repository,[],[],,AC-19,mitigates,1 +181,,T1602.001,SNMP (MIB Dump),[],[],,AC-19,mitigates,1 +182,,T1602.002,Network Device Configuration Dump,[],[],,AC-19,mitigates,1 +183,,T1003,OS Credential Dumping,[],[],,AC-2,mitigates,1 +184,,T1003.001,LSASS Memory,[],[],,AC-2,mitigates,1 +185,,T1003.002,Security Account Manager,[],[],,AC-2,mitigates,1 +186,,T1003.003,NTDS,[],[],,AC-2,mitigates,1 +187,,T1003.004,LSA Secrets,[],[],,AC-2,mitigates,1 +188,,T1003.005,Cached Domain Credentials,[],[],,AC-2,mitigates,1 +189,,T1003.006,DCSync,[],[],,AC-2,mitigates,1 
+190,,T1003.007,Proc Filesystem,[],[],,AC-2,mitigates,1 +191,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-2,mitigates,1 +192,,T1005,Data from Local System,[],[],,AC-2,mitigates,1 +193,,T1021,Remote Services,[],[],,AC-2,mitigates,1 +194,,T1021.001,Remote Desktop Protocol,[],[],,AC-2,mitigates,1 +195,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-2,mitigates,1 +196,,T1021.003,Distributed Component Object Model,[],[],,AC-2,mitigates,1 +197,,T1021.004,SSH,[],[],,AC-2,mitigates,1 +198,,T1021.005,VNC,[],[],,AC-2,mitigates,1 +199,,T1021.006,Windows Remote Management,[],[],,AC-2,mitigates,1 +200,,T1025,Data from Removable Media,[],[],,AC-2,mitigates,1 +201,,T1036,Masquerading,[],[],,AC-2,mitigates,1 +202,,T1036.003,Rename System Utilities,[],[],,AC-2,mitigates,1 +203,,T1036.005,Match Legitimate Name or Location,[],[],,AC-2,mitigates,1 +204,,T1041,Exfiltration Over C2 Channel,[],[],,AC-2,mitigates,1 +205,,T1047,Windows Management Instrumentation,[],[],,AC-2,mitigates,1 +206,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-2,mitigates,1 +207,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-2,mitigates,1 +208,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-2,mitigates,1 +209,,T1052,Exfiltration Over Physical Medium,[],[],,AC-2,mitigates,1 +210,,T1052.001,Exfiltration over USB,[],[],,AC-2,mitigates,1 +211,,T1053,Scheduled Task/Job,[],[],,AC-2,mitigates,1 +212,,T1053.001,At (Linux),[],[],,AC-2,mitigates,1 +213,,T1053.002,At (Windows),[],[],,AC-2,mitigates,1 +214,,T1053.003,Cron,[],[],,AC-2,mitigates,1 +215,,T1053.005,Scheduled Task,[],[],,AC-2,mitigates,1 +216,,T1053.006,Systemd Timers,[],[],,AC-2,mitigates,1 +217,,T1053.007,Container Orchestration Job,[],[],,AC-2,mitigates,1 +218,,T1055,Process Injection,[],[],,AC-2,mitigates,1 +219,,T1055.008,Ptrace System Calls,[],[],,AC-2,mitigates,1 +220,,T1056.003,Web Portal Capture,[],[],,AC-2,mitigates,1 +221,,T1059,Command and Scripting 
Interpreter,[],[],,AC-2,mitigates,1 +222,,T1059.001,PowerShell,[],[],,AC-2,mitigates,1 +223,,T1059.002,AppleScript,[],[],,AC-2,mitigates,1 +224,,T1059.003,Windows Command Shell,[],[],,AC-2,mitigates,1 +225,,T1059.004,Unix Shell,[],[],,AC-2,mitigates,1 +226,,T1059.005,Visual Basic,[],[],,AC-2,mitigates,1 +227,,T1059.006,Python,[],[],,AC-2,mitigates,1 +228,,T1059.007,JavaScript,[],[],,AC-2,mitigates,1 +229,,T1059.008,Network Device CLI,[],[],,AC-2,mitigates,1 +230,,T1068,Exploitation for Privilege Escalation,[],[],,AC-2,mitigates,1 +231,,T1070,Indicator Removal on Host,[],[],,AC-2,mitigates,1 +232,,T1070.001,Clear Windows Event Logs,[],[],,AC-2,mitigates,1 +233,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-2,mitigates,1 +234,,T1070.003,Clear Command History,[],[],,AC-2,mitigates,1 +235,,T1072,Software Deployment Tools,[],[],,AC-2,mitigates,1 +236,,T1078,Valid Accounts,[],[],,AC-2,mitigates,1 +237,,T1078.001,Default Accounts,[],[],,AC-2,mitigates,1 +238,,T1078.002,Domain Accounts,[],[],,AC-2,mitigates,1 +239,,T1078.003,Local Accounts,[],[],,AC-2,mitigates,1 +240,,T1078.004,Cloud Accounts,[],[],,AC-2,mitigates,1 +241,,T1087.004,Cloud Account,[],[],,AC-2,mitigates,1 +242,,T1098,Account Manipulation,[],[],,AC-2,mitigates,1 +243,,T1098.001,Additional Cloud Credentials,[],[],,AC-2,mitigates,1 +244,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-2,mitigates,1 +245,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-2,mitigates,1 +246,,T1110,Brute Force,[],[],,AC-2,mitigates,1 +247,,T1110.001,Password Guessing,[],[],,AC-2,mitigates,1 +248,,T1110.002,Password Cracking,[],[],,AC-2,mitigates,1 +249,,T1110.003,Password Spraying,[],[],,AC-2,mitigates,1 +250,,T1110.004,Credential Stuffing,[],[],,AC-2,mitigates,1 +251,,T1134,Access Token Manipulation,[],[],,AC-2,mitigates,1 +252,,T1134.001,Token Impersonation/Theft,[],[],,AC-2,mitigates,1 +253,,T1134.002,Create Process with Token,[],[],,AC-2,mitigates,1 +254,,T1134.003,Make and Impersonate 
Token,[],[],,AC-2,mitigates,1 +255,,T1136,Create Account,[],[],,AC-2,mitigates,1 +256,,T1136.001,Local Account,[],[],,AC-2,mitigates,1 +257,,T1136.002,Domain Account,[],[],,AC-2,mitigates,1 +258,,T1136.003,Cloud Account,[],[],,AC-2,mitigates,1 +259,,T1185,Browser Session Hijacking,[],[],,AC-2,mitigates,1 +260,,T1190,Exploit Public-Facing Application,[],[],,AC-2,mitigates,1 +261,,T1197,BITS Jobs,[],[],,AC-2,mitigates,1 +262,,T1210,Exploitation of Remote Services,[],[],,AC-2,mitigates,1 +263,,T1212,Exploitation for Credential Access,[],[],,AC-2,mitigates,1 +264,,T1213,Data from Information Repositories,[],[],,AC-2,mitigates,1 +265,,T1213.001,Confluence,[],[],,AC-2,mitigates,1 +266,,T1213.002,Sharepoint,[],[],,AC-2,mitigates,1 +267,,T1213.003,Code Repositories,[],[],,AC-2,mitigates,1 +268,,T1218,Signed Binary Proxy Execution,[],[],,AC-2,mitigates,1 +269,,T1218.007,Msiexec,[],[],,AC-2,mitigates,1 +270,,T1222,File and Directory Permissions Modification,[],[],,AC-2,mitigates,1 +271,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-2,mitigates,1 +272,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-2,mitigates,1 +273,,T1484,Domain Policy Modification,[],[],,AC-2,mitigates,1 +274,,T1489,Service Stop,[],[],,AC-2,mitigates,1 +275,,T1495,Firmware Corruption,[],[],,AC-2,mitigates,1 +276,,T1505,Server Software Component,[],[],,AC-2,mitigates,1 +277,,T1505.002,Transport Agent,[],[],,AC-2,mitigates,1 +278,,T1505.003,Web Shell,[],[],,AC-2,mitigates,1 +279,,T1525,Implant Internal Image,[],[],,AC-2,mitigates,1 +280,,T1528,Steal Application Access Token,[],[],,AC-2,mitigates,1 +281,,T1530,Data from Cloud Storage Object,[],[],,AC-2,mitigates,1 +282,,T1537,Transfer Data to Cloud Account,[],[],,AC-2,mitigates,1 +283,,T1538,Cloud Service Dashboard,[],[],,AC-2,mitigates,1 +284,,T1542,Pre-OS Boot,[],[],,AC-2,mitigates,1 +285,,T1542.001,System Firmware,[],[],,AC-2,mitigates,1 +286,,T1542.003,Bootkit,[],[],,AC-2,mitigates,1 
+287,,T1542.005,TFTP Boot,[],[],,AC-2,mitigates,1 +288,,T1543,Create or Modify System Process,[],[],,AC-2,mitigates,1 +289,,T1543.001,Launch Agent,[],[],,AC-2,mitigates,1 +290,,T1543.002,Systemd Service,[],[],,AC-2,mitigates,1 +291,,T1543.003,Windows Service,[],[],,AC-2,mitigates,1 +292,,T1543.004,Launch Daemon,[],[],,AC-2,mitigates,1 +293,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-2,mitigates,1 +294,,T1547.004,Winlogon Helper DLL,[],[],,AC-2,mitigates,1 +295,,T1547.006,Kernel Modules and Extensions,[],[],,AC-2,mitigates,1 +296,,T1547.009,Shortcut Modification,[],[],,AC-2,mitigates,1 +297,,T1547.012,Print Processors,[],[],,AC-2,mitigates,1 +298,,T1547.013,XDG Autostart Entries,[],[],,AC-2,mitigates,1 +299,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-2,mitigates,1 +300,,T1548.002,Bypass User Account Control,[],[],,AC-2,mitigates,1 +301,,T1548.003,Sudo and Sudo Caching,[],[],,AC-2,mitigates,1 +302,,T1550,Use Alternate Authentication Material,[],[],,AC-2,mitigates,1 +303,,T1550.002,Pass the Hash,[],[],,AC-2,mitigates,1 +304,,T1550.003,Pass the Ticket,[],[],,AC-2,mitigates,1 +305,,T1552,Unsecured Credentials,[],[],,AC-2,mitigates,1 +306,,T1552.001,Credentials In Files,[],[],,AC-2,mitigates,1 +307,,T1552.002,Credentials in Registry,[],[],,AC-2,mitigates,1 +308,,T1552.004,Private Keys,[],[],,AC-2,mitigates,1 +309,,T1552.006,Group Policy Preferences,[],[],,AC-2,mitigates,1 +310,,T1552.007,Container API,[],[],,AC-2,mitigates,1 +311,,T1556,Modify Authentication Process,[],[],,AC-2,mitigates,1 +312,,T1556.001,Domain Controller Authentication,[],[],,AC-2,mitigates,1 +313,,T1556.003,Pluggable Authentication Modules,[],[],,AC-2,mitigates,1 +314,,T1556.004,Network Device Authentication,[],[],,AC-2,mitigates,1 +315,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-2,mitigates,1 +316,,T1558.001,Golden Ticket,[],[],,AC-2,mitigates,1 +317,,T1558.002,Silver Ticket,[],[],,AC-2,mitigates,1 +318,,T1558.003,Kerberoasting,[],[],,AC-2,mitigates,1 
+319,,T1558.004,AS-REP Roasting,[],[],,AC-2,mitigates,1 +320,,T1559,Inter-Process Communication,[],[],,AC-2,mitigates,1 +321,,T1559.001,Component Object Model,[],[],,AC-2,mitigates,1 +322,,T1562,Impair Defenses,[],[],,AC-2,mitigates,1 +323,,T1562.001,Disable or Modify Tools,[],[],,AC-2,mitigates,1 +324,,T1562.002,Disable Windows Event Logging,[],[],,AC-2,mitigates,1 +325,,T1562.004,Disable or Modify System Firewall,[],[],,AC-2,mitigates,1 +326,,T1562.006,Indicator Blocking,[],[],,AC-2,mitigates,1 +327,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-2,mitigates,1 +328,,T1562.008,Disable Cloud Logs,[],[],,AC-2,mitigates,1 +329,,T1562.009,Safe Mode Boot,[],[],,AC-2,mitigates,1 +330,,T1563,Remote Service Session Hijacking,[],[],,AC-2,mitigates,1 +331,,T1563.001,SSH Hijacking,[],[],,AC-2,mitigates,1 +332,,T1563.002,RDP Hijacking,[],[],,AC-2,mitigates,1 +333,,T1567,Exfiltration Over Web Service,[],[],,AC-2,mitigates,1 +334,,T1569,System Services,[],[],,AC-2,mitigates,1 +335,,T1569.001,Launchctl,[],[],,AC-2,mitigates,1 +336,,T1569.002,Service Execution,[],[],,AC-2,mitigates,1 +337,,T1574,Hijack Execution Flow,[],[],,AC-2,mitigates,1 +338,,T1574.004,Dylib Hijacking,[],[],,AC-2,mitigates,1 +339,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-2,mitigates,1 +340,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-2,mitigates,1 +341,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-2,mitigates,1 +342,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-2,mitigates,1 +343,,T1574.010,Services File Permissions Weakness,[],[],,AC-2,mitigates,1 +344,,T1574.012,COR_PROFILER,[],[],,AC-2,mitigates,1 +345,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-2,mitigates,1 +346,,T1578.001,Create Snapshot,[],[],,AC-2,mitigates,1 +347,,T1578.002,Create Cloud Instance,[],[],,AC-2,mitigates,1 +348,,T1578.003,Delete Cloud Instance,[],[],,AC-2,mitigates,1 +349,,T1580,Cloud Infrastructure Discovery,[],[],,AC-2,mitigates,1 
+350,,T1599,Network Boundary Bridging,[],[],,AC-2,mitigates,1 +351,,T1599.001,Network Address Translation Traversal,[],[],,AC-2,mitigates,1 +352,,T1601,Modify System Image,[],[],,AC-2,mitigates,1 +353,,T1601.001,Patch System Image,[],[],,AC-2,mitigates,1 +354,,T1601.002,Downgrade System Image,[],[],,AC-2,mitigates,1 +355,,T1606,Forge Web Credentials,[],[],,AC-2,mitigates,1 +356,,T1606.001,Web Cookies,[],[],,AC-2,mitigates,1 +357,,T1606.002,SAML Tokens,[],[],,AC-2,mitigates,1 +358,,T1609,Container Administration Command,[],[],,AC-2,mitigates,1 +359,,T1610,Deploy Container,[],[],,AC-2,mitigates,1 +360,,T1611,Escape to Host,[],[],,AC-2,mitigates,1 +361,,T1612,Build Image on Host,[],[],,AC-2,mitigates,1 +362,,T1613,Container and Resource Discovery,[],[],,AC-2,mitigates,1 +363,,T1619,Cloud Storage Object Discovery,[],[],,AC-2,mitigates,1 +364,,T1020.001,Traffic Duplication,[],[],,AC-20,mitigates,1 +365,,T1021,Remote Services,[],[],,AC-20,mitigates,1 +366,,T1021.001,Remote Desktop Protocol,[],[],,AC-20,mitigates,1 +367,,T1021.004,SSH,[],[],,AC-20,mitigates,1 +368,,T1041,Exfiltration Over C2 Channel,[],[],,AC-20,mitigates,1 +369,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-20,mitigates,1 +370,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-20,mitigates,1 +371,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-20,mitigates,1 +372,,T1052,Exfiltration Over Physical Medium,[],[],,AC-20,mitigates,1 +373,,T1052.001,Exfiltration over USB,[],[],,AC-20,mitigates,1 +374,,T1072,Software Deployment Tools,[],[],,AC-20,mitigates,1 +375,,T1078.002,Domain Accounts,[],[],,AC-20,mitigates,1 +376,,T1078.004,Cloud Accounts,[],[],,AC-20,mitigates,1 +377,,T1098.001,Additional Cloud Credentials,[],[],,AC-20,mitigates,1 +378,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-20,mitigates,1 +379,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-20,mitigates,1 +380,,T1110,Brute Force,[],[],,AC-20,mitigates,1 
+381,,T1110.001,Password Guessing,[],[],,AC-20,mitigates,1 +382,,T1110.002,Password Cracking,[],[],,AC-20,mitigates,1 +383,,T1110.003,Password Spraying,[],[],,AC-20,mitigates,1 +384,,T1110.004,Credential Stuffing,[],[],,AC-20,mitigates,1 +385,,T1114,Email Collection,[],[],,AC-20,mitigates,1 +386,,T1114.001,Local Email Collection,[],[],,AC-20,mitigates,1 +387,,T1114.002,Remote Email Collection,[],[],,AC-20,mitigates,1 +388,,T1114.003,Email Forwarding Rule,[],[],,AC-20,mitigates,1 +389,,T1119,Automated Collection,[],[],,AC-20,mitigates,1 +390,,T1133,External Remote Services,[],[],,AC-20,mitigates,1 +391,,T1134.005,SID-History Injection,[],[],,AC-20,mitigates,1 +392,,T1136,Create Account,[],[],,AC-20,mitigates,1 +393,,T1136.001,Local Account,[],[],,AC-20,mitigates,1 +394,,T1136.002,Domain Account,[],[],,AC-20,mitigates,1 +395,,T1136.003,Cloud Account,[],[],,AC-20,mitigates,1 +396,,T1200,Hardware Additions,[],[],,AC-20,mitigates,1 +397,,T1530,Data from Cloud Storage Object,[],[],,AC-20,mitigates,1 +398,,T1537,Transfer Data to Cloud Account,[],[],,AC-20,mitigates,1 +399,,T1539,Steal Web Session Cookie,[],[],,AC-20,mitigates,1 +400,,T1550.001,Application Access Token,[],[],,AC-20,mitigates,1 +401,,T1552,Unsecured Credentials,[],[],,AC-20,mitigates,1 +402,,T1552.004,Private Keys,[],[],,AC-20,mitigates,1 +403,,T1552.005,Cloud Instance Metadata API,[],[],,AC-20,mitigates,1 +404,,T1556,Modify Authentication Process,[],[],,AC-20,mitigates,1 +405,,T1556.001,Domain Controller Authentication,[],[],,AC-20,mitigates,1 +406,,T1556.003,Pluggable Authentication Modules,[],[],,AC-20,mitigates,1 +407,,T1556.004,Network Device Authentication,[],[],,AC-20,mitigates,1 +408,,T1557,Adversary-in-the-Middle,[],[],,AC-20,mitigates,1 +409,,T1557.002,ARP Cache Poisoning,[],[],,AC-20,mitigates,1 +410,,T1565,Data Manipulation,[],[],,AC-20,mitigates,1 +411,,T1565.001,Stored Data Manipulation,[],[],,AC-20,mitigates,1 +412,,T1565.002,Transmitted Data Manipulation,[],[],,AC-20,mitigates,1 
+413,,T1567,Exfiltration Over Web Service,[],[],,AC-20,mitigates,1 +414,,T1567.001,Exfiltration to Code Repository,[],[],,AC-20,mitigates,1 +415,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-20,mitigates,1 +416,,T1602,Data from Configuration Repository,[],[],,AC-20,mitigates,1 +417,,T1602.001,SNMP (MIB Dump),[],[],,AC-20,mitigates,1 +418,,T1602.002,Network Device Configuration Dump,[],[],,AC-20,mitigates,1 +419,,T1213,Data from Information Repositories,[],[],,AC-21,mitigates,1 +420,,T1213.001,Confluence,[],[],,AC-21,mitigates,1 +421,,T1213.002,Sharepoint,[],[],,AC-21,mitigates,1 +422,,T1005,Data from Local System,[],[],,AC-23,mitigates,1 +423,,T1025,Data from Removable Media,[],[],,AC-23,mitigates,1 +424,,T1041,Exfiltration Over C2 Channel,[],[],,AC-23,mitigates,1 +425,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-23,mitigates,1 +426,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-23,mitigates,1 +427,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-23,mitigates,1 +428,,T1052,Exfiltration Over Physical Medium,[],[],,AC-23,mitigates,1 +429,,T1052.001,Exfiltration over USB,[],[],,AC-23,mitigates,1 +430,,T1133,External Remote Services,[],[],,AC-23,mitigates,1 +431,,T1213,Data from Information Repositories,[],[],,AC-23,mitigates,1 +432,,T1213.001,Confluence,[],[],,AC-23,mitigates,1 +433,,T1213.002,Sharepoint,[],[],,AC-23,mitigates,1 +434,,T1552.007,Container API,[],[],,AC-23,mitigates,1 +435,,T1567,Exfiltration Over Web Service,[],[],,AC-23,mitigates,1 +436,,T1003,OS Credential Dumping,[],[],,AC-3,mitigates,1 +437,,T1003.001,LSASS Memory,[],[],,AC-3,mitigates,1 +438,,T1003.002,Security Account Manager,[],[],,AC-3,mitigates,1 +439,,T1003.003,NTDS,[],[],,AC-3,mitigates,1 +440,,T1003.004,LSA Secrets,[],[],,AC-3,mitigates,1 +441,,T1003.005,Cached Domain Credentials,[],[],,AC-3,mitigates,1 +442,,T1003.006,DCSync,[],[],,AC-3,mitigates,1 +443,,T1003.007,Proc Filesystem,[],[],,AC-3,mitigates,1 
+444,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-3,mitigates,1 +445,,T1005,Data from Local System,[],[],,AC-3,mitigates,1 +446,,T1021,Remote Services,[],[],,AC-3,mitigates,1 +447,,T1021.001,Remote Desktop Protocol,[],[],,AC-3,mitigates,1 +448,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-3,mitigates,1 +449,,T1021.003,Distributed Component Object Model,[],[],,AC-3,mitigates,1 +450,,T1021.004,SSH,[],[],,AC-3,mitigates,1 +451,,T1021.005,VNC,[],[],,AC-3,mitigates,1 +452,,T1021.006,Windows Remote Management,[],[],,AC-3,mitigates,1 +453,,T1025,Data from Removable Media,[],[],,AC-3,mitigates,1 +454,,T1036,Masquerading,[],[],,AC-3,mitigates,1 +455,,T1036.003,Rename System Utilities,[],[],,AC-3,mitigates,1 +456,,T1036.005,Match Legitimate Name or Location,[],[],,AC-3,mitigates,1 +457,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-3,mitigates,1 +458,,T1037.002,Logon Script (Mac),[],[],,AC-3,mitigates,1 +459,,T1037.003,Network Logon Script,[],[],,AC-3,mitigates,1 +460,,T1037.004,RC Scripts,[],[],,AC-3,mitigates,1 +461,,T1037.005,Startup Items,[],[],,AC-3,mitigates,1 +462,,T1041,Exfiltration Over C2 Channel,[],[],,AC-3,mitigates,1 +463,,T1047,Windows Management Instrumentation,[],[],,AC-3,mitigates,1 +464,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-3,mitigates,1 +465,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,1 +466,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,1 +467,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-3,mitigates,1 +468,,T1052,Exfiltration Over Physical Medium,[],[],,AC-3,mitigates,1 +469,,T1052.001,Exfiltration over USB,[],[],,AC-3,mitigates,1 +470,,T1053,Scheduled Task/Job,[],[],,AC-3,mitigates,1 +471,,T1053.001,At (Linux),[],[],,AC-3,mitigates,1 +472,,T1053.002,At (Windows),[],[],,AC-3,mitigates,1 +473,,T1053.003,Cron,[],[],,AC-3,mitigates,1 +474,,T1053.005,Scheduled Task,[],[],,AC-3,mitigates,1 +475,,T1053.006,Systemd 
Timers,[],[],,AC-3,mitigates,1 +476,,T1053.007,Container Orchestration Job,[],[],,AC-3,mitigates,1 +477,,T1055,Process Injection,[],[],,AC-3,mitigates,1 +478,,T1055.008,Ptrace System Calls,[],[],,AC-3,mitigates,1 +479,,T1055.009,Proc Memory,[],[],,AC-3,mitigates,1 +480,,T1056.003,Web Portal Capture,[],[],,AC-3,mitigates,1 +481,,T1059,Command and Scripting Interpreter,[],[],,AC-3,mitigates,1 +482,,T1059.001,PowerShell,[],[],,AC-3,mitigates,1 +483,,T1059.002,AppleScript,[],[],,AC-3,mitigates,1 +484,,T1059.003,Windows Command Shell,[],[],,AC-3,mitigates,1 +485,,T1059.004,Unix Shell,[],[],,AC-3,mitigates,1 +486,,T1059.005,Visual Basic,[],[],,AC-3,mitigates,1 +487,,T1059.006,Python,[],[],,AC-3,mitigates,1 +488,,T1059.007,JavaScript,[],[],,AC-3,mitigates,1 +489,,T1059.008,Network Device CLI,[],[],,AC-3,mitigates,1 +490,,T1070,Indicator Removal on Host,[],[],,AC-3,mitigates,1 +491,,T1070.001,Clear Windows Event Logs,[],[],,AC-3,mitigates,1 +492,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-3,mitigates,1 +493,,T1070.003,Clear Command History,[],[],,AC-3,mitigates,1 +494,,T1071.004,DNS,[],[],,AC-3,mitigates,1 +495,,T1072,Software Deployment Tools,[],[],,AC-3,mitigates,1 +496,,T1078,Valid Accounts,[],[],,AC-3,mitigates,1 +497,,T1078.002,Domain Accounts,[],[],,AC-3,mitigates,1 +498,,T1078.003,Local Accounts,[],[],,AC-3,mitigates,1 +499,,T1078.004,Cloud Accounts,[],[],,AC-3,mitigates,1 +500,,T1080,Taint Shared Content,[],[],,AC-3,mitigates,1 +501,,T1087.004,Cloud Account,[],[],,AC-3,mitigates,1 +502,,T1090,Proxy,[],[],,AC-3,mitigates,1 +503,,T1090.003,Multi-hop Proxy,[],[],,AC-3,mitigates,1 +504,,T1091,Replication Through Removable Media,[],[],,AC-3,mitigates,1 +505,,T1095,Non-Application Layer Protocol,[],[],,AC-3,mitigates,1 +506,,T1098,Account Manipulation,[],[],,AC-3,mitigates,1 +507,,T1098.001,Additional Cloud Credentials,[],[],,AC-3,mitigates,1 +508,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-3,mitigates,1 +509,,T1098.003,Add Office 365 Global 
Administrator Role,[],[],,AC-3,mitigates,1 +510,,T1098.004,SSH Authorized Keys,[],[],,AC-3,mitigates,1 +511,,T1110,Brute Force,[],[],,AC-3,mitigates,1 +512,,T1110.001,Password Guessing,[],[],,AC-3,mitigates,1 +513,,T1110.002,Password Cracking,[],[],,AC-3,mitigates,1 +514,,T1110.003,Password Spraying,[],[],,AC-3,mitigates,1 +515,,T1110.004,Credential Stuffing,[],[],,AC-3,mitigates,1 +516,,T1114,Email Collection,[],[],,AC-3,mitigates,1 +517,,T1114.002,Remote Email Collection,[],[],,AC-3,mitigates,1 +518,,T1133,External Remote Services,[],[],,AC-3,mitigates,1 +519,,T1134,Access Token Manipulation,[],[],,AC-3,mitigates,1 +520,,T1134.001,Token Impersonation/Theft,[],[],,AC-3,mitigates,1 +521,,T1134.002,Create Process with Token,[],[],,AC-3,mitigates,1 +522,,T1134.003,Make and Impersonate Token,[],[],,AC-3,mitigates,1 +523,,T1134.005,SID-History Injection,[],[],,AC-3,mitigates,1 +524,,T1136,Create Account,[],[],,AC-3,mitigates,1 +525,,T1136.001,Local Account,[],[],,AC-3,mitigates,1 +526,,T1136.002,Domain Account,[],[],,AC-3,mitigates,1 +527,,T1136.003,Cloud Account,[],[],,AC-3,mitigates,1 +528,,T1185,Browser Session Hijacking,[],[],,AC-3,mitigates,1 +529,,T1187,Forced Authentication,[],[],,AC-3,mitigates,1 +530,,T1190,Exploit Public-Facing Application,[],[],,AC-3,mitigates,1 +531,,T1197,BITS Jobs,[],[],,AC-3,mitigates,1 +532,,T1199,Trusted Relationship,[],[],,AC-3,mitigates,1 +533,,T1200,Hardware Additions,[],[],,AC-3,mitigates,1 +534,,T1205,Traffic Signaling,[],[],,AC-3,mitigates,1 +535,,T1205.001,Port Knocking,[],[],,AC-3,mitigates,1 +536,,T1210,Exploitation of Remote Services,[],[],,AC-3,mitigates,1 +537,,T1213,Data from Information Repositories,[],[],,AC-3,mitigates,1 +538,,T1213.001,Confluence,[],[],,AC-3,mitigates,1 +539,,T1213.002,Sharepoint,[],[],,AC-3,mitigates,1 +540,,T1213.003,Code Repositories,[],[],,AC-3,mitigates,1 +541,,T1218,Signed Binary Proxy Execution,[],[],,AC-3,mitigates,1 +542,,T1218.002,Control Panel,[],[],,AC-3,mitigates,1 
+543,,T1218.007,Msiexec,[],[],,AC-3,mitigates,1 +544,,T1218.012,Verclsid,[],[],,AC-3,mitigates,1 +545,,T1219,Remote Access Software,[],[],,AC-3,mitigates,1 +546,,T1222,File and Directory Permissions Modification,[],[],,AC-3,mitigates,1 +547,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-3,mitigates,1 +548,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-3,mitigates,1 +549,,T1484,Domain Policy Modification,[],[],,AC-3,mitigates,1 +550,,T1485,Data Destruction,[],[],,AC-3,mitigates,1 +551,,T1486,Data Encrypted for Impact,[],[],,AC-3,mitigates,1 +552,,T1489,Service Stop,[],[],,AC-3,mitigates,1 +553,,T1490,Inhibit System Recovery,[],[],,AC-3,mitigates,1 +554,,T1491,Defacement,[],[],,AC-3,mitigates,1 +555,,T1491.001,Internal Defacement,[],[],,AC-3,mitigates,1 +556,,T1491.002,External Defacement,[],[],,AC-3,mitigates,1 +557,,T1495,Firmware Corruption,[],[],,AC-3,mitigates,1 +558,,T1498,Network Denial of Service,[],[],,AC-3,mitigates,1 +559,,T1498.001,Direct Network Flood,[],[],,AC-3,mitigates,1 +560,,T1498.002,Reflection Amplification,[],[],,AC-3,mitigates,1 +561,,T1499,Endpoint Denial of Service,[],[],,AC-3,mitigates,1 +562,,T1499.001,OS Exhaustion Flood,[],[],,AC-3,mitigates,1 +563,,T1499.002,Service Exhaustion Flood,[],[],,AC-3,mitigates,1 +564,,T1499.003,Application Exhaustion Flood,[],[],,AC-3,mitigates,1 +565,,T1499.004,Application or System Exploitation,[],[],,AC-3,mitigates,1 +566,,T1505,Server Software Component,[],[],,AC-3,mitigates,1 +567,,T1505.002,Transport Agent,[],[],,AC-3,mitigates,1 +568,,T1505.003,Web Shell,[],[],,AC-3,mitigates,1 +569,,T1505.004,IIS Components,[],[],,AC-3,mitigates,1 +570,,T1525,Implant Internal Image,[],[],,AC-3,mitigates,1 +571,,T1528,Steal Application Access Token,[],[],,AC-3,mitigates,1 +572,,T1530,Data from Cloud Storage Object,[],[],,AC-3,mitigates,1 +573,,T1537,Transfer Data to Cloud Account,[],[],,AC-3,mitigates,1 +574,,T1538,Cloud Service Dashboard,[],[],,AC-3,mitigates,1 
+575,,T1539,Steal Web Session Cookie,[],[],,AC-3,mitigates,1 +576,,T1542,Pre-OS Boot,[],[],,AC-3,mitigates,1 +577,,T1542.001,System Firmware,[],[],,AC-3,mitigates,1 +578,,T1542.003,Bootkit,[],[],,AC-3,mitigates,1 +579,,T1542.004,ROMMONkit,[],[],,AC-3,mitigates,1 +580,,T1542.005,TFTP Boot,[],[],,AC-3,mitigates,1 +581,,T1543,Create or Modify System Process,[],[],,AC-3,mitigates,1 +582,,T1543.001,Launch Agent,[],[],,AC-3,mitigates,1 +583,,T1543.002,Systemd Service,[],[],,AC-3,mitigates,1 +584,,T1543.003,Windows Service,[],[],,AC-3,mitigates,1 +585,,T1543.004,Launch Daemon,[],[],,AC-3,mitigates,1 +586,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-3,mitigates,1 +587,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-3,mitigates,1 +588,,T1546.013,PowerShell Profile,[],[],,AC-3,mitigates,1 +589,,T1547.003,Time Providers,[],[],,AC-3,mitigates,1 +590,,T1547.004,Winlogon Helper DLL,[],[],,AC-3,mitigates,1 +591,,T1547.006,Kernel Modules and Extensions,[],[],,AC-3,mitigates,1 +592,,T1547.007,Re-opened Applications,[],[],,AC-3,mitigates,1 +593,,T1547.009,Shortcut Modification,[],[],,AC-3,mitigates,1 +594,,T1547.011,Plist Modification,[],[],,AC-3,mitigates,1 +595,,T1547.012,Print Processors,[],[],,AC-3,mitigates,1 +596,,T1547.013,XDG Autostart Entries,[],[],,AC-3,mitigates,1 +597,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-3,mitigates,1 +598,,T1548.002,Bypass User Account Control,[],[],,AC-3,mitigates,1 +599,,T1548.003,Sudo and Sudo Caching,[],[],,AC-3,mitigates,1 +600,,T1550,Use Alternate Authentication Material,[],[],,AC-3,mitigates,1 +601,,T1550.002,Pass the Hash,[],[],,AC-3,mitigates,1 +602,,T1550.003,Pass the Ticket,[],[],,AC-3,mitigates,1 +603,,T1552,Unsecured Credentials,[],[],,AC-3,mitigates,1 +604,,T1552.002,Credentials in Registry,[],[],,AC-3,mitigates,1 +605,,T1552.005,Cloud Instance Metadata API,[],[],,AC-3,mitigates,1 +606,,T1552.007,Container API,[],[],,AC-3,mitigates,1 +607,,T1553.003,SIP and Trust Provider 
Hijacking,[],[],,AC-3,mitigates,1 +608,,T1556,Modify Authentication Process,[],[],,AC-3,mitigates,1 +609,,T1556.001,Domain Controller Authentication,[],[],,AC-3,mitigates,1 +610,,T1556.003,Pluggable Authentication Modules,[],[],,AC-3,mitigates,1 +611,,T1556.004,Network Device Authentication,[],[],,AC-3,mitigates,1 +612,,T1557,Adversary-in-the-Middle,[],[],,AC-3,mitigates,1 +613,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-3,mitigates,1 +614,,T1557.002,ARP Cache Poisoning,[],[],,AC-3,mitigates,1 +615,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-3,mitigates,1 +616,,T1558.001,Golden Ticket,[],[],,AC-3,mitigates,1 +617,,T1558.002,Silver Ticket,[],[],,AC-3,mitigates,1 +618,,T1558.003,Kerberoasting,[],[],,AC-3,mitigates,1 +619,,T1558.004,AS-REP Roasting,[],[],,AC-3,mitigates,1 +620,,T1559,Inter-Process Communication,[],[],,AC-3,mitigates,1 +621,,T1559.001,Component Object Model,[],[],,AC-3,mitigates,1 +622,,T1561,Disk Wipe,[],[],,AC-3,mitigates,1 +623,,T1561.001,Disk Content Wipe,[],[],,AC-3,mitigates,1 +624,,T1561.002,Disk Structure Wipe,[],[],,AC-3,mitigates,1 +625,,T1562,Impair Defenses,[],[],,AC-3,mitigates,1 +626,,T1562.001,Disable or Modify Tools,[],[],,AC-3,mitigates,1 +627,,T1562.002,Disable Windows Event Logging,[],[],,AC-3,mitigates,1 +628,,T1562.004,Disable or Modify System Firewall,[],[],,AC-3,mitigates,1 +629,,T1562.006,Indicator Blocking,[],[],,AC-3,mitigates,1 +630,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-3,mitigates,1 +631,,T1562.008,Disable Cloud Logs,[],[],,AC-3,mitigates,1 +632,,T1562.009,Safe Mode Boot,[],[],,AC-3,mitigates,1 +633,,T1563,Remote Service Session Hijacking,[],[],,AC-3,mitigates,1 +634,,T1563.001,SSH Hijacking,[],[],,AC-3,mitigates,1 +635,,T1563.002,RDP Hijacking,[],[],,AC-3,mitigates,1 +636,,T1564.004,NTFS File Attributes,[],[],,AC-3,mitigates,1 +637,,T1565,Data Manipulation,[],[],,AC-3,mitigates,1 +638,,T1565.001,Stored Data Manipulation,[],[],,AC-3,mitigates,1 +639,,T1565.003,Runtime Data 
Manipulation,[],[],,AC-3,mitigates,1 +640,,T1567,Exfiltration Over Web Service,[],[],,AC-3,mitigates,1 +641,,T1569,System Services,[],[],,AC-3,mitigates,1 +642,,T1569.001,Launchctl,[],[],,AC-3,mitigates,1 +643,,T1569.002,Service Execution,[],[],,AC-3,mitigates,1 +644,,T1570,Lateral Tool Transfer,[],[],,AC-3,mitigates,1 +645,,T1572,Protocol Tunneling,[],[],,AC-3,mitigates,1 +646,,T1574,Hijack Execution Flow,[],[],,AC-3,mitigates,1 +647,,T1574.004,Dylib Hijacking,[],[],,AC-3,mitigates,1 +648,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-3,mitigates,1 +649,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-3,mitigates,1 +650,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-3,mitigates,1 +651,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-3,mitigates,1 +652,,T1574.010,Services File Permissions Weakness,[],[],,AC-3,mitigates,1 +653,,T1574.012,COR_PROFILER,[],[],,AC-3,mitigates,1 +654,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-3,mitigates,1 +655,,T1578.001,Create Snapshot,[],[],,AC-3,mitigates,1 +656,,T1578.002,Create Cloud Instance,[],[],,AC-3,mitigates,1 +657,,T1578.003,Delete Cloud Instance,[],[],,AC-3,mitigates,1 +658,,T1580,Cloud Infrastructure Discovery,[],[],,AC-3,mitigates,1 +659,,T1599,Network Boundary Bridging,[],[],,AC-3,mitigates,1 +660,,T1599.001,Network Address Translation Traversal,[],[],,AC-3,mitigates,1 +661,,T1601,Modify System Image,[],[],,AC-3,mitigates,1 +662,,T1601.001,Patch System Image,[],[],,AC-3,mitigates,1 +663,,T1601.002,Downgrade System Image,[],[],,AC-3,mitigates,1 +664,,T1602,Data from Configuration Repository,[],[],,AC-3,mitigates,1 +665,,T1602.001,SNMP (MIB Dump),[],[],,AC-3,mitigates,1 +666,,T1602.002,Network Device Configuration Dump,[],[],,AC-3,mitigates,1 +667,,T1606,Forge Web Credentials,[],[],,AC-3,mitigates,1 +668,,T1606.001,Web Cookies,[],[],,AC-3,mitigates,1 +669,,T1606.002,SAML Tokens,[],[],,AC-3,mitigates,1 +670,,T1609,Container Administration 
Command,[],[],,AC-3,mitigates,1 +671,,T1610,Deploy Container,[],[],,AC-3,mitigates,1 +672,,T1611,Escape to Host,[],[],,AC-3,mitigates,1 +673,,T1612,Build Image on Host,[],[],,AC-3,mitigates,1 +674,,T1613,Container and Resource Discovery,[],[],,AC-3,mitigates,1 +675,,T1619,Cloud Storage Object Discovery,[],[],,AC-3,mitigates,1 +676,,T1001,Data Obfuscation,[],[],,AC-4,mitigates,1 +677,,T1001.001,Junk Data,[],[],,AC-4,mitigates,1 +678,,T1001.002,Steganography,[],[],,AC-4,mitigates,1 +679,,T1001.003,Protocol Impersonation,[],[],,AC-4,mitigates,1 +680,,T1003,OS Credential Dumping,[],[],,AC-4,mitigates,1 +681,,T1003.001,LSASS Memory,[],[],,AC-4,mitigates,1 +682,,T1003.005,Cached Domain Credentials,[],[],,AC-4,mitigates,1 +683,,T1003.006,DCSync,[],[],,AC-4,mitigates,1 +684,,T1008,Fallback Channels,[],[],,AC-4,mitigates,1 +685,,T1020.001,Traffic Duplication,[],[],,AC-4,mitigates,1 +686,,T1021.001,Remote Desktop Protocol,[],[],,AC-4,mitigates,1 +687,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-4,mitigates,1 +688,,T1021.003,Distributed Component Object Model,[],[],,AC-4,mitigates,1 +689,,T1021.005,VNC,[],[],,AC-4,mitigates,1 +690,,T1021.006,Windows Remote Management,[],[],,AC-4,mitigates,1 +691,,T1029,Scheduled Transfer,[],[],,AC-4,mitigates,1 +692,,T1030,Data Transfer Size Limits,[],[],,AC-4,mitigates,1 +693,,T1041,Exfiltration Over C2 Channel,[],[],,AC-4,mitigates,1 +694,,T1046,Network Service Scanning,[],[],,AC-4,mitigates,1 +695,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-4,mitigates,1 +696,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,1 +697,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,1 +698,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-4,mitigates,1 +699,,T1068,Exploitation for Privilege Escalation,[],[],,AC-4,mitigates,1 +700,,T1071,Application Layer Protocol,[],[],,AC-4,mitigates,1 +701,,T1071.001,Web Protocols,[],[],,AC-4,mitigates,1 
+702,,T1071.002,File Transfer Protocols,[],[],,AC-4,mitigates,1 +703,,T1071.003,Mail Protocols,[],[],,AC-4,mitigates,1 +704,,T1071.004,DNS,[],[],,AC-4,mitigates,1 +705,,T1072,Software Deployment Tools,[],[],,AC-4,mitigates,1 +706,,T1090,Proxy,[],[],,AC-4,mitigates,1 +707,,T1090.001,Internal Proxy,[],[],,AC-4,mitigates,1 +708,,T1090.002,External Proxy,[],[],,AC-4,mitigates,1 +709,,T1090.003,Multi-hop Proxy,[],[],,AC-4,mitigates,1 +710,,T1095,Non-Application Layer Protocol,[],[],,AC-4,mitigates,1 +711,,T1098,Account Manipulation,[],[],,AC-4,mitigates,1 +712,,T1098.001,Additional Cloud Credentials,[],[],,AC-4,mitigates,1 +713,,T1102,Web Service,[],[],,AC-4,mitigates,1 +714,,T1102.001,Dead Drop Resolver,[],[],,AC-4,mitigates,1 +715,,T1102.002,Bidirectional Communication,[],[],,AC-4,mitigates,1 +716,,T1102.003,One-Way Communication,[],[],,AC-4,mitigates,1 +717,,T1104,Multi-Stage Channels,[],[],,AC-4,mitigates,1 +718,,T1105,Ingress Tool Transfer,[],[],,AC-4,mitigates,1 +719,,T1114,Email Collection,[],[],,AC-4,mitigates,1 +720,,T1114.001,Local Email Collection,[],[],,AC-4,mitigates,1 +721,,T1114.002,Remote Email Collection,[],[],,AC-4,mitigates,1 +722,,T1114.003,Email Forwarding Rule,[],[],,AC-4,mitigates,1 +723,,T1132,Data Encoding,[],[],,AC-4,mitigates,1 +724,,T1132.001,Standard Encoding,[],[],,AC-4,mitigates,1 +725,,T1132.002,Non-Standard Encoding,[],[],,AC-4,mitigates,1 +726,,T1133,External Remote Services,[],[],,AC-4,mitigates,1 +727,,T1134.005,SID-History Injection,[],[],,AC-4,mitigates,1 +728,,T1136,Create Account,[],[],,AC-4,mitigates,1 +729,,T1136.002,Domain Account,[],[],,AC-4,mitigates,1 +730,,T1136.003,Cloud Account,[],[],,AC-4,mitigates,1 +731,,T1187,Forced Authentication,[],[],,AC-4,mitigates,1 +732,,T1189,Drive-by Compromise,[],[],,AC-4,mitigates,1 +733,,T1190,Exploit Public-Facing Application,[],[],,AC-4,mitigates,1 +734,,T1197,BITS Jobs,[],[],,AC-4,mitigates,1 +735,,T1199,Trusted Relationship,[],[],,AC-4,mitigates,1 +736,,T1203,Exploitation for Client 
Execution,[],[],,AC-4,mitigates,1 +737,,T1204,User Execution,[],[],,AC-4,mitigates,1 +738,,T1204.001,Malicious Link,[],[],,AC-4,mitigates,1 +739,,T1204.002,Malicious File,[],[],,AC-4,mitigates,1 +740,,T1204.003,Malicious Image,[],[],,AC-4,mitigates,1 +741,,T1205,Traffic Signaling,[],[],,AC-4,mitigates,1 +742,,T1205.001,Port Knocking,[],[],,AC-4,mitigates,1 +743,,T1210,Exploitation of Remote Services,[],[],,AC-4,mitigates,1 +744,,T1211,Exploitation for Defense Evasion,[],[],,AC-4,mitigates,1 +745,,T1212,Exploitation for Credential Access,[],[],,AC-4,mitigates,1 +746,,T1213,Data from Information Repositories,[],[],,AC-4,mitigates,1 +747,,T1213.001,Confluence,[],[],,AC-4,mitigates,1 +748,,T1213.002,Sharepoint,[],[],,AC-4,mitigates,1 +749,,T1218.012,Verclsid,[],[],,AC-4,mitigates,1 +750,,T1219,Remote Access Software,[],[],,AC-4,mitigates,1 +751,,T1482,Domain Trust Discovery,[],[],,AC-4,mitigates,1 +752,,T1484,Domain Policy Modification,[],[],,AC-4,mitigates,1 +753,,T1489,Service Stop,[],[],,AC-4,mitigates,1 +754,,T1498,Network Denial of Service,[],[],,AC-4,mitigates,1 +755,,T1498.001,Direct Network Flood,[],[],,AC-4,mitigates,1 +756,,T1498.002,Reflection Amplification,[],[],,AC-4,mitigates,1 +757,,T1499,Endpoint Denial of Service,[],[],,AC-4,mitigates,1 +758,,T1499.001,OS Exhaustion Flood,[],[],,AC-4,mitigates,1 +759,,T1499.002,Service Exhaustion Flood,[],[],,AC-4,mitigates,1 +760,,T1499.003,Application Exhaustion Flood,[],[],,AC-4,mitigates,1 +761,,T1499.004,Application or System Exploitation,[],[],,AC-4,mitigates,1 +762,,T1505.004,IIS Components,[],[],,AC-4,mitigates,1 +763,,T1528,Steal Application Access Token,[],[],,AC-4,mitigates,1 +764,,T1530,Data from Cloud Storage Object,[],[],,AC-4,mitigates,1 +765,,T1537,Transfer Data to Cloud Account,[],[],,AC-4,mitigates,1 +766,,T1547.003,Time Providers,[],[],,AC-4,mitigates,1 +767,,T1552,Unsecured Credentials,[],[],,AC-4,mitigates,1 +768,,T1552.001,Credentials In Files,[],[],,AC-4,mitigates,1 +769,,T1552.005,Cloud Instance 
Metadata API,[],[],,AC-4,mitigates,1 +770,,T1552.007,Container API,[],[],,AC-4,mitigates,1 +771,,T1557,Adversary-in-the-Middle,[],[],,AC-4,mitigates,1 +772,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-4,mitigates,1 +773,,T1557.002,ARP Cache Poisoning,[],[],,AC-4,mitigates,1 +774,,T1559,Inter-Process Communication,[],[],,AC-4,mitigates,1 +775,,T1559.001,Component Object Model,[],[],,AC-4,mitigates,1 +776,,T1559.002,Dynamic Data Exchange,[],[],,AC-4,mitigates,1 +777,,T1563,Remote Service Session Hijacking,[],[],,AC-4,mitigates,1 +778,,T1563.002,RDP Hijacking,[],[],,AC-4,mitigates,1 +779,,T1564.008,Email Hiding Rules,[],[],,AC-4,mitigates,1 +780,,T1565,Data Manipulation,[],[],,AC-4,mitigates,1 +781,,T1565.003,Runtime Data Manipulation,[],[],,AC-4,mitigates,1 +782,,T1566,Phishing,[],[],,AC-4,mitigates,1 +783,,T1566.001,Spearphishing Attachment,[],[],,AC-4,mitigates,1 +784,,T1566.002,Spearphishing Link,[],[],,AC-4,mitigates,1 +785,,T1566.003,Spearphishing via Service,[],[],,AC-4,mitigates,1 +786,,T1567,Exfiltration Over Web Service,[],[],,AC-4,mitigates,1 +787,,T1567.001,Exfiltration to Code Repository,[],[],,AC-4,mitigates,1 +788,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-4,mitigates,1 +789,,T1568,Dynamic Resolution,[],[],,AC-4,mitigates,1 +790,,T1568.002,Domain Generation Algorithms,[],[],,AC-4,mitigates,1 +791,,T1570,Lateral Tool Transfer,[],[],,AC-4,mitigates,1 +792,,T1571,Non-Standard Port,[],[],,AC-4,mitigates,1 +793,,T1572,Protocol Tunneling,[],[],,AC-4,mitigates,1 +794,,T1573,Encrypted Channel,[],[],,AC-4,mitigates,1 +795,,T1573.001,Symmetric Cryptography,[],[],,AC-4,mitigates,1 +796,,T1573.002,Asymmetric Cryptography,[],[],,AC-4,mitigates,1 +797,,T1574,Hijack Execution Flow,[],[],,AC-4,mitigates,1 +798,,T1574.004,Dylib Hijacking,[],[],,AC-4,mitigates,1 +799,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-4,mitigates,1 +800,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-4,mitigates,1 
+801,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-4,mitigates,1 +802,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-4,mitigates,1 +803,,T1574.010,Services File Permissions Weakness,[],[],,AC-4,mitigates,1 +804,,T1598,Phishing for Information,[],[],,AC-4,mitigates,1 +805,,T1598.001,Spearphishing Service,[],[],,AC-4,mitigates,1 +806,,T1598.002,Spearphishing Attachment,[],[],,AC-4,mitigates,1 +807,,T1598.003,Spearphishing Link,[],[],,AC-4,mitigates,1 +808,,T1599,Network Boundary Bridging,[],[],,AC-4,mitigates,1 +809,,T1599.001,Network Address Translation Traversal,[],[],,AC-4,mitigates,1 +810,,T1601,Modify System Image,[],[],,AC-4,mitigates,1 +811,,T1601.001,Patch System Image,[],[],,AC-4,mitigates,1 +812,,T1601.002,Downgrade System Image,[],[],,AC-4,mitigates,1 +813,,T1602,Data from Configuration Repository,[],[],,AC-4,mitigates,1 +814,,T1602.001,SNMP (MIB Dump),[],[],,AC-4,mitigates,1 +815,,T1602.002,Network Device Configuration Dump,[],[],,AC-4,mitigates,1 +816,,T1611,Escape to Host,[],[],,AC-4,mitigates,1 +817,,T1003,OS Credential Dumping,[],[],,AC-5,mitigates,1 +818,,T1003.001,LSASS Memory,[],[],,AC-5,mitigates,1 +819,,T1003.002,Security Account Manager,[],[],,AC-5,mitigates,1 +820,,T1003.003,NTDS,[],[],,AC-5,mitigates,1 +821,,T1003.004,LSA Secrets,[],[],,AC-5,mitigates,1 +822,,T1003.005,Cached Domain Credentials,[],[],,AC-5,mitigates,1 +823,,T1003.006,DCSync,[],[],,AC-5,mitigates,1 +824,,T1003.007,Proc Filesystem,[],[],,AC-5,mitigates,1 +825,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-5,mitigates,1 +826,,T1021,Remote Services,[],[],,AC-5,mitigates,1 +827,,T1021.001,Remote Desktop Protocol,[],[],,AC-5,mitigates,1 +828,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-5,mitigates,1 +829,,T1021.003,Distributed Component Object Model,[],[],,AC-5,mitigates,1 +830,,T1021.004,SSH,[],[],,AC-5,mitigates,1 +831,,T1021.006,Windows Remote Management,[],[],,AC-5,mitigates,1 +832,,T1047,Windows Management Instrumentation,[],[],,AC-5,mitigates,1 
+833,,T1053,Scheduled Task/Job,[],[],,AC-5,mitigates,1 +834,,T1053.001,At (Linux),[],[],,AC-5,mitigates,1 +835,,T1053.002,At (Windows),[],[],,AC-5,mitigates,1 +836,,T1053.003,Cron,[],[],,AC-5,mitigates,1 +837,,T1053.005,Scheduled Task,[],[],,AC-5,mitigates,1 +838,,T1053.006,Systemd Timers,[],[],,AC-5,mitigates,1 +839,,T1053.007,Container Orchestration Job,[],[],,AC-5,mitigates,1 +840,,T1055,Process Injection,[],[],,AC-5,mitigates,1 +841,,T1055.008,Ptrace System Calls,[],[],,AC-5,mitigates,1 +842,,T1056.003,Web Portal Capture,[],[],,AC-5,mitigates,1 +843,,T1059,Command and Scripting Interpreter,[],[],,AC-5,mitigates,1 +844,,T1059.001,PowerShell,[],[],,AC-5,mitigates,1 +845,,T1059.008,Network Device CLI,[],[],,AC-5,mitigates,1 +846,,T1070,Indicator Removal on Host,[],[],,AC-5,mitigates,1 +847,,T1070.001,Clear Windows Event Logs,[],[],,AC-5,mitigates,1 +848,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-5,mitigates,1 +849,,T1070.003,Clear Command History,[],[],,AC-5,mitigates,1 +850,,T1072,Software Deployment Tools,[],[],,AC-5,mitigates,1 +851,,T1078,Valid Accounts,[],[],,AC-5,mitigates,1 +852,,T1078.001,Default Accounts,[],[],,AC-5,mitigates,1 +853,,T1078.002,Domain Accounts,[],[],,AC-5,mitigates,1 +854,,T1078.003,Local Accounts,[],[],,AC-5,mitigates,1 +855,,T1078.004,Cloud Accounts,[],[],,AC-5,mitigates,1 +856,,T1087.004,Cloud Account,[],[],,AC-5,mitigates,1 +857,,T1098,Account Manipulation,[],[],,AC-5,mitigates,1 +858,,T1098.001,Additional Cloud Credentials,[],[],,AC-5,mitigates,1 +859,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-5,mitigates,1 +860,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-5,mitigates,1 +861,,T1110,Brute Force,[],[],,AC-5,mitigates,1 +862,,T1110.001,Password Guessing,[],[],,AC-5,mitigates,1 +863,,T1110.002,Password Cracking,[],[],,AC-5,mitigates,1 +864,,T1110.003,Password Spraying,[],[],,AC-5,mitigates,1 +865,,T1110.004,Credential Stuffing,[],[],,AC-5,mitigates,1 +866,,T1134,Access Token 
Manipulation,[],[],,AC-5,mitigates,1 +867,,T1134.001,Token Impersonation/Theft,[],[],,AC-5,mitigates,1 +868,,T1134.002,Create Process with Token,[],[],,AC-5,mitigates,1 +869,,T1134.003,Make and Impersonate Token,[],[],,AC-5,mitigates,1 +870,,T1134.005,SID-History Injection,[],[],,AC-5,mitigates,1 +871,,T1136,Create Account,[],[],,AC-5,mitigates,1 +872,,T1136.001,Local Account,[],[],,AC-5,mitigates,1 +873,,T1136.002,Domain Account,[],[],,AC-5,mitigates,1 +874,,T1136.003,Cloud Account,[],[],,AC-5,mitigates,1 +875,,T1185,Browser Session Hijacking,[],[],,AC-5,mitigates,1 +876,,T1190,Exploit Public-Facing Application,[],[],,AC-5,mitigates,1 +877,,T1197,BITS Jobs,[],[],,AC-5,mitigates,1 +878,,T1210,Exploitation of Remote Services,[],[],,AC-5,mitigates,1 +879,,T1213,Data from Information Repositories,[],[],,AC-5,mitigates,1 +880,,T1213.001,Confluence,[],[],,AC-5,mitigates,1 +881,,T1213.002,Sharepoint,[],[],,AC-5,mitigates,1 +882,,T1213.003,Code Repositories,[],[],,AC-5,mitigates,1 +883,,T1218,Signed Binary Proxy Execution,[],[],,AC-5,mitigates,1 +884,,T1218.007,Msiexec,[],[],,AC-5,mitigates,1 +885,,T1222,File and Directory Permissions Modification,[],[],,AC-5,mitigates,1 +886,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-5,mitigates,1 +887,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-5,mitigates,1 +888,,T1484,Domain Policy Modification,[],[],,AC-5,mitigates,1 +889,,T1489,Service Stop,[],[],,AC-5,mitigates,1 +890,,T1495,Firmware Corruption,[],[],,AC-5,mitigates,1 +891,,T1505,Server Software Component,[],[],,AC-5,mitigates,1 +892,,T1505.002,Transport Agent,[],[],,AC-5,mitigates,1 +893,,T1505.003,Web Shell,[],[],,AC-5,mitigates,1 +894,,T1525,Implant Internal Image,[],[],,AC-5,mitigates,1 +895,,T1528,Steal Application Access Token,[],[],,AC-5,mitigates,1 +896,,T1530,Data from Cloud Storage Object,[],[],,AC-5,mitigates,1 +897,,T1537,Transfer Data to Cloud Account,[],[],,AC-5,mitigates,1 +898,,T1538,Cloud Service 
Dashboard,[],[],,AC-5,mitigates,1 +899,,T1542,Pre-OS Boot,[],[],,AC-5,mitigates,1 +900,,T1542.001,System Firmware,[],[],,AC-5,mitigates,1 +901,,T1542.003,Bootkit,[],[],,AC-5,mitigates,1 +902,,T1542.005,TFTP Boot,[],[],,AC-5,mitigates,1 +903,,T1543,Create or Modify System Process,[],[],,AC-5,mitigates,1 +904,,T1543.001,Launch Agent,[],[],,AC-5,mitigates,1 +905,,T1543.002,Systemd Service,[],[],,AC-5,mitigates,1 +906,,T1543.003,Windows Service,[],[],,AC-5,mitigates,1 +907,,T1543.004,Launch Daemon,[],[],,AC-5,mitigates,1 +908,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-5,mitigates,1 +909,,T1547.004,Winlogon Helper DLL,[],[],,AC-5,mitigates,1 +910,,T1547.006,Kernel Modules and Extensions,[],[],,AC-5,mitigates,1 +911,,T1547.009,Shortcut Modification,[],[],,AC-5,mitigates,1 +912,,T1547.012,Print Processors,[],[],,AC-5,mitigates,1 +913,,T1547.013,XDG Autostart Entries,[],[],,AC-5,mitigates,1 +914,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-5,mitigates,1 +915,,T1548.002,Bypass User Account Control,[],[],,AC-5,mitigates,1 +916,,T1548.003,Sudo and Sudo Caching,[],[],,AC-5,mitigates,1 +917,,T1550,Use Alternate Authentication Material,[],[],,AC-5,mitigates,1 +918,,T1550.002,Pass the Hash,[],[],,AC-5,mitigates,1 +919,,T1550.003,Pass the Ticket,[],[],,AC-5,mitigates,1 +920,,T1552,Unsecured Credentials,[],[],,AC-5,mitigates,1 +921,,T1552.001,Credentials In Files,[],[],,AC-5,mitigates,1 +922,,T1552.002,Credentials in Registry,[],[],,AC-5,mitigates,1 +923,,T1552.006,Group Policy Preferences,[],[],,AC-5,mitigates,1 +924,,T1552.007,Container API,[],[],,AC-5,mitigates,1 +925,,T1556,Modify Authentication Process,[],[],,AC-5,mitigates,1 +926,,T1556.001,Domain Controller Authentication,[],[],,AC-5,mitigates,1 +927,,T1556.003,Pluggable Authentication Modules,[],[],,AC-5,mitigates,1 +928,,T1556.004,Network Device Authentication,[],[],,AC-5,mitigates,1 +929,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-5,mitigates,1 +930,,T1558.001,Golden 
Ticket,[],[],,AC-5,mitigates,1 +931,,T1558.002,Silver Ticket,[],[],,AC-5,mitigates,1 +932,,T1558.003,Kerberoasting,[],[],,AC-5,mitigates,1 +933,,T1559,Inter-Process Communication,[],[],,AC-5,mitigates,1 +934,,T1559.001,Component Object Model,[],[],,AC-5,mitigates,1 +935,,T1562,Impair Defenses,[],[],,AC-5,mitigates,1 +936,,T1562.001,Disable or Modify Tools,[],[],,AC-5,mitigates,1 +937,,T1562.002,Disable Windows Event Logging,[],[],,AC-5,mitigates,1 +938,,T1562.004,Disable or Modify System Firewall,[],[],,AC-5,mitigates,1 +939,,T1562.006,Indicator Blocking,[],[],,AC-5,mitigates,1 +940,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-5,mitigates,1 +941,,T1562.008,Disable Cloud Logs,[],[],,AC-5,mitigates,1 +942,,T1562.009,Safe Mode Boot,[],[],,AC-5,mitigates,1 +943,,T1563,Remote Service Session Hijacking,[],[],,AC-5,mitigates,1 +944,,T1563.001,SSH Hijacking,[],[],,AC-5,mitigates,1 +945,,T1563.002,RDP Hijacking,[],[],,AC-5,mitigates,1 +946,,T1569,System Services,[],[],,AC-5,mitigates,1 +947,,T1569.001,Launchctl,[],[],,AC-5,mitigates,1 +948,,T1569.002,Service Execution,[],[],,AC-5,mitigates,1 +949,,T1574,Hijack Execution Flow,[],[],,AC-5,mitigates,1 +950,,T1574.004,Dylib Hijacking,[],[],,AC-5,mitigates,1 +951,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-5,mitigates,1 +952,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-5,mitigates,1 +953,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-5,mitigates,1 +954,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-5,mitigates,1 +955,,T1574.010,Services File Permissions Weakness,[],[],,AC-5,mitigates,1 +956,,T1574.012,COR_PROFILER,[],[],,AC-5,mitigates,1 +957,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-5,mitigates,1 +958,,T1578.001,Create Snapshot,[],[],,AC-5,mitigates,1 +959,,T1578.002,Create Cloud Instance,[],[],,AC-5,mitigates,1 +960,,T1578.003,Delete Cloud Instance,[],[],,AC-5,mitigates,1 +961,,T1580,Cloud Infrastructure 
Discovery,[],[],,AC-5,mitigates,1 +962,,T1599,Network Boundary Bridging,[],[],,AC-5,mitigates,1 +963,,T1599.001,Network Address Translation Traversal,[],[],,AC-5,mitigates,1 +964,,T1601,Modify System Image,[],[],,AC-5,mitigates,1 +965,,T1601.001,Patch System Image,[],[],,AC-5,mitigates,1 +966,,T1601.002,Downgrade System Image,[],[],,AC-5,mitigates,1 +967,,T1606,Forge Web Credentials,[],[],,AC-5,mitigates,1 +968,,T1611,Escape to Host,[],[],,AC-5,mitigates,1 +969,,T1619,Cloud Storage Object Discovery,[],[],,AC-5,mitigates,1 +970,,T1003,OS Credential Dumping,[],[],,AC-6,mitigates,1 +971,,T1003.001,LSASS Memory,[],[],,AC-6,mitigates,1 +972,,T1003.002,Security Account Manager,[],[],,AC-6,mitigates,1 +973,,T1003.003,NTDS,[],[],,AC-6,mitigates,1 +974,,T1003.004,LSA Secrets,[],[],,AC-6,mitigates,1 +975,,T1003.005,Cached Domain Credentials,[],[],,AC-6,mitigates,1 +976,,T1003.006,DCSync,[],[],,AC-6,mitigates,1 +977,,T1003.007,Proc Filesystem,[],[],,AC-6,mitigates,1 +978,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-6,mitigates,1 +979,,T1005,Data from Local System,[],[],,AC-6,mitigates,1 +980,,T1021,Remote Services,[],[],,AC-6,mitigates,1 +981,,T1021.001,Remote Desktop Protocol,[],[],,AC-6,mitigates,1 +982,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-6,mitigates,1 +983,,T1021.003,Distributed Component Object Model,[],[],,AC-6,mitigates,1 +984,,T1021.004,SSH,[],[],,AC-6,mitigates,1 +985,,T1021.005,VNC,[],[],,AC-6,mitigates,1 +986,,T1021.006,Windows Remote Management,[],[],,AC-6,mitigates,1 +987,,T1025,Data from Removable Media,[],[],,AC-6,mitigates,1 +988,,T1036,Masquerading,[],[],,AC-6,mitigates,1 +989,,T1036.003,Rename System Utilities,[],[],,AC-6,mitigates,1 +990,,T1036.005,Match Legitimate Name or Location,[],[],,AC-6,mitigates,1 +991,,T1041,Exfiltration Over C2 Channel,[],[],,AC-6,mitigates,1 +992,,T1047,Windows Management Instrumentation,[],[],,AC-6,mitigates,1 +993,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-6,mitigates,1 +994,,T1048.002,Exfiltration 
Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-6,mitigates,1 +995,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-6,mitigates,1 +996,,T1052,Exfiltration Over Physical Medium,[],[],,AC-6,mitigates,1 +997,,T1052.001,Exfiltration over USB,[],[],,AC-6,mitigates,1 +998,,T1053,Scheduled Task/Job,[],[],,AC-6,mitigates,1 +999,,T1053.001,At (Linux),[],[],,AC-6,mitigates,1 +1000,,T1053.002,At (Windows),[],[],,AC-6,mitigates,1 +1001,,T1053.003,Cron,[],[],,AC-6,mitigates,1 +1002,,T1053.005,Scheduled Task,[],[],,AC-6,mitigates,1 +1003,,T1053.006,Systemd Timers,[],[],,AC-6,mitigates,1 +1004,,T1053.007,Container Orchestration Job,[],[],,AC-6,mitigates,1 +1005,,T1055,Process Injection,[],[],,AC-6,mitigates,1 +1006,,T1055.001,Dynamic-link Library Injection,[],[],,AC-6,mitigates,1 +1007,,T1055.002,Portable Executable Injection,[],[],,AC-6,mitigates,1 +1008,,T1055.003,Thread Execution Hijacking,[],[],,AC-6,mitigates,1 +1009,,T1055.004,Asynchronous Procedure Call,[],[],,AC-6,mitigates,1 +1010,,T1055.005,Thread Local Storage,[],[],,AC-6,mitigates,1 +1011,,T1055.008,Ptrace System Calls,[],[],,AC-6,mitigates,1 +1012,,T1055.009,Proc Memory,[],[],,AC-6,mitigates,1 +1013,,T1055.011,Extra Window Memory Injection,[],[],,AC-6,mitigates,1 +1014,,T1055.012,Process Hollowing,[],[],,AC-6,mitigates,1 +1015,,T1055.013,Process Doppelgänging,[],[],,AC-6,mitigates,1 +1016,,T1055.014,VDSO Hijacking,[],[],,AC-6,mitigates,1 +1017,,T1056.003,Web Portal Capture,[],[],,AC-6,mitigates,1 +1018,,T1059,Command and Scripting Interpreter,[],[],,AC-6,mitigates,1 +1019,,T1059.001,PowerShell,[],[],,AC-6,mitigates,1 +1020,,T1059.002,AppleScript,[],[],,AC-6,mitigates,1 +1021,,T1059.003,Windows Command Shell,[],[],,AC-6,mitigates,1 +1022,,T1059.004,Unix Shell,[],[],,AC-6,mitigates,1 +1023,,T1059.005,Visual Basic,[],[],,AC-6,mitigates,1 +1024,,T1059.006,Python,[],[],,AC-6,mitigates,1 +1025,,T1059.007,JavaScript,[],[],,AC-6,mitigates,1 +1026,,T1059.008,Network Device 
CLI,[],[],,AC-6,mitigates,1 +1027,,T1068,Exploitation for Privilege Escalation,[],[],,AC-6,mitigates,1 +1028,,T1070,Indicator Removal on Host,[],[],,AC-6,mitigates,1 +1029,,T1070.001,Clear Windows Event Logs,[],[],,AC-6,mitigates,1 +1030,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-6,mitigates,1 +1031,,T1070.003,Clear Command History,[],[],,AC-6,mitigates,1 +1032,,T1072,Software Deployment Tools,[],[],,AC-6,mitigates,1 +1033,,T1078,Valid Accounts,[],[],,AC-6,mitigates,1 +1034,,T1078.001,Default Accounts,[],[],,AC-6,mitigates,1 +1035,,T1078.002,Domain Accounts,[],[],,AC-6,mitigates,1 +1036,,T1078.003,Local Accounts,[],[],,AC-6,mitigates,1 +1037,,T1078.004,Cloud Accounts,[],[],,AC-6,mitigates,1 +1038,,T1087.004,Cloud Account,[],[],,AC-6,mitigates,1 +1039,,T1091,Replication Through Removable Media,[],[],,AC-6,mitigates,1 +1040,,T1098,Account Manipulation,[],[],,AC-6,mitigates,1 +1041,,T1098.001,Additional Cloud Credentials,[],[],,AC-6,mitigates,1 +1042,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-6,mitigates,1 +1043,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-6,mitigates,1 +1044,,T1106,Native API,[],[],,AC-6,mitigates,1 +1045,,T1110,Brute Force,[],[],,AC-6,mitigates,1 +1046,,T1110.001,Password Guessing,[],[],,AC-6,mitigates,1 +1047,,T1110.002,Password Cracking,[],[],,AC-6,mitigates,1 +1048,,T1110.003,Password Spraying,[],[],,AC-6,mitigates,1 +1049,,T1110.004,Credential Stuffing,[],[],,AC-6,mitigates,1 +1050,,T1112,Modify Registry,[],[],,AC-6,mitigates,1 +1051,,T1133,External Remote Services,[],[],,AC-6,mitigates,1 +1052,,T1134,Access Token Manipulation,[],[],,AC-6,mitigates,1 +1053,,T1134.001,Token Impersonation/Theft,[],[],,AC-6,mitigates,1 +1054,,T1134.002,Create Process with Token,[],[],,AC-6,mitigates,1 +1055,,T1134.003,Make and Impersonate Token,[],[],,AC-6,mitigates,1 +1056,,T1134.005,SID-History Injection,[],[],,AC-6,mitigates,1 +1057,,T1136,Create Account,[],[],,AC-6,mitigates,1 +1058,,T1136.001,Local 
Account,[],[],,AC-6,mitigates,1 +1059,,T1136.002,Domain Account,[],[],,AC-6,mitigates,1 +1060,,T1136.003,Cloud Account,[],[],,AC-6,mitigates,1 +1061,,T1137,Office Application Startup,[],[],,AC-6,mitigates,1 +1062,,T1137.001,Office Template Macros,[],[],,AC-6,mitigates,1 +1063,,T1137.002,Office Test,[],[],,AC-6,mitigates,1 +1064,,T1137.003,Outlook Forms,[],[],,AC-6,mitigates,1 +1065,,T1137.004,Outlook Home Page,[],[],,AC-6,mitigates,1 +1066,,T1137.005,Outlook Rules,[],[],,AC-6,mitigates,1 +1067,,T1137.006,Add-ins,[],[],,AC-6,mitigates,1 +1068,,T1176,Browser Extensions,[],[],,AC-6,mitigates,1 +1069,,T1185,Browser Session Hijacking,[],[],,AC-6,mitigates,1 +1070,,T1189,Drive-by Compromise,[],[],,AC-6,mitigates,1 +1071,,T1190,Exploit Public-Facing Application,[],[],,AC-6,mitigates,1 +1072,,T1197,BITS Jobs,[],[],,AC-6,mitigates,1 +1073,,T1199,Trusted Relationship,[],[],,AC-6,mitigates,1 +1074,,T1200,Hardware Additions,[],[],,AC-6,mitigates,1 +1075,,T1203,Exploitation for Client Execution,[],[],,AC-6,mitigates,1 +1076,,T1210,Exploitation of Remote Services,[],[],,AC-6,mitigates,1 +1077,,T1211,Exploitation for Defense Evasion,[],[],,AC-6,mitigates,1 +1078,,T1212,Exploitation for Credential Access,[],[],,AC-6,mitigates,1 +1079,,T1213,Data from Information Repositories,[],[],,AC-6,mitigates,1 +1080,,T1213.001,Confluence,[],[],,AC-6,mitigates,1 +1081,,T1213.002,Sharepoint,[],[],,AC-6,mitigates,1 +1082,,T1213.003,Code Repositories,[],[],,AC-6,mitigates,1 +1083,,T1218,Signed Binary Proxy Execution,[],[],,AC-6,mitigates,1 +1084,,T1218.007,Msiexec,[],[],,AC-6,mitigates,1 +1085,,T1222,File and Directory Permissions Modification,[],[],,AC-6,mitigates,1 +1086,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-6,mitigates,1 +1087,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-6,mitigates,1 +1088,,T1484,Domain Policy Modification,[],[],,AC-6,mitigates,1 +1089,,T1485,Data Destruction,[],[],,AC-6,mitigates,1 +1090,,T1486,Data 
Encrypted for Impact,[],[],,AC-6,mitigates,1 +1091,,T1489,Service Stop,[],[],,AC-6,mitigates,1 +1092,,T1490,Inhibit System Recovery,[],[],,AC-6,mitigates,1 +1093,,T1491,Defacement,[],[],,AC-6,mitigates,1 +1094,,T1491.001,Internal Defacement,[],[],,AC-6,mitigates,1 +1095,,T1491.002,External Defacement,[],[],,AC-6,mitigates,1 +1096,,T1495,Firmware Corruption,[],[],,AC-6,mitigates,1 +1097,,T1505,Server Software Component,[],[],,AC-6,mitigates,1 +1098,,T1505.002,Transport Agent,[],[],,AC-6,mitigates,1 +1099,,T1505.003,Web Shell,[],[],,AC-6,mitigates,1 +1100,,T1505.004,IIS Components,[],[],,AC-6,mitigates,1 +1101,,T1525,Implant Internal Image,[],[],,AC-6,mitigates,1 +1102,,T1528,Steal Application Access Token,[],[],,AC-6,mitigates,1 +1103,,T1530,Data from Cloud Storage Object,[],[],,AC-6,mitigates,1 +1104,,T1537,Transfer Data to Cloud Account,[],[],,AC-6,mitigates,1 +1105,,T1538,Cloud Service Dashboard,[],[],,AC-6,mitigates,1 +1106,,T1539,Steal Web Session Cookie,[],[],,AC-6,mitigates,1 +1107,,T1542,Pre-OS Boot,[],[],,AC-6,mitigates,1 +1108,,T1542.001,System Firmware,[],[],,AC-6,mitigates,1 +1109,,T1542.003,Bootkit,[],[],,AC-6,mitigates,1 +1110,,T1542.004,ROMMONkit,[],[],,AC-6,mitigates,1 +1111,,T1542.005,TFTP Boot,[],[],,AC-6,mitigates,1 +1112,,T1543,Create or Modify System Process,[],[],,AC-6,mitigates,1 +1113,,T1543.001,Launch Agent,[],[],,AC-6,mitigates,1 +1114,,T1543.002,Systemd Service,[],[],,AC-6,mitigates,1 +1115,,T1543.003,Windows Service,[],[],,AC-6,mitigates,1 +1116,,T1543.004,Launch Daemon,[],[],,AC-6,mitigates,1 +1117,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-6,mitigates,1 +1118,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-6,mitigates,1 +1119,,T1546.011,Application Shimming,[],[],,AC-6,mitigates,1 +1120,,T1546.013,PowerShell Profile,[],[],,AC-6,mitigates,1 +1121,,T1547.003,Time Providers,[],[],,AC-6,mitigates,1 +1122,,T1547.004,Winlogon Helper DLL,[],[],,AC-6,mitigates,1 +1123,,T1547.006,Kernel Modules and 
Extensions,[],[],,AC-6,mitigates,1 +1124,,T1547.009,Shortcut Modification,[],[],,AC-6,mitigates,1 +1125,,T1547.011,Plist Modification,[],[],,AC-6,mitigates,1 +1126,,T1547.012,Print Processors,[],[],,AC-6,mitigates,1 +1127,,T1547.013,XDG Autostart Entries,[],[],,AC-6,mitigates,1 +1128,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-6,mitigates,1 +1129,,T1548.002,Bypass User Account Control,[],[],,AC-6,mitigates,1 +1130,,T1548.003,Sudo and Sudo Caching,[],[],,AC-6,mitigates,1 +1131,,T1550,Use Alternate Authentication Material,[],[],,AC-6,mitigates,1 +1132,,T1550.002,Pass the Hash,[],[],,AC-6,mitigates,1 +1133,,T1550.003,Pass the Ticket,[],[],,AC-6,mitigates,1 +1134,,T1552,Unsecured Credentials,[],[],,AC-6,mitigates,1 +1135,,T1552.001,Credentials In Files,[],[],,AC-6,mitigates,1 +1136,,T1552.002,Credentials in Registry,[],[],,AC-6,mitigates,1 +1137,,T1552.006,Group Policy Preferences,[],[],,AC-6,mitigates,1 +1138,,T1552.007,Container API,[],[],,AC-6,mitigates,1 +1139,,T1553,Subvert Trust Controls,[],[],,AC-6,mitigates,1 +1140,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-6,mitigates,1 +1141,,T1553.006,Code Signing Policy Modification,[],[],,AC-6,mitigates,1 +1142,,T1556,Modify Authentication Process,[],[],,AC-6,mitigates,1 +1143,,T1556.001,Domain Controller Authentication,[],[],,AC-6,mitigates,1 +1144,,T1556.003,Pluggable Authentication Modules,[],[],,AC-6,mitigates,1 +1145,,T1556.004,Network Device Authentication,[],[],,AC-6,mitigates,1 +1146,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-6,mitigates,1 +1147,,T1558.001,Golden Ticket,[],[],,AC-6,mitigates,1 +1148,,T1558.002,Silver Ticket,[],[],,AC-6,mitigates,1 +1149,,T1558.003,Kerberoasting,[],[],,AC-6,mitigates,1 +1150,,T1559,Inter-Process Communication,[],[],,AC-6,mitigates,1 +1151,,T1559.001,Component Object Model,[],[],,AC-6,mitigates,1 +1152,,T1559.002,Dynamic Data Exchange,[],[],,AC-6,mitigates,1 +1153,,T1561,Disk Wipe,[],[],,AC-6,mitigates,1 +1154,,T1561.001,Disk Content 
Wipe,[],[],,AC-6,mitigates,1 +1155,,T1561.002,Disk Structure Wipe,[],[],,AC-6,mitigates,1 +1156,,T1562,Impair Defenses,[],[],,AC-6,mitigates,1 +1157,,T1562.001,Disable or Modify Tools,[],[],,AC-6,mitigates,1 +1158,,T1562.002,Disable Windows Event Logging,[],[],,AC-6,mitigates,1 +1159,,T1562.004,Disable or Modify System Firewall,[],[],,AC-6,mitigates,1 +1160,,T1562.006,Indicator Blocking,[],[],,AC-6,mitigates,1 +1161,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-6,mitigates,1 +1162,,T1562.008,Disable Cloud Logs,[],[],,AC-6,mitigates,1 +1163,,T1562.009,Safe Mode Boot,[],[],,AC-6,mitigates,1 +1164,,T1563,Remote Service Session Hijacking,[],[],,AC-6,mitigates,1 +1165,,T1563.001,SSH Hijacking,[],[],,AC-6,mitigates,1 +1166,,T1563.002,RDP Hijacking,[],[],,AC-6,mitigates,1 +1167,,T1567,Exfiltration Over Web Service,[],[],,AC-6,mitigates,1 +1168,,T1569,System Services,[],[],,AC-6,mitigates,1 +1169,,T1569.001,Launchctl,[],[],,AC-6,mitigates,1 +1170,,T1569.002,Service Execution,[],[],,AC-6,mitigates,1 +1171,,T1574,Hijack Execution Flow,[],[],,AC-6,mitigates,1 +1172,,T1574.004,Dylib Hijacking,[],[],,AC-6,mitigates,1 +1173,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-6,mitigates,1 +1174,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-6,mitigates,1 +1175,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-6,mitigates,1 +1176,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-6,mitigates,1 +1177,,T1574.010,Services File Permissions Weakness,[],[],,AC-6,mitigates,1 +1178,,T1574.011,Services Registry Permissions Weakness,[],[],,AC-6,mitigates,1 +1179,,T1574.012,COR_PROFILER,[],[],,AC-6,mitigates,1 +1180,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-6,mitigates,1 +1181,,T1578.001,Create Snapshot,[],[],,AC-6,mitigates,1 +1182,,T1578.002,Create Cloud Instance,[],[],,AC-6,mitigates,1 +1183,,T1578.003,Delete Cloud Instance,[],[],,AC-6,mitigates,1 +1184,,T1580,Cloud Infrastructure 
Discovery,[],[],,AC-6,mitigates,1 +1185,,T1599,Network Boundary Bridging,[],[],,AC-6,mitigates,1 +1186,,T1599.001,Network Address Translation Traversal,[],[],,AC-6,mitigates,1 +1187,,T1601,Modify System Image,[],[],,AC-6,mitigates,1 +1188,,T1601.001,Patch System Image,[],[],,AC-6,mitigates,1 +1189,,T1601.002,Downgrade System Image,[],[],,AC-6,mitigates,1 +1190,,T1606,Forge Web Credentials,[],[],,AC-6,mitigates,1 +1191,,T1606.001,Web Cookies,[],[],,AC-6,mitigates,1 +1192,,T1606.002,SAML Tokens,[],[],,AC-6,mitigates,1 +1193,,T1609,Container Administration Command,[],[],,AC-6,mitigates,1 +1194,,T1610,Deploy Container,[],[],,AC-6,mitigates,1 +1195,,T1611,Escape to Host,[],[],,AC-6,mitigates,1 +1196,,T1612,Build Image on Host,[],[],,AC-6,mitigates,1 +1197,,T1613,Container and Resource Discovery,[],[],,AC-6,mitigates,1 +1198,,T1619,Cloud Storage Object Discovery,[],[],,AC-6,mitigates,1 +1199,,T1021,Remote Services,[],[],,AC-7,mitigates,1 +1200,,T1021.001,Remote Desktop Protocol,[],[],,AC-7,mitigates,1 +1201,,T1021.004,SSH,[],[],,AC-7,mitigates,1 +1202,,T1078.002,Domain Accounts,[],[],,AC-7,mitigates,1 +1203,,T1078.004,Cloud Accounts,[],[],,AC-7,mitigates,1 +1204,,T1110,Brute Force,[],[],,AC-7,mitigates,1 +1205,,T1110.001,Password Guessing,[],[],,AC-7,mitigates,1 +1206,,T1110.002,Password Cracking,[],[],,AC-7,mitigates,1 +1207,,T1110.003,Password Spraying,[],[],,AC-7,mitigates,1 +1208,,T1110.004,Credential Stuffing,[],[],,AC-7,mitigates,1 +1209,,T1133,External Remote Services,[],[],,AC-7,mitigates,1 +1210,,T1530,Data from Cloud Storage Object,[],[],,AC-7,mitigates,1 +1211,,T1556,Modify Authentication Process,[],[],,AC-7,mitigates,1 +1212,,T1556.001,Domain Controller Authentication,[],[],,AC-7,mitigates,1 +1213,,T1556.003,Pluggable Authentication Modules,[],[],,AC-7,mitigates,1 +1214,,T1556.004,Network Device Authentication,[],[],,AC-7,mitigates,1 +1215,,T1199,Trusted Relationship,[],[],,AC-8,mitigates,1 +1216,,T1190,Exploit Public-Facing 
Application,[],[],,CA-2,mitigates,1 +1217,,T1195,Supply Chain Compromise,[],[],,CA-2,mitigates,1 +1218,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-2,mitigates,1 +1219,,T1195.002,Compromise Software Supply Chain,[],[],,CA-2,mitigates,1 +1220,,T1210,Exploitation of Remote Services,[],[],,CA-2,mitigates,1 +1221,,T1020.001,Traffic Duplication,[],[],,CA-3,mitigates,1 +1222,,T1041,Exfiltration Over C2 Channel,[],[],,CA-3,mitigates,1 +1223,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-3,mitigates,1 +1224,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-3,mitigates,1 +1225,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-3,mitigates,1 +1226,,T1567,Exfiltration Over Web Service,[],[],,CA-3,mitigates,1 +1227,,T1001,Data Obfuscation,[],[],,CA-7,mitigates,1 +1228,,T1001.001,Junk Data,[],[],,CA-7,mitigates,1 +1229,,T1001.002,Steganography,[],[],,CA-7,mitigates,1 +1230,,T1001.003,Protocol Impersonation,[],[],,CA-7,mitigates,1 +1231,,T1003,OS Credential Dumping,[],[],,CA-7,mitigates,1 +1232,,T1003.001,LSASS Memory,[],[],,CA-7,mitigates,1 +1233,,T1003.002,Security Account Manager,[],[],,CA-7,mitigates,1 +1234,,T1003.003,NTDS,[],[],,CA-7,mitigates,1 +1235,,T1003.004,LSA Secrets,[],[],,CA-7,mitigates,1 +1236,,T1003.005,Cached Domain Credentials,[],[],,CA-7,mitigates,1 +1237,,T1003.006,DCSync,[],[],,CA-7,mitigates,1 +1238,,T1003.007,Proc Filesystem,[],[],,CA-7,mitigates,1 +1239,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CA-7,mitigates,1 +1240,,T1008,Fallback Channels,[],[],,CA-7,mitigates,1 +1241,,T1021.002,SMB/Windows Admin Shares,[],[],,CA-7,mitigates,1 +1242,,T1021.005,VNC,[],[],,CA-7,mitigates,1 +1243,,T1029,Scheduled Transfer,[],[],,CA-7,mitigates,1 +1244,,T1030,Data Transfer Size Limits,[],[],,CA-7,mitigates,1 +1245,,T1036,Masquerading,[],[],,CA-7,mitigates,1 +1246,,T1036.003,Rename System Utilities,[],[],,CA-7,mitigates,1 +1247,,T1036.005,Match Legitimate Name or 
Location,[],[],,CA-7,mitigates,1 +1248,,T1036.007,Double File Extension,[],[],,CA-7,mitigates,1 +1249,,T1037,Boot or Logon Initialization Scripts,[],[],,CA-7,mitigates,1 +1250,,T1037.002,Logon Script (Mac),[],[],,CA-7,mitigates,1 +1251,,T1037.003,Network Logon Script,[],[],,CA-7,mitigates,1 +1252,,T1037.004,RC Scripts,[],[],,CA-7,mitigates,1 +1253,,T1037.005,Startup Items,[],[],,CA-7,mitigates,1 +1254,,T1041,Exfiltration Over C2 Channel,[],[],,CA-7,mitigates,1 +1255,,T1046,Network Service Scanning,[],[],,CA-7,mitigates,1 +1256,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-7,mitigates,1 +1257,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,1 +1258,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,1 +1259,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-7,mitigates,1 +1260,,T1052,Exfiltration Over Physical Medium,[],[],,CA-7,mitigates,1 +1261,,T1052.001,Exfiltration over USB,[],[],,CA-7,mitigates,1 +1262,,T1053.006,Systemd Timers,[],[],,CA-7,mitigates,1 +1263,,T1055.009,Proc Memory,[],[],,CA-7,mitigates,1 +1264,,T1056.002,GUI Input Capture,[],[],,CA-7,mitigates,1 +1265,,T1059,Command and Scripting Interpreter,[],[],,CA-7,mitigates,1 +1266,,T1059.005,Visual Basic,[],[],,CA-7,mitigates,1 +1267,,T1059.007,JavaScript,[],[],,CA-7,mitigates,1 +1268,,T1068,Exploitation for Privilege Escalation,[],[],,CA-7,mitigates,1 +1269,,T1070,Indicator Removal on Host,[],[],,CA-7,mitigates,1 +1270,,T1070.001,Clear Windows Event Logs,[],[],,CA-7,mitigates,1 +1271,,T1070.002,Clear Linux or Mac System Logs,[],[],,CA-7,mitigates,1 +1272,,T1070.003,Clear Command History,[],[],,CA-7,mitigates,1 +1273,,T1071,Application Layer Protocol,[],[],,CA-7,mitigates,1 +1274,,T1071.001,Web Protocols,[],[],,CA-7,mitigates,1 +1275,,T1071.002,File Transfer Protocols,[],[],,CA-7,mitigates,1 +1276,,T1071.003,Mail Protocols,[],[],,CA-7,mitigates,1 +1277,,T1071.004,DNS,[],[],,CA-7,mitigates,1 
+1278,,T1072,Software Deployment Tools,[],[],,CA-7,mitigates,1 +1279,,T1078,Valid Accounts,[],[],,CA-7,mitigates,1 +1280,,T1078.001,Default Accounts,[],[],,CA-7,mitigates,1 +1281,,T1078.003,Local Accounts,[],[],,CA-7,mitigates,1 +1282,,T1078.004,Cloud Accounts,[],[],,CA-7,mitigates,1 +1283,,T1080,Taint Shared Content,[],[],,CA-7,mitigates,1 +1284,,T1090,Proxy,[],[],,CA-7,mitigates,1 +1285,,T1090.001,Internal Proxy,[],[],,CA-7,mitigates,1 +1286,,T1090.002,External Proxy,[],[],,CA-7,mitigates,1 +1287,,T1090.003,Multi-hop Proxy,[],[],,CA-7,mitigates,1 +1288,,T1095,Non-Application Layer Protocol,[],[],,CA-7,mitigates,1 +1289,,T1102,Web Service,[],[],,CA-7,mitigates,1 +1290,,T1102.001,Dead Drop Resolver,[],[],,CA-7,mitigates,1 +1291,,T1102.002,Bidirectional Communication,[],[],,CA-7,mitigates,1 +1292,,T1102.003,One-Way Communication,[],[],,CA-7,mitigates,1 +1293,,T1104,Multi-Stage Channels,[],[],,CA-7,mitigates,1 +1294,,T1105,Ingress Tool Transfer,[],[],,CA-7,mitigates,1 +1295,,T1110,Brute Force,[],[],,CA-7,mitigates,1 +1296,,T1110.001,Password Guessing,[],[],,CA-7,mitigates,1 +1297,,T1110.002,Password Cracking,[],[],,CA-7,mitigates,1 +1298,,T1110.003,Password Spraying,[],[],,CA-7,mitigates,1 +1299,,T1110.004,Credential Stuffing,[],[],,CA-7,mitigates,1 +1300,,T1111,Two-Factor Authentication Interception,[],[],,CA-7,mitigates,1 +1301,,T1132,Data Encoding,[],[],,CA-7,mitigates,1 +1302,,T1132.001,Standard Encoding,[],[],,CA-7,mitigates,1 +1303,,T1132.002,Non-Standard Encoding,[],[],,CA-7,mitigates,1 +1304,,T1176,Browser Extensions,[],[],,CA-7,mitigates,1 +1305,,T1185,Browser Session Hijacking,[],[],,CA-7,mitigates,1 +1306,,T1187,Forced Authentication,[],[],,CA-7,mitigates,1 +1307,,T1189,Drive-by Compromise,[],[],,CA-7,mitigates,1 +1308,,T1190,Exploit Public-Facing Application,[],[],,CA-7,mitigates,1 +1309,,T1195,Supply Chain Compromise,[],[],,CA-7,mitigates,1 +1310,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-7,mitigates,1 
+1311,,T1195.002,Compromise Software Supply Chain,[],[],,CA-7,mitigates,1 +1312,,T1197,BITS Jobs,[],[],,CA-7,mitigates,1 +1313,,T1201,Password Policy Discovery,[],[],,CA-7,mitigates,1 +1314,,T1203,Exploitation for Client Execution,[],[],,CA-7,mitigates,1 +1315,,T1204,User Execution,[],[],,CA-7,mitigates,1 +1316,,T1204.001,Malicious Link,[],[],,CA-7,mitigates,1 +1317,,T1204.002,Malicious File,[],[],,CA-7,mitigates,1 +1318,,T1204.003,Malicious Image,[],[],,CA-7,mitigates,1 +1319,,T1205,Traffic Signaling,[],[],,CA-7,mitigates,1 +1320,,T1205.001,Port Knocking,[],[],,CA-7,mitigates,1 +1321,,T1210,Exploitation of Remote Services,[],[],,CA-7,mitigates,1 +1322,,T1211,Exploitation for Defense Evasion,[],[],,CA-7,mitigates,1 +1323,,T1212,Exploitation for Credential Access,[],[],,CA-7,mitigates,1 +1324,,T1213,Data from Information Repositories,[],[],,CA-7,mitigates,1 +1325,,T1213.001,Confluence,[],[],,CA-7,mitigates,1 +1326,,T1213.002,Sharepoint,[],[],,CA-7,mitigates,1 +1327,,T1213.003,Code Repositories,[],[],,CA-7,mitigates,1 +1328,,T1218,Signed Binary Proxy Execution,[],[],,CA-7,mitigates,1 +1329,,T1218.002,Control Panel,[],[],,CA-7,mitigates,1 +1330,,T1218.010,Regsvr32,[],[],,CA-7,mitigates,1 +1331,,T1218.011,Rundll32,[],[],,CA-7,mitigates,1 +1332,,T1218.012,Verclsid,[],[],,CA-7,mitigates,1 +1333,,T1219,Remote Access Software,[],[],,CA-7,mitigates,1 +1334,,T1221,Template Injection,[],[],,CA-7,mitigates,1 +1335,,T1222,File and Directory Permissions Modification,[],[],,CA-7,mitigates,1 +1336,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CA-7,mitigates,1 +1337,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CA-7,mitigates,1 +1338,,T1489,Service Stop,[],[],,CA-7,mitigates,1 +1339,,T1498,Network Denial of Service,[],[],,CA-7,mitigates,1 +1340,,T1498.001,Direct Network Flood,[],[],,CA-7,mitigates,1 +1341,,T1498.002,Reflection Amplification,[],[],,CA-7,mitigates,1 +1342,,T1499,Endpoint Denial of Service,[],[],,CA-7,mitigates,1 
+1343,,T1499.001,OS Exhaustion Flood,[],[],,CA-7,mitigates,1 +1344,,T1499.002,Service Exhaustion Flood,[],[],,CA-7,mitigates,1 +1345,,T1499.003,Application Exhaustion Flood,[],[],,CA-7,mitigates,1 +1346,,T1499.004,Application or System Exploitation,[],[],,CA-7,mitigates,1 +1347,,T1528,Steal Application Access Token,[],[],,CA-7,mitigates,1 +1348,,T1530,Data from Cloud Storage Object,[],[],,CA-7,mitigates,1 +1349,,T1537,Transfer Data to Cloud Account,[],[],,CA-7,mitigates,1 +1350,,T1539,Steal Web Session Cookie,[],[],,CA-7,mitigates,1 +1351,,T1542.004,ROMMONkit,[],[],,CA-7,mitigates,1 +1352,,T1542.005,TFTP Boot,[],[],,CA-7,mitigates,1 +1353,,T1543,Create or Modify System Process,[],[],,CA-7,mitigates,1 +1354,,T1543.002,Systemd Service,[],[],,CA-7,mitigates,1 +1355,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CA-7,mitigates,1 +1356,,T1546.004,Unix Shell Configuration Modification,[],[],,CA-7,mitigates,1 +1357,,T1546.013,PowerShell Profile,[],[],,CA-7,mitigates,1 +1358,,T1547.003,Time Providers,[],[],,CA-7,mitigates,1 +1359,,T1547.011,Plist Modification,[],[],,CA-7,mitigates,1 +1360,,T1547.013,XDG Autostart Entries,[],[],,CA-7,mitigates,1 +1361,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-7,mitigates,1 +1362,,T1548.003,Sudo and Sudo Caching,[],[],,CA-7,mitigates,1 +1363,,T1550.003,Pass the Ticket,[],[],,CA-7,mitigates,1 +1364,,T1552,Unsecured Credentials,[],[],,CA-7,mitigates,1 +1365,,T1552.001,Credentials In Files,[],[],,CA-7,mitigates,1 +1366,,T1552.002,Credentials in Registry,[],[],,CA-7,mitigates,1 +1367,,T1552.004,Private Keys,[],[],,CA-7,mitigates,1 +1368,,T1552.005,Cloud Instance Metadata API,[],[],,CA-7,mitigates,1 +1369,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CA-7,mitigates,1 +1370,,T1555,Credentials from Password Stores,[],[],,CA-7,mitigates,1 +1371,,T1555.001,Keychain,[],[],,CA-7,mitigates,1 +1372,,T1555.002,Securityd Memory,[],[],,CA-7,mitigates,1 +1373,,T1556,Modify Authentication Process,[],[],,CA-7,mitigates,1 
+1374,,T1556.001,Domain Controller Authentication,[],[],,CA-7,mitigates,1 +1375,,T1557,Adversary-in-the-Middle,[],[],,CA-7,mitigates,1 +1376,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CA-7,mitigates,1 +1377,,T1557.002,ARP Cache Poisoning,[],[],,CA-7,mitigates,1 +1378,,T1558,Steal or Forge Kerberos Tickets,[],[],,CA-7,mitigates,1 +1379,,T1558.002,Silver Ticket,[],[],,CA-7,mitigates,1 +1380,,T1558.003,Kerberoasting,[],[],,CA-7,mitigates,1 +1381,,T1558.004,AS-REP Roasting,[],[],,CA-7,mitigates,1 +1382,,T1562,Impair Defenses,[],[],,CA-7,mitigates,1 +1383,,T1562.001,Disable or Modify Tools,[],[],,CA-7,mitigates,1 +1384,,T1562.002,Disable Windows Event Logging,[],[],,CA-7,mitigates,1 +1385,,T1562.004,Disable or Modify System Firewall,[],[],,CA-7,mitigates,1 +1386,,T1562.006,Indicator Blocking,[],[],,CA-7,mitigates,1 +1387,,T1563.001,SSH Hijacking,[],[],,CA-7,mitigates,1 +1388,,T1564.004,NTFS File Attributes,[],[],,CA-7,mitigates,1 +1389,,T1565,Data Manipulation,[],[],,CA-7,mitigates,1 +1390,,T1565.001,Stored Data Manipulation,[],[],,CA-7,mitigates,1 +1391,,T1565.003,Runtime Data Manipulation,[],[],,CA-7,mitigates,1 +1392,,T1566,Phishing,[],[],,CA-7,mitigates,1 +1393,,T1566.001,Spearphishing Attachment,[],[],,CA-7,mitigates,1 +1394,,T1566.002,Spearphishing Link,[],[],,CA-7,mitigates,1 +1395,,T1566.003,Spearphishing via Service,[],[],,CA-7,mitigates,1 +1396,,T1567,Exfiltration Over Web Service,[],[],,CA-7,mitigates,1 +1397,,T1568,Dynamic Resolution,[],[],,CA-7,mitigates,1 +1398,,T1568.002,Domain Generation Algorithms,[],[],,CA-7,mitigates,1 +1399,,T1569,System Services,[],[],,CA-7,mitigates,1 +1400,,T1569.002,Service Execution,[],[],,CA-7,mitigates,1 +1401,,T1570,Lateral Tool Transfer,[],[],,CA-7,mitigates,1 +1402,,T1571,Non-Standard Port,[],[],,CA-7,mitigates,1 +1403,,T1572,Protocol Tunneling,[],[],,CA-7,mitigates,1 +1404,,T1573,Encrypted Channel,[],[],,CA-7,mitigates,1 +1405,,T1573.001,Symmetric Cryptography,[],[],,CA-7,mitigates,1 +1406,,T1573.002,Asymmetric 
Cryptography,[],[],,CA-7,mitigates,1 +1407,,T1574,Hijack Execution Flow,[],[],,CA-7,mitigates,1 +1408,,T1574.004,Dylib Hijacking,[],[],,CA-7,mitigates,1 +1409,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-7,mitigates,1 +1410,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-7,mitigates,1 +1411,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-7,mitigates,1 +1412,,T1598,Phishing for Information,[],[],,CA-7,mitigates,1 +1413,,T1598.001,Spearphishing Service,[],[],,CA-7,mitigates,1 +1414,,T1598.002,Spearphishing Attachment,[],[],,CA-7,mitigates,1 +1415,,T1598.003,Spearphishing Link,[],[],,CA-7,mitigates,1 +1416,,T1599,Network Boundary Bridging,[],[],,CA-7,mitigates,1 +1417,,T1599.001,Network Address Translation Traversal,[],[],,CA-7,mitigates,1 +1418,,T1602,Data from Configuration Repository,[],[],,CA-7,mitigates,1 +1419,,T1602.001,SNMP (MIB Dump),[],[],,CA-7,mitigates,1 +1420,,T1602.002,Network Device Configuration Dump,[],[],,CA-7,mitigates,1 +1421,,T1021.001,Remote Desktop Protocol,[],[],,CA-8,mitigates,1 +1422,,T1021.005,VNC,[],[],,CA-8,mitigates,1 +1423,,T1053,Scheduled Task/Job,[],[],,CA-8,mitigates,1 +1424,,T1053.001,At (Linux),[],[],,CA-8,mitigates,1 +1425,,T1053.002,At (Windows),[],[],,CA-8,mitigates,1 +1426,,T1053.003,Cron,[],[],,CA-8,mitigates,1 +1427,,T1053.005,Scheduled Task,[],[],,CA-8,mitigates,1 +1428,,T1059,Command and Scripting Interpreter,[],[],,CA-8,mitigates,1 +1429,,T1068,Exploitation for Privilege Escalation,[],[],,CA-8,mitigates,1 +1430,,T1078,Valid Accounts,[],[],,CA-8,mitigates,1 +1431,,T1176,Browser Extensions,[],[],,CA-8,mitigates,1 +1432,,T1195.003,Compromise Hardware Supply Chain,[],[],,CA-8,mitigates,1 +1433,,T1204.003,Malicious Image,[],[],,CA-8,mitigates,1 +1434,,T1210,Exploitation of Remote Services,[],[],,CA-8,mitigates,1 +1435,,T1211,Exploitation for Defense Evasion,[],[],,CA-8,mitigates,1 +1436,,T1212,Exploitation for Credential Access,[],[],,CA-8,mitigates,1 +1437,,T1213,Data from 
Information Repositories,[],[],,CA-8,mitigates,1 +1438,,T1213.001,Confluence,[],[],,CA-8,mitigates,1 +1439,,T1213.002,Sharepoint,[],[],,CA-8,mitigates,1 +1440,,T1482,Domain Trust Discovery,[],[],,CA-8,mitigates,1 +1441,,T1484,Domain Policy Modification,[],[],,CA-8,mitigates,1 +1442,,T1495,Firmware Corruption,[],[],,CA-8,mitigates,1 +1443,,T1505,Server Software Component,[],[],,CA-8,mitigates,1 +1444,,T1505.001,SQL Stored Procedures,[],[],,CA-8,mitigates,1 +1445,,T1505.002,Transport Agent,[],[],,CA-8,mitigates,1 +1446,,T1505.004,IIS Components,[],[],,CA-8,mitigates,1 +1447,,T1525,Implant Internal Image,[],[],,CA-8,mitigates,1 +1448,,T1528,Steal Application Access Token,[],[],,CA-8,mitigates,1 +1449,,T1530,Data from Cloud Storage Object,[],[],,CA-8,mitigates,1 +1450,,T1542,Pre-OS Boot,[],[],,CA-8,mitigates,1 +1451,,T1542.001,System Firmware,[],[],,CA-8,mitigates,1 +1452,,T1542.003,Bootkit,[],[],,CA-8,mitigates,1 +1453,,T1542.004,ROMMONkit,[],[],,CA-8,mitigates,1 +1454,,T1542.005,TFTP Boot,[],[],,CA-8,mitigates,1 +1455,,T1543,Create or Modify System Process,[],[],,CA-8,mitigates,1 +1456,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-8,mitigates,1 +1457,,T1548.002,Bypass User Account Control,[],[],,CA-8,mitigates,1 +1458,,T1550.001,Application Access Token,[],[],,CA-8,mitigates,1 +1459,,T1552,Unsecured Credentials,[],[],,CA-8,mitigates,1 +1460,,T1552.001,Credentials In Files,[],[],,CA-8,mitigates,1 +1461,,T1552.002,Credentials in Registry,[],[],,CA-8,mitigates,1 +1462,,T1552.004,Private Keys,[],[],,CA-8,mitigates,1 +1463,,T1552.006,Group Policy Preferences,[],[],,CA-8,mitigates,1 +1464,,T1553,Subvert Trust Controls,[],[],,CA-8,mitigates,1 +1465,,T1553.006,Code Signing Policy Modification,[],[],,CA-8,mitigates,1 +1466,,T1554,Compromise Client Software Binary,[],[],,CA-8,mitigates,1 +1467,,T1558.004,AS-REP Roasting,[],[],,CA-8,mitigates,1 +1468,,T1560,Archive Collected Data,[],[],,CA-8,mitigates,1 +1469,,T1560.001,Archive via Utility,[],[],,CA-8,mitigates,1 
+1470,,T1562,Impair Defenses,[],[],,CA-8,mitigates,1 +1471,,T1563,Remote Service Session Hijacking,[],[],,CA-8,mitigates,1 +1472,,T1574,Hijack Execution Flow,[],[],,CA-8,mitigates,1 +1473,,T1574.001,DLL Search Order Hijacking,[],[],,CA-8,mitigates,1 +1474,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CA-8,mitigates,1 +1475,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-8,mitigates,1 +1476,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-8,mitigates,1 +1477,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-8,mitigates,1 +1478,,T1574.010,Services File Permissions Weakness,[],[],,CA-8,mitigates,1 +1479,,T1578,Modify Cloud Compute Infrastructure,[],[],,CA-8,mitigates,1 +1480,,T1578.001,Create Snapshot,[],[],,CA-8,mitigates,1 +1481,,T1578.002,Create Cloud Instance,[],[],,CA-8,mitigates,1 +1482,,T1578.003,Delete Cloud Instance,[],[],,CA-8,mitigates,1 +1483,,T1601,Modify System Image,[],[],,CA-8,mitigates,1 +1484,,T1601.001,Patch System Image,[],[],,CA-8,mitigates,1 +1485,,T1601.002,Downgrade System Image,[],[],,CA-8,mitigates,1 +1486,,T1612,Build Image on Host,[],[],,CA-8,mitigates,1 +1487,,T1546.008,Accessibility Features,[],[],,CM-10,mitigates,1 +1488,,T1546.013,PowerShell Profile,[],[],,CM-10,mitigates,1 +1489,,T1550.001,Application Access Token,[],[],,CM-10,mitigates,1 +1490,,T1553,Subvert Trust Controls,[],[],,CM-10,mitigates,1 +1491,,T1553.004,Install Root Certificate,[],[],,CM-10,mitigates,1 +1492,,T1559,Inter-Process Communication,[],[],,CM-10,mitigates,1 +1493,,T1559.002,Dynamic Data Exchange,[],[],,CM-10,mitigates,1 +1494,,T1562.006,Indicator Blocking,[],[],,CM-10,mitigates,1 +1495,,T1562.009,Safe Mode Boot,[],[],,CM-10,mitigates,1 +1496,,T1021.005,VNC,[],[],,CM-11,mitigates,1 +1497,,T1059,Command and Scripting Interpreter,[],[],,CM-11,mitigates,1 +1498,,T1059.006,Python,[],[],,CM-11,mitigates,1 +1499,,T1176,Browser Extensions,[],[],,CM-11,mitigates,1 +1500,,T1195,Supply Chain 
Compromise,[],[],,CM-11,mitigates,1 +1501,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-11,mitigates,1 +1502,,T1195.002,Compromise Software Supply Chain,[],[],,CM-11,mitigates,1 +1503,,T1218,Signed Binary Proxy Execution,[],[],,CM-11,mitigates,1 +1504,,T1218.001,Compiled HTML File,[],[],,CM-11,mitigates,1 +1505,,T1218.002,Control Panel,[],[],,CM-11,mitigates,1 +1506,,T1218.003,CMSTP,[],[],,CM-11,mitigates,1 +1507,,T1218.004,InstallUtil,[],[],,CM-11,mitigates,1 +1508,,T1218.005,Mshta,[],[],,CM-11,mitigates,1 +1509,,T1218.008,Odbcconf,[],[],,CM-11,mitigates,1 +1510,,T1218.009,Regsvcs/Regasm,[],[],,CM-11,mitigates,1 +1511,,T1218.012,Verclsid,[],[],,CM-11,mitigates,1 +1512,,T1218.013,Mavinject,[],[],,CM-11,mitigates,1 +1513,,T1218.014,MMC,[],[],,CM-11,mitigates,1 +1514,,T1505,Server Software Component,[],[],,CM-11,mitigates,1 +1515,,T1505.001,SQL Stored Procedures,[],[],,CM-11,mitigates,1 +1516,,T1505.002,Transport Agent,[],[],,CM-11,mitigates,1 +1517,,T1505.004,IIS Components,[],[],,CM-11,mitigates,1 +1518,,T1543,Create or Modify System Process,[],[],,CM-11,mitigates,1 +1519,,T1543.001,Launch Agent,[],[],,CM-11,mitigates,1 +1520,,T1543.002,Systemd Service,[],[],,CM-11,mitigates,1 +1521,,T1543.003,Windows Service,[],[],,CM-11,mitigates,1 +1522,,T1543.004,Launch Daemon,[],[],,CM-11,mitigates,1 +1523,,T1547.013,XDG Autostart Entries,[],[],,CM-11,mitigates,1 +1524,,T1550.001,Application Access Token,[],[],,CM-11,mitigates,1 +1525,,T1564.009,Resource Forking,[],[],,CM-11,mitigates,1 +1526,,T1569,System Services,[],[],,CM-11,mitigates,1 +1527,,T1569.001,Launchctl,[],[],,CM-11,mitigates,1 +1528,,T1005,Data from Local System,[],[],,CM-12,mitigates,1 +1529,,T1025,Data from Removable Media,[],[],,CM-12,mitigates,1 +1530,,T1001,Data Obfuscation,[],[],,CM-2,mitigates,1 +1531,,T1001.001,Junk Data,[],[],,CM-2,mitigates,1 +1532,,T1001.002,Steganography,[],[],,CM-2,mitigates,1 +1533,,T1001.003,Protocol Impersonation,[],[],,CM-2,mitigates,1 
+1534,,T1003,OS Credential Dumping,[],[],,CM-2,mitigates,1 +1535,,T1003.001,LSASS Memory,[],[],,CM-2,mitigates,1 +1536,,T1003.002,Security Account Manager,[],[],,CM-2,mitigates,1 +1537,,T1003.003,NTDS,[],[],,CM-2,mitigates,1 +1538,,T1003.004,LSA Secrets,[],[],,CM-2,mitigates,1 +1539,,T1003.005,Cached Domain Credentials,[],[],,CM-2,mitigates,1 +1540,,T1003.006,DCSync,[],[],,CM-2,mitigates,1 +1541,,T1003.007,Proc Filesystem,[],[],,CM-2,mitigates,1 +1542,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-2,mitigates,1 +1543,,T1008,Fallback Channels,[],[],,CM-2,mitigates,1 +1544,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-2,mitigates,1 +1545,,T1020.001,Traffic Duplication,[],[],,CM-2,mitigates,1 +1546,,T1021.001,Remote Desktop Protocol,[],[],,CM-2,mitigates,1 +1547,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-2,mitigates,1 +1548,,T1021.003,Distributed Component Object Model,[],[],,CM-2,mitigates,1 +1549,,T1021.004,SSH,[],[],,CM-2,mitigates,1 +1550,,T1021.005,VNC,[],[],,CM-2,mitigates,1 +1551,,T1021.006,Windows Remote Management,[],[],,CM-2,mitigates,1 +1552,,T1027,Obfuscated Files or Information,[],[],,CM-2,mitigates,1 +1553,,T1029,Scheduled Transfer,[],[],,CM-2,mitigates,1 +1554,,T1030,Data Transfer Size Limits,[],[],,CM-2,mitigates,1 +1555,,T1036,Masquerading,[],[],,CM-2,mitigates,1 +1556,,T1036.001,Invalid Code Signature,[],[],,CM-2,mitigates,1 +1557,,T1036.003,Rename System Utilities,[],[],,CM-2,mitigates,1 +1558,,T1036.005,Match Legitimate Name or Location,[],[],,CM-2,mitigates,1 +1559,,T1036.007,Double File Extension,[],[],,CM-2,mitigates,1 +1560,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-2,mitigates,1 +1561,,T1037.002,Logon Script (Mac),[],[],,CM-2,mitigates,1 +1562,,T1037.003,Network Logon Script,[],[],,CM-2,mitigates,1 +1563,,T1037.004,RC Scripts,[],[],,CM-2,mitigates,1 +1564,,T1037.005,Startup Items,[],[],,CM-2,mitigates,1 +1565,,T1046,Network Service Scanning,[],[],,CM-2,mitigates,1 +1566,,T1047,Windows Management 
Instrumentation,[],[],,CM-2,mitigates,1 +1567,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-2,mitigates,1 +1568,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,1 +1569,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,1 +1570,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-2,mitigates,1 +1571,,T1052,Exfiltration Over Physical Medium,[],[],,CM-2,mitigates,1 +1572,,T1052.001,Exfiltration over USB,[],[],,CM-2,mitigates,1 +1573,,T1053,Scheduled Task/Job,[],[],,CM-2,mitigates,1 +1574,,T1053.002,At (Windows),[],[],,CM-2,mitigates,1 +1575,,T1053.005,Scheduled Task,[],[],,CM-2,mitigates,1 +1576,,T1059,Command and Scripting Interpreter,[],[],,CM-2,mitigates,1 +1577,,T1059.001,PowerShell,[],[],,CM-2,mitigates,1 +1578,,T1059.002,AppleScript,[],[],,CM-2,mitigates,1 +1579,,T1059.003,Windows Command Shell,[],[],,CM-2,mitigates,1 +1580,,T1059.004,Unix Shell,[],[],,CM-2,mitigates,1 +1581,,T1059.005,Visual Basic,[],[],,CM-2,mitigates,1 +1582,,T1059.006,Python,[],[],,CM-2,mitigates,1 +1583,,T1059.007,JavaScript,[],[],,CM-2,mitigates,1 +1584,,T1059.008,Network Device CLI,[],[],,CM-2,mitigates,1 +1585,,T1068,Exploitation for Privilege Escalation,[],[],,CM-2,mitigates,1 +1586,,T1070,Indicator Removal on Host,[],[],,CM-2,mitigates,1 +1587,,T1070.001,Clear Windows Event Logs,[],[],,CM-2,mitigates,1 +1588,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-2,mitigates,1 +1589,,T1070.003,Clear Command History,[],[],,CM-2,mitigates,1 +1590,,T1071,Application Layer Protocol,[],[],,CM-2,mitigates,1 +1591,,T1071.001,Web Protocols,[],[],,CM-2,mitigates,1 +1592,,T1071.002,File Transfer Protocols,[],[],,CM-2,mitigates,1 +1593,,T1071.003,Mail Protocols,[],[],,CM-2,mitigates,1 +1594,,T1071.004,DNS,[],[],,CM-2,mitigates,1 +1595,,T1072,Software Deployment Tools,[],[],,CM-2,mitigates,1 +1596,,T1080,Taint Shared Content,[],[],,CM-2,mitigates,1 +1597,,T1090,Proxy,[],[],,CM-2,mitigates,1 
+1598,,T1090.001,Internal Proxy,[],[],,CM-2,mitigates,1 +1599,,T1090.002,External Proxy,[],[],,CM-2,mitigates,1 +1600,,T1091,Replication Through Removable Media,[],[],,CM-2,mitigates,1 +1601,,T1092,Communication Through Removable Media,[],[],,CM-2,mitigates,1 +1602,,T1095,Non-Application Layer Protocol,[],[],,CM-2,mitigates,1 +1603,,T1098.004,SSH Authorized Keys,[],[],,CM-2,mitigates,1 +1604,,T1102,Web Service,[],[],,CM-2,mitigates,1 +1605,,T1102.001,Dead Drop Resolver,[],[],,CM-2,mitigates,1 +1606,,T1102.002,Bidirectional Communication,[],[],,CM-2,mitigates,1 +1607,,T1102.003,One-Way Communication,[],[],,CM-2,mitigates,1 +1608,,T1104,Multi-Stage Channels,[],[],,CM-2,mitigates,1 +1609,,T1105,Ingress Tool Transfer,[],[],,CM-2,mitigates,1 +1610,,T1106,Native API,[],[],,CM-2,mitigates,1 +1611,,T1110,Brute Force,[],[],,CM-2,mitigates,1 +1612,,T1110.001,Password Guessing,[],[],,CM-2,mitigates,1 +1613,,T1110.002,Password Cracking,[],[],,CM-2,mitigates,1 +1614,,T1110.003,Password Spraying,[],[],,CM-2,mitigates,1 +1615,,T1110.004,Credential Stuffing,[],[],,CM-2,mitigates,1 +1616,,T1111,Two-Factor Authentication Interception,[],[],,CM-2,mitigates,1 +1617,,T1114,Email Collection,[],[],,CM-2,mitigates,1 +1618,,T1114.002,Remote Email Collection,[],[],,CM-2,mitigates,1 +1619,,T1119,Automated Collection,[],[],,CM-2,mitigates,1 +1620,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-2,mitigates,1 +1621,,T1127.001,MSBuild,[],[],,CM-2,mitigates,1 +1622,,T1129,Shared Modules,[],[],,CM-2,mitigates,1 +1623,,T1132,Data Encoding,[],[],,CM-2,mitigates,1 +1624,,T1132.001,Standard Encoding,[],[],,CM-2,mitigates,1 +1625,,T1132.002,Non-Standard Encoding,[],[],,CM-2,mitigates,1 +1626,,T1133,External Remote Services,[],[],,CM-2,mitigates,1 +1627,,T1134.005,SID-History Injection,[],[],,CM-2,mitigates,1 +1628,,T1137,Office Application Startup,[],[],,CM-2,mitigates,1 +1629,,T1137.001,Office Template Macros,[],[],,CM-2,mitigates,1 +1630,,T1137.002,Office Test,[],[],,CM-2,mitigates,1 
+1631,,T1137.003,Outlook Forms,[],[],,CM-2,mitigates,1 +1632,,T1137.004,Outlook Home Page,[],[],,CM-2,mitigates,1 +1633,,T1137.005,Outlook Rules,[],[],,CM-2,mitigates,1 +1634,,T1137.006,Add-ins,[],[],,CM-2,mitigates,1 +1635,,T1176,Browser Extensions,[],[],,CM-2,mitigates,1 +1636,,T1185,Browser Session Hijacking,[],[],,CM-2,mitigates,1 +1637,,T1187,Forced Authentication,[],[],,CM-2,mitigates,1 +1638,,T1189,Drive-by Compromise,[],[],,CM-2,mitigates,1 +1639,,T1201,Password Policy Discovery,[],[],,CM-2,mitigates,1 +1640,,T1204,User Execution,[],[],,CM-2,mitigates,1 +1641,,T1204.001,Malicious Link,[],[],,CM-2,mitigates,1 +1642,,T1204.002,Malicious File,[],[],,CM-2,mitigates,1 +1643,,T1204.003,Malicious Image,[],[],,CM-2,mitigates,1 +1644,,T1205,Traffic Signaling,[],[],,CM-2,mitigates,1 +1645,,T1210,Exploitation of Remote Services,[],[],,CM-2,mitigates,1 +1646,,T1211,Exploitation for Defense Evasion,[],[],,CM-2,mitigates,1 +1647,,T1212,Exploitation for Credential Access,[],[],,CM-2,mitigates,1 +1648,,T1213,Data from Information Repositories,[],[],,CM-2,mitigates,1 +1649,,T1213.001,Confluence,[],[],,CM-2,mitigates,1 +1650,,T1213.002,Sharepoint,[],[],,CM-2,mitigates,1 +1651,,T1216,Signed Script Proxy Execution,[],[],,CM-2,mitigates,1 +1652,,T1216.001,PubPrn,[],[],,CM-2,mitigates,1 +1653,,T1218,Signed Binary Proxy Execution,[],[],,CM-2,mitigates,1 +1654,,T1218.001,Compiled HTML File,[],[],,CM-2,mitigates,1 +1655,,T1218.002,Control Panel,[],[],,CM-2,mitigates,1 +1656,,T1218.003,CMSTP,[],[],,CM-2,mitigates,1 +1657,,T1218.004,InstallUtil,[],[],,CM-2,mitigates,1 +1658,,T1218.005,Mshta,[],[],,CM-2,mitigates,1 +1659,,T1218.007,Msiexec,[],[],,CM-2,mitigates,1 +1660,,T1218.008,Odbcconf,[],[],,CM-2,mitigates,1 +1661,,T1218.009,Regsvcs/Regasm,[],[],,CM-2,mitigates,1 +1662,,T1218.012,Verclsid,[],[],,CM-2,mitigates,1 +1663,,T1218.013,Mavinject,[],[],,CM-2,mitigates,1 +1664,,T1218.014,MMC,[],[],,CM-2,mitigates,1 +1665,,T1219,Remote Access Software,[],[],,CM-2,mitigates,1 
+1666,,T1220,XSL Script Processing,[],[],,CM-2,mitigates,1 +1667,,T1221,Template Injection,[],[],,CM-2,mitigates,1 +1668,,T1484,Domain Policy Modification,[],[],,CM-2,mitigates,1 +1669,,T1485,Data Destruction,[],[],,CM-2,mitigates,1 +1670,,T1486,Data Encrypted for Impact,[],[],,CM-2,mitigates,1 +1671,,T1490,Inhibit System Recovery,[],[],,CM-2,mitigates,1 +1672,,T1491,Defacement,[],[],,CM-2,mitigates,1 +1673,,T1491.001,Internal Defacement,[],[],,CM-2,mitigates,1 +1674,,T1491.002,External Defacement,[],[],,CM-2,mitigates,1 +1675,,T1505,Server Software Component,[],[],,CM-2,mitigates,1 +1676,,T1505.001,SQL Stored Procedures,[],[],,CM-2,mitigates,1 +1677,,T1505.002,Transport Agent,[],[],,CM-2,mitigates,1 +1678,,T1505.003,Web Shell,[],[],,CM-2,mitigates,1 +1679,,T1505.004,IIS Components,[],[],,CM-2,mitigates,1 +1680,,T1525,Implant Internal Image,[],[],,CM-2,mitigates,1 +1681,,T1528,Steal Application Access Token,[],[],,CM-2,mitigates,1 +1682,,T1530,Data from Cloud Storage Object,[],[],,CM-2,mitigates,1 +1683,,T1539,Steal Web Session Cookie,[],[],,CM-2,mitigates,1 +1684,,T1542.004,ROMMONkit,[],[],,CM-2,mitigates,1 +1685,,T1542.005,TFTP Boot,[],[],,CM-2,mitigates,1 +1686,,T1543,Create or Modify System Process,[],[],,CM-2,mitigates,1 +1687,,T1543.001,Launch Agent,[],[],,CM-2,mitigates,1 +1688,,T1543.002,Systemd Service,[],[],,CM-2,mitigates,1 +1689,,T1543.003,Windows Service,[],[],,CM-2,mitigates,1 +1690,,T1543.004,Launch Daemon,[],[],,CM-2,mitigates,1 +1691,,T1546,Event Triggered Execution,[],[],,CM-2,mitigates,1 +1692,,T1546.002,Screensaver,[],[],,CM-2,mitigates,1 +1693,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-2,mitigates,1 +1694,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-2,mitigates,1 +1695,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-2,mitigates,1 +1696,,T1546.010,AppInit DLLs,[],[],,CM-2,mitigates,1 +1697,,T1546.013,PowerShell Profile,[],[],,CM-2,mitigates,1 +1698,,T1546.014,Emond,[],[],,CM-2,mitigates,1 
+1699,,T1547.003,Time Providers,[],[],,CM-2,mitigates,1 +1700,,T1547.007,Re-opened Applications,[],[],,CM-2,mitigates,1 +1701,,T1547.008,LSASS Driver,[],[],,CM-2,mitigates,1 +1702,,T1547.011,Plist Modification,[],[],,CM-2,mitigates,1 +1703,,T1547.013,XDG Autostart Entries,[],[],,CM-2,mitigates,1 +1704,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-2,mitigates,1 +1705,,T1548.002,Bypass User Account Control,[],[],,CM-2,mitigates,1 +1706,,T1548.003,Sudo and Sudo Caching,[],[],,CM-2,mitigates,1 +1707,,T1548.004,Elevated Execution with Prompt,[],[],,CM-2,mitigates,1 +1708,,T1550.001,Application Access Token,[],[],,CM-2,mitigates,1 +1709,,T1550.003,Pass the Ticket,[],[],,CM-2,mitigates,1 +1710,,T1552,Unsecured Credentials,[],[],,CM-2,mitigates,1 +1711,,T1552.001,Credentials In Files,[],[],,CM-2,mitigates,1 +1712,,T1552.004,Private Keys,[],[],,CM-2,mitigates,1 +1713,,T1552.006,Group Policy Preferences,[],[],,CM-2,mitigates,1 +1714,,T1553,Subvert Trust Controls,[],[],,CM-2,mitigates,1 +1715,,T1553.001,Gatekeeper Bypass,[],[],,CM-2,mitigates,1 +1716,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-2,mitigates,1 +1717,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-2,mitigates,1 +1718,,T1554,Compromise Client Software Binary,[],[],,CM-2,mitigates,1 +1719,,T1555.004,Windows Credential Manager,[],[],,CM-2,mitigates,1 +1720,,T1555.005,Password Managers,[],[],,CM-2,mitigates,1 +1721,,T1556,Modify Authentication Process,[],[],,CM-2,mitigates,1 +1722,,T1556.004,Network Device Authentication,[],[],,CM-2,mitigates,1 +1723,,T1557,Adversary-in-the-Middle,[],[],,CM-2,mitigates,1 +1724,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-2,mitigates,1 +1725,,T1557.002,ARP Cache Poisoning,[],[],,CM-2,mitigates,1 +1726,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-2,mitigates,1 +1727,,T1558.001,Golden Ticket,[],[],,CM-2,mitigates,1 +1728,,T1558.002,Silver Ticket,[],[],,CM-2,mitigates,1 +1729,,T1558.003,Kerberoasting,[],[],,CM-2,mitigates,1 +1730,,T1558.004,AS-REP 
Roasting,[],[],,CM-2,mitigates,1 +1731,,T1559,Inter-Process Communication,[],[],,CM-2,mitigates,1 +1732,,T1559.001,Component Object Model,[],[],,CM-2,mitigates,1 +1733,,T1559.002,Dynamic Data Exchange,[],[],,CM-2,mitigates,1 +1734,,T1561,Disk Wipe,[],[],,CM-2,mitigates,1 +1735,,T1561.001,Disk Content Wipe,[],[],,CM-2,mitigates,1 +1736,,T1561.002,Disk Structure Wipe,[],[],,CM-2,mitigates,1 +1737,,T1562,Impair Defenses,[],[],,CM-2,mitigates,1 +1738,,T1562.001,Disable or Modify Tools,[],[],,CM-2,mitigates,1 +1739,,T1562.002,Disable Windows Event Logging,[],[],,CM-2,mitigates,1 +1740,,T1562.003,Impair Command History Logging,[],[],,CM-2,mitigates,1 +1741,,T1562.004,Disable or Modify System Firewall,[],[],,CM-2,mitigates,1 +1742,,T1562.006,Indicator Blocking,[],[],,CM-2,mitigates,1 +1743,,T1562.010,Downgrade Attack,[],[],,CM-2,mitigates,1 +1744,,T1563,Remote Service Session Hijacking,[],[],,CM-2,mitigates,1 +1745,,T1563.001,SSH Hijacking,[],[],,CM-2,mitigates,1 +1746,,T1563.002,RDP Hijacking,[],[],,CM-2,mitigates,1 +1747,,T1564.006,Run Virtual Instance,[],[],,CM-2,mitigates,1 +1748,,T1564.007,VBA Stomping,[],[],,CM-2,mitigates,1 +1749,,T1564.009,Resource Forking,[],[],,CM-2,mitigates,1 +1750,,T1565,Data Manipulation,[],[],,CM-2,mitigates,1 +1751,,T1565.001,Stored Data Manipulation,[],[],,CM-2,mitigates,1 +1752,,T1565.002,Transmitted Data Manipulation,[],[],,CM-2,mitigates,1 +1753,,T1566,Phishing,[],[],,CM-2,mitigates,1 +1754,,T1566.001,Spearphishing Attachment,[],[],,CM-2,mitigates,1 +1755,,T1566.002,Spearphishing Link,[],[],,CM-2,mitigates,1 +1756,,T1569,System Services,[],[],,CM-2,mitigates,1 +1757,,T1569.002,Service Execution,[],[],,CM-2,mitigates,1 +1758,,T1570,Lateral Tool Transfer,[],[],,CM-2,mitigates,1 +1759,,T1571,Non-Standard Port,[],[],,CM-2,mitigates,1 +1760,,T1572,Protocol Tunneling,[],[],,CM-2,mitigates,1 +1761,,T1573,Encrypted Channel,[],[],,CM-2,mitigates,1 +1762,,T1573.001,Symmetric Cryptography,[],[],,CM-2,mitigates,1 +1763,,T1573.002,Asymmetric 
Cryptography,[],[],,CM-2,mitigates,1 +1764,,T1574,Hijack Execution Flow,[],[],,CM-2,mitigates,1 +1765,,T1574.001,DLL Search Order Hijacking,[],[],,CM-2,mitigates,1 +1766,,T1574.004,Dylib Hijacking,[],[],,CM-2,mitigates,1 +1767,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-2,mitigates,1 +1768,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-2,mitigates,1 +1769,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-2,mitigates,1 +1770,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-2,mitigates,1 +1771,,T1574.010,Services File Permissions Weakness,[],[],,CM-2,mitigates,1 +1772,,T1598,Phishing for Information,[],[],,CM-2,mitigates,1 +1773,,T1598.002,Spearphishing Attachment,[],[],,CM-2,mitigates,1 +1774,,T1598.003,Spearphishing Link,[],[],,CM-2,mitigates,1 +1775,,T1599,Network Boundary Bridging,[],[],,CM-2,mitigates,1 +1776,,T1599.001,Network Address Translation Traversal,[],[],,CM-2,mitigates,1 +1777,,T1601,Modify System Image,[],[],,CM-2,mitigates,1 +1778,,T1601.001,Patch System Image,[],[],,CM-2,mitigates,1 +1779,,T1601.002,Downgrade System Image,[],[],,CM-2,mitigates,1 +1780,,T1602,Data from Configuration Repository,[],[],,CM-2,mitigates,1 +1781,,T1602.001,SNMP (MIB Dump),[],[],,CM-2,mitigates,1 +1782,,T1602.002,Network Device Configuration Dump,[],[],,CM-2,mitigates,1 +1783,,T1021.005,VNC,[],[],,CM-3,mitigates,1 +1784,,T1059.006,Python,[],[],,CM-3,mitigates,1 +1785,,T1176,Browser Extensions,[],[],,CM-3,mitigates,1 +1786,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-3,mitigates,1 +1787,,T1213,Data from Information Repositories,[],[],,CM-3,mitigates,1 +1788,,T1213.001,Confluence,[],[],,CM-3,mitigates,1 +1789,,T1213.002,Sharepoint,[],[],,CM-3,mitigates,1 +1790,,T1495,Firmware Corruption,[],[],,CM-3,mitigates,1 +1791,,T1542,Pre-OS Boot,[],[],,CM-3,mitigates,1 +1792,,T1542.001,System Firmware,[],[],,CM-3,mitigates,1 +1793,,T1542.003,Bootkit,[],[],,CM-3,mitigates,1 
+1794,,T1542.004,ROMMONkit,[],[],,CM-3,mitigates,1 +1795,,T1542.005,TFTP Boot,[],[],,CM-3,mitigates,1 +1796,,T1543,Create or Modify System Process,[],[],,CM-3,mitigates,1 +1797,,T1543.002,Systemd Service,[],[],,CM-3,mitigates,1 +1798,,T1547.007,Re-opened Applications,[],[],,CM-3,mitigates,1 +1799,,T1547.011,Plist Modification,[],[],,CM-3,mitigates,1 +1800,,T1547.013,XDG Autostart Entries,[],[],,CM-3,mitigates,1 +1801,,T1553,Subvert Trust Controls,[],[],,CM-3,mitigates,1 +1802,,T1553.006,Code Signing Policy Modification,[],[],,CM-3,mitigates,1 +1803,,T1564.008,Email Hiding Rules,[],[],,CM-3,mitigates,1 +1804,,T1601,Modify System Image,[],[],,CM-3,mitigates,1 +1805,,T1601.001,Patch System Image,[],[],,CM-3,mitigates,1 +1806,,T1601.002,Downgrade System Image,[],[],,CM-3,mitigates,1 +1807,,T1003,OS Credential Dumping,[],[],,CM-5,mitigates,1 +1808,,T1003.001,LSASS Memory,[],[],,CM-5,mitigates,1 +1809,,T1003.002,Security Account Manager,[],[],,CM-5,mitigates,1 +1810,,T1003.003,NTDS,[],[],,CM-5,mitigates,1 +1811,,T1003.004,LSA Secrets,[],[],,CM-5,mitigates,1 +1812,,T1003.005,Cached Domain Credentials,[],[],,CM-5,mitigates,1 +1813,,T1003.006,DCSync,[],[],,CM-5,mitigates,1 +1814,,T1003.007,Proc Filesystem,[],[],,CM-5,mitigates,1 +1815,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-5,mitigates,1 +1816,,T1021,Remote Services,[],[],,CM-5,mitigates,1 +1817,,T1021.001,Remote Desktop Protocol,[],[],,CM-5,mitigates,1 +1818,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-5,mitigates,1 +1819,,T1021.003,Distributed Component Object Model,[],[],,CM-5,mitigates,1 +1820,,T1021.004,SSH,[],[],,CM-5,mitigates,1 +1821,,T1021.005,VNC,[],[],,CM-5,mitigates,1 +1822,,T1021.006,Windows Remote Management,[],[],,CM-5,mitigates,1 +1823,,T1047,Windows Management Instrumentation,[],[],,CM-5,mitigates,1 +1824,,T1053,Scheduled Task/Job,[],[],,CM-5,mitigates,1 +1825,,T1053.001,At (Linux),[],[],,CM-5,mitigates,1 +1826,,T1053.002,At (Windows),[],[],,CM-5,mitigates,1 
+1827,,T1053.003,Cron,[],[],,CM-5,mitigates,1 +1828,,T1053.005,Scheduled Task,[],[],,CM-5,mitigates,1 +1829,,T1053.006,Systemd Timers,[],[],,CM-5,mitigates,1 +1830,,T1053.007,Container Orchestration Job,[],[],,CM-5,mitigates,1 +1831,,T1055,Process Injection,[],[],,CM-5,mitigates,1 +1832,,T1055.008,Ptrace System Calls,[],[],,CM-5,mitigates,1 +1833,,T1056.003,Web Portal Capture,[],[],,CM-5,mitigates,1 +1834,,T1059,Command and Scripting Interpreter,[],[],,CM-5,mitigates,1 +1835,,T1059.001,PowerShell,[],[],,CM-5,mitigates,1 +1836,,T1059.006,Python,[],[],,CM-5,mitigates,1 +1837,,T1059.008,Network Device CLI,[],[],,CM-5,mitigates,1 +1838,,T1072,Software Deployment Tools,[],[],,CM-5,mitigates,1 +1839,,T1078,Valid Accounts,[],[],,CM-5,mitigates,1 +1840,,T1078.002,Domain Accounts,[],[],,CM-5,mitigates,1 +1841,,T1078.003,Local Accounts,[],[],,CM-5,mitigates,1 +1842,,T1078.004,Cloud Accounts,[],[],,CM-5,mitigates,1 +1843,,T1098,Account Manipulation,[],[],,CM-5,mitigates,1 +1844,,T1098.001,Additional Cloud Credentials,[],[],,CM-5,mitigates,1 +1845,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-5,mitigates,1 +1846,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-5,mitigates,1 +1847,,T1134,Access Token Manipulation,[],[],,CM-5,mitigates,1 +1848,,T1134.001,Token Impersonation/Theft,[],[],,CM-5,mitigates,1 +1849,,T1134.002,Create Process with Token,[],[],,CM-5,mitigates,1 +1850,,T1134.003,Make and Impersonate Token,[],[],,CM-5,mitigates,1 +1851,,T1136,Create Account,[],[],,CM-5,mitigates,1 +1852,,T1136.001,Local Account,[],[],,CM-5,mitigates,1 +1853,,T1136.002,Domain Account,[],[],,CM-5,mitigates,1 +1854,,T1136.003,Cloud Account,[],[],,CM-5,mitigates,1 +1855,,T1137.002,Office Test,[],[],,CM-5,mitigates,1 +1856,,T1176,Browser Extensions,[],[],,CM-5,mitigates,1 +1857,,T1185,Browser Session Hijacking,[],[],,CM-5,mitigates,1 +1858,,T1190,Exploit Public-Facing Application,[],[],,CM-5,mitigates,1 +1859,,T1195.003,Compromise Hardware Supply 
Chain,[],[],,CM-5,mitigates,1 +1860,,T1197,BITS Jobs,[],[],,CM-5,mitigates,1 +1861,,T1210,Exploitation of Remote Services,[],[],,CM-5,mitigates,1 +1862,,T1213,Data from Information Repositories,[],[],,CM-5,mitigates,1 +1863,,T1213.001,Confluence,[],[],,CM-5,mitigates,1 +1864,,T1213.002,Sharepoint,[],[],,CM-5,mitigates,1 +1865,,T1218,Signed Binary Proxy Execution,[],[],,CM-5,mitigates,1 +1866,,T1218.007,Msiexec,[],[],,CM-5,mitigates,1 +1867,,T1222,File and Directory Permissions Modification,[],[],,CM-5,mitigates,1 +1868,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-5,mitigates,1 +1869,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-5,mitigates,1 +1870,,T1484,Domain Policy Modification,[],[],,CM-5,mitigates,1 +1871,,T1489,Service Stop,[],[],,CM-5,mitigates,1 +1872,,T1495,Firmware Corruption,[],[],,CM-5,mitigates,1 +1873,,T1505,Server Software Component,[],[],,CM-5,mitigates,1 +1874,,T1505.002,Transport Agent,[],[],,CM-5,mitigates,1 +1875,,T1525,Implant Internal Image,[],[],,CM-5,mitigates,1 +1876,,T1528,Steal Application Access Token,[],[],,CM-5,mitigates,1 +1877,,T1530,Data from Cloud Storage Object,[],[],,CM-5,mitigates,1 +1878,,T1537,Transfer Data to Cloud Account,[],[],,CM-5,mitigates,1 +1879,,T1542,Pre-OS Boot,[],[],,CM-5,mitigates,1 +1880,,T1542.001,System Firmware,[],[],,CM-5,mitigates,1 +1881,,T1542.003,Bootkit,[],[],,CM-5,mitigates,1 +1882,,T1542.004,ROMMONkit,[],[],,CM-5,mitigates,1 +1883,,T1542.005,TFTP Boot,[],[],,CM-5,mitigates,1 +1884,,T1543,Create or Modify System Process,[],[],,CM-5,mitigates,1 +1885,,T1543.001,Launch Agent,[],[],,CM-5,mitigates,1 +1886,,T1543.002,Systemd Service,[],[],,CM-5,mitigates,1 +1887,,T1543.003,Windows Service,[],[],,CM-5,mitigates,1 +1888,,T1543.004,Launch Daemon,[],[],,CM-5,mitigates,1 +1889,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-5,mitigates,1 +1890,,T1547.003,Time Providers,[],[],,CM-5,mitigates,1 +1891,,T1547.004,Winlogon Helper 
DLL,[],[],,CM-5,mitigates,1 +1892,,T1547.006,Kernel Modules and Extensions,[],[],,CM-5,mitigates,1 +1893,,T1547.007,Re-opened Applications,[],[],,CM-5,mitigates,1 +1894,,T1547.009,Shortcut Modification,[],[],,CM-5,mitigates,1 +1895,,T1547.011,Plist Modification,[],[],,CM-5,mitigates,1 +1896,,T1547.012,Print Processors,[],[],,CM-5,mitigates,1 +1897,,T1547.013,XDG Autostart Entries,[],[],,CM-5,mitigates,1 +1898,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-5,mitigates,1 +1899,,T1548.002,Bypass User Account Control,[],[],,CM-5,mitigates,1 +1900,,T1548.003,Sudo and Sudo Caching,[],[],,CM-5,mitigates,1 +1901,,T1550,Use Alternate Authentication Material,[],[],,CM-5,mitigates,1 +1902,,T1550.002,Pass the Hash,[],[],,CM-5,mitigates,1 +1903,,T1550.003,Pass the Ticket,[],[],,CM-5,mitigates,1 +1904,,T1552,Unsecured Credentials,[],[],,CM-5,mitigates,1 +1905,,T1552.002,Credentials in Registry,[],[],,CM-5,mitigates,1 +1906,,T1552.007,Container API,[],[],,CM-5,mitigates,1 +1907,,T1553,Subvert Trust Controls,[],[],,CM-5,mitigates,1 +1908,,T1553.006,Code Signing Policy Modification,[],[],,CM-5,mitigates,1 +1909,,T1556,Modify Authentication Process,[],[],,CM-5,mitigates,1 +1910,,T1556.001,Domain Controller Authentication,[],[],,CM-5,mitigates,1 +1911,,T1556.003,Pluggable Authentication Modules,[],[],,CM-5,mitigates,1 +1912,,T1556.004,Network Device Authentication,[],[],,CM-5,mitigates,1 +1913,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-5,mitigates,1 +1914,,T1558.001,Golden Ticket,[],[],,CM-5,mitigates,1 +1915,,T1558.002,Silver Ticket,[],[],,CM-5,mitigates,1 +1916,,T1558.003,Kerberoasting,[],[],,CM-5,mitigates,1 +1917,,T1559,Inter-Process Communication,[],[],,CM-5,mitigates,1 +1918,,T1559.001,Component Object Model,[],[],,CM-5,mitigates,1 +1919,,T1562,Impair Defenses,[],[],,CM-5,mitigates,1 +1920,,T1562.001,Disable or Modify Tools,[],[],,CM-5,mitigates,1 +1921,,T1562.002,Disable Windows Event Logging,[],[],,CM-5,mitigates,1 +1922,,T1562.004,Disable or Modify System 
Firewall,[],[],,CM-5,mitigates,1 +1923,,T1562.006,Indicator Blocking,[],[],,CM-5,mitigates,1 +1924,,T1562.007,Disable or Modify Cloud Firewall,[],[],,CM-5,mitigates,1 +1925,,T1562.008,Disable Cloud Logs,[],[],,CM-5,mitigates,1 +1926,,T1562.009,Safe Mode Boot,[],[],,CM-5,mitigates,1 +1927,,T1563,Remote Service Session Hijacking,[],[],,CM-5,mitigates,1 +1928,,T1563.001,SSH Hijacking,[],[],,CM-5,mitigates,1 +1929,,T1563.002,RDP Hijacking,[],[],,CM-5,mitigates,1 +1930,,T1564.008,Email Hiding Rules,[],[],,CM-5,mitigates,1 +1931,,T1569,System Services,[],[],,CM-5,mitigates,1 +1932,,T1569.001,Launchctl,[],[],,CM-5,mitigates,1 +1933,,T1569.002,Service Execution,[],[],,CM-5,mitigates,1 +1934,,T1574,Hijack Execution Flow,[],[],,CM-5,mitigates,1 +1935,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-5,mitigates,1 +1936,,T1574.010,Services File Permissions Weakness,[],[],,CM-5,mitigates,1 +1937,,T1574.011,Services Registry Permissions Weakness,[],[],,CM-5,mitigates,1 +1938,,T1574.012,COR_PROFILER,[],[],,CM-5,mitigates,1 +1939,,T1578,Modify Cloud Compute Infrastructure,[],[],,CM-5,mitigates,1 +1940,,T1578.001,Create Snapshot,[],[],,CM-5,mitigates,1 +1941,,T1578.002,Create Cloud Instance,[],[],,CM-5,mitigates,1 +1942,,T1578.003,Delete Cloud Instance,[],[],,CM-5,mitigates,1 +1943,,T1599,Network Boundary Bridging,[],[],,CM-5,mitigates,1 +1944,,T1599.001,Network Address Translation Traversal,[],[],,CM-5,mitigates,1 +1945,,T1601,Modify System Image,[],[],,CM-5,mitigates,1 +1946,,T1601.001,Patch System Image,[],[],,CM-5,mitigates,1 +1947,,T1601.002,Downgrade System Image,[],[],,CM-5,mitigates,1 +1948,,T1611,Escape to Host,[],[],,CM-5,mitigates,1 +1949,,T1619,Cloud Storage Object Discovery,[],[],,CM-5,mitigates,1 +1950,,T1001,Data Obfuscation,[],[],,CM-6,mitigates,1 +1951,,T1001.001,Junk Data,[],[],,CM-6,mitigates,1 +1952,,T1001.002,Steganography,[],[],,CM-6,mitigates,1 +1953,,T1001.003,Protocol Impersonation,[],[],,CM-6,mitigates,1 +1954,,T1003,OS Credential 
Dumping,[],[],,CM-6,mitigates,1 +1955,,T1003.001,LSASS Memory,[],[],,CM-6,mitigates,1 +1956,,T1003.002,Security Account Manager,[],[],,CM-6,mitigates,1 +1957,,T1003.003,NTDS,[],[],,CM-6,mitigates,1 +1958,,T1003.004,LSA Secrets,[],[],,CM-6,mitigates,1 +1959,,T1003.005,Cached Domain Credentials,[],[],,CM-6,mitigates,1 +1960,,T1003.006,DCSync,[],[],,CM-6,mitigates,1 +1961,,T1003.007,Proc Filesystem,[],[],,CM-6,mitigates,1 +1962,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-6,mitigates,1 +1963,,T1008,Fallback Channels,[],[],,CM-6,mitigates,1 +1964,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-6,mitigates,1 +1965,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-6,mitigates,1 +1966,,T1020.001,Traffic Duplication,[],[],,CM-6,mitigates,1 +1967,,T1021,Remote Services,[],[],,CM-6,mitigates,1 +1968,,T1021.001,Remote Desktop Protocol,[],[],,CM-6,mitigates,1 +1969,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-6,mitigates,1 +1970,,T1021.003,Distributed Component Object Model,[],[],,CM-6,mitigates,1 +1971,,T1021.004,SSH,[],[],,CM-6,mitigates,1 +1972,,T1021.005,VNC,[],[],,CM-6,mitigates,1 +1973,,T1021.006,Windows Remote Management,[],[],,CM-6,mitigates,1 +1974,,T1027,Obfuscated Files or Information,[],[],,CM-6,mitigates,1 +1975,,T1029,Scheduled Transfer,[],[],,CM-6,mitigates,1 +1976,,T1030,Data Transfer Size Limits,[],[],,CM-6,mitigates,1 +1977,,T1036,Masquerading,[],[],,CM-6,mitigates,1 +1978,,T1036.001,Invalid Code Signature,[],[],,CM-6,mitigates,1 +1979,,T1036.003,Rename System Utilities,[],[],,CM-6,mitigates,1 +1980,,T1036.005,Match Legitimate Name or Location,[],[],,CM-6,mitigates,1 +1981,,T1036.007,Double File Extension,[],[],,CM-6,mitigates,1 +1982,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-6,mitigates,1 +1983,,T1037.002,Logon Script (Mac),[],[],,CM-6,mitigates,1 +1984,,T1037.003,Network Logon Script,[],[],,CM-6,mitigates,1 +1985,,T1037.004,RC Scripts,[],[],,CM-6,mitigates,1 +1986,,T1037.005,Startup Items,[],[],,CM-6,mitigates,1 +1987,,T1046,Network 
Service Scanning,[],[],,CM-6,mitigates,1 +1988,,T1047,Windows Management Instrumentation,[],[],,CM-6,mitigates,1 +1989,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-6,mitigates,1 +1990,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,1 +1991,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,1 +1992,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-6,mitigates,1 +1993,,T1052,Exfiltration Over Physical Medium,[],[],,CM-6,mitigates,1 +1994,,T1052.001,Exfiltration over USB,[],[],,CM-6,mitigates,1 +1995,,T1053,Scheduled Task/Job,[],[],,CM-6,mitigates,1 +1996,,T1053.002,At (Windows),[],[],,CM-6,mitigates,1 +1997,,T1053.005,Scheduled Task,[],[],,CM-6,mitigates,1 +1998,,T1055,Process Injection,[],[],,CM-6,mitigates,1 +1999,,T1055.008,Ptrace System Calls,[],[],,CM-6,mitigates,1 +2000,,T1056.003,Web Portal Capture,[],[],,CM-6,mitigates,1 +2001,,T1059,Command and Scripting Interpreter,[],[],,CM-6,mitigates,1 +2002,,T1059.001,PowerShell,[],[],,CM-6,mitigates,1 +2003,,T1059.002,AppleScript,[],[],,CM-6,mitigates,1 +2004,,T1059.003,Windows Command Shell,[],[],,CM-6,mitigates,1 +2005,,T1059.004,Unix Shell,[],[],,CM-6,mitigates,1 +2006,,T1059.005,Visual Basic,[],[],,CM-6,mitigates,1 +2007,,T1059.006,Python,[],[],,CM-6,mitigates,1 +2008,,T1059.007,JavaScript,[],[],,CM-6,mitigates,1 +2009,,T1059.008,Network Device CLI,[],[],,CM-6,mitigates,1 +2010,,T1068,Exploitation for Privilege Escalation,[],[],,CM-6,mitigates,1 +2011,,T1070,Indicator Removal on Host,[],[],,CM-6,mitigates,1 +2012,,T1070.001,Clear Windows Event Logs,[],[],,CM-6,mitigates,1 +2013,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-6,mitigates,1 +2014,,T1070.003,Clear Command History,[],[],,CM-6,mitigates,1 +2015,,T1071,Application Layer Protocol,[],[],,CM-6,mitigates,1 +2016,,T1071.001,Web Protocols,[],[],,CM-6,mitigates,1 +2017,,T1071.002,File Transfer Protocols,[],[],,CM-6,mitigates,1 
+2018,,T1071.003,Mail Protocols,[],[],,CM-6,mitigates,1 +2019,,T1071.004,DNS,[],[],,CM-6,mitigates,1 +2020,,T1072,Software Deployment Tools,[],[],,CM-6,mitigates,1 +2021,,T1078,Valid Accounts,[],[],,CM-6,mitigates,1 +2022,,T1078.002,Domain Accounts,[],[],,CM-6,mitigates,1 +2023,,T1078.003,Local Accounts,[],[],,CM-6,mitigates,1 +2024,,T1078.004,Cloud Accounts,[],[],,CM-6,mitigates,1 +2025,,T1087,Account Discovery,[],[],,CM-6,mitigates,1 +2026,,T1087.001,Local Account,[],[],,CM-6,mitigates,1 +2027,,T1087.002,Domain Account,[],[],,CM-6,mitigates,1 +2028,,T1090,Proxy,[],[],,CM-6,mitigates,1 +2029,,T1090.001,Internal Proxy,[],[],,CM-6,mitigates,1 +2030,,T1090.002,External Proxy,[],[],,CM-6,mitigates,1 +2031,,T1090.003,Multi-hop Proxy,[],[],,CM-6,mitigates,1 +2032,,T1091,Replication Through Removable Media,[],[],,CM-6,mitigates,1 +2033,,T1092,Communication Through Removable Media,[],[],,CM-6,mitigates,1 +2034,,T1095,Non-Application Layer Protocol,[],[],,CM-6,mitigates,1 +2035,,T1098,Account Manipulation,[],[],,CM-6,mitigates,1 +2036,,T1098.001,Additional Cloud Credentials,[],[],,CM-6,mitigates,1 +2037,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-6,mitigates,1 +2038,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-6,mitigates,1 +2039,,T1098.004,SSH Authorized Keys,[],[],,CM-6,mitigates,1 +2040,,T1102,Web Service,[],[],,CM-6,mitigates,1 +2041,,T1102.001,Dead Drop Resolver,[],[],,CM-6,mitigates,1 +2042,,T1102.002,Bidirectional Communication,[],[],,CM-6,mitigates,1 +2043,,T1102.003,One-Way Communication,[],[],,CM-6,mitigates,1 +2044,,T1104,Multi-Stage Channels,[],[],,CM-6,mitigates,1 +2045,,T1105,Ingress Tool Transfer,[],[],,CM-6,mitigates,1 +2046,,T1106,Native API,[],[],,CM-6,mitigates,1 +2047,,T1110,Brute Force,[],[],,CM-6,mitigates,1 +2048,,T1110.001,Password Guessing,[],[],,CM-6,mitigates,1 +2049,,T1110.002,Password Cracking,[],[],,CM-6,mitigates,1 +2050,,T1110.003,Password Spraying,[],[],,CM-6,mitigates,1 +2051,,T1110.004,Credential 
Stuffing,[],[],,CM-6,mitigates,1 +2052,,T1111,Two-Factor Authentication Interception,[],[],,CM-6,mitigates,1 +2053,,T1114,Email Collection,[],[],,CM-6,mitigates,1 +2054,,T1114.002,Remote Email Collection,[],[],,CM-6,mitigates,1 +2055,,T1114.003,Email Forwarding Rule,[],[],,CM-6,mitigates,1 +2056,,T1119,Automated Collection,[],[],,CM-6,mitigates,1 +2057,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-6,mitigates,1 +2058,,T1127.001,MSBuild,[],[],,CM-6,mitigates,1 +2059,,T1132,Data Encoding,[],[],,CM-6,mitigates,1 +2060,,T1132.001,Standard Encoding,[],[],,CM-6,mitigates,1 +2061,,T1132.002,Non-Standard Encoding,[],[],,CM-6,mitigates,1 +2062,,T1133,External Remote Services,[],[],,CM-6,mitigates,1 +2063,,T1134,Access Token Manipulation,[],[],,CM-6,mitigates,1 +2064,,T1134.001,Token Impersonation/Theft,[],[],,CM-6,mitigates,1 +2065,,T1134.002,Create Process with Token,[],[],,CM-6,mitigates,1 +2066,,T1134.003,Make and Impersonate Token,[],[],,CM-6,mitigates,1 +2067,,T1134.005,SID-History Injection,[],[],,CM-6,mitigates,1 +2068,,T1135,Network Share Discovery,[],[],,CM-6,mitigates,1 +2069,,T1136,Create Account,[],[],,CM-6,mitigates,1 +2070,,T1136.001,Local Account,[],[],,CM-6,mitigates,1 +2071,,T1136.002,Domain Account,[],[],,CM-6,mitigates,1 +2072,,T1136.003,Cloud Account,[],[],,CM-6,mitigates,1 +2073,,T1137,Office Application Startup,[],[],,CM-6,mitigates,1 +2074,,T1137.001,Office Template Macros,[],[],,CM-6,mitigates,1 +2075,,T1137.002,Office Test,[],[],,CM-6,mitigates,1 +2076,,T1137.003,Outlook Forms,[],[],,CM-6,mitigates,1 +2077,,T1137.004,Outlook Home Page,[],[],,CM-6,mitigates,1 +2078,,T1137.005,Outlook Rules,[],[],,CM-6,mitigates,1 +2079,,T1137.006,Add-ins,[],[],,CM-6,mitigates,1 +2080,,T1176,Browser Extensions,[],[],,CM-6,mitigates,1 +2081,,T1187,Forced Authentication,[],[],,CM-6,mitigates,1 +2082,,T1189,Drive-by Compromise,[],[],,CM-6,mitigates,1 +2083,,T1190,Exploit Public-Facing Application,[],[],,CM-6,mitigates,1 +2084,,T1197,BITS 
Jobs,[],[],,CM-6,mitigates,1 +2085,,T1199,Trusted Relationship,[],[],,CM-6,mitigates,1 +2086,,T1201,Password Policy Discovery,[],[],,CM-6,mitigates,1 +2087,,T1204,User Execution,[],[],,CM-6,mitigates,1 +2088,,T1204.001,Malicious Link,[],[],,CM-6,mitigates,1 +2089,,T1204.002,Malicious File,[],[],,CM-6,mitigates,1 +2090,,T1204.003,Malicious Image,[],[],,CM-6,mitigates,1 +2091,,T1205,Traffic Signaling,[],[],,CM-6,mitigates,1 +2092,,T1205.001,Port Knocking,[],[],,CM-6,mitigates,1 +2093,,T1210,Exploitation of Remote Services,[],[],,CM-6,mitigates,1 +2094,,T1211,Exploitation for Defense Evasion,[],[],,CM-6,mitigates,1 +2095,,T1212,Exploitation for Credential Access,[],[],,CM-6,mitigates,1 +2096,,T1213,Data from Information Repositories,[],[],,CM-6,mitigates,1 +2097,,T1213.001,Confluence,[],[],,CM-6,mitigates,1 +2098,,T1213.002,Sharepoint,[],[],,CM-6,mitigates,1 +2099,,T1216,Signed Script Proxy Execution,[],[],,CM-6,mitigates,1 +2100,,T1216.001,PubPrn,[],[],,CM-6,mitigates,1 +2101,,T1218,Signed Binary Proxy Execution,[],[],,CM-6,mitigates,1 +2102,,T1218.001,Compiled HTML File,[],[],,CM-6,mitigates,1 +2103,,T1218.002,Control Panel,[],[],,CM-6,mitigates,1 +2104,,T1218.003,CMSTP,[],[],,CM-6,mitigates,1 +2105,,T1218.004,InstallUtil,[],[],,CM-6,mitigates,1 +2106,,T1218.005,Mshta,[],[],,CM-6,mitigates,1 +2107,,T1218.007,Msiexec,[],[],,CM-6,mitigates,1 +2108,,T1218.008,Odbcconf,[],[],,CM-6,mitigates,1 +2109,,T1218.009,Regsvcs/Regasm,[],[],,CM-6,mitigates,1 +2110,,T1218.012,Verclsid,[],[],,CM-6,mitigates,1 +2111,,T1218.013,Mavinject,[],[],,CM-6,mitigates,1 +2112,,T1218.014,MMC,[],[],,CM-6,mitigates,1 +2113,,T1219,Remote Access Software,[],[],,CM-6,mitigates,1 +2114,,T1220,XSL Script Processing,[],[],,CM-6,mitigates,1 +2115,,T1221,Template Injection,[],[],,CM-6,mitigates,1 +2116,,T1222,File and Directory Permissions Modification,[],[],,CM-6,mitigates,1 +2117,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-6,mitigates,1 +2118,,T1222.002,Linux and Mac File 
and Directory Permissions Modification,[],[],,CM-6,mitigates,1 +2119,,T1482,Domain Trust Discovery,[],[],,CM-6,mitigates,1 +2120,,T1484,Domain Policy Modification,[],[],,CM-6,mitigates,1 +2121,,T1489,Service Stop,[],[],,CM-6,mitigates,1 +2122,,T1490,Inhibit System Recovery,[],[],,CM-6,mitigates,1 +2123,,T1495,Firmware Corruption,[],[],,CM-6,mitigates,1 +2124,,T1498,Network Denial of Service,[],[],,CM-6,mitigates,1 +2125,,T1498.001,Direct Network Flood,[],[],,CM-6,mitigates,1 +2126,,T1498.002,Reflection Amplification,[],[],,CM-6,mitigates,1 +2127,,T1499,Endpoint Denial of Service,[],[],,CM-6,mitigates,1 +2128,,T1499.001,OS Exhaustion Flood,[],[],,CM-6,mitigates,1 +2129,,T1499.002,Service Exhaustion Flood,[],[],,CM-6,mitigates,1 +2130,,T1499.003,Application Exhaustion Flood,[],[],,CM-6,mitigates,1 +2131,,T1499.004,Application or System Exploitation,[],[],,CM-6,mitigates,1 +2132,,T1505,Server Software Component,[],[],,CM-6,mitigates,1 +2133,,T1505.001,SQL Stored Procedures,[],[],,CM-6,mitigates,1 +2134,,T1505.002,Transport Agent,[],[],,CM-6,mitigates,1 +2135,,T1505.003,Web Shell,[],[],,CM-6,mitigates,1 +2136,,T1505.004,IIS Components,[],[],,CM-6,mitigates,1 +2137,,T1525,Implant Internal Image,[],[],,CM-6,mitigates,1 +2138,,T1528,Steal Application Access Token,[],[],,CM-6,mitigates,1 +2139,,T1530,Data from Cloud Storage Object,[],[],,CM-6,mitigates,1 +2140,,T1537,Transfer Data to Cloud Account,[],[],,CM-6,mitigates,1 +2141,,T1539,Steal Web Session Cookie,[],[],,CM-6,mitigates,1 +2142,,T1542,Pre-OS Boot,[],[],,CM-6,mitigates,1 +2143,,T1542.001,System Firmware,[],[],,CM-6,mitigates,1 +2144,,T1542.003,Bootkit,[],[],,CM-6,mitigates,1 +2145,,T1542.004,ROMMONkit,[],[],,CM-6,mitigates,1 +2146,,T1542.005,TFTP Boot,[],[],,CM-6,mitigates,1 +2147,,T1543,Create or Modify System Process,[],[],,CM-6,mitigates,1 +2148,,T1543.002,Systemd Service,[],[],,CM-6,mitigates,1 +2149,,T1546,Event Triggered Execution,[],[],,CM-6,mitigates,1 +2150,,T1546.002,Screensaver,[],[],,CM-6,mitigates,1 
+2151,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-6,mitigates,1 +2152,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-6,mitigates,1 +2153,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-6,mitigates,1 +2154,,T1546.008,Accessibility Features,[],[],,CM-6,mitigates,1 +2155,,T1546.013,PowerShell Profile,[],[],,CM-6,mitigates,1 +2156,,T1546.014,Emond,[],[],,CM-6,mitigates,1 +2157,,T1547.002,Authentication Package,[],[],,CM-6,mitigates,1 +2158,,T1547.003,Time Providers,[],[],,CM-6,mitigates,1 +2159,,T1547.005,Security Support Provider,[],[],,CM-6,mitigates,1 +2160,,T1547.006,Kernel Modules and Extensions,[],[],,CM-6,mitigates,1 +2161,,T1547.007,Re-opened Applications,[],[],,CM-6,mitigates,1 +2162,,T1547.008,LSASS Driver,[],[],,CM-6,mitigates,1 +2163,,T1547.011,Plist Modification,[],[],,CM-6,mitigates,1 +2164,,T1547.013,XDG Autostart Entries,[],[],,CM-6,mitigates,1 +2165,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-6,mitigates,1 +2166,,T1548.001,Setuid and Setgid,[],[],,CM-6,mitigates,1 +2167,,T1548.002,Bypass User Account Control,[],[],,CM-6,mitigates,1 +2168,,T1548.003,Sudo and Sudo Caching,[],[],,CM-6,mitigates,1 +2169,,T1548.004,Elevated Execution with Prompt,[],[],,CM-6,mitigates,1 +2170,,T1550,Use Alternate Authentication Material,[],[],,CM-6,mitigates,1 +2171,,T1550.001,Application Access Token,[],[],,CM-6,mitigates,1 +2172,,T1550.002,Pass the Hash,[],[],,CM-6,mitigates,1 +2173,,T1550.003,Pass the Ticket,[],[],,CM-6,mitigates,1 +2174,,T1552,Unsecured Credentials,[],[],,CM-6,mitigates,1 +2175,,T1552.001,Credentials In Files,[],[],,CM-6,mitigates,1 +2176,,T1552.002,Credentials in Registry,[],[],,CM-6,mitigates,1 +2177,,T1552.003,Bash History,[],[],,CM-6,mitigates,1 +2178,,T1552.004,Private Keys,[],[],,CM-6,mitigates,1 +2179,,T1552.005,Cloud Instance Metadata API,[],[],,CM-6,mitigates,1 +2180,,T1552.006,Group Policy Preferences,[],[],,CM-6,mitigates,1 +2181,,T1552.007,Container API,[],[],,CM-6,mitigates,1 +2182,,T1553,Subvert 
Trust Controls,[],[],,CM-6,mitigates,1 +2183,,T1553.001,Gatekeeper Bypass,[],[],,CM-6,mitigates,1 +2184,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-6,mitigates,1 +2185,,T1553.004,Install Root Certificate,[],[],,CM-6,mitigates,1 +2186,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-6,mitigates,1 +2187,,T1554,Compromise Client Software Binary,[],[],,CM-6,mitigates,1 +2188,,T1555.004,Windows Credential Manager,[],[],,CM-6,mitigates,1 +2189,,T1555.005,Password Managers,[],[],,CM-6,mitigates,1 +2190,,T1556,Modify Authentication Process,[],[],,CM-6,mitigates,1 +2191,,T1556.001,Domain Controller Authentication,[],[],,CM-6,mitigates,1 +2192,,T1556.002,Password Filter DLL,[],[],,CM-6,mitigates,1 +2193,,T1556.003,Pluggable Authentication Modules,[],[],,CM-6,mitigates,1 +2194,,T1556.004,Network Device Authentication,[],[],,CM-6,mitigates,1 +2195,,T1557,Adversary-in-the-Middle,[],[],,CM-6,mitigates,1 +2196,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-6,mitigates,1 +2197,,T1557.002,ARP Cache Poisoning,[],[],,CM-6,mitigates,1 +2198,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-6,mitigates,1 +2199,,T1558.001,Golden Ticket,[],[],,CM-6,mitigates,1 +2200,,T1558.002,Silver Ticket,[],[],,CM-6,mitigates,1 +2201,,T1558.003,Kerberoasting,[],[],,CM-6,mitigates,1 +2202,,T1558.004,AS-REP Roasting,[],[],,CM-6,mitigates,1 +2203,,T1559,Inter-Process Communication,[],[],,CM-6,mitigates,1 +2204,,T1559.001,Component Object Model,[],[],,CM-6,mitigates,1 +2205,,T1559.002,Dynamic Data Exchange,[],[],,CM-6,mitigates,1 +2206,,T1562,Impair Defenses,[],[],,CM-6,mitigates,1 +2207,,T1562.001,Disable or Modify Tools,[],[],,CM-6,mitigates,1 +2208,,T1562.002,Disable Windows Event Logging,[],[],,CM-6,mitigates,1 +2209,,T1562.003,Impair Command History Logging,[],[],,CM-6,mitigates,1 +2210,,T1562.004,Disable or Modify System Firewall,[],[],,CM-6,mitigates,1 +2211,,T1562.006,Indicator Blocking,[],[],,CM-6,mitigates,1 +2212,,T1562.009,Safe Mode Boot,[],[],,CM-6,mitigates,1 
+2213,,T1562.010,Downgrade Attack,[],[],,CM-6,mitigates,1 +2214,,T1563,Remote Service Session Hijacking,[],[],,CM-6,mitigates,1 +2215,,T1563.001,SSH Hijacking,[],[],,CM-6,mitigates,1 +2216,,T1563.002,RDP Hijacking,[],[],,CM-6,mitigates,1 +2217,,T1564.002,Hidden Users,[],[],,CM-6,mitigates,1 +2218,,T1564.006,Run Virtual Instance,[],[],,CM-6,mitigates,1 +2219,,T1564.007,VBA Stomping,[],[],,CM-6,mitigates,1 +2220,,T1564.009,Resource Forking,[],[],,CM-6,mitigates,1 +2221,,T1565,Data Manipulation,[],[],,CM-6,mitigates,1 +2222,,T1565.001,Stored Data Manipulation,[],[],,CM-6,mitigates,1 +2223,,T1565.002,Transmitted Data Manipulation,[],[],,CM-6,mitigates,1 +2224,,T1565.003,Runtime Data Manipulation,[],[],,CM-6,mitigates,1 +2225,,T1566,Phishing,[],[],,CM-6,mitigates,1 +2226,,T1566.001,Spearphishing Attachment,[],[],,CM-6,mitigates,1 +2227,,T1566.002,Spearphishing Link,[],[],,CM-6,mitigates,1 +2228,,T1569,System Services,[],[],,CM-6,mitigates,1 +2229,,T1569.002,Service Execution,[],[],,CM-6,mitigates,1 +2230,,T1570,Lateral Tool Transfer,[],[],,CM-6,mitigates,1 +2231,,T1571,Non-Standard Port,[],[],,CM-6,mitigates,1 +2232,,T1572,Protocol Tunneling,[],[],,CM-6,mitigates,1 +2233,,T1573,Encrypted Channel,[],[],,CM-6,mitigates,1 +2234,,T1573.001,Symmetric Cryptography,[],[],,CM-6,mitigates,1 +2235,,T1573.002,Asymmetric Cryptography,[],[],,CM-6,mitigates,1 +2236,,T1574,Hijack Execution Flow,[],[],,CM-6,mitigates,1 +2237,,T1574.001,DLL Search Order Hijacking,[],[],,CM-6,mitigates,1 +2238,,T1574.004,Dylib Hijacking,[],[],,CM-6,mitigates,1 +2239,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-6,mitigates,1 +2240,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-6,mitigates,1 +2241,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-6,mitigates,1 +2242,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-6,mitigates,1 +2243,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-6,mitigates,1 +2244,,T1574.010,Services File Permissions 
Weakness,[],[],,CM-6,mitigates,1 +2245,,T1598,Phishing for Information,[],[],,CM-6,mitigates,1 +2246,,T1598.002,Spearphishing Attachment,[],[],,CM-6,mitigates,1 +2247,,T1598.003,Spearphishing Link,[],[],,CM-6,mitigates,1 +2248,,T1599,Network Boundary Bridging,[],[],,CM-6,mitigates,1 +2249,,T1599.001,Network Address Translation Traversal,[],[],,CM-6,mitigates,1 +2250,,T1601,Modify System Image,[],[],,CM-6,mitigates,1 +2251,,T1601.001,Patch System Image,[],[],,CM-6,mitigates,1 +2252,,T1601.002,Downgrade System Image,[],[],,CM-6,mitigates,1 +2253,,T1602,Data from Configuration Repository,[],[],,CM-6,mitigates,1 +2254,,T1602.001,SNMP (MIB Dump),[],[],,CM-6,mitigates,1 +2255,,T1602.002,Network Device Configuration Dump,[],[],,CM-6,mitigates,1 +2256,,T1609,Container Administration Command,[],[],,CM-6,mitigates,1 +2257,,T1610,Deploy Container,[],[],,CM-6,mitigates,1 +2258,,T1611,Escape to Host,[],[],,CM-6,mitigates,1 +2259,,T1612,Build Image on Host,[],[],,CM-6,mitigates,1 +2260,,T1613,Container and Resource Discovery,[],[],,CM-6,mitigates,1 +2261,,T1003,OS Credential Dumping,[],[],,CM-7,mitigates,1 +2262,,T1003.001,LSASS Memory,[],[],,CM-7,mitigates,1 +2263,,T1003.002,Security Account Manager,[],[],,CM-7,mitigates,1 +2264,,T1003.005,Cached Domain Credentials,[],[],,CM-7,mitigates,1 +2265,,T1008,Fallback Channels,[],[],,CM-7,mitigates,1 +2266,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-7,mitigates,1 +2267,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-7,mitigates,1 +2268,,T1021.001,Remote Desktop Protocol,[],[],,CM-7,mitigates,1 +2269,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-7,mitigates,1 +2270,,T1021.003,Distributed Component Object Model,[],[],,CM-7,mitigates,1 +2271,,T1021.005,VNC,[],[],,CM-7,mitigates,1 +2272,,T1021.006,Windows Remote Management,[],[],,CM-7,mitigates,1 +2273,,T1036,Masquerading,[],[],,CM-7,mitigates,1 +2274,,T1036.005,Match Legitimate Name or Location,[],[],,CM-7,mitigates,1 +2275,,T1036.007,Double File 
Extension,[],[],,CM-7,mitigates,1 +2276,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-7,mitigates,1 +2277,,T1037.001,Logon Script (Windows),[],[],,CM-7,mitigates,1 +2278,,T1046,Network Service Scanning,[],[],,CM-7,mitigates,1 +2279,,T1047,Windows Management Instrumentation,[],[],,CM-7,mitigates,1 +2280,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-7,mitigates,1 +2281,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,1 +2282,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,1 +2283,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-7,mitigates,1 +2284,,T1052,Exfiltration Over Physical Medium,[],[],,CM-7,mitigates,1 +2285,,T1052.001,Exfiltration over USB,[],[],,CM-7,mitigates,1 +2286,,T1053,Scheduled Task/Job,[],[],,CM-7,mitigates,1 +2287,,T1053.002,At (Windows),[],[],,CM-7,mitigates,1 +2288,,T1053.005,Scheduled Task,[],[],,CM-7,mitigates,1 +2289,,T1059,Command and Scripting Interpreter,[],[],,CM-7,mitigates,1 +2290,,T1059.005,Visual Basic,[],[],,CM-7,mitigates,1 +2291,,T1059.007,JavaScript,[],[],,CM-7,mitigates,1 +2292,,T1068,Exploitation for Privilege Escalation,[],[],,CM-7,mitigates,1 +2293,,T1071,Application Layer Protocol,[],[],,CM-7,mitigates,1 +2294,,T1071.001,Web Protocols,[],[],,CM-7,mitigates,1 +2295,,T1071.002,File Transfer Protocols,[],[],,CM-7,mitigates,1 +2296,,T1071.003,Mail Protocols,[],[],,CM-7,mitigates,1 +2297,,T1071.004,DNS,[],[],,CM-7,mitigates,1 +2298,,T1072,Software Deployment Tools,[],[],,CM-7,mitigates,1 +2299,,T1080,Taint Shared Content,[],[],,CM-7,mitigates,1 +2300,,T1087,Account Discovery,[],[],,CM-7,mitigates,1 +2301,,T1087.001,Local Account,[],[],,CM-7,mitigates,1 +2302,,T1087.002,Domain Account,[],[],,CM-7,mitigates,1 +2303,,T1090,Proxy,[],[],,CM-7,mitigates,1 +2304,,T1090.001,Internal Proxy,[],[],,CM-7,mitigates,1 +2305,,T1090.002,External Proxy,[],[],,CM-7,mitigates,1 +2306,,T1090.003,Multi-hop 
Proxy,[],[],,CM-7,mitigates,1 +2307,,T1092,Communication Through Removable Media,[],[],,CM-7,mitigates,1 +2308,,T1095,Non-Application Layer Protocol,[],[],,CM-7,mitigates,1 +2309,,T1098,Account Manipulation,[],[],,CM-7,mitigates,1 +2310,,T1098.001,Additional Cloud Credentials,[],[],,CM-7,mitigates,1 +2311,,T1098.004,SSH Authorized Keys,[],[],,CM-7,mitigates,1 +2312,,T1102,Web Service,[],[],,CM-7,mitigates,1 +2313,,T1102.001,Dead Drop Resolver,[],[],,CM-7,mitigates,1 +2314,,T1102.002,Bidirectional Communication,[],[],,CM-7,mitigates,1 +2315,,T1102.003,One-Way Communication,[],[],,CM-7,mitigates,1 +2316,,T1104,Multi-Stage Channels,[],[],,CM-7,mitigates,1 +2317,,T1105,Ingress Tool Transfer,[],[],,CM-7,mitigates,1 +2318,,T1106,Native API,[],[],,CM-7,mitigates,1 +2319,,T1112,Modify Registry,[],[],,CM-7,mitigates,1 +2320,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-7,mitigates,1 +2321,,T1129,Shared Modules,[],[],,CM-7,mitigates,1 +2322,,T1133,External Remote Services,[],[],,CM-7,mitigates,1 +2323,,T1135,Network Share Discovery,[],[],,CM-7,mitigates,1 +2324,,T1136,Create Account,[],[],,CM-7,mitigates,1 +2325,,T1136.002,Domain Account,[],[],,CM-7,mitigates,1 +2326,,T1136.003,Cloud Account,[],[],,CM-7,mitigates,1 +2327,,T1176,Browser Extensions,[],[],,CM-7,mitigates,1 +2328,,T1187,Forced Authentication,[],[],,CM-7,mitigates,1 +2329,,T1190,Exploit Public-Facing Application,[],[],,CM-7,mitigates,1 +2330,,T1195,Supply Chain Compromise,[],[],,CM-7,mitigates,1 +2331,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-7,mitigates,1 +2332,,T1195.002,Compromise Software Supply Chain,[],[],,CM-7,mitigates,1 +2333,,T1197,BITS Jobs,[],[],,CM-7,mitigates,1 +2334,,T1199,Trusted Relationship,[],[],,CM-7,mitigates,1 +2335,,T1204,User Execution,[],[],,CM-7,mitigates,1 +2336,,T1204.001,Malicious Link,[],[],,CM-7,mitigates,1 +2337,,T1204.002,Malicious File,[],[],,CM-7,mitigates,1 +2338,,T1204.003,Malicious Image,[],[],,CM-7,mitigates,1 
+2339,,T1205,Traffic Signaling,[],[],,CM-7,mitigates,1 +2340,,T1205.001,Port Knocking,[],[],,CM-7,mitigates,1 +2341,,T1210,Exploitation of Remote Services,[],[],,CM-7,mitigates,1 +2342,,T1213,Data from Information Repositories,[],[],,CM-7,mitigates,1 +2343,,T1213.001,Confluence,[],[],,CM-7,mitigates,1 +2344,,T1213.002,Sharepoint,[],[],,CM-7,mitigates,1 +2345,,T1216,Signed Script Proxy Execution,[],[],,CM-7,mitigates,1 +2346,,T1216.001,PubPrn,[],[],,CM-7,mitigates,1 +2347,,T1218,Signed Binary Proxy Execution,[],[],,CM-7,mitigates,1 +2348,,T1218.001,Compiled HTML File,[],[],,CM-7,mitigates,1 +2349,,T1218.002,Control Panel,[],[],,CM-7,mitigates,1 +2350,,T1218.003,CMSTP,[],[],,CM-7,mitigates,1 +2351,,T1218.004,InstallUtil,[],[],,CM-7,mitigates,1 +2352,,T1218.005,Mshta,[],[],,CM-7,mitigates,1 +2353,,T1218.007,Msiexec,[],[],,CM-7,mitigates,1 +2354,,T1218.008,Odbcconf,[],[],,CM-7,mitigates,1 +2355,,T1218.009,Regsvcs/Regasm,[],[],,CM-7,mitigates,1 +2356,,T1218.012,Verclsid,[],[],,CM-7,mitigates,1 +2357,,T1218.013,Mavinject,[],[],,CM-7,mitigates,1 +2358,,T1218.014,MMC,[],[],,CM-7,mitigates,1 +2359,,T1219,Remote Access Software,[],[],,CM-7,mitigates,1 +2360,,T1220,XSL Script Processing,[],[],,CM-7,mitigates,1 +2361,,T1221,Template Injection,[],[],,CM-7,mitigates,1 +2362,,T1482,Domain Trust Discovery,[],[],,CM-7,mitigates,1 +2363,,T1484,Domain Policy Modification,[],[],,CM-7,mitigates,1 +2364,,T1489,Service Stop,[],[],,CM-7,mitigates,1 +2365,,T1490,Inhibit System Recovery,[],[],,CM-7,mitigates,1 +2366,,T1498,Network Denial of Service,[],[],,CM-7,mitigates,1 +2367,,T1498.001,Direct Network Flood,[],[],,CM-7,mitigates,1 +2368,,T1498.002,Reflection Amplification,[],[],,CM-7,mitigates,1 +2369,,T1499,Endpoint Denial of Service,[],[],,CM-7,mitigates,1 +2370,,T1499.001,OS Exhaustion Flood,[],[],,CM-7,mitigates,1 +2371,,T1499.002,Service Exhaustion Flood,[],[],,CM-7,mitigates,1 +2372,,T1499.003,Application Exhaustion Flood,[],[],,CM-7,mitigates,1 +2373,,T1499.004,Application or 
System Exploitation,[],[],,CM-7,mitigates,1 +2374,,T1505.004,IIS Components,[],[],,CM-7,mitigates,1 +2375,,T1525,Implant Internal Image,[],[],,CM-7,mitigates,1 +2376,,T1530,Data from Cloud Storage Object,[],[],,CM-7,mitigates,1 +2377,,T1537,Transfer Data to Cloud Account,[],[],,CM-7,mitigates,1 +2378,,T1542.004,ROMMONkit,[],[],,CM-7,mitigates,1 +2379,,T1542.005,TFTP Boot,[],[],,CM-7,mitigates,1 +2380,,T1543,Create or Modify System Process,[],[],,CM-7,mitigates,1 +2381,,T1546.002,Screensaver,[],[],,CM-7,mitigates,1 +2382,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-7,mitigates,1 +2383,,T1546.008,Accessibility Features,[],[],,CM-7,mitigates,1 +2384,,T1546.009,AppCert DLLs,[],[],,CM-7,mitigates,1 +2385,,T1546.010,AppInit DLLs,[],[],,CM-7,mitigates,1 +2386,,T1547.004,Winlogon Helper DLL,[],[],,CM-7,mitigates,1 +2387,,T1547.006,Kernel Modules and Extensions,[],[],,CM-7,mitigates,1 +2388,,T1547.007,Re-opened Applications,[],[],,CM-7,mitigates,1 +2389,,T1547.011,Plist Modification,[],[],,CM-7,mitigates,1 +2390,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-7,mitigates,1 +2391,,T1548.001,Setuid and Setgid,[],[],,CM-7,mitigates,1 +2392,,T1548.003,Sudo and Sudo Caching,[],[],,CM-7,mitigates,1 +2393,,T1548.004,Elevated Execution with Prompt,[],[],,CM-7,mitigates,1 +2394,,T1552,Unsecured Credentials,[],[],,CM-7,mitigates,1 +2395,,T1552.003,Bash History,[],[],,CM-7,mitigates,1 +2396,,T1552.005,Cloud Instance Metadata API,[],[],,CM-7,mitigates,1 +2397,,T1552.007,Container API,[],[],,CM-7,mitigates,1 +2398,,T1553,Subvert Trust Controls,[],[],,CM-7,mitigates,1 +2399,,T1553.001,Gatekeeper Bypass,[],[],,CM-7,mitigates,1 +2400,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-7,mitigates,1 +2401,,T1553.004,Install Root Certificate,[],[],,CM-7,mitigates,1 +2402,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-7,mitigates,1 +2403,,T1553.006,Code Signing Policy Modification,[],[],,CM-7,mitigates,1 +2404,,T1555.004,Windows Credential Manager,[],[],,CM-7,mitigates,1 +2405,,T1556,Modify 
Authentication Process,[],[],,CM-7,mitigates,1 +2406,,T1556.002,Password Filter DLL,[],[],,CM-7,mitigates,1 +2407,,T1557,Adversary-in-the-Middle,[],[],,CM-7,mitigates,1 +2408,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-7,mitigates,1 +2409,,T1557.002,ARP Cache Poisoning,[],[],,CM-7,mitigates,1 +2410,,T1559,Inter-Process Communication,[],[],,CM-7,mitigates,1 +2411,,T1559.002,Dynamic Data Exchange,[],[],,CM-7,mitigates,1 +2412,,T1562,Impair Defenses,[],[],,CM-7,mitigates,1 +2413,,T1562.001,Disable or Modify Tools,[],[],,CM-7,mitigates,1 +2414,,T1562.002,Disable Windows Event Logging,[],[],,CM-7,mitigates,1 +2415,,T1562.003,Impair Command History Logging,[],[],,CM-7,mitigates,1 +2416,,T1562.004,Disable or Modify System Firewall,[],[],,CM-7,mitigates,1 +2417,,T1562.006,Indicator Blocking,[],[],,CM-7,mitigates,1 +2418,,T1562.009,Safe Mode Boot,[],[],,CM-7,mitigates,1 +2419,,T1563,Remote Service Session Hijacking,[],[],,CM-7,mitigates,1 +2420,,T1563.001,SSH Hijacking,[],[],,CM-7,mitigates,1 +2421,,T1563.002,RDP Hijacking,[],[],,CM-7,mitigates,1 +2422,,T1564.002,Hidden Users,[],[],,CM-7,mitigates,1 +2423,,T1564.003,Hidden Window,[],[],,CM-7,mitigates,1 +2424,,T1564.006,Run Virtual Instance,[],[],,CM-7,mitigates,1 +2425,,T1564.008,Email Hiding Rules,[],[],,CM-7,mitigates,1 +2426,,T1564.009,Resource Forking,[],[],,CM-7,mitigates,1 +2427,,T1565,Data Manipulation,[],[],,CM-7,mitigates,1 +2428,,T1565.003,Runtime Data Manipulation,[],[],,CM-7,mitigates,1 +2429,,T1569,System Services,[],[],,CM-7,mitigates,1 +2430,,T1569.002,Service Execution,[],[],,CM-7,mitigates,1 +2431,,T1570,Lateral Tool Transfer,[],[],,CM-7,mitigates,1 +2432,,T1571,Non-Standard Port,[],[],,CM-7,mitigates,1 +2433,,T1572,Protocol Tunneling,[],[],,CM-7,mitigates,1 +2434,,T1573,Encrypted Channel,[],[],,CM-7,mitigates,1 +2435,,T1573.001,Symmetric Cryptography,[],[],,CM-7,mitigates,1 +2436,,T1573.002,Asymmetric Cryptography,[],[],,CM-7,mitigates,1 +2437,,T1574,Hijack Execution 
Flow,[],[],,CM-7,mitigates,1 +2438,,T1574.001,DLL Search Order Hijacking,[],[],,CM-7,mitigates,1 +2439,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-7,mitigates,1 +2440,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-7,mitigates,1 +2441,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-7,mitigates,1 +2442,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-7,mitigates,1 +2443,,T1574.012,COR_PROFILER,[],[],,CM-7,mitigates,1 +2444,,T1599,Network Boundary Bridging,[],[],,CM-7,mitigates,1 +2445,,T1599.001,Network Address Translation Traversal,[],[],,CM-7,mitigates,1 +2446,,T1601,Modify System Image,[],[],,CM-7,mitigates,1 +2447,,T1601.001,Patch System Image,[],[],,CM-7,mitigates,1 +2448,,T1601.002,Downgrade System Image,[],[],,CM-7,mitigates,1 +2449,,T1602,Data from Configuration Repository,[],[],,CM-7,mitigates,1 +2450,,T1602.001,SNMP (MIB Dump),[],[],,CM-7,mitigates,1 +2451,,T1602.002,Network Device Configuration Dump,[],[],,CM-7,mitigates,1 +2452,,T1609,Container Administration Command,[],[],,CM-7,mitigates,1 +2453,,T1610,Deploy Container,[],[],,CM-7,mitigates,1 +2454,,T1611,Escape to Host,[],[],,CM-7,mitigates,1 +2455,,T1612,Build Image on Host,[],[],,CM-7,mitigates,1 +2456,,T1613,Container and Resource Discovery,[],[],,CM-7,mitigates,1 +2457,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-8,mitigates,1 +2458,,T1020.001,Traffic Duplication,[],[],,CM-8,mitigates,1 +2459,,T1021.001,Remote Desktop Protocol,[],[],,CM-8,mitigates,1 +2460,,T1021.003,Distributed Component Object Model,[],[],,CM-8,mitigates,1 +2461,,T1021.004,SSH,[],[],,CM-8,mitigates,1 +2462,,T1021.005,VNC,[],[],,CM-8,mitigates,1 +2463,,T1021.006,Windows Remote Management,[],[],,CM-8,mitigates,1 +2464,,T1046,Network Service Scanning,[],[],,CM-8,mitigates,1 +2465,,T1052,Exfiltration Over Physical Medium,[],[],,CM-8,mitigates,1 +2466,,T1052.001,Exfiltration over USB,[],[],,CM-8,mitigates,1 +2467,,T1053,Scheduled Task/Job,[],[],,CM-8,mitigates,1 +2468,,T1053.002,At 
(Windows),[],[],,CM-8,mitigates,1 +2469,,T1053.005,Scheduled Task,[],[],,CM-8,mitigates,1 +2470,,T1059,Command and Scripting Interpreter,[],[],,CM-8,mitigates,1 +2471,,T1059.001,PowerShell,[],[],,CM-8,mitigates,1 +2472,,T1059.005,Visual Basic,[],[],,CM-8,mitigates,1 +2473,,T1059.007,JavaScript,[],[],,CM-8,mitigates,1 +2474,,T1068,Exploitation for Privilege Escalation,[],[],,CM-8,mitigates,1 +2475,,T1072,Software Deployment Tools,[],[],,CM-8,mitigates,1 +2476,,T1091,Replication Through Removable Media,[],[],,CM-8,mitigates,1 +2477,,T1092,Communication Through Removable Media,[],[],,CM-8,mitigates,1 +2478,,T1098.004,SSH Authorized Keys,[],[],,CM-8,mitigates,1 +2479,,T1119,Automated Collection,[],[],,CM-8,mitigates,1 +2480,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-8,mitigates,1 +2481,,T1127.001,MSBuild,[],[],,CM-8,mitigates,1 +2482,,T1133,External Remote Services,[],[],,CM-8,mitigates,1 +2483,,T1137,Office Application Startup,[],[],,CM-8,mitigates,1 +2484,,T1137.001,Office Template Macros,[],[],,CM-8,mitigates,1 +2485,,T1189,Drive-by Compromise,[],[],,CM-8,mitigates,1 +2486,,T1190,Exploit Public-Facing Application,[],[],,CM-8,mitigates,1 +2487,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-8,mitigates,1 +2488,,T1203,Exploitation for Client Execution,[],[],,CM-8,mitigates,1 +2489,,T1210,Exploitation of Remote Services,[],[],,CM-8,mitigates,1 +2490,,T1211,Exploitation for Defense Evasion,[],[],,CM-8,mitigates,1 +2491,,T1212,Exploitation for Credential Access,[],[],,CM-8,mitigates,1 +2492,,T1213,Data from Information Repositories,[],[],,CM-8,mitigates,1 +2493,,T1213.001,Confluence,[],[],,CM-8,mitigates,1 +2494,,T1213.002,Sharepoint,[],[],,CM-8,mitigates,1 +2495,,T1218,Signed Binary Proxy Execution,[],[],,CM-8,mitigates,1 +2496,,T1218.003,CMSTP,[],[],,CM-8,mitigates,1 +2497,,T1218.004,InstallUtil,[],[],,CM-8,mitigates,1 +2498,,T1218.005,Mshta,[],[],,CM-8,mitigates,1 +2499,,T1218.008,Odbcconf,[],[],,CM-8,mitigates,1 
+2500,,T1218.009,Regsvcs/Regasm,[],[],,CM-8,mitigates,1 +2501,,T1218.012,Verclsid,[],[],,CM-8,mitigates,1 +2502,,T1218.013,Mavinject,[],[],,CM-8,mitigates,1 +2503,,T1218.014,MMC,[],[],,CM-8,mitigates,1 +2504,,T1221,Template Injection,[],[],,CM-8,mitigates,1 +2505,,T1495,Firmware Corruption,[],[],,CM-8,mitigates,1 +2506,,T1505,Server Software Component,[],[],,CM-8,mitigates,1 +2507,,T1505.001,SQL Stored Procedures,[],[],,CM-8,mitigates,1 +2508,,T1505.002,Transport Agent,[],[],,CM-8,mitigates,1 +2509,,T1505.004,IIS Components,[],[],,CM-8,mitigates,1 +2510,,T1530,Data from Cloud Storage Object,[],[],,CM-8,mitigates,1 +2511,,T1542,Pre-OS Boot,[],[],,CM-8,mitigates,1 +2512,,T1542.001,System Firmware,[],[],,CM-8,mitigates,1 +2513,,T1542.003,Bootkit,[],[],,CM-8,mitigates,1 +2514,,T1542.004,ROMMONkit,[],[],,CM-8,mitigates,1 +2515,,T1542.005,TFTP Boot,[],[],,CM-8,mitigates,1 +2516,,T1546.002,Screensaver,[],[],,CM-8,mitigates,1 +2517,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-8,mitigates,1 +2518,,T1546.014,Emond,[],[],,CM-8,mitigates,1 +2519,,T1547.007,Re-opened Applications,[],[],,CM-8,mitigates,1 +2520,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-8,mitigates,1 +2521,,T1548.004,Elevated Execution with Prompt,[],[],,CM-8,mitigates,1 +2522,,T1553,Subvert Trust Controls,[],[],,CM-8,mitigates,1 +2523,,T1553.006,Code Signing Policy Modification,[],[],,CM-8,mitigates,1 +2524,,T1557,Adversary-in-the-Middle,[],[],,CM-8,mitigates,1 +2525,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-8,mitigates,1 +2526,,T1557.002,ARP Cache Poisoning,[],[],,CM-8,mitigates,1 +2527,,T1559,Inter-Process Communication,[],[],,CM-8,mitigates,1 +2528,,T1559.002,Dynamic Data Exchange,[],[],,CM-8,mitigates,1 +2529,,T1563,Remote Service Session Hijacking,[],[],,CM-8,mitigates,1 +2530,,T1563.001,SSH Hijacking,[],[],,CM-8,mitigates,1 +2531,,T1563.002,RDP Hijacking,[],[],,CM-8,mitigates,1 +2532,,T1564.006,Run Virtual Instance,[],[],,CM-8,mitigates,1 +2533,,T1564.007,VBA 
Stomping,[],[],,CM-8,mitigates,1 +2534,,T1565,Data Manipulation,[],[],,CM-8,mitigates,1 +2535,,T1565.001,Stored Data Manipulation,[],[],,CM-8,mitigates,1 +2536,,T1565.002,Transmitted Data Manipulation,[],[],,CM-8,mitigates,1 +2537,,T1574,Hijack Execution Flow,[],[],,CM-8,mitigates,1 +2538,,T1574.004,Dylib Hijacking,[],[],,CM-8,mitigates,1 +2539,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-8,mitigates,1 +2540,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-8,mitigates,1 +2541,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-8,mitigates,1 +2542,,T1601,Modify System Image,[],[],,CM-8,mitigates,1 +2543,,T1601.001,Patch System Image,[],[],,CM-8,mitigates,1 +2544,,T1601.002,Downgrade System Image,[],[],,CM-8,mitigates,1 +2545,,T1602,Data from Configuration Repository,[],[],,CM-8,mitigates,1 +2546,,T1602.001,SNMP (MIB Dump),[],[],,CM-8,mitigates,1 +2547,,T1602.002,Network Device Configuration Dump,[],[],,CM-8,mitigates,1 +2548,,T1485,Data Destruction,[],[],,CP-10,mitigates,1 +2549,,T1486,Data Encrypted for Impact,[],[],,CP-10,mitigates,1 +2550,,T1490,Inhibit System Recovery,[],[],,CP-10,mitigates,1 +2551,,T1491,Defacement,[],[],,CP-10,mitigates,1 +2552,,T1491.001,Internal Defacement,[],[],,CP-10,mitigates,1 +2553,,T1491.002,External Defacement,[],[],,CP-10,mitigates,1 +2554,,T1561,Disk Wipe,[],[],,CP-10,mitigates,1 +2555,,T1561.001,Disk Content Wipe,[],[],,CP-10,mitigates,1 +2556,,T1561.002,Disk Structure Wipe,[],[],,CP-10,mitigates,1 +2557,,T1565,Data Manipulation,[],[],,CP-10,mitigates,1 +2558,,T1565.001,Stored Data Manipulation,[],[],,CP-10,mitigates,1 +2559,,T1485,Data Destruction,[],[],,CP-2,mitigates,1 +2560,,T1486,Data Encrypted for Impact,[],[],,CP-2,mitigates,1 +2561,,T1490,Inhibit System Recovery,[],[],,CP-2,mitigates,1 +2562,,T1491,Defacement,[],[],,CP-2,mitigates,1 +2563,,T1491.001,Internal Defacement,[],[],,CP-2,mitigates,1 +2564,,T1491.002,External Defacement,[],[],,CP-2,mitigates,1 +2565,,T1561,Disk 
Wipe,[],[],,CP-2,mitigates,1 +2566,,T1561.001,Disk Content Wipe,[],[],,CP-2,mitigates,1 +2567,,T1561.002,Disk Structure Wipe,[],[],,CP-2,mitigates,1 +2568,,T1070,Indicator Removal on Host,[],[],,CP-6,mitigates,1 +2569,,T1070.001,Clear Windows Event Logs,[],[],,CP-6,mitigates,1 +2570,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-6,mitigates,1 +2571,,T1119,Automated Collection,[],[],,CP-6,mitigates,1 +2572,,T1486,Data Encrypted for Impact,[],[],,CP-6,mitigates,1 +2573,,T1565,Data Manipulation,[],[],,CP-6,mitigates,1 +2574,,T1565.001,Stored Data Manipulation,[],[],,CP-6,mitigates,1 +2575,,T1070,Indicator Removal on Host,[],[],,CP-7,mitigates,1 +2576,,T1070.001,Clear Windows Event Logs,[],[],,CP-7,mitigates,1 +2577,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-7,mitigates,1 +2578,,T1119,Automated Collection,[],[],,CP-7,mitigates,1 +2579,,T1485,Data Destruction,[],[],,CP-7,mitigates,1 +2580,,T1486,Data Encrypted for Impact,[],[],,CP-7,mitigates,1 +2581,,T1490,Inhibit System Recovery,[],[],,CP-7,mitigates,1 +2582,,T1491,Defacement,[],[],,CP-7,mitigates,1 +2583,,T1491.001,Internal Defacement,[],[],,CP-7,mitigates,1 +2584,,T1491.002,External Defacement,[],[],,CP-7,mitigates,1 +2585,,T1561,Disk Wipe,[],[],,CP-7,mitigates,1 +2586,,T1561.001,Disk Content Wipe,[],[],,CP-7,mitigates,1 +2587,,T1561.002,Disk Structure Wipe,[],[],,CP-7,mitigates,1 +2588,,T1565,Data Manipulation,[],[],,CP-7,mitigates,1 +2589,,T1565.001,Stored Data Manipulation,[],[],,CP-7,mitigates,1 +2590,,T1003,OS Credential Dumping,[],[],,CP-9,mitigates,1 +2591,,T1003.003,NTDS,[],[],,CP-9,mitigates,1 +2592,,T1005,Data from Local System,[],[],,CP-9,mitigates,1 +2593,,T1025,Data from Removable Media,[],[],,CP-9,mitigates,1 +2594,,T1070,Indicator Removal on Host,[],[],,CP-9,mitigates,1 +2595,,T1070.001,Clear Windows Event Logs,[],[],,CP-9,mitigates,1 +2596,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-9,mitigates,1 +2597,,T1119,Automated Collection,[],[],,CP-9,mitigates,1 +2598,,T1485,Data 
Destruction,[],[],,CP-9,mitigates,1 +2599,,T1486,Data Encrypted for Impact,[],[],,CP-9,mitigates,1 +2600,,T1490,Inhibit System Recovery,[],[],,CP-9,mitigates,1 +2601,,T1491,Defacement,[],[],,CP-9,mitigates,1 +2602,,T1491.001,Internal Defacement,[],[],,CP-9,mitigates,1 +2603,,T1491.002,External Defacement,[],[],,CP-9,mitigates,1 +2604,,T1561,Disk Wipe,[],[],,CP-9,mitigates,1 +2605,,T1561.001,Disk Content Wipe,[],[],,CP-9,mitigates,1 +2606,,T1561.002,Disk Structure Wipe,[],[],,CP-9,mitigates,1 +2607,,T1565,Data Manipulation,[],[],,CP-9,mitigates,1 +2608,,T1565.001,Stored Data Manipulation,[],[],,CP-9,mitigates,1 +2609,,T1565.003,Runtime Data Manipulation,[],[],,CP-9,mitigates,1 +2610,,T1110,Brute Force,[],[],,IA-11,mitigates,1 +2611,,T1110.001,Password Guessing,[],[],,IA-11,mitigates,1 +2612,,T1110.002,Password Cracking,[],[],,IA-11,mitigates,1 +2613,,T1110.003,Password Spraying,[],[],,IA-11,mitigates,1 +2614,,T1110.004,Credential Stuffing,[],[],,IA-11,mitigates,1 +2615,,T1078,Valid Accounts,[],[],,IA-12,mitigates,1 +2616,,T1078.002,Domain Accounts,[],[],,IA-12,mitigates,1 +2617,,T1078.003,Local Accounts,[],[],,IA-12,mitigates,1 +2618,,T1078.004,Cloud Accounts,[],[],,IA-12,mitigates,1 +2619,,T1003,OS Credential Dumping,[],[],,IA-2,mitigates,1 +2620,,T1003.001,LSASS Memory,[],[],,IA-2,mitigates,1 +2621,,T1003.002,Security Account Manager,[],[],,IA-2,mitigates,1 +2622,,T1003.003,NTDS,[],[],,IA-2,mitigates,1 +2623,,T1003.004,LSA Secrets,[],[],,IA-2,mitigates,1 +2624,,T1003.005,Cached Domain Credentials,[],[],,IA-2,mitigates,1 +2625,,T1003.006,DCSync,[],[],,IA-2,mitigates,1 +2626,,T1003.007,Proc Filesystem,[],[],,IA-2,mitigates,1 +2627,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-2,mitigates,1 +2628,,T1021,Remote Services,[],[],,IA-2,mitigates,1 +2629,,T1021.001,Remote Desktop Protocol,[],[],,IA-2,mitigates,1 +2630,,T1021.002,SMB/Windows Admin Shares,[],[],,IA-2,mitigates,1 +2631,,T1021.003,Distributed Component Object Model,[],[],,IA-2,mitigates,1 
+2632,,T1021.004,SSH,[],[],,IA-2,mitigates,1 +2633,,T1021.005,VNC,[],[],,IA-2,mitigates,1 +2634,,T1021.006,Windows Remote Management,[],[],,IA-2,mitigates,1 +2635,,T1036.007,Double File Extension,[],[],,IA-2,mitigates,1 +2636,,T1040,Network Sniffing,[],[],,IA-2,mitigates,1 +2637,,T1047,Windows Management Instrumentation,[],[],,IA-2,mitigates,1 +2638,,T1053,Scheduled Task/Job,[],[],,IA-2,mitigates,1 +2639,,T1053.001,At (Linux),[],[],,IA-2,mitigates,1 +2640,,T1053.002,At (Windows),[],[],,IA-2,mitigates,1 +2641,,T1053.003,Cron,[],[],,IA-2,mitigates,1 +2642,,T1053.005,Scheduled Task,[],[],,IA-2,mitigates,1 +2643,,T1053.006,Systemd Timers,[],[],,IA-2,mitigates,1 +2644,,T1053.007,Container Orchestration Job,[],[],,IA-2,mitigates,1 +2645,,T1055,Process Injection,[],[],,IA-2,mitigates,1 +2646,,T1055.008,Ptrace System Calls,[],[],,IA-2,mitigates,1 +2647,,T1056.003,Web Portal Capture,[],[],,IA-2,mitigates,1 +2648,,T1059,Command and Scripting Interpreter,[],[],,IA-2,mitigates,1 +2649,,T1059.001,PowerShell,[],[],,IA-2,mitigates,1 +2650,,T1059.008,Network Device CLI,[],[],,IA-2,mitigates,1 +2651,,T1072,Software Deployment Tools,[],[],,IA-2,mitigates,1 +2652,,T1078,Valid Accounts,[],[],,IA-2,mitigates,1 +2653,,T1078.002,Domain Accounts,[],[],,IA-2,mitigates,1 +2654,,T1078.003,Local Accounts,[],[],,IA-2,mitigates,1 +2655,,T1078.004,Cloud Accounts,[],[],,IA-2,mitigates,1 +2656,,T1087.004,Cloud Account,[],[],,IA-2,mitigates,1 +2657,,T1098,Account Manipulation,[],[],,IA-2,mitigates,1 +2658,,T1098.001,Additional Cloud Credentials,[],[],,IA-2,mitigates,1 +2659,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-2,mitigates,1 +2660,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-2,mitigates,1 +2661,,T1110,Brute Force,[],[],,IA-2,mitigates,1 +2662,,T1110.001,Password Guessing,[],[],,IA-2,mitigates,1 +2663,,T1110.002,Password Cracking,[],[],,IA-2,mitigates,1 +2664,,T1110.003,Password Spraying,[],[],,IA-2,mitigates,1 +2665,,T1110.004,Credential 
Stuffing,[],[],,IA-2,mitigates,1 +2666,,T1111,Two-Factor Authentication Interception,[],[],,IA-2,mitigates,1 +2667,,T1114,Email Collection,[],[],,IA-2,mitigates,1 +2668,,T1114.002,Remote Email Collection,[],[],,IA-2,mitigates,1 +2669,,T1133,External Remote Services,[],[],,IA-2,mitigates,1 +2670,,T1134,Access Token Manipulation,[],[],,IA-2,mitigates,1 +2671,,T1134.001,Token Impersonation/Theft,[],[],,IA-2,mitigates,1 +2672,,T1134.002,Create Process with Token,[],[],,IA-2,mitigates,1 +2673,,T1134.003,Make and Impersonate Token,[],[],,IA-2,mitigates,1 +2674,,T1136,Create Account,[],[],,IA-2,mitigates,1 +2675,,T1136.001,Local Account,[],[],,IA-2,mitigates,1 +2676,,T1136.002,Domain Account,[],[],,IA-2,mitigates,1 +2677,,T1136.003,Cloud Account,[],[],,IA-2,mitigates,1 +2678,,T1185,Browser Session Hijacking,[],[],,IA-2,mitigates,1 +2679,,T1190,Exploit Public-Facing Application,[],[],,IA-2,mitigates,1 +2680,,T1197,BITS Jobs,[],[],,IA-2,mitigates,1 +2681,,T1210,Exploitation of Remote Services,[],[],,IA-2,mitigates,1 +2682,,T1213,Data from Information Repositories,[],[],,IA-2,mitigates,1 +2683,,T1213.001,Confluence,[],[],,IA-2,mitigates,1 +2684,,T1213.002,Sharepoint,[],[],,IA-2,mitigates,1 +2685,,T1213.003,Code Repositories,[],[],,IA-2,mitigates,1 +2686,,T1218,Signed Binary Proxy Execution,[],[],,IA-2,mitigates,1 +2687,,T1218.007,Msiexec,[],[],,IA-2,mitigates,1 +2688,,T1222,File and Directory Permissions Modification,[],[],,IA-2,mitigates,1 +2689,,T1222.001,Windows File and Directory Permissions Modification,[],[],,IA-2,mitigates,1 +2690,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,IA-2,mitigates,1 +2691,,T1484,Domain Policy Modification,[],[],,IA-2,mitigates,1 +2692,,T1489,Service Stop,[],[],,IA-2,mitigates,1 +2693,,T1495,Firmware Corruption,[],[],,IA-2,mitigates,1 +2694,,T1505,Server Software Component,[],[],,IA-2,mitigates,1 +2695,,T1505.002,Transport Agent,[],[],,IA-2,mitigates,1 +2696,,T1505.004,IIS Components,[],[],,IA-2,mitigates,1 
+2697,,T1525,Implant Internal Image,[],[],,IA-2,mitigates,1 +2698,,T1528,Steal Application Access Token,[],[],,IA-2,mitigates,1 +2699,,T1530,Data from Cloud Storage Object,[],[],,IA-2,mitigates,1 +2700,,T1537,Transfer Data to Cloud Account,[],[],,IA-2,mitigates,1 +2701,,T1538,Cloud Service Dashboard,[],[],,IA-2,mitigates,1 +2702,,T1539,Steal Web Session Cookie,[],[],,IA-2,mitigates,1 +2703,,T1542,Pre-OS Boot,[],[],,IA-2,mitigates,1 +2704,,T1542.001,System Firmware,[],[],,IA-2,mitigates,1 +2705,,T1542.003,Bootkit,[],[],,IA-2,mitigates,1 +2706,,T1542.005,TFTP Boot,[],[],,IA-2,mitigates,1 +2707,,T1543,Create or Modify System Process,[],[],,IA-2,mitigates,1 +2708,,T1543.001,Launch Agent,[],[],,IA-2,mitigates,1 +2709,,T1543.002,Systemd Service,[],[],,IA-2,mitigates,1 +2710,,T1543.003,Windows Service,[],[],,IA-2,mitigates,1 +2711,,T1543.004,Launch Daemon,[],[],,IA-2,mitigates,1 +2712,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,IA-2,mitigates,1 +2713,,T1547.004,Winlogon Helper DLL,[],[],,IA-2,mitigates,1 +2714,,T1547.006,Kernel Modules and Extensions,[],[],,IA-2,mitigates,1 +2715,,T1547.009,Shortcut Modification,[],[],,IA-2,mitigates,1 +2716,,T1547.012,Print Processors,[],[],,IA-2,mitigates,1 +2717,,T1547.013,XDG Autostart Entries,[],[],,IA-2,mitigates,1 +2718,,T1548,Abuse Elevation Control Mechanism,[],[],,IA-2,mitigates,1 +2719,,T1548.002,Bypass User Account Control,[],[],,IA-2,mitigates,1 +2720,,T1548.003,Sudo and Sudo Caching,[],[],,IA-2,mitigates,1 +2721,,T1550,Use Alternate Authentication Material,[],[],,IA-2,mitigates,1 +2722,,T1550.001,Application Access Token,[],[],,IA-2,mitigates,1 +2723,,T1550.002,Pass the Hash,[],[],,IA-2,mitigates,1 +2724,,T1550.003,Pass the Ticket,[],[],,IA-2,mitigates,1 +2725,,T1552,Unsecured Credentials,[],[],,IA-2,mitigates,1 +2726,,T1552.001,Credentials In Files,[],[],,IA-2,mitigates,1 +2727,,T1552.002,Credentials in Registry,[],[],,IA-2,mitigates,1 +2728,,T1552.004,Private Keys,[],[],,IA-2,mitigates,1 
+2729,,T1552.006,Group Policy Preferences,[],[],,IA-2,mitigates,1 +2730,,T1552.007,Container API,[],[],,IA-2,mitigates,1 +2731,,T1555.005,Password Managers,[],[],,IA-2,mitigates,1 +2732,,T1556,Modify Authentication Process,[],[],,IA-2,mitigates,1 +2733,,T1556.001,Domain Controller Authentication,[],[],,IA-2,mitigates,1 +2734,,T1556.003,Pluggable Authentication Modules,[],[],,IA-2,mitigates,1 +2735,,T1556.004,Network Device Authentication,[],[],,IA-2,mitigates,1 +2736,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-2,mitigates,1 +2737,,T1558.001,Golden Ticket,[],[],,IA-2,mitigates,1 +2738,,T1558.002,Silver Ticket,[],[],,IA-2,mitigates,1 +2739,,T1558.003,Kerberoasting,[],[],,IA-2,mitigates,1 +2740,,T1558.004,AS-REP Roasting,[],[],,IA-2,mitigates,1 +2741,,T1559,Inter-Process Communication,[],[],,IA-2,mitigates,1 +2742,,T1559.001,Component Object Model,[],[],,IA-2,mitigates,1 +2743,,T1562,Impair Defenses,[],[],,IA-2,mitigates,1 +2744,,T1562.001,Disable or Modify Tools,[],[],,IA-2,mitigates,1 +2745,,T1562.002,Disable Windows Event Logging,[],[],,IA-2,mitigates,1 +2746,,T1562.004,Disable or Modify System Firewall,[],[],,IA-2,mitigates,1 +2747,,T1562.006,Indicator Blocking,[],[],,IA-2,mitigates,1 +2748,,T1562.007,Disable or Modify Cloud Firewall,[],[],,IA-2,mitigates,1 +2749,,T1562.008,Disable Cloud Logs,[],[],,IA-2,mitigates,1 +2750,,T1562.009,Safe Mode Boot,[],[],,IA-2,mitigates,1 +2751,,T1563,Remote Service Session Hijacking,[],[],,IA-2,mitigates,1 +2752,,T1563.001,SSH Hijacking,[],[],,IA-2,mitigates,1 +2753,,T1563.002,RDP Hijacking,[],[],,IA-2,mitigates,1 +2754,,T1569,System Services,[],[],,IA-2,mitigates,1 +2755,,T1569.001,Launchctl,[],[],,IA-2,mitigates,1 +2756,,T1569.002,Service Execution,[],[],,IA-2,mitigates,1 +2757,,T1574,Hijack Execution Flow,[],[],,IA-2,mitigates,1 +2758,,T1574.005,Executable Installer File Permissions Weakness,[],[],,IA-2,mitigates,1 +2759,,T1574.010,Services File Permissions Weakness,[],[],,IA-2,mitigates,1 
+2760,,T1574.012,COR_PROFILER,[],[],,IA-2,mitigates,1 +2761,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-2,mitigates,1 +2762,,T1578.001,Create Snapshot,[],[],,IA-2,mitigates,1 +2763,,T1578.002,Create Cloud Instance,[],[],,IA-2,mitigates,1 +2764,,T1578.003,Delete Cloud Instance,[],[],,IA-2,mitigates,1 +2765,,T1580,Cloud Infrastructure Discovery,[],[],,IA-2,mitigates,1 +2766,,T1599,Network Boundary Bridging,[],[],,IA-2,mitigates,1 +2767,,T1599.001,Network Address Translation Traversal,[],[],,IA-2,mitigates,1 +2768,,T1601,Modify System Image,[],[],,IA-2,mitigates,1 +2769,,T1601.001,Patch System Image,[],[],,IA-2,mitigates,1 +2770,,T1601.002,Downgrade System Image,[],[],,IA-2,mitigates,1 +2771,,T1610,Deploy Container,[],[],,IA-2,mitigates,1 +2772,,T1611,Escape to Host,[],[],,IA-2,mitigates,1 +2773,,T1613,Container and Resource Discovery,[],[],,IA-2,mitigates,1 +2774,,T1619,Cloud Storage Object Discovery,[],[],,IA-2,mitigates,1 +2775,,T1530,Data from Cloud Storage Object,[],[],,IA-3,mitigates,1 +2776,,T1537,Transfer Data to Cloud Account,[],[],,IA-3,mitigates,1 +2777,,T1552,Unsecured Credentials,[],[],,IA-3,mitigates,1 +2778,,T1552.005,Cloud Instance Metadata API,[],[],,IA-3,mitigates,1 +2779,,T1602,Data from Configuration Repository,[],[],,IA-3,mitigates,1 +2780,,T1602.001,SNMP (MIB Dump),[],[],,IA-3,mitigates,1 +2781,,T1602.002,Network Device Configuration Dump,[],[],,IA-3,mitigates,1 +2782,,T1003,OS Credential Dumping,[],[],,IA-4,mitigates,1 +2783,,T1003.005,Cached Domain Credentials,[],[],,IA-4,mitigates,1 +2784,,T1003.006,DCSync,[],[],,IA-4,mitigates,1 +2785,,T1021.001,Remote Desktop Protocol,[],[],,IA-4,mitigates,1 +2786,,T1021.005,VNC,[],[],,IA-4,mitigates,1 +2787,,T1053,Scheduled Task/Job,[],[],,IA-4,mitigates,1 +2788,,T1053.002,At (Windows),[],[],,IA-4,mitigates,1 +2789,,T1053.005,Scheduled Task,[],[],,IA-4,mitigates,1 +2790,,T1110,Brute Force,[],[],,IA-4,mitigates,1 +2791,,T1110.001,Password Guessing,[],[],,IA-4,mitigates,1 +2792,,T1110.002,Password 
Cracking,[],[],,IA-4,mitigates,1 +2793,,T1110.003,Password Spraying,[],[],,IA-4,mitigates,1 +2794,,T1110.004,Credential Stuffing,[],[],,IA-4,mitigates,1 +2795,,T1213,Data from Information Repositories,[],[],,IA-4,mitigates,1 +2796,,T1213.001,Confluence,[],[],,IA-4,mitigates,1 +2797,,T1213.002,Sharepoint,[],[],,IA-4,mitigates,1 +2798,,T1528,Steal Application Access Token,[],[],,IA-4,mitigates,1 +2799,,T1530,Data from Cloud Storage Object,[],[],,IA-4,mitigates,1 +2800,,T1537,Transfer Data to Cloud Account,[],[],,IA-4,mitigates,1 +2801,,T1543,Create or Modify System Process,[],[],,IA-4,mitigates,1 +2802,,T1547.006,Kernel Modules and Extensions,[],[],,IA-4,mitigates,1 +2803,,T1550.001,Application Access Token,[],[],,IA-4,mitigates,1 +2804,,T1552,Unsecured Credentials,[],[],,IA-4,mitigates,1 +2805,,T1552.005,Cloud Instance Metadata API,[],[],,IA-4,mitigates,1 +2806,,T1562,Impair Defenses,[],[],,IA-4,mitigates,1 +2807,,T1563,Remote Service Session Hijacking,[],[],,IA-4,mitigates,1 +2808,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-4,mitigates,1 +2809,,T1578.001,Create Snapshot,[],[],,IA-4,mitigates,1 +2810,,T1578.002,Create Cloud Instance,[],[],,IA-4,mitigates,1 +2811,,T1578.003,Delete Cloud Instance,[],[],,IA-4,mitigates,1 +2812,,T1602,Data from Configuration Repository,[],[],,IA-4,mitigates,1 +2813,,T1602.001,SNMP (MIB Dump),[],[],,IA-4,mitigates,1 +2814,,T1602.002,Network Device Configuration Dump,[],[],,IA-4,mitigates,1 +2815,,T1003,OS Credential Dumping,[],[],,IA-5,mitigates,1 +2816,,T1003.001,LSASS Memory,[],[],,IA-5,mitigates,1 +2817,,T1003.002,Security Account Manager,[],[],,IA-5,mitigates,1 +2818,,T1003.003,NTDS,[],[],,IA-5,mitigates,1 +2819,,T1003.004,LSA Secrets,[],[],,IA-5,mitigates,1 +2820,,T1003.005,Cached Domain Credentials,[],[],,IA-5,mitigates,1 +2821,,T1003.006,DCSync,[],[],,IA-5,mitigates,1 +2822,,T1003.007,Proc Filesystem,[],[],,IA-5,mitigates,1 +2823,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-5,mitigates,1 +2824,,T1021,Remote 
Services,[],[],,IA-5,mitigates,1 +2825,,T1021.001,Remote Desktop Protocol,[],[],,IA-5,mitigates,1 +2826,,T1021.004,SSH,[],[],,IA-5,mitigates,1 +2827,,T1040,Network Sniffing,[],[],,IA-5,mitigates,1 +2828,,T1072,Software Deployment Tools,[],[],,IA-5,mitigates,1 +2829,,T1078,Valid Accounts,[],[],,IA-5,mitigates,1 +2830,,T1078.002,Domain Accounts,[],[],,IA-5,mitigates,1 +2831,,T1078.004,Cloud Accounts,[],[],,IA-5,mitigates,1 +2832,,T1098.001,Additional Cloud Credentials,[],[],,IA-5,mitigates,1 +2833,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-5,mitigates,1 +2834,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-5,mitigates,1 +2835,,T1110,Brute Force,[],[],,IA-5,mitigates,1 +2836,,T1110.001,Password Guessing,[],[],,IA-5,mitigates,1 +2837,,T1110.002,Password Cracking,[],[],,IA-5,mitigates,1 +2838,,T1110.003,Password Spraying,[],[],,IA-5,mitigates,1 +2839,,T1110.004,Credential Stuffing,[],[],,IA-5,mitigates,1 +2840,,T1111,Two-Factor Authentication Interception,[],[],,IA-5,mitigates,1 +2841,,T1114,Email Collection,[],[],,IA-5,mitigates,1 +2842,,T1114.002,Remote Email Collection,[],[],,IA-5,mitigates,1 +2843,,T1133,External Remote Services,[],[],,IA-5,mitigates,1 +2844,,T1136,Create Account,[],[],,IA-5,mitigates,1 +2845,,T1136.001,Local Account,[],[],,IA-5,mitigates,1 +2846,,T1136.002,Domain Account,[],[],,IA-5,mitigates,1 +2847,,T1136.003,Cloud Account,[],[],,IA-5,mitigates,1 +2848,,T1528,Steal Application Access Token,[],[],,IA-5,mitigates,1 +2849,,T1530,Data from Cloud Storage Object,[],[],,IA-5,mitigates,1 +2850,,T1539,Steal Web Session Cookie,[],[],,IA-5,mitigates,1 +2851,,T1550.003,Pass the Ticket,[],[],,IA-5,mitigates,1 +2852,,T1552,Unsecured Credentials,[],[],,IA-5,mitigates,1 +2853,,T1552.001,Credentials In Files,[],[],,IA-5,mitigates,1 +2854,,T1552.002,Credentials in Registry,[],[],,IA-5,mitigates,1 +2855,,T1552.004,Private Keys,[],[],,IA-5,mitigates,1 +2856,,T1552.006,Group Policy Preferences,[],[],,IA-5,mitigates,1 
+2857,,T1555,Credentials from Password Stores,[],[],,IA-5,mitigates,1 +2858,,T1555.001,Keychain,[],[],,IA-5,mitigates,1 +2859,,T1555.002,Securityd Memory,[],[],,IA-5,mitigates,1 +2860,,T1555.004,Windows Credential Manager,[],[],,IA-5,mitigates,1 +2861,,T1555.005,Password Managers,[],[],,IA-5,mitigates,1 +2862,,T1556,Modify Authentication Process,[],[],,IA-5,mitigates,1 +2863,,T1556.001,Domain Controller Authentication,[],[],,IA-5,mitigates,1 +2864,,T1556.003,Pluggable Authentication Modules,[],[],,IA-5,mitigates,1 +2865,,T1556.004,Network Device Authentication,[],[],,IA-5,mitigates,1 +2866,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-5,mitigates,1 +2867,,T1558.001,Golden Ticket,[],[],,IA-5,mitigates,1 +2868,,T1558.002,Silver Ticket,[],[],,IA-5,mitigates,1 +2869,,T1558.003,Kerberoasting,[],[],,IA-5,mitigates,1 +2870,,T1558.004,AS-REP Roasting,[],[],,IA-5,mitigates,1 +2871,,T1563.001,SSH Hijacking,[],[],,IA-5,mitigates,1 +2872,,T1599,Network Boundary Bridging,[],[],,IA-5,mitigates,1 +2873,,T1599.001,Network Address Translation Traversal,[],[],,IA-5,mitigates,1 +2874,,T1601,Modify System Image,[],[],,IA-5,mitigates,1 +2875,,T1601.001,Patch System Image,[],[],,IA-5,mitigates,1 +2876,,T1601.002,Downgrade System Image,[],[],,IA-5,mitigates,1 +2877,,T1021.001,Remote Desktop Protocol,[],[],,IA-6,mitigates,1 +2878,,T1021.005,VNC,[],[],,IA-6,mitigates,1 +2879,,T1530,Data from Cloud Storage Object,[],[],,IA-6,mitigates,1 +2880,,T1563,Remote Service Session Hijacking,[],[],,IA-6,mitigates,1 +2881,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-6,mitigates,1 +2882,,T1578.001,Create Snapshot,[],[],,IA-6,mitigates,1 +2883,,T1578.002,Create Cloud Instance,[],[],,IA-6,mitigates,1 +2884,,T1578.003,Delete Cloud Instance,[],[],,IA-6,mitigates,1 +2885,,T1195.003,Compromise Hardware Supply Chain,[],[],,IA-7,mitigates,1 +2886,,T1495,Firmware Corruption,[],[],,IA-7,mitigates,1 +2887,,T1542,Pre-OS Boot,[],[],,IA-7,mitigates,1 +2888,,T1542.001,System 
Firmware,[],[],,IA-7,mitigates,1 +2889,,T1542.003,Bootkit,[],[],,IA-7,mitigates,1 +2890,,T1542.004,ROMMONkit,[],[],,IA-7,mitigates,1 +2891,,T1542.005,TFTP Boot,[],[],,IA-7,mitigates,1 +2892,,T1553,Subvert Trust Controls,[],[],,IA-7,mitigates,1 +2893,,T1553.006,Code Signing Policy Modification,[],[],,IA-7,mitigates,1 +2894,,T1601,Modify System Image,[],[],,IA-7,mitigates,1 +2895,,T1601.001,Patch System Image,[],[],,IA-7,mitigates,1 +2896,,T1601.002,Downgrade System Image,[],[],,IA-7,mitigates,1 +2897,,T1053,Scheduled Task/Job,[],[],,IA-8,mitigates,1 +2898,,T1053.007,Container Orchestration Job,[],[],,IA-8,mitigates,1 +2899,,T1059,Command and Scripting Interpreter,[],[],,IA-8,mitigates,1 +2900,,T1059.001,PowerShell,[],[],,IA-8,mitigates,1 +2901,,T1059.008,Network Device CLI,[],[],,IA-8,mitigates,1 +2902,,T1087.004,Cloud Account,[],[],,IA-8,mitigates,1 +2903,,T1190,Exploit Public-Facing Application,[],[],,IA-8,mitigates,1 +2904,,T1210,Exploitation of Remote Services,[],[],,IA-8,mitigates,1 +2905,,T1213,Data from Information Repositories,[],[],,IA-8,mitigates,1 +2906,,T1213.001,Confluence,[],[],,IA-8,mitigates,1 +2907,,T1213.002,Sharepoint,[],[],,IA-8,mitigates,1 +2908,,T1528,Steal Application Access Token,[],[],,IA-8,mitigates,1 +2909,,T1530,Data from Cloud Storage Object,[],[],,IA-8,mitigates,1 +2910,,T1537,Transfer Data to Cloud Account,[],[],,IA-8,mitigates,1 +2911,,T1538,Cloud Service Dashboard,[],[],,IA-8,mitigates,1 +2912,,T1542,Pre-OS Boot,[],[],,IA-8,mitigates,1 +2913,,T1542.001,System Firmware,[],[],,IA-8,mitigates,1 +2914,,T1542.003,Bootkit,[],[],,IA-8,mitigates,1 +2915,,T1542.005,TFTP Boot,[],[],,IA-8,mitigates,1 +2916,,T1547.006,Kernel Modules and Extensions,[],[],,IA-8,mitigates,1 +2917,,T1036,Masquerading,[],[],,IA-9,mitigates,1 +2918,,T1036.001,Invalid Code Signature,[],[],,IA-9,mitigates,1 +2919,,T1036.005,Match Legitimate Name or Location,[],[],,IA-9,mitigates,1 +2920,,T1059,Command and Scripting Interpreter,[],[],,IA-9,mitigates,1 
+2921,,T1059.001,PowerShell,[],[],,IA-9,mitigates,1 +2922,,T1059.002,AppleScript,[],[],,IA-9,mitigates,1 +2923,,T1213.003,Code Repositories,[],[],,IA-9,mitigates,1 +2924,,T1525,Implant Internal Image,[],[],,IA-9,mitigates,1 +2925,,T1546,Event Triggered Execution,[],[],,IA-9,mitigates,1 +2926,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,IA-9,mitigates,1 +2927,,T1546.013,PowerShell Profile,[],[],,IA-9,mitigates,1 +2928,,T1553,Subvert Trust Controls,[],[],,IA-9,mitigates,1 +2929,,T1553.004,Install Root Certificate,[],[],,IA-9,mitigates,1 +2930,,T1554,Compromise Client Software Binary,[],[],,IA-9,mitigates,1 +2931,,T1562.006,Indicator Blocking,[],[],,IA-9,mitigates,1 +2932,,T1562.009,Safe Mode Boot,[],[],,IA-9,mitigates,1 +2933,,T1566,Phishing,[],[],,IA-9,mitigates,1 +2934,,T1566.001,Spearphishing Attachment,[],[],,IA-9,mitigates,1 +2935,,T1566.002,Spearphishing Link,[],[],,IA-9,mitigates,1 +2936,,T1598,Phishing for Information,[],[],,IA-9,mitigates,1 +2937,,T1598.002,Spearphishing Attachment,[],[],,IA-9,mitigates,1 +2938,,T1598.003,Spearphishing Link,[],[],,IA-9,mitigates,1 +2939,,T1564.008,Email Hiding Rules,[],[],,IR-5,mitigates,1 +2940,,T1025,Data from Removable Media,[],[],,MP-7,mitigates,1 +2941,,T1052,Exfiltration Over Physical Medium,[],[],,MP-7,mitigates,1 +2942,,T1052.001,Exfiltration over USB,[],[],,MP-7,mitigates,1 +2943,,T1091,Replication Through Removable Media,[],[],,MP-7,mitigates,1 +2944,,T1092,Communication Through Removable Media,[],[],,MP-7,mitigates,1 +2945,,T1200,Hardware Additions,[],[],,MP-7,mitigates,1 +2946,,T1068,Exploitation for Privilege Escalation,[],[],,RA-10,mitigates,1 +2947,,T1190,Exploit Public-Facing Application,[],[],,RA-10,mitigates,1 +2948,,T1195,Supply Chain Compromise,[],[],,RA-10,mitigates,1 +2949,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-10,mitigates,1 +2950,,T1195.002,Compromise Software Supply Chain,[],[],,RA-10,mitigates,1 +2951,,T1210,Exploitation of Remote Services,[],[],,RA-10,mitigates,1 
+2952,,T1211,Exploitation for Defense Evasion,[],[],,RA-10,mitigates,1 +2953,,T1212,Exploitation for Credential Access,[],[],,RA-10,mitigates,1 +2954,,T1011.001,Exfiltration Over Bluetooth,[],[],,RA-5,mitigates,1 +2955,,T1021.001,Remote Desktop Protocol,[],[],,RA-5,mitigates,1 +2956,,T1021.003,Distributed Component Object Model,[],[],,RA-5,mitigates,1 +2957,,T1021.004,SSH,[],[],,RA-5,mitigates,1 +2958,,T1021.005,VNC,[],[],,RA-5,mitigates,1 +2959,,T1021.006,Windows Remote Management,[],[],,RA-5,mitigates,1 +2960,,T1046,Network Service Scanning,[],[],,RA-5,mitigates,1 +2961,,T1047,Windows Management Instrumentation,[],[],,RA-5,mitigates,1 +2962,,T1052,Exfiltration Over Physical Medium,[],[],,RA-5,mitigates,1 +2963,,T1052.001,Exfiltration over USB,[],[],,RA-5,mitigates,1 +2964,,T1053,Scheduled Task/Job,[],[],,RA-5,mitigates,1 +2965,,T1053.001,At (Linux),[],[],,RA-5,mitigates,1 +2966,,T1053.002,At (Windows),[],[],,RA-5,mitigates,1 +2967,,T1053.003,Cron,[],[],,RA-5,mitigates,1 +2968,,T1053.005,Scheduled Task,[],[],,RA-5,mitigates,1 +2969,,T1059,Command and Scripting Interpreter,[],[],,RA-5,mitigates,1 +2970,,T1059.001,PowerShell,[],[],,RA-5,mitigates,1 +2971,,T1059.005,Visual Basic,[],[],,RA-5,mitigates,1 +2972,,T1059.007,JavaScript,[],[],,RA-5,mitigates,1 +2973,,T1068,Exploitation for Privilege Escalation,[],[],,RA-5,mitigates,1 +2974,,T1078,Valid Accounts,[],[],,RA-5,mitigates,1 +2975,,T1091,Replication Through Removable Media,[],[],,RA-5,mitigates,1 +2976,,T1092,Communication Through Removable Media,[],[],,RA-5,mitigates,1 +2977,,T1098.004,SSH Authorized Keys,[],[],,RA-5,mitigates,1 +2978,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,RA-5,mitigates,1 +2979,,T1127.001,MSBuild,[],[],,RA-5,mitigates,1 +2980,,T1133,External Remote Services,[],[],,RA-5,mitigates,1 +2981,,T1137,Office Application Startup,[],[],,RA-5,mitigates,1 +2982,,T1137.001,Office Template Macros,[],[],,RA-5,mitigates,1 +2983,,T1176,Browser Extensions,[],[],,RA-5,mitigates,1 
+2984,,T1190,Exploit Public-Facing Application,[],[],,RA-5,mitigates,1 +2985,,T1195,Supply Chain Compromise,[],[],,RA-5,mitigates,1 +2986,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-5,mitigates,1 +2987,,T1195.002,Compromise Software Supply Chain,[],[],,RA-5,mitigates,1 +2988,,T1204.003,Malicious Image,[],[],,RA-5,mitigates,1 +2989,,T1210,Exploitation of Remote Services,[],[],,RA-5,mitigates,1 +2990,,T1211,Exploitation for Defense Evasion,[],[],,RA-5,mitigates,1 +2991,,T1212,Exploitation for Credential Access,[],[],,RA-5,mitigates,1 +2992,,T1213,Data from Information Repositories,[],[],,RA-5,mitigates,1 +2993,,T1213.001,Confluence,[],[],,RA-5,mitigates,1 +2994,,T1213.002,Sharepoint,[],[],,RA-5,mitigates,1 +2995,,T1213.003,Code Repositories,[],[],,RA-5,mitigates,1 +2996,,T1218,Signed Binary Proxy Execution,[],[],,RA-5,mitigates,1 +2997,,T1218.003,CMSTP,[],[],,RA-5,mitigates,1 +2998,,T1218.004,InstallUtil,[],[],,RA-5,mitigates,1 +2999,,T1218.005,Mshta,[],[],,RA-5,mitigates,1 +3000,,T1218.008,Odbcconf,[],[],,RA-5,mitigates,1 +3001,,T1218.009,Regsvcs/Regasm,[],[],,RA-5,mitigates,1 +3002,,T1218.012,Verclsid,[],[],,RA-5,mitigates,1 +3003,,T1218.013,Mavinject,[],[],,RA-5,mitigates,1 +3004,,T1218.014,MMC,[],[],,RA-5,mitigates,1 +3005,,T1221,Template Injection,[],[],,RA-5,mitigates,1 +3006,,T1482,Domain Trust Discovery,[],[],,RA-5,mitigates,1 +3007,,T1484,Domain Policy Modification,[],[],,RA-5,mitigates,1 +3008,,T1505,Server Software Component,[],[],,RA-5,mitigates,1 +3009,,T1505.001,SQL Stored Procedures,[],[],,RA-5,mitigates,1 +3010,,T1505.002,Transport Agent,[],[],,RA-5,mitigates,1 +3011,,T1505.003,Web Shell,[],[],,RA-5,mitigates,1 +3012,,T1505.004,IIS Components,[],[],,RA-5,mitigates,1 +3013,,T1525,Implant Internal Image,[],[],,RA-5,mitigates,1 +3014,,T1528,Steal Application Access Token,[],[],,RA-5,mitigates,1 +3015,,T1530,Data from Cloud Storage Object,[],[],,RA-5,mitigates,1 +3016,,T1542.004,ROMMONkit,[],[],,RA-5,mitigates,1 
+3017,,T1542.005,TFTP Boot,[],[],,RA-5,mitigates,1 +3018,,T1543,Create or Modify System Process,[],[],,RA-5,mitigates,1 +3019,,T1546.002,Screensaver,[],[],,RA-5,mitigates,1 +3020,,T1546.014,Emond,[],[],,RA-5,mitigates,1 +3021,,T1547.006,Kernel Modules and Extensions,[],[],,RA-5,mitigates,1 +3022,,T1547.007,Re-opened Applications,[],[],,RA-5,mitigates,1 +3023,,T1547.008,LSASS Driver,[],[],,RA-5,mitigates,1 +3024,,T1548,Abuse Elevation Control Mechanism,[],[],,RA-5,mitigates,1 +3025,,T1548.002,Bypass User Account Control,[],[],,RA-5,mitigates,1 +3026,,T1548.003,Sudo and Sudo Caching,[],[],,RA-5,mitigates,1 +3027,,T1552,Unsecured Credentials,[],[],,RA-5,mitigates,1 +3028,,T1552.001,Credentials In Files,[],[],,RA-5,mitigates,1 +3029,,T1552.002,Credentials in Registry,[],[],,RA-5,mitigates,1 +3030,,T1552.004,Private Keys,[],[],,RA-5,mitigates,1 +3031,,T1552.006,Group Policy Preferences,[],[],,RA-5,mitigates,1 +3032,,T1557,Adversary-in-the-Middle,[],[],,RA-5,mitigates,1 +3033,,T1558.004,AS-REP Roasting,[],[],,RA-5,mitigates,1 +3034,,T1559,Inter-Process Communication,[],[],,RA-5,mitigates,1 +3035,,T1559.002,Dynamic Data Exchange,[],[],,RA-5,mitigates,1 +3036,,T1560,Archive Collected Data,[],[],,RA-5,mitigates,1 +3037,,T1560.001,Archive via Utility,[],[],,RA-5,mitigates,1 +3038,,T1562,Impair Defenses,[],[],,RA-5,mitigates,1 +3039,,T1562.010,Downgrade Attack,[],[],,RA-5,mitigates,1 +3040,,T1563,Remote Service Session Hijacking,[],[],,RA-5,mitigates,1 +3041,,T1563.001,SSH Hijacking,[],[],,RA-5,mitigates,1 +3042,,T1563.002,RDP Hijacking,[],[],,RA-5,mitigates,1 +3043,,T1574,Hijack Execution Flow,[],[],,RA-5,mitigates,1 +3044,,T1574.001,DLL Search Order Hijacking,[],[],,RA-5,mitigates,1 +3045,,T1574.004,Dylib Hijacking,[],[],,RA-5,mitigates,1 +3046,,T1574.005,Executable Installer File Permissions Weakness,[],[],,RA-5,mitigates,1 +3047,,T1574.007,Path Interception by PATH Environment Variable,[],[],,RA-5,mitigates,1 +3048,,T1574.008,Path Interception by Search Order 
Hijacking,[],[],,RA-5,mitigates,1 +3049,,T1574.009,Path Interception by Unquoted Path,[],[],,RA-5,mitigates,1 +3050,,T1574.010,Services File Permissions Weakness,[],[],,RA-5,mitigates,1 +3051,,T1578,Modify Cloud Compute Infrastructure,[],[],,RA-5,mitigates,1 +3052,,T1578.001,Create Snapshot,[],[],,RA-5,mitigates,1 +3053,,T1578.002,Create Cloud Instance,[],[],,RA-5,mitigates,1 +3054,,T1578.003,Delete Cloud Instance,[],[],,RA-5,mitigates,1 +3055,,T1612,Build Image on Host,[],[],,RA-5,mitigates,1 +3056,,T1195.003,Compromise Hardware Supply Chain,[],[],,RA-9,mitigates,1 +3057,,T1495,Firmware Corruption,[],[],,RA-9,mitigates,1 +3058,,T1542,Pre-OS Boot,[],[],,RA-9,mitigates,1 +3059,,T1542.001,System Firmware,[],[],,RA-9,mitigates,1 +3060,,T1542.003,Bootkit,[],[],,RA-9,mitigates,1 +3061,,T1542.004,ROMMONkit,[],[],,RA-9,mitigates,1 +3062,,T1542.005,TFTP Boot,[],[],,RA-9,mitigates,1 +3063,,T1553,Subvert Trust Controls,[],[],,RA-9,mitigates,1 +3064,,T1553.006,Code Signing Policy Modification,[],[],,RA-9,mitigates,1 +3065,,T1601,Modify System Image,[],[],,RA-9,mitigates,1 +3066,,T1601.001,Patch System Image,[],[],,RA-9,mitigates,1 +3067,,T1601.002,Downgrade System Image,[],[],,RA-9,mitigates,1 +3068,,T1078,Valid Accounts,[],[],,SA-10,mitigates,1 +3069,,T1078.001,Default Accounts,[],[],,SA-10,mitigates,1 +3070,,T1078.003,Local Accounts,[],[],,SA-10,mitigates,1 +3071,,T1078.004,Cloud Accounts,[],[],,SA-10,mitigates,1 +3072,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-10,mitigates,1 +3073,,T1213.003,Code Repositories,[],[],,SA-10,mitigates,1 +3074,,T1495,Firmware Corruption,[],[],,SA-10,mitigates,1 +3075,,T1505,Server Software Component,[],[],,SA-10,mitigates,1 +3076,,T1505.001,SQL Stored Procedures,[],[],,SA-10,mitigates,1 +3077,,T1505.002,Transport Agent,[],[],,SA-10,mitigates,1 +3078,,T1505.004,IIS Components,[],[],,SA-10,mitigates,1 +3079,,T1542,Pre-OS Boot,[],[],,SA-10,mitigates,1 +3080,,T1542.001,System Firmware,[],[],,SA-10,mitigates,1 
+3081,,T1542.003,Bootkit,[],[],,SA-10,mitigates,1 +3082,,T1542.004,ROMMONkit,[],[],,SA-10,mitigates,1 +3083,,T1542.005,TFTP Boot,[],[],,SA-10,mitigates,1 +3084,,T1547.011,Plist Modification,[],[],,SA-10,mitigates,1 +3085,,T1553,Subvert Trust Controls,[],[],,SA-10,mitigates,1 +3086,,T1553.006,Code Signing Policy Modification,[],[],,SA-10,mitigates,1 +3087,,T1564.009,Resource Forking,[],[],,SA-10,mitigates,1 +3088,,T1574.002,DLL Side-Loading,[],[],,SA-10,mitigates,1 +3089,,T1601,Modify System Image,[],[],,SA-10,mitigates,1 +3090,,T1601.001,Patch System Image,[],[],,SA-10,mitigates,1 +3091,,T1601.002,Downgrade System Image,[],[],,SA-10,mitigates,1 +3092,,T1078,Valid Accounts,[],[],,SA-11,mitigates,1 +3093,,T1078.001,Default Accounts,[],[],,SA-11,mitigates,1 +3094,,T1078.003,Local Accounts,[],[],,SA-11,mitigates,1 +3095,,T1078.004,Cloud Accounts,[],[],,SA-11,mitigates,1 +3096,,T1134.005,SID-History Injection,[],[],,SA-11,mitigates,1 +3097,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-11,mitigates,1 +3098,,T1213.003,Code Repositories,[],[],,SA-11,mitigates,1 +3099,,T1495,Firmware Corruption,[],[],,SA-11,mitigates,1 +3100,,T1505,Server Software Component,[],[],,SA-11,mitigates,1 +3101,,T1505.001,SQL Stored Procedures,[],[],,SA-11,mitigates,1 +3102,,T1505.002,Transport Agent,[],[],,SA-11,mitigates,1 +3103,,T1505.004,IIS Components,[],[],,SA-11,mitigates,1 +3104,,T1528,Steal Application Access Token,[],[],,SA-11,mitigates,1 +3105,,T1542,Pre-OS Boot,[],[],,SA-11,mitigates,1 +3106,,T1542.001,System Firmware,[],[],,SA-11,mitigates,1 +3107,,T1542.003,Bootkit,[],[],,SA-11,mitigates,1 +3108,,T1542.004,ROMMONkit,[],[],,SA-11,mitigates,1 +3109,,T1542.005,TFTP Boot,[],[],,SA-11,mitigates,1 +3110,,T1547.011,Plist Modification,[],[],,SA-11,mitigates,1 +3111,,T1552,Unsecured Credentials,[],[],,SA-11,mitigates,1 +3112,,T1552.001,Credentials In Files,[],[],,SA-11,mitigates,1 +3113,,T1552.002,Credentials in Registry,[],[],,SA-11,mitigates,1 +3114,,T1552.004,Private 
Keys,[],[],,SA-11,mitigates,1 +3115,,T1552.006,Group Policy Preferences,[],[],,SA-11,mitigates,1 +3116,,T1553,Subvert Trust Controls,[],[],,SA-11,mitigates,1 +3117,,T1553.006,Code Signing Policy Modification,[],[],,SA-11,mitigates,1 +3118,,T1558.004,AS-REP Roasting,[],[],,SA-11,mitigates,1 +3119,,T1574.002,DLL Side-Loading,[],[],,SA-11,mitigates,1 +3120,,T1601,Modify System Image,[],[],,SA-11,mitigates,1 +3121,,T1601.001,Patch System Image,[],[],,SA-11,mitigates,1 +3122,,T1601.002,Downgrade System Image,[],[],,SA-11,mitigates,1 +3123,,T1612,Build Image on Host,[],[],,SA-11,mitigates,1 +3124,,T1078,Valid Accounts,[],[],,SA-15,mitigates,1 +3125,,T1078.001,Default Accounts,[],[],,SA-15,mitigates,1 +3126,,T1078.003,Local Accounts,[],[],,SA-15,mitigates,1 +3127,,T1078.004,Cloud Accounts,[],[],,SA-15,mitigates,1 +3128,,T1213.003,Code Repositories,[],[],,SA-15,mitigates,1 +3129,,T1528,Steal Application Access Token,[],[],,SA-15,mitigates,1 +3130,,T1552,Unsecured Credentials,[],[],,SA-15,mitigates,1 +3131,,T1552.001,Credentials In Files,[],[],,SA-15,mitigates,1 +3132,,T1552.002,Credentials in Registry,[],[],,SA-15,mitigates,1 +3133,,T1552.004,Private Keys,[],[],,SA-15,mitigates,1 +3134,,T1552.006,Group Policy Preferences,[],[],,SA-15,mitigates,1 +3135,,T1558.004,AS-REP Roasting,[],[],,SA-15,mitigates,1 +3136,,T1574.002,DLL Side-Loading,[],[],,SA-15,mitigates,1 +3137,,T1078,Valid Accounts,[],[],,SA-16,mitigates,1 +3138,,T1078.001,Default Accounts,[],[],,SA-16,mitigates,1 +3139,,T1078.003,Local Accounts,[],[],,SA-16,mitigates,1 +3140,,T1078.004,Cloud Accounts,[],[],,SA-16,mitigates,1 +3141,,T1574.002,DLL Side-Loading,[],[],,SA-16,mitigates,1 +3142,,T1078,Valid Accounts,[],[],,SA-17,mitigates,1 +3143,,T1078.001,Default Accounts,[],[],,SA-17,mitigates,1 +3144,,T1078.003,Local Accounts,[],[],,SA-17,mitigates,1 +3145,,T1078.004,Cloud Accounts,[],[],,SA-17,mitigates,1 +3146,,T1134.005,SID-History Injection,[],[],,SA-17,mitigates,1 +3147,,T1482,Domain Trust 
Discovery,[],[],,SA-17,mitigates,1 +3148,,T1574.002,DLL Side-Loading,[],[],,SA-17,mitigates,1 +3149,,T1189,Drive-by Compromise,[],[],,SA-22,mitigates,1 +3150,,T1195,Supply Chain Compromise,[],[],,SA-22,mitigates,1 +3151,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SA-22,mitigates,1 +3152,,T1195.002,Compromise Software Supply Chain,[],[],,SA-22,mitigates,1 +3153,,T1543,Create or Modify System Process,[],[],,SA-22,mitigates,1 +3154,,T1543.002,Systemd Service,[],[],,SA-22,mitigates,1 +3155,,T1078,Valid Accounts,[],[],,SA-3,mitigates,1 +3156,,T1078.001,Default Accounts,[],[],,SA-3,mitigates,1 +3157,,T1078.003,Local Accounts,[],[],,SA-3,mitigates,1 +3158,,T1078.004,Cloud Accounts,[],[],,SA-3,mitigates,1 +3159,,T1213.003,Code Repositories,[],[],,SA-3,mitigates,1 +3160,,T1574.002,DLL Side-Loading,[],[],,SA-3,mitigates,1 +3161,,T1078,Valid Accounts,[],[],,SA-4,mitigates,1 +3162,,T1078.001,Default Accounts,[],[],,SA-4,mitigates,1 +3163,,T1078.003,Local Accounts,[],[],,SA-4,mitigates,1 +3164,,T1078.004,Cloud Accounts,[],[],,SA-4,mitigates,1 +3165,,T1134.005,SID-History Injection,[],[],,SA-4,mitigates,1 +3166,,T1574.002,DLL Side-Loading,[],[],,SA-4,mitigates,1 +3167,,T1005,Data from Local System,[],[],,SA-8,mitigates,1 +3168,,T1025,Data from Removable Media,[],[],,SA-8,mitigates,1 +3169,,T1041,Exfiltration Over C2 Channel,[],[],,SA-8,mitigates,1 +3170,,T1048,Exfiltration Over Alternative Protocol,[],[],,SA-8,mitigates,1 +3171,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SA-8,mitigates,1 +3172,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SA-8,mitigates,1 +3173,,T1052,Exfiltration Over Physical Medium,[],[],,SA-8,mitigates,1 +3174,,T1052.001,Exfiltration over USB,[],[],,SA-8,mitigates,1 +3175,,T1078,Valid Accounts,[],[],,SA-8,mitigates,1 +3176,,T1078.001,Default Accounts,[],[],,SA-8,mitigates,1 +3177,,T1078.003,Local Accounts,[],[],,SA-8,mitigates,1 +3178,,T1078.004,Cloud 
Accounts,[],[],,SA-8,mitigates,1 +3179,,T1134.005,SID-History Injection,[],[],,SA-8,mitigates,1 +3180,,T1190,Exploit Public-Facing Application,[],[],,SA-8,mitigates,1 +3181,,T1213.003,Code Repositories,[],[],,SA-8,mitigates,1 +3182,,T1482,Domain Trust Discovery,[],[],,SA-8,mitigates,1 +3183,,T1547.011,Plist Modification,[],[],,SA-8,mitigates,1 +3184,,T1567,Exfiltration Over Web Service,[],[],,SA-8,mitigates,1 +3185,,T1574.002,DLL Side-Loading,[],[],,SA-8,mitigates,1 +3186,,T1041,Exfiltration Over C2 Channel,[],[],,SA-9,mitigates,1 +3187,,T1048,Exfiltration Over Alternative Protocol,[],[],,SA-9,mitigates,1 +3188,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SA-9,mitigates,1 +3189,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SA-9,mitigates,1 +3190,,T1567,Exfiltration Over Web Service,[],[],,SA-9,mitigates,1 +3191,,T1071,Application Layer Protocol,[],[],,SC-10,mitigates,1 +3192,,T1071.001,Web Protocols,[],[],,SC-10,mitigates,1 +3193,,T1071.002,File Transfer Protocols,[],[],,SC-10,mitigates,1 +3194,,T1071.003,Mail Protocols,[],[],,SC-10,mitigates,1 +3195,,T1071.004,DNS,[],[],,SC-10,mitigates,1 +3196,,T1072,Software Deployment Tools,[],[],,SC-12,mitigates,1 +3197,,T1098.004,SSH Authorized Keys,[],[],,SC-12,mitigates,1 +3198,,T1552,Unsecured Credentials,[],[],,SC-12,mitigates,1 +3199,,T1552.001,Credentials In Files,[],[],,SC-12,mitigates,1 +3200,,T1552.002,Credentials in Registry,[],[],,SC-12,mitigates,1 +3201,,T1552.004,Private Keys,[],[],,SC-12,mitigates,1 +3202,,T1563.001,SSH Hijacking,[],[],,SC-12,mitigates,1 +3203,,T1573,Encrypted Channel,[],[],,SC-12,mitigates,1 +3204,,T1573.001,Symmetric Cryptography,[],[],,SC-12,mitigates,1 +3205,,T1573.002,Asymmetric Cryptography,[],[],,SC-12,mitigates,1 +3206,,T1005,Data from Local System,[],[],,SC-13,mitigates,1 +3207,,T1025,Data from Removable Media,[],[],,SC-13,mitigates,1 +3208,,T1041,Exfiltration Over C2 Channel,[],[],,SC-13,mitigates,1 +3209,,T1048.003,Exfiltration 
Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-13,mitigates,1 +3210,,T1505,Server Software Component,[],[],,SC-16,mitigates,1 +3211,,T1505.002,Transport Agent,[],[],,SC-16,mitigates,1 +3212,,T1573,Encrypted Channel,[],[],,SC-16,mitigates,1 +3213,,T1573.001,Symmetric Cryptography,[],[],,SC-16,mitigates,1 +3214,,T1573.002,Asymmetric Cryptography,[],[],,SC-16,mitigates,1 +3215,,T1072,Software Deployment Tools,[],[],,SC-17,mitigates,1 +3216,,T1606,Forge Web Credentials,[],[],,SC-17,mitigates,1 +3217,,T1021.003,Distributed Component Object Model,[],[],,SC-18,mitigates,1 +3218,,T1055,Process Injection,[],[],,SC-18,mitigates,1 +3219,,T1055.001,Dynamic-link Library Injection,[],[],,SC-18,mitigates,1 +3220,,T1055.002,Portable Executable Injection,[],[],,SC-18,mitigates,1 +3221,,T1055.003,Thread Execution Hijacking,[],[],,SC-18,mitigates,1 +3222,,T1055.004,Asynchronous Procedure Call,[],[],,SC-18,mitigates,1 +3223,,T1055.005,Thread Local Storage,[],[],,SC-18,mitigates,1 +3224,,T1055.008,Ptrace System Calls,[],[],,SC-18,mitigates,1 +3225,,T1055.009,Proc Memory,[],[],,SC-18,mitigates,1 +3226,,T1055.011,Extra Window Memory Injection,[],[],,SC-18,mitigates,1 +3227,,T1055.012,Process Hollowing,[],[],,SC-18,mitigates,1 +3228,,T1055.013,Process Doppelgänging,[],[],,SC-18,mitigates,1 +3229,,T1055.014,VDSO Hijacking,[],[],,SC-18,mitigates,1 +3230,,T1059,Command and Scripting Interpreter,[],[],,SC-18,mitigates,1 +3231,,T1059.005,Visual Basic,[],[],,SC-18,mitigates,1 +3232,,T1059.007,JavaScript,[],[],,SC-18,mitigates,1 +3233,,T1068,Exploitation for Privilege Escalation,[],[],,SC-18,mitigates,1 +3234,,T1137,Office Application Startup,[],[],,SC-18,mitigates,1 +3235,,T1137.001,Office Template Macros,[],[],,SC-18,mitigates,1 +3236,,T1137.002,Office Test,[],[],,SC-18,mitigates,1 +3237,,T1137.003,Outlook Forms,[],[],,SC-18,mitigates,1 +3238,,T1137.004,Outlook Home Page,[],[],,SC-18,mitigates,1 +3239,,T1137.005,Outlook Rules,[],[],,SC-18,mitigates,1 
+3240,,T1137.006,Add-ins,[],[],,SC-18,mitigates,1 +3241,,T1189,Drive-by Compromise,[],[],,SC-18,mitigates,1 +3242,,T1190,Exploit Public-Facing Application,[],[],,SC-18,mitigates,1 +3243,,T1203,Exploitation for Client Execution,[],[],,SC-18,mitigates,1 +3244,,T1210,Exploitation of Remote Services,[],[],,SC-18,mitigates,1 +3245,,T1211,Exploitation for Defense Evasion,[],[],,SC-18,mitigates,1 +3246,,T1212,Exploitation for Credential Access,[],[],,SC-18,mitigates,1 +3247,,T1218.001,Compiled HTML File,[],[],,SC-18,mitigates,1 +3248,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-18,mitigates,1 +3249,,T1548.004,Elevated Execution with Prompt,[],[],,SC-18,mitigates,1 +3250,,T1559,Inter-Process Communication,[],[],,SC-18,mitigates,1 +3251,,T1559.001,Component Object Model,[],[],,SC-18,mitigates,1 +3252,,T1559.002,Dynamic Data Exchange,[],[],,SC-18,mitigates,1 +3253,,T1611,Escape to Host,[],[],,SC-18,mitigates,1 +3254,,T1068,Exploitation for Privilege Escalation,[],[],,SC-2,mitigates,1 +3255,,T1189,Drive-by Compromise,[],[],,SC-2,mitigates,1 +3256,,T1190,Exploit Public-Facing Application,[],[],,SC-2,mitigates,1 +3257,,T1203,Exploitation for Client Execution,[],[],,SC-2,mitigates,1 +3258,,T1210,Exploitation of Remote Services,[],[],,SC-2,mitigates,1 +3259,,T1211,Exploitation for Defense Evasion,[],[],,SC-2,mitigates,1 +3260,,T1212,Exploitation for Credential Access,[],[],,SC-2,mitigates,1 +3261,,T1611,Escape to Host,[],[],,SC-2,mitigates,1 +3262,,T1071,Application Layer Protocol,[],[],,SC-20,mitigates,1 +3263,,T1071.001,Web Protocols,[],[],,SC-20,mitigates,1 +3264,,T1071.002,File Transfer Protocols,[],[],,SC-20,mitigates,1 +3265,,T1071.003,Mail Protocols,[],[],,SC-20,mitigates,1 +3266,,T1071.004,DNS,[],[],,SC-20,mitigates,1 +3267,,T1553.004,Install Root Certificate,[],[],,SC-20,mitigates,1 +3268,,T1566,Phishing,[],[],,SC-20,mitigates,1 +3269,,T1566.001,Spearphishing Attachment,[],[],,SC-20,mitigates,1 +3270,,T1566.002,Spearphishing Link,[],[],,SC-20,mitigates,1 
+3271,,T1568,Dynamic Resolution,[],[],,SC-20,mitigates,1 +3272,,T1568.002,Domain Generation Algorithms,[],[],,SC-20,mitigates,1 +3273,,T1598,Phishing for Information,[],[],,SC-20,mitigates,1 +3274,,T1598.002,Spearphishing Attachment,[],[],,SC-20,mitigates,1 +3275,,T1598.003,Spearphishing Link,[],[],,SC-20,mitigates,1 +3276,,T1071,Application Layer Protocol,[],[],,SC-21,mitigates,1 +3277,,T1071.001,Web Protocols,[],[],,SC-21,mitigates,1 +3278,,T1071.002,File Transfer Protocols,[],[],,SC-21,mitigates,1 +3279,,T1071.003,Mail Protocols,[],[],,SC-21,mitigates,1 +3280,,T1071.004,DNS,[],[],,SC-21,mitigates,1 +3281,,T1568,Dynamic Resolution,[],[],,SC-21,mitigates,1 +3282,,T1568.002,Domain Generation Algorithms,[],[],,SC-21,mitigates,1 +3283,,T1071,Application Layer Protocol,[],[],,SC-22,mitigates,1 +3284,,T1071.001,Web Protocols,[],[],,SC-22,mitigates,1 +3285,,T1071.002,File Transfer Protocols,[],[],,SC-22,mitigates,1 +3286,,T1071.003,Mail Protocols,[],[],,SC-22,mitigates,1 +3287,,T1071.004,DNS,[],[],,SC-22,mitigates,1 +3288,,T1568,Dynamic Resolution,[],[],,SC-22,mitigates,1 +3289,,T1568.002,Domain Generation Algorithms,[],[],,SC-22,mitigates,1 +3290,,T1071,Application Layer Protocol,[],[],,SC-23,mitigates,1 +3291,,T1071.001,Web Protocols,[],[],,SC-23,mitigates,1 +3292,,T1071.002,File Transfer Protocols,[],[],,SC-23,mitigates,1 +3293,,T1071.003,Mail Protocols,[],[],,SC-23,mitigates,1 +3294,,T1071.004,DNS,[],[],,SC-23,mitigates,1 +3295,,T1185,Browser Session Hijacking,[],[],,SC-23,mitigates,1 +3296,,T1535,Unused/Unsupported Cloud Regions,[],[],,SC-23,mitigates,1 +3297,,T1550.004,Web Session Cookie,[],[],,SC-23,mitigates,1 +3298,,T1557,Adversary-in-the-Middle,[],[],,SC-23,mitigates,1 +3299,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-23,mitigates,1 +3300,,T1557.002,ARP Cache Poisoning,[],[],,SC-23,mitigates,1 +3301,,T1562.006,Indicator Blocking,[],[],,SC-23,mitigates,1 +3302,,T1562.009,Safe Mode Boot,[],[],,SC-23,mitigates,1 +3303,,T1563.001,SSH 
Hijacking,[],[],,SC-23,mitigates,1 +3304,,T1573,Encrypted Channel,[],[],,SC-23,mitigates,1 +3305,,T1573.001,Symmetric Cryptography,[],[],,SC-23,mitigates,1 +3306,,T1573.002,Asymmetric Cryptography,[],[],,SC-23,mitigates,1 +3307,,T1068,Exploitation for Privilege Escalation,[],[],,SC-26,mitigates,1 +3308,,T1210,Exploitation of Remote Services,[],[],,SC-26,mitigates,1 +3309,,T1211,Exploitation for Defense Evasion,[],[],,SC-26,mitigates,1 +3310,,T1212,Exploitation for Credential Access,[],[],,SC-26,mitigates,1 +3311,,T1003,OS Credential Dumping,[],[],,SC-28,mitigates,1 +3312,,T1003.001,LSASS Memory,[],[],,SC-28,mitigates,1 +3313,,T1003.002,Security Account Manager,[],[],,SC-28,mitigates,1 +3314,,T1003.003,NTDS,[],[],,SC-28,mitigates,1 +3315,,T1003.004,LSA Secrets,[],[],,SC-28,mitigates,1 +3316,,T1003.005,Cached Domain Credentials,[],[],,SC-28,mitigates,1 +3317,,T1003.006,DCSync,[],[],,SC-28,mitigates,1 +3318,,T1003.007,Proc Filesystem,[],[],,SC-28,mitigates,1 +3319,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-28,mitigates,1 +3320,,T1005,Data from Local System,[],[],,SC-28,mitigates,1 +3321,,T1025,Data from Removable Media,[],[],,SC-28,mitigates,1 +3322,,T1041,Exfiltration Over C2 Channel,[],[],,SC-28,mitigates,1 +3323,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-28,mitigates,1 +3324,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-28,mitigates,1 +3325,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-28,mitigates,1 +3326,,T1052,Exfiltration Over Physical Medium,[],[],,SC-28,mitigates,1 +3327,,T1052.001,Exfiltration over USB,[],[],,SC-28,mitigates,1 +3328,,T1078,Valid Accounts,[],[],,SC-28,mitigates,1 +3329,,T1078.001,Default Accounts,[],[],,SC-28,mitigates,1 +3330,,T1078.003,Local Accounts,[],[],,SC-28,mitigates,1 +3331,,T1078.004,Cloud Accounts,[],[],,SC-28,mitigates,1 +3332,,T1213,Data from Information Repositories,[],[],,SC-28,mitigates,1 +3333,,T1213.001,Confluence,[],[],,SC-28,mitigates,1 
+3334,,T1213.002,Sharepoint,[],[],,SC-28,mitigates,1 +3335,,T1530,Data from Cloud Storage Object,[],[],,SC-28,mitigates,1 +3336,,T1550.001,Application Access Token,[],[],,SC-28,mitigates,1 +3337,,T1552,Unsecured Credentials,[],[],,SC-28,mitigates,1 +3338,,T1552.001,Credentials In Files,[],[],,SC-28,mitigates,1 +3339,,T1552.002,Credentials in Registry,[],[],,SC-28,mitigates,1 +3340,,T1552.003,Bash History,[],[],,SC-28,mitigates,1 +3341,,T1552.004,Private Keys,[],[],,SC-28,mitigates,1 +3342,,T1565,Data Manipulation,[],[],,SC-28,mitigates,1 +3343,,T1565.001,Stored Data Manipulation,[],[],,SC-28,mitigates,1 +3344,,T1565.003,Runtime Data Manipulation,[],[],,SC-28,mitigates,1 +3345,,T1567,Exfiltration Over Web Service,[],[],,SC-28,mitigates,1 +3346,,T1599,Network Boundary Bridging,[],[],,SC-28,mitigates,1 +3347,,T1599.001,Network Address Translation Traversal,[],[],,SC-28,mitigates,1 +3348,,T1602,Data from Configuration Repository,[],[],,SC-28,mitigates,1 +3349,,T1602.001,SNMP (MIB Dump),[],[],,SC-28,mitigates,1 +3350,,T1602.002,Network Device Configuration Dump,[],[],,SC-28,mitigates,1 +3351,,T1068,Exploitation for Privilege Escalation,[],[],,SC-29,mitigates,1 +3352,,T1189,Drive-by Compromise,[],[],,SC-29,mitigates,1 +3353,,T1190,Exploit Public-Facing Application,[],[],,SC-29,mitigates,1 +3354,,T1203,Exploitation for Client Execution,[],[],,SC-29,mitigates,1 +3355,,T1210,Exploitation of Remote Services,[],[],,SC-29,mitigates,1 +3356,,T1211,Exploitation for Defense Evasion,[],[],,SC-29,mitigates,1 +3357,,T1212,Exploitation for Credential Access,[],[],,SC-29,mitigates,1 +3358,,T1003.001,LSASS Memory,[],[],,SC-3,mitigates,1 +3359,,T1021.003,Distributed Component Object Model,[],[],,SC-3,mitigates,1 +3360,,T1047,Windows Management Instrumentation,[],[],,SC-3,mitigates,1 +3361,,T1068,Exploitation for Privilege Escalation,[],[],,SC-3,mitigates,1 +3362,,T1134.005,SID-History Injection,[],[],,SC-3,mitigates,1 +3363,,T1189,Drive-by Compromise,[],[],,SC-3,mitigates,1 
+3364,,T1190,Exploit Public-Facing Application,[],[],,SC-3,mitigates,1 +3365,,T1203,Exploitation for Client Execution,[],[],,SC-3,mitigates,1 +3366,,T1210,Exploitation of Remote Services,[],[],,SC-3,mitigates,1 +3367,,T1211,Exploitation for Defense Evasion,[],[],,SC-3,mitigates,1 +3368,,T1212,Exploitation for Credential Access,[],[],,SC-3,mitigates,1 +3369,,T1559,Inter-Process Communication,[],[],,SC-3,mitigates,1 +3370,,T1559.001,Component Object Model,[],[],,SC-3,mitigates,1 +3371,,T1559.002,Dynamic Data Exchange,[],[],,SC-3,mitigates,1 +3372,,T1602,Data from Configuration Repository,[],[],,SC-3,mitigates,1 +3373,,T1602.001,SNMP (MIB Dump),[],[],,SC-3,mitigates,1 +3374,,T1602.002,Network Device Configuration Dump,[],[],,SC-3,mitigates,1 +3375,,T1611,Escape to Host,[],[],,SC-3,mitigates,1 +3376,,T1068,Exploitation for Privilege Escalation,[],[],,SC-30,mitigates,1 +3377,,T1189,Drive-by Compromise,[],[],,SC-30,mitigates,1 +3378,,T1190,Exploit Public-Facing Application,[],[],,SC-30,mitigates,1 +3379,,T1203,Exploitation for Client Execution,[],[],,SC-30,mitigates,1 +3380,,T1210,Exploitation of Remote Services,[],[],,SC-30,mitigates,1 +3381,,T1211,Exploitation for Defense Evasion,[],[],,SC-30,mitigates,1 +3382,,T1212,Exploitation for Credential Access,[],[],,SC-30,mitigates,1 +3383,,T1041,Exfiltration Over C2 Channel,[],[],,SC-31,mitigates,1 +3384,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-31,mitigates,1 +3385,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-31,mitigates,1 +3386,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-31,mitigates,1 +3387,,T1071,Application Layer Protocol,[],[],,SC-31,mitigates,1 +3388,,T1071.001,Web Protocols,[],[],,SC-31,mitigates,1 +3389,,T1071.002,File Transfer Protocols,[],[],,SC-31,mitigates,1 +3390,,T1071.003,Mail Protocols,[],[],,SC-31,mitigates,1 +3391,,T1071.004,DNS,[],[],,SC-31,mitigates,1 +3392,,T1567,Exfiltration Over Web Service,[],[],,SC-31,mitigates,1 
+3393,,T1047,Windows Management Instrumentation,[],[],,SC-34,mitigates,1 +3394,,T1195.003,Compromise Hardware Supply Chain,[],[],,SC-34,mitigates,1 +3395,,T1542,Pre-OS Boot,[],[],,SC-34,mitigates,1 +3396,,T1542.001,System Firmware,[],[],,SC-34,mitigates,1 +3397,,T1542.003,Bootkit,[],[],,SC-34,mitigates,1 +3398,,T1542.004,ROMMONkit,[],[],,SC-34,mitigates,1 +3399,,T1542.005,TFTP Boot,[],[],,SC-34,mitigates,1 +3400,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-34,mitigates,1 +3401,,T1548.004,Elevated Execution with Prompt,[],[],,SC-34,mitigates,1 +3402,,T1553,Subvert Trust Controls,[],[],,SC-34,mitigates,1 +3403,,T1553.006,Code Signing Policy Modification,[],[],,SC-34,mitigates,1 +3404,,T1601,Modify System Image,[],[],,SC-34,mitigates,1 +3405,,T1601.001,Patch System Image,[],[],,SC-34,mitigates,1 +3406,,T1601.002,Downgrade System Image,[],[],,SC-34,mitigates,1 +3407,,T1611,Escape to Host,[],[],,SC-34,mitigates,1 +3408,,T1068,Exploitation for Privilege Escalation,[],[],,SC-35,mitigates,1 +3409,,T1210,Exploitation of Remote Services,[],[],,SC-35,mitigates,1 +3410,,T1211,Exploitation for Defense Evasion,[],[],,SC-35,mitigates,1 +3411,,T1212,Exploitation for Credential Access,[],[],,SC-35,mitigates,1 +3412,,T1070,Indicator Removal on Host,[],[],,SC-36,mitigates,1 +3413,,T1070.001,Clear Windows Event Logs,[],[],,SC-36,mitigates,1 +3414,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-36,mitigates,1 +3415,,T1119,Automated Collection,[],[],,SC-36,mitigates,1 +3416,,T1565,Data Manipulation,[],[],,SC-36,mitigates,1 +3417,,T1565.001,Stored Data Manipulation,[],[],,SC-36,mitigates,1 +3418,,T1071,Application Layer Protocol,[],[],,SC-37,mitigates,1 +3419,,T1071.001,Web Protocols,[],[],,SC-37,mitigates,1 +3420,,T1071.002,File Transfer Protocols,[],[],,SC-37,mitigates,1 +3421,,T1071.003,Mail Protocols,[],[],,SC-37,mitigates,1 +3422,,T1071.004,DNS,[],[],,SC-37,mitigates,1 +3423,,T1005,Data from Local System,[],[],,SC-38,mitigates,1 +3424,,T1025,Data from Removable 
Media,[],[],,SC-38,mitigates,1 +3425,,T1003,OS Credential Dumping,[],[],,SC-39,mitigates,1 +3426,,T1003.001,LSASS Memory,[],[],,SC-39,mitigates,1 +3427,,T1003.002,Security Account Manager,[],[],,SC-39,mitigates,1 +3428,,T1003.003,NTDS,[],[],,SC-39,mitigates,1 +3429,,T1003.004,LSA Secrets,[],[],,SC-39,mitigates,1 +3430,,T1003.005,Cached Domain Credentials,[],[],,SC-39,mitigates,1 +3431,,T1003.006,DCSync,[],[],,SC-39,mitigates,1 +3432,,T1003.007,Proc Filesystem,[],[],,SC-39,mitigates,1 +3433,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-39,mitigates,1 +3434,,T1068,Exploitation for Privilege Escalation,[],[],,SC-39,mitigates,1 +3435,,T1189,Drive-by Compromise,[],[],,SC-39,mitigates,1 +3436,,T1190,Exploit Public-Facing Application,[],[],,SC-39,mitigates,1 +3437,,T1203,Exploitation for Client Execution,[],[],,SC-39,mitigates,1 +3438,,T1210,Exploitation of Remote Services,[],[],,SC-39,mitigates,1 +3439,,T1211,Exploitation for Defense Evasion,[],[],,SC-39,mitigates,1 +3440,,T1212,Exploitation for Credential Access,[],[],,SC-39,mitigates,1 +3441,,T1547.002,Authentication Package,[],[],,SC-39,mitigates,1 +3442,,T1547.005,Security Support Provider,[],[],,SC-39,mitigates,1 +3443,,T1547.008,LSASS Driver,[],[],,SC-39,mitigates,1 +3444,,T1556,Modify Authentication Process,[],[],,SC-39,mitigates,1 +3445,,T1556.001,Domain Controller Authentication,[],[],,SC-39,mitigates,1 +3446,,T1611,Escape to Host,[],[],,SC-39,mitigates,1 +3447,,T1020.001,Traffic Duplication,[],[],,SC-4,mitigates,1 +3448,,T1040,Network Sniffing,[],[],,SC-4,mitigates,1 +3449,,T1070,Indicator Removal on Host,[],[],,SC-4,mitigates,1 +3450,,T1070.001,Clear Windows Event Logs,[],[],,SC-4,mitigates,1 +3451,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-4,mitigates,1 +3452,,T1080,Taint Shared Content,[],[],,SC-4,mitigates,1 +3453,,T1119,Automated Collection,[],[],,SC-4,mitigates,1 +3454,,T1530,Data from Cloud Storage Object,[],[],,SC-4,mitigates,1 +3455,,T1552,Unsecured Credentials,[],[],,SC-4,mitigates,1 
+3456,,T1552.001,Credentials In Files,[],[],,SC-4,mitigates,1 +3457,,T1552.002,Credentials in Registry,[],[],,SC-4,mitigates,1 +3458,,T1552.004,Private Keys,[],[],,SC-4,mitigates,1 +3459,,T1557,Adversary-in-the-Middle,[],[],,SC-4,mitigates,1 +3460,,T1557.002,ARP Cache Poisoning,[],[],,SC-4,mitigates,1 +3461,,T1558,Steal or Forge Kerberos Tickets,[],[],,SC-4,mitigates,1 +3462,,T1558.002,Silver Ticket,[],[],,SC-4,mitigates,1 +3463,,T1558.003,Kerberoasting,[],[],,SC-4,mitigates,1 +3464,,T1558.004,AS-REP Roasting,[],[],,SC-4,mitigates,1 +3465,,T1564.009,Resource Forking,[],[],,SC-4,mitigates,1 +3466,,T1565,Data Manipulation,[],[],,SC-4,mitigates,1 +3467,,T1565.001,Stored Data Manipulation,[],[],,SC-4,mitigates,1 +3468,,T1565.002,Transmitted Data Manipulation,[],[],,SC-4,mitigates,1 +3469,,T1565.003,Runtime Data Manipulation,[],[],,SC-4,mitigates,1 +3470,,T1602,Data from Configuration Repository,[],[],,SC-4,mitigates,1 +3471,,T1602.001,SNMP (MIB Dump),[],[],,SC-4,mitigates,1 +3472,,T1602.002,Network Device Configuration Dump,[],[],,SC-4,mitigates,1 +3473,,T1025,Data from Removable Media,[],[],,SC-41,mitigates,1 +3474,,T1052,Exfiltration Over Physical Medium,[],[],,SC-41,mitigates,1 +3475,,T1052.001,Exfiltration over USB,[],[],,SC-41,mitigates,1 +3476,,T1091,Replication Through Removable Media,[],[],,SC-41,mitigates,1 +3477,,T1200,Hardware Additions,[],[],,SC-41,mitigates,1 +3478,,T1114.003,Email Forwarding Rule,[],[],,SC-43,mitigates,1 +3479,,T1613,Container and Resource Discovery,[],[],,SC-43,mitigates,1 +3480,,T1137,Office Application Startup,[],[],,SC-44,mitigates,1 +3481,,T1137.001,Office Template Macros,[],[],,SC-44,mitigates,1 +3482,,T1137.002,Office Test,[],[],,SC-44,mitigates,1 +3483,,T1137.003,Outlook Forms,[],[],,SC-44,mitigates,1 +3484,,T1137.004,Outlook Home Page,[],[],,SC-44,mitigates,1 +3485,,T1137.005,Outlook Rules,[],[],,SC-44,mitigates,1 +3486,,T1137.006,Add-ins,[],[],,SC-44,mitigates,1 +3487,,T1203,Exploitation for Client 
Execution,[],[],,SC-44,mitigates,1 +3488,,T1204,User Execution,[],[],,SC-44,mitigates,1 +3489,,T1204.001,Malicious Link,[],[],,SC-44,mitigates,1 +3490,,T1204.002,Malicious File,[],[],,SC-44,mitigates,1 +3491,,T1204.003,Malicious Image,[],[],,SC-44,mitigates,1 +3492,,T1221,Template Injection,[],[],,SC-44,mitigates,1 +3493,,T1564.009,Resource Forking,[],[],,SC-44,mitigates,1 +3494,,T1566,Phishing,[],[],,SC-44,mitigates,1 +3495,,T1566.001,Spearphishing Attachment,[],[],,SC-44,mitigates,1 +3496,,T1566.002,Spearphishing Link,[],[],,SC-44,mitigates,1 +3497,,T1566.003,Spearphishing via Service,[],[],,SC-44,mitigates,1 +3498,,T1598,Phishing for Information,[],[],,SC-44,mitigates,1 +3499,,T1598.001,Spearphishing Service,[],[],,SC-44,mitigates,1 +3500,,T1598.002,Spearphishing Attachment,[],[],,SC-44,mitigates,1 +3501,,T1598.003,Spearphishing Link,[],[],,SC-44,mitigates,1 +3502,,T1021.001,Remote Desktop Protocol,[],[],,SC-46,mitigates,1 +3503,,T1021.003,Distributed Component Object Model,[],[],,SC-46,mitigates,1 +3504,,T1021.006,Windows Remote Management,[],[],,SC-46,mitigates,1 +3505,,T1046,Network Service Scanning,[],[],,SC-46,mitigates,1 +3506,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-46,mitigates,1 +3507,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-46,mitigates,1 +3508,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-46,mitigates,1 +3509,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-46,mitigates,1 +3510,,T1072,Software Deployment Tools,[],[],,SC-46,mitigates,1 +3511,,T1098,Account Manipulation,[],[],,SC-46,mitigates,1 +3512,,T1098.001,Additional Cloud Credentials,[],[],,SC-46,mitigates,1 +3513,,T1133,External Remote Services,[],[],,SC-46,mitigates,1 +3514,,T1136,Create Account,[],[],,SC-46,mitigates,1 +3515,,T1136.002,Domain Account,[],[],,SC-46,mitigates,1 +3516,,T1136.003,Cloud Account,[],[],,SC-46,mitigates,1 +3517,,T1190,Exploit Public-Facing 
Application,[],[],,SC-46,mitigates,1 +3518,,T1199,Trusted Relationship,[],[],,SC-46,mitigates,1 +3519,,T1210,Exploitation of Remote Services,[],[],,SC-46,mitigates,1 +3520,,T1482,Domain Trust Discovery,[],[],,SC-46,mitigates,1 +3521,,T1489,Service Stop,[],[],,SC-46,mitigates,1 +3522,,T1552.007,Container API,[],[],,SC-46,mitigates,1 +3523,,T1557,Adversary-in-the-Middle,[],[],,SC-46,mitigates,1 +3524,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-46,mitigates,1 +3525,,T1563,Remote Service Session Hijacking,[],[],,SC-46,mitigates,1 +3526,,T1563.002,RDP Hijacking,[],[],,SC-46,mitigates,1 +3527,,T1565,Data Manipulation,[],[],,SC-46,mitigates,1 +3528,,T1565.003,Runtime Data Manipulation,[],[],,SC-46,mitigates,1 +3529,,T1564.009,Resource Forking,[],[],,SC-6,mitigates,1 +3530,,T1001,Data Obfuscation,[],[],,SC-7,mitigates,1 +3531,,T1001.001,Junk Data,[],[],,SC-7,mitigates,1 +3532,,T1001.002,Steganography,[],[],,SC-7,mitigates,1 +3533,,T1001.003,Protocol Impersonation,[],[],,SC-7,mitigates,1 +3534,,T1008,Fallback Channels,[],[],,SC-7,mitigates,1 +3535,,T1020.001,Traffic Duplication,[],[],,SC-7,mitigates,1 +3536,,T1021.001,Remote Desktop Protocol,[],[],,SC-7,mitigates,1 +3537,,T1021.002,SMB/Windows Admin Shares,[],[],,SC-7,mitigates,1 +3538,,T1021.003,Distributed Component Object Model,[],[],,SC-7,mitigates,1 +3539,,T1021.005,VNC,[],[],,SC-7,mitigates,1 +3540,,T1021.006,Windows Remote Management,[],[],,SC-7,mitigates,1 +3541,,T1029,Scheduled Transfer,[],[],,SC-7,mitigates,1 +3542,,T1030,Data Transfer Size Limits,[],[],,SC-7,mitigates,1 +3543,,T1041,Exfiltration Over C2 Channel,[],[],,SC-7,mitigates,1 +3544,,T1046,Network Service Scanning,[],[],,SC-7,mitigates,1 +3545,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-7,mitigates,1 +3546,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,1 +3547,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,1 +3548,,T1048.003,Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-7,mitigates,1 +3549,,T1055,Process Injection,[],[],,SC-7,mitigates,1 +3550,,T1055.001,Dynamic-link Library Injection,[],[],,SC-7,mitigates,1 +3551,,T1055.002,Portable Executable Injection,[],[],,SC-7,mitigates,1 +3552,,T1055.003,Thread Execution Hijacking,[],[],,SC-7,mitigates,1 +3553,,T1055.004,Asynchronous Procedure Call,[],[],,SC-7,mitigates,1 +3554,,T1055.005,Thread Local Storage,[],[],,SC-7,mitigates,1 +3555,,T1055.008,Ptrace System Calls,[],[],,SC-7,mitigates,1 +3556,,T1055.009,Proc Memory,[],[],,SC-7,mitigates,1 +3557,,T1055.011,Extra Window Memory Injection,[],[],,SC-7,mitigates,1 +3558,,T1055.012,Process Hollowing,[],[],,SC-7,mitigates,1 +3559,,T1055.013,Process Doppelgänging,[],[],,SC-7,mitigates,1 +3560,,T1055.014,VDSO Hijacking,[],[],,SC-7,mitigates,1 +3561,,T1068,Exploitation for Privilege Escalation,[],[],,SC-7,mitigates,1 +3562,,T1071,Application Layer Protocol,[],[],,SC-7,mitigates,1 +3563,,T1071.001,Web Protocols,[],[],,SC-7,mitigates,1 +3564,,T1071.002,File Transfer Protocols,[],[],,SC-7,mitigates,1 +3565,,T1071.003,Mail Protocols,[],[],,SC-7,mitigates,1 +3566,,T1071.004,DNS,[],[],,SC-7,mitigates,1 +3567,,T1072,Software Deployment Tools,[],[],,SC-7,mitigates,1 +3568,,T1080,Taint Shared Content,[],[],,SC-7,mitigates,1 +3569,,T1090,Proxy,[],[],,SC-7,mitigates,1 +3570,,T1090.001,Internal Proxy,[],[],,SC-7,mitigates,1 +3571,,T1090.002,External Proxy,[],[],,SC-7,mitigates,1 +3572,,T1090.003,Multi-hop Proxy,[],[],,SC-7,mitigates,1 +3573,,T1095,Non-Application Layer Protocol,[],[],,SC-7,mitigates,1 +3574,,T1098,Account Manipulation,[],[],,SC-7,mitigates,1 +3575,,T1098.001,Additional Cloud Credentials,[],[],,SC-7,mitigates,1 +3576,,T1102,Web Service,[],[],,SC-7,mitigates,1 +3577,,T1102.001,Dead Drop Resolver,[],[],,SC-7,mitigates,1 +3578,,T1102.002,Bidirectional Communication,[],[],,SC-7,mitigates,1 +3579,,T1102.003,One-Way Communication,[],[],,SC-7,mitigates,1 +3580,,T1104,Multi-Stage 
Channels,[],[],,SC-7,mitigates,1 +3581,,T1105,Ingress Tool Transfer,[],[],,SC-7,mitigates,1 +3582,,T1114,Email Collection,[],[],,SC-7,mitigates,1 +3583,,T1114.003,Email Forwarding Rule,[],[],,SC-7,mitigates,1 +3584,,T1132,Data Encoding,[],[],,SC-7,mitigates,1 +3585,,T1132.001,Standard Encoding,[],[],,SC-7,mitigates,1 +3586,,T1132.002,Non-Standard Encoding,[],[],,SC-7,mitigates,1 +3587,,T1133,External Remote Services,[],[],,SC-7,mitigates,1 +3588,,T1136,Create Account,[],[],,SC-7,mitigates,1 +3589,,T1136.002,Domain Account,[],[],,SC-7,mitigates,1 +3590,,T1136.003,Cloud Account,[],[],,SC-7,mitigates,1 +3591,,T1176,Browser Extensions,[],[],,SC-7,mitigates,1 +3592,,T1187,Forced Authentication,[],[],,SC-7,mitigates,1 +3593,,T1189,Drive-by Compromise,[],[],,SC-7,mitigates,1 +3594,,T1190,Exploit Public-Facing Application,[],[],,SC-7,mitigates,1 +3595,,T1197,BITS Jobs,[],[],,SC-7,mitigates,1 +3596,,T1199,Trusted Relationship,[],[],,SC-7,mitigates,1 +3597,,T1203,Exploitation for Client Execution,[],[],,SC-7,mitigates,1 +3598,,T1204,User Execution,[],[],,SC-7,mitigates,1 +3599,,T1204.001,Malicious Link,[],[],,SC-7,mitigates,1 +3600,,T1204.002,Malicious File,[],[],,SC-7,mitigates,1 +3601,,T1204.003,Malicious Image,[],[],,SC-7,mitigates,1 +3602,,T1205,Traffic Signaling,[],[],,SC-7,mitigates,1 +3603,,T1205.001,Port Knocking,[],[],,SC-7,mitigates,1 +3604,,T1210,Exploitation of Remote Services,[],[],,SC-7,mitigates,1 +3605,,T1211,Exploitation for Defense Evasion,[],[],,SC-7,mitigates,1 +3606,,T1212,Exploitation for Credential Access,[],[],,SC-7,mitigates,1 +3607,,T1218.012,Verclsid,[],[],,SC-7,mitigates,1 +3608,,T1219,Remote Access Software,[],[],,SC-7,mitigates,1 +3609,,T1221,Template Injection,[],[],,SC-7,mitigates,1 +3610,,T1482,Domain Trust Discovery,[],[],,SC-7,mitigates,1 +3611,,T1489,Service Stop,[],[],,SC-7,mitigates,1 +3612,,T1498,Network Denial of Service,[],[],,SC-7,mitigates,1 +3613,,T1498.001,Direct Network Flood,[],[],,SC-7,mitigates,1 +3614,,T1498.002,Reflection 
Amplification,[],[],,SC-7,mitigates,1 +3615,,T1499,Endpoint Denial of Service,[],[],,SC-7,mitigates,1 +3616,,T1499.001,OS Exhaustion Flood,[],[],,SC-7,mitigates,1 +3617,,T1499.002,Service Exhaustion Flood,[],[],,SC-7,mitigates,1 +3618,,T1499.003,Application Exhaustion Flood,[],[],,SC-7,mitigates,1 +3619,,T1499.004,Application or System Exploitation,[],[],,SC-7,mitigates,1 +3620,,T1505.004,IIS Components,[],[],,SC-7,mitigates,1 +3621,,T1530,Data from Cloud Storage Object,[],[],,SC-7,mitigates,1 +3622,,T1537,Transfer Data to Cloud Account,[],[],,SC-7,mitigates,1 +3623,,T1542,Pre-OS Boot,[],[],,SC-7,mitigates,1 +3624,,T1542.004,ROMMONkit,[],[],,SC-7,mitigates,1 +3625,,T1542.005,TFTP Boot,[],[],,SC-7,mitigates,1 +3626,,T1552,Unsecured Credentials,[],[],,SC-7,mitigates,1 +3627,,T1552.001,Credentials In Files,[],[],,SC-7,mitigates,1 +3628,,T1552.004,Private Keys,[],[],,SC-7,mitigates,1 +3629,,T1552.005,Cloud Instance Metadata API,[],[],,SC-7,mitigates,1 +3630,,T1552.007,Container API,[],[],,SC-7,mitigates,1 +3631,,T1557,Adversary-in-the-Middle,[],[],,SC-7,mitigates,1 +3632,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-7,mitigates,1 +3633,,T1557.002,ARP Cache Poisoning,[],[],,SC-7,mitigates,1 +3634,,T1559,Inter-Process Communication,[],[],,SC-7,mitigates,1 +3635,,T1559.001,Component Object Model,[],[],,SC-7,mitigates,1 +3636,,T1559.002,Dynamic Data Exchange,[],[],,SC-7,mitigates,1 +3637,,T1560,Archive Collected Data,[],[],,SC-7,mitigates,1 +3638,,T1560.001,Archive via Utility,[],[],,SC-7,mitigates,1 +3639,,T1563,Remote Service Session Hijacking,[],[],,SC-7,mitigates,1 +3640,,T1563.002,RDP Hijacking,[],[],,SC-7,mitigates,1 +3641,,T1565,Data Manipulation,[],[],,SC-7,mitigates,1 +3642,,T1565.001,Stored Data Manipulation,[],[],,SC-7,mitigates,1 +3643,,T1565.003,Runtime Data Manipulation,[],[],,SC-7,mitigates,1 +3644,,T1566,Phishing,[],[],,SC-7,mitigates,1 +3645,,T1566.001,Spearphishing Attachment,[],[],,SC-7,mitigates,1 +3646,,T1566.002,Spearphishing 
Link,[],[],,SC-7,mitigates,1 +3647,,T1566.003,Spearphishing via Service,[],[],,SC-7,mitigates,1 +3648,,T1567,Exfiltration Over Web Service,[],[],,SC-7,mitigates,1 +3649,,T1567.001,Exfiltration to Code Repository,[],[],,SC-7,mitigates,1 +3650,,T1567.002,Exfiltration to Cloud Storage,[],[],,SC-7,mitigates,1 +3651,,T1568,Dynamic Resolution,[],[],,SC-7,mitigates,1 +3652,,T1568.002,Domain Generation Algorithms,[],[],,SC-7,mitigates,1 +3653,,T1570,Lateral Tool Transfer,[],[],,SC-7,mitigates,1 +3654,,T1571,Non-Standard Port,[],[],,SC-7,mitigates,1 +3655,,T1572,Protocol Tunneling,[],[],,SC-7,mitigates,1 +3656,,T1573,Encrypted Channel,[],[],,SC-7,mitigates,1 +3657,,T1573.001,Symmetric Cryptography,[],[],,SC-7,mitigates,1 +3658,,T1573.002,Asymmetric Cryptography,[],[],,SC-7,mitigates,1 +3659,,T1598,Phishing for Information,[],[],,SC-7,mitigates,1 +3660,,T1598.001,Spearphishing Service,[],[],,SC-7,mitigates,1 +3661,,T1598.002,Spearphishing Attachment,[],[],,SC-7,mitigates,1 +3662,,T1598.003,Spearphishing Link,[],[],,SC-7,mitigates,1 +3663,,T1599,Network Boundary Bridging,[],[],,SC-7,mitigates,1 +3664,,T1599.001,Network Address Translation Traversal,[],[],,SC-7,mitigates,1 +3665,,T1602,Data from Configuration Repository,[],[],,SC-7,mitigates,1 +3666,,T1602.001,SNMP (MIB Dump),[],[],,SC-7,mitigates,1 +3667,,T1602.002,Network Device Configuration Dump,[],[],,SC-7,mitigates,1 +3668,,T1609,Container Administration Command,[],[],,SC-7,mitigates,1 +3669,,T1610,Deploy Container,[],[],,SC-7,mitigates,1 +3670,,T1611,Escape to Host,[],[],,SC-7,mitigates,1 +3671,,T1612,Build Image on Host,[],[],,SC-7,mitigates,1 +3672,,T1613,Container and Resource Discovery,[],[],,SC-7,mitigates,1 +3673,,T1020.001,Traffic Duplication,[],[],,SC-8,mitigates,1 +3674,,T1040,Network Sniffing,[],[],,SC-8,mitigates,1 +3675,,T1090,Proxy,[],[],,SC-8,mitigates,1 +3676,,T1090.004,Domain Fronting,[],[],,SC-8,mitigates,1 +3677,,T1550.001,Application Access Token,[],[],,SC-8,mitigates,1 +3678,,T1550.004,Web Session 
Cookie,[],[],,SC-8,mitigates,1 +3679,,T1552.007,Container API,[],[],,SC-8,mitigates,1 +3680,,T1557,Adversary-in-the-Middle,[],[],,SC-8,mitigates,1 +3681,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-8,mitigates,1 +3682,,T1557.002,ARP Cache Poisoning,[],[],,SC-8,mitigates,1 +3683,,T1562.006,Indicator Blocking,[],[],,SC-8,mitigates,1 +3684,,T1562.009,Safe Mode Boot,[],[],,SC-8,mitigates,1 +3685,,T1602,Data from Configuration Repository,[],[],,SC-8,mitigates,1 +3686,,T1602.001,SNMP (MIB Dump),[],[],,SC-8,mitigates,1 +3687,,T1602.002,Network Device Configuration Dump,[],[],,SC-8,mitigates,1 +3688,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-10,mitigates,1 +3689,,T1021.005,VNC,[],[],,SI-10,mitigates,1 +3690,,T1036,Masquerading,[],[],,SI-10,mitigates,1 +3691,,T1036.005,Match Legitimate Name or Location,[],[],,SI-10,mitigates,1 +3692,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-10,mitigates,1 +3693,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,1 +3694,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,1 +3695,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-10,mitigates,1 +3696,,T1059,Command and Scripting Interpreter,[],[],,SI-10,mitigates,1 +3697,,T1059.001,PowerShell,[],[],,SI-10,mitigates,1 +3698,,T1059.002,AppleScript,[],[],,SI-10,mitigates,1 +3699,,T1059.003,Windows Command Shell,[],[],,SI-10,mitigates,1 +3700,,T1059.004,Unix Shell,[],[],,SI-10,mitigates,1 +3701,,T1059.005,Visual Basic,[],[],,SI-10,mitigates,1 +3702,,T1059.006,Python,[],[],,SI-10,mitigates,1 +3703,,T1059.007,JavaScript,[],[],,SI-10,mitigates,1 +3704,,T1059.008,Network Device CLI,[],[],,SI-10,mitigates,1 +3705,,T1071.004,DNS,[],[],,SI-10,mitigates,1 +3706,,T1080,Taint Shared Content,[],[],,SI-10,mitigates,1 +3707,,T1090,Proxy,[],[],,SI-10,mitigates,1 +3708,,T1090.003,Multi-hop Proxy,[],[],,SI-10,mitigates,1 +3709,,T1095,Non-Application Layer 
Protocol,[],[],,SI-10,mitigates,1 +3710,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-10,mitigates,1 +3711,,T1129,Shared Modules,[],[],,SI-10,mitigates,1 +3712,,T1176,Browser Extensions,[],[],,SI-10,mitigates,1 +3713,,T1187,Forced Authentication,[],[],,SI-10,mitigates,1 +3714,,T1190,Exploit Public-Facing Application,[],[],,SI-10,mitigates,1 +3715,,T1197,BITS Jobs,[],[],,SI-10,mitigates,1 +3716,,T1204,User Execution,[],[],,SI-10,mitigates,1 +3717,,T1204.002,Malicious File,[],[],,SI-10,mitigates,1 +3718,,T1216,Signed Script Proxy Execution,[],[],,SI-10,mitigates,1 +3719,,T1216.001,PubPrn,[],[],,SI-10,mitigates,1 +3720,,T1218,Signed Binary Proxy Execution,[],[],,SI-10,mitigates,1 +3721,,T1218.001,Compiled HTML File,[],[],,SI-10,mitigates,1 +3722,,T1218.002,Control Panel,[],[],,SI-10,mitigates,1 +3723,,T1218.003,CMSTP,[],[],,SI-10,mitigates,1 +3724,,T1218.004,InstallUtil,[],[],,SI-10,mitigates,1 +3725,,T1218.005,Mshta,[],[],,SI-10,mitigates,1 +3726,,T1218.008,Odbcconf,[],[],,SI-10,mitigates,1 +3727,,T1218.009,Regsvcs/Regasm,[],[],,SI-10,mitigates,1 +3728,,T1218.010,Regsvr32,[],[],,SI-10,mitigates,1 +3729,,T1218.011,Rundll32,[],[],,SI-10,mitigates,1 +3730,,T1218.012,Verclsid,[],[],,SI-10,mitigates,1 +3731,,T1218.013,Mavinject,[],[],,SI-10,mitigates,1 +3732,,T1218.014,MMC,[],[],,SI-10,mitigates,1 +3733,,T1219,Remote Access Software,[],[],,SI-10,mitigates,1 +3734,,T1220,XSL Script Processing,[],[],,SI-10,mitigates,1 +3735,,T1221,Template Injection,[],[],,SI-10,mitigates,1 +3736,,T1498,Network Denial of Service,[],[],,SI-10,mitigates,1 +3737,,T1498.001,Direct Network Flood,[],[],,SI-10,mitigates,1 +3738,,T1498.002,Reflection Amplification,[],[],,SI-10,mitigates,1 +3739,,T1499,Endpoint Denial of Service,[],[],,SI-10,mitigates,1 +3740,,T1499.001,OS Exhaustion Flood,[],[],,SI-10,mitigates,1 +3741,,T1499.002,Service Exhaustion Flood,[],[],,SI-10,mitigates,1 +3742,,T1499.003,Application Exhaustion Flood,[],[],,SI-10,mitigates,1 +3743,,T1499.004,Application or 
System Exploitation,[],[],,SI-10,mitigates,1 +3744,,T1530,Data from Cloud Storage Object,[],[],,SI-10,mitigates,1 +3745,,T1537,Transfer Data to Cloud Account,[],[],,SI-10,mitigates,1 +3746,,T1546.002,Screensaver,[],[],,SI-10,mitigates,1 +3747,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-10,mitigates,1 +3748,,T1546.008,Accessibility Features,[],[],,SI-10,mitigates,1 +3749,,T1546.009,AppCert DLLs,[],[],,SI-10,mitigates,1 +3750,,T1546.010,AppInit DLLs,[],[],,SI-10,mitigates,1 +3751,,T1547.004,Winlogon Helper DLL,[],[],,SI-10,mitigates,1 +3752,,T1547.006,Kernel Modules and Extensions,[],[],,SI-10,mitigates,1 +3753,,T1552,Unsecured Credentials,[],[],,SI-10,mitigates,1 +3754,,T1552.005,Cloud Instance Metadata API,[],[],,SI-10,mitigates,1 +3755,,T1553,Subvert Trust Controls,[],[],,SI-10,mitigates,1 +3756,,T1553.001,Gatekeeper Bypass,[],[],,SI-10,mitigates,1 +3757,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-10,mitigates,1 +3758,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-10,mitigates,1 +3759,,T1557,Adversary-in-the-Middle,[],[],,SI-10,mitigates,1 +3760,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-10,mitigates,1 +3761,,T1557.002,ARP Cache Poisoning,[],[],,SI-10,mitigates,1 +3762,,T1564.003,Hidden Window,[],[],,SI-10,mitigates,1 +3763,,T1564.006,Run Virtual Instance,[],[],,SI-10,mitigates,1 +3764,,T1564.009,Resource Forking,[],[],,SI-10,mitigates,1 +3765,,T1570,Lateral Tool Transfer,[],[],,SI-10,mitigates,1 +3766,,T1572,Protocol Tunneling,[],[],,SI-10,mitigates,1 +3767,,T1574,Hijack Execution Flow,[],[],,SI-10,mitigates,1 +3768,,T1574.001,DLL Search Order Hijacking,[],[],,SI-10,mitigates,1 +3769,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-10,mitigates,1 +3770,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-10,mitigates,1 +3771,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-10,mitigates,1 +3772,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-10,mitigates,1 
+3773,,T1574.012,COR_PROFILER,[],[],,SI-10,mitigates,1 +3774,,T1599,Network Boundary Bridging,[],[],,SI-10,mitigates,1 +3775,,T1599.001,Network Address Translation Traversal,[],[],,SI-10,mitigates,1 +3776,,T1602,Data from Configuration Repository,[],[],,SI-10,mitigates,1 +3777,,T1602.001,SNMP (MIB Dump),[],[],,SI-10,mitigates,1 +3778,,T1602.002,Network Device Configuration Dump,[],[],,SI-10,mitigates,1 +3779,,T1609,Container Administration Command,[],[],,SI-10,mitigates,1 +3780,,T1003,OS Credential Dumping,[],[],,SI-12,mitigates,1 +3781,,T1003.003,NTDS,[],[],,SI-12,mitigates,1 +3782,,T1020.001,Traffic Duplication,[],[],,SI-12,mitigates,1 +3783,,T1040,Network Sniffing,[],[],,SI-12,mitigates,1 +3784,,T1070,Indicator Removal on Host,[],[],,SI-12,mitigates,1 +3785,,T1070.001,Clear Windows Event Logs,[],[],,SI-12,mitigates,1 +3786,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-12,mitigates,1 +3787,,T1114,Email Collection,[],[],,SI-12,mitigates,1 +3788,,T1114.001,Local Email Collection,[],[],,SI-12,mitigates,1 +3789,,T1114.002,Remote Email Collection,[],[],,SI-12,mitigates,1 +3790,,T1114.003,Email Forwarding Rule,[],[],,SI-12,mitigates,1 +3791,,T1119,Automated Collection,[],[],,SI-12,mitigates,1 +3792,,T1530,Data from Cloud Storage Object,[],[],,SI-12,mitigates,1 +3793,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-12,mitigates,1 +3794,,T1548.004,Elevated Execution with Prompt,[],[],,SI-12,mitigates,1 +3795,,T1550.001,Application Access Token,[],[],,SI-12,mitigates,1 +3796,,T1552,Unsecured Credentials,[],[],,SI-12,mitigates,1 +3797,,T1552.004,Private Keys,[],[],,SI-12,mitigates,1 +3798,,T1557,Adversary-in-the-Middle,[],[],,SI-12,mitigates,1 +3799,,T1557.002,ARP Cache Poisoning,[],[],,SI-12,mitigates,1 +3800,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-12,mitigates,1 +3801,,T1558.002,Silver Ticket,[],[],,SI-12,mitigates,1 +3802,,T1558.003,Kerberoasting,[],[],,SI-12,mitigates,1 +3803,,T1558.004,AS-REP Roasting,[],[],,SI-12,mitigates,1 +3804,,T1565,Data 
Manipulation,[],[],,SI-12,mitigates,1 +3805,,T1565.001,Stored Data Manipulation,[],[],,SI-12,mitigates,1 +3806,,T1565.002,Transmitted Data Manipulation,[],[],,SI-12,mitigates,1 +3807,,T1602,Data from Configuration Repository,[],[],,SI-12,mitigates,1 +3808,,T1602.001,SNMP (MIB Dump),[],[],,SI-12,mitigates,1 +3809,,T1602.002,Network Device Configuration Dump,[],[],,SI-12,mitigates,1 +3810,,T1505,Server Software Component,[],[],,SI-14,mitigates,1 +3811,,T1505.001,SQL Stored Procedures,[],[],,SI-14,mitigates,1 +3812,,T1505.002,Transport Agent,[],[],,SI-14,mitigates,1 +3813,,T1505.004,IIS Components,[],[],,SI-14,mitigates,1 +3814,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-14,mitigates,1 +3815,,T1547.004,Winlogon Helper DLL,[],[],,SI-14,mitigates,1 +3816,,T1547.006,Kernel Modules and Extensions,[],[],,SI-14,mitigates,1 +3817,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-15,mitigates,1 +3818,,T1021.005,VNC,[],[],,SI-15,mitigates,1 +3819,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-15,mitigates,1 +3820,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,1 +3821,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,1 +3822,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-15,mitigates,1 +3823,,T1071.004,DNS,[],[],,SI-15,mitigates,1 +3824,,T1090,Proxy,[],[],,SI-15,mitigates,1 +3825,,T1090.003,Multi-hop Proxy,[],[],,SI-15,mitigates,1 +3826,,T1095,Non-Application Layer Protocol,[],[],,SI-15,mitigates,1 +3827,,T1187,Forced Authentication,[],[],,SI-15,mitigates,1 +3828,,T1197,BITS Jobs,[],[],,SI-15,mitigates,1 +3829,,T1205,Traffic Signaling,[],[],,SI-15,mitigates,1 +3830,,T1205.001,Port Knocking,[],[],,SI-15,mitigates,1 +3831,,T1218.012,Verclsid,[],[],,SI-15,mitigates,1 +3832,,T1219,Remote Access Software,[],[],,SI-15,mitigates,1 +3833,,T1498,Network Denial of Service,[],[],,SI-15,mitigates,1 +3834,,T1498.001,Direct Network 
Flood,[],[],,SI-15,mitigates,1 +3835,,T1498.002,Reflection Amplification,[],[],,SI-15,mitigates,1 +3836,,T1499,Endpoint Denial of Service,[],[],,SI-15,mitigates,1 +3837,,T1499.001,OS Exhaustion Flood,[],[],,SI-15,mitigates,1 +3838,,T1499.002,Service Exhaustion Flood,[],[],,SI-15,mitigates,1 +3839,,T1499.003,Application Exhaustion Flood,[],[],,SI-15,mitigates,1 +3840,,T1499.004,Application or System Exploitation,[],[],,SI-15,mitigates,1 +3841,,T1530,Data from Cloud Storage Object,[],[],,SI-15,mitigates,1 +3842,,T1537,Transfer Data to Cloud Account,[],[],,SI-15,mitigates,1 +3843,,T1552,Unsecured Credentials,[],[],,SI-15,mitigates,1 +3844,,T1552.005,Cloud Instance Metadata API,[],[],,SI-15,mitigates,1 +3845,,T1557,Adversary-in-the-Middle,[],[],,SI-15,mitigates,1 +3846,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-15,mitigates,1 +3847,,T1557.002,ARP Cache Poisoning,[],[],,SI-15,mitigates,1 +3848,,T1564.009,Resource Forking,[],[],,SI-15,mitigates,1 +3849,,T1570,Lateral Tool Transfer,[],[],,SI-15,mitigates,1 +3850,,T1572,Protocol Tunneling,[],[],,SI-15,mitigates,1 +3851,,T1599,Network Boundary Bridging,[],[],,SI-15,mitigates,1 +3852,,T1599.001,Network Address Translation Traversal,[],[],,SI-15,mitigates,1 +3853,,T1602,Data from Configuration Repository,[],[],,SI-15,mitigates,1 +3854,,T1602.001,SNMP (MIB Dump),[],[],,SI-15,mitigates,1 +3855,,T1602.002,Network Device Configuration Dump,[],[],,SI-15,mitigates,1 +3856,,T1003.001,LSASS Memory,[],[],,SI-16,mitigates,1 +3857,,T1047,Windows Management Instrumentation,[],[],,SI-16,mitigates,1 +3858,,T1055.009,Proc Memory,[],[],,SI-16,mitigates,1 +3859,,T1059,Command and Scripting Interpreter,[],[],,SI-16,mitigates,1 +3860,,T1059.001,PowerShell,[],[],,SI-16,mitigates,1 +3861,,T1059.002,AppleScript,[],[],,SI-16,mitigates,1 +3862,,T1059.003,Windows Command Shell,[],[],,SI-16,mitigates,1 +3863,,T1059.004,Unix Shell,[],[],,SI-16,mitigates,1 +3864,,T1059.005,Visual Basic,[],[],,SI-16,mitigates,1 
+3865,,T1059.006,Python,[],[],,SI-16,mitigates,1 +3866,,T1059.007,JavaScript,[],[],,SI-16,mitigates,1 +3867,,T1059.008,Network Device CLI,[],[],,SI-16,mitigates,1 +3868,,T1218,Signed Binary Proxy Execution,[],[],,SI-16,mitigates,1 +3869,,T1218.001,Compiled HTML File,[],[],,SI-16,mitigates,1 +3870,,T1218.002,Control Panel,[],[],,SI-16,mitigates,1 +3871,,T1218.003,CMSTP,[],[],,SI-16,mitigates,1 +3872,,T1218.004,InstallUtil,[],[],,SI-16,mitigates,1 +3873,,T1218.005,Mshta,[],[],,SI-16,mitigates,1 +3874,,T1218.008,Odbcconf,[],[],,SI-16,mitigates,1 +3875,,T1218.009,Regsvcs/Regasm,[],[],,SI-16,mitigates,1 +3876,,T1218.012,Verclsid,[],[],,SI-16,mitigates,1 +3877,,T1218.013,Mavinject,[],[],,SI-16,mitigates,1 +3878,,T1218.014,MMC,[],[],,SI-16,mitigates,1 +3879,,T1505.004,IIS Components,[],[],,SI-16,mitigates,1 +3880,,T1543,Create or Modify System Process,[],[],,SI-16,mitigates,1 +3881,,T1543.002,Systemd Service,[],[],,SI-16,mitigates,1 +3882,,T1547.004,Winlogon Helper DLL,[],[],,SI-16,mitigates,1 +3883,,T1547.006,Kernel Modules and Extensions,[],[],,SI-16,mitigates,1 +3884,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-16,mitigates,1 +3885,,T1548.004,Elevated Execution with Prompt,[],[],,SI-16,mitigates,1 +3886,,T1565,Data Manipulation,[],[],,SI-16,mitigates,1 +3887,,T1565.001,Stored Data Manipulation,[],[],,SI-16,mitigates,1 +3888,,T1565.003,Runtime Data Manipulation,[],[],,SI-16,mitigates,1 +3889,,T1611,Escape to Host,[],[],,SI-16,mitigates,1 +3890,,T1003,OS Credential Dumping,[],[],,SI-2,mitigates,1 +3891,,T1003.001,LSASS Memory,[],[],,SI-2,mitigates,1 +3892,,T1027,Obfuscated Files or Information,[],[],,SI-2,mitigates,1 +3893,,T1027.002,Software Packing,[],[],,SI-2,mitigates,1 +3894,,T1047,Windows Management Instrumentation,[],[],,SI-2,mitigates,1 +3895,,T1055,Process Injection,[],[],,SI-2,mitigates,1 +3896,,T1055.001,Dynamic-link Library Injection,[],[],,SI-2,mitigates,1 +3897,,T1055.002,Portable Executable Injection,[],[],,SI-2,mitigates,1 +3898,,T1055.003,Thread 
Execution Hijacking,[],[],,SI-2,mitigates,1 +3899,,T1055.004,Asynchronous Procedure Call,[],[],,SI-2,mitigates,1 +3900,,T1055.005,Thread Local Storage,[],[],,SI-2,mitigates,1 +3901,,T1055.008,Ptrace System Calls,[],[],,SI-2,mitigates,1 +3902,,T1055.009,Proc Memory,[],[],,SI-2,mitigates,1 +3903,,T1055.011,Extra Window Memory Injection,[],[],,SI-2,mitigates,1 +3904,,T1055.012,Process Hollowing,[],[],,SI-2,mitigates,1 +3905,,T1055.013,Process Doppelgänging,[],[],,SI-2,mitigates,1 +3906,,T1055.014,VDSO Hijacking,[],[],,SI-2,mitigates,1 +3907,,T1059,Command and Scripting Interpreter,[],[],,SI-2,mitigates,1 +3908,,T1059.001,PowerShell,[],[],,SI-2,mitigates,1 +3909,,T1059.005,Visual Basic,[],[],,SI-2,mitigates,1 +3910,,T1059.006,Python,[],[],,SI-2,mitigates,1 +3911,,T1068,Exploitation for Privilege Escalation,[],[],,SI-2,mitigates,1 +3912,,T1072,Software Deployment Tools,[],[],,SI-2,mitigates,1 +3913,,T1106,Native API,[],[],,SI-2,mitigates,1 +3914,,T1137,Office Application Startup,[],[],,SI-2,mitigates,1 +3915,,T1137.003,Outlook Forms,[],[],,SI-2,mitigates,1 +3916,,T1137.004,Outlook Home Page,[],[],,SI-2,mitigates,1 +3917,,T1137.005,Outlook Rules,[],[],,SI-2,mitigates,1 +3918,,T1189,Drive-by Compromise,[],[],,SI-2,mitigates,1 +3919,,T1190,Exploit Public-Facing Application,[],[],,SI-2,mitigates,1 +3920,,T1195,Supply Chain Compromise,[],[],,SI-2,mitigates,1 +3921,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SI-2,mitigates,1 +3922,,T1195.002,Compromise Software Supply Chain,[],[],,SI-2,mitigates,1 +3923,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-2,mitigates,1 +3924,,T1204,User Execution,[],[],,SI-2,mitigates,1 +3925,,T1204.001,Malicious Link,[],[],,SI-2,mitigates,1 +3926,,T1204.003,Malicious Image,[],[],,SI-2,mitigates,1 +3927,,T1210,Exploitation of Remote Services,[],[],,SI-2,mitigates,1 +3928,,T1211,Exploitation for Defense Evasion,[],[],,SI-2,mitigates,1 +3929,,T1212,Exploitation for Credential Access,[],[],,SI-2,mitigates,1 
+3930,,T1213.003,Code Repositories,[],[],,SI-2,mitigates,1 +3931,,T1221,Template Injection,[],[],,SI-2,mitigates,1 +3932,,T1495,Firmware Corruption,[],[],,SI-2,mitigates,1 +3933,,T1525,Implant Internal Image,[],[],,SI-2,mitigates,1 +3934,,T1542,Pre-OS Boot,[],[],,SI-2,mitigates,1 +3935,,T1542.001,System Firmware,[],[],,SI-2,mitigates,1 +3936,,T1542.003,Bootkit,[],[],,SI-2,mitigates,1 +3937,,T1542.004,ROMMONkit,[],[],,SI-2,mitigates,1 +3938,,T1542.005,TFTP Boot,[],[],,SI-2,mitigates,1 +3939,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-2,mitigates,1 +3940,,T1546.010,AppInit DLLs,[],[],,SI-2,mitigates,1 +3941,,T1546.011,Application Shimming,[],[],,SI-2,mitigates,1 +3942,,T1547.006,Kernel Modules and Extensions,[],[],,SI-2,mitigates,1 +3943,,T1548.002,Bypass User Account Control,[],[],,SI-2,mitigates,1 +3944,,T1550.002,Pass the Hash,[],[],,SI-2,mitigates,1 +3945,,T1552,Unsecured Credentials,[],[],,SI-2,mitigates,1 +3946,,T1552.006,Group Policy Preferences,[],[],,SI-2,mitigates,1 +3947,,T1553,Subvert Trust Controls,[],[],,SI-2,mitigates,1 +3948,,T1553.006,Code Signing Policy Modification,[],[],,SI-2,mitigates,1 +3949,,T1555.005,Password Managers,[],[],,SI-2,mitigates,1 +3950,,T1559,Inter-Process Communication,[],[],,SI-2,mitigates,1 +3951,,T1559.002,Dynamic Data Exchange,[],[],,SI-2,mitigates,1 +3952,,T1566,Phishing,[],[],,SI-2,mitigates,1 +3953,,T1566.001,Spearphishing Attachment,[],[],,SI-2,mitigates,1 +3954,,T1566.003,Spearphishing via Service,[],[],,SI-2,mitigates,1 +3955,,T1574,Hijack Execution Flow,[],[],,SI-2,mitigates,1 +3956,,T1574.002,DLL Side-Loading,[],[],,SI-2,mitigates,1 +3957,,T1601,Modify System Image,[],[],,SI-2,mitigates,1 +3958,,T1601.001,Patch System Image,[],[],,SI-2,mitigates,1 +3959,,T1601.002,Downgrade System Image,[],[],,SI-2,mitigates,1 +3960,,T1606,Forge Web Credentials,[],[],,SI-2,mitigates,1 +3961,,T1606.001,Web Cookies,[],[],,SI-2,mitigates,1 +3962,,T1611,Escape to Host,[],[],,SI-2,mitigates,1 +3963,,T1070,Indicator Removal on 
Host,[],[],,SI-23,mitigates,1 +3964,,T1070.001,Clear Windows Event Logs,[],[],,SI-23,mitigates,1 +3965,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-23,mitigates,1 +3966,,T1072,Software Deployment Tools,[],[],,SI-23,mitigates,1 +3967,,T1119,Automated Collection,[],[],,SI-23,mitigates,1 +3968,,T1565,Data Manipulation,[],[],,SI-23,mitigates,1 +3969,,T1565.001,Stored Data Manipulation,[],[],,SI-23,mitigates,1 +3970,,T1001,Data Obfuscation,[],[],,SI-3,mitigates,1 +3971,,T1001.001,Junk Data,[],[],,SI-3,mitigates,1 +3972,,T1001.002,Steganography,[],[],,SI-3,mitigates,1 +3973,,T1001.003,Protocol Impersonation,[],[],,SI-3,mitigates,1 +3974,,T1003,OS Credential Dumping,[],[],,SI-3,mitigates,1 +3975,,T1003.001,LSASS Memory,[],[],,SI-3,mitigates,1 +3976,,T1003.002,Security Account Manager,[],[],,SI-3,mitigates,1 +3977,,T1003.003,NTDS,[],[],,SI-3,mitigates,1 +3978,,T1003.004,LSA Secrets,[],[],,SI-3,mitigates,1 +3979,,T1003.005,Cached Domain Credentials,[],[],,SI-3,mitigates,1 +3980,,T1003.006,DCSync,[],[],,SI-3,mitigates,1 +3981,,T1003.007,Proc Filesystem,[],[],,SI-3,mitigates,1 +3982,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-3,mitigates,1 +3983,,T1005,Data from Local System,[],[],,SI-3,mitigates,1 +3984,,T1008,Fallback Channels,[],[],,SI-3,mitigates,1 +3985,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-3,mitigates,1 +3986,,T1021.003,Distributed Component Object Model,[],[],,SI-3,mitigates,1 +3987,,T1021.005,VNC,[],[],,SI-3,mitigates,1 +3988,,T1025,Data from Removable Media,[],[],,SI-3,mitigates,1 +3989,,T1027,Obfuscated Files or Information,[],[],,SI-3,mitigates,1 +3990,,T1027.002,Software Packing,[],[],,SI-3,mitigates,1 +3991,,T1029,Scheduled Transfer,[],[],,SI-3,mitigates,1 +3992,,T1030,Data Transfer Size Limits,[],[],,SI-3,mitigates,1 +3993,,T1036,Masquerading,[],[],,SI-3,mitigates,1 +3994,,T1036.003,Rename System Utilities,[],[],,SI-3,mitigates,1 +3995,,T1036.005,Match Legitimate Name or Location,[],[],,SI-3,mitigates,1 +3996,,T1037,Boot or Logon 
Initialization Scripts,[],[],,SI-3,mitigates,1 +3997,,T1037.002,Logon Script (Mac),[],[],,SI-3,mitigates,1 +3998,,T1037.003,Network Logon Script,[],[],,SI-3,mitigates,1 +3999,,T1037.004,RC Scripts,[],[],,SI-3,mitigates,1 +4000,,T1037.005,Startup Items,[],[],,SI-3,mitigates,1 +4001,,T1041,Exfiltration Over C2 Channel,[],[],,SI-3,mitigates,1 +4002,,T1046,Network Service Scanning,[],[],,SI-3,mitigates,1 +4003,,T1047,Windows Management Instrumentation,[],[],,SI-3,mitigates,1 +4004,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-3,mitigates,1 +4005,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,1 +4006,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,1 +4007,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-3,mitigates,1 +4008,,T1052,Exfiltration Over Physical Medium,[],[],,SI-3,mitigates,1 +4009,,T1052.001,Exfiltration over USB,[],[],,SI-3,mitigates,1 +4010,,T1055,Process Injection,[],[],,SI-3,mitigates,1 +4011,,T1055.001,Dynamic-link Library Injection,[],[],,SI-3,mitigates,1 +4012,,T1055.002,Portable Executable Injection,[],[],,SI-3,mitigates,1 +4013,,T1055.003,Thread Execution Hijacking,[],[],,SI-3,mitigates,1 +4014,,T1055.004,Asynchronous Procedure Call,[],[],,SI-3,mitigates,1 +4015,,T1055.005,Thread Local Storage,[],[],,SI-3,mitigates,1 +4016,,T1055.008,Ptrace System Calls,[],[],,SI-3,mitigates,1 +4017,,T1055.009,Proc Memory,[],[],,SI-3,mitigates,1 +4018,,T1055.011,Extra Window Memory Injection,[],[],,SI-3,mitigates,1 +4019,,T1055.012,Process Hollowing,[],[],,SI-3,mitigates,1 +4020,,T1055.013,Process Doppelgänging,[],[],,SI-3,mitigates,1 +4021,,T1055.014,VDSO Hijacking,[],[],,SI-3,mitigates,1 +4022,,T1056.002,GUI Input Capture,[],[],,SI-3,mitigates,1 +4023,,T1059,Command and Scripting Interpreter,[],[],,SI-3,mitigates,1 +4024,,T1059.001,PowerShell,[],[],,SI-3,mitigates,1 +4025,,T1059.002,AppleScript,[],[],,SI-3,mitigates,1 +4026,,T1059.003,Windows 
Command Shell,[],[],,SI-3,mitigates,1 +4027,,T1059.004,Unix Shell,[],[],,SI-3,mitigates,1 +4028,,T1059.005,Visual Basic,[],[],,SI-3,mitigates,1 +4029,,T1059.006,Python,[],[],,SI-3,mitigates,1 +4030,,T1059.007,JavaScript,[],[],,SI-3,mitigates,1 +4031,,T1059.008,Network Device CLI,[],[],,SI-3,mitigates,1 +4032,,T1068,Exploitation for Privilege Escalation,[],[],,SI-3,mitigates,1 +4033,,T1070,Indicator Removal on Host,[],[],,SI-3,mitigates,1 +4034,,T1070.001,Clear Windows Event Logs,[],[],,SI-3,mitigates,1 +4035,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-3,mitigates,1 +4036,,T1070.003,Clear Command History,[],[],,SI-3,mitigates,1 +4037,,T1071,Application Layer Protocol,[],[],,SI-3,mitigates,1 +4038,,T1071.001,Web Protocols,[],[],,SI-3,mitigates,1 +4039,,T1071.002,File Transfer Protocols,[],[],,SI-3,mitigates,1 +4040,,T1071.003,Mail Protocols,[],[],,SI-3,mitigates,1 +4041,,T1071.004,DNS,[],[],,SI-3,mitigates,1 +4042,,T1072,Software Deployment Tools,[],[],,SI-3,mitigates,1 +4043,,T1080,Taint Shared Content,[],[],,SI-3,mitigates,1 +4044,,T1090,Proxy,[],[],,SI-3,mitigates,1 +4045,,T1090.001,Internal Proxy,[],[],,SI-3,mitigates,1 +4046,,T1090.002,External Proxy,[],[],,SI-3,mitigates,1 +4047,,T1091,Replication Through Removable Media,[],[],,SI-3,mitigates,1 +4048,,T1092,Communication Through Removable Media,[],[],,SI-3,mitigates,1 +4049,,T1095,Non-Application Layer Protocol,[],[],,SI-3,mitigates,1 +4050,,T1098.004,SSH Authorized Keys,[],[],,SI-3,mitigates,1 +4051,,T1102,Web Service,[],[],,SI-3,mitigates,1 +4052,,T1102.001,Dead Drop Resolver,[],[],,SI-3,mitigates,1 +4053,,T1102.002,Bidirectional Communication,[],[],,SI-3,mitigates,1 +4054,,T1102.003,One-Way Communication,[],[],,SI-3,mitigates,1 +4055,,T1104,Multi-Stage Channels,[],[],,SI-3,mitigates,1 +4056,,T1105,Ingress Tool Transfer,[],[],,SI-3,mitigates,1 +4057,,T1106,Native API,[],[],,SI-3,mitigates,1 +4058,,T1111,Two-Factor Authentication Interception,[],[],,SI-3,mitigates,1 +4059,,T1132,Data 
Encoding,[],[],,SI-3,mitigates,1 +4060,,T1132.001,Standard Encoding,[],[],,SI-3,mitigates,1 +4061,,T1132.002,Non-Standard Encoding,[],[],,SI-3,mitigates,1 +4062,,T1137,Office Application Startup,[],[],,SI-3,mitigates,1 +4063,,T1137.001,Office Template Macros,[],[],,SI-3,mitigates,1 +4064,,T1176,Browser Extensions,[],[],,SI-3,mitigates,1 +4065,,T1185,Browser Session Hijacking,[],[],,SI-3,mitigates,1 +4066,,T1189,Drive-by Compromise,[],[],,SI-3,mitigates,1 +4067,,T1190,Exploit Public-Facing Application,[],[],,SI-3,mitigates,1 +4068,,T1201,Password Policy Discovery,[],[],,SI-3,mitigates,1 +4069,,T1203,Exploitation for Client Execution,[],[],,SI-3,mitigates,1 +4070,,T1204,User Execution,[],[],,SI-3,mitigates,1 +4071,,T1204.001,Malicious Link,[],[],,SI-3,mitigates,1 +4072,,T1204.002,Malicious File,[],[],,SI-3,mitigates,1 +4073,,T1204.003,Malicious Image,[],[],,SI-3,mitigates,1 +4074,,T1210,Exploitation of Remote Services,[],[],,SI-3,mitigates,1 +4075,,T1211,Exploitation for Defense Evasion,[],[],,SI-3,mitigates,1 +4076,,T1212,Exploitation for Credential Access,[],[],,SI-3,mitigates,1 +4077,,T1218,Signed Binary Proxy Execution,[],[],,SI-3,mitigates,1 +4078,,T1218.001,Compiled HTML File,[],[],,SI-3,mitigates,1 +4079,,T1218.002,Control Panel,[],[],,SI-3,mitigates,1 +4080,,T1218.003,CMSTP,[],[],,SI-3,mitigates,1 +4081,,T1218.004,InstallUtil,[],[],,SI-3,mitigates,1 +4082,,T1218.005,Mshta,[],[],,SI-3,mitigates,1 +4083,,T1218.008,Odbcconf,[],[],,SI-3,mitigates,1 +4084,,T1218.009,Regsvcs/Regasm,[],[],,SI-3,mitigates,1 +4085,,T1218.012,Verclsid,[],[],,SI-3,mitigates,1 +4086,,T1218.013,Mavinject,[],[],,SI-3,mitigates,1 +4087,,T1218.014,MMC,[],[],,SI-3,mitigates,1 +4088,,T1219,Remote Access Software,[],[],,SI-3,mitigates,1 +4089,,T1221,Template Injection,[],[],,SI-3,mitigates,1 +4090,,T1485,Data Destruction,[],[],,SI-3,mitigates,1 +4091,,T1486,Data Encrypted for Impact,[],[],,SI-3,mitigates,1 +4092,,T1490,Inhibit System Recovery,[],[],,SI-3,mitigates,1 
+4093,,T1491,Defacement,[],[],,SI-3,mitigates,1 +4094,,T1491.001,Internal Defacement,[],[],,SI-3,mitigates,1 +4095,,T1491.002,External Defacement,[],[],,SI-3,mitigates,1 +4096,,T1505.004,IIS Components,[],[],,SI-3,mitigates,1 +4097,,T1525,Implant Internal Image,[],[],,SI-3,mitigates,1 +4098,,T1539,Steal Web Session Cookie,[],[],,SI-3,mitigates,1 +4099,,T1543,Create or Modify System Process,[],[],,SI-3,mitigates,1 +4100,,T1543.002,Systemd Service,[],[],,SI-3,mitigates,1 +4101,,T1546.002,Screensaver,[],[],,SI-3,mitigates,1 +4102,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-3,mitigates,1 +4103,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-3,mitigates,1 +4104,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-3,mitigates,1 +4105,,T1546.013,PowerShell Profile,[],[],,SI-3,mitigates,1 +4106,,T1546.014,Emond,[],[],,SI-3,mitigates,1 +4107,,T1547.002,Authentication Package,[],[],,SI-3,mitigates,1 +4108,,T1547.005,Security Support Provider,[],[],,SI-3,mitigates,1 +4109,,T1547.006,Kernel Modules and Extensions,[],[],,SI-3,mitigates,1 +4110,,T1547.007,Re-opened Applications,[],[],,SI-3,mitigates,1 +4111,,T1547.008,LSASS Driver,[],[],,SI-3,mitigates,1 +4112,,T1547.013,XDG Autostart Entries,[],[],,SI-3,mitigates,1 +4113,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-3,mitigates,1 +4114,,T1548.004,Elevated Execution with Prompt,[],[],,SI-3,mitigates,1 +4115,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-3,mitigates,1 +4116,,T1557,Adversary-in-the-Middle,[],[],,SI-3,mitigates,1 +4117,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-3,mitigates,1 +4118,,T1557.002,ARP Cache Poisoning,[],[],,SI-3,mitigates,1 +4119,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-3,mitigates,1 +4120,,T1558.002,Silver Ticket,[],[],,SI-3,mitigates,1 +4121,,T1558.003,Kerberoasting,[],[],,SI-3,mitigates,1 +4122,,T1558.004,AS-REP Roasting,[],[],,SI-3,mitigates,1 +4123,,T1559,Inter-Process Communication,[],[],,SI-3,mitigates,1 +4124,,T1559.001,Component 
Object Model,[],[],,SI-3,mitigates,1 +4125,,T1559.002,Dynamic Data Exchange,[],[],,SI-3,mitigates,1 +4126,,T1560,Archive Collected Data,[],[],,SI-3,mitigates,1 +4127,,T1560.001,Archive via Utility,[],[],,SI-3,mitigates,1 +4128,,T1561,Disk Wipe,[],[],,SI-3,mitigates,1 +4129,,T1561.001,Disk Content Wipe,[],[],,SI-3,mitigates,1 +4130,,T1561.002,Disk Structure Wipe,[],[],,SI-3,mitigates,1 +4131,,T1562,Impair Defenses,[],[],,SI-3,mitigates,1 +4132,,T1562.001,Disable or Modify Tools,[],[],,SI-3,mitigates,1 +4133,,T1562.002,Disable Windows Event Logging,[],[],,SI-3,mitigates,1 +4134,,T1562.004,Disable or Modify System Firewall,[],[],,SI-3,mitigates,1 +4135,,T1562.006,Indicator Blocking,[],[],,SI-3,mitigates,1 +4136,,T1564.004,NTFS File Attributes,[],[],,SI-3,mitigates,1 +4137,,T1564.008,Email Hiding Rules,[],[],,SI-3,mitigates,1 +4138,,T1564.009,Resource Forking,[],[],,SI-3,mitigates,1 +4139,,T1566,Phishing,[],[],,SI-3,mitigates,1 +4140,,T1566.001,Spearphishing Attachment,[],[],,SI-3,mitigates,1 +4141,,T1566.002,Spearphishing Link,[],[],,SI-3,mitigates,1 +4142,,T1566.003,Spearphishing via Service,[],[],,SI-3,mitigates,1 +4143,,T1567,Exfiltration Over Web Service,[],[],,SI-3,mitigates,1 +4144,,T1568,Dynamic Resolution,[],[],,SI-3,mitigates,1 +4145,,T1568.002,Domain Generation Algorithms,[],[],,SI-3,mitigates,1 +4146,,T1569,System Services,[],[],,SI-3,mitigates,1 +4147,,T1569.002,Service Execution,[],[],,SI-3,mitigates,1 +4148,,T1570,Lateral Tool Transfer,[],[],,SI-3,mitigates,1 +4149,,T1571,Non-Standard Port,[],[],,SI-3,mitigates,1 +4150,,T1572,Protocol Tunneling,[],[],,SI-3,mitigates,1 +4151,,T1573,Encrypted Channel,[],[],,SI-3,mitigates,1 +4152,,T1573.001,Symmetric Cryptography,[],[],,SI-3,mitigates,1 +4153,,T1573.002,Asymmetric Cryptography,[],[],,SI-3,mitigates,1 +4154,,T1574,Hijack Execution Flow,[],[],,SI-3,mitigates,1 +4155,,T1574.001,DLL Search Order Hijacking,[],[],,SI-3,mitigates,1 +4156,,T1574.004,Dylib Hijacking,[],[],,SI-3,mitigates,1 +4157,,T1574.007,Path 
Interception by PATH Environment Variable,[],[],,SI-3,mitigates,1 +4158,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-3,mitigates,1 +4159,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-3,mitigates,1 +4160,,T1598,Phishing for Information,[],[],,SI-3,mitigates,1 +4161,,T1598.001,Spearphishing Service,[],[],,SI-3,mitigates,1 +4162,,T1598.002,Spearphishing Attachment,[],[],,SI-3,mitigates,1 +4163,,T1598.003,Spearphishing Link,[],[],,SI-3,mitigates,1 +4164,,T1602,Data from Configuration Repository,[],[],,SI-3,mitigates,1 +4165,,T1602.001,SNMP (MIB Dump),[],[],,SI-3,mitigates,1 +4166,,T1602.002,Network Device Configuration Dump,[],[],,SI-3,mitigates,1 +4167,,T1611,Escape to Host,[],[],,SI-3,mitigates,1 +4168,,T1001,Data Obfuscation,[],[],,SI-4,mitigates,1 +4169,,T1001.001,Junk Data,[],[],,SI-4,mitigates,1 +4170,,T1001.002,Steganography,[],[],,SI-4,mitigates,1 +4171,,T1001.003,Protocol Impersonation,[],[],,SI-4,mitigates,1 +4172,,T1003,OS Credential Dumping,[],[],,SI-4,mitigates,1 +4173,,T1003.001,LSASS Memory,[],[],,SI-4,mitigates,1 +4174,,T1003.002,Security Account Manager,[],[],,SI-4,mitigates,1 +4175,,T1003.003,NTDS,[],[],,SI-4,mitigates,1 +4176,,T1003.004,LSA Secrets,[],[],,SI-4,mitigates,1 +4177,,T1003.005,Cached Domain Credentials,[],[],,SI-4,mitigates,1 +4178,,T1003.006,DCSync,[],[],,SI-4,mitigates,1 +4179,,T1003.007,Proc Filesystem,[],[],,SI-4,mitigates,1 +4180,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-4,mitigates,1 +4181,,T1005,Data from Local System,[],[],,SI-4,mitigates,1 +4182,,T1008,Fallback Channels,[],[],,SI-4,mitigates,1 +4183,,T1011,Exfiltration Over Other Network Medium,[],[],,SI-4,mitigates,1 +4184,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-4,mitigates,1 +4185,,T1020.001,Traffic Duplication,[],[],,SI-4,mitigates,1 +4186,,T1021,Remote Services,[],[],,SI-4,mitigates,1 +4187,,T1021.001,Remote Desktop Protocol,[],[],,SI-4,mitigates,1 +4188,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-4,mitigates,1 
+4189,,T1021.003,Distributed Component Object Model,[],[],,SI-4,mitigates,1 +4190,,T1021.004,SSH,[],[],,SI-4,mitigates,1 +4191,,T1021.005,VNC,[],[],,SI-4,mitigates,1 +4192,,T1021.006,Windows Remote Management,[],[],,SI-4,mitigates,1 +4193,,T1025,Data from Removable Media,[],[],,SI-4,mitigates,1 +4194,,T1027,Obfuscated Files or Information,[],[],,SI-4,mitigates,1 +4195,,T1027.002,Software Packing,[],[],,SI-4,mitigates,1 +4196,,T1029,Scheduled Transfer,[],[],,SI-4,mitigates,1 +4197,,T1030,Data Transfer Size Limits,[],[],,SI-4,mitigates,1 +4198,,T1036,Masquerading,[],[],,SI-4,mitigates,1 +4199,,T1036.001,Invalid Code Signature,[],[],,SI-4,mitigates,1 +4200,,T1036.003,Rename System Utilities,[],[],,SI-4,mitigates,1 +4201,,T1036.005,Match Legitimate Name or Location,[],[],,SI-4,mitigates,1 +4202,,T1036.007,Double File Extension,[],[],,SI-4,mitigates,1 +4203,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-4,mitigates,1 +4204,,T1037.002,Logon Script (Mac),[],[],,SI-4,mitigates,1 +4205,,T1037.003,Network Logon Script,[],[],,SI-4,mitigates,1 +4206,,T1037.004,RC Scripts,[],[],,SI-4,mitigates,1 +4207,,T1037.005,Startup Items,[],[],,SI-4,mitigates,1 +4208,,T1040,Network Sniffing,[],[],,SI-4,mitigates,1 +4209,,T1041,Exfiltration Over C2 Channel,[],[],,SI-4,mitigates,1 +4210,,T1046,Network Service Scanning,[],[],,SI-4,mitigates,1 +4211,,T1047,Windows Management Instrumentation,[],[],,SI-4,mitigates,1 +4212,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-4,mitigates,1 +4213,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,1 +4214,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,1 +4215,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-4,mitigates,1 +4216,,T1052,Exfiltration Over Physical Medium,[],[],,SI-4,mitigates,1 +4217,,T1052.001,Exfiltration over USB,[],[],,SI-4,mitigates,1 +4218,,T1053,Scheduled Task/Job,[],[],,SI-4,mitigates,1 +4219,,T1053.001,At 
(Linux),[],[],,SI-4,mitigates,1 +4220,,T1053.002,At (Windows),[],[],,SI-4,mitigates,1 +4221,,T1053.003,Cron,[],[],,SI-4,mitigates,1 +4222,,T1053.005,Scheduled Task,[],[],,SI-4,mitigates,1 +4223,,T1053.006,Systemd Timers,[],[],,SI-4,mitigates,1 +4224,,T1055,Process Injection,[],[],,SI-4,mitigates,1 +4225,,T1055.001,Dynamic-link Library Injection,[],[],,SI-4,mitigates,1 +4226,,T1055.002,Portable Executable Injection,[],[],,SI-4,mitigates,1 +4227,,T1055.003,Thread Execution Hijacking,[],[],,SI-4,mitigates,1 +4228,,T1055.004,Asynchronous Procedure Call,[],[],,SI-4,mitigates,1 +4229,,T1055.005,Thread Local Storage,[],[],,SI-4,mitigates,1 +4230,,T1055.008,Ptrace System Calls,[],[],,SI-4,mitigates,1 +4231,,T1055.009,Proc Memory,[],[],,SI-4,mitigates,1 +4232,,T1055.011,Extra Window Memory Injection,[],[],,SI-4,mitigates,1 +4233,,T1055.012,Process Hollowing,[],[],,SI-4,mitigates,1 +4234,,T1055.013,Process Doppelgänging,[],[],,SI-4,mitigates,1 +4235,,T1055.014,VDSO Hijacking,[],[],,SI-4,mitigates,1 +4236,,T1056.002,GUI Input Capture,[],[],,SI-4,mitigates,1 +4237,,T1059,Command and Scripting Interpreter,[],[],,SI-4,mitigates,1 +4238,,T1059.001,PowerShell,[],[],,SI-4,mitigates,1 +4239,,T1059.002,AppleScript,[],[],,SI-4,mitigates,1 +4240,,T1059.003,Windows Command Shell,[],[],,SI-4,mitigates,1 +4241,,T1059.004,Unix Shell,[],[],,SI-4,mitigates,1 +4242,,T1059.005,Visual Basic,[],[],,SI-4,mitigates,1 +4243,,T1059.006,Python,[],[],,SI-4,mitigates,1 +4244,,T1059.007,JavaScript,[],[],,SI-4,mitigates,1 +4245,,T1059.008,Network Device CLI,[],[],,SI-4,mitigates,1 +4246,,T1068,Exploitation for Privilege Escalation,[],[],,SI-4,mitigates,1 +4247,,T1070,Indicator Removal on Host,[],[],,SI-4,mitigates,1 +4248,,T1070.001,Clear Windows Event Logs,[],[],,SI-4,mitigates,1 +4249,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-4,mitigates,1 +4250,,T1070.003,Clear Command History,[],[],,SI-4,mitigates,1 +4251,,T1071,Application Layer Protocol,[],[],,SI-4,mitigates,1 +4252,,T1071.001,Web 
Protocols,[],[],,SI-4,mitigates,1 +4253,,T1071.002,File Transfer Protocols,[],[],,SI-4,mitigates,1 +4254,,T1071.003,Mail Protocols,[],[],,SI-4,mitigates,1 +4255,,T1071.004,DNS,[],[],,SI-4,mitigates,1 +4256,,T1072,Software Deployment Tools,[],[],,SI-4,mitigates,1 +4257,,T1078,Valid Accounts,[],[],,SI-4,mitigates,1 +4258,,T1078.001,Default Accounts,[],[],,SI-4,mitigates,1 +4259,,T1078.002,Domain Accounts,[],[],,SI-4,mitigates,1 +4260,,T1078.003,Local Accounts,[],[],,SI-4,mitigates,1 +4261,,T1078.004,Cloud Accounts,[],[],,SI-4,mitigates,1 +4262,,T1080,Taint Shared Content,[],[],,SI-4,mitigates,1 +4263,,T1087,Account Discovery,[],[],,SI-4,mitigates,1 +4264,,T1087.001,Local Account,[],[],,SI-4,mitigates,1 +4265,,T1087.002,Domain Account,[],[],,SI-4,mitigates,1 +4266,,T1090,Proxy,[],[],,SI-4,mitigates,1 +4267,,T1090.001,Internal Proxy,[],[],,SI-4,mitigates,1 +4268,,T1090.002,External Proxy,[],[],,SI-4,mitigates,1 +4269,,T1091,Replication Through Removable Media,[],[],,SI-4,mitigates,1 +4270,,T1092,Communication Through Removable Media,[],[],,SI-4,mitigates,1 +4271,,T1095,Non-Application Layer Protocol,[],[],,SI-4,mitigates,1 +4272,,T1098,Account Manipulation,[],[],,SI-4,mitigates,1 +4273,,T1098.001,Additional Cloud Credentials,[],[],,SI-4,mitigates,1 +4274,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-4,mitigates,1 +4275,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-4,mitigates,1 +4276,,T1098.004,SSH Authorized Keys,[],[],,SI-4,mitigates,1 +4277,,T1102,Web Service,[],[],,SI-4,mitigates,1 +4278,,T1102.001,Dead Drop Resolver,[],[],,SI-4,mitigates,1 +4279,,T1102.002,Bidirectional Communication,[],[],,SI-4,mitigates,1 +4280,,T1102.003,One-Way Communication,[],[],,SI-4,mitigates,1 +4281,,T1104,Multi-Stage Channels,[],[],,SI-4,mitigates,1 +4282,,T1105,Ingress Tool Transfer,[],[],,SI-4,mitigates,1 +4283,,T1106,Native API,[],[],,SI-4,mitigates,1 +4284,,T1110,Brute Force,[],[],,SI-4,mitigates,1 +4285,,T1110.001,Password Guessing,[],[],,SI-4,mitigates,1 
+4286,,T1110.002,Password Cracking,[],[],,SI-4,mitigates,1 +4287,,T1110.003,Password Spraying,[],[],,SI-4,mitigates,1 +4288,,T1110.004,Credential Stuffing,[],[],,SI-4,mitigates,1 +4289,,T1111,Two-Factor Authentication Interception,[],[],,SI-4,mitigates,1 +4290,,T1114,Email Collection,[],[],,SI-4,mitigates,1 +4291,,T1114.001,Local Email Collection,[],[],,SI-4,mitigates,1 +4292,,T1114.002,Remote Email Collection,[],[],,SI-4,mitigates,1 +4293,,T1114.003,Email Forwarding Rule,[],[],,SI-4,mitigates,1 +4294,,T1119,Automated Collection,[],[],,SI-4,mitigates,1 +4295,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-4,mitigates,1 +4296,,T1127.001,MSBuild,[],[],,SI-4,mitigates,1 +4297,,T1129,Shared Modules,[],[],,SI-4,mitigates,1 +4298,,T1132,Data Encoding,[],[],,SI-4,mitigates,1 +4299,,T1132.001,Standard Encoding,[],[],,SI-4,mitigates,1 +4300,,T1132.002,Non-Standard Encoding,[],[],,SI-4,mitigates,1 +4301,,T1133,External Remote Services,[],[],,SI-4,mitigates,1 +4302,,T1135,Network Share Discovery,[],[],,SI-4,mitigates,1 +4303,,T1136,Create Account,[],[],,SI-4,mitigates,1 +4304,,T1136.001,Local Account,[],[],,SI-4,mitigates,1 +4305,,T1136.002,Domain Account,[],[],,SI-4,mitigates,1 +4306,,T1136.003,Cloud Account,[],[],,SI-4,mitigates,1 +4307,,T1137,Office Application Startup,[],[],,SI-4,mitigates,1 +4308,,T1137.001,Office Template Macros,[],[],,SI-4,mitigates,1 +4309,,T1176,Browser Extensions,[],[],,SI-4,mitigates,1 +4310,,T1185,Browser Session Hijacking,[],[],,SI-4,mitigates,1 +4311,,T1187,Forced Authentication,[],[],,SI-4,mitigates,1 +4312,,T1189,Drive-by Compromise,[],[],,SI-4,mitigates,1 +4313,,T1190,Exploit Public-Facing Application,[],[],,SI-4,mitigates,1 +4314,,T1197,BITS Jobs,[],[],,SI-4,mitigates,1 +4315,,T1201,Password Policy Discovery,[],[],,SI-4,mitigates,1 +4316,,T1203,Exploitation for Client Execution,[],[],,SI-4,mitigates,1 +4317,,T1204,User Execution,[],[],,SI-4,mitigates,1 +4318,,T1204.001,Malicious Link,[],[],,SI-4,mitigates,1 
+4319,,T1204.002,Malicious File,[],[],,SI-4,mitigates,1 +4320,,T1204.003,Malicious Image,[],[],,SI-4,mitigates,1 +4321,,T1205,Traffic Signaling,[],[],,SI-4,mitigates,1 +4322,,T1205.001,Port Knocking,[],[],,SI-4,mitigates,1 +4323,,T1210,Exploitation of Remote Services,[],[],,SI-4,mitigates,1 +4324,,T1211,Exploitation for Defense Evasion,[],[],,SI-4,mitigates,1 +4325,,T1212,Exploitation for Credential Access,[],[],,SI-4,mitigates,1 +4326,,T1213,Data from Information Repositories,[],[],,SI-4,mitigates,1 +4327,,T1213.001,Confluence,[],[],,SI-4,mitigates,1 +4328,,T1213.002,Sharepoint,[],[],,SI-4,mitigates,1 +4329,,T1216,Signed Script Proxy Execution,[],[],,SI-4,mitigates,1 +4330,,T1216.001,PubPrn,[],[],,SI-4,mitigates,1 +4331,,T1218,Signed Binary Proxy Execution,[],[],,SI-4,mitigates,1 +4332,,T1218.001,Compiled HTML File,[],[],,SI-4,mitigates,1 +4333,,T1218.002,Control Panel,[],[],,SI-4,mitigates,1 +4334,,T1218.003,CMSTP,[],[],,SI-4,mitigates,1 +4335,,T1218.004,InstallUtil,[],[],,SI-4,mitigates,1 +4336,,T1218.005,Mshta,[],[],,SI-4,mitigates,1 +4337,,T1218.008,Odbcconf,[],[],,SI-4,mitigates,1 +4338,,T1218.009,Regsvcs/Regasm,[],[],,SI-4,mitigates,1 +4339,,T1218.010,Regsvr32,[],[],,SI-4,mitigates,1 +4340,,T1218.011,Rundll32,[],[],,SI-4,mitigates,1 +4341,,T1218.012,Verclsid,[],[],,SI-4,mitigates,1 +4342,,T1218.013,Mavinject,[],[],,SI-4,mitigates,1 +4343,,T1218.014,MMC,[],[],,SI-4,mitigates,1 +4344,,T1219,Remote Access Software,[],[],,SI-4,mitigates,1 +4345,,T1220,XSL Script Processing,[],[],,SI-4,mitigates,1 +4346,,T1221,Template Injection,[],[],,SI-4,mitigates,1 +4347,,T1222,File and Directory Permissions Modification,[],[],,SI-4,mitigates,1 +4348,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-4,mitigates,1 +4349,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-4,mitigates,1 +4350,,T1484,Domain Policy Modification,[],[],,SI-4,mitigates,1 +4351,,T1485,Data Destruction,[],[],,SI-4,mitigates,1 +4352,,T1486,Data Encrypted 
for Impact,[],[],,SI-4,mitigates,1 +4353,,T1489,Service Stop,[],[],,SI-4,mitigates,1 +4354,,T1490,Inhibit System Recovery,[],[],,SI-4,mitigates,1 +4355,,T1491,Defacement,[],[],,SI-4,mitigates,1 +4356,,T1491.001,Internal Defacement,[],[],,SI-4,mitigates,1 +4357,,T1491.002,External Defacement,[],[],,SI-4,mitigates,1 +4358,,T1499,Endpoint Denial of Service,[],[],,SI-4,mitigates,1 +4359,,T1499.001,OS Exhaustion Flood,[],[],,SI-4,mitigates,1 +4360,,T1499.002,Service Exhaustion Flood,[],[],,SI-4,mitigates,1 +4361,,T1499.003,Application Exhaustion Flood,[],[],,SI-4,mitigates,1 +4362,,T1499.004,Application or System Exploitation,[],[],,SI-4,mitigates,1 +4363,,T1505,Server Software Component,[],[],,SI-4,mitigates,1 +4364,,T1505.002,Transport Agent,[],[],,SI-4,mitigates,1 +4365,,T1505.003,Web Shell,[],[],,SI-4,mitigates,1 +4366,,T1505.004,IIS Components,[],[],,SI-4,mitigates,1 +4367,,T1525,Implant Internal Image,[],[],,SI-4,mitigates,1 +4368,,T1528,Steal Application Access Token,[],[],,SI-4,mitigates,1 +4369,,T1530,Data from Cloud Storage Object,[],[],,SI-4,mitigates,1 +4370,,T1537,Transfer Data to Cloud Account,[],[],,SI-4,mitigates,1 +4371,,T1539,Steal Web Session Cookie,[],[],,SI-4,mitigates,1 +4372,,T1542.004,ROMMONkit,[],[],,SI-4,mitigates,1 +4373,,T1542.005,TFTP Boot,[],[],,SI-4,mitigates,1 +4374,,T1543,Create or Modify System Process,[],[],,SI-4,mitigates,1 +4375,,T1543.002,Systemd Service,[],[],,SI-4,mitigates,1 +4376,,T1546.002,Screensaver,[],[],,SI-4,mitigates,1 +4377,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-4,mitigates,1 +4378,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-4,mitigates,1 +4379,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-4,mitigates,1 +4380,,T1546.008,Accessibility Features,[],[],,SI-4,mitigates,1 +4381,,T1546.013,PowerShell Profile,[],[],,SI-4,mitigates,1 +4382,,T1546.014,Emond,[],[],,SI-4,mitigates,1 +4383,,T1547.002,Authentication Package,[],[],,SI-4,mitigates,1 +4384,,T1547.003,Time 
Providers,[],[],,SI-4,mitigates,1 +4385,,T1547.004,Winlogon Helper DLL,[],[],,SI-4,mitigates,1 +4386,,T1547.005,Security Support Provider,[],[],,SI-4,mitigates,1 +4387,,T1547.006,Kernel Modules and Extensions,[],[],,SI-4,mitigates,1 +4388,,T1547.007,Re-opened Applications,[],[],,SI-4,mitigates,1 +4389,,T1547.008,LSASS Driver,[],[],,SI-4,mitigates,1 +4390,,T1547.009,Shortcut Modification,[],[],,SI-4,mitigates,1 +4391,,T1547.011,Plist Modification,[],[],,SI-4,mitigates,1 +4392,,T1547.012,Print Processors,[],[],,SI-4,mitigates,1 +4393,,T1547.013,XDG Autostart Entries,[],[],,SI-4,mitigates,1 +4394,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-4,mitigates,1 +4395,,T1548.001,Setuid and Setgid,[],[],,SI-4,mitigates,1 +4396,,T1548.002,Bypass User Account Control,[],[],,SI-4,mitigates,1 +4397,,T1548.003,Sudo and Sudo Caching,[],[],,SI-4,mitigates,1 +4398,,T1548.004,Elevated Execution with Prompt,[],[],,SI-4,mitigates,1 +4399,,T1550.001,Application Access Token,[],[],,SI-4,mitigates,1 +4400,,T1550.003,Pass the Ticket,[],[],,SI-4,mitigates,1 +4401,,T1552,Unsecured Credentials,[],[],,SI-4,mitigates,1 +4402,,T1552.001,Credentials In Files,[],[],,SI-4,mitigates,1 +4403,,T1552.002,Credentials in Registry,[],[],,SI-4,mitigates,1 +4404,,T1552.003,Bash History,[],[],,SI-4,mitigates,1 +4405,,T1552.004,Private Keys,[],[],,SI-4,mitigates,1 +4406,,T1552.005,Cloud Instance Metadata API,[],[],,SI-4,mitigates,1 +4407,,T1552.006,Group Policy Preferences,[],[],,SI-4,mitigates,1 +4408,,T1553,Subvert Trust Controls,[],[],,SI-4,mitigates,1 +4409,,T1553.001,Gatekeeper Bypass,[],[],,SI-4,mitigates,1 +4410,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-4,mitigates,1 +4411,,T1553.004,Install Root Certificate,[],[],,SI-4,mitigates,1 +4412,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-4,mitigates,1 +4413,,T1555,Credentials from Password Stores,[],[],,SI-4,mitigates,1 +4414,,T1555.001,Keychain,[],[],,SI-4,mitigates,1 +4415,,T1555.002,Securityd Memory,[],[],,SI-4,mitigates,1 
+4416,,T1555.004,Windows Credential Manager,[],[],,SI-4,mitigates,1 +4417,,T1555.005,Password Managers,[],[],,SI-4,mitigates,1 +4418,,T1556,Modify Authentication Process,[],[],,SI-4,mitigates,1 +4419,,T1556.001,Domain Controller Authentication,[],[],,SI-4,mitigates,1 +4420,,T1556.002,Password Filter DLL,[],[],,SI-4,mitigates,1 +4421,,T1556.003,Pluggable Authentication Modules,[],[],,SI-4,mitigates,1 +4422,,T1556.004,Network Device Authentication,[],[],,SI-4,mitigates,1 +4423,,T1557,Adversary-in-the-Middle,[],[],,SI-4,mitigates,1 +4424,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-4,mitigates,1 +4425,,T1557.002,ARP Cache Poisoning,[],[],,SI-4,mitigates,1 +4426,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-4,mitigates,1 +4427,,T1558.002,Silver Ticket,[],[],,SI-4,mitigates,1 +4428,,T1558.003,Kerberoasting,[],[],,SI-4,mitigates,1 +4429,,T1558.004,AS-REP Roasting,[],[],,SI-4,mitigates,1 +4430,,T1559,Inter-Process Communication,[],[],,SI-4,mitigates,1 +4431,,T1559.002,Dynamic Data Exchange,[],[],,SI-4,mitigates,1 +4432,,T1560,Archive Collected Data,[],[],,SI-4,mitigates,1 +4433,,T1560.001,Archive via Utility,[],[],,SI-4,mitigates,1 +4434,,T1561,Disk Wipe,[],[],,SI-4,mitigates,1 +4435,,T1561.001,Disk Content Wipe,[],[],,SI-4,mitigates,1 +4436,,T1561.002,Disk Structure Wipe,[],[],,SI-4,mitigates,1 +4437,,T1562,Impair Defenses,[],[],,SI-4,mitigates,1 +4438,,T1562.001,Disable or Modify Tools,[],[],,SI-4,mitigates,1 +4439,,T1562.002,Disable Windows Event Logging,[],[],,SI-4,mitigates,1 +4440,,T1562.003,Impair Command History Logging,[],[],,SI-4,mitigates,1 +4441,,T1562.004,Disable or Modify System Firewall,[],[],,SI-4,mitigates,1 +4442,,T1562.006,Indicator Blocking,[],[],,SI-4,mitigates,1 +4443,,T1562.010,Downgrade Attack,[],[],,SI-4,mitigates,1 +4444,,T1563,Remote Service Session Hijacking,[],[],,SI-4,mitigates,1 +4445,,T1563.001,SSH Hijacking,[],[],,SI-4,mitigates,1 +4446,,T1563.002,RDP Hijacking,[],[],,SI-4,mitigates,1 +4447,,T1564.002,Hidden 
Users,[],[],,SI-4,mitigates,1 +4448,,T1564.004,NTFS File Attributes,[],[],,SI-4,mitigates,1 +4449,,T1564.006,Run Virtual Instance,[],[],,SI-4,mitigates,1 +4450,,T1564.007,VBA Stomping,[],[],,SI-4,mitigates,1 +4451,,T1564.008,Email Hiding Rules,[],[],,SI-4,mitigates,1 +4452,,T1564.009,Resource Forking,[],[],,SI-4,mitigates,1 +4453,,T1565,Data Manipulation,[],[],,SI-4,mitigates,1 +4454,,T1565.001,Stored Data Manipulation,[],[],,SI-4,mitigates,1 +4455,,T1565.002,Transmitted Data Manipulation,[],[],,SI-4,mitigates,1 +4456,,T1565.003,Runtime Data Manipulation,[],[],,SI-4,mitigates,1 +4457,,T1566,Phishing,[],[],,SI-4,mitigates,1 +4458,,T1566.001,Spearphishing Attachment,[],[],,SI-4,mitigates,1 +4459,,T1566.002,Spearphishing Link,[],[],,SI-4,mitigates,1 +4460,,T1566.003,Spearphishing via Service,[],[],,SI-4,mitigates,1 +4461,,T1567,Exfiltration Over Web Service,[],[],,SI-4,mitigates,1 +4462,,T1568,Dynamic Resolution,[],[],,SI-4,mitigates,1 +4463,,T1568.002,Domain Generation Algorithms,[],[],,SI-4,mitigates,1 +4464,,T1569,System Services,[],[],,SI-4,mitigates,1 +4465,,T1569.002,Service Execution,[],[],,SI-4,mitigates,1 +4466,,T1570,Lateral Tool Transfer,[],[],,SI-4,mitigates,1 +4467,,T1571,Non-Standard Port,[],[],,SI-4,mitigates,1 +4468,,T1572,Protocol Tunneling,[],[],,SI-4,mitigates,1 +4469,,T1573,Encrypted Channel,[],[],,SI-4,mitigates,1 +4470,,T1573.001,Symmetric Cryptography,[],[],,SI-4,mitigates,1 +4471,,T1573.002,Asymmetric Cryptography,[],[],,SI-4,mitigates,1 +4472,,T1574,Hijack Execution Flow,[],[],,SI-4,mitigates,1 +4473,,T1574.001,DLL Search Order Hijacking,[],[],,SI-4,mitigates,1 +4474,,T1574.004,Dylib Hijacking,[],[],,SI-4,mitigates,1 +4475,,T1574.005,Executable Installer File Permissions Weakness,[],[],,SI-4,mitigates,1 +4476,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-4,mitigates,1 +4477,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-4,mitigates,1 +4478,,T1574.009,Path Interception by Unquoted 
Path,[],[],,SI-4,mitigates,1 +4479,,T1574.010,Services File Permissions Weakness,[],[],,SI-4,mitigates,1 +4480,,T1578,Modify Cloud Compute Infrastructure,[],[],,SI-4,mitigates,1 +4481,,T1578.001,Create Snapshot,[],[],,SI-4,mitigates,1 +4482,,T1578.002,Create Cloud Instance,[],[],,SI-4,mitigates,1 +4483,,T1578.003,Delete Cloud Instance,[],[],,SI-4,mitigates,1 +4484,,T1598,Phishing for Information,[],[],,SI-4,mitigates,1 +4485,,T1598.001,Spearphishing Service,[],[],,SI-4,mitigates,1 +4486,,T1598.002,Spearphishing Attachment,[],[],,SI-4,mitigates,1 +4487,,T1598.003,Spearphishing Link,[],[],,SI-4,mitigates,1 +4488,,T1599,Network Boundary Bridging,[],[],,SI-4,mitigates,1 +4489,,T1599.001,Network Address Translation Traversal,[],[],,SI-4,mitigates,1 +4490,,T1601,Modify System Image,[],[],,SI-4,mitigates,1 +4491,,T1601.001,Patch System Image,[],[],,SI-4,mitigates,1 +4492,,T1601.002,Downgrade System Image,[],[],,SI-4,mitigates,1 +4493,,T1602,Data from Configuration Repository,[],[],,SI-4,mitigates,1 +4494,,T1602.001,SNMP (MIB Dump),[],[],,SI-4,mitigates,1 +4495,,T1602.002,Network Device Configuration Dump,[],[],,SI-4,mitigates,1 +4496,,T1610,Deploy Container,[],[],,SI-4,mitigates,1 +4497,,T1611,Escape to Host,[],[],,SI-4,mitigates,1 +4498,,T1612,Build Image on Host,[],[],,SI-4,mitigates,1 +4499,,T1613,Container and Resource Discovery,[],[],,SI-4,mitigates,1 +4500,,T1068,Exploitation for Privilege Escalation,[],[],,SI-5,mitigates,1 +4501,,T1210,Exploitation of Remote Services,[],[],,SI-5,mitigates,1 +4502,,T1211,Exploitation for Defense Evasion,[],[],,SI-5,mitigates,1 +4503,,T1212,Exploitation for Credential Access,[],[],,SI-5,mitigates,1 +4504,,T1003,OS Credential Dumping,[],[],,SI-7,mitigates,1 +4505,,T1003.003,NTDS,[],[],,SI-7,mitigates,1 +4506,,T1020.001,Traffic Duplication,[],[],,SI-7,mitigates,1 +4507,,T1027,Obfuscated Files or Information,[],[],,SI-7,mitigates,1 +4508,,T1027.002,Software Packing,[],[],,SI-7,mitigates,1 
+4509,,T1036,Masquerading,[],[],,SI-7,mitigates,1 +4510,,T1036.001,Invalid Code Signature,[],[],,SI-7,mitigates,1 +4511,,T1036.005,Match Legitimate Name or Location,[],[],,SI-7,mitigates,1 +4512,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-7,mitigates,1 +4513,,T1037.002,Logon Script (Mac),[],[],,SI-7,mitigates,1 +4514,,T1037.003,Network Logon Script,[],[],,SI-7,mitigates,1 +4515,,T1037.004,RC Scripts,[],[],,SI-7,mitigates,1 +4516,,T1037.005,Startup Items,[],[],,SI-7,mitigates,1 +4517,,T1040,Network Sniffing,[],[],,SI-7,mitigates,1 +4518,,T1047,Windows Management Instrumentation,[],[],,SI-7,mitigates,1 +4519,,T1053.006,Systemd Timers,[],[],,SI-7,mitigates,1 +4520,,T1056.002,GUI Input Capture,[],[],,SI-7,mitigates,1 +4521,,T1059,Command and Scripting Interpreter,[],[],,SI-7,mitigates,1 +4522,,T1059.001,PowerShell,[],[],,SI-7,mitigates,1 +4523,,T1059.002,AppleScript,[],[],,SI-7,mitigates,1 +4524,,T1059.003,Windows Command Shell,[],[],,SI-7,mitigates,1 +4525,,T1059.004,Unix Shell,[],[],,SI-7,mitigates,1 +4526,,T1059.005,Visual Basic,[],[],,SI-7,mitigates,1 +4527,,T1059.006,Python,[],[],,SI-7,mitigates,1 +4528,,T1059.007,JavaScript,[],[],,SI-7,mitigates,1 +4529,,T1059.008,Network Device CLI,[],[],,SI-7,mitigates,1 +4530,,T1068,Exploitation for Privilege Escalation,[],[],,SI-7,mitigates,1 +4531,,T1070,Indicator Removal on Host,[],[],,SI-7,mitigates,1 +4532,,T1070.001,Clear Windows Event Logs,[],[],,SI-7,mitigates,1 +4533,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-7,mitigates,1 +4534,,T1070.003,Clear Command History,[],[],,SI-7,mitigates,1 +4535,,T1072,Software Deployment Tools,[],[],,SI-7,mitigates,1 +4536,,T1080,Taint Shared Content,[],[],,SI-7,mitigates,1 +4537,,T1098.001,Additional Cloud Credentials,[],[],,SI-7,mitigates,1 +4538,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-7,mitigates,1 +4539,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-7,mitigates,1 +4540,,T1114,Email Collection,[],[],,SI-7,mitigates,1 
+4541,,T1114.001,Local Email Collection,[],[],,SI-7,mitigates,1 +4542,,T1114.002,Remote Email Collection,[],[],,SI-7,mitigates,1 +4543,,T1114.003,Email Forwarding Rule,[],[],,SI-7,mitigates,1 +4544,,T1119,Automated Collection,[],[],,SI-7,mitigates,1 +4545,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-7,mitigates,1 +4546,,T1129,Shared Modules,[],[],,SI-7,mitigates,1 +4547,,T1133,External Remote Services,[],[],,SI-7,mitigates,1 +4548,,T1136,Create Account,[],[],,SI-7,mitigates,1 +4549,,T1136.001,Local Account,[],[],,SI-7,mitigates,1 +4550,,T1136.002,Domain Account,[],[],,SI-7,mitigates,1 +4551,,T1136.003,Cloud Account,[],[],,SI-7,mitigates,1 +4552,,T1176,Browser Extensions,[],[],,SI-7,mitigates,1 +4553,,T1185,Browser Session Hijacking,[],[],,SI-7,mitigates,1 +4554,,T1189,Drive-by Compromise,[],[],,SI-7,mitigates,1 +4555,,T1190,Exploit Public-Facing Application,[],[],,SI-7,mitigates,1 +4556,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-7,mitigates,1 +4557,,T1203,Exploitation for Client Execution,[],[],,SI-7,mitigates,1 +4558,,T1204,User Execution,[],[],,SI-7,mitigates,1 +4559,,T1204.002,Malicious File,[],[],,SI-7,mitigates,1 +4560,,T1204.003,Malicious Image,[],[],,SI-7,mitigates,1 +4561,,T1210,Exploitation of Remote Services,[],[],,SI-7,mitigates,1 +4562,,T1211,Exploitation for Defense Evasion,[],[],,SI-7,mitigates,1 +4563,,T1212,Exploitation for Credential Access,[],[],,SI-7,mitigates,1 +4564,,T1213,Data from Information Repositories,[],[],,SI-7,mitigates,1 +4565,,T1213.001,Confluence,[],[],,SI-7,mitigates,1 +4566,,T1213.002,Sharepoint,[],[],,SI-7,mitigates,1 +4567,,T1216,Signed Script Proxy Execution,[],[],,SI-7,mitigates,1 +4568,,T1216.001,PubPrn,[],[],,SI-7,mitigates,1 +4569,,T1218,Signed Binary Proxy Execution,[],[],,SI-7,mitigates,1 +4570,,T1218.001,Compiled HTML File,[],[],,SI-7,mitigates,1 +4571,,T1218.002,Control Panel,[],[],,SI-7,mitigates,1 +4572,,T1218.003,CMSTP,[],[],,SI-7,mitigates,1 
+4573,,T1218.004,InstallUtil,[],[],,SI-7,mitigates,1 +4574,,T1218.005,Mshta,[],[],,SI-7,mitigates,1 +4575,,T1218.008,Odbcconf,[],[],,SI-7,mitigates,1 +4576,,T1218.009,Regsvcs/Regasm,[],[],,SI-7,mitigates,1 +4577,,T1218.010,Regsvr32,[],[],,SI-7,mitigates,1 +4578,,T1218.011,Rundll32,[],[],,SI-7,mitigates,1 +4579,,T1218.012,Verclsid,[],[],,SI-7,mitigates,1 +4580,,T1218.013,Mavinject,[],[],,SI-7,mitigates,1 +4581,,T1218.014,MMC,[],[],,SI-7,mitigates,1 +4582,,T1219,Remote Access Software,[],[],,SI-7,mitigates,1 +4583,,T1220,XSL Script Processing,[],[],,SI-7,mitigates,1 +4584,,T1221,Template Injection,[],[],,SI-7,mitigates,1 +4585,,T1222,File and Directory Permissions Modification,[],[],,SI-7,mitigates,1 +4586,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-7,mitigates,1 +4587,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-7,mitigates,1 +4588,,T1485,Data Destruction,[],[],,SI-7,mitigates,1 +4589,,T1486,Data Encrypted for Impact,[],[],,SI-7,mitigates,1 +4590,,T1490,Inhibit System Recovery,[],[],,SI-7,mitigates,1 +4591,,T1491,Defacement,[],[],,SI-7,mitigates,1 +4592,,T1491.001,Internal Defacement,[],[],,SI-7,mitigates,1 +4593,,T1491.002,External Defacement,[],[],,SI-7,mitigates,1 +4594,,T1495,Firmware Corruption,[],[],,SI-7,mitigates,1 +4595,,T1505,Server Software Component,[],[],,SI-7,mitigates,1 +4596,,T1505.001,SQL Stored Procedures,[],[],,SI-7,mitigates,1 +4597,,T1505.002,Transport Agent,[],[],,SI-7,mitigates,1 +4598,,T1505.004,IIS Components,[],[],,SI-7,mitigates,1 +4599,,T1525,Implant Internal Image,[],[],,SI-7,mitigates,1 +4600,,T1530,Data from Cloud Storage Object,[],[],,SI-7,mitigates,1 +4601,,T1542,Pre-OS Boot,[],[],,SI-7,mitigates,1 +4602,,T1542.001,System Firmware,[],[],,SI-7,mitigates,1 +4603,,T1542.003,Bootkit,[],[],,SI-7,mitigates,1 +4604,,T1542.004,ROMMONkit,[],[],,SI-7,mitigates,1 +4605,,T1542.005,TFTP Boot,[],[],,SI-7,mitigates,1 +4606,,T1543,Create or Modify System Process,[],[],,SI-7,mitigates,1 
+4607,,T1543.002,Systemd Service,[],[],,SI-7,mitigates,1 +4608,,T1546,Event Triggered Execution,[],[],,SI-7,mitigates,1 +4609,,T1546.002,Screensaver,[],[],,SI-7,mitigates,1 +4610,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-7,mitigates,1 +4611,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-7,mitigates,1 +4612,,T1546.008,Accessibility Features,[],[],,SI-7,mitigates,1 +4613,,T1546.009,AppCert DLLs,[],[],,SI-7,mitigates,1 +4614,,T1546.010,AppInit DLLs,[],[],,SI-7,mitigates,1 +4615,,T1546.013,PowerShell Profile,[],[],,SI-7,mitigates,1 +4616,,T1547.002,Authentication Package,[],[],,SI-7,mitigates,1 +4617,,T1547.003,Time Providers,[],[],,SI-7,mitigates,1 +4618,,T1547.004,Winlogon Helper DLL,[],[],,SI-7,mitigates,1 +4619,,T1547.005,Security Support Provider,[],[],,SI-7,mitigates,1 +4620,,T1547.006,Kernel Modules and Extensions,[],[],,SI-7,mitigates,1 +4621,,T1547.008,LSASS Driver,[],[],,SI-7,mitigates,1 +4622,,T1547.011,Plist Modification,[],[],,SI-7,mitigates,1 +4623,,T1547.013,XDG Autostart Entries,[],[],,SI-7,mitigates,1 +4624,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-7,mitigates,1 +4625,,T1548.004,Elevated Execution with Prompt,[],[],,SI-7,mitigates,1 +4626,,T1550.001,Application Access Token,[],[],,SI-7,mitigates,1 +4627,,T1550.004,Web Session Cookie,[],[],,SI-7,mitigates,1 +4628,,T1552,Unsecured Credentials,[],[],,SI-7,mitigates,1 +4629,,T1552.004,Private Keys,[],[],,SI-7,mitigates,1 +4630,,T1553,Subvert Trust Controls,[],[],,SI-7,mitigates,1 +4631,,T1553.001,Gatekeeper Bypass,[],[],,SI-7,mitigates,1 +4632,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-7,mitigates,1 +4633,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-7,mitigates,1 +4634,,T1553.006,Code Signing Policy Modification,[],[],,SI-7,mitigates,1 +4635,,T1554,Compromise Client Software Binary,[],[],,SI-7,mitigates,1 +4636,,T1556,Modify Authentication Process,[],[],,SI-7,mitigates,1 +4637,,T1556.001,Domain Controller Authentication,[],[],,SI-7,mitigates,1 +4638,,T1556.003,Pluggable 
Authentication Modules,[],[],,SI-7,mitigates,1 +4639,,T1556.004,Network Device Authentication,[],[],,SI-7,mitigates,1 +4640,,T1557,Adversary-in-the-Middle,[],[],,SI-7,mitigates,1 +4641,,T1557.002,ARP Cache Poisoning,[],[],,SI-7,mitigates,1 +4642,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-7,mitigates,1 +4643,,T1558.002,Silver Ticket,[],[],,SI-7,mitigates,1 +4644,,T1558.003,Kerberoasting,[],[],,SI-7,mitigates,1 +4645,,T1558.004,AS-REP Roasting,[],[],,SI-7,mitigates,1 +4646,,T1561,Disk Wipe,[],[],,SI-7,mitigates,1 +4647,,T1561.001,Disk Content Wipe,[],[],,SI-7,mitigates,1 +4648,,T1561.002,Disk Structure Wipe,[],[],,SI-7,mitigates,1 +4649,,T1562,Impair Defenses,[],[],,SI-7,mitigates,1 +4650,,T1562.001,Disable or Modify Tools,[],[],,SI-7,mitigates,1 +4651,,T1562.002,Disable Windows Event Logging,[],[],,SI-7,mitigates,1 +4652,,T1562.004,Disable or Modify System Firewall,[],[],,SI-7,mitigates,1 +4653,,T1562.006,Indicator Blocking,[],[],,SI-7,mitigates,1 +4654,,T1562.009,Safe Mode Boot,[],[],,SI-7,mitigates,1 +4655,,T1564.003,Hidden Window,[],[],,SI-7,mitigates,1 +4656,,T1564.004,NTFS File Attributes,[],[],,SI-7,mitigates,1 +4657,,T1564.006,Run Virtual Instance,[],[],,SI-7,mitigates,1 +4658,,T1564.008,Email Hiding Rules,[],[],,SI-7,mitigates,1 +4659,,T1564.009,Resource Forking,[],[],,SI-7,mitigates,1 +4660,,T1565,Data Manipulation,[],[],,SI-7,mitigates,1 +4661,,T1565.001,Stored Data Manipulation,[],[],,SI-7,mitigates,1 +4662,,T1565.002,Transmitted Data Manipulation,[],[],,SI-7,mitigates,1 +4663,,T1569,System Services,[],[],,SI-7,mitigates,1 +4664,,T1569.002,Service Execution,[],[],,SI-7,mitigates,1 +4665,,T1574,Hijack Execution Flow,[],[],,SI-7,mitigates,1 +4666,,T1574.001,DLL Search Order Hijacking,[],[],,SI-7,mitigates,1 +4667,,T1574.004,Dylib Hijacking,[],[],,SI-7,mitigates,1 +4668,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-7,mitigates,1 +4669,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-7,mitigates,1 +4670,,T1574.008,Path Interception by 
Search Order Hijacking,[],[],,SI-7,mitigates,1 +4671,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-7,mitigates,1 +4672,,T1574.012,COR_PROFILER,[],[],,SI-7,mitigates,1 +4673,,T1599,Network Boundary Bridging,[],[],,SI-7,mitigates,1 +4674,,T1599.001,Network Address Translation Traversal,[],[],,SI-7,mitigates,1 +4675,,T1601,Modify System Image,[],[],,SI-7,mitigates,1 +4676,,T1601.001,Patch System Image,[],[],,SI-7,mitigates,1 +4677,,T1601.002,Downgrade System Image,[],[],,SI-7,mitigates,1 +4678,,T1602,Data from Configuration Repository,[],[],,SI-7,mitigates,1 +4679,,T1602.001,SNMP (MIB Dump),[],[],,SI-7,mitigates,1 +4680,,T1602.002,Network Device Configuration Dump,[],[],,SI-7,mitigates,1 +4681,,T1609,Container Administration Command,[],[],,SI-7,mitigates,1 +4682,,T1611,Escape to Host,[],[],,SI-7,mitigates,1 +4683,,T1137,Office Application Startup,[],[],,SI-8,mitigates,1 +4684,,T1137.001,Office Template Macros,[],[],,SI-8,mitigates,1 +4685,,T1137.002,Office Test,[],[],,SI-8,mitigates,1 +4686,,T1137.003,Outlook Forms,[],[],,SI-8,mitigates,1 +4687,,T1137.004,Outlook Home Page,[],[],,SI-8,mitigates,1 +4688,,T1137.005,Outlook Rules,[],[],,SI-8,mitigates,1 +4689,,T1137.006,Add-ins,[],[],,SI-8,mitigates,1 +4690,,T1204,User Execution,[],[],,SI-8,mitigates,1 +4691,,T1204.001,Malicious Link,[],[],,SI-8,mitigates,1 +4692,,T1204.002,Malicious File,[],[],,SI-8,mitigates,1 +4693,,T1204.003,Malicious Image,[],[],,SI-8,mitigates,1 +4694,,T1221,Template Injection,[],[],,SI-8,mitigates,1 +4695,,T1566,Phishing,[],[],,SI-8,mitigates,1 +4696,,T1566.001,Spearphishing Attachment,[],[],,SI-8,mitigates,1 +4697,,T1566.002,Spearphishing Link,[],[],,SI-8,mitigates,1 +4698,,T1566.003,Spearphishing via Service,[],[],,SI-8,mitigates,1 +4699,,T1598,Phishing for Information,[],[],,SI-8,mitigates,1 +4700,,T1598.001,Spearphishing Service,[],[],,SI-8,mitigates,1 +4701,,T1598.002,Spearphishing Attachment,[],[],,SI-8,mitigates,1 +4702,,T1598.003,Spearphishing Link,[],[],,SI-8,mitigates,1 
+4703,,T1059.002,AppleScript,[],[],,SR-11,mitigates,1 +4704,,T1204.003,Malicious Image,[],[],,SR-11,mitigates,1 +4705,,T1505,Server Software Component,[],[],,SR-11,mitigates,1 +4706,,T1505.001,SQL Stored Procedures,[],[],,SR-11,mitigates,1 +4707,,T1505.002,Transport Agent,[],[],,SR-11,mitigates,1 +4708,,T1505.004,IIS Components,[],[],,SR-11,mitigates,1 +4709,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-11,mitigates,1 +4710,,T1554,Compromise Client Software Binary,[],[],,SR-11,mitigates,1 +4711,,T1601,Modify System Image,[],[],,SR-11,mitigates,1 +4712,,T1601.001,Patch System Image,[],[],,SR-11,mitigates,1 +4713,,T1601.002,Downgrade System Image,[],[],,SR-11,mitigates,1 +4714,,T1041,Exfiltration Over C2 Channel,[],[],,SR-4,mitigates,1 +4715,,T1048,Exfiltration Over Alternative Protocol,[],[],,SR-4,mitigates,1 +4716,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SR-4,mitigates,1 +4717,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SR-4,mitigates,1 +4718,,T1052,Exfiltration Over Physical Medium,[],[],,SR-4,mitigates,1 +4719,,T1052.001,Exfiltration over USB,[],[],,SR-4,mitigates,1 +4720,,T1059.002,AppleScript,[],[],,SR-4,mitigates,1 +4721,,T1204.003,Malicious Image,[],[],,SR-4,mitigates,1 +4722,,T1505,Server Software Component,[],[],,SR-4,mitigates,1 +4723,,T1505.001,SQL Stored Procedures,[],[],,SR-4,mitigates,1 +4724,,T1505.002,Transport Agent,[],[],,SR-4,mitigates,1 +4725,,T1505.004,IIS Components,[],[],,SR-4,mitigates,1 +4726,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-4,mitigates,1 +4727,,T1554,Compromise Client Software Binary,[],[],,SR-4,mitigates,1 +4728,,T1567,Exfiltration Over Web Service,[],[],,SR-4,mitigates,1 +4729,,T1601,Modify System Image,[],[],,SR-4,mitigates,1 +4730,,T1601.001,Patch System Image,[],[],,SR-4,mitigates,1 +4731,,T1601.002,Downgrade System Image,[],[],,SR-4,mitigates,1 +4732,,T1059.002,AppleScript,[],[],,SR-5,mitigates,1 +4733,,T1204.003,Malicious Image,[],[],,SR-5,mitigates,1 
+4734,,T1505,Server Software Component,[],[],,SR-5,mitigates,1 +4735,,T1505.001,SQL Stored Procedures,[],[],,SR-5,mitigates,1 +4736,,T1505.002,Transport Agent,[],[],,SR-5,mitigates,1 +4737,,T1505.004,IIS Components,[],[],,SR-5,mitigates,1 +4738,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-5,mitigates,1 +4739,,T1554,Compromise Client Software Binary,[],[],,SR-5,mitigates,1 +4740,,T1601,Modify System Image,[],[],,SR-5,mitigates,1 +4741,,T1601.001,Patch System Image,[],[],,SR-5,mitigates,1 +4742,,T1601.002,Downgrade System Image,[],[],,SR-5,mitigates,1 +4743,,T1059.002,AppleScript,[],[],,SR-6,mitigates,1 +4744,,T1078,Valid Accounts,[],[],,SR-6,mitigates,1 +4745,,T1204.003,Malicious Image,[],[],,SR-6,mitigates,1 +4746,,T1505,Server Software Component,[],[],,SR-6,mitigates,1 +4747,,T1505.001,SQL Stored Procedures,[],[],,SR-6,mitigates,1 +4748,,T1505.002,Transport Agent,[],[],,SR-6,mitigates,1 +4749,,T1505.004,IIS Components,[],[],,SR-6,mitigates,1 +4750,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-6,mitigates,1 +4751,,T1554,Compromise Client Software Binary,[],[],,SR-6,mitigates,1 +4752,,T1601,Modify System Image,[],[],,SR-6,mitigates,1 +4753,,T1601.001,Patch System Image,[],[],,SR-6,mitigates,1 +4754,,T1601.002,Downgrade System Image,[],[],,SR-6,mitigates,1 diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_metadata.csv new file mode 100644 index 00000000..0e03cece --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r5,10.1,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,1 
diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_metadata_object.csv b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_metadata_object.csv new file mode 100644 index 00000000..0e03cece --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_metadata_object.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r5,10.1,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,1 diff --git a/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_navigator_layer.json index e6d54ec5..d433feb7 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_navigator_layer.json +++ b/src/mappings_explorer/cli/mapex/nist_files/10.1/r5/parsed_nist800-53-r5-10.1_mappings_navigator_layer.json 
@@ -1 +1 @@ -{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "10.1"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 13, "comment": "Related to Concurrent Session Control, Remote Access, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Detonation Chambers, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1137.002", "score": 10, "comment": "Related to Concurrent Session Control, Permitted Actions Without Identification or Authentication, Remote Access, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Mobile Code, Detonation Chambers, Spam Protection"}, {"techniqueID": "T1185", "score": 14, "comment": "Related to Concurrent Session Control, Session Termination, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users), Session Authenticity, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to Concurrent Session Control, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, System 
Monitoring"}, {"techniqueID": "T1021.001", "score": 24, "comment": "Related to Device Lock, Session Termination, Remote Access, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1563.002", "score": 18, "comment": "Related to Device Lock, Session Termination, Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1072", "score": 24, "comment": "Related to Session Termination, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Key Establishment and Management, Public Key Infrastructure Certificates, Cross Domain Policy Enforcement, Boundary Protection, Flaw Remediation, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1003", "score": 22, "comment": 
"Related to Security and Privacy Attributes, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Backup, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Information Management and Retention, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Backup, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1005", "score": 13, "comment": "Related to Security and Privacy Attributes, Account Management, Data Mining Protection, Access Enforcement, Least Privilege, Information Location, System Backup, Security and Privacy Engineering Principles, Cryptographic Protection, Protection of Information at Rest, Operations Security, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1020.001", "score": 16, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Information Exchange, Baseline Configuration, Configuration Settings, System Component Inventory, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information 
Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1025", "score": 15, "comment": "Related to Security and Privacy Attributes, Account Management, Data Mining Protection, Access Enforcement, Least Privilege, Information Location, System Backup, Media Use, Security and Privacy Engineering Principles, Cryptographic Protection, Protection of Information at Rest, Operations Security, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1041", "score": 18, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Security and Privacy Engineering Principles, External System Services, Cryptographic Protection, Protection of Information at Rest, Covert Channel Analysis, Boundary Protection, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1048", "score": 23, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security and Privacy Engineering Principles, External System Services, Protection of Information at Rest, Covert Channel Analysis, Cross Domain Policy Enforcement, Boundary Protection, 
Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1048.002", "score": 23, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security and Privacy Engineering Principles, External System Services, Protection of Information at Rest, Covert Channel Analysis, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1048.003", "score": 24, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security and Privacy Engineering Principles, External System Services, Cryptographic Protection, Protection of Information at Rest, Covert Channel Analysis, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1052", "score": 19, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Security and Privacy Engineering Principles, Protection of Information at Rest, Port and I/O Device Access, Malicious Code Protection, System Monitoring, Provenance"}, 
{"techniqueID": "T1052.001", "score": 19, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Security and Privacy Engineering Principles, Protection of Information at Rest, Port and I/O Device Access, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1070", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.001", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.002", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, 
Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.003", "score": 11, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Configuration Settings, Usage Restrictions, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information 
Integrity"}, {"techniqueID": "T1119", "score": 17, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, System 
Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505", "score": 23, 
"comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Transmission of Security and Privacy Attributes, Non-persistence, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1505.002", "score": 23, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Transmission of Security and Privacy Attributes, Non-persistence, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational 
Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Authentication Feedback, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Input Validation, Information Management and Retention, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Identification and Authentication (non-organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1547.011", "score": 15, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, Developer Configuration Management, Developer Testing and Evaluation, Security and Privacy Engineering Principles, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548", 
"score": 21, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Non-modifiable Executable Programs, Information Management and Retention, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Penetration Testing, Software Usage Restrictions, User-installed Software, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Protection of Information at Rest, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, 
Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Input Validation, Information Management and Retention, Information Output Filtering, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to Security and Privacy Attributes, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Device Identification and Authentication, Identifier Management, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1557", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access 
Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Session Authenticity, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1557.002", "score": 22, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, 
Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Continuous Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565", "score": 26, "comment": 
"Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, System Recovery and Reconstitution, Alternate Storage Site, Alternate Processing Site, System Backup, Protection of Information at Rest, Distributed Processing and Storage, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Information Management and Retention, Memory Protection, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.001", "score": 23, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, System Recovery and Reconstitution, Alternate Storage Site, Alternate Processing Site, System Backup, Protection of Information at Rest, Distributed Processing and Storage, Information in Shared System Resources, Boundary Protection, Information Management and Retention, Memory Protection, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Information in Shared System Resources, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1567", "score": 17, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, 
Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Security and Privacy Engineering Principles, External System Services, Protection of Information at Rest, Covert Channel Analysis, Boundary Protection, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote 
Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1021.003", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Cross Domain 
Policy Enforcement, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1021.006", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to Remote Access, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, 
{"techniqueID": "T1037.001", "score": 2, "comment": "Related to Remote Access, Least Functionality"}, {"techniqueID": "T1047", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Security Function Isolation, Non-modifiable Executable Programs, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059", "score": 24, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.001", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information 
Integrity"}, {"techniqueID": "T1059.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1059.003", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.004", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.005", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.006", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Information Input Validation, Memory Protection, Flaw Remediation, Malicious Code Protection, 
System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.007", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.008", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1133", "score": 18, "comment": "Related to Remote Access, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": 
"T1505.004", "score": 24, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Boundary Protection, Non-persistence, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Unsupported System Components, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.004", "score": 13, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Non-persistence, Memory Protection, System Monitoring, 
Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users), System Monitoring"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users), System Monitoring"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, System Monitoring"}, {"techniqueID": "T1552.007", "score": 14, "comment": "Related to Remote Access, Account Management, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational 
Users), Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity"}, {"techniqueID": "T1563", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cryptographic Key Establishment and Management, Session Authenticity, System Monitoring"}, {"techniqueID": "T1609", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, System Monitoring"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Developer Testing 
and Evaluation, Boundary Protection, System Monitoring"}, {"techniqueID": "T1613", "score": 10, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Usage Restrictions, Boundary Protection, System Monitoring"}, {"techniqueID": "T1619", "score": 7, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to Wireless Access, Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to Wireless Access, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.001", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Security Function Isolation, Process Isolation, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System 
Monitoring"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, 
Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1053", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, 
Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.006", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1053.007", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to Account 
Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1068", "score": 25, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1078", "score": 23, "comment": "Related to Account Management, 
Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring, Supplier Assessments and Reviews"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Continuous Monitoring, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.002", "score": 12, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1078.003", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided 
Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.004", "score": 22, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1098", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1098.001", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary 
Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational 
Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1136", "score": 15, "comment": "Related 
to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.002", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.003", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1190", "score": 29, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Control Assessments, Continuous Monitoring, Access Restrictions for 
Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Threat Hunting, Vulnerability Monitoring and Scanning, Security and Privacy Engineering Principles, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1210", "score": 32, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Control Assessments, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Cross Domain Policy Enforcement, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, 
and Information Integrity"}, {"techniqueID": "T1212", "score": 24, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213.003", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, System Development Life Cycle, Security and Privacy Engineering Principles, Flaw Remediation"}, {"techniqueID": "T1218", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration 
Settings, Least Functionality, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1489", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational 
Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, 
System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.001", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Unsupported System Components, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.003", "score": 8, "comment": 
"Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1543.004", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1546.003", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Non-persistence, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1547.006", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, Non-persistence, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access 
Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Flaw Remediation"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to Account Management, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, System Monitoring"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, 
Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Process Isolation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Process Isolation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management"}, {"techniqueID": "T1559", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, 
Separation of Duties, Least Privilege, Software Usage Restrictions, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1559.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, 
Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.006", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Service Identification and Authentication, Session Authenticity, Transmission Confidentiality and Integrity, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1562.009", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Software Usage Restrictions, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Service Identification and Authentication, Session Authenticity, 
Transmission Confidentiality and Integrity, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, 
Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, 
Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least 
Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1601", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, 
Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1601.001", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1601.002", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1606", 
"score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Public Key Infrastructure Certificates, Flaw Remediation"}, {"techniqueID": "T1606.001", "score": 4, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Flaw Remediation"}, {"techniqueID": "T1606.002", "score": 3, "comment": "Related to Account Management, Access Enforcement, Least Privilege"}, {"techniqueID": "T1611", "score": 20, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Mobile Code, Separation of System and User Functionality, Security Function Isolation, Non-modifiable Executable Programs, Process Isolation, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Developer Testing and Evaluation, Developer Security and Privacy Architecture and Design, Acquisition Process, Security and Privacy Engineering Principles, Security Function Isolation"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to Use of External Systems, Access Enforcement, Least Privilege, Media Use, Port and I/O Device Access"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to Use of External Systems, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1567.001", "score": 3, "comment": 
"Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1048.001", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Mobile Code, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline 
Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Least Functionality, Information in Shared System Resources, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input 
Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to Access Enforcement, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Cryptographic Key Establishment and Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1199", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Least Privilege, System Use Notification, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1218.002", "score": 11, "comment": "Related to Access Enforcement, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.012", "score": 16, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, User-installed 
Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Storage Site, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": 
"T1491.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.003", "score": 9, "comment": 
"Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Cryptographic Module Authentication, Vulnerability Monitoring and Scanning, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, System 
Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.003", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, System Backup, Protection of Information at Rest, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Memory Protection, System Monitoring"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, 
Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to Information Flow 
Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1046", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution 
Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.003", 
"score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, Unsupported System Components, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1203", "score": 15, "comment": 
"Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, System Component Inventory, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1204.003", "score": 18, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, 
{"techniqueID": "T1211", "score": 23, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to Information Flow Enforcement, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Developer Security and Privacy Architecture and Design, Security and Privacy Engineering Principles, Cross Domain Policy Enforcement, Boundary Protection"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1564.008", "score": 8, "comment": "Related to Information Flow Enforcement, Configuration Change Control, Access Restrictions for Change, Least Functionality, Incident Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation 
Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.001", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to Information Flow Enforcement, 
Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, 
Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to Least Privilege, Mobile 
Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1106", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Least Privilege, Least Functionality"}, {"techniqueID": "T1137.001", "score": 10, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Detonation Chambers, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1137.003", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Detonation Chambers, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.004", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Detonation Chambers, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.005", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Detonation Chambers, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.006", "score": 6, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Detonation Chambers, Spam Protection"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Boundary 
Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to Least Privilege, Flaw Remediation"}, {"techniqueID": "T1553", "score": 19, "comment": "Related to Least Privilege, Penetration Testing, Software Usage Restrictions, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Cryptographic Module Authentication, Service Identification and Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Information Input Validation, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.006", "score": 13, "comment": "Related to Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Least Functionality, System Component Inventory, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to Least Privilege, Access Restrictions for Change"}, {"techniqueID": "T1195", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.001", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.002", "score": 8, "comment": "Related to Control 
Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1036.007", "score": 6, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), System Monitoring"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to Continuous Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1555.001", 
"score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to Penetration Testing, Configuration Change Control, Access Restrictions for Change, System Component Inventory, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505.001", "score": 14, "comment": "Related to Penetration Testing, User-installed Software, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Non-persistence, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1554", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Monitoring and Scanning, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Monitoring and Scanning, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, 
Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), System Monitoring"}, {"techniqueID": "T1218.001", "score": 10, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Mobile Code, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.003", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.004", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.005", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, 
Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.008", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.009", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.013", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.014", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.009", "score": 13, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Developer Configuration Management, Information in Shared System Resources, Detonation Chambers, Resource Availability, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information 
Integrity"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification and Authentication, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, 
Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.006", "score": 14, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Service Identification and Authentication, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1546.010", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Monitoring and Scanning, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Mobile Code, Non-modifiable Executable Programs, 
Information Management and Retention, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Authenticator Management, System Monitoring"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1562.010", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, System Monitoring"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to Configuration Settings, Least 
Functionality, System Monitoring"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and 
Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Flaw Remediation"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to Session Authenticity"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to Session Authenticity, Transmission Confidentiality and Integrity, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to Transmission Confidentiality and Integrity"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file +{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "10.1"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 13, "comment": "Related to AC-10, AC-17, AC-6, CM-2, CM-6, CM-8, RA-5, SC-18, SC-44, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1137.002", "score": 10, "comment": "Related to AC-10, AC-14, AC-17, AC-6, CM-2, CM-5, CM-6, SC-18, SC-44, SI-8"}, {"techniqueID": "T1185", "score": 14, "comment": "Related to AC-10, AC-12, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, IA-2, SC-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to AC-10, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1021.001", "score": 24, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-5, IA-6, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1563.002", "score": 18, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-3, AC-4, AC-5, 
AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1072", "score": 24, "comment": "Related to AC-12, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, SC-12, SC-17, SC-46, SC-7, SI-2, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003", "score": 22, "comment": "Related to AC-16, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CP-9, IA-2, IA-4, IA-5, SC-28, SC-39, SI-12, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CP-9, IA-2, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1005", "score": 13, "comment": "Related to AC-16, AC-2, AC-23, AC-3, AC-6, CM-12, CP-9, SA-8, SC-13, SC-28, SC-38, SI-3, SI-4"}, {"techniqueID": "T1020.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-4, CA-3, CM-2, CM-6, CM-8, SC-4, SC-7, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1025", "score": 15, "comment": "Related to AC-16, AC-2, AC-23, AC-3, AC-6, CM-12, CP-9, MP-7, SA-8, SC-13, SC-28, SC-38, SC-41, SI-3, SI-4"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to AC-16, AC-17, AC-18, AC-19, IA-2, IA-5, SC-4, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1041", "score": 18, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, SA-8, SA-9, SC-13, SC-28, SC-31, SC-7, SI-3, SI-4, SR-4"}, {"techniqueID": "T1048", "score": 23, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-28, SC-31, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4, SR-4"}, {"techniqueID": "T1048.002", "score": 23, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-28, SC-31, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4, SR-4"}, {"techniqueID": "T1048.003", "score": 24, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, 
CM-6, CM-7, SA-8, SA-9, SC-13, SC-28, SC-31, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4, SR-4"}, {"techniqueID": "T1052", "score": 19, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SA-8, SC-28, SC-41, SI-3, SI-4, SR-4"}, {"techniqueID": "T1052.001", "score": 19, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SA-8, SC-28, SC-41, SI-3, SI-4, SR-4"}, {"techniqueID": "T1070", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.001", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.002", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.003", "score": 11, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, CM-6, SC-43, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1119", "score": 17, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-4, SI-7"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, 
SI-7"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1505", "score": 23, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, RA-5, SA-10, SA-11, SC-16, SI-14, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1505.002", "score": 23, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, RA-5, SA-10, SA-11, SC-16, SI-14, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8, RA-5, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-4, SI-7"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to AC-16, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-8, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to AC-16, AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.011", "score": 15, "comment": "Related to AC-16, AC-17, AC-3, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, SA-10, SA-11, SA-8, 
SI-4, SI-7"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-19, AC-20, CA-8, CM-10, CM-11, CM-2, CM-6, IA-2, IA-4, SC-28, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-2, SI-4, SI-7"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to AC-16, AC-20, AC-3, AC-4, CA-7, CM-6, CM-7, IA-3, IA-4, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1557", "score": 24, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-46, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.002", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.003", "score": 19, 
"comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to AC-16, AC-3, CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565", "score": 26, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-46, SC-7, SI-12, SI-16, SI-23, SI-4, SI-7"}, {"techniqueID": "T1565.001", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, CA-7, CM-2, CM-6, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-23, SI-4, SI-7"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1567", "score": 17, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, SA-8, SA-9, SC-28, SC-31, SC-7, SI-3, SI-4, SR-4"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, 
IA-5, SI-4"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1021.003", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-46, SC-7, SI-3, SI-4"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, CM-8, IA-2, IA-5, RA-5, SI-4"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1021.006", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to AC-17, AC-3, CA-7, CM-2, CM-6, CM-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to AC-17, CM-7"}, {"techniqueID": "T1047", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SC-3, SC-34, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059", "score": 24, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SC-18, SI-10, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.001", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-8, IA-2, IA-8, IA-9, RA-5, SI-10, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, IA-9, SI-10, SI-16, SI-3, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1059.003", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.004", 
"score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.005", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.006", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-11, CM-2, CM-3, CM-5, CM-6, SI-10, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.007", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.008", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-8, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1133", "score": 18, "comment": "Related to AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to AC-17, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1505.004", "score": 24, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-8, CM-11, CM-2, CM-6, CM-7, CM-8, IA-2, RA-5, SA-10, SA-11, SC-7, SI-14, SI-16, SI-3, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-7, CM-2, CM-5, CM-6, SI-4, SI-7"}, {"techniqueID": "T1547.004", "score": 13, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-14, SI-16, SI-4, SI-7"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, 
SI-4"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SI-4"}, {"techniqueID": "T1552.007", "score": 14, "comment": "Related to AC-17, AC-2, AC-23, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SC-8"}, {"techniqueID": "T1563", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SC-23, SI-4"}, {"techniqueID": "T1609", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, SC-7, SI-10, SI-7"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-8, CM-6, CM-7, RA-5, SA-11, SC-7, SI-4"}, {"techniqueID": "T1613", "score": 10, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-43, SC-7, SI-4"}, {"techniqueID": "T1619", "score": 7, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to AC-18, CM-6, CM-7, SI-4"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to AC-18, CM-2, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1003.001", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-3, SC-39, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, 
{"techniqueID": "T1003.004", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1053", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.006", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, IA-2, SI-4, SI-7"}, 
{"techniqueID": "T1053.007", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, IA-8"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1068", "score": 25, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1078", "score": 23, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-12, IA-2, IA-5, RA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4, SR-6"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to AC-2, AC-5, AC-6, CA-7, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.002", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-12, IA-2, IA-5, SI-4"}, {"techniqueID": "T1078.003", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-12, IA-2, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.004", "score": 22, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-12, IA-2, IA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1098", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SI-4"}, {"techniqueID": 
"T1098.001", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1136", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1136.002", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, 
CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.003", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1190", "score": 29, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-10, RA-5, SA-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-46, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1210", "score": 32, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-46, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1212", "score": 24, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1213.003", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, IA-2, IA-9, RA-5, SA-10, SA-11, SA-15, SA-3, SA-8, SI-2"}, {"techniqueID": "T1218", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1489", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SI-4"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, RA-9, SA-10, SA-11, SI-2, SI-7"}, {"techniqueID": 
"T1505.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-7"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-8, RA-5, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1543.001", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-2, CM-5, IA-2"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-2, CM-5, IA-2"}, {"techniqueID": "T1543.004", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-2, CM-5, IA-2"}, {"techniqueID": "T1546.003", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, SI-14, SI-3, SI-4"}, {"techniqueID": "T1547.006", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-4, IA-8, RA-5, SI-10, SI-14, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to 
AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-2, SI-4"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SI-2"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to AC-2, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-4"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to AC-2, AC-5, AC-6, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SI-2, SI-4"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5"}, {"techniqueID": "T1559", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-10, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1559.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, SC-18, SC-3, SC-7, SI-3"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.001", "score": 13, 
"comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.006", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-10, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, SC-23, SC-8, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.009", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-10, CM-5, CM-6, CM-7, IA-2, IA-9, SC-23, SC-8, SI-7"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-6, CM-8, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.008", "score": 16, "comment": 
"Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1601", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1601.001", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1601.002", "score": 26, 
"comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1606", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, SC-17, SI-2"}, {"techniqueID": "T1606.001", "score": 4, "comment": "Related to AC-2, AC-3, AC-6, SI-2"}, {"techniqueID": "T1606.002", "score": 3, "comment": "Related to AC-2, AC-3, AC-6"}, {"techniqueID": "T1611", "score": 20, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-18, SC-2, SC-3, SC-34, SC-39, SC-7, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to AC-20, AC-3, AC-4, AC-5, AC-6, CM-2, CM-6, SA-11, SA-17, SA-4, SA-8, SC-3"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to AC-20, AC-3, AC-6, MP-7, SC-41"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to AC-20, AC-3, AC-6, CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1048.001", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to AC-3, AC-6, CA-7, SC-18, SC-7, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, 
SC-23, SC-31, SC-37, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to AC-3, CA-7, CM-2, CM-7, SC-4, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to AC-3, CM-2, CM-6, CM-7, CM-8, RA-5, SC-12, SI-3, SI-4"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1199", "score": 8, "comment": "Related to AC-3, AC-4, AC-6, AC-8, CM-6, CM-7, SC-46, SC-7"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1218.002", "score": 11, "comment": "Related to AC-3, CA-7, CM-11, CM-2, CM-6, CM-7, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.012", "score": 16, "comment": "Related to AC-3, AC-4, CA-7, CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-10, SI-15, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-6, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-7, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491", 
"score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to AC-3, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, RA-5, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-10, CM-2, CM-6, IA-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-46, SC-7, SC-8, 
SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565.003", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, CP-9, SC-28, SC-4, SC-46, SC-7, SI-16, SI-4"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1046", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-46, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, 
SI-3, SI-4"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to AC-4, AC-6, CA-7, CM-2, CM-6, CM-8, SA-22, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1203", "score": 15, "comment": "Related to AC-4, AC-6, CA-7, CM-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-44, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, 
SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.003", "score": 18, "comment": "Related to AC-4, CA-7, CA-8, CM-2, CM-6, CM-7, RA-5, SC-44, SC-7, SI-2, SI-3, SI-4, SI-7, SI-8, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1211", "score": 23, "comment": "Related to AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to AC-4, CA-8, CM-6, CM-7, RA-5, SA-17, SA-8, SC-46, SC-7"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to AC-4, AC-6, CM-10, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1564.008", "score": 8, "comment": "Related to AC-4, CM-3, CM-5, CM-7, IR-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.001", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573", "score": 11, 
"comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1106", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, CM-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to AC-6, CM-7"}, {"techniqueID": 
"T1137.001", "score": 10, "comment": "Related to AC-6, CM-2, CM-6, CM-8, RA-5, SC-18, SC-44, SI-3, SI-4, SI-8"}, {"techniqueID": "T1137.003", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SC-44, SI-2, SI-8"}, {"techniqueID": "T1137.004", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SC-44, SI-2, SI-8"}, {"techniqueID": "T1137.005", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SC-44, SI-2, SI-8"}, {"techniqueID": "T1137.006", "score": 6, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SC-44, SI-8"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, RA-5, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to AC-6, SI-2"}, {"techniqueID": "T1553", "score": 19, "comment": "Related to AC-6, CA-8, CM-10, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, IA-9, RA-9, SA-10, SA-11, SC-34, SI-10, SI-2, SI-4, SI-7"}, {"techniqueID": "T1553.006", "score": 13, "comment": "Related to AC-6, CA-8, CM-3, CM-5, CM-7, CM-8, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to AC-6, CM-5"}, {"techniqueID": "T1195", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.001", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.002", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1036.007", "score": 6, "comment": "Related to CA-7, CM-2, CM-6, CM-7, IA-2, SI-4"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to CA-7, SI-10, 
SI-4, SI-7"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to CA-8, CM-3, CM-5, CM-8, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1505.001", "score": 14, "comment": "Related to CA-8, CM-11, CM-2, CM-6, CM-8, RA-5, SA-10, SA-11, SI-14, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1554", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, IA-9, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, CM-7, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, IA-9, SC-20, SI-4"}, {"techniqueID": "T1218.001", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, SC-18, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.003", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.004", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.005", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.008", 
"score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.009", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.013", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.014", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.009", "score": 13, "comment": "Related to CM-11, CM-2, CM-6, CM-7, SA-10, SC-4, SC-44, SC-6, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to CM-2, CM-6, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to CM-2, CM-6, IA-9, SI-4, SI-7"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SI-3, SI-4"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-4"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.006", "score": 14, "comment": "Related to CM-2, CM-6, CM-7, CM-8, IA-9, SI-10, SI-2, SI-3, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1546.010", "score": 5, "comment": "Related to CM-2, 
CM-7, SI-10, SI-2, SI-7"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to CM-2, CM-6, RA-5, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to CM-2, CM-6, CM-7, IA-5, SI-4"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to CM-2, CM-6, IA-2, IA-5, SI-2, SI-4"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to CM-2, CM-6, CM-7, SI-4"}, {"techniqueID": "T1562.010", "score": 4, "comment": "Related to CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to CM-2, CM-6, CM-8, SI-4"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to CM-6, CM-7, SC-28, SI-4"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related 
to CM-6, CM-7, SI-4"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to CM-6, CM-7, SI-10, SI-7"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SI-2"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to SC-23"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to SC-23, SC-8, SI-7"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to SC-8"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings.yaml b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings.yaml index ff969064..9849e012 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings.yaml @@ -1,7 +1,7 @@ attack-objects: - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Policy and Procedures + capability-id: AC-1 comments: '' mapping-description: '' mapping-type: mitigates @@ -9,7 +9,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Policy and Procedures + capability-id: AC-1 comments: '' mapping-description: '' mapping-type: mitigates @@ -17,7 +17,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25,7 +25,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -33,7 +33,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -41,7 +41,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -49,7 +49,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -57,7 +57,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -65,7 +65,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -73,7 +73,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -81,7 +81,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -89,7 +89,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -97,7 +97,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -105,7 +105,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Permitted Actions Without Identification Or Authentication + capability-id: AC-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -113,7 +113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -121,7 +121,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -129,7 +129,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -137,7 +137,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -145,7 +145,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -153,7 +153,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -161,7 +161,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -169,7 +169,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -177,7 +177,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -185,7 +185,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -193,7 +193,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -201,7 +201,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -209,7 +209,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -217,7 +217,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -225,7 +225,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -233,7 +233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -241,7 +241,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -249,7 +249,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -257,7 +257,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -265,7 +265,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -273,7 +273,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -281,7 +281,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -289,7 +289,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -297,7 +297,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -305,7 +305,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -313,7 +313,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -321,7 +321,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -329,7 +329,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -337,7 +337,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -345,7 +345,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -353,7 +353,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -361,7 +361,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -369,7 +369,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -377,7 +377,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -385,7 +385,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -393,7 +393,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -401,7 +401,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -409,7 +409,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -417,7 +417,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -425,7 +425,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -433,7 +433,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -441,7 +441,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -449,7 +449,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -457,7 +457,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -465,7 +465,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -473,7 +473,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -481,7 +481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -489,7 +489,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -497,7 +497,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -505,7 +505,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -513,7 +513,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -521,7 +521,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -529,7 +529,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -537,7 +537,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -545,7 +545,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -553,7 +553,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -561,7 +561,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -569,7 +569,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -577,7 +577,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -585,7 +585,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -593,7 +593,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -601,7 +601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -609,7 +609,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -617,7 +617,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -625,7 +625,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -633,7 +633,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -641,7 +641,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -649,7 +649,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -657,7 +657,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -665,7 +665,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -673,7 +673,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -681,7 +681,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -689,7 +689,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -697,7 +697,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -705,7 +705,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -713,7 +713,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -721,7 +721,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -729,7 +729,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -737,7 +737,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -745,7 +745,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -753,7 +753,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -761,7 +761,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -769,7 +769,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -777,7 +777,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -785,7 +785,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -793,7 +793,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -801,7 +801,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -809,7 +809,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -817,7 +817,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -825,7 +825,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -833,7 +833,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -841,7 +841,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -849,7 +849,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -857,7 +857,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -865,7 +865,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -873,7 +873,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -881,7 +881,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -889,7 +889,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -897,7 +897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -905,7 +905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -913,7 +913,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -921,7 +921,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -929,7 +929,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -937,7 +937,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -945,7 +945,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -953,7 +953,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -961,7 +961,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -969,7 +969,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -977,7 +977,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -985,7 +985,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -993,7 +993,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1001,7 +1001,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1009,7 +1009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1017,7 +1017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1025,7 +1025,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1033,7 +1033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1041,7 +1041,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1049,7 +1049,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1057,7 +1057,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1065,7 +1065,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1073,7 +1073,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1081,7 +1081,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1089,7 +1089,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1097,7 +1097,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1105,7 +1105,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1113,7 +1113,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1121,7 +1121,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1129,7 +1129,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1137,7 +1137,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1145,7 +1145,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1153,7 +1153,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1161,7 +1161,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1169,7 +1169,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1177,7 +1177,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1185,7 +1185,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1193,7 +1193,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1201,7 +1201,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1209,7 +1209,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1217,7 +1217,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1225,7 +1225,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1233,7 +1233,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1241,7 +1241,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1249,7 +1249,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1257,7 +1257,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1265,7 +1265,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1273,7 +1273,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1281,7 +1281,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1289,7 +1289,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1297,7 +1297,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1305,7 +1305,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1313,7 +1313,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1321,7 +1321,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1329,7 +1329,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1337,7 +1337,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1345,7 +1345,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1353,7 +1353,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1361,7 +1361,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1369,7 +1369,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1377,7 +1377,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1385,7 +1385,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1393,7 +1393,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1401,7 +1401,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1409,7 +1409,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1417,7 +1417,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1425,7 +1425,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1433,7 +1433,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1441,7 +1441,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1449,7 +1449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1457,7 +1457,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1465,7 +1465,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1473,7 +1473,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1481,7 +1481,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1489,7 +1489,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1497,7 +1497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1505,7 +1505,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1513,7 +1513,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1521,7 +1521,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1529,7 +1529,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1537,7 +1537,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1545,7 +1545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.005 attack-object-name: Reversible Encryption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1553,7 +1553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1561,7 +1561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1569,7 +1569,7 @@ attack-objects: tags: [] - attack-object-id: T1585.003 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1577,7 +1577,7 @@ attack-objects: tags: [] - attack-object-id: T1586.003 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1585,7 +1585,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1593,7 +1593,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1601,7 +1601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1609,7 +1609,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1617,7 +1617,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1625,7 +1625,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1633,7 +1633,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1641,7 +1641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1649,7 +1649,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1657,7 +1657,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1665,7 +1665,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1673,7 +1673,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1681,7 +1681,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1689,7 +1689,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1697,7 +1697,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1705,7 +1705,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1713,7 +1713,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1721,7 +1721,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1729,7 +1729,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1737,7 +1737,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1745,7 +1745,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1753,7 +1753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1761,7 +1761,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1769,7 +1769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1777,7 +1777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1785,7 +1785,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1793,7 +1793,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1801,7 +1801,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1809,7 +1809,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1817,7 +1817,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1825,7 +1825,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1833,7 +1833,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1841,7 +1841,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1849,7 +1849,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1857,7 +1857,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1865,7 +1865,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1873,7 +1873,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1881,7 +1881,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1889,7 +1889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1897,7 +1897,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1905,7 +1905,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1913,7 +1913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1921,7 +1921,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1929,7 +1929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1937,7 +1937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1945,7 +1945,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1953,7 +1953,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1961,7 +1961,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1969,7 +1969,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1977,7 +1977,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1985,7 +1985,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1993,7 +1993,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2001,7 +2001,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2009,7 +2009,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2017,7 +2017,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2025,7 +2025,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2033,7 +2033,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2041,7 +2041,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2049,7 +2049,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2057,7 +2057,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2065,7 +2065,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2073,7 +2073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2081,7 +2081,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2089,7 +2089,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2097,7 +2097,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2105,7 +2105,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2113,7 +2113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2121,7 +2121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2129,7 +2129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2137,7 +2137,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2145,7 +2145,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2153,7 +2153,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2161,7 +2161,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2169,7 +2169,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2177,7 +2177,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2185,7 +2185,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2193,7 +2193,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2201,7 +2201,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2209,7 +2209,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2217,7 +2217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2225,7 +2225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2233,7 +2233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2241,7 +2241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2249,7 +2249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2257,7 +2257,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2265,7 +2265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2273,7 +2273,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2281,7 +2281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2289,7 +2289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2297,7 +2297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2305,7 +2305,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2313,7 +2313,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2321,7 +2321,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2329,7 +2329,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2337,7 +2337,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2345,7 +2345,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2353,7 +2353,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2361,7 +2361,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2369,7 +2369,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2377,7 +2377,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2385,7 +2385,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2393,7 +2393,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2401,7 +2401,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2409,7 +2409,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2417,7 +2417,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2425,7 +2425,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2433,7 +2433,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2441,7 +2441,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2449,7 +2449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2457,7 +2457,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2465,7 +2465,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2473,7 +2473,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2481,7 +2481,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2489,7 +2489,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2497,7 +2497,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2505,7 +2505,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2513,7 +2513,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2521,7 +2521,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2529,7 +2529,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2537,7 +2537,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2545,7 +2545,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2553,7 +2553,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2561,7 +2561,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2569,7 +2569,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2577,7 +2577,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2585,7 +2585,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2593,7 +2593,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2601,7 +2601,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2609,7 +2609,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2617,7 +2617,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2625,7 +2625,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2633,7 +2633,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2641,7 +2641,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2649,7 +2649,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2657,7 +2657,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2665,7 +2665,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2673,7 +2673,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2681,7 +2681,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2689,7 +2689,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2697,7 +2697,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2705,7 +2705,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2713,7 +2713,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2721,7 +2721,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2729,7 +2729,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2737,7 +2737,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2745,7 +2745,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2753,7 +2753,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2761,7 +2761,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2769,7 +2769,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2777,7 +2777,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2785,7 +2785,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2793,7 +2793,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2801,7 +2801,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2809,7 +2809,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2817,7 +2817,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2825,7 +2825,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2833,7 +2833,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2841,7 +2841,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2849,7 +2849,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2857,7 +2857,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2865,7 +2865,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2873,7 +2873,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2881,7 +2881,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2889,7 +2889,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2897,7 +2897,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2905,7 +2905,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2913,7 +2913,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2921,7 +2921,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2929,7 +2929,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2937,7 +2937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2945,7 +2945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2953,7 +2953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2961,7 +2961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2969,7 +2969,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2977,7 +2977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2985,7 +2985,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2993,7 +2993,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3001,7 +3001,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3009,7 +3009,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3017,7 +3017,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3025,7 +3025,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3033,7 +3033,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3041,7 +3041,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3049,7 +3049,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3057,7 +3057,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3065,7 +3065,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3073,7 +3073,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3081,7 +3081,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3089,7 +3089,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3097,7 +3097,7 @@ attack-objects: tags: [] - attack-object-id: T1583.007 attack-object-name: Serverless - capability-id: Use of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3105,7 +3105,7 @@ attack-objects: tags: [] - attack-object-id: T1584.007 attack-object-name: Serverless - capability-id: Use of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3113,7 +3113,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3121,7 +3121,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3129,7 +3129,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3137,7 +3137,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3145,7 +3145,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3153,7 +3153,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3161,7 +3161,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3169,7 +3169,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3177,7 +3177,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3185,7 +3185,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3193,7 +3193,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3201,7 +3201,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3209,7 +3209,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3217,7 +3217,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3225,7 +3225,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3233,7 +3233,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3241,7 +3241,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3249,7 +3249,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3257,7 +3257,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3265,7 +3265,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3273,7 +3273,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3281,7 +3281,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3289,7 +3289,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3297,7 +3297,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3305,7 +3305,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3313,7 +3313,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3321,7 +3321,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3329,7 +3329,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3337,7 +3337,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3345,7 +3345,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3353,7 +3353,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3361,7 +3361,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3369,7 +3369,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3377,7 +3377,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3385,7 +3385,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3393,7 +3393,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3401,7 +3401,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3409,7 +3409,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3417,7 +3417,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3425,7 +3425,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3433,7 +3433,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3441,7 +3441,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3449,7 +3449,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3457,7 +3457,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3465,7 +3465,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3473,7 +3473,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3481,7 +3481,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3489,7 +3489,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3497,7 +3497,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3505,7 +3505,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3513,7 +3513,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3521,7 +3521,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3529,7 +3529,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3537,7 +3537,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3545,7 +3545,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3553,7 +3553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3561,7 +3561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3569,7 +3569,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3577,7 +3577,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3585,7 +3585,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3593,7 +3593,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3601,7 +3601,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3609,7 +3609,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3617,7 +3617,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3625,7 +3625,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3633,7 +3633,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3641,7 +3641,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3649,7 +3649,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -3657,7 +3657,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -3665,7 +3665,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -3673,7 +3673,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3681,7 +3681,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3689,7 +3689,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3697,7 +3697,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3705,7 +3705,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3713,7 +3713,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3721,7 +3721,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3729,7 +3729,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3737,7 +3737,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3745,7 +3745,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3753,7 +3753,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3761,7 +3761,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3769,7 +3769,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3777,7 +3777,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3785,7 +3785,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3793,7 +3793,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3801,7 +3801,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3809,7 +3809,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates @@ -3817,7 +3817,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates @@ -3825,7 +3825,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3833,7 +3833,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3841,7 +3841,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3849,7 +3849,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3857,7 +3857,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3865,7 +3865,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3873,7 +3873,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3881,7 +3881,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3889,7 +3889,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3897,7 +3897,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3905,7 +3905,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3913,7 +3913,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3921,7 +3921,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3929,7 +3929,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3937,7 +3937,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3945,7 +3945,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3953,7 +3953,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3961,7 +3961,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3969,7 +3969,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3977,7 +3977,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3985,7 +3985,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3993,7 +3993,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4001,7 +4001,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4009,7 +4009,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4017,7 +4017,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4025,7 +4025,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4033,7 +4033,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4041,7 +4041,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4049,7 +4049,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4057,7 +4057,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4065,7 +4065,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4073,7 +4073,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4081,7 +4081,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4089,7 +4089,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4097,7 +4097,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4105,7 +4105,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4113,7 +4113,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4121,7 +4121,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4129,7 +4129,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4137,7 +4137,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4145,7 +4145,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4153,7 +4153,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4161,7 +4161,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4169,7 +4169,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4177,7 +4177,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4185,7 +4185,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4193,7 +4193,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4201,7 +4201,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4209,7 +4209,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4217,7 +4217,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4225,7 +4225,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4233,7 +4233,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4241,7 +4241,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4249,7 +4249,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4257,7 +4257,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4265,7 +4265,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4273,7 +4273,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4281,7 +4281,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4289,7 +4289,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4297,7 +4297,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4305,7 +4305,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4313,7 +4313,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4321,7 +4321,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4329,7 +4329,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4337,7 +4337,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4345,7 +4345,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4353,7 +4353,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4361,7 +4361,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4369,7 +4369,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4377,7 +4377,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4385,7 +4385,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4393,7 +4393,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4401,7 +4401,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4409,7 +4409,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4417,7 +4417,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4425,7 +4425,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4433,7 +4433,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4441,7 +4441,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4449,7 +4449,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4457,7 +4457,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4465,7 +4465,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4473,7 +4473,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4481,7 +4481,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4489,7 +4489,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4497,7 +4497,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4505,7 +4505,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4513,7 +4513,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4521,7 +4521,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4529,7 +4529,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4537,7 +4537,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4545,7 +4545,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4553,7 +4553,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4561,7 +4561,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4569,7 +4569,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4577,7 +4577,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4585,7 +4585,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4593,7 +4593,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4601,7 +4601,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4609,7 +4609,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4617,7 +4617,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4625,7 +4625,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4633,7 +4633,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4641,7 +4641,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4649,7 +4649,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4657,7 +4657,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4665,7 +4665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4673,7 +4673,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4681,7 +4681,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4689,7 +4689,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4697,7 +4697,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4705,7 +4705,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4713,7 +4713,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4721,7 +4721,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4729,7 +4729,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4737,7 +4737,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4745,7 +4745,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4753,7 +4753,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4761,7 +4761,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4769,7 +4769,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4777,7 +4777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4785,7 +4785,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4793,7 +4793,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4801,7 +4801,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4809,7 +4809,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4817,7 +4817,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4825,7 +4825,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4833,7 +4833,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4841,7 +4841,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4849,7 +4849,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4857,7 +4857,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4865,7 +4865,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4873,7 +4873,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4881,7 +4881,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4889,7 +4889,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4897,7 +4897,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4905,7 +4905,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4913,7 +4913,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4921,7 +4921,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4929,7 +4929,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4937,7 +4937,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4945,7 +4945,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4953,7 +4953,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4961,7 +4961,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4969,7 +4969,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4977,7 +4977,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4985,7 +4985,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4993,7 +4993,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5001,7 +5001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5009,7 +5009,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5017,7 +5017,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5025,7 +5025,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5033,7 +5033,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5041,7 +5041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5049,7 +5049,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5057,7 +5057,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5065,7 +5065,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5073,7 +5073,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5081,7 +5081,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5089,7 +5089,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5097,7 +5097,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5105,7 +5105,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5113,7 +5113,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5121,7 +5121,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5129,7 +5129,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5137,7 +5137,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5145,7 +5145,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5153,7 +5153,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5161,7 +5161,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5169,7 +5169,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5177,7 +5177,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5185,7 +5185,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5193,7 +5193,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5201,7 +5201,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5209,7 +5209,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5217,7 +5217,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5225,7 +5225,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5233,7 +5233,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5241,7 +5241,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5249,7 +5249,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5257,7 +5257,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5265,7 +5265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5273,7 +5273,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5281,7 +5281,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5289,7 +5289,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5297,7 +5297,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5305,7 +5305,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5313,7 +5313,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5321,7 +5321,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5329,7 +5329,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5337,7 +5337,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5345,7 +5345,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5353,7 +5353,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5361,7 +5361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5369,7 +5369,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5377,7 +5377,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5385,7 +5385,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5393,7 +5393,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5401,7 +5401,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5409,7 +5409,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5417,7 +5417,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5425,7 +5425,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5433,7 +5433,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5441,7 +5441,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5449,7 +5449,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5457,7 +5457,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5465,7 +5465,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5473,7 +5473,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5481,7 +5481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5489,7 +5489,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5497,7 +5497,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5505,7 +5505,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5513,7 +5513,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5521,7 +5521,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5529,7 +5529,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5537,7 +5537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5545,7 +5545,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5553,7 +5553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5561,7 +5561,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5569,7 +5569,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5577,7 +5577,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5585,7 +5585,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5593,7 +5593,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5601,7 +5601,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5609,7 +5609,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5617,7 +5617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5625,7 +5625,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5633,7 +5633,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5641,7 +5641,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5649,7 +5649,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5657,7 +5657,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5665,7 +5665,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5673,7 +5673,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5681,7 +5681,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5689,7 +5689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5697,7 +5697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5705,7 +5705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5713,7 +5713,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5721,7 +5721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5729,7 +5729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5737,7 +5737,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5745,7 +5745,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5753,7 +5753,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5761,7 +5761,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5769,7 +5769,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5777,7 +5777,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5785,7 +5785,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5793,7 +5793,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5801,7 +5801,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5809,7 +5809,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5817,7 +5817,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5825,7 +5825,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5833,7 +5833,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5841,7 +5841,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5849,7 +5849,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5857,7 +5857,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5865,7 +5865,7 @@ attack-objects: tags: [] - attack-object-id: T1205.002 attack-object-name: Socket Filters - capability-id: Information Flow Enforncement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5873,7 +5873,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5881,7 +5881,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5889,7 +5889,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5897,7 +5897,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5905,7 +5905,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5913,7 +5913,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5921,7 +5921,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5929,7 +5929,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5937,7 +5937,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5945,7 +5945,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5953,7 +5953,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5961,7 +5961,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5969,7 +5969,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5977,7 +5977,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5985,7 +5985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5993,7 +5993,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6001,7 +6001,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6009,7 +6009,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6017,7 +6017,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6025,7 +6025,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6033,7 +6033,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6041,7 +6041,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6049,7 +6049,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6057,7 +6057,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6065,7 +6065,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6073,7 +6073,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6081,7 +6081,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6089,7 +6089,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6097,7 +6097,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6105,7 +6105,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6113,7 +6113,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6121,7 +6121,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6129,7 +6129,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6137,7 +6137,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6145,7 +6145,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6153,7 +6153,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6161,7 +6161,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6169,7 +6169,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6177,7 +6177,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6185,7 +6185,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6193,7 +6193,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6201,7 +6201,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6209,7 +6209,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6217,7 +6217,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6225,7 +6225,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6233,7 +6233,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6241,7 +6241,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6249,7 +6249,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6257,7 +6257,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6265,7 +6265,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6273,7 +6273,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6281,7 +6281,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6289,7 +6289,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6297,7 +6297,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6305,7 +6305,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6313,7 +6313,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6321,7 +6321,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6329,7 +6329,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6337,7 +6337,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6345,7 +6345,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6353,7 +6353,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6361,7 +6361,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6369,7 +6369,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6377,7 +6377,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6385,7 +6385,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6393,7 +6393,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6401,7 +6401,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6409,7 +6409,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6417,7 +6417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6425,7 +6425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6433,7 +6433,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6441,7 +6441,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6449,7 +6449,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6457,7 +6457,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6465,7 +6465,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6473,7 +6473,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6481,7 +6481,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6489,7 +6489,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6497,7 +6497,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6505,7 +6505,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6513,7 +6513,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6521,7 +6521,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6529,7 +6529,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6537,7 +6537,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6545,7 +6545,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6553,7 +6553,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6561,7 +6561,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6569,7 +6569,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6577,7 +6577,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6585,7 +6585,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6593,7 +6593,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6601,7 +6601,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6609,7 +6609,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6617,7 +6617,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6625,7 +6625,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6633,7 +6633,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6641,7 +6641,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6649,7 +6649,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6657,7 +6657,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6665,7 +6665,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6673,7 +6673,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6681,7 +6681,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6689,7 +6689,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6697,7 +6697,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6705,7 +6705,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6713,7 +6713,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6721,7 +6721,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6729,7 +6729,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6737,7 +6737,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6745,7 +6745,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6753,7 +6753,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6761,7 +6761,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6769,7 +6769,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6777,7 +6777,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6785,7 +6785,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6793,7 +6793,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6801,7 +6801,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6809,7 +6809,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6817,7 +6817,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6825,7 +6825,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6833,7 +6833,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6841,7 +6841,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6849,7 +6849,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6857,7 +6857,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6865,7 +6865,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6873,7 +6873,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6881,7 +6881,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6889,7 +6889,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6897,7 +6897,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6905,7 +6905,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6913,7 +6913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6921,7 +6921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6929,7 +6929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6937,7 +6937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6945,7 +6945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6953,7 +6953,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6961,7 +6961,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6969,7 +6969,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6977,7 +6977,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6985,7 +6985,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6993,7 +6993,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -7001,7 +7001,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -7009,7 +7009,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -7017,7 +7017,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -7025,7 +7025,7 @@ attack-objects: tags: [] - attack-object-id: T1556.005 attack-object-name: Reversible Encryption - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7033,7 +7033,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7041,7 +7041,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7049,7 +7049,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7057,7 +7057,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7065,7 +7065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7073,7 +7073,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7081,7 +7081,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7089,7 +7089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7097,7 +7097,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7105,7 +7105,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7113,7 +7113,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7121,7 +7121,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7129,7 +7129,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7137,7 +7137,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7145,7 +7145,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7153,7 +7153,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7161,7 +7161,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7169,7 +7169,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7177,7 +7177,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7185,7 +7185,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7193,7 +7193,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7201,7 +7201,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7209,7 +7209,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7217,7 +7217,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7225,7 +7225,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7233,7 +7233,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7241,7 +7241,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7249,7 +7249,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7257,7 +7257,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7265,7 +7265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7273,7 +7273,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7281,7 +7281,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7289,7 +7289,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7297,7 +7297,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7305,7 +7305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7313,7 +7313,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7321,7 +7321,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7329,7 +7329,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7337,7 +7337,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7345,7 +7345,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7353,7 +7353,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7361,7 +7361,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7369,7 +7369,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7377,7 +7377,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7385,7 +7385,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7393,7 +7393,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7401,7 +7401,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7409,7 +7409,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7417,7 +7417,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7425,7 +7425,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7433,7 +7433,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7441,7 +7441,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7449,7 +7449,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7457,7 +7457,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7465,7 +7465,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7473,7 +7473,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7481,7 +7481,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7489,7 +7489,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7497,7 +7497,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7505,7 +7505,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7513,7 +7513,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7521,7 +7521,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7529,7 +7529,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7537,7 +7537,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7545,7 +7545,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7553,7 +7553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7561,7 +7561,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7569,7 +7569,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7577,7 +7577,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7585,7 +7585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7593,7 +7593,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7601,7 +7601,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7609,7 +7609,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7617,7 +7617,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7625,7 +7625,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7633,7 +7633,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7641,7 +7641,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7649,7 +7649,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7657,7 +7657,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7665,7 +7665,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7673,7 +7673,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7681,7 +7681,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7689,7 +7689,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7697,7 +7697,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7705,7 +7705,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7713,7 +7713,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7721,7 +7721,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7729,7 +7729,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7737,7 +7737,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7745,7 +7745,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7753,7 +7753,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7761,7 +7761,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7769,7 +7769,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7777,7 +7777,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7785,7 +7785,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7793,7 +7793,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7801,7 +7801,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7809,7 +7809,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7817,7 +7817,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7825,7 +7825,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7833,7 +7833,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7841,7 +7841,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7849,7 +7849,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7857,7 +7857,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7865,7 +7865,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7873,7 +7873,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7881,7 +7881,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7889,7 +7889,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7897,7 +7897,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7905,7 +7905,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7913,7 +7913,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7921,7 +7921,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7929,7 +7929,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7937,7 +7937,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7945,7 +7945,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7953,7 +7953,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7961,7 +7961,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7969,7 +7969,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7977,7 +7977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7985,7 +7985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7993,7 +7993,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8001,7 +8001,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8009,7 +8009,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8017,7 +8017,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8025,7 +8025,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8033,7 +8033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8041,7 +8041,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8049,7 +8049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8057,7 +8057,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8065,7 +8065,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8073,7 +8073,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8081,7 +8081,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8089,7 +8089,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8097,7 +8097,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8105,7 +8105,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8113,7 +8113,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8121,7 +8121,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8129,7 +8129,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8137,7 +8137,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8145,7 +8145,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8153,7 +8153,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8161,7 +8161,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8169,7 +8169,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8177,7 +8177,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8185,7 +8185,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8193,7 +8193,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8201,7 +8201,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8209,7 +8209,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8217,7 +8217,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8225,7 +8225,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8233,7 +8233,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8241,7 +8241,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8249,7 +8249,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8257,7 +8257,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8265,7 +8265,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8273,7 +8273,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8281,7 +8281,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8289,7 +8289,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8297,7 +8297,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8305,7 +8305,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8313,7 +8313,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8321,7 +8321,7 @@ attack-objects: tags: [] - attack-object-id: T1556.005 attack-object-name: Reversible Encryption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8329,7 +8329,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8337,7 +8337,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8345,7 +8345,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8353,7 +8353,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8361,7 +8361,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8369,7 +8369,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8377,7 +8377,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8385,7 +8385,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8393,7 +8393,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8401,7 +8401,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8409,7 +8409,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8417,7 +8417,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8425,7 +8425,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8433,7 +8433,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8441,7 +8441,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8449,7 +8449,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8457,7 +8457,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8465,7 +8465,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8473,7 +8473,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8481,7 +8481,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8489,7 +8489,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8497,7 +8497,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8505,7 +8505,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8513,7 +8513,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8521,7 +8521,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8529,7 +8529,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8537,7 +8537,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8545,7 +8545,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8553,7 +8553,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8561,7 +8561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8569,7 +8569,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8577,7 +8577,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8585,7 +8585,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8593,7 +8593,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8601,7 +8601,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8609,7 +8609,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8617,7 +8617,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8625,7 +8625,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8633,7 +8633,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8641,7 +8641,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8649,7 +8649,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8657,7 +8657,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8665,7 +8665,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8673,7 +8673,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8681,7 +8681,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8689,7 +8689,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8697,7 +8697,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8705,7 +8705,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8713,7 +8713,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8721,7 +8721,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8729,7 +8729,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8737,7 +8737,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8745,7 +8745,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8753,7 +8753,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8761,7 +8761,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8769,7 +8769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8777,7 +8777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8785,7 +8785,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8793,7 +8793,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8801,7 +8801,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8809,7 +8809,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8817,7 +8817,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8825,7 +8825,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8833,7 +8833,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8841,7 +8841,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8849,7 +8849,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8857,7 +8857,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8865,7 +8865,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8873,7 +8873,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8881,7 +8881,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8889,7 +8889,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8897,7 +8897,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8905,7 +8905,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8913,7 +8913,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8921,7 +8921,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8929,7 +8929,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8937,7 +8937,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8945,7 +8945,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8953,7 +8953,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8961,7 +8961,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8969,7 +8969,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8977,7 +8977,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8985,7 +8985,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8993,7 +8993,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9001,7 +9001,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9009,7 +9009,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9017,7 +9017,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9025,7 +9025,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9033,7 +9033,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9041,7 +9041,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9049,7 +9049,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9057,7 +9057,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9065,7 +9065,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9073,7 +9073,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9081,7 +9081,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9089,7 +9089,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9097,7 +9097,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9105,7 +9105,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9113,7 +9113,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9121,7 +9121,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9129,7 +9129,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9137,7 +9137,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9145,7 +9145,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9153,7 +9153,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9161,7 +9161,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9169,7 +9169,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9177,7 +9177,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9185,7 +9185,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9193,7 +9193,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9201,7 +9201,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9209,7 +9209,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9217,7 +9217,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9225,7 +9225,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9233,7 +9233,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9241,7 +9241,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9249,7 +9249,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9257,7 +9257,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9265,7 +9265,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9273,7 +9273,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9281,7 +9281,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9289,7 +9289,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9297,7 +9297,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9305,7 +9305,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9313,7 +9313,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9321,7 +9321,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9329,7 +9329,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9337,7 +9337,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9345,7 +9345,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9353,7 +9353,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9361,7 +9361,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9369,7 +9369,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9377,7 +9377,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9385,7 +9385,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9393,7 +9393,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9401,7 +9401,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9409,7 +9409,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9417,7 +9417,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9425,7 +9425,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9433,7 +9433,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9441,7 +9441,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9449,7 +9449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9457,7 +9457,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9465,7 +9465,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9473,7 +9473,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9481,7 +9481,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9489,7 +9489,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9497,7 +9497,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9505,7 +9505,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9513,7 +9513,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9521,7 +9521,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9529,7 +9529,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9537,7 +9537,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9545,7 +9545,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9553,7 +9553,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9561,7 +9561,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9569,7 +9569,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9577,7 +9577,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9585,7 +9585,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9593,7 +9593,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9601,7 +9601,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9609,7 +9609,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9617,7 +9617,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9625,7 +9625,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9633,7 +9633,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9641,7 +9641,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9649,7 +9649,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9657,7 +9657,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9665,7 +9665,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9673,7 +9673,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9681,7 +9681,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9689,7 +9689,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9697,7 +9697,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9705,7 +9705,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9713,7 +9713,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9721,7 +9721,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9729,7 +9729,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9737,7 +9737,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9745,7 +9745,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9753,7 +9753,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9761,7 +9761,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9769,7 +9769,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9777,7 +9777,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9785,7 +9785,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9793,7 +9793,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9801,7 +9801,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9809,7 +9809,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9817,7 +9817,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9825,7 +9825,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9833,7 +9833,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9841,7 +9841,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9849,7 +9849,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9857,7 +9857,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9865,7 +9865,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9873,7 +9873,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9881,7 +9881,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9889,7 +9889,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9897,7 +9897,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9905,7 +9905,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9913,7 +9913,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9921,7 +9921,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9929,7 +9929,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9937,7 +9937,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9945,7 +9945,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9953,7 +9953,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9961,7 +9961,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9969,7 +9969,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9977,7 +9977,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9985,7 +9985,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9993,7 +9993,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10001,7 +10001,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10009,7 +10009,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10017,7 +10017,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10025,7 +10025,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10033,7 +10033,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10041,7 +10041,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10049,7 +10049,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10057,7 +10057,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10065,7 +10065,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10073,7 +10073,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10081,7 +10081,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10089,7 +10089,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10097,7 +10097,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10105,7 +10105,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10113,7 +10113,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10121,7 +10121,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10129,7 +10129,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10137,7 +10137,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10145,7 +10145,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10153,7 +10153,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10161,7 +10161,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10169,7 +10169,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10177,7 +10177,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10185,7 +10185,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10193,7 +10193,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10201,7 +10201,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10209,7 +10209,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10217,7 +10217,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10225,7 +10225,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10233,7 +10233,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10241,7 +10241,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10249,7 +10249,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10257,7 +10257,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10265,7 +10265,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10273,7 +10273,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10281,7 +10281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10289,7 +10289,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10297,7 +10297,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10305,7 +10305,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10313,7 +10313,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10321,7 +10321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10329,7 +10329,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10337,7 +10337,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10345,7 +10345,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10353,7 +10353,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10361,7 +10361,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10369,7 +10369,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: System Use Notification + capability-id: AC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10377,7 +10377,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Policy and Procedures + capability-id: AU-1 comments: '' mapping-description: '' mapping-type: mitigates @@ -10385,7 +10385,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Policy and Procedures + capability-id: AU-1 comments: '' mapping-description: '' mapping-type: mitigates @@ -10393,7 +10393,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Event Logging + capability-id: AU-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10401,7 +10401,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Event Logging + capability-id: AU-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10409,7 +10409,7 @@ attack-objects: tags: [] - attack-object-id: T1593.003 attack-object-name: Code Repositories - capability-id: Response to Audit Processing Failure + capability-id: AU-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -10417,7 +10417,7 @@ attack-objects: tags: [] - attack-object-id: T1649 attack-object-name: Steal or Forge Authentication Certificates - capability-id: 'Audit Review, Analysis, and Reporting ' + capability-id: AU-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -10425,7 +10425,7 @@ attack-objects: tags: [] - attack-object-id: T1593.003 attack-object-name: Code Repositories - capability-id: Audit Review, Analysis, & Reporting + capability-id: AU-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10433,7 +10433,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates 
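Review bot: The new `capability-id: AU-5` for T1649 (hunk at -10417) looks like the wrong control. The replaced value was `'Audit Review, Analysis, and Reporting '` (note the trailing space), and the very next hunk maps the near-identical name `Audit Review, Analysis, & Reporting` to AU-6, while AU-5 is what the preceding entry's `Response to Audit Processing Failure` became. I would expect `capability-id: AU-6` here. If this fixture is produced by the parser rather than edited by hand, the likely cause is a name-to-ID lookup that does not normalise trailing whitespace or `and`/`&`; that is inferred, since the lookup code is not in view. Fixing it there keeps the expected output from pinning a technique to the wrong control in downstream coverage views.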
@@ -10441,7 +10441,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10449,7 +10449,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10457,7 +10457,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10465,7 +10465,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10473,7 +10473,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10481,7 +10481,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10489,7 +10489,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10497,7 +10497,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10505,7 +10505,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10513,7 +10513,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: System Interconnections + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10521,7 +10521,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10529,7 +10529,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10537,7 +10537,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10545,7 +10545,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10553,7 +10553,7 @@ attack-objects: tags: [] - attack-object-id: T1564.010 attack-object-name: Process Argument Spoofing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10561,7 +10561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10569,7 +10569,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10577,7 +10577,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10585,7 +10585,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10593,7 +10593,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10601,7 +10601,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10609,7 +10609,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10617,7 +10617,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10625,7 +10625,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10633,7 +10633,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10641,7 +10641,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10649,7 +10649,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10657,7 +10657,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10665,7 +10665,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10673,7 +10673,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10681,7 +10681,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10689,7 +10689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10697,7 +10697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10705,7 +10705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10713,7 +10713,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10721,7 +10721,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10729,7 +10729,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10737,7 +10737,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10745,7 +10745,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10753,7 +10753,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10761,7 +10761,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10769,7 +10769,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10777,7 +10777,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10785,7 +10785,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10793,7 +10793,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10801,7 +10801,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10809,7 +10809,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10817,7 +10817,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10825,7 +10825,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10833,7 +10833,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10841,7 +10841,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10849,7 +10849,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10857,7 +10857,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10865,7 +10865,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10873,7 +10873,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10881,7 +10881,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10889,7 +10889,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10897,7 +10897,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10905,7 +10905,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10913,7 +10913,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10921,7 +10921,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10929,7 +10929,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10937,7 +10937,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10945,7 +10945,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10953,7 +10953,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10961,7 +10961,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10969,7 +10969,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10977,7 +10977,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10985,7 +10985,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10993,7 +10993,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11001,7 +11001,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11009,7 +11009,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11017,7 +11017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11025,7 +11025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11033,7 +11033,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11041,7 +11041,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11049,7 +11049,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11057,7 +11057,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11065,7 +11065,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11073,7 +11073,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11081,7 +11081,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11089,7 +11089,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11097,7 +11097,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11105,7 +11105,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11113,7 +11113,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11121,7 +11121,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11129,7 +11129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11137,7 +11137,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11145,7 +11145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11153,7 +11153,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11161,7 +11161,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11169,7 +11169,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11177,7 +11177,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11185,7 +11185,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11193,7 +11193,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11201,7 +11201,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11209,7 +11209,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11217,7 +11217,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11225,7 +11225,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11233,7 +11233,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11241,7 +11241,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11249,7 +11249,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11257,7 +11257,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11265,7 +11265,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11273,7 +11273,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11281,7 +11281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11289,7 +11289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11297,7 +11297,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11305,7 +11305,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11313,7 +11313,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11321,7 +11321,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11329,7 +11329,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11337,7 +11337,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11345,7 +11345,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11353,7 +11353,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11361,7 +11361,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11369,7 +11369,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11377,7 +11377,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11385,7 +11385,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11393,7 +11393,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11401,7 +11401,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11409,7 +11409,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11417,7 +11417,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11425,7 +11425,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11433,7 +11433,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11441,7 +11441,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11449,7 +11449,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11457,7 +11457,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11465,7 +11465,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11473,7 +11473,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11481,7 +11481,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11489,7 +11489,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11497,7 +11497,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11505,7 +11505,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11513,7 +11513,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11521,7 +11521,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11529,7 +11529,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11537,7 +11537,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11545,7 +11545,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11553,7 +11553,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11561,7 +11561,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11569,7 +11569,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11577,7 +11577,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11585,7 +11585,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11593,7 +11593,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11601,7 +11601,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11609,7 +11609,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11617,7 +11617,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11625,7 +11625,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11633,7 +11633,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11641,7 +11641,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11649,7 +11649,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11657,7 +11657,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11665,7 +11665,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11673,7 +11673,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11681,7 +11681,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11689,7 +11689,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11697,7 +11697,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11705,7 +11705,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11713,7 +11713,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11721,7 +11721,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11729,7 +11729,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11737,7 +11737,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11745,7 +11745,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11753,7 +11753,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11761,7 +11761,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11769,7 +11769,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11777,7 +11777,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11785,7 +11785,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11793,7 +11793,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11801,7 +11801,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11809,7 +11809,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11817,7 +11817,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11825,7 +11825,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11833,7 +11833,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11841,7 +11841,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11849,7 +11849,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11857,7 +11857,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11865,7 +11865,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11873,7 +11873,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11881,7 +11881,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11889,7 +11889,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11897,7 +11897,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11905,7 +11905,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11913,7 +11913,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11921,7 +11921,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11929,7 +11929,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11937,7 +11937,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11945,7 +11945,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11953,7 +11953,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11961,7 +11961,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11969,7 +11969,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11977,7 +11977,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11985,7 +11985,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11993,7 +11993,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12001,7 +12001,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12009,7 +12009,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12017,7 +12017,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12025,7 +12025,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12033,7 +12033,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12041,7 +12041,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12049,7 +12049,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12057,7 +12057,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12065,7 +12065,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12073,7 +12073,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12081,7 +12081,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12089,7 +12089,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12097,7 +12097,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12105,7 +12105,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12113,7 +12113,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12121,7 +12121,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12129,7 +12129,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -12137,7 +12137,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12145,7 +12145,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12153,7 +12153,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12161,7 +12161,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12169,7 +12169,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12177,7 +12177,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12185,7 +12185,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12193,7 +12193,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12201,7 +12201,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12209,7 +12209,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12217,7 +12217,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12225,7 +12225,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12233,7 +12233,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12241,7 +12241,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12249,7 +12249,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12257,7 +12257,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12265,7 +12265,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12273,7 +12273,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12281,7 +12281,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12289,7 +12289,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12297,7 +12297,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12305,7 +12305,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12313,7 +12313,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12321,7 +12321,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12329,7 +12329,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12337,7 +12337,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12345,7 +12345,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12353,7 +12353,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12361,7 +12361,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12369,7 +12369,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12377,7 +12377,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12385,7 +12385,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12393,7 +12393,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12401,7 +12401,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12409,7 +12409,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12417,7 +12417,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12425,7 +12425,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12433,7 +12433,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12441,7 +12441,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12449,7 +12449,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12457,7 +12457,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12465,7 +12465,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12473,7 +12473,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12481,7 +12481,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12489,7 +12489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12497,7 +12497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12505,7 +12505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12513,7 +12513,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12521,7 +12521,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12529,7 +12529,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12537,7 +12537,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12545,7 +12545,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12553,7 +12553,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12561,7 +12561,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12569,7 +12569,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12577,7 +12577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12585,7 +12585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12593,7 +12593,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12601,7 +12601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12609,7 +12609,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12617,7 +12617,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12625,7 +12625,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12633,7 +12633,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12641,7 +12641,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12649,7 +12649,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12657,7 +12657,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12665,7 +12665,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12673,7 +12673,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12681,7 +12681,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12689,7 +12689,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12697,7 +12697,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12705,7 +12705,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12713,7 +12713,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12721,7 +12721,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12729,7 +12729,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12737,7 +12737,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12745,7 +12745,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12753,7 +12753,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12761,7 +12761,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12769,7 +12769,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12777,7 +12777,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12785,7 +12785,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12793,7 +12793,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12801,7 +12801,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12809,7 +12809,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12817,7 +12817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12825,7 +12825,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12833,7 +12833,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12841,7 +12841,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12849,7 +12849,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12857,7 +12857,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12865,7 +12865,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12873,7 +12873,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12881,7 +12881,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12889,7 +12889,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12897,7 +12897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12905,7 +12905,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12913,7 +12913,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12921,7 +12921,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12929,7 +12929,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12937,7 +12937,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12945,7 +12945,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12953,7 +12953,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12961,7 +12961,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12969,7 +12969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12977,7 +12977,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12985,7 +12985,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12993,7 +12993,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -13001,7 +13001,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13009,7 +13009,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13017,7 +13017,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13025,7 +13025,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13033,7 +13033,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13041,7 +13041,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13049,7 +13049,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13057,7 +13057,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13065,7 +13065,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13073,7 +13073,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13081,7 +13081,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13089,7 +13089,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13097,7 +13097,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13105,7 +13105,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13113,7 +13113,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13121,7 +13121,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13129,7 +13129,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13137,7 +13137,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13145,7 +13145,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13153,7 +13153,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13161,7 +13161,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13169,7 +13169,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13177,7 +13177,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13185,7 +13185,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13193,7 +13193,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13201,7 +13201,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13209,7 +13209,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13217,7 +13217,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13225,7 +13225,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13233,7 +13233,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13241,7 +13241,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13249,7 +13249,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13257,7 +13257,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13265,7 +13265,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13273,7 +13273,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13281,7 +13281,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13289,7 +13289,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13297,7 +13297,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13305,7 +13305,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13313,7 +13313,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13321,7 +13321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13329,7 +13329,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13337,7 +13337,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13345,7 +13345,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13353,7 +13353,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13361,7 +13361,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13369,7 +13369,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13377,7 +13377,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13385,7 +13385,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13393,7 +13393,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13401,7 +13401,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13409,7 +13409,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13417,7 +13417,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13425,7 +13425,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13433,7 +13433,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13441,7 +13441,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13449,7 +13449,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13457,7 +13457,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13465,7 +13465,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13473,7 +13473,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13481,7 +13481,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13489,7 +13489,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13497,7 +13497,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13505,7 +13505,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13513,7 +13513,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13521,7 +13521,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13529,7 +13529,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13537,7 +13537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13545,7 +13545,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13553,7 +13553,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13561,7 +13561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13569,7 +13569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13577,7 +13577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13585,7 +13585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13593,7 +13593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13601,7 +13601,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13609,7 +13609,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13617,7 +13617,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13625,7 +13625,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13633,7 +13633,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13641,7 +13641,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13649,7 +13649,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13657,7 +13657,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13665,7 +13665,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13673,7 +13673,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13681,7 +13681,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13689,7 +13689,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13697,7 +13697,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13705,7 +13705,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13713,7 +13713,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13721,7 +13721,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13729,7 +13729,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13737,7 +13737,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13745,7 +13745,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13753,7 +13753,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13761,7 +13761,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13769,7 +13769,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13777,7 +13777,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13785,7 +13785,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13793,7 +13793,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13801,7 +13801,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13809,7 +13809,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13817,7 +13817,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13825,7 +13825,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13833,7 +13833,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13841,7 +13841,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13849,7 +13849,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13857,7 +13857,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13865,7 +13865,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13873,7 +13873,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13881,7 +13881,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13889,7 +13889,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13897,7 +13897,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13905,7 +13905,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13913,7 +13913,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13921,7 +13921,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13929,7 +13929,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13937,7 +13937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13945,7 +13945,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13953,7 +13953,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13961,7 +13961,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13969,7 +13969,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13977,7 +13977,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13985,7 +13985,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13993,7 +13993,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14001,7 +14001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14009,7 +14009,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14017,7 +14017,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14025,7 +14025,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14033,7 +14033,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14041,7 +14041,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14049,7 +14049,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14057,7 +14057,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14065,7 +14065,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14073,7 +14073,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14081,7 +14081,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14089,7 +14089,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14097,7 +14097,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14105,7 +14105,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14113,7 +14113,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14121,7 +14121,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14129,7 +14129,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14137,7 +14137,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14145,7 +14145,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14153,7 +14153,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14161,7 +14161,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14169,7 +14169,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14177,7 +14177,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14185,7 +14185,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14193,7 +14193,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14201,7 +14201,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14209,7 +14209,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14217,7 +14217,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14225,7 +14225,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14233,7 +14233,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14241,7 +14241,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14249,7 +14249,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14257,7 +14257,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14265,7 +14265,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14273,7 +14273,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14281,7 +14281,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14289,7 +14289,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14297,7 +14297,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14305,7 +14305,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14313,7 +14313,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14321,7 +14321,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14329,7 +14329,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14337,7 +14337,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14345,7 +14345,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14353,7 +14353,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14361,7 +14361,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14369,7 +14369,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14377,7 +14377,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14385,7 +14385,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14393,7 +14393,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14401,7 +14401,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14409,7 +14409,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14417,7 +14417,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14425,7 +14425,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14433,7 +14433,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14441,7 +14441,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14449,7 +14449,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14457,7 +14457,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14465,7 +14465,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14473,7 +14473,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14481,7 +14481,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14489,7 +14489,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14497,7 +14497,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14505,7 +14505,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14513,7 +14513,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14521,7 +14521,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14529,7 +14529,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14537,7 +14537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14545,7 +14545,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14553,7 +14553,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14561,7 +14561,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14569,7 +14569,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14577,7 +14577,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14585,7 +14585,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14593,7 +14593,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14601,7 +14601,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14609,7 +14609,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14617,7 +14617,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14625,7 +14625,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14633,7 +14633,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14641,7 +14641,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14649,7 +14649,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14657,7 +14657,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14665,7 +14665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14673,7 +14673,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14681,7 +14681,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14689,7 +14689,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14697,7 +14697,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14705,7 +14705,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14713,7 +14713,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14721,7 +14721,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14729,7 +14729,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14737,7 +14737,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14745,7 +14745,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14753,7 +14753,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14761,7 +14761,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14769,7 +14769,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14777,7 +14777,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14785,7 +14785,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14793,7 +14793,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14801,7 +14801,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14809,7 +14809,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14817,7 +14817,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14825,7 +14825,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14833,7 +14833,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14841,7 +14841,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14849,7 +14849,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14857,7 +14857,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14865,7 +14865,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14873,7 +14873,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14881,7 +14881,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14889,7 +14889,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14897,7 +14897,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14905,7 +14905,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14913,7 +14913,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14921,7 +14921,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14929,7 +14929,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14937,7 +14937,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14945,7 +14945,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14953,7 +14953,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14961,7 +14961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14969,7 +14969,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14977,7 +14977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14985,7 +14985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14993,7 +14993,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15001,7 +15001,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15009,7 +15009,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15017,7 +15017,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15025,7 +15025,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15033,7 +15033,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15041,7 +15041,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15049,7 +15049,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15057,7 +15057,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15065,7 +15065,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -15073,7 +15073,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15081,7 +15081,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15089,7 +15089,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15097,7 +15097,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15105,7 +15105,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15113,7 +15113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15121,7 +15121,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15129,7 +15129,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15137,7 +15137,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15145,7 +15145,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15153,7 +15153,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15161,7 +15161,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15169,7 +15169,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15177,7 +15177,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15185,7 +15185,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15193,7 +15193,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15201,7 +15201,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15209,7 +15209,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15217,7 +15217,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15225,7 +15225,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15233,7 +15233,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15241,7 +15241,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15249,7 +15249,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15257,7 +15257,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15265,7 +15265,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: Access Restriction for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15273,7 +15273,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15281,7 +15281,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15289,7 +15289,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15297,7 +15297,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15305,7 +15305,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15313,7 +15313,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15321,7 +15321,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15329,7 +15329,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15337,7 +15337,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15345,7 +15345,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15353,7 +15353,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15361,7 +15361,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15369,7 +15369,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15377,7 +15377,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15385,7 +15385,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15393,7 +15393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15401,7 +15401,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15409,7 +15409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15417,7 +15417,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15425,7 +15425,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15433,7 +15433,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15441,7 +15441,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15449,7 +15449,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15457,7 +15457,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15465,7 +15465,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15473,7 +15473,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15481,7 +15481,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15489,7 +15489,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15497,7 +15497,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15505,7 +15505,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15513,7 +15513,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15521,7 +15521,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15529,7 +15529,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15537,7 +15537,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15545,7 +15545,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15553,7 +15553,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15561,7 +15561,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15569,7 +15569,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15577,7 +15577,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15585,7 +15585,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15593,7 +15593,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15601,7 +15601,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15609,7 +15609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15617,7 +15617,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15625,7 +15625,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15633,7 +15633,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15641,7 +15641,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15649,7 +15649,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15657,7 +15657,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15665,7 +15665,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15673,7 +15673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15681,7 +15681,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15689,7 +15689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15697,7 +15697,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15705,7 +15705,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15713,7 +15713,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15721,7 +15721,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15729,7 +15729,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15737,7 +15737,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15745,7 +15745,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15753,7 +15753,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15761,7 +15761,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15769,7 +15769,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15777,7 +15777,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15785,7 +15785,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15793,7 +15793,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15801,7 +15801,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15809,7 +15809,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15817,7 +15817,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15825,7 +15825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15833,7 +15833,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15841,7 +15841,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15849,7 +15849,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15857,7 +15857,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15865,7 +15865,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15873,7 +15873,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15881,7 +15881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15889,7 +15889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15897,7 +15897,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15905,7 +15905,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15913,7 +15913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15921,7 +15921,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15929,7 +15929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15937,7 +15937,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15945,7 +15945,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15953,7 +15953,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15961,7 +15961,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15969,7 +15969,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15977,7 +15977,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15985,7 +15985,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15993,7 +15993,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16001,7 +16001,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16009,7 +16009,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16017,7 +16017,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16025,7 +16025,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16033,7 +16033,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16041,7 +16041,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16049,7 +16049,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16057,7 +16057,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16065,7 +16065,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16073,7 +16073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16081,7 +16081,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16089,7 +16089,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16097,7 +16097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16105,7 +16105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16113,7 +16113,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16121,7 +16121,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16129,7 +16129,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16137,7 +16137,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16145,7 +16145,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16153,7 +16153,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16161,7 +16161,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16169,7 +16169,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16177,7 +16177,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16185,7 +16185,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16193,7 +16193,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16201,7 +16201,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16209,7 +16209,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16217,7 +16217,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16225,7 +16225,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16233,7 +16233,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16241,7 +16241,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16249,7 +16249,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16257,7 +16257,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16265,7 +16265,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16273,7 +16273,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16281,7 +16281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16289,7 +16289,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16297,7 +16297,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16305,7 +16305,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16313,7 +16313,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16321,7 +16321,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16329,7 +16329,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16337,7 +16337,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16345,7 +16345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16353,7 +16353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16361,7 +16361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16369,7 +16369,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16377,7 +16377,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16385,7 +16385,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16393,7 +16393,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16401,7 +16401,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16409,7 +16409,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16417,7 +16417,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16425,7 +16425,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16433,7 +16433,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16441,7 +16441,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16449,7 +16449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16457,7 +16457,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16465,7 +16465,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16473,7 +16473,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16481,7 +16481,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16489,7 +16489,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16497,7 +16497,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16505,7 +16505,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16513,7 +16513,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16521,7 +16521,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16529,7 +16529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16537,7 +16537,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16545,7 +16545,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16553,7 +16553,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16561,7 +16561,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16569,7 +16569,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16577,7 +16577,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16585,7 +16585,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16593,7 +16593,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16601,7 +16601,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16609,7 +16609,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16617,7 +16617,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16625,7 +16625,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16633,7 +16633,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16641,7 +16641,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16649,7 +16649,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16657,7 +16657,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16665,7 +16665,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16673,7 +16673,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16681,7 +16681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16689,7 +16689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16697,7 +16697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16705,7 +16705,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16713,7 +16713,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16721,7 +16721,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16729,7 +16729,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16737,7 +16737,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16745,7 +16745,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16753,7 +16753,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16761,7 +16761,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16769,7 +16769,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16777,7 +16777,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16785,7 +16785,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16793,7 +16793,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16801,7 +16801,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16809,7 +16809,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16817,7 +16817,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16825,7 +16825,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16833,7 +16833,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16841,7 +16841,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16849,7 +16849,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16857,7 +16857,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16865,7 +16865,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16873,7 +16873,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16881,7 +16881,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16889,7 +16889,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16897,7 +16897,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16905,7 +16905,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16913,7 +16913,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16921,7 +16921,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16929,7 +16929,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16937,7 +16937,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16945,7 +16945,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16953,7 +16953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16961,7 +16961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16969,7 +16969,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16977,7 +16977,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16985,7 +16985,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16993,7 +16993,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17001,7 +17001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17009,7 +17009,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17017,7 +17017,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17025,7 +17025,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17033,7 +17033,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17041,7 +17041,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17049,7 +17049,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17057,7 +17057,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17065,7 +17065,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17073,7 +17073,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17081,7 +17081,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17089,7 +17089,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17097,7 +17097,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17105,7 +17105,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17113,7 +17113,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17121,7 +17121,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17129,7 +17129,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17137,7 +17137,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17145,7 +17145,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17153,7 +17153,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17161,7 +17161,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17169,7 +17169,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17177,7 +17177,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17185,7 +17185,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17193,7 +17193,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17201,7 +17201,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17209,7 +17209,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17217,7 +17217,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17225,7 +17225,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17233,7 +17233,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17241,7 +17241,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17249,7 +17249,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17257,7 +17257,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17265,7 +17265,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17273,7 +17273,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17281,7 +17281,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17289,7 +17289,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17297,7 +17297,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17305,7 +17305,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17313,7 +17313,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17321,7 +17321,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17329,7 +17329,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17337,7 +17337,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17345,7 +17345,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17353,7 +17353,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17361,7 +17361,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17369,7 +17369,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17377,7 +17377,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17385,7 +17385,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17393,7 +17393,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17401,7 +17401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17409,7 +17409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17417,7 +17417,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17425,7 +17425,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17433,7 +17433,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17441,7 +17441,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17449,7 +17449,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17457,7 +17457,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17465,7 +17465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17473,7 +17473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17481,7 +17481,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17489,7 +17489,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17497,7 +17497,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17505,7 +17505,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17513,7 +17513,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17521,7 +17521,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17529,7 +17529,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17537,7 +17537,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17545,7 +17545,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17553,7 +17553,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17561,7 +17561,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17569,7 +17569,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17577,7 +17577,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17585,7 +17585,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17593,7 +17593,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17601,7 +17601,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17609,7 +17609,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17617,7 +17617,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17625,7 +17625,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17633,7 +17633,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17641,7 +17641,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17649,7 +17649,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17657,7 +17657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17665,7 +17665,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17673,7 +17673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17681,7 +17681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17689,7 +17689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17697,7 +17697,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17705,7 +17705,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17713,7 +17713,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17721,7 +17721,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17729,7 +17729,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17737,7 +17737,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17745,7 +17745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17753,7 +17753,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17761,7 +17761,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17769,7 +17769,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17777,7 +17777,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17785,7 +17785,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17793,7 +17793,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17801,7 +17801,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17809,7 +17809,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17817,7 +17817,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17825,7 +17825,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17833,7 +17833,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17841,7 +17841,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17849,7 +17849,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17857,7 +17857,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17865,7 +17865,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17873,7 +17873,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17881,7 +17881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17889,7 +17889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17897,7 +17897,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17905,7 +17905,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17913,7 +17913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17921,7 +17921,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17929,7 +17929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17937,7 +17937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17945,7 +17945,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17953,7 +17953,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17961,7 +17961,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17969,7 +17969,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17977,7 +17977,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17985,7 +17985,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17993,7 +17993,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18001,7 +18001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18009,7 +18009,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18017,7 +18017,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18025,7 +18025,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18033,7 +18033,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18041,7 +18041,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18049,7 +18049,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18057,7 +18057,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18065,7 +18065,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18073,7 +18073,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18081,7 +18081,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18089,7 +18089,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18097,7 +18097,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18105,7 +18105,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18113,7 +18113,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18121,7 +18121,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18129,7 +18129,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18137,7 +18137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18145,7 +18145,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18153,7 +18153,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18161,7 +18161,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18169,7 +18169,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18177,7 +18177,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18185,7 +18185,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18193,7 +18193,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18201,7 +18201,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18209,7 +18209,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18217,7 +18217,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18225,7 +18225,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18233,7 +18233,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18241,7 +18241,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18249,7 +18249,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18257,7 +18257,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18265,7 +18265,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18273,7 +18273,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18281,7 +18281,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18289,7 +18289,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18297,7 +18297,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18305,7 +18305,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18313,7 +18313,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18321,7 +18321,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18329,7 +18329,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18337,7 +18337,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18345,7 +18345,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18353,7 +18353,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18361,7 +18361,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18369,7 +18369,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18377,7 +18377,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18385,7 +18385,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18393,7 +18393,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18401,7 +18401,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18409,7 +18409,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18417,7 +18417,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18425,7 +18425,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18433,7 +18433,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18441,7 +18441,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18449,7 +18449,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18457,7 +18457,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18465,7 +18465,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18473,7 +18473,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18481,7 +18481,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18489,7 +18489,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18497,7 +18497,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18505,7 +18505,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18513,7 +18513,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18521,7 +18521,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18529,7 +18529,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18537,7 +18537,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18545,7 +18545,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18553,7 +18553,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18561,7 +18561,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18569,7 +18569,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18577,7 +18577,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18585,7 +18585,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18593,7 +18593,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18601,7 +18601,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18609,7 +18609,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18617,7 +18617,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18625,7 +18625,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18633,7 +18633,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18641,7 +18641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18649,7 +18649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18657,7 +18657,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18665,7 +18665,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18673,7 +18673,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18681,7 +18681,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18689,7 +18689,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18697,7 +18697,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18705,7 +18705,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18713,7 +18713,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18721,7 +18721,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18729,7 +18729,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18737,7 +18737,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18745,7 +18745,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18753,7 +18753,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18761,7 +18761,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18769,7 +18769,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18777,7 +18777,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18785,7 +18785,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18793,7 +18793,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18801,7 +18801,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18809,7 +18809,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18817,7 +18817,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18825,7 +18825,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18833,7 +18833,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18841,7 +18841,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18849,7 +18849,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18857,7 +18857,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18865,7 +18865,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18873,7 +18873,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18881,7 +18881,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18889,7 +18889,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18897,7 +18897,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18905,7 +18905,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18913,7 +18913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18921,7 +18921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18929,7 +18929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18937,7 +18937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18945,7 +18945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18953,7 +18953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18961,7 +18961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18969,7 +18969,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18977,7 +18977,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18985,7 +18985,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18993,7 +18993,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19001,7 +19001,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19009,7 +19009,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19017,7 +19017,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19025,7 +19025,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19033,7 +19033,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19041,7 +19041,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19049,7 +19049,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19057,7 +19057,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19065,7 +19065,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19073,7 +19073,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19081,7 +19081,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19089,7 +19089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19097,7 +19097,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19105,7 +19105,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19113,7 +19113,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19121,7 +19121,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19129,7 +19129,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19137,7 +19137,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19145,7 +19145,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19153,7 +19153,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19161,7 +19161,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19169,7 +19169,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19177,7 +19177,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19185,7 +19185,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19193,7 +19193,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19201,7 +19201,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19209,7 +19209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19217,7 +19217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19225,7 +19225,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19233,7 +19233,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19241,7 +19241,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19249,7 +19249,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19257,7 +19257,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19265,7 +19265,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19273,7 +19273,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19281,7 +19281,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19289,7 +19289,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19297,7 +19297,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19305,7 +19305,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19313,7 +19313,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19321,7 +19321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19329,7 +19329,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19337,7 +19337,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19345,7 +19345,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19353,7 +19353,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19361,7 +19361,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19369,7 +19369,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19377,7 +19377,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19385,7 +19385,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19393,7 +19393,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19401,7 +19401,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19409,7 +19409,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19417,7 +19417,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19425,7 +19425,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19433,7 +19433,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19441,7 +19441,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19449,7 +19449,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19457,7 +19457,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19465,7 +19465,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19473,7 +19473,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19481,7 +19481,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19489,7 +19489,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19497,7 +19497,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19505,7 +19505,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19513,7 +19513,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19521,7 +19521,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19529,7 +19529,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19537,7 +19537,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19545,7 +19545,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19553,7 +19553,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19561,7 +19561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19569,7 +19569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19577,7 +19577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19585,7 +19585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19593,7 +19593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19601,7 +19601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19609,7 +19609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19617,7 +19617,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19625,7 +19625,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19633,7 +19633,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19641,7 +19641,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19649,7 +19649,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19657,7 +19657,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19665,7 +19665,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19673,7 +19673,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19681,7 +19681,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19689,7 +19689,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19697,7 +19697,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19705,7 +19705,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19713,7 +19713,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19721,7 +19721,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19729,7 +19729,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19737,7 +19737,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19745,7 +19745,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19753,7 +19753,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19761,7 +19761,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19769,7 +19769,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19777,7 +19777,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19785,7 +19785,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19793,7 +19793,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19801,7 +19801,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19809,7 +19809,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19817,7 +19817,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19825,7 +19825,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19833,7 +19833,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19841,7 +19841,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19849,7 +19849,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19857,7 +19857,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19865,7 +19865,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19873,7 +19873,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19881,7 +19881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19889,7 +19889,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19897,7 +19897,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19905,7 +19905,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19913,7 +19913,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19921,7 +19921,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19929,7 +19929,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19937,7 +19937,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19945,7 +19945,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19953,7 +19953,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19961,7 +19961,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19969,7 +19969,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19977,7 +19977,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19985,7 +19985,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19993,7 +19993,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20001,7 +20001,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20009,7 +20009,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20017,7 +20017,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20025,7 +20025,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20033,7 +20033,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20041,7 +20041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20049,7 +20049,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20057,7 +20057,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20065,7 +20065,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20073,7 +20073,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20081,7 +20081,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20089,7 +20089,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20097,7 +20097,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20105,7 +20105,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20113,7 +20113,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20121,7 +20121,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20129,7 +20129,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20137,7 +20137,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20145,7 +20145,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20153,7 +20153,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20161,7 +20161,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20169,7 +20169,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20177,7 +20177,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20185,7 +20185,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20193,7 +20193,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20201,7 +20201,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20209,7 +20209,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20217,7 +20217,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20225,7 +20225,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20233,7 +20233,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20241,7 +20241,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20249,7 +20249,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20257,7 +20257,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20265,7 +20265,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20273,7 +20273,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20281,7 +20281,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20289,7 +20289,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20297,7 +20297,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20305,7 +20305,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20313,7 +20313,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20321,7 +20321,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20329,7 +20329,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20337,7 +20337,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20345,7 +20345,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20353,7 +20353,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20361,7 +20361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20369,7 +20369,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20377,7 +20377,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20385,7 +20385,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20393,7 +20393,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20401,7 +20401,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20409,7 +20409,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20417,7 +20417,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20425,7 +20425,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20433,7 +20433,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20441,7 +20441,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20449,7 +20449,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20457,7 +20457,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20465,7 +20465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20473,7 +20473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20481,7 +20481,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20489,7 +20489,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20497,7 +20497,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20505,7 +20505,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20513,7 +20513,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20521,7 +20521,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20529,7 +20529,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20537,7 +20537,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20545,7 +20545,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20553,7 +20553,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20561,7 +20561,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20569,7 +20569,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20577,7 +20577,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20585,7 +20585,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20593,7 +20593,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20601,7 +20601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20609,7 +20609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20617,7 +20617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20625,7 +20625,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20633,7 +20633,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20641,7 +20641,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20649,7 +20649,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20657,7 +20657,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20665,7 +20665,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20673,7 +20673,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20681,7 +20681,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20689,7 +20689,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20697,7 +20697,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20705,7 +20705,7 @@ attack-objects: tags: [] - attack-object-id: T1593.003 attack-object-name: Code Repositories - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20713,7 +20713,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20721,7 +20721,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20729,7 +20729,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20737,7 +20737,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20745,7 +20745,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20753,7 +20753,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20761,7 +20761,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20769,7 +20769,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20777,7 +20777,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20785,7 +20785,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20793,7 +20793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20801,7 +20801,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20809,7 +20809,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20817,7 +20817,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20825,7 +20825,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20833,7 +20833,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20841,7 +20841,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20849,7 +20849,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20857,7 +20857,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20865,7 +20865,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20873,7 +20873,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20881,7 +20881,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20889,7 +20889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20897,7 +20897,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20905,7 +20905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20913,7 +20913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20921,7 +20921,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20929,7 +20929,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20937,7 +20937,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20945,7 +20945,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20953,7 +20953,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20961,7 +20961,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20969,7 +20969,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20977,7 +20977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20985,7 +20985,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20993,7 +20993,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21001,7 +21001,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21009,7 +21009,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21017,7 +21017,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21025,7 +21025,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21033,7 +21033,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21041,7 +21041,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21049,7 +21049,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21057,7 +21057,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21065,7 +21065,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21073,7 +21073,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21081,7 +21081,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21089,7 +21089,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21097,7 +21097,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21105,7 +21105,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21113,7 +21113,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21121,7 +21121,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21129,7 +21129,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21137,7 +21137,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21145,7 +21145,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21153,7 +21153,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21161,7 +21161,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21169,7 +21169,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21177,7 +21177,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21185,7 +21185,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21193,7 +21193,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21201,7 +21201,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21209,7 +21209,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21217,7 +21217,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21225,7 +21225,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21233,7 +21233,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21241,7 +21241,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21249,7 +21249,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21257,7 +21257,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21265,7 +21265,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21273,7 +21273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21281,7 +21281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21289,7 +21289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21297,7 +21297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21305,7 +21305,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21313,7 +21313,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21321,7 +21321,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21329,7 +21329,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21337,7 +21337,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21345,7 +21345,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21353,7 +21353,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21361,7 +21361,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21369,7 +21369,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21377,7 +21377,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21385,7 +21385,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21393,7 +21393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21401,7 +21401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21409,7 +21409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21417,7 +21417,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21425,7 +21425,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21433,7 +21433,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21441,7 +21441,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21449,7 +21449,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21457,7 +21457,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21465,7 +21465,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21473,7 +21473,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21481,7 +21481,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21489,7 +21489,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21497,7 +21497,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21505,7 +21505,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21513,7 +21513,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21521,7 +21521,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21529,7 +21529,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21537,7 +21537,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21545,7 +21545,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21553,7 +21553,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21561,7 +21561,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21569,7 +21569,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21577,7 +21577,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21585,7 +21585,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21593,7 +21593,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21601,7 +21601,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21609,7 +21609,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21617,7 +21617,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21625,7 +21625,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21633,7 +21633,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21641,7 +21641,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21649,7 +21649,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21657,7 +21657,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21665,7 +21665,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21673,7 +21673,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21681,7 +21681,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21689,7 +21689,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21697,7 +21697,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21705,7 +21705,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21713,7 +21713,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21721,7 +21721,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21729,7 +21729,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21737,7 +21737,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21745,7 +21745,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21753,7 +21753,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21761,7 +21761,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21769,7 +21769,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21777,7 +21777,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21785,7 +21785,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21793,7 +21793,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21801,7 +21801,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21809,7 +21809,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21817,7 +21817,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21825,7 +21825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21833,7 +21833,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21841,7 +21841,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21849,7 +21849,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21857,7 +21857,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21865,7 +21865,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21873,7 +21873,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21881,7 +21881,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21889,7 +21889,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21897,7 +21897,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21905,7 +21905,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21913,7 +21913,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21921,7 +21921,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21929,7 +21929,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21937,7 +21937,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21945,7 +21945,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21953,7 +21953,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21961,7 +21961,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21969,7 +21969,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21977,7 +21977,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21985,7 +21985,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21993,7 +21993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22001,7 +22001,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22009,7 +22009,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22017,7 +22017,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22025,7 +22025,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22033,7 +22033,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Identification and Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22041,7 +22041,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Identification and Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22049,7 +22049,7 @@ attack-objects: tags: [] - attack-object-id: T1585.003 attack-object-name: Cloud Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22057,7 +22057,7 @@ attack-objects: tags: [] - attack-object-id: T1586.003 attack-object-name: Cloud Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22065,7 +22065,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: 'Identification and Authentication (Organizational Users) ' + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22073,7 +22073,7 @@ attack-objects: tags: [] - attack-object-id: T1649 attack-object-name: Steal or Forge Authentication Certificates - capability-id: 'Identification and Authentication (Organizational Users) ' + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22081,7 +22081,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22089,7 +22089,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22097,7 +22097,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22105,7 +22105,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22113,7 +22113,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22121,7 +22121,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22129,7 +22129,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22137,7 +22137,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22145,7 +22145,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22153,7 +22153,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22161,7 +22161,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22169,7 +22169,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22177,7 +22177,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22185,7 +22185,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22193,7 +22193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22201,7 +22201,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22209,7 +22209,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22217,7 +22217,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22225,7 +22225,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22233,7 +22233,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22241,7 +22241,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22249,7 +22249,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22257,7 +22257,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22265,7 +22265,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22273,7 +22273,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22281,7 +22281,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22289,7 +22289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22297,7 +22297,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22305,7 +22305,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22313,7 +22313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22321,7 +22321,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22329,7 +22329,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22337,7 +22337,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22345,7 +22345,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22353,7 +22353,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22361,7 +22361,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22369,7 +22369,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22377,7 +22377,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22385,7 +22385,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22393,7 +22393,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22401,7 +22401,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22409,7 +22409,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22417,7 +22417,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22425,7 +22425,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22433,7 +22433,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22441,7 +22441,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22449,7 +22449,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22457,7 +22457,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22465,7 +22465,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22473,7 +22473,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22481,7 +22481,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22489,7 +22489,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22497,7 +22497,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22505,7 +22505,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22513,7 +22513,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22521,7 +22521,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22529,7 +22529,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22537,7 +22537,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22545,7 +22545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22553,7 +22553,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22561,7 +22561,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22569,7 +22569,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22577,7 +22577,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22585,7 +22585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22593,7 +22593,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22601,7 +22601,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22609,7 +22609,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22617,7 +22617,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22625,7 +22625,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22633,7 +22633,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22641,7 +22641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22649,7 +22649,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22657,7 +22657,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22665,7 +22665,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22673,7 +22673,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22681,7 +22681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22689,7 +22689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22697,7 +22697,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22705,7 +22705,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22713,7 +22713,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22721,7 +22721,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22729,7 +22729,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22737,7 +22737,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22745,7 +22745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22753,7 +22753,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22761,7 +22761,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22769,7 +22769,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22777,7 +22777,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22785,7 +22785,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22793,7 +22793,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22801,7 +22801,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22809,7 +22809,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22817,7 +22817,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22825,7 +22825,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22833,7 +22833,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22841,7 +22841,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22849,7 +22849,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22857,7 +22857,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22865,7 +22865,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22873,7 +22873,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22881,7 +22881,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22889,7 +22889,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22897,7 +22897,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22905,7 +22905,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22913,7 +22913,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22921,7 +22921,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22929,7 +22929,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22937,7 +22937,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22945,7 +22945,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22953,7 +22953,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22961,7 +22961,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22969,7 +22969,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22977,7 +22977,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22985,7 +22985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22993,7 +22993,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23001,7 +23001,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23009,7 +23009,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23017,7 +23017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23025,7 +23025,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23033,7 +23033,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23041,7 +23041,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23049,7 +23049,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23057,7 +23057,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23065,7 +23065,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23073,7 +23073,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23081,7 +23081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23089,7 +23089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23097,7 +23097,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23105,7 +23105,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23113,7 +23113,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23121,7 +23121,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23129,7 +23129,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23137,7 +23137,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23145,7 +23145,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23153,7 +23153,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23161,7 +23161,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23169,7 +23169,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23177,7 +23177,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23185,7 +23185,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23193,7 +23193,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23201,7 +23201,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23209,7 +23209,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23217,7 +23217,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23225,7 +23225,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23233,7 +23233,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23241,7 +23241,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23249,7 +23249,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23257,7 +23257,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23265,7 +23265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23273,7 +23273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23281,7 +23281,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23289,7 +23289,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23297,7 +23297,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23305,7 +23305,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23313,7 +23313,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23321,7 +23321,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23329,7 +23329,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23337,7 +23337,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23345,7 +23345,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23353,7 +23353,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23361,7 +23361,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: 'Device Identification and Authentication ' + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23369,7 +23369,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23377,7 +23377,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23385,7 +23385,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23393,7 +23393,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23401,7 +23401,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23409,7 +23409,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23417,7 +23417,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23425,7 +23425,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23433,7 +23433,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23441,7 +23441,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23449,7 +23449,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23457,7 +23457,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23465,7 +23465,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23473,7 +23473,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23481,7 +23481,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23489,7 +23489,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23497,7 +23497,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23505,7 +23505,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23513,7 +23513,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23521,7 +23521,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23529,7 +23529,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23537,7 +23537,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23545,7 +23545,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23553,7 +23553,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23561,7 +23561,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23569,7 +23569,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23577,7 +23577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23585,7 +23585,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23593,7 +23593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23601,7 +23601,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23609,7 +23609,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23617,7 +23617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23625,7 +23625,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23633,7 +23633,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23641,7 +23641,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23649,7 +23649,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23657,7 +23657,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23665,7 +23665,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23673,7 +23673,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23681,7 +23681,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23689,7 +23689,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23697,7 +23697,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23705,7 +23705,7 @@ attack-objects: tags: [] - attack-object-id: T1556.005 attack-object-name: Reversible Encryption - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23713,7 +23713,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23721,7 +23721,7 @@ attack-objects: tags: [] - attack-object-id: T1649 attack-object-name: Steal or Forge Authentication Certificates - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23729,7 +23729,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23737,7 +23737,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23745,7 +23745,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23753,7 +23753,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23761,7 +23761,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23769,7 +23769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23777,7 +23777,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23785,7 +23785,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23793,7 +23793,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23801,7 +23801,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23809,7 +23809,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23817,7 +23817,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23825,7 +23825,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23833,7 +23833,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23841,7 +23841,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23849,7 +23849,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23857,7 +23857,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23865,7 +23865,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23873,7 +23873,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23881,7 +23881,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23889,7 +23889,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23897,7 +23897,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23905,7 +23905,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23913,7 +23913,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23921,7 +23921,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23929,7 +23929,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23937,7 +23937,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23945,7 +23945,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23953,7 +23953,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23961,7 +23961,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23969,7 +23969,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23977,7 +23977,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23985,7 +23985,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23993,7 +23993,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24001,7 +24001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24009,7 +24009,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24017,7 +24017,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24025,7 +24025,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24033,7 +24033,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24041,7 +24041,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24049,7 +24049,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24057,7 +24057,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24065,7 +24065,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24073,7 +24073,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24081,7 +24081,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24089,7 +24089,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24097,7 +24097,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24105,7 +24105,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24113,7 +24113,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24121,7 +24121,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24129,7 +24129,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24137,7 +24137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24145,7 +24145,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24153,7 +24153,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24161,7 +24161,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24169,7 +24169,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24177,7 +24177,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24185,7 +24185,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24193,7 +24193,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24201,7 +24201,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24209,7 +24209,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24217,7 +24217,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24225,7 +24225,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24233,7 +24233,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24241,7 +24241,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24249,7 +24249,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -24257,7 +24257,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -24265,7 +24265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24273,7 +24273,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -24281,7 +24281,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -24289,7 +24289,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -24297,7 +24297,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -24305,7 +24305,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -24313,7 +24313,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24321,7 +24321,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24329,7 +24329,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24337,7 +24337,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24345,7 +24345,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24353,7 +24353,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24361,7 +24361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24369,7 +24369,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24377,7 +24377,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24385,7 +24385,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24393,7 +24393,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24401,7 +24401,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24409,7 +24409,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24417,7 +24417,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24425,7 +24425,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24433,7 +24433,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24441,7 +24441,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24449,7 +24449,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24457,7 +24457,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24465,7 +24465,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24473,7 +24473,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24481,7 +24481,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24489,7 +24489,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24497,7 +24497,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24505,7 +24505,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24513,7 +24513,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24521,7 +24521,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24529,7 +24529,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24537,7 +24537,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24545,7 +24545,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24553,7 +24553,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24561,7 +24561,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24569,7 +24569,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24577,7 +24577,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24585,7 +24585,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24593,7 +24593,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24601,7 +24601,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24609,7 +24609,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24617,7 +24617,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24625,7 +24625,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24633,7 +24633,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24641,7 +24641,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24649,7 +24649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24657,7 +24657,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24665,7 +24665,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24673,7 +24673,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24681,7 +24681,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24689,7 +24689,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24697,7 +24697,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24705,7 +24705,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24713,7 +24713,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24721,7 +24721,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24729,7 +24729,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24737,7 +24737,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24745,7 +24745,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24753,7 +24753,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24761,7 +24761,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24769,7 +24769,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24777,7 +24777,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Incident Monitoring + capability-id: IR-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24785,7 +24785,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24793,7 +24793,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24801,7 +24801,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24809,7 +24809,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24817,7 +24817,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24825,7 +24825,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24833,7 +24833,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24841,7 +24841,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24849,7 +24849,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24857,7 +24857,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24865,7 +24865,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24873,7 +24873,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24881,7 +24881,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24889,7 +24889,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24897,7 +24897,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24905,7 +24905,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24913,7 +24913,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24921,7 +24921,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24929,7 +24929,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24937,7 +24937,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24945,7 +24945,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24953,7 +24953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24961,7 +24961,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24969,7 +24969,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24977,7 +24977,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24985,7 +24985,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24993,7 +24993,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25001,7 +25001,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25009,7 +25009,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25017,7 +25017,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25025,7 +25025,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25033,7 +25033,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25041,7 +25041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25049,7 +25049,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25057,7 +25057,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25065,7 +25065,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25073,7 +25073,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25081,7 +25081,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25089,7 +25089,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25097,7 +25097,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25105,7 +25105,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25113,7 +25113,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25121,7 +25121,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25129,7 +25129,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25137,7 +25137,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25145,7 +25145,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25153,7 +25153,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25161,7 +25161,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25169,7 +25169,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25177,7 +25177,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25185,7 +25185,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25193,7 +25193,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25201,7 +25201,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25209,7 +25209,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25217,7 +25217,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25225,7 +25225,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25233,7 +25233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25241,7 +25241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25249,7 +25249,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25257,7 +25257,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25265,7 +25265,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25273,7 +25273,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25281,7 +25281,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25289,7 +25289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25297,7 +25297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25305,7 +25305,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25313,7 +25313,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25321,7 +25321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25329,7 +25329,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25337,7 +25337,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25345,7 +25345,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25353,7 +25353,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25361,7 +25361,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25369,7 +25369,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25377,7 +25377,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25385,7 +25385,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25393,7 +25393,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25401,7 +25401,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25409,7 +25409,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25417,7 +25417,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25425,7 +25425,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25433,7 +25433,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25441,7 +25441,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25449,7 +25449,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25457,7 +25457,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25465,7 +25465,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25473,7 +25473,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25481,7 +25481,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25489,7 +25489,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25497,7 +25497,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25505,7 +25505,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25513,7 +25513,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25521,7 +25521,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25529,7 +25529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25537,7 +25537,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25545,7 +25545,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25553,7 +25553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25561,7 +25561,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25569,7 +25569,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25577,7 +25577,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25585,7 +25585,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25593,7 +25593,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25601,7 +25601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25609,7 +25609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25617,7 +25617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25625,7 +25625,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25633,7 +25633,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25641,7 +25641,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25649,7 +25649,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25657,7 +25657,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25665,7 +25665,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25673,7 +25673,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25681,7 +25681,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25689,7 +25689,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25697,7 +25697,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25705,7 +25705,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25713,7 +25713,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25721,7 +25721,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25729,7 +25729,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25737,7 +25737,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25745,7 +25745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25753,7 +25753,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25761,7 +25761,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25769,7 +25769,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25777,7 +25777,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25785,7 +25785,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25793,7 +25793,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25801,7 +25801,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25809,7 +25809,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25817,7 +25817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25825,7 +25825,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25833,7 +25833,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25841,7 +25841,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25849,7 +25849,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25857,7 +25857,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25865,7 +25865,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25873,7 +25873,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25881,7 +25881,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25889,7 +25889,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25897,7 +25897,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25905,7 +25905,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25913,7 +25913,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25921,7 +25921,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25929,7 +25929,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25937,7 +25937,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25945,7 +25945,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25953,7 +25953,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25961,7 +25961,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25969,7 +25969,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25977,7 +25977,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25985,7 +25985,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25993,7 +25993,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26001,7 +26001,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26009,7 +26009,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26017,7 +26017,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26025,7 +26025,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26033,7 +26033,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26041,7 +26041,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26049,7 +26049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26057,7 +26057,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26065,7 +26065,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26073,7 +26073,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26081,7 +26081,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26089,7 +26089,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26097,7 +26097,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26105,7 +26105,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26113,7 +26113,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26121,7 +26121,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26129,7 +26129,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26137,7 +26137,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -26145,7 +26145,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26153,7 +26153,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26161,7 +26161,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26169,7 +26169,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26177,7 +26177,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26185,7 +26185,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26193,7 +26193,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26201,7 +26201,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26209,7 +26209,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26217,7 +26217,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26225,7 +26225,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26233,7 +26233,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26241,7 +26241,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Trustworthiness + capability-id: SA-13 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26249,7 +26249,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26257,7 +26257,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26265,7 +26265,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26273,7 +26273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26281,7 +26281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26289,7 +26289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26297,7 +26297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26305,7 +26305,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26313,7 +26313,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26321,7 +26321,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26329,7 +26329,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26337,7 +26337,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -26345,7 +26345,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26353,7 +26353,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26361,7 +26361,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26369,7 +26369,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26377,7 +26377,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26385,7 +26385,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26393,7 +26393,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26401,7 +26401,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26409,7 +26409,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26417,7 +26417,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26425,7 +26425,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26433,7 +26433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26441,7 +26441,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26449,7 +26449,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26457,7 +26457,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26465,7 +26465,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26473,7 +26473,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26481,7 +26481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26489,7 +26489,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26497,7 +26497,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26505,7 +26505,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26513,7 +26513,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26521,7 +26521,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26529,7 +26529,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26537,7 +26537,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26545,7 +26545,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Component Authenticity + capability-id: SA-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -26553,7 +26553,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26561,7 +26561,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26569,7 +26569,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26577,7 +26577,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26585,7 +26585,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26593,7 +26593,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26601,7 +26601,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26609,7 +26609,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26617,7 +26617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26625,7 +26625,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26633,7 +26633,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26641,7 +26641,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26649,7 +26649,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26657,7 +26657,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26665,7 +26665,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26673,7 +26673,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26681,7 +26681,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26689,7 +26689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26697,7 +26697,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26705,7 +26705,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26713,7 +26713,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26721,7 +26721,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26729,7 +26729,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26737,7 +26737,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26745,7 +26745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26753,7 +26753,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26761,7 +26761,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26769,7 +26769,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26777,7 +26777,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26785,7 +26785,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26793,7 +26793,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26801,7 +26801,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26809,7 +26809,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26817,7 +26817,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26825,7 +26825,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26833,7 +26833,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26841,7 +26841,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26849,7 +26849,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26857,7 +26857,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -26865,7 +26865,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -26873,7 +26873,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -26881,7 +26881,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -26889,7 +26889,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: External Information System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26897,7 +26897,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26905,7 +26905,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26913,7 +26913,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26921,7 +26921,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26929,7 +26929,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26937,7 +26937,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26945,7 +26945,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26953,7 +26953,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26961,7 +26961,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26969,7 +26969,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26977,7 +26977,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26985,7 +26985,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26993,7 +26993,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -27001,7 +27001,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -27009,7 +27009,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27017,7 +27017,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -27025,7 +27025,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -27033,7 +27033,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -27041,7 +27041,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -27049,7 +27049,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27057,7 +27057,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27065,7 +27065,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27073,7 +27073,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27081,7 +27081,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27089,7 +27089,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -27097,7 +27097,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -27105,7 +27105,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27113,7 +27113,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27121,7 +27121,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27129,7 +27129,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27137,7 +27137,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27145,7 +27145,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27153,7 +27153,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27161,7 +27161,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27169,7 +27169,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27177,7 +27177,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27185,7 +27185,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27193,7 +27193,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27201,7 +27201,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27209,7 +27209,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27217,7 +27217,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27225,7 +27225,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27233,7 +27233,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27241,7 +27241,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27249,7 +27249,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27257,7 +27257,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27265,7 +27265,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27273,7 +27273,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27281,7 +27281,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27289,7 +27289,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27297,7 +27297,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27305,7 +27305,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27313,7 +27313,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27321,7 +27321,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27329,7 +27329,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27337,7 +27337,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27345,7 +27345,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27353,7 +27353,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27361,7 +27361,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27369,7 +27369,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27377,7 +27377,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -27385,7 +27385,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27393,7 +27393,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27401,7 +27401,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27409,7 +27409,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27417,7 +27417,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27425,7 +27425,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27433,7 +27433,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27441,7 +27441,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27449,7 +27449,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27457,7 +27457,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27465,7 +27465,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27473,7 +27473,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27481,7 +27481,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27489,7 +27489,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27497,7 +27497,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27505,7 +27505,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27513,7 +27513,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27521,7 +27521,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27529,7 +27529,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27537,7 +27537,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27545,7 +27545,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27553,7 +27553,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27561,7 +27561,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27569,7 +27569,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27577,7 +27577,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27585,7 +27585,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27593,7 +27593,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27601,7 +27601,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27609,7 +27609,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27617,7 +27617,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27625,7 +27625,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27633,7 +27633,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27641,7 +27641,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27649,7 +27649,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27657,7 +27657,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27665,7 +27665,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27673,7 +27673,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27681,7 +27681,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27689,7 +27689,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27697,7 +27697,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27705,7 +27705,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27713,7 +27713,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27721,7 +27721,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27729,7 +27729,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27737,7 +27737,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27745,7 +27745,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27753,7 +27753,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27761,7 +27761,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27769,7 +27769,7 @@ attack-objects: tags: [] - attack-object-id: T1535 attack-object-name: Unused/Unsupported Cloud Regions - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27777,7 +27777,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27785,7 +27785,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27793,7 +27793,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27801,7 +27801,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27809,7 +27809,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27817,7 +27817,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27825,7 +27825,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27833,7 +27833,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27841,7 +27841,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -27849,7 +27849,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -27857,7 +27857,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -27865,7 +27865,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27873,7 +27873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27881,7 +27881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27889,7 +27889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27897,7 +27897,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27905,7 +27905,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27913,7 +27913,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27921,7 +27921,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27929,7 +27929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27937,7 +27937,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27945,7 +27945,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27953,7 +27953,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27961,7 +27961,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27969,7 +27969,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27977,7 +27977,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27985,7 +27985,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27993,7 +27993,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28001,7 +28001,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28009,7 +28009,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28017,7 +28017,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28025,7 +28025,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28033,7 +28033,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28041,7 +28041,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28049,7 +28049,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28057,7 +28057,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28065,7 +28065,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28073,7 +28073,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28081,7 +28081,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28089,7 +28089,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28097,7 +28097,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28105,7 +28105,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28113,7 +28113,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28121,7 +28121,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28129,7 +28129,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28137,7 +28137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28145,7 +28145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28153,7 +28153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28161,7 +28161,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28169,7 +28169,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -28177,7 +28177,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28185,7 +28185,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -28193,7 +28193,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -28201,7 +28201,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -28209,7 +28209,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -28217,7 +28217,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -28225,7 +28225,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -28233,7 +28233,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -28241,7 +28241,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28249,7 +28249,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28257,7 +28257,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28265,7 +28265,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28273,7 +28273,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28281,7 +28281,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28289,7 +28289,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28297,7 +28297,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28305,7 +28305,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28313,7 +28313,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28321,7 +28321,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28329,7 +28329,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28337,7 +28337,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28345,7 +28345,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28353,7 +28353,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28361,7 +28361,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28369,7 +28369,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28377,7 +28377,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28385,7 +28385,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28393,7 +28393,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -28401,7 +28401,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -28409,7 +28409,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28417,7 +28417,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -28425,7 +28425,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -28433,7 +28433,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -28441,7 +28441,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -28449,7 +28449,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28457,7 +28457,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28465,7 +28465,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28473,7 +28473,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28481,7 +28481,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28489,7 +28489,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28497,7 +28497,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28505,7 +28505,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28513,7 +28513,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28521,7 +28521,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28529,7 +28529,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28537,7 +28537,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28545,7 +28545,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28553,7 +28553,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28561,7 +28561,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28569,7 +28569,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28577,7 +28577,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28585,7 +28585,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28593,7 +28593,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28601,7 +28601,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28609,7 +28609,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28617,7 +28617,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28625,7 +28625,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28633,7 +28633,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28641,7 +28641,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28649,7 +28649,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -28657,7 +28657,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -28665,7 +28665,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -28673,7 +28673,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -28681,7 +28681,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28689,7 +28689,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28697,7 +28697,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28705,7 +28705,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28713,7 +28713,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28721,7 +28721,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28729,7 +28729,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28737,7 +28737,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -28745,7 +28745,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -28753,7 +28753,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -28761,7 +28761,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28769,7 +28769,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -28777,7 +28777,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Operations Security + capability-id: SC-38 comments: '' mapping-description: '' mapping-type: mitigates @@ -28785,7 +28785,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Operations Security + capability-id: SC-38 comments: '' mapping-description: '' mapping-type: mitigates @@ -28793,7 +28793,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28801,7 +28801,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28809,7 +28809,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28817,7 +28817,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28825,7 +28825,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28833,7 +28833,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28841,7 +28841,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28849,7 +28849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28857,7 +28857,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28865,7 +28865,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28873,7 +28873,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28881,7 +28881,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28889,7 +28889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28897,7 +28897,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28905,7 +28905,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28913,7 +28913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28921,7 +28921,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28929,7 +28929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28937,7 +28937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28945,7 +28945,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28953,7 +28953,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28961,7 +28961,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28969,7 +28969,7 @@ attack-objects: tags: [] - attack-object-id: T1595.003 attack-object-name: Wordlist Scanning - capability-id: Information in Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28977,7 +28977,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28985,7 +28985,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28993,7 +28993,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29001,7 +29001,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29009,7 +29009,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29017,7 +29017,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29025,7 +29025,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29033,7 +29033,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29041,7 +29041,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29049,7 +29049,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29057,7 +29057,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29065,7 +29065,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29073,7 +29073,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29081,7 +29081,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29089,7 +29089,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29097,7 +29097,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29105,7 +29105,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29113,7 +29113,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29121,7 +29121,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29129,7 +29129,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29137,7 +29137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29145,7 +29145,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29153,7 +29153,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29161,7 +29161,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29169,7 +29169,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29177,7 +29177,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29185,7 +29185,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29193,7 +29193,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -29201,7 +29201,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -29209,7 +29209,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -29217,7 +29217,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -29225,7 +29225,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -29233,7 +29233,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29241,7 +29241,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29249,7 +29249,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29257,7 +29257,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29265,7 +29265,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29273,7 +29273,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29281,7 +29281,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29289,7 +29289,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29297,7 +29297,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29305,7 +29305,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29313,7 +29313,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29321,7 +29321,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29329,7 +29329,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29337,7 +29337,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -29345,7 +29345,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29353,7 +29353,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29361,7 +29361,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Resource Availability + capability-id: SC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -29369,7 +29369,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29377,7 +29377,7 @@ attack-objects: tags: [] - attack-object-id: T1583.007 attack-object-name: Serverless - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29385,7 +29385,7 @@ attack-objects: tags: [] - attack-object-id: T1584.007 attack-object-name: Serverless - capability-id: 'Boundary Protection ' + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29393,7 +29393,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29401,7 +29401,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29409,7 +29409,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29417,7 +29417,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29425,7 +29425,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29433,7 +29433,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29441,7 +29441,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29449,7 +29449,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29457,7 +29457,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29465,7 +29465,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29473,7 +29473,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29481,7 +29481,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29489,7 +29489,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29497,7 +29497,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29505,7 +29505,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29513,7 +29513,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29521,7 +29521,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29529,7 +29529,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29537,7 +29537,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29545,7 +29545,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29553,7 +29553,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29561,7 +29561,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29569,7 +29569,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29577,7 +29577,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29585,7 +29585,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29593,7 +29593,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29601,7 +29601,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29609,7 +29609,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29617,7 +29617,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29625,7 +29625,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29633,7 +29633,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29641,7 +29641,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29649,7 +29649,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29657,7 +29657,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29665,7 +29665,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29673,7 +29673,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29681,7 +29681,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29689,7 +29689,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29697,7 +29697,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29705,7 +29705,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29713,7 +29713,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29721,7 +29721,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29729,7 +29729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29737,7 +29737,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29745,7 +29745,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29753,7 +29753,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29761,7 +29761,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29769,7 +29769,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29777,7 +29777,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29785,7 +29785,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29793,7 +29793,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29801,7 +29801,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29809,7 +29809,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29817,7 +29817,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29825,7 +29825,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29833,7 +29833,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29841,7 +29841,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29849,7 +29849,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29857,7 +29857,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29865,7 +29865,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29873,7 +29873,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29881,7 +29881,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29889,7 +29889,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29897,7 +29897,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29905,7 +29905,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29913,7 +29913,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29921,7 +29921,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29929,7 +29929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29937,7 +29937,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29945,7 +29945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29953,7 +29953,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29961,7 +29961,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29969,7 +29969,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29977,7 +29977,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29985,7 +29985,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29993,7 +29993,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30001,7 +30001,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30009,7 +30009,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30017,7 +30017,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30025,7 +30025,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30033,7 +30033,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30041,7 +30041,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30049,7 +30049,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30057,7 +30057,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30065,7 +30065,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30073,7 +30073,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30081,7 +30081,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30089,7 +30089,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30097,7 +30097,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30105,7 +30105,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30113,7 +30113,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30121,7 +30121,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30129,7 +30129,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30137,7 +30137,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30145,7 +30145,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30153,7 +30153,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30161,7 +30161,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30169,7 +30169,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30177,7 +30177,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30185,7 +30185,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30193,7 +30193,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30201,7 +30201,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30209,7 +30209,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30217,7 +30217,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30225,7 +30225,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30233,7 +30233,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30241,7 +30241,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30249,7 +30249,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30257,7 +30257,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30265,7 +30265,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30273,7 +30273,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30281,7 +30281,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30289,7 +30289,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30297,7 +30297,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30305,7 +30305,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30313,7 +30313,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30321,7 +30321,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30329,7 +30329,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30337,7 +30337,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30345,7 +30345,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30353,7 +30353,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30361,7 +30361,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30369,7 +30369,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30377,7 +30377,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30385,7 +30385,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30393,7 +30393,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30401,7 +30401,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30409,7 +30409,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30417,7 +30417,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30425,7 +30425,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30433,7 +30433,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30441,7 +30441,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30449,7 +30449,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30457,7 +30457,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30465,7 +30465,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30473,7 +30473,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30481,7 +30481,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30489,7 +30489,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30497,7 +30497,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30505,7 +30505,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30513,7 +30513,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30521,7 +30521,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30529,7 +30529,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30537,7 +30537,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30545,7 +30545,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30553,7 +30553,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30561,7 +30561,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30569,7 +30569,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30577,7 +30577,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30585,7 +30585,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30593,7 +30593,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30601,7 +30601,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30609,7 +30609,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30617,7 +30617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30625,7 +30625,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30633,7 +30633,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30641,7 +30641,7 @@ attack-objects: tags: [] - attack-object-id: T1090.004 attack-object-name: Domain Fronting - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30649,7 +30649,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30657,7 +30657,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30665,7 +30665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30673,7 +30673,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30681,7 +30681,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30689,7 +30689,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30697,7 +30697,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30705,7 +30705,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30713,7 +30713,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30721,7 +30721,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30729,7 +30729,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30737,7 +30737,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30745,7 +30745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30753,7 +30753,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30761,7 +30761,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30769,7 +30769,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30777,7 +30777,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30785,7 +30785,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30793,7 +30793,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30801,7 +30801,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30809,7 +30809,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30817,7 +30817,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30825,7 +30825,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30833,7 +30833,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30841,7 +30841,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30849,7 +30849,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30857,7 +30857,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30865,7 +30865,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30873,7 +30873,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30881,7 +30881,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30889,7 +30889,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30897,7 +30897,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30905,7 +30905,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30913,7 +30913,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30921,7 +30921,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30929,7 +30929,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30937,7 +30937,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30945,7 +30945,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30953,7 +30953,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30961,7 +30961,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30969,7 +30969,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30977,7 +30977,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30985,7 +30985,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30993,7 +30993,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31001,7 +31001,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31009,7 +31009,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31017,7 +31017,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31025,7 +31025,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31033,7 +31033,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31041,7 +31041,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31049,7 +31049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31057,7 +31057,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31065,7 +31065,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31073,7 +31073,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31081,7 +31081,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31089,7 +31089,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31097,7 +31097,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31105,7 +31105,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31113,7 +31113,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31121,7 +31121,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31129,7 +31129,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31137,7 +31137,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31145,7 +31145,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31153,7 +31153,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31161,7 +31161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31169,7 +31169,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31177,7 +31177,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31185,7 +31185,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31193,7 +31193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31201,7 +31201,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31209,7 +31209,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31217,7 +31217,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31225,7 +31225,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31233,7 +31233,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31241,7 +31241,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31249,7 +31249,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31257,7 +31257,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31265,7 +31265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31273,7 +31273,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31281,7 +31281,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31289,7 +31289,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31297,7 +31297,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31305,7 +31305,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31313,7 +31313,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31321,7 +31321,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31329,7 +31329,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31337,7 +31337,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31345,7 +31345,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31353,7 +31353,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31361,7 +31361,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31369,7 +31369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31377,7 +31377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31385,7 +31385,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31393,7 +31393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31401,7 +31401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31409,7 +31409,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31417,7 +31417,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31425,7 +31425,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31433,7 +31433,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31441,7 +31441,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31449,7 +31449,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31457,7 +31457,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31465,7 +31465,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31473,7 +31473,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31481,7 +31481,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31489,7 +31489,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31497,7 +31497,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31505,7 +31505,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31513,7 +31513,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31521,7 +31521,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31529,7 +31529,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31537,7 +31537,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31545,7 +31545,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31553,7 +31553,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31561,7 +31561,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31569,7 +31569,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31577,7 +31577,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31585,7 +31585,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31593,7 +31593,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31601,7 +31601,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31609,7 +31609,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31617,7 +31617,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31625,7 +31625,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31633,7 +31633,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31641,7 +31641,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31649,7 +31649,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31657,7 +31657,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31665,7 +31665,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31673,7 +31673,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31681,7 +31681,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31689,7 +31689,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31697,7 +31697,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31705,7 +31705,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31713,7 +31713,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31721,7 +31721,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31729,7 +31729,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Non-Persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31737,7 +31737,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31745,7 +31745,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31753,7 +31753,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31761,7 +31761,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31769,7 +31769,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31777,7 +31777,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31785,7 +31785,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31793,7 +31793,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31801,7 +31801,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31809,7 +31809,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31817,7 +31817,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31825,7 +31825,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31833,7 +31833,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31841,7 +31841,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31849,7 +31849,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31857,7 +31857,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31865,7 +31865,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31873,7 +31873,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31881,7 +31881,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31889,7 +31889,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31897,7 +31897,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31905,7 +31905,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31913,7 +31913,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31921,7 +31921,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31929,7 +31929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31937,7 +31937,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31945,7 +31945,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31953,7 +31953,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31961,7 +31961,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31969,7 +31969,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31977,7 +31977,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31985,7 +31985,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31993,7 +31993,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -32001,7 +32001,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -32009,7 +32009,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -32017,7 +32017,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32025,7 +32025,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -32033,7 +32033,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -32041,7 +32041,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -32049,7 +32049,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -32057,7 +32057,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -32065,7 +32065,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32073,7 +32073,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32081,7 +32081,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32089,7 +32089,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32097,7 +32097,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32105,7 +32105,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32113,7 +32113,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32121,7 +32121,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32129,7 +32129,7 @@ attack-objects: tags: [] - attack-object-id: T1027.007 attack-object-name: Dynamic API Resolution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32137,7 +32137,7 @@ attack-objects: tags: [] - attack-object-id: T1027.008 attack-object-name: Stripped Payloads - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32145,7 +32145,7 @@ attack-objects: tags: [] - attack-object-id: T1027.009 attack-object-name: Embedded Payloads - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32153,7 +32153,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32161,7 +32161,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32169,7 +32169,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32177,7 +32177,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32185,7 +32185,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32193,7 +32193,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32201,7 +32201,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32209,7 +32209,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32217,7 +32217,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32225,7 +32225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32233,7 +32233,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32241,7 +32241,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32249,7 +32249,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32257,7 +32257,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32265,7 +32265,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32273,7 +32273,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32281,7 +32281,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32289,7 +32289,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32297,7 +32297,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32305,7 +32305,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32313,7 +32313,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32321,7 +32321,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32329,7 +32329,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32337,7 +32337,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32345,7 +32345,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32353,7 +32353,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32361,7 +32361,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32369,7 +32369,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32377,7 +32377,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32385,7 +32385,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32393,7 +32393,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32401,7 +32401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32409,7 +32409,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32417,7 +32417,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32425,7 +32425,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32433,7 +32433,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32441,7 +32441,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32449,7 +32449,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32457,7 +32457,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32465,7 +32465,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32473,7 +32473,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32481,7 +32481,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32489,7 +32489,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32497,7 +32497,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32505,7 +32505,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32513,7 +32513,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32521,7 +32521,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32529,7 +32529,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32537,7 +32537,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32545,7 +32545,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32553,7 +32553,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32561,7 +32561,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32569,7 +32569,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32577,7 +32577,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32585,7 +32585,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32593,7 +32593,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32601,7 +32601,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32609,7 +32609,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32617,7 +32617,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32625,7 +32625,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32633,7 +32633,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32641,7 +32641,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32649,7 +32649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32657,7 +32657,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32665,7 +32665,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32673,7 +32673,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32681,7 +32681,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32689,7 +32689,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32697,7 +32697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32705,7 +32705,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32713,7 +32713,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32721,7 +32721,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32729,7 +32729,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32737,7 +32737,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32745,7 +32745,7 @@ attack-objects: tags: [] - attack-object-id: T1055.015 attack-object-name: ListPlanting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32753,7 +32753,7 @@ attack-objects: tags: [] - attack-object-id: T1027.007 attack-object-name: Dynamic API Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32761,7 +32761,7 @@ attack-objects: tags: [] - attack-object-id: T1027.008 attack-object-name: Stripped Payloads - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32769,7 +32769,7 @@ attack-objects: tags: [] - attack-object-id: T1027.009 attack-object-name: Embedded Payloads - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32777,7 +32777,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32785,7 +32785,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32793,7 +32793,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32801,7 +32801,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32809,7 +32809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32817,7 +32817,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32825,7 +32825,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32833,7 +32833,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32841,7 +32841,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32849,7 +32849,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32857,7 +32857,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32865,7 +32865,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32873,7 +32873,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32881,7 +32881,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32889,7 +32889,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32897,7 +32897,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32905,7 +32905,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32913,7 +32913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32921,7 +32921,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32929,7 +32929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32937,7 +32937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32945,7 +32945,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32953,7 +32953,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32961,7 +32961,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32969,7 +32969,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32977,7 +32977,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32985,7 +32985,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32993,7 +32993,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33001,7 +33001,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33009,7 +33009,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33017,7 +33017,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33025,7 +33025,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33033,7 +33033,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33041,7 +33041,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33049,7 +33049,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33057,7 +33057,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33065,7 +33065,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33073,7 +33073,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33081,7 +33081,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33089,7 +33089,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33097,7 +33097,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33105,7 +33105,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33113,7 +33113,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33121,7 +33121,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33129,7 +33129,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33137,7 +33137,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33145,7 +33145,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33153,7 +33153,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33161,7 +33161,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33169,7 +33169,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33177,7 +33177,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33185,7 +33185,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33193,7 +33193,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33201,7 +33201,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33209,7 +33209,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33217,7 +33217,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33225,7 +33225,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33233,7 +33233,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33241,7 +33241,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33249,7 +33249,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33257,7 +33257,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33265,7 +33265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33273,7 +33273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33281,7 +33281,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33289,7 +33289,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33297,7 +33297,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33305,7 +33305,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33313,7 +33313,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33321,7 +33321,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33329,7 +33329,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33337,7 +33337,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33345,7 +33345,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33353,7 +33353,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33361,7 +33361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33369,7 +33369,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33377,7 +33377,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33385,7 +33385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33393,7 +33393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33401,7 +33401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33409,7 +33409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33417,7 +33417,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33425,7 +33425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33433,7 +33433,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33441,7 +33441,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33449,7 +33449,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33457,7 +33457,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33465,7 +33465,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33473,7 +33473,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33481,7 +33481,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33489,7 +33489,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33497,7 +33497,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33505,7 +33505,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33513,7 +33513,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33521,7 +33521,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33529,7 +33529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33537,7 +33537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33545,7 +33545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33553,7 +33553,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33561,7 +33561,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33569,7 +33569,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33577,7 +33577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33585,7 +33585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33593,7 +33593,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33601,7 +33601,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33609,7 +33609,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33617,7 +33617,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33625,7 +33625,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33633,7 +33633,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33641,7 +33641,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33649,7 +33649,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33657,7 +33657,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33665,7 +33665,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33673,7 +33673,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33681,7 +33681,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33689,7 +33689,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33697,7 +33697,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33705,7 +33705,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33713,7 +33713,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33721,7 +33721,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33729,7 +33729,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33737,7 +33737,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33745,7 +33745,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33753,7 +33753,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33761,7 +33761,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33769,7 +33769,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33777,7 +33777,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33785,7 +33785,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33793,7 +33793,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33801,7 +33801,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33809,7 +33809,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33817,7 +33817,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33825,7 +33825,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33833,7 +33833,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33841,7 +33841,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33849,7 +33849,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33857,7 +33857,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33865,7 +33865,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33873,7 +33873,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33881,7 +33881,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33889,7 +33889,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33897,7 +33897,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33905,7 +33905,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33913,7 +33913,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33921,7 +33921,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33929,7 +33929,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33937,7 +33937,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33945,7 +33945,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33953,7 +33953,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33961,7 +33961,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33969,7 +33969,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33977,7 +33977,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33985,7 +33985,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33993,7 +33993,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34001,7 +34001,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34009,7 +34009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34017,7 +34017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34025,7 +34025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34033,7 +34033,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34041,7 +34041,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34049,7 +34049,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34057,7 +34057,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34065,7 +34065,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34073,7 +34073,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34081,7 +34081,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34089,7 +34089,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34097,7 +34097,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34105,7 +34105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34113,7 +34113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34121,7 +34121,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34129,7 +34129,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34137,7 +34137,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34145,7 +34145,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34153,7 +34153,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34161,7 +34161,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34169,7 +34169,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34177,7 +34177,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34185,7 +34185,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34193,7 +34193,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34201,7 +34201,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34209,7 +34209,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34217,7 +34217,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34225,7 +34225,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34233,7 +34233,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34241,7 +34241,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34249,7 +34249,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34257,7 +34257,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34265,7 +34265,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34273,7 +34273,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34281,7 +34281,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34289,7 +34289,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34297,7 +34297,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34305,7 +34305,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34313,7 +34313,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34321,7 +34321,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34329,7 +34329,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34337,7 +34337,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34345,7 +34345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34353,7 +34353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34361,7 +34361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34369,7 +34369,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34377,7 +34377,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34385,7 +34385,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34393,7 +34393,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34401,7 +34401,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34409,7 +34409,7 @@ attack-objects: tags: [] - attack-object-id: T1027.007 attack-object-name: Dynamic API Resolution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34417,7 +34417,7 @@ attack-objects: tags: [] - attack-object-id: T1027.008 attack-object-name: Stripped Payloads - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34425,7 +34425,7 @@ attack-objects: tags: [] - attack-object-id: T1027.009 attack-object-name: Embedded Payloads - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34433,7 +34433,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34441,7 +34441,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34449,7 +34449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34457,7 +34457,7 @@ attack-objects: tags: [] - attack-object-id: T1205.002 attack-object-name: Socket Filters - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34465,7 +34465,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34473,7 +34473,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34481,7 +34481,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34489,7 +34489,7 @@ attack-objects: tags: [] - attack-object-id: T1564.010 attack-object-name: Process Argument Spoofing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34497,7 +34497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34505,7 +34505,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34513,7 +34513,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34521,7 +34521,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34529,7 +34529,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34537,7 +34537,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34545,7 +34545,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34553,7 +34553,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34561,7 +34561,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34569,7 +34569,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34577,7 +34577,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34585,7 +34585,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34593,7 +34593,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34601,7 +34601,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34609,7 +34609,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34617,7 +34617,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34625,7 +34625,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34633,7 +34633,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34641,7 +34641,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34649,7 +34649,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34657,7 +34657,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34665,7 +34665,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34673,7 +34673,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34681,7 +34681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34689,7 +34689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34697,7 +34697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34705,7 +34705,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34713,7 +34713,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34721,7 +34721,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34729,7 +34729,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34737,7 +34737,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34745,7 +34745,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34753,7 +34753,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34761,7 +34761,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34769,7 +34769,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34777,7 +34777,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34785,7 +34785,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34793,7 +34793,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34801,7 +34801,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34809,7 +34809,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34817,7 +34817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34825,7 +34825,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34833,7 +34833,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34841,7 +34841,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34849,7 +34849,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34857,7 +34857,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34865,7 +34865,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34873,7 +34873,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34881,7 +34881,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34889,7 +34889,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34897,7 +34897,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34905,7 +34905,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34913,7 +34913,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34921,7 +34921,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34929,7 +34929,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34937,7 +34937,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34945,7 +34945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34953,7 +34953,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34961,7 +34961,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34969,7 +34969,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34977,7 +34977,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34985,7 +34985,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34993,7 +34993,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35001,7 +35001,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35009,7 +35009,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35017,7 +35017,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35025,7 +35025,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35033,7 +35033,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35041,7 +35041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35049,7 +35049,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35057,7 +35057,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35065,7 +35065,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35073,7 +35073,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35081,7 +35081,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35089,7 +35089,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35097,7 +35097,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35105,7 +35105,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35113,7 +35113,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35121,7 +35121,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35129,7 +35129,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35137,7 +35137,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35145,7 +35145,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35153,7 +35153,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35161,7 +35161,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35169,7 +35169,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35177,7 +35177,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35185,7 +35185,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35193,7 +35193,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35201,7 +35201,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35209,7 +35209,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35217,7 +35217,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35225,7 +35225,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35233,7 +35233,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35241,7 +35241,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35249,7 +35249,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35257,7 +35257,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35265,7 +35265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35273,7 +35273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35281,7 +35281,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35289,7 +35289,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35297,7 +35297,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35305,7 +35305,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35313,7 +35313,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35321,7 +35321,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35329,7 +35329,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35337,7 +35337,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35345,7 +35345,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35353,7 +35353,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35361,7 +35361,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35369,7 +35369,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35377,7 +35377,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35385,7 +35385,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35393,7 +35393,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35401,7 +35401,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35409,7 +35409,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35417,7 +35417,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35425,7 +35425,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35433,7 +35433,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35441,7 +35441,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35449,7 +35449,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35457,7 +35457,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35465,7 +35465,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35473,7 +35473,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35481,7 +35481,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35489,7 +35489,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35497,7 +35497,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35505,7 +35505,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35513,7 +35513,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35521,7 +35521,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35529,7 +35529,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35537,7 +35537,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35545,7 +35545,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35553,7 +35553,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35561,7 +35561,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35569,7 +35569,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35577,7 +35577,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35585,7 +35585,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35593,7 +35593,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35601,7 +35601,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35609,7 +35609,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35617,7 +35617,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35625,7 +35625,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35633,7 +35633,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35641,7 +35641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35649,7 +35649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35657,7 +35657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35665,7 +35665,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35673,7 +35673,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35681,7 +35681,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35689,7 +35689,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35697,7 +35697,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35705,7 +35705,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35713,7 +35713,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35721,7 +35721,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35729,7 +35729,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35737,7 +35737,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35745,7 +35745,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35753,7 +35753,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35761,7 +35761,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35769,7 +35769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35777,7 +35777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35785,7 +35785,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35793,7 +35793,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35801,7 +35801,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35809,7 +35809,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35817,7 +35817,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35825,7 +35825,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35833,7 +35833,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35841,7 +35841,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35849,7 +35849,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35857,7 +35857,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35865,7 +35865,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35873,7 +35873,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35881,7 +35881,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35889,7 +35889,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35897,7 +35897,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35905,7 +35905,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35913,7 +35913,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35921,7 +35921,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35929,7 +35929,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35937,7 +35937,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35945,7 +35945,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35953,7 +35953,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35961,7 +35961,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35969,7 +35969,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35977,7 +35977,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35985,7 +35985,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35993,7 +35993,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36001,7 +36001,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36009,7 +36009,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36017,7 +36017,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36025,7 +36025,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36033,7 +36033,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36041,7 +36041,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36049,7 +36049,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36057,7 +36057,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36065,7 +36065,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36073,7 +36073,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36081,7 +36081,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36089,7 +36089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36097,7 +36097,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36105,7 +36105,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36113,7 +36113,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36121,7 +36121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36129,7 +36129,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36137,7 +36137,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36145,7 +36145,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36153,7 +36153,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36161,7 +36161,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36169,7 +36169,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36177,7 +36177,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36185,7 +36185,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36193,7 +36193,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36201,7 +36201,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36209,7 +36209,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36217,7 +36217,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36225,7 +36225,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36233,7 +36233,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36241,7 +36241,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36249,7 +36249,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36257,7 +36257,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36265,7 +36265,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36273,7 +36273,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36281,7 +36281,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36289,7 +36289,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36297,7 +36297,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36305,7 +36305,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36313,7 +36313,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36321,7 +36321,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36329,7 +36329,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36337,7 +36337,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36345,7 +36345,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36353,7 +36353,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36361,7 +36361,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36369,7 +36369,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36377,7 +36377,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36385,7 +36385,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36393,7 +36393,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36401,7 +36401,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36409,7 +36409,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36417,7 +36417,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36425,7 +36425,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36433,7 +36433,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36441,7 +36441,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36449,7 +36449,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36457,7 +36457,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36465,7 +36465,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36473,7 +36473,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36481,7 +36481,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36489,7 +36489,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36497,7 +36497,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36505,7 +36505,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36513,7 +36513,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36521,7 +36521,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36529,7 +36529,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36537,7 +36537,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36545,7 +36545,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36553,7 +36553,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36561,7 +36561,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36569,7 +36569,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36577,7 +36577,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36585,7 +36585,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36593,7 +36593,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36601,7 +36601,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36609,7 +36609,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36617,7 +36617,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36625,7 +36625,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36633,7 +36633,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36641,7 +36641,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36649,7 +36649,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36657,7 +36657,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36665,7 +36665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36673,7 +36673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36681,7 +36681,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36689,7 +36689,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36697,7 +36697,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36705,7 +36705,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36713,7 +36713,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36721,7 +36721,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36729,7 +36729,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36737,7 +36737,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36745,7 +36745,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36753,7 +36753,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36761,7 +36761,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36769,7 +36769,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36777,7 +36777,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36785,7 +36785,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36793,7 +36793,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36801,7 +36801,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36809,7 +36809,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36817,7 +36817,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36825,7 +36825,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36833,7 +36833,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36841,7 +36841,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36849,7 +36849,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36857,7 +36857,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36865,7 +36865,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36873,7 +36873,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36881,7 +36881,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36889,7 +36889,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36897,7 +36897,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36905,7 +36905,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36913,7 +36913,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36921,7 +36921,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36929,7 +36929,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36937,7 +36937,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36945,7 +36945,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36953,7 +36953,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36961,7 +36961,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36969,7 +36969,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36977,7 +36977,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36985,7 +36985,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36993,7 +36993,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37001,7 +37001,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37009,7 +37009,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37017,7 +37017,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37025,7 +37025,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37033,7 +37033,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37041,7 +37041,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37049,7 +37049,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37057,7 +37057,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37065,7 +37065,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37073,7 +37073,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37081,7 +37081,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37089,7 +37089,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37097,7 +37097,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37105,7 +37105,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37113,7 +37113,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37121,7 +37121,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37129,7 +37129,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37137,7 +37137,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37145,7 +37145,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37153,7 +37153,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37161,7 +37161,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37169,7 +37169,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37177,7 +37177,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37185,7 +37185,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37193,7 +37193,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37201,7 +37201,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37209,7 +37209,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37217,7 +37217,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37225,7 +37225,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37233,7 +37233,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37241,7 +37241,7 @@ attack-objects: tags: [] - attack-object-id: T1027.007 attack-object-name: Dynamic API Resolution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37249,7 +37249,7 @@ attack-objects: tags: [] - attack-object-id: T1027.008 attack-object-name: Stripped Payloads - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37257,7 +37257,7 @@ attack-objects: tags: [] - attack-object-id: T1027.009 attack-object-name: Embedded Payloads - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37265,7 +37265,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37273,7 +37273,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37281,7 +37281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37289,7 +37289,7 @@ attack-objects: tags: [] - attack-object-id: T1564.010 attack-object-name: Process Argument Spoofing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37297,7 +37297,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37305,7 +37305,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37313,7 +37313,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37321,7 +37321,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37329,7 +37329,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37337,7 +37337,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37345,7 +37345,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37353,7 +37353,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37361,7 +37361,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37369,7 +37369,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37377,7 +37377,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37385,7 +37385,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37393,7 +37393,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37401,7 +37401,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37409,7 +37409,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37417,7 +37417,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37425,7 +37425,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37433,7 +37433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37441,7 +37441,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37449,7 +37449,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37457,7 +37457,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37465,7 +37465,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37473,7 +37473,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37481,7 +37481,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37489,7 +37489,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37497,7 +37497,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37505,7 +37505,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37513,7 +37513,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37521,7 +37521,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37529,7 +37529,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37537,7 +37537,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37545,7 +37545,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37553,7 +37553,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37561,7 +37561,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37569,7 +37569,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37577,7 +37577,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37585,7 +37585,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37593,7 +37593,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37601,7 +37601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37609,7 +37609,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37617,7 +37617,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37625,7 +37625,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37633,7 +37633,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37641,7 +37641,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37649,7 +37649,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37657,7 +37657,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37665,7 +37665,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37673,7 +37673,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37681,7 +37681,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37689,7 +37689,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37697,7 +37697,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37705,7 +37705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37713,7 +37713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37721,7 +37721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37729,7 +37729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37737,7 +37737,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37745,7 +37745,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37753,7 +37753,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37761,7 +37761,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37769,7 +37769,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37777,7 +37777,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37785,7 +37785,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37793,7 +37793,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37801,7 +37801,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37809,7 +37809,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37817,7 +37817,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37825,7 +37825,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37833,7 +37833,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37841,7 +37841,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37849,7 +37849,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37857,7 +37857,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37865,7 +37865,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37873,7 +37873,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37881,7 +37881,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37889,7 +37889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37897,7 +37897,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37905,7 +37905,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37913,7 +37913,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37921,7 +37921,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37929,7 +37929,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37937,7 +37937,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37945,7 +37945,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37953,7 +37953,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37961,7 +37961,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37969,7 +37969,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37977,7 +37977,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37985,7 +37985,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37993,7 +37993,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38001,7 +38001,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38009,7 +38009,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38017,7 +38017,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38025,7 +38025,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38033,7 +38033,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38041,7 +38041,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38049,7 +38049,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38057,7 +38057,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38065,7 +38065,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38073,7 +38073,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38081,7 +38081,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38089,7 +38089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38097,7 +38097,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38105,7 +38105,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38113,7 +38113,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38121,7 +38121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38129,7 +38129,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38137,7 +38137,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38145,7 +38145,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38153,7 +38153,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38161,7 +38161,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38169,7 +38169,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38177,7 +38177,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38185,7 +38185,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38193,7 +38193,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38201,7 +38201,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38209,7 +38209,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38217,7 +38217,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38225,7 +38225,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38233,7 +38233,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38241,7 +38241,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38249,7 +38249,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38257,7 +38257,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38265,7 +38265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38273,7 +38273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38281,7 +38281,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38289,7 +38289,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38297,7 +38297,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38305,7 +38305,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38313,7 +38313,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38321,7 +38321,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38329,7 +38329,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38337,7 +38337,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38345,7 +38345,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38353,7 +38353,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38361,7 +38361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38369,7 +38369,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38377,7 +38377,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38385,7 +38385,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38393,7 +38393,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38401,7 +38401,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38409,7 +38409,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38417,7 +38417,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38425,7 +38425,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38433,7 +38433,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38441,7 +38441,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38449,7 +38449,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38457,7 +38457,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38465,7 +38465,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38473,7 +38473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38481,7 +38481,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38489,7 +38489,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38497,7 +38497,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38505,7 +38505,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38513,7 +38513,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38521,7 +38521,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38529,7 +38529,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38537,7 +38537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38545,7 +38545,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38553,7 +38553,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38561,7 +38561,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38569,7 +38569,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38577,7 +38577,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38585,7 +38585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38593,7 +38593,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38601,7 +38601,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38609,7 +38609,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38617,7 +38617,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38625,7 +38625,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38633,7 +38633,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38641,7 +38641,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38649,7 +38649,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38657,7 +38657,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38665,7 +38665,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38673,7 +38673,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38681,7 +38681,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38689,7 +38689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38697,7 +38697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38705,7 +38705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38713,7 +38713,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38721,7 +38721,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38729,7 +38729,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38737,7 +38737,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38745,7 +38745,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38753,7 +38753,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38761,7 +38761,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38769,7 +38769,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38777,7 +38777,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38785,7 +38785,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38793,7 +38793,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38801,7 +38801,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38809,7 +38809,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38817,7 +38817,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38825,7 +38825,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38833,7 +38833,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38841,7 +38841,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38849,7 +38849,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38857,7 +38857,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38865,7 +38865,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38873,7 +38873,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38881,7 +38881,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38889,7 +38889,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38897,7 +38897,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38905,7 +38905,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38913,7 +38913,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_attack_objects.csv new file mode 100644 index 00000000..fd983d27 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_attack_objects.csv 
@@ -0,0 +1,4866 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1556.006,Multi-Factor Authentication,[],[],,AC-1,mitigates,4 +1,,T1556.007,Hybrid Identity,[],[],,AC-1,mitigates,4 +2,,T1528,Steal Application Access Token,[],[],,AC-10,mitigates,4 +3,,T1137,Office Application Startup,[],[],,AC-10,mitigates,4 +4,,T1137.002,Office Test,[],[],,AC-10,mitigates,4 +5,,T1185,Browser Session Hijacking,[],[],,AC-10,mitigates,4 +6,,T1021.001,Remote Desktop Protocol,[],[],,AC-11,mitigates,4 +7,,T1563.002,RDP Hijacking,[],[],,AC-11,mitigates,4 +8,,T1505.005,Terminal Services DLL,[],[],,AC-12,mitigates,4 +9,,T1021.001,Remote Desktop Protocol,[],[],,AC-12,mitigates,4 +10,,T1072,Software Deployment Tools,[],[],,AC-12,mitigates,4 +11,,T1185,Browser Session Hijacking,[],[],,AC-12,mitigates,4 +12,,T1563.002,RDP Hijacking,[],[],,AC-12,mitigates,4 +13,,T1137.002,Office Test,[],[],,AC-14,mitigates,4 +14,,T1070.008,Clear Mailbox Data,[],[],,AC-16,mitigates,4 +15,,T1647,Plist File Modification,[],[],,AC-16,mitigates,4 +16,,T1070.001,Clear Windows Event Logs,[],[],,AC-16,mitigates,4 +17,,T1537,Transfer Data to Cloud Account,[],[],,AC-16,mitigates,4 +18,,T1567,Exfiltration Over Web Service,[],[],,AC-16,mitigates,4 +19,,T1003.003,NTDS,[],[],,AC-16,mitigates,4 +20,,T1005,Data from Local System,[],[],,AC-16,mitigates,4 +21,,T1040,Network Sniffing,[],[],,AC-16,mitigates,4 +22,,T1119,Automated Collection,[],[],,AC-16,mitigates,4 +23,,T1530,Data from Cloud Storage Object,[],[],,AC-16,mitigates,4 +24,,T1557,Adversary-in-the-Middle,[],[],,AC-16,mitigates,4 +25,,T1020.001,Traffic Duplication,[],[],,AC-16,mitigates,4 +26,,T1070,Indicator Removal on Host,[],[],,AC-16,mitigates,4 +27,,T1222,File and Directory Permissions Modification,[],[],,AC-16,mitigates,4 +28,,T1505,Server Software Component,[],[],,AC-16,mitigates,4 +29,,T1547.007,Re-opened Applications,[],[],,AC-16,mitigates,4 +30,,T1548.003,Sudo and Sudo 
Caching,[],[],,AC-16,mitigates,4 +31,,T1550.001,Application Access Token,[],[],,AC-16,mitigates,4 +32,,T1552.005,Cloud Instance Metadata API,[],[],,AC-16,mitigates,4 +33,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-16,mitigates,4 +34,,T1558.003,Kerberoasting,[],[],,AC-16,mitigates,4 +35,,T1565,Data Manipulation,[],[],,AC-16,mitigates,4 +36,,T1565.001,Stored Data Manipulation,[],[],,AC-16,mitigates,4 +37,,T1565.002,Transmitted Data Manipulation,[],[],,AC-16,mitigates,4 +38,,T1602.002,Network Device Configuration Dump,[],[],,AC-16,mitigates,4 +39,,T1003,OS Credential Dumping,[],[],,AC-16,mitigates,4 +40,,T1025,Data from Removable Media,[],[],,AC-16,mitigates,4 +41,,T1041,Exfiltration Over C2 Channel,[],[],,AC-16,mitigates,4 +42,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-16,mitigates,4 +43,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-16,mitigates,4 +44,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-16,mitigates,4 +45,,T1052,Exfiltration Over Physical Medium,[],[],,AC-16,mitigates,4 +46,,T1052.001,Exfiltration over USB,[],[],,AC-16,mitigates,4 +47,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-16,mitigates,4 +48,,T1114,Email Collection,[],[],,AC-16,mitigates,4 +49,,T1114.001,Local Email Collection,[],[],,AC-16,mitigates,4 +50,,T1114.002,Remote Email Collection,[],[],,AC-16,mitigates,4 +51,,T1114.003,Email Forwarding Rule,[],[],,AC-16,mitigates,4 +52,,T1213,Data from Information Repositories,[],[],,AC-16,mitigates,4 +53,,T1213.001,Confluence,[],[],,AC-16,mitigates,4 +54,,T1213.002,Sharepoint,[],[],,AC-16,mitigates,4 +55,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-16,mitigates,4 +56,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-16,mitigates,4 +57,,T1505.002,Transport Agent,[],[],,AC-16,mitigates,4 +58,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-16,mitigates,4 +59,,T1552,Unsecured Credentials,[],[],,AC-16,mitigates,4 
+60,,T1552.004,Private Keys,[],[],,AC-16,mitigates,4 +61,,T1557.002,ARP Cache Poisoning,[],[],,AC-16,mitigates,4 +62,,T1558.002,Silver Ticket,[],[],,AC-16,mitigates,4 +63,,T1558.004,AS-REP Roasting,[],[],,AC-16,mitigates,4 +64,,T1564.004,NTFS File Attributes,[],[],,AC-16,mitigates,4 +65,,T1602,Data from Configuration Repository,[],[],,AC-16,mitigates,4 +66,,T1602.001,SNMP (MIB Dump),[],[],,AC-16,mitigates,4 +67,,T1070.008,Clear Mailbox Data,[],[],,AC-17,mitigates,4 +68,,T1505.005,Terminal Services DLL,[],[],,AC-17,mitigates,4 +69,,T1647,Plist File Modification,[],[],,AC-17,mitigates,4 +70,,T1552.007,Container API,[],[],,AC-17,mitigates,4 +71,,T1609,Container Administration Command,[],[],,AC-17,mitigates,4 +72,,T1610,Deploy Container,[],[],,AC-17,mitigates,4 +73,,T1133,External Remote Services,[],[],,AC-17,mitigates,4 +74,,T1059,Command and Scripting Interpreter,[],[],,AC-17,mitigates,4 +75,,T1070.001,Clear Windows Event Logs,[],[],,AC-17,mitigates,4 +76,,T1537,Transfer Data to Cloud Account,[],[],,AC-17,mitigates,4 +77,,T1040,Network Sniffing,[],[],,AC-17,mitigates,4 +78,,T1119,Automated Collection,[],[],,AC-17,mitigates,4 +79,,T1530,Data from Cloud Storage Object,[],[],,AC-17,mitigates,4 +80,,T1557,Adversary-in-the-Middle,[],[],,AC-17,mitigates,4 +81,,T1020.001,Traffic Duplication,[],[],,AC-17,mitigates,4 +82,,T1021.001,Remote Desktop Protocol,[],[],,AC-17,mitigates,4 +83,,T1047,Windows Management Instrumentation,[],[],,AC-17,mitigates,4 +84,,T1059.001,PowerShell,[],[],,AC-17,mitigates,4 +85,,T1059.002,AppleScript,[],[],,AC-17,mitigates,4 +86,,T1059.005,Visual Basic,[],[],,AC-17,mitigates,4 +87,,T1059.008,Network Device CLI,[],[],,AC-17,mitigates,4 +88,,T1070,Indicator Removal on Host,[],[],,AC-17,mitigates,4 +89,,T1219,Remote Access Software,[],[],,AC-17,mitigates,4 +90,,T1543,Create or Modify System Process,[],[],,AC-17,mitigates,4 +91,,T1543.003,Windows Service,[],[],,AC-17,mitigates,4 +92,,T1547.003,Time Providers,[],[],,AC-17,mitigates,4 
+93,,T1547.004,Winlogon Helper DLL,[],[],,AC-17,mitigates,4 +94,,T1547.009,Shortcut Modification,[],[],,AC-17,mitigates,4 +95,,T1550.001,Application Access Token,[],[],,AC-17,mitigates,4 +96,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-17,mitigates,4 +97,,T1558.003,Kerberoasting,[],[],,AC-17,mitigates,4 +98,,T1565,Data Manipulation,[],[],,AC-17,mitigates,4 +99,,T1565.001,Stored Data Manipulation,[],[],,AC-17,mitigates,4 +100,,T1565.002,Transmitted Data Manipulation,[],[],,AC-17,mitigates,4 +101,,T1602.002,Network Device Configuration Dump,[],[],,AC-17,mitigates,4 +102,,T1021,Remote Services,[],[],,AC-17,mitigates,4 +103,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-17,mitigates,4 +104,,T1021.003,Distributed Component Object Model,[],[],,AC-17,mitigates,4 +105,,T1021.004,SSH,[],[],,AC-17,mitigates,4 +106,,T1021.005,VNC,[],[],,AC-17,mitigates,4 +107,,T1021.006,Windows Remote Management,[],[],,AC-17,mitigates,4 +108,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-17,mitigates,4 +109,,T1037.001,Logon Script (Windows),[],[],,AC-17,mitigates,4 +110,,T1059.003,Windows Command Shell,[],[],,AC-17,mitigates,4 +111,,T1059.004,Unix Shell,[],[],,AC-17,mitigates,4 +112,,T1059.006,Python,[],[],,AC-17,mitigates,4 +113,,T1059.007,JavaScript,[],[],,AC-17,mitigates,4 +114,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-17,mitigates,4 +115,,T1114,Email Collection,[],[],,AC-17,mitigates,4 +116,,T1114.001,Local Email Collection,[],[],,AC-17,mitigates,4 +117,,T1114.002,Remote Email Collection,[],[],,AC-17,mitigates,4 +118,,T1114.003,Email Forwarding Rule,[],[],,AC-17,mitigates,4 +119,,T1137,Office Application Startup,[],[],,AC-17,mitigates,4 +120,,T1137.002,Office Test,[],[],,AC-17,mitigates,4 +121,,T1213,Data from Information Repositories,[],[],,AC-17,mitigates,4 +122,,T1213.001,Confluence,[],[],,AC-17,mitigates,4 +123,,T1213.002,Sharepoint,[],[],,AC-17,mitigates,4 +124,,T1505.004,IIS Components,[],[],,AC-17,mitigates,4 +125,,T1543.004,Launch 
Daemon,[],[],,AC-17,mitigates,4 +126,,T1547.012,Print Processors,[],[],,AC-17,mitigates,4 +127,,T1547.013,XDG Autostart Entries,[],[],,AC-17,mitigates,4 +128,,T1552,Unsecured Credentials,[],[],,AC-17,mitigates,4 +129,,T1552.002,Credentials in Registry,[],[],,AC-17,mitigates,4 +130,,T1552.004,Private Keys,[],[],,AC-17,mitigates,4 +131,,T1557.002,ARP Cache Poisoning,[],[],,AC-17,mitigates,4 +132,,T1558.002,Silver Ticket,[],[],,AC-17,mitigates,4 +133,,T1558.004,AS-REP Roasting,[],[],,AC-17,mitigates,4 +134,,T1563,Remote Service Session Hijacking,[],[],,AC-17,mitigates,4 +135,,T1563.001,SSH Hijacking,[],[],,AC-17,mitigates,4 +136,,T1563.002,RDP Hijacking,[],[],,AC-17,mitigates,4 +137,,T1602,Data from Configuration Repository,[],[],,AC-17,mitigates,4 +138,,T1602.001,SNMP (MIB Dump),[],[],,AC-17,mitigates,4 +139,,T1612,Build Image on Host,[],[],,AC-17,mitigates,4 +140,,T1613,Container and Resource Discovery,[],[],,AC-17,mitigates,4 +141,,T1619,Cloud Storage Object Discovery,[],[],,AC-17,mitigates,4 +142,,T1070.008,Clear Mailbox Data,[],[],,AC-18,mitigates,4 +143,,T1070.001,Clear Windows Event Logs,[],[],,AC-18,mitigates,4 +144,,T1040,Network Sniffing,[],[],,AC-18,mitigates,4 +145,,T1119,Automated Collection,[],[],,AC-18,mitigates,4 +146,,T1530,Data from Cloud Storage Object,[],[],,AC-18,mitigates,4 +147,,T1557,Adversary-in-the-Middle,[],[],,AC-18,mitigates,4 +148,,T1011,Exfiltration Over Other Network Medium,[],[],,AC-18,mitigates,4 +149,,T1011.001,Exfiltration Over Bluetooth,[],[],,AC-18,mitigates,4 +150,,T1020.001,Traffic Duplication,[],[],,AC-18,mitigates,4 +151,,T1070,Indicator Removal on Host,[],[],,AC-18,mitigates,4 +152,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-18,mitigates,4 +153,,T1558.003,Kerberoasting,[],[],,AC-18,mitigates,4 +154,,T1565,Data Manipulation,[],[],,AC-18,mitigates,4 +155,,T1565.001,Stored Data Manipulation,[],[],,AC-18,mitigates,4 +156,,T1565.002,Transmitted Data Manipulation,[],[],,AC-18,mitigates,4 +157,,T1602.002,Network Device 
Configuration Dump,[],[],,AC-18,mitigates,4 +158,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-18,mitigates,4 +159,,T1552,Unsecured Credentials,[],[],,AC-18,mitigates,4 +160,,T1552.004,Private Keys,[],[],,AC-18,mitigates,4 +161,,T1557.002,ARP Cache Poisoning,[],[],,AC-18,mitigates,4 +162,,T1558.002,Silver Ticket,[],[],,AC-18,mitigates,4 +163,,T1558.004,AS-REP Roasting,[],[],,AC-18,mitigates,4 +164,,T1602,Data from Configuration Repository,[],[],,AC-18,mitigates,4 +165,,T1602.001,SNMP (MIB Dump),[],[],,AC-18,mitigates,4 +166,,T1070.008,Clear Mailbox Data,[],[],,AC-19,mitigates,4 +167,,T1070.001,Clear Windows Event Logs,[],[],,AC-19,mitigates,4 +168,,T1040,Network Sniffing,[],[],,AC-19,mitigates,4 +169,,T1119,Automated Collection,[],[],,AC-19,mitigates,4 +170,,T1530,Data from Cloud Storage Object,[],[],,AC-19,mitigates,4 +171,,T1557,Adversary-in-the-Middle,[],[],,AC-19,mitigates,4 +172,,T1020.001,Traffic Duplication,[],[],,AC-19,mitigates,4 +173,,T1070,Indicator Removal on Host,[],[],,AC-19,mitigates,4 +174,,T1550.001,Application Access Token,[],[],,AC-19,mitigates,4 +175,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-19,mitigates,4 +176,,T1558.003,Kerberoasting,[],[],,AC-19,mitigates,4 +177,,T1565,Data Manipulation,[],[],,AC-19,mitigates,4 +178,,T1565.001,Stored Data Manipulation,[],[],,AC-19,mitigates,4 +179,,T1565.002,Transmitted Data Manipulation,[],[],,AC-19,mitigates,4 +180,,T1602.002,Network Device Configuration Dump,[],[],,AC-19,mitigates,4 +181,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-19,mitigates,4 +182,,T1114,Email Collection,[],[],,AC-19,mitigates,4 +183,,T1114.001,Local Email Collection,[],[],,AC-19,mitigates,4 +184,,T1114.002,Remote Email Collection,[],[],,AC-19,mitigates,4 +185,,T1114.003,Email Forwarding Rule,[],[],,AC-19,mitigates,4 +186,,T1552,Unsecured Credentials,[],[],,AC-19,mitigates,4 +187,,T1552.004,Private Keys,[],[],,AC-19,mitigates,4 +188,,T1557.002,ARP Cache Poisoning,[],[],,AC-19,mitigates,4 +189,,T1558.002,Silver 
Ticket,[],[],,AC-19,mitigates,4 +190,,T1558.004,AS-REP Roasting,[],[],,AC-19,mitigates,4 +191,,T1602,Data from Configuration Repository,[],[],,AC-19,mitigates,4 +192,,T1602.001,SNMP (MIB Dump),[],[],,AC-19,mitigates,4 +193,,T1556.005,Reversible Encryption,[],[],,AC-2,mitigates,4 +194,,T1556.006,Multi-Factor Authentication,[],[],,AC-2,mitigates,4 +195,,T1556.007,Hybrid Identity,[],[],,AC-2,mitigates,4 +196,,T1585.003,Cloud Accounts,[],[],,AC-2,mitigates,4 +197,,T1586.003,Cloud Accounts,[],[],,AC-2,mitigates,4 +198,,T1621,Multi-Factor Authentication Request Generation,[],[],,AC-2,mitigates,4 +199,,T1070.007,Clear Network Connection History and Configurations,[],[],,AC-2,mitigates,4 +200,,T1070.008,Clear Mailbox Data,[],[],,AC-2,mitigates,4 +201,,T1070.009,Clear Persistence,[],[],,AC-2,mitigates,4 +202,,T1098.005,Device Registration,[],[],,AC-2,mitigates,4 +203,,T1505.005,Terminal Services DLL,[],[],,AC-2,mitigates,4 +204,,T1648,Serverless Execution,[],[],,AC-2,mitigates,4 +205,,T1552.007,Container API,[],[],,AC-2,mitigates,4 +206,,T1556,Modify Authentication Process,[],[],,AC-2,mitigates,4 +207,,T1543.001,Launch Agent,[],[],,AC-2,mitigates,4 +208,,T1562,Impair Defenses,[],[],,AC-2,mitigates,4 +209,,T1574,Hijack Execution Flow,[],[],,AC-2,mitigates,4 +210,,T1609,Container Administration Command,[],[],,AC-2,mitigates,4 +211,,T1610,Deploy Container,[],[],,AC-2,mitigates,4 +212,,T1055,Process Injection,[],[],,AC-2,mitigates,4 +213,,T1068,Exploitation for Privilege Escalation,[],[],,AC-2,mitigates,4 +214,,T1212,Exploitation for Credential Access,[],[],,AC-2,mitigates,4 +215,,T1059,Command and Scripting Interpreter,[],[],,AC-2,mitigates,4 +216,,T1070.001,Clear Windows Event Logs,[],[],,AC-2,mitigates,4 +217,,T1537,Transfer Data to Cloud Account,[],[],,AC-2,mitigates,4 +218,,T1567,Exfiltration Over Web Service,[],[],,AC-2,mitigates,4 +219,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-2,mitigates,4 +220,,T1003.001,LSASS Memory,[],[],,AC-2,mitigates,4 
+221,,T1003.002,Security Account Manager,[],[],,AC-2,mitigates,4 +222,,T1003.003,NTDS,[],[],,AC-2,mitigates,4 +223,,T1005,Data from Local System,[],[],,AC-2,mitigates,4 +224,,T1078,Valid Accounts,[],[],,AC-2,mitigates,4 +225,,T1110.001,Password Guessing,[],[],,AC-2,mitigates,4 +226,,T1110.002,Password Cracking,[],[],,AC-2,mitigates,4 +227,,T1218,Signed Binary Proxy Execution,[],[],,AC-2,mitigates,4 +228,,T1528,Steal Application Access Token,[],[],,AC-2,mitigates,4 +229,,T1530,Data from Cloud Storage Object,[],[],,AC-2,mitigates,4 +230,,T1580,Cloud Infrastructure Discovery,[],[],,AC-2,mitigates,4 +231,,T1599,Network Boundary Bridging,[],[],,AC-2,mitigates,4 +232,,T1611,Escape to Host,[],[],,AC-2,mitigates,4 +233,,T1021.001,Remote Desktop Protocol,[],[],,AC-2,mitigates,4 +234,,T1047,Windows Management Instrumentation,[],[],,AC-2,mitigates,4 +235,,T1053,Scheduled Task/Job,[],[],,AC-2,mitigates,4 +236,,T1053.002,At (Windows),[],[],,AC-2,mitigates,4 +237,,T1053.003,Cron,[],[],,AC-2,mitigates,4 +238,,T1053.005,Scheduled Task,[],[],,AC-2,mitigates,4 +239,,T1059.001,PowerShell,[],[],,AC-2,mitigates,4 +240,,T1059.002,AppleScript,[],[],,AC-2,mitigates,4 +241,,T1059.005,Visual Basic,[],[],,AC-2,mitigates,4 +242,,T1059.008,Network Device CLI,[],[],,AC-2,mitigates,4 +243,,T1070,Indicator Removal on Host,[],[],,AC-2,mitigates,4 +244,,T1070.003,Clear Command History,[],[],,AC-2,mitigates,4 +245,,T1078.002,Domain Accounts,[],[],,AC-2,mitigates,4 +246,,T1078.004,Cloud Accounts,[],[],,AC-2,mitigates,4 +247,,T1098,Account Manipulation,[],[],,AC-2,mitigates,4 +248,,T1098.001,Additional Cloud Credentials,[],[],,AC-2,mitigates,4 +249,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-2,mitigates,4 +250,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-2,mitigates,4 +251,,T1190,Exploit Public-Facing Application,[],[],,AC-2,mitigates,4 +252,,T1197,BITS Jobs,[],[],,AC-2,mitigates,4 +253,,T1210,Exploitation of Remote Services,[],[],,AC-2,mitigates,4 +254,,T1213.003,Code 
Repositories,[],[],,AC-2,mitigates,4 +255,,T1218.007,Msiexec,[],[],,AC-2,mitigates,4 +256,,T1222,File and Directory Permissions Modification,[],[],,AC-2,mitigates,4 +257,,T1495,Firmware Corruption,[],[],,AC-2,mitigates,4 +258,,T1505,Server Software Component,[],[],,AC-2,mitigates,4 +259,,T1505.003,Web Shell,[],[],,AC-2,mitigates,4 +260,,T1525,Implant Internal Image,[],[],,AC-2,mitigates,4 +261,,T1543,Create or Modify System Process,[],[],,AC-2,mitigates,4 +262,,T1543.003,Windows Service,[],[],,AC-2,mitigates,4 +263,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-2,mitigates,4 +264,,T1547.004,Winlogon Helper DLL,[],[],,AC-2,mitigates,4 +265,,T1547.006,Kernel Modules and Extensions,[],[],,AC-2,mitigates,4 +266,,T1547.009,Shortcut Modification,[],[],,AC-2,mitigates,4 +267,,T1548.002,Bypass User Account Control,[],[],,AC-2,mitigates,4 +268,,T1548.003,Sudo and Sudo Caching,[],[],,AC-2,mitigates,4 +269,,T1556.004,Network Device Authentication,[],[],,AC-2,mitigates,4 +270,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-2,mitigates,4 +271,,T1558.003,Kerberoasting,[],[],,AC-2,mitigates,4 +272,,T1559,Inter-Process Communication,[],[],,AC-2,mitigates,4 +273,,T1562.001,Disable or Modify Tools,[],[],,AC-2,mitigates,4 +274,,T1562.006,Indicator Blocking,[],[],,AC-2,mitigates,4 +275,,T1562.008,Disable Cloud Logs,[],[],,AC-2,mitigates,4 +276,,T1003,OS Credential Dumping,[],[],,AC-2,mitigates,4 +277,,T1003.004,LSA Secrets,[],[],,AC-2,mitigates,4 +278,,T1003.005,Cached Domain Credentials,[],[],,AC-2,mitigates,4 +279,,T1003.006,DCSync,[],[],,AC-2,mitigates,4 +280,,T1003.007,Proc Filesystem,[],[],,AC-2,mitigates,4 +281,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-2,mitigates,4 +282,,T1021,Remote Services,[],[],,AC-2,mitigates,4 +283,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-2,mitigates,4 +284,,T1021.003,Distributed Component Object Model,[],[],,AC-2,mitigates,4 +285,,T1021.004,SSH,[],[],,AC-2,mitigates,4 +286,,T1021.005,VNC,[],[],,AC-2,mitigates,4 
+287,,T1021.006,Windows Remote Management,[],[],,AC-2,mitigates,4 +288,,T1025,Data from Removable Media,[],[],,AC-2,mitigates,4 +289,,T1036,Masquerading,[],[],,AC-2,mitigates,4 +290,,T1036.003,Rename System Utilities,[],[],,AC-2,mitigates,4 +291,,T1036.005,Match Legitimate Name or Location,[],[],,AC-2,mitigates,4 +292,,T1041,Exfiltration Over C2 Channel,[],[],,AC-2,mitigates,4 +293,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-2,mitigates,4 +294,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-2,mitigates,4 +295,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-2,mitigates,4 +296,,T1052,Exfiltration Over Physical Medium,[],[],,AC-2,mitigates,4 +297,,T1052.001,Exfiltration over USB,[],[],,AC-2,mitigates,4 +298,,T1053.006,Systemd Timers,[],[],,AC-2,mitigates,4 +299,,T1053.007,Container Orchestration Job,[],[],,AC-2,mitigates,4 +300,,T1055.008,Ptrace System Calls,[],[],,AC-2,mitigates,4 +301,,T1056.003,Web Portal Capture,[],[],,AC-2,mitigates,4 +302,,T1059.003,Windows Command Shell,[],[],,AC-2,mitigates,4 +303,,T1059.004,Unix Shell,[],[],,AC-2,mitigates,4 +304,,T1059.006,Python,[],[],,AC-2,mitigates,4 +305,,T1059.007,JavaScript,[],[],,AC-2,mitigates,4 +306,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-2,mitigates,4 +307,,T1072,Software Deployment Tools,[],[],,AC-2,mitigates,4 +308,,T1078.001,Default Accounts,[],[],,AC-2,mitigates,4 +309,,T1078.003,Local Accounts,[],[],,AC-2,mitigates,4 +310,,T1087.004,Cloud Account,[],[],,AC-2,mitigates,4 +311,,T1110,Brute Force,[],[],,AC-2,mitigates,4 +312,,T1110.003,Password Spraying,[],[],,AC-2,mitigates,4 +313,,T1110.004,Credential Stuffing,[],[],,AC-2,mitigates,4 +314,,T1134,Access Token Manipulation,[],[],,AC-2,mitigates,4 +315,,T1134.001,Token Impersonation/Theft,[],[],,AC-2,mitigates,4 +316,,T1134.002,Create Process with Token,[],[],,AC-2,mitigates,4 +317,,T1134.003,Make and Impersonate Token,[],[],,AC-2,mitigates,4 +318,,T1136,Create 
Account,[],[],,AC-2,mitigates,4 +319,,T1136.001,Local Account,[],[],,AC-2,mitigates,4 +320,,T1136.002,Domain Account,[],[],,AC-2,mitigates,4 +321,,T1136.003,Cloud Account,[],[],,AC-2,mitigates,4 +322,,T1185,Browser Session Hijacking,[],[],,AC-2,mitigates,4 +323,,T1213,Data from Information Repositories,[],[],,AC-2,mitigates,4 +324,,T1213.001,Confluence,[],[],,AC-2,mitigates,4 +325,,T1213.002,Sharepoint,[],[],,AC-2,mitigates,4 +326,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-2,mitigates,4 +327,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-2,mitigates,4 +328,,T1484,Domain Policy Modification,[],[],,AC-2,mitigates,4 +329,,T1489,Service Stop,[],[],,AC-2,mitigates,4 +330,,T1505.002,Transport Agent,[],[],,AC-2,mitigates,4 +331,,T1538,Cloud Service Dashboard,[],[],,AC-2,mitigates,4 +332,,T1542,Pre-OS Boot,[],[],,AC-2,mitigates,4 +333,,T1542.001,System Firmware,[],[],,AC-2,mitigates,4 +334,,T1542.003,Bootkit,[],[],,AC-2,mitigates,4 +335,,T1542.005,TFTP Boot,[],[],,AC-2,mitigates,4 +336,,T1543.002,Systemd Service,[],[],,AC-2,mitigates,4 +337,,T1543.004,Launch Daemon,[],[],,AC-2,mitigates,4 +338,,T1547.012,Print Processors,[],[],,AC-2,mitigates,4 +339,,T1547.013,XDG Autostart Entries,[],[],,AC-2,mitigates,4 +340,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-2,mitigates,4 +341,,T1550,Use Alternate Authentication Material,[],[],,AC-2,mitigates,4 +342,,T1550.002,Pass the Hash,[],[],,AC-2,mitigates,4 +343,,T1550.003,Pass the Ticket,[],[],,AC-2,mitigates,4 +344,,T1552,Unsecured Credentials,[],[],,AC-2,mitigates,4 +345,,T1552.001,Credentials In Files,[],[],,AC-2,mitigates,4 +346,,T1552.002,Credentials in Registry,[],[],,AC-2,mitigates,4 +347,,T1552.004,Private Keys,[],[],,AC-2,mitigates,4 +348,,T1552.006,Group Policy Preferences,[],[],,AC-2,mitigates,4 +349,,T1553,Subvert Trust Controls,[],[],,AC-2,mitigates,4 +350,,T1553.006,Code Signing Policy Modification,[],[],,AC-2,mitigates,4 +351,,T1556.001,Domain Controller 
Authentication,[],[],,AC-2,mitigates,4 +352,,T1556.003,Pluggable Authentication Modules,[],[],,AC-2,mitigates,4 +353,,T1558.001,Golden Ticket,[],[],,AC-2,mitigates,4 +354,,T1558.002,Silver Ticket,[],[],,AC-2,mitigates,4 +355,,T1558.004,AS-REP Roasting,[],[],,AC-2,mitigates,4 +356,,T1559.001,Component Object Model,[],[],,AC-2,mitigates,4 +357,,T1562.002,Disable Windows Event Logging,[],[],,AC-2,mitigates,4 +358,,T1562.004,Disable or Modify System Firewall,[],[],,AC-2,mitigates,4 +359,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-2,mitigates,4 +360,,T1562.009,Safe Mode Boot,[],[],,AC-2,mitigates,4 +361,,T1563,Remote Service Session Hijacking,[],[],,AC-2,mitigates,4 +362,,T1563.001,SSH Hijacking,[],[],,AC-2,mitigates,4 +363,,T1563.002,RDP Hijacking,[],[],,AC-2,mitigates,4 +364,,T1569,System Services,[],[],,AC-2,mitigates,4 +365,,T1569.001,Launchctl,[],[],,AC-2,mitigates,4 +366,,T1569.002,Service Execution,[],[],,AC-2,mitigates,4 +367,,T1574.004,Dylib Hijacking,[],[],,AC-2,mitigates,4 +368,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-2,mitigates,4 +369,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-2,mitigates,4 +370,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-2,mitigates,4 +371,,T1574.010,Services File Permissions Weakness,[],[],,AC-2,mitigates,4 +372,,T1574.012,COR_PROFILER,[],[],,AC-2,mitigates,4 +373,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-2,mitigates,4 +374,,T1578.001,Create Snapshot,[],[],,AC-2,mitigates,4 +375,,T1578.002,Create Cloud Instance,[],[],,AC-2,mitigates,4 +376,,T1578.003,Delete Cloud Instance,[],[],,AC-2,mitigates,4 +377,,T1599.001,Network Address Translation Traversal,[],[],,AC-2,mitigates,4 +378,,T1601,Modify System Image,[],[],,AC-2,mitigates,4 +379,,T1601.001,Patch System Image,[],[],,AC-2,mitigates,4 +380,,T1601.002,Downgrade System Image,[],[],,AC-2,mitigates,4 +381,,T1606,Forge Web Credentials,[],[],,AC-2,mitigates,4 +382,,T1606.001,Web Cookies,[],[],,AC-2,mitigates,4 
+383,,T1606.002,SAML Tokens,[],[],,AC-2,mitigates,4 +384,,T1612,Build Image on Host,[],[],,AC-2,mitigates,4 +385,,T1613,Container and Resource Discovery,[],[],,AC-2,mitigates,4 +386,,T1619,Cloud Storage Object Discovery,[],[],,AC-2,mitigates,4 +387,,T1583.007,Serverless,[],[],,AC-20,mitigates,4 +388,,T1584.007,Serverless,[],[],,AC-20,mitigates,4 +389,,T1098.005,Device Registration,[],[],,AC-20,mitigates,4 +390,,T1505.005,Terminal Services DLL,[],[],,AC-20,mitigates,4 +391,,T1098.004,SSH Authorized Keys,[],[],,AC-20,mitigates,4 +392,,T1556,Modify Authentication Process,[],[],,AC-20,mitigates,4 +393,,T1133,External Remote Services,[],[],,AC-20,mitigates,4 +394,,T1537,Transfer Data to Cloud Account,[],[],,AC-20,mitigates,4 +395,,T1567,Exfiltration Over Web Service,[],[],,AC-20,mitigates,4 +396,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-20,mitigates,4 +397,,T1110.001,Password Guessing,[],[],,AC-20,mitigates,4 +398,,T1110.002,Password Cracking,[],[],,AC-20,mitigates,4 +399,,T1119,Automated Collection,[],[],,AC-20,mitigates,4 +400,,T1200,Hardware Additions,[],[],,AC-20,mitigates,4 +401,,T1530,Data from Cloud Storage Object,[],[],,AC-20,mitigates,4 +402,,T1557,Adversary-in-the-Middle,[],[],,AC-20,mitigates,4 +403,,T1020.001,Traffic Duplication,[],[],,AC-20,mitigates,4 +404,,T1021.001,Remote Desktop Protocol,[],[],,AC-20,mitigates,4 +405,,T1053,Scheduled Task/Job,[],[],,AC-20,mitigates,4 +406,,T1053.002,At (Windows),[],[],,AC-20,mitigates,4 +407,,T1053.005,Scheduled Task,[],[],,AC-20,mitigates,4 +408,,T1078.002,Domain Accounts,[],[],,AC-20,mitigates,4 +409,,T1078.004,Cloud Accounts,[],[],,AC-20,mitigates,4 +410,,T1098.001,Additional Cloud Credentials,[],[],,AC-20,mitigates,4 +411,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-20,mitigates,4 +412,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-20,mitigates,4 +413,,T1550.001,Application Access Token,[],[],,AC-20,mitigates,4 +414,,T1552.005,Cloud Instance Metadata API,[],[],,AC-20,mitigates,4 
+415,,T1556.004,Network Device Authentication,[],[],,AC-20,mitigates,4 +416,,T1565,Data Manipulation,[],[],,AC-20,mitigates,4 +417,,T1565.001,Stored Data Manipulation,[],[],,AC-20,mitigates,4 +418,,T1565.002,Transmitted Data Manipulation,[],[],,AC-20,mitigates,4 +419,,T1602.002,Network Device Configuration Dump,[],[],,AC-20,mitigates,4 +420,,T1021,Remote Services,[],[],,AC-20,mitigates,4 +421,,T1021.004,SSH,[],[],,AC-20,mitigates,4 +422,,T1041,Exfiltration Over C2 Channel,[],[],,AC-20,mitigates,4 +423,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-20,mitigates,4 +424,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-20,mitigates,4 +425,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-20,mitigates,4 +426,,T1052,Exfiltration Over Physical Medium,[],[],,AC-20,mitigates,4 +427,,T1052.001,Exfiltration over USB,[],[],,AC-20,mitigates,4 +428,,T1072,Software Deployment Tools,[],[],,AC-20,mitigates,4 +429,,T1110,Brute Force,[],[],,AC-20,mitigates,4 +430,,T1110.003,Password Spraying,[],[],,AC-20,mitigates,4 +431,,T1110.004,Credential Stuffing,[],[],,AC-20,mitigates,4 +432,,T1114,Email Collection,[],[],,AC-20,mitigates,4 +433,,T1114.001,Local Email Collection,[],[],,AC-20,mitigates,4 +434,,T1114.002,Remote Email Collection,[],[],,AC-20,mitigates,4 +435,,T1114.003,Email Forwarding Rule,[],[],,AC-20,mitigates,4 +436,,T1134.005,SID-History Injection,[],[],,AC-20,mitigates,4 +437,,T1136,Create Account,[],[],,AC-20,mitigates,4 +438,,T1136.001,Local Account,[],[],,AC-20,mitigates,4 +439,,T1136.002,Domain Account,[],[],,AC-20,mitigates,4 +440,,T1136.003,Cloud Account,[],[],,AC-20,mitigates,4 +441,,T1539,Steal Web Session Cookie,[],[],,AC-20,mitigates,4 +442,,T1552,Unsecured Credentials,[],[],,AC-20,mitigates,4 +443,,T1552.004,Private Keys,[],[],,AC-20,mitigates,4 +444,,T1556.001,Domain Controller Authentication,[],[],,AC-20,mitigates,4 +445,,T1556.003,Pluggable Authentication Modules,[],[],,AC-20,mitigates,4 
+446,,T1557.002,ARP Cache Poisoning,[],[],,AC-20,mitigates,4 +447,,T1567.001,Exfiltration to Code Repository,[],[],,AC-20,mitigates,4 +448,,T1602,Data from Configuration Repository,[],[],,AC-20,mitigates,4 +449,,T1602.001,SNMP (MIB Dump),[],[],,AC-20,mitigates,4 +450,,T1053,Scheduled Task/Job,[],[],,AC-21,mitigates,4 +451,,T1053.002,At (Windows),[],[],,AC-21,mitigates,4 +452,,T1053.005,Scheduled Task,[],[],,AC-21,mitigates,4 +453,,T1213,Data from Information Repositories,[],[],,AC-21,mitigates,4 +454,,T1213.001,Confluence,[],[],,AC-21,mitigates,4 +455,,T1213.002,Sharepoint,[],[],,AC-21,mitigates,4 +456,,T1053,Scheduled Task/Job,[],[],,AC-22,mitigates,4 +457,,T1053.002,At (Windows),[],[],,AC-22,mitigates,4 +458,,T1053.005,Scheduled Task,[],[],,AC-22,mitigates,4 +459,,T1552.007,Container API,[],[],,AC-23,mitigates,4 +460,,T1133,External Remote Services,[],[],,AC-23,mitigates,4 +461,,T1567,Exfiltration Over Web Service,[],[],,AC-23,mitigates,4 +462,,T1005,Data from Local System,[],[],,AC-23,mitigates,4 +463,,T1053,Scheduled Task/Job,[],[],,AC-23,mitigates,4 +464,,T1053.002,At (Windows),[],[],,AC-23,mitigates,4 +465,,T1053.005,Scheduled Task,[],[],,AC-23,mitigates,4 +466,,T1025,Data from Removable Media,[],[],,AC-23,mitigates,4 +467,,T1041,Exfiltration Over C2 Channel,[],[],,AC-23,mitigates,4 +468,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-23,mitigates,4 +469,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-23,mitigates,4 +470,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-23,mitigates,4 +471,,T1052,Exfiltration Over Physical Medium,[],[],,AC-23,mitigates,4 +472,,T1052.001,Exfiltration over USB,[],[],,AC-23,mitigates,4 +473,,T1213,Data from Information Repositories,[],[],,AC-23,mitigates,4 +474,,T1213.001,Confluence,[],[],,AC-23,mitigates,4 +475,,T1213.002,Sharepoint,[],[],,AC-23,mitigates,4 +476,,T1053,Scheduled Task/Job,[],[],,AC-24,mitigates,4 +477,,T1053.002,At (Windows),[],[],,AC-24,mitigates,4 
+478,,T1053.005,Scheduled Task,[],[],,AC-24,mitigates,4 +479,,T1053,Scheduled Task/Job,[],[],,AC-25,mitigates,4 +480,,T1053.002,At (Windows),[],[],,AC-25,mitigates,4 +481,,T1053.005,Scheduled Task,[],[],,AC-25,mitigates,4 +482,,T1556.006,Multi-Factor Authentication,[],[],,AC-3,mitigates,4 +483,,T1556.007,Hybrid Identity,[],[],,AC-3,mitigates,4 +484,,T1070.007,Clear Network Connection History and Configurations,[],[],,AC-3,mitigates,4 +485,,T1070.008,Clear Mailbox Data,[],[],,AC-3,mitigates,4 +486,,T1070.009,Clear Persistence,[],[],,AC-3,mitigates,4 +487,,T1098.005,Device Registration,[],[],,AC-3,mitigates,4 +488,,T1505.005,Terminal Services DLL,[],[],,AC-3,mitigates,4 +489,,T1648,Serverless Execution,[],[],,AC-3,mitigates,4 +490,,T1557.003,DHCP Spoofing,[],[],,AC-3,mitigates,4 +491,,T1622,Debugger Evasion,[],[],,AC-3,mitigates,4 +492,,T1647,Plist File Modification,[],[],,AC-3,mitigates,4 +493,,T1552.007,Container API,[],[],,AC-3,mitigates,4 +494,,T1556,Modify Authentication Process,[],[],,AC-3,mitigates,4 +495,,T1543.001,Launch Agent,[],[],,AC-3,mitigates,4 +496,,T1562,Impair Defenses,[],[],,AC-3,mitigates,4 +497,,T1574,Hijack Execution Flow,[],[],,AC-3,mitigates,4 +498,,T1609,Container Administration Command,[],[],,AC-3,mitigates,4 +499,,T1610,Deploy Container,[],[],,AC-3,mitigates,4 +500,,T1055,Process Injection,[],[],,AC-3,mitigates,4 +501,,T1133,External Remote Services,[],[],,AC-3,mitigates,4 +502,,T1059,Command and Scripting Interpreter,[],[],,AC-3,mitigates,4 +503,,T1070.001,Clear Windows Event Logs,[],[],,AC-3,mitigates,4 +504,,T1537,Transfer Data to Cloud Account,[],[],,AC-3,mitigates,4 +505,,T1567,Exfiltration Over Web Service,[],[],,AC-3,mitigates,4 +506,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-3,mitigates,4 +507,,T1003.001,LSASS Memory,[],[],,AC-3,mitigates,4 +508,,T1003.002,Security Account Manager,[],[],,AC-3,mitigates,4 +509,,T1003.003,NTDS,[],[],,AC-3,mitigates,4 +510,,T1005,Data from Local System,[],[],,AC-3,mitigates,4 
+511,,T1078,Valid Accounts,[],[],,AC-3,mitigates,4 +512,,T1091,Replication Through Removable Media,[],[],,AC-3,mitigates,4 +513,,T1110.001,Password Guessing,[],[],,AC-3,mitigates,4 +514,,T1110.002,Password Cracking,[],[],,AC-3,mitigates,4 +515,,T1199,Trusted Relationship,[],[],,AC-3,mitigates,4 +516,,T1200,Hardware Additions,[],[],,AC-3,mitigates,4 +517,,T1218,Signed Binary Proxy Execution,[],[],,AC-3,mitigates,4 +518,,T1528,Steal Application Access Token,[],[],,AC-3,mitigates,4 +519,,T1530,Data from Cloud Storage Object,[],[],,AC-3,mitigates,4 +520,,T1557,Adversary-in-the-Middle,[],[],,AC-3,mitigates,4 +521,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-3,mitigates,4 +522,,T1580,Cloud Infrastructure Discovery,[],[],,AC-3,mitigates,4 +523,,T1599,Network Boundary Bridging,[],[],,AC-3,mitigates,4 +524,,T1611,Escape to Host,[],[],,AC-3,mitigates,4 +525,,T1021.001,Remote Desktop Protocol,[],[],,AC-3,mitigates,4 +526,,T1037.002,Logon Script (Mac),[],[],,AC-3,mitigates,4 +527,,T1037.005,Startup Items,[],[],,AC-3,mitigates,4 +528,,T1047,Windows Management Instrumentation,[],[],,AC-3,mitigates,4 +529,,T1053,Scheduled Task/Job,[],[],,AC-3,mitigates,4 +530,,T1053.002,At (Windows),[],[],,AC-3,mitigates,4 +531,,T1053.003,Cron,[],[],,AC-3,mitigates,4 +532,,T1053.005,Scheduled Task,[],[],,AC-3,mitigates,4 +533,,T1059.001,PowerShell,[],[],,AC-3,mitigates,4 +534,,T1059.002,AppleScript,[],[],,AC-3,mitigates,4 +535,,T1059.005,Visual Basic,[],[],,AC-3,mitigates,4 +536,,T1059.008,Network Device CLI,[],[],,AC-3,mitigates,4 +537,,T1070,Indicator Removal on Host,[],[],,AC-3,mitigates,4 +538,,T1070.003,Clear Command History,[],[],,AC-3,mitigates,4 +539,,T1078.002,Domain Accounts,[],[],,AC-3,mitigates,4 +540,,T1078.004,Cloud Accounts,[],[],,AC-3,mitigates,4 +541,,T1095,Non-Application Layer Protocol,[],[],,AC-3,mitigates,4 +542,,T1098,Account Manipulation,[],[],,AC-3,mitigates,4 +543,,T1098.001,Additional Cloud Credentials,[],[],,AC-3,mitigates,4 +544,,T1098.002,Exchange Email 
Delegate Permissions,[],[],,AC-3,mitigates,4 +545,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-3,mitigates,4 +546,,T1098.004,SSH Authorized Keys,[],[],,AC-3,mitigates,4 +547,,T1190,Exploit Public-Facing Application,[],[],,AC-3,mitigates,4 +548,,T1197,BITS Jobs,[],[],,AC-3,mitigates,4 +549,,T1205,Traffic Signaling,[],[],,AC-3,mitigates,4 +550,,T1205.001,Port Knocking,[],[],,AC-3,mitigates,4 +551,,T1210,Exploitation of Remote Services,[],[],,AC-3,mitigates,4 +552,,T1213.003,Code Repositories,[],[],,AC-3,mitigates,4 +553,,T1218.007,Msiexec,[],[],,AC-3,mitigates,4 +554,,T1218.012,Verclsid,[],[],,AC-3,mitigates,4 +555,,T1219,Remote Access Software,[],[],,AC-3,mitigates,4 +556,,T1222,File and Directory Permissions Modification,[],[],,AC-3,mitigates,4 +557,,T1486,Data Encrypted for Impact,[],[],,AC-3,mitigates,4 +558,,T1490,Inhibit System Recovery,[],[],,AC-3,mitigates,4 +559,,T1491,Defacement,[],[],,AC-3,mitigates,4 +560,,T1491.001,Internal Defacement,[],[],,AC-3,mitigates,4 +561,,T1491.002,External Defacement,[],[],,AC-3,mitigates,4 +562,,T1495,Firmware Corruption,[],[],,AC-3,mitigates,4 +563,,T1498.001,Direct Network Flood,[],[],,AC-3,mitigates,4 +564,,T1498.002,Reflection Amplification,[],[],,AC-3,mitigates,4 +565,,T1499,Endpoint Denial of Service,[],[],,AC-3,mitigates,4 +566,,T1499.001,OS Exhaustion Flood,[],[],,AC-3,mitigates,4 +567,,T1499.002,Service Exhaustion Flood,[],[],,AC-3,mitigates,4 +568,,T1499.003,Application Exhaustion Flood,[],[],,AC-3,mitigates,4 +569,,T1499.004,Application or System Exploitation,[],[],,AC-3,mitigates,4 +570,,T1505,Server Software Component,[],[],,AC-3,mitigates,4 +571,,T1505.003,Web Shell,[],[],,AC-3,mitigates,4 +572,,T1525,Implant Internal Image,[],[],,AC-3,mitigates,4 +573,,T1543,Create or Modify System Process,[],[],,AC-3,mitigates,4 +574,,T1543.003,Windows Service,[],[],,AC-3,mitigates,4 +575,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-3,mitigates,4 +576,,T1547.003,Time 
Providers,[],[],,AC-3,mitigates,4 +577,,T1547.004,Winlogon Helper DLL,[],[],,AC-3,mitigates,4 +578,,T1547.006,Kernel Modules and Extensions,[],[],,AC-3,mitigates,4 +579,,T1547.007,Re-opened Applications,[],[],,AC-3,mitigates,4 +580,,T1547.009,Shortcut Modification,[],[],,AC-3,mitigates,4 +581,,T1548.002,Bypass User Account Control,[],[],,AC-3,mitigates,4 +582,,T1548.003,Sudo and Sudo Caching,[],[],,AC-3,mitigates,4 +583,,T1552.005,Cloud Instance Metadata API,[],[],,AC-3,mitigates,4 +584,,T1556.004,Network Device Authentication,[],[],,AC-3,mitigates,4 +585,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-3,mitigates,4 +586,,T1558.003,Kerberoasting,[],[],,AC-3,mitigates,4 +587,,T1559,Inter-Process Communication,[],[],,AC-3,mitigates,4 +588,,T1562.001,Disable or Modify Tools,[],[],,AC-3,mitigates,4 +589,,T1562.006,Indicator Blocking,[],[],,AC-3,mitigates,4 +590,,T1562.008,Disable Cloud Logs,[],[],,AC-3,mitigates,4 +591,,T1565,Data Manipulation,[],[],,AC-3,mitigates,4 +592,,T1565.001,Stored Data Manipulation,[],[],,AC-3,mitigates,4 +593,,T1565.003,Runtime Data Manipulation,[],[],,AC-3,mitigates,4 +594,,T1570,Lateral Tool Transfer,[],[],,AC-3,mitigates,4 +595,,T1602.002,Network Device Configuration Dump,[],[],,AC-3,mitigates,4 +596,,T1003,OS Credential Dumping,[],[],,AC-3,mitigates,4 +597,,T1003.004,LSA Secrets,[],[],,AC-3,mitigates,4 +598,,T1003.005,Cached Domain Credentials,[],[],,AC-3,mitigates,4 +599,,T1003.006,DCSync,[],[],,AC-3,mitigates,4 +600,,T1003.007,Proc Filesystem,[],[],,AC-3,mitigates,4 +601,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-3,mitigates,4 +602,,T1021,Remote Services,[],[],,AC-3,mitigates,4 +603,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-3,mitigates,4 +604,,T1021.003,Distributed Component Object Model,[],[],,AC-3,mitigates,4 +605,,T1021.004,SSH,[],[],,AC-3,mitigates,4 +606,,T1021.005,VNC,[],[],,AC-3,mitigates,4 +607,,T1021.006,Windows Remote Management,[],[],,AC-3,mitigates,4 +608,,T1025,Data from Removable Media,[],[],,AC-3,mitigates,4 
+609,,T1036,Masquerading,[],[],,AC-3,mitigates,4 +610,,T1036.003,Rename System Utilities,[],[],,AC-3,mitigates,4 +611,,T1036.005,Match Legitimate Name or Location,[],[],,AC-3,mitigates,4 +612,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-3,mitigates,4 +613,,T1037.003,Network Logon Script,[],[],,AC-3,mitigates,4 +614,,T1037.004,RC Scripts,[],[],,AC-3,mitigates,4 +615,,T1041,Exfiltration Over C2 Channel,[],[],,AC-3,mitigates,4 +616,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-3,mitigates,4 +617,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,4 +618,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,4 +619,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-3,mitigates,4 +620,,T1052,Exfiltration Over Physical Medium,[],[],,AC-3,mitigates,4 +621,,T1052.001,Exfiltration over USB,[],[],,AC-3,mitigates,4 +622,,T1053.006,Systemd Timers,[],[],,AC-3,mitigates,4 +623,,T1053.007,Container Orchestration Job,[],[],,AC-3,mitigates,4 +624,,T1055.008,Ptrace System Calls,[],[],,AC-3,mitigates,4 +625,,T1055.009,Proc Memory,[],[],,AC-3,mitigates,4 +626,,T1056.003,Web Portal Capture,[],[],,AC-3,mitigates,4 +627,,T1059.003,Windows Command Shell,[],[],,AC-3,mitigates,4 +628,,T1059.004,Unix Shell,[],[],,AC-3,mitigates,4 +629,,T1059.006,Python,[],[],,AC-3,mitigates,4 +630,,T1059.007,JavaScript,[],[],,AC-3,mitigates,4 +631,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-3,mitigates,4 +632,,T1071.004,DNS,[],[],,AC-3,mitigates,4 +633,,T1072,Software Deployment Tools,[],[],,AC-3,mitigates,4 +634,,T1078.003,Local Accounts,[],[],,AC-3,mitigates,4 +635,,T1080,Taint Shared Content,[],[],,AC-3,mitigates,4 +636,,T1087.004,Cloud Account,[],[],,AC-3,mitigates,4 +637,,T1090,Proxy,[],[],,AC-3,mitigates,4 +638,,T1090.003,Multi-hop Proxy,[],[],,AC-3,mitigates,4 +639,,T1110,Brute Force,[],[],,AC-3,mitigates,4 +640,,T1110.003,Password Spraying,[],[],,AC-3,mitigates,4 
+641,,T1110.004,Credential Stuffing,[],[],,AC-3,mitigates,4 +642,,T1114,Email Collection,[],[],,AC-3,mitigates,4 +643,,T1114.002,Remote Email Collection,[],[],,AC-3,mitigates,4 +644,,T1134,Access Token Manipulation,[],[],,AC-3,mitigates,4 +645,,T1134.001,Token Impersonation/Theft,[],[],,AC-3,mitigates,4 +646,,T1134.002,Create Process with Token,[],[],,AC-3,mitigates,4 +647,,T1134.003,Make and Impersonate Token,[],[],,AC-3,mitigates,4 +648,,T1134.005,SID-History Injection,[],[],,AC-3,mitigates,4 +649,,T1136,Create Account,[],[],,AC-3,mitigates,4 +650,,T1136.001,Local Account,[],[],,AC-3,mitigates,4 +651,,T1136.002,Domain Account,[],[],,AC-3,mitigates,4 +652,,T1136.003,Cloud Account,[],[],,AC-3,mitigates,4 +653,,T1185,Browser Session Hijacking,[],[],,AC-3,mitigates,4 +654,,T1187,Forced Authentication,[],[],,AC-3,mitigates,4 +655,,T1213,Data from Information Repositories,[],[],,AC-3,mitigates,4 +656,,T1213.001,Confluence,[],[],,AC-3,mitigates,4 +657,,T1213.002,Sharepoint,[],[],,AC-3,mitigates,4 +658,,T1218.002,Control Panel,[],[],,AC-3,mitigates,4 +659,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-3,mitigates,4 +660,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-3,mitigates,4 +661,,T1484,Domain Policy Modification,[],[],,AC-3,mitigates,4 +662,,T1485,Data Destruction,[],[],,AC-3,mitigates,4 +663,,T1489,Service Stop,[],[],,AC-3,mitigates,4 +664,,T1498,Network Denial of Service,[],[],,AC-3,mitigates,4 +665,,T1505.002,Transport Agent,[],[],,AC-3,mitigates,4 +666,,T1505.004,IIS Components,[],[],,AC-3,mitigates,4 +667,,T1538,Cloud Service Dashboard,[],[],,AC-3,mitigates,4 +668,,T1539,Steal Web Session Cookie,[],[],,AC-3,mitigates,4 +669,,T1542,Pre-OS Boot,[],[],,AC-3,mitigates,4 +670,,T1542.001,System Firmware,[],[],,AC-3,mitigates,4 +671,,T1542.003,Bootkit,[],[],,AC-3,mitigates,4 +672,,T1542.004,ROMMONkit,[],[],,AC-3,mitigates,4 +673,,T1542.005,TFTP Boot,[],[],,AC-3,mitigates,4 +674,,T1543.002,Systemd 
Service,[],[],,AC-3,mitigates,4 +675,,T1543.004,Launch Daemon,[],[],,AC-3,mitigates,4 +676,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-3,mitigates,4 +677,,T1546.013,PowerShell Profile,[],[],,AC-3,mitigates,4 +678,,T1547.012,Print Processors,[],[],,AC-3,mitigates,4 +679,,T1547.013,XDG Autostart Entries,[],[],,AC-3,mitigates,4 +680,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-3,mitigates,4 +681,,T1550,Use Alternate Authentication Material,[],[],,AC-3,mitigates,4 +682,,T1550.002,Pass the Hash,[],[],,AC-3,mitigates,4 +683,,T1550.003,Pass the Ticket,[],[],,AC-3,mitigates,4 +684,,T1552,Unsecured Credentials,[],[],,AC-3,mitigates,4 +685,,T1552.002,Credentials in Registry,[],[],,AC-3,mitigates,4 +686,,T1553,Subvert Trust Controls,[],[],,AC-3,mitigates,4 +687,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-3,mitigates,4 +688,,T1553.006,Code Signing Policy Modification,[],[],,AC-3,mitigates,4 +689,,T1556.001,Domain Controller Authentication,[],[],,AC-3,mitigates,4 +690,,T1556.003,Pluggable Authentication Modules,[],[],,AC-3,mitigates,4 +691,,T1557.002,ARP Cache Poisoning,[],[],,AC-3,mitigates,4 +692,,T1558.001,Golden Ticket,[],[],,AC-3,mitigates,4 +693,,T1558.002,Silver Ticket,[],[],,AC-3,mitigates,4 +694,,T1558.004,AS-REP Roasting,[],[],,AC-3,mitigates,4 +695,,T1559.001,Component Object Model,[],[],,AC-3,mitigates,4 +696,,T1561,Disk Wipe,[],[],,AC-3,mitigates,4 +697,,T1561.001,Disk Content Wipe,[],[],,AC-3,mitigates,4 +698,,T1561.002,Disk Structure Wipe,[],[],,AC-3,mitigates,4 +699,,T1562.002,Disable Windows Event Logging,[],[],,AC-3,mitigates,4 +700,,T1562.004,Disable or Modify System Firewall,[],[],,AC-3,mitigates,4 +701,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-3,mitigates,4 +702,,T1562.009,Safe Mode Boot,[],[],,AC-3,mitigates,4 +703,,T1563,Remote Service Session Hijacking,[],[],,AC-3,mitigates,4 +704,,T1563.001,SSH Hijacking,[],[],,AC-3,mitigates,4 +705,,T1563.002,RDP Hijacking,[],[],,AC-3,mitigates,4 +706,,T1564.004,NTFS File 
Attributes,[],[],,AC-3,mitigates,4 +707,,T1569,System Services,[],[],,AC-3,mitigates,4 +708,,T1569.001,Launchctl,[],[],,AC-3,mitigates,4 +709,,T1569.002,Service Execution,[],[],,AC-3,mitigates,4 +710,,T1572,Protocol Tunneling,[],[],,AC-3,mitigates,4 +711,,T1574.004,Dylib Hijacking,[],[],,AC-3,mitigates,4 +712,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-3,mitigates,4 +713,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-3,mitigates,4 +714,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-3,mitigates,4 +715,,T1574.010,Services File Permissions Weakness,[],[],,AC-3,mitigates,4 +716,,T1574.012,COR_PROFILER,[],[],,AC-3,mitigates,4 +717,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-3,mitigates,4 +718,,T1578.001,Create Snapshot,[],[],,AC-3,mitigates,4 +719,,T1578.002,Create Cloud Instance,[],[],,AC-3,mitigates,4 +720,,T1578.003,Delete Cloud Instance,[],[],,AC-3,mitigates,4 +721,,T1599.001,Network Address Translation Traversal,[],[],,AC-3,mitigates,4 +722,,T1601,Modify System Image,[],[],,AC-3,mitigates,4 +723,,T1601.001,Patch System Image,[],[],,AC-3,mitigates,4 +724,,T1601.002,Downgrade System Image,[],[],,AC-3,mitigates,4 +725,,T1602,Data from Configuration Repository,[],[],,AC-3,mitigates,4 +726,,T1602.001,SNMP (MIB Dump),[],[],,AC-3,mitigates,4 +727,,T1606,Forge Web Credentials,[],[],,AC-3,mitigates,4 +728,,T1606.001,Web Cookies,[],[],,AC-3,mitigates,4 +729,,T1606.002,SAML Tokens,[],[],,AC-3,mitigates,4 +730,,T1612,Build Image on Host,[],[],,AC-3,mitigates,4 +731,,T1613,Container and Resource Discovery,[],[],,AC-3,mitigates,4 +732,,T1619,Cloud Storage Object Discovery,[],[],,AC-3,mitigates,4 +733,,T1205.002,Socket Filters,[],[],,AC-4,mitigates,4 +734,,T1557.003,DHCP Spoofing,[],[],,AC-4,mitigates,4 +735,,T1609,Container Administration Command,[],[],,AC-4,mitigates,4 +736,,T1622,Debugger Evasion,[],[],,AC-4,mitigates,4 +737,,T1552.007,Container API,[],[],,AC-4,mitigates,4 +738,,T1574,Hijack Execution 
Flow,[],[],,AC-4,mitigates,4 +739,,T1068,Exploitation for Privilege Escalation,[],[],,AC-4,mitigates,4 +740,,T1133,External Remote Services,[],[],,AC-4,mitigates,4 +741,,T1212,Exploitation for Credential Access,[],[],,AC-4,mitigates,4 +742,,T1482,Domain Trust Discovery,[],[],,AC-4,mitigates,4 +743,,T1203,Exploitation for Client Execution,[],[],,AC-4,mitigates,4 +744,,T1211,Exploitation for Defense Evasion,[],[],,AC-4,mitigates,4 +745,,T1537,Transfer Data to Cloud Account,[],[],,AC-4,mitigates,4 +746,,T1567,Exfiltration Over Web Service,[],[],,AC-4,mitigates,4 +747,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-4,mitigates,4 +748,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-4,mitigates,4 +749,,T1003.001,LSASS Memory,[],[],,AC-4,mitigates,4 +750,,T1046,Network Service Scanning,[],[],,AC-4,mitigates,4 +751,,T1199,Trusted Relationship,[],[],,AC-4,mitigates,4 +752,,T1528,Steal Application Access Token,[],[],,AC-4,mitigates,4 +753,,T1530,Data from Cloud Storage Object,[],[],,AC-4,mitigates,4 +754,,T1557,Adversary-in-the-Middle,[],[],,AC-4,mitigates,4 +755,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-4,mitigates,4 +756,,T1566.002,Spearphishing Link,[],[],,AC-4,mitigates,4 +757,,T1598.003,Spearphishing Link,[],[],,AC-4,mitigates,4 +758,,T1599,Network Boundary Bridging,[],[],,AC-4,mitigates,4 +759,,T1611,Escape to Host,[],[],,AC-4,mitigates,4 +760,,T1020.001,Traffic Duplication,[],[],,AC-4,mitigates,4 +761,,T1021.001,Remote Desktop Protocol,[],[],,AC-4,mitigates,4 +762,,T1095,Non-Application Layer Protocol,[],[],,AC-4,mitigates,4 +763,,T1098,Account Manipulation,[],[],,AC-4,mitigates,4 +764,,T1098.001,Additional Cloud Credentials,[],[],,AC-4,mitigates,4 +765,,T1105,Ingress Tool Transfer,[],[],,AC-4,mitigates,4 +766,,T1189,Drive-by Compromise,[],[],,AC-4,mitigates,4 +767,,T1190,Exploit Public-Facing Application,[],[],,AC-4,mitigates,4 +768,,T1197,BITS Jobs,[],[],,AC-4,mitigates,4 +769,,T1204,User Execution,[],[],,AC-4,mitigates,4 
+770,,T1204.002,Malicious File,[],[],,AC-4,mitigates,4 +771,,T1205,Traffic Signaling,[],[],,AC-4,mitigates,4 +772,,T1205.001,Port Knocking,[],[],,AC-4,mitigates,4 +773,,T1210,Exploitation of Remote Services,[],[],,AC-4,mitigates,4 +774,,T1218.012,Verclsid,[],[],,AC-4,mitigates,4 +775,,T1219,Remote Access Software,[],[],,AC-4,mitigates,4 +776,,T1498.001,Direct Network Flood,[],[],,AC-4,mitigates,4 +777,,T1498.002,Reflection Amplification,[],[],,AC-4,mitigates,4 +778,,T1499,Endpoint Denial of Service,[],[],,AC-4,mitigates,4 +779,,T1499.001,OS Exhaustion Flood,[],[],,AC-4,mitigates,4 +780,,T1499.002,Service Exhaustion Flood,[],[],,AC-4,mitigates,4 +781,,T1499.003,Application Exhaustion Flood,[],[],,AC-4,mitigates,4 +782,,T1499.004,Application or System Exploitation,[],[],,AC-4,mitigates,4 +783,,T1547.003,Time Providers,[],[],,AC-4,mitigates,4 +784,,T1552.005,Cloud Instance Metadata API,[],[],,AC-4,mitigates,4 +785,,T1559,Inter-Process Communication,[],[],,AC-4,mitigates,4 +786,,T1559.002,Dynamic Data Exchange,[],[],,AC-4,mitigates,4 +787,,T1565,Data Manipulation,[],[],,AC-4,mitigates,4 +788,,T1565.003,Runtime Data Manipulation,[],[],,AC-4,mitigates,4 +789,,T1568.002,Domain Generation Algorithms,[],[],,AC-4,mitigates,4 +790,,T1570,Lateral Tool Transfer,[],[],,AC-4,mitigates,4 +791,,T1602.002,Network Device Configuration Dump,[],[],,AC-4,mitigates,4 +792,,T1001,Data Obfuscation,[],[],,AC-4,mitigates,4 +793,,T1001.001,Junk Data,[],[],,AC-4,mitigates,4 +794,,T1001.002,Steganography,[],[],,AC-4,mitigates,4 +795,,T1001.003,Protocol Impersonation,[],[],,AC-4,mitigates,4 +796,,T1003,OS Credential Dumping,[],[],,AC-4,mitigates,4 +797,,T1003.005,Cached Domain Credentials,[],[],,AC-4,mitigates,4 +798,,T1003.006,DCSync,[],[],,AC-4,mitigates,4 +799,,T1008,Fallback Channels,[],[],,AC-4,mitigates,4 +800,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-4,mitigates,4 +801,,T1021.003,Distributed Component Object Model,[],[],,AC-4,mitigates,4 +802,,T1021.005,VNC,[],[],,AC-4,mitigates,4 
+803,,T1021.006,Windows Remote Management,[],[],,AC-4,mitigates,4 +804,,T1029,Scheduled Transfer,[],[],,AC-4,mitigates,4 +805,,T1030,Data Transfer Size Limits,[],[],,AC-4,mitigates,4 +806,,T1041,Exfiltration Over C2 Channel,[],[],,AC-4,mitigates,4 +807,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-4,mitigates,4 +808,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,4 +809,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,4 +810,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-4,mitigates,4 +811,,T1071,Application Layer Protocol,[],[],,AC-4,mitigates,4 +812,,T1071.001,Web Protocols,[],[],,AC-4,mitigates,4 +813,,T1071.002,File Transfer Protocols,[],[],,AC-4,mitigates,4 +814,,T1071.003,Mail Protocols,[],[],,AC-4,mitigates,4 +815,,T1071.004,DNS,[],[],,AC-4,mitigates,4 +816,,T1072,Software Deployment Tools,[],[],,AC-4,mitigates,4 +817,,T1090,Proxy,[],[],,AC-4,mitigates,4 +818,,T1090.001,Internal Proxy,[],[],,AC-4,mitigates,4 +819,,T1090.002,External Proxy,[],[],,AC-4,mitigates,4 +820,,T1090.003,Multi-hop Proxy,[],[],,AC-4,mitigates,4 +821,,T1102,Web Service,[],[],,AC-4,mitigates,4 +822,,T1102.001,Dead Drop Resolver,[],[],,AC-4,mitigates,4 +823,,T1102.002,Bidirectional Communication,[],[],,AC-4,mitigates,4 +824,,T1102.003,One-Way Communication,[],[],,AC-4,mitigates,4 +825,,T1104,Multi-Stage Channels,[],[],,AC-4,mitigates,4 +826,,T1114,Email Collection,[],[],,AC-4,mitigates,4 +827,,T1114.001,Local Email Collection,[],[],,AC-4,mitigates,4 +828,,T1114.002,Remote Email Collection,[],[],,AC-4,mitigates,4 +829,,T1114.003,Email Forwarding Rule,[],[],,AC-4,mitigates,4 +830,,T1132,Data Encoding,[],[],,AC-4,mitigates,4 +831,,T1132.001,Standard Encoding,[],[],,AC-4,mitigates,4 +832,,T1132.002,Non-Standard Encoding,[],[],,AC-4,mitigates,4 +833,,T1134.005,SID-History Injection,[],[],,AC-4,mitigates,4 +834,,T1136,Create Account,[],[],,AC-4,mitigates,4 
+835,,T1136.002,Domain Account,[],[],,AC-4,mitigates,4 +836,,T1136.003,Cloud Account,[],[],,AC-4,mitigates,4 +837,,T1187,Forced Authentication,[],[],,AC-4,mitigates,4 +838,,T1204.001,Malicious Link,[],[],,AC-4,mitigates,4 +839,,T1204.003,Malicious Image,[],[],,AC-4,mitigates,4 +840,,T1213,Data from Information Repositories,[],[],,AC-4,mitigates,4 +841,,T1213.001,Confluence,[],[],,AC-4,mitigates,4 +842,,T1213.002,Sharepoint,[],[],,AC-4,mitigates,4 +843,,T1484,Domain Policy Modification,[],[],,AC-4,mitigates,4 +844,,T1489,Service Stop,[],[],,AC-4,mitigates,4 +845,,T1498,Network Denial of Service,[],[],,AC-4,mitigates,4 +846,,T1505.004,IIS Components,[],[],,AC-4,mitigates,4 +847,,T1552,Unsecured Credentials,[],[],,AC-4,mitigates,4 +848,,T1552.001,Credentials In Files,[],[],,AC-4,mitigates,4 +849,,T1557.002,ARP Cache Poisoning,[],[],,AC-4,mitigates,4 +850,,T1559.001,Component Object Model,[],[],,AC-4,mitigates,4 +851,,T1563,Remote Service Session Hijacking,[],[],,AC-4,mitigates,4 +852,,T1563.002,RDP Hijacking,[],[],,AC-4,mitigates,4 +853,,T1564.008,Email Hiding Rules,[],[],,AC-4,mitigates,4 +854,,T1566,Phishing,[],[],,AC-4,mitigates,4 +855,,T1566.001,Spearphishing Attachment,[],[],,AC-4,mitigates,4 +856,,T1566.003,Spearphishing via Service,[],[],,AC-4,mitigates,4 +857,,T1567.001,Exfiltration to Code Repository,[],[],,AC-4,mitigates,4 +858,,T1568,Dynamic Resolution,[],[],,AC-4,mitigates,4 +859,,T1571,Non-Standard Port,[],[],,AC-4,mitigates,4 +860,,T1572,Protocol Tunneling,[],[],,AC-4,mitigates,4 +861,,T1573,Encrypted Channel,[],[],,AC-4,mitigates,4 +862,,T1573.001,Symmetric Cryptography,[],[],,AC-4,mitigates,4 +863,,T1573.002,Asymmetric Cryptography,[],[],,AC-4,mitigates,4 +864,,T1574.004,Dylib Hijacking,[],[],,AC-4,mitigates,4 +865,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-4,mitigates,4 +866,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-4,mitigates,4 +867,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-4,mitigates,4 
+868,,T1574.010,Services File Permissions Weakness,[],[],,AC-4,mitigates,4 +869,,T1598,Phishing for Information,[],[],,AC-4,mitigates,4 +870,,T1598.001,Spearphishing Service,[],[],,AC-4,mitigates,4 +871,,T1598.002,Spearphishing Attachment,[],[],,AC-4,mitigates,4 +872,,T1599.001,Network Address Translation Traversal,[],[],,AC-4,mitigates,4 +873,,T1601,Modify System Image,[],[],,AC-4,mitigates,4 +874,,T1601.001,Patch System Image,[],[],,AC-4,mitigates,4 +875,,T1601.002,Downgrade System Image,[],[],,AC-4,mitigates,4 +876,,T1602,Data from Configuration Repository,[],[],,AC-4,mitigates,4 +877,,T1602.001,SNMP (MIB Dump),[],[],,AC-4,mitigates,4 +878,,T1556.005,Reversible Encryption,[],[],,AC-5,mitigates,4 +879,,T1070.007,Clear Network Connection History and Configurations,[],[],,AC-5,mitigates,4 +880,,T1070.008,Clear Mailbox Data,[],[],,AC-5,mitigates,4 +881,,T1070.009,Clear Persistence,[],[],,AC-5,mitigates,4 +882,,T1098.005,Device Registration,[],[],,AC-5,mitigates,4 +883,,T1505.005,Terminal Services DLL,[],[],,AC-5,mitigates,4 +884,,T1098.004,SSH Authorized Keys,[],[],,AC-5,mitigates,4 +885,,T1609,Container Administration Command,[],[],,AC-5,mitigates,4 +886,,T1552.007,Container API,[],[],,AC-5,mitigates,4 +887,,T1556,Modify Authentication Process,[],[],,AC-5,mitigates,4 +888,,T1543.001,Launch Agent,[],[],,AC-5,mitigates,4 +889,,T1562,Impair Defenses,[],[],,AC-5,mitigates,4 +890,,T1574,Hijack Execution Flow,[],[],,AC-5,mitigates,4 +891,,T1055,Process Injection,[],[],,AC-5,mitigates,4 +892,,T1059,Command and Scripting Interpreter,[],[],,AC-5,mitigates,4 +893,,T1070.001,Clear Windows Event Logs,[],[],,AC-5,mitigates,4 +894,,T1537,Transfer Data to Cloud Account,[],[],,AC-5,mitigates,4 +895,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-5,mitigates,4 +896,,T1003.001,LSASS Memory,[],[],,AC-5,mitigates,4 +897,,T1003.002,Security Account Manager,[],[],,AC-5,mitigates,4 +898,,T1003.003,NTDS,[],[],,AC-5,mitigates,4 +899,,T1078,Valid 
Accounts,[],[],,AC-5,mitigates,4 +900,,T1110.001,Password Guessing,[],[],,AC-5,mitigates,4 +901,,T1110.002,Password Cracking,[],[],,AC-5,mitigates,4 +902,,T1218,Signed Binary Proxy Execution,[],[],,AC-5,mitigates,4 +903,,T1528,Steal Application Access Token,[],[],,AC-5,mitigates,4 +904,,T1530,Data from Cloud Storage Object,[],[],,AC-5,mitigates,4 +905,,T1580,Cloud Infrastructure Discovery,[],[],,AC-5,mitigates,4 +906,,T1599,Network Boundary Bridging,[],[],,AC-5,mitigates,4 +907,,T1611,Escape to Host,[],[],,AC-5,mitigates,4 +908,,T1021.001,Remote Desktop Protocol,[],[],,AC-5,mitigates,4 +909,,T1047,Windows Management Instrumentation,[],[],,AC-5,mitigates,4 +910,,T1053,Scheduled Task/Job,[],[],,AC-5,mitigates,4 +911,,T1053.002,At (Windows),[],[],,AC-5,mitigates,4 +912,,T1053.003,Cron,[],[],,AC-5,mitigates,4 +913,,T1053.005,Scheduled Task,[],[],,AC-5,mitigates,4 +914,,T1059.001,PowerShell,[],[],,AC-5,mitigates,4 +915,,T1059.008,Network Device CLI,[],[],,AC-5,mitigates,4 +916,,T1070,Indicator Removal on Host,[],[],,AC-5,mitigates,4 +917,,T1070.003,Clear Command History,[],[],,AC-5,mitigates,4 +918,,T1078.002,Domain Accounts,[],[],,AC-5,mitigates,4 +919,,T1078.004,Cloud Accounts,[],[],,AC-5,mitigates,4 +920,,T1098,Account Manipulation,[],[],,AC-5,mitigates,4 +921,,T1098.001,Additional Cloud Credentials,[],[],,AC-5,mitigates,4 +922,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-5,mitigates,4 +923,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-5,mitigates,4 +924,,T1190,Exploit Public-Facing Application,[],[],,AC-5,mitigates,4 +925,,T1197,BITS Jobs,[],[],,AC-5,mitigates,4 +926,,T1210,Exploitation of Remote Services,[],[],,AC-5,mitigates,4 +927,,T1213.003,Code Repositories,[],[],,AC-5,mitigates,4 +928,,T1218.007,Msiexec,[],[],,AC-5,mitigates,4 +929,,T1222,File and Directory Permissions Modification,[],[],,AC-5,mitigates,4 +930,,T1495,Firmware Corruption,[],[],,AC-5,mitigates,4 +931,,T1505,Server Software Component,[],[],,AC-5,mitigates,4 
+932,,T1505.003,Web Shell,[],[],,AC-5,mitigates,4 +933,,T1525,Implant Internal Image,[],[],,AC-5,mitigates,4 +934,,T1543,Create or Modify System Process,[],[],,AC-5,mitigates,4 +935,,T1543.003,Windows Service,[],[],,AC-5,mitigates,4 +936,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-5,mitigates,4 +937,,T1547.004,Winlogon Helper DLL,[],[],,AC-5,mitigates,4 +938,,T1547.006,Kernel Modules and Extensions,[],[],,AC-5,mitigates,4 +939,,T1547.009,Shortcut Modification,[],[],,AC-5,mitigates,4 +940,,T1548.002,Bypass User Account Control,[],[],,AC-5,mitigates,4 +941,,T1548.003,Sudo and Sudo Caching,[],[],,AC-5,mitigates,4 +942,,T1556.004,Network Device Authentication,[],[],,AC-5,mitigates,4 +943,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-5,mitigates,4 +944,,T1558.003,Kerberoasting,[],[],,AC-5,mitigates,4 +945,,T1559,Inter-Process Communication,[],[],,AC-5,mitigates,4 +946,,T1562.001,Disable or Modify Tools,[],[],,AC-5,mitigates,4 +947,,T1562.006,Indicator Blocking,[],[],,AC-5,mitigates,4 +948,,T1562.008,Disable Cloud Logs,[],[],,AC-5,mitigates,4 +949,,T1003,OS Credential Dumping,[],[],,AC-5,mitigates,4 +950,,T1003.004,LSA Secrets,[],[],,AC-5,mitigates,4 +951,,T1003.005,Cached Domain Credentials,[],[],,AC-5,mitigates,4 +952,,T1003.006,DCSync,[],[],,AC-5,mitigates,4 +953,,T1003.007,Proc Filesystem,[],[],,AC-5,mitigates,4 +954,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-5,mitigates,4 +955,,T1021,Remote Services,[],[],,AC-5,mitigates,4 +956,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-5,mitigates,4 +957,,T1021.003,Distributed Component Object Model,[],[],,AC-5,mitigates,4 +958,,T1021.004,SSH,[],[],,AC-5,mitigates,4 +959,,T1021.006,Windows Remote Management,[],[],,AC-5,mitigates,4 +960,,T1053.006,Systemd Timers,[],[],,AC-5,mitigates,4 +961,,T1053.007,Container Orchestration Job,[],[],,AC-5,mitigates,4 +962,,T1055.008,Ptrace System Calls,[],[],,AC-5,mitigates,4 +963,,T1056.003,Web Portal Capture,[],[],,AC-5,mitigates,4 +964,,T1070.002,Clear 
Linux or Mac System Logs,[],[],,AC-5,mitigates,4 +965,,T1072,Software Deployment Tools,[],[],,AC-5,mitigates,4 +966,,T1078.001,Default Accounts,[],[],,AC-5,mitigates,4 +967,,T1078.003,Local Accounts,[],[],,AC-5,mitigates,4 +968,,T1087.004,Cloud Account,[],[],,AC-5,mitigates,4 +969,,T1110,Brute Force,[],[],,AC-5,mitigates,4 +970,,T1110.003,Password Spraying,[],[],,AC-5,mitigates,4 +971,,T1110.004,Credential Stuffing,[],[],,AC-5,mitigates,4 +972,,T1134,Access Token Manipulation,[],[],,AC-5,mitigates,4 +973,,T1134.001,Token Impersonation/Theft,[],[],,AC-5,mitigates,4 +974,,T1134.002,Create Process with Token,[],[],,AC-5,mitigates,4 +975,,T1134.003,Make and Impersonate Token,[],[],,AC-5,mitigates,4 +976,,T1134.005,SID-History Injection,[],[],,AC-5,mitigates,4 +977,,T1136,Create Account,[],[],,AC-5,mitigates,4 +978,,T1136.001,Local Account,[],[],,AC-5,mitigates,4 +979,,T1136.002,Domain Account,[],[],,AC-5,mitigates,4 +980,,T1136.003,Cloud Account,[],[],,AC-5,mitigates,4 +981,,T1185,Browser Session Hijacking,[],[],,AC-5,mitigates,4 +982,,T1213,Data from Information Repositories,[],[],,AC-5,mitigates,4 +983,,T1213.001,Confluence,[],[],,AC-5,mitigates,4 +984,,T1213.002,Sharepoint,[],[],,AC-5,mitigates,4 +985,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-5,mitigates,4 +986,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-5,mitigates,4 +987,,T1484,Domain Policy Modification,[],[],,AC-5,mitigates,4 +988,,T1489,Service Stop,[],[],,AC-5,mitigates,4 +989,,T1505.002,Transport Agent,[],[],,AC-5,mitigates,4 +990,,T1538,Cloud Service Dashboard,[],[],,AC-5,mitigates,4 +991,,T1542,Pre-OS Boot,[],[],,AC-5,mitigates,4 +992,,T1542.001,System Firmware,[],[],,AC-5,mitigates,4 +993,,T1542.003,Bootkit,[],[],,AC-5,mitigates,4 +994,,T1542.005,TFTP Boot,[],[],,AC-5,mitigates,4 +995,,T1543.002,Systemd Service,[],[],,AC-5,mitigates,4 +996,,T1543.004,Launch Daemon,[],[],,AC-5,mitigates,4 +997,,T1547.012,Print 
Processors,[],[],,AC-5,mitigates,4 +998,,T1547.013,XDG Autostart Entries,[],[],,AC-5,mitigates,4 +999,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-5,mitigates,4 +1000,,T1550,Use Alternate Authentication Material,[],[],,AC-5,mitigates,4 +1001,,T1550.002,Pass the Hash,[],[],,AC-5,mitigates,4 +1002,,T1550.003,Pass the Ticket,[],[],,AC-5,mitigates,4 +1003,,T1552,Unsecured Credentials,[],[],,AC-5,mitigates,4 +1004,,T1552.001,Credentials In Files,[],[],,AC-5,mitigates,4 +1005,,T1552.002,Credentials in Registry,[],[],,AC-5,mitigates,4 +1006,,T1552.006,Group Policy Preferences,[],[],,AC-5,mitigates,4 +1007,,T1553,Subvert Trust Controls,[],[],,AC-5,mitigates,4 +1008,,T1553.006,Code Signing Policy Modification,[],[],,AC-5,mitigates,4 +1009,,T1556.001,Domain Controller Authentication,[],[],,AC-5,mitigates,4 +1010,,T1556.003,Pluggable Authentication Modules,[],[],,AC-5,mitigates,4 +1011,,T1558.001,Golden Ticket,[],[],,AC-5,mitigates,4 +1012,,T1558.002,Silver Ticket,[],[],,AC-5,mitigates,4 +1013,,T1559.001,Component Object Model,[],[],,AC-5,mitigates,4 +1014,,T1562.002,Disable Windows Event Logging,[],[],,AC-5,mitigates,4 +1015,,T1562.004,Disable or Modify System Firewall,[],[],,AC-5,mitigates,4 +1016,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-5,mitigates,4 +1017,,T1562.009,Safe Mode Boot,[],[],,AC-5,mitigates,4 +1018,,T1563,Remote Service Session Hijacking,[],[],,AC-5,mitigates,4 +1019,,T1563.001,SSH Hijacking,[],[],,AC-5,mitigates,4 +1020,,T1563.002,RDP Hijacking,[],[],,AC-5,mitigates,4 +1021,,T1569,System Services,[],[],,AC-5,mitigates,4 +1022,,T1569.001,Launchctl,[],[],,AC-5,mitigates,4 +1023,,T1569.002,Service Execution,[],[],,AC-5,mitigates,4 +1024,,T1574.004,Dylib Hijacking,[],[],,AC-5,mitigates,4 +1025,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-5,mitigates,4 +1026,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-5,mitigates,4 +1027,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-5,mitigates,4 
+1028,,T1574.010,Services File Permissions Weakness,[],[],,AC-5,mitigates,4 +1029,,T1574.012,COR_PROFILER,[],[],,AC-5,mitigates,4 +1030,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-5,mitigates,4 +1031,,T1578.001,Create Snapshot,[],[],,AC-5,mitigates,4 +1032,,T1578.002,Create Cloud Instance,[],[],,AC-5,mitigates,4 +1033,,T1578.003,Delete Cloud Instance,[],[],,AC-5,mitigates,4 +1034,,T1599.001,Network Address Translation Traversal,[],[],,AC-5,mitigates,4 +1035,,T1601,Modify System Image,[],[],,AC-5,mitigates,4 +1036,,T1601.001,Patch System Image,[],[],,AC-5,mitigates,4 +1037,,T1601.002,Downgrade System Image,[],[],,AC-5,mitigates,4 +1038,,T1606,Forge Web Credentials,[],[],,AC-5,mitigates,4 +1039,,T1619,Cloud Storage Object Discovery,[],[],,AC-5,mitigates,4 +1040,,T1556.005,Reversible Encryption,[],[],,AC-6,mitigates,4 +1041,,T1556.006,Multi-Factor Authentication,[],[],,AC-6,mitigates,4 +1042,,T1556.007,Hybrid Identity,[],[],,AC-6,mitigates,4 +1043,,T1621,Multi-Factor Authentication Request Generation,[],[],,AC-6,mitigates,4 +1044,,T1070.007,Clear Network Connection History and Configurations,[],[],,AC-6,mitigates,4 +1045,,T1070.008,Clear Mailbox Data,[],[],,AC-6,mitigates,4 +1046,,T1070.009,Clear Persistence,[],[],,AC-6,mitigates,4 +1047,,T1098.005,Device Registration,[],[],,AC-6,mitigates,4 +1048,,T1505.005,Terminal Services DLL,[],[],,AC-6,mitigates,4 +1049,,T1546.016,Installer Packages,[],[],,AC-6,mitigates,4 +1050,,T1648,Serverless Execution,[],[],,AC-6,mitigates,4 +1051,,T1098.004,SSH Authorized Keys,[],[],,AC-6,mitigates,4 +1052,,T1647,Plist File Modification,[],[],,AC-6,mitigates,4 +1053,,T1552.007,Container API,[],[],,AC-6,mitigates,4 +1054,,T1556,Modify Authentication Process,[],[],,AC-6,mitigates,4 +1055,,T1543.001,Launch Agent,[],[],,AC-6,mitigates,4 +1056,,T1562,Impair Defenses,[],[],,AC-6,mitigates,4 +1057,,T1574,Hijack Execution Flow,[],[],,AC-6,mitigates,4 +1058,,T1609,Container Administration Command,[],[],,AC-6,mitigates,4 +1059,,T1610,Deploy 
Container,[],[],,AC-6,mitigates,4 +1060,,T1055,Process Injection,[],[],,AC-6,mitigates,4 +1061,,T1068,Exploitation for Privilege Escalation,[],[],,AC-6,mitigates,4 +1062,,T1133,External Remote Services,[],[],,AC-6,mitigates,4 +1063,,T1212,Exploitation for Credential Access,[],[],,AC-6,mitigates,4 +1064,,T1059,Command and Scripting Interpreter,[],[],,AC-6,mitigates,4 +1065,,T1070.001,Clear Windows Event Logs,[],[],,AC-6,mitigates,4 +1066,,T1203,Exploitation for Client Execution,[],[],,AC-6,mitigates,4 +1067,,T1211,Exploitation for Defense Evasion,[],[],,AC-6,mitigates,4 +1068,,T1537,Transfer Data to Cloud Account,[],[],,AC-6,mitigates,4 +1069,,T1567,Exfiltration Over Web Service,[],[],,AC-6,mitigates,4 +1070,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-6,mitigates,4 +1071,,T1574.011,Services Registry Permissions Weakness,[],[],,AC-6,mitigates,4 +1072,,T1003.001,LSASS Memory,[],[],,AC-6,mitigates,4 +1073,,T1003.002,Security Account Manager,[],[],,AC-6,mitigates,4 +1074,,T1003.003,NTDS,[],[],,AC-6,mitigates,4 +1075,,T1005,Data from Local System,[],[],,AC-6,mitigates,4 +1076,,T1055.001,Dynamic-link Library Injection,[],[],,AC-6,mitigates,4 +1077,,T1055.014,VDSO Hijacking,[],[],,AC-6,mitigates,4 +1078,,T1078,Valid Accounts,[],[],,AC-6,mitigates,4 +1079,,T1091,Replication Through Removable Media,[],[],,AC-6,mitigates,4 +1080,,T1110.001,Password Guessing,[],[],,AC-6,mitigates,4 +1081,,T1110.002,Password Cracking,[],[],,AC-6,mitigates,4 +1082,,T1199,Trusted Relationship,[],[],,AC-6,mitigates,4 +1083,,T1200,Hardware Additions,[],[],,AC-6,mitigates,4 +1084,,T1218,Signed Binary Proxy Execution,[],[],,AC-6,mitigates,4 +1085,,T1528,Steal Application Access Token,[],[],,AC-6,mitigates,4 +1086,,T1530,Data from Cloud Storage Object,[],[],,AC-6,mitigates,4 +1087,,T1580,Cloud Infrastructure Discovery,[],[],,AC-6,mitigates,4 +1088,,T1599,Network Boundary Bridging,[],[],,AC-6,mitigates,4 +1089,,T1611,Escape to Host,[],[],,AC-6,mitigates,4 +1090,,T1021.001,Remote 
Desktop Protocol,[],[],,AC-6,mitigates,4 +1091,,T1047,Windows Management Instrumentation,[],[],,AC-6,mitigates,4 +1092,,T1053,Scheduled Task/Job,[],[],,AC-6,mitigates,4 +1093,,T1053.002,At (Windows),[],[],,AC-6,mitigates,4 +1094,,T1053.003,Cron,[],[],,AC-6,mitigates,4 +1095,,T1053.005,Scheduled Task,[],[],,AC-6,mitigates,4 +1096,,T1059.001,PowerShell,[],[],,AC-6,mitigates,4 +1097,,T1059.002,AppleScript,[],[],,AC-6,mitigates,4 +1098,,T1059.005,Visual Basic,[],[],,AC-6,mitigates,4 +1099,,T1059.008,Network Device CLI,[],[],,AC-6,mitigates,4 +1100,,T1070,Indicator Removal on Host,[],[],,AC-6,mitigates,4 +1101,,T1070.003,Clear Command History,[],[],,AC-6,mitigates,4 +1102,,T1078.002,Domain Accounts,[],[],,AC-6,mitigates,4 +1103,,T1078.004,Cloud Accounts,[],[],,AC-6,mitigates,4 +1104,,T1098,Account Manipulation,[],[],,AC-6,mitigates,4 +1105,,T1098.001,Additional Cloud Credentials,[],[],,AC-6,mitigates,4 +1106,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-6,mitigates,4 +1107,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-6,mitigates,4 +1108,,T1106,Native API,[],[],,AC-6,mitigates,4 +1109,,T1176,Browser Extensions,[],[],,AC-6,mitigates,4 +1110,,T1189,Drive-by Compromise,[],[],,AC-6,mitigates,4 +1111,,T1190,Exploit Public-Facing Application,[],[],,AC-6,mitigates,4 +1112,,T1197,BITS Jobs,[],[],,AC-6,mitigates,4 +1113,,T1210,Exploitation of Remote Services,[],[],,AC-6,mitigates,4 +1114,,T1213.003,Code Repositories,[],[],,AC-6,mitigates,4 +1115,,T1218.007,Msiexec,[],[],,AC-6,mitigates,4 +1116,,T1222,File and Directory Permissions Modification,[],[],,AC-6,mitigates,4 +1117,,T1486,Data Encrypted for Impact,[],[],,AC-6,mitigates,4 +1118,,T1490,Inhibit System Recovery,[],[],,AC-6,mitigates,4 +1119,,T1491,Defacement,[],[],,AC-6,mitigates,4 +1120,,T1491.001,Internal Defacement,[],[],,AC-6,mitigates,4 +1121,,T1491.002,External Defacement,[],[],,AC-6,mitigates,4 +1122,,T1495,Firmware Corruption,[],[],,AC-6,mitigates,4 +1123,,T1505,Server Software 
Component,[],[],,AC-6,mitigates,4 +1124,,T1505.003,Web Shell,[],[],,AC-6,mitigates,4 +1125,,T1525,Implant Internal Image,[],[],,AC-6,mitigates,4 +1126,,T1543,Create or Modify System Process,[],[],,AC-6,mitigates,4 +1127,,T1543.003,Windows Service,[],[],,AC-6,mitigates,4 +1128,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-6,mitigates,4 +1129,,T1547.003,Time Providers,[],[],,AC-6,mitigates,4 +1130,,T1547.004,Winlogon Helper DLL,[],[],,AC-6,mitigates,4 +1131,,T1547.006,Kernel Modules and Extensions,[],[],,AC-6,mitigates,4 +1132,,T1547.009,Shortcut Modification,[],[],,AC-6,mitigates,4 +1133,,T1548.002,Bypass User Account Control,[],[],,AC-6,mitigates,4 +1134,,T1548.003,Sudo and Sudo Caching,[],[],,AC-6,mitigates,4 +1135,,T1556.004,Network Device Authentication,[],[],,AC-6,mitigates,4 +1136,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-6,mitigates,4 +1137,,T1558.003,Kerberoasting,[],[],,AC-6,mitigates,4 +1138,,T1559,Inter-Process Communication,[],[],,AC-6,mitigates,4 +1139,,T1559.002,Dynamic Data Exchange,[],[],,AC-6,mitigates,4 +1140,,T1562.001,Disable or Modify Tools,[],[],,AC-6,mitigates,4 +1141,,T1562.006,Indicator Blocking,[],[],,AC-6,mitigates,4 +1142,,T1562.008,Disable Cloud Logs,[],[],,AC-6,mitigates,4 +1143,,T1003,OS Credential Dumping,[],[],,AC-6,mitigates,4 +1144,,T1003.004,LSA Secrets,[],[],,AC-6,mitigates,4 +1145,,T1003.005,Cached Domain Credentials,[],[],,AC-6,mitigates,4 +1146,,T1003.006,DCSync,[],[],,AC-6,mitigates,4 +1147,,T1003.007,Proc Filesystem,[],[],,AC-6,mitigates,4 +1148,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-6,mitigates,4 +1149,,T1021,Remote Services,[],[],,AC-6,mitigates,4 +1150,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-6,mitigates,4 +1151,,T1021.003,Distributed Component Object Model,[],[],,AC-6,mitigates,4 +1152,,T1021.004,SSH,[],[],,AC-6,mitigates,4 +1153,,T1021.005,VNC,[],[],,AC-6,mitigates,4 +1154,,T1021.006,Windows Remote Management,[],[],,AC-6,mitigates,4 +1155,,T1025,Data from Removable 
Media,[],[],,AC-6,mitigates,4 +1156,,T1036,Masquerading,[],[],,AC-6,mitigates,4 +1157,,T1036.003,Rename System Utilities,[],[],,AC-6,mitigates,4 +1158,,T1036.005,Match Legitimate Name or Location,[],[],,AC-6,mitigates,4 +1159,,T1041,Exfiltration Over C2 Channel,[],[],,AC-6,mitigates,4 +1160,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-6,mitigates,4 +1161,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-6,mitigates,4 +1162,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-6,mitigates,4 +1163,,T1052,Exfiltration Over Physical Medium,[],[],,AC-6,mitigates,4 +1164,,T1052.001,Exfiltration over USB,[],[],,AC-6,mitigates,4 +1165,,T1053.006,Systemd Timers,[],[],,AC-6,mitigates,4 +1166,,T1053.007,Container Orchestration Job,[],[],,AC-6,mitigates,4 +1167,,T1055.002,Portable Executable Injection,[],[],,AC-6,mitigates,4 +1168,,T1055.003,Thread Execution Hijacking,[],[],,AC-6,mitigates,4 +1169,,T1055.004,Asynchronous Procedure Call,[],[],,AC-6,mitigates,4 +1170,,T1055.005,Thread Local Storage,[],[],,AC-6,mitigates,4 +1171,,T1055.008,Ptrace System Calls,[],[],,AC-6,mitigates,4 +1172,,T1055.009,Proc Memory,[],[],,AC-6,mitigates,4 +1173,,T1055.011,Extra Window Memory Injection,[],[],,AC-6,mitigates,4 +1174,,T1055.012,Process Hollowing,[],[],,AC-6,mitigates,4 +1175,,T1055.013,Process Doppelgänging,[],[],,AC-6,mitigates,4 +1176,,T1056.003,Web Portal Capture,[],[],,AC-6,mitigates,4 +1177,,T1059.003,Windows Command Shell,[],[],,AC-6,mitigates,4 +1178,,T1059.004,Unix Shell,[],[],,AC-6,mitigates,4 +1179,,T1059.006,Python,[],[],,AC-6,mitigates,4 +1180,,T1059.007,JavaScript,[],[],,AC-6,mitigates,4 +1181,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-6,mitigates,4 +1182,,T1072,Software Deployment Tools,[],[],,AC-6,mitigates,4 +1183,,T1078.001,Default Accounts,[],[],,AC-6,mitigates,4 +1184,,T1078.003,Local Accounts,[],[],,AC-6,mitigates,4 +1185,,T1087.004,Cloud Account,[],[],,AC-6,mitigates,4 +1186,,T1110,Brute 
Force,[],[],,AC-6,mitigates,4 +1187,,T1110.003,Password Spraying,[],[],,AC-6,mitigates,4 +1188,,T1110.004,Credential Stuffing,[],[],,AC-6,mitigates,4 +1189,,T1112,Modify Registry,[],[],,AC-6,mitigates,4 +1190,,T1134,Access Token Manipulation,[],[],,AC-6,mitigates,4 +1191,,T1134.001,Token Impersonation/Theft,[],[],,AC-6,mitigates,4 +1192,,T1134.002,Create Process with Token,[],[],,AC-6,mitigates,4 +1193,,T1134.003,Make and Impersonate Token,[],[],,AC-6,mitigates,4 +1194,,T1134.005,SID-History Injection,[],[],,AC-6,mitigates,4 +1195,,T1136,Create Account,[],[],,AC-6,mitigates,4 +1196,,T1136.001,Local Account,[],[],,AC-6,mitigates,4 +1197,,T1136.002,Domain Account,[],[],,AC-6,mitigates,4 +1198,,T1136.003,Cloud Account,[],[],,AC-6,mitigates,4 +1199,,T1137,Office Application Startup,[],[],,AC-6,mitigates,4 +1200,,T1137.001,Office Template Macros,[],[],,AC-6,mitigates,4 +1201,,T1137.002,Office Test,[],[],,AC-6,mitigates,4 +1202,,T1137.003,Outlook Forms,[],[],,AC-6,mitigates,4 +1203,,T1137.004,Outlook Home Page,[],[],,AC-6,mitigates,4 +1204,,T1137.005,Outlook Rules,[],[],,AC-6,mitigates,4 +1205,,T1137.006,Add-ins,[],[],,AC-6,mitigates,4 +1206,,T1185,Browser Session Hijacking,[],[],,AC-6,mitigates,4 +1207,,T1213,Data from Information Repositories,[],[],,AC-6,mitigates,4 +1208,,T1213.001,Confluence,[],[],,AC-6,mitigates,4 +1209,,T1213.002,Sharepoint,[],[],,AC-6,mitigates,4 +1210,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-6,mitigates,4 +1211,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-6,mitigates,4 +1212,,T1484,Domain Policy Modification,[],[],,AC-6,mitigates,4 +1213,,T1485,Data Destruction,[],[],,AC-6,mitigates,4 +1214,,T1489,Service Stop,[],[],,AC-6,mitigates,4 +1215,,T1505.002,Transport Agent,[],[],,AC-6,mitigates,4 +1216,,T1505.004,IIS Components,[],[],,AC-6,mitigates,4 +1217,,T1538,Cloud Service Dashboard,[],[],,AC-6,mitigates,4 +1218,,T1539,Steal Web Session Cookie,[],[],,AC-6,mitigates,4 
+1219,,T1542,Pre-OS Boot,[],[],,AC-6,mitigates,4 +1220,,T1542.001,System Firmware,[],[],,AC-6,mitigates,4 +1221,,T1542.003,Bootkit,[],[],,AC-6,mitigates,4 +1222,,T1542.004,ROMMONkit,[],[],,AC-6,mitigates,4 +1223,,T1542.005,TFTP Boot,[],[],,AC-6,mitigates,4 +1224,,T1543.002,Systemd Service,[],[],,AC-6,mitigates,4 +1225,,T1543.004,Launch Daemon,[],[],,AC-6,mitigates,4 +1226,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-6,mitigates,4 +1227,,T1546.011,Application Shimming,[],[],,AC-6,mitigates,4 +1228,,T1546.013,PowerShell Profile,[],[],,AC-6,mitigates,4 +1229,,T1547.012,Print Processors,[],[],,AC-6,mitigates,4 +1230,,T1547.013,XDG Autostart Entries,[],[],,AC-6,mitigates,4 +1231,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-6,mitigates,4 +1232,,T1550,Use Alternate Authentication Material,[],[],,AC-6,mitigates,4 +1233,,T1550.002,Pass the Hash,[],[],,AC-6,mitigates,4 +1234,,T1550.003,Pass the Ticket,[],[],,AC-6,mitigates,4 +1235,,T1552,Unsecured Credentials,[],[],,AC-6,mitigates,4 +1236,,T1552.001,Credentials In Files,[],[],,AC-6,mitigates,4 +1237,,T1552.002,Credentials in Registry,[],[],,AC-6,mitigates,4 +1238,,T1552.006,Group Policy Preferences,[],[],,AC-6,mitigates,4 +1239,,T1553,Subvert Trust Controls,[],[],,AC-6,mitigates,4 +1240,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-6,mitigates,4 +1241,,T1553.006,Code Signing Policy Modification,[],[],,AC-6,mitigates,4 +1242,,T1556.001,Domain Controller Authentication,[],[],,AC-6,mitigates,4 +1243,,T1556.003,Pluggable Authentication Modules,[],[],,AC-6,mitigates,4 +1244,,T1558.001,Golden Ticket,[],[],,AC-6,mitigates,4 +1245,,T1558.002,Silver Ticket,[],[],,AC-6,mitigates,4 +1246,,T1559.001,Component Object Model,[],[],,AC-6,mitigates,4 +1247,,T1561,Disk Wipe,[],[],,AC-6,mitigates,4 +1248,,T1561.001,Disk Content Wipe,[],[],,AC-6,mitigates,4 +1249,,T1561.002,Disk Structure Wipe,[],[],,AC-6,mitigates,4 +1250,,T1562.002,Disable Windows Event Logging,[],[],,AC-6,mitigates,4 +1251,,T1562.004,Disable or 
Modify System Firewall,[],[],,AC-6,mitigates,4 +1252,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-6,mitigates,4 +1253,,T1562.009,Safe Mode Boot,[],[],,AC-6,mitigates,4 +1254,,T1563,Remote Service Session Hijacking,[],[],,AC-6,mitigates,4 +1255,,T1563.001,SSH Hijacking,[],[],,AC-6,mitigates,4 +1256,,T1563.002,RDP Hijacking,[],[],,AC-6,mitigates,4 +1257,,T1569,System Services,[],[],,AC-6,mitigates,4 +1258,,T1569.001,Launchctl,[],[],,AC-6,mitigates,4 +1259,,T1569.002,Service Execution,[],[],,AC-6,mitigates,4 +1260,,T1574.004,Dylib Hijacking,[],[],,AC-6,mitigates,4 +1261,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-6,mitigates,4 +1262,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-6,mitigates,4 +1263,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-6,mitigates,4 +1264,,T1574.010,Services File Permissions Weakness,[],[],,AC-6,mitigates,4 +1265,,T1574.012,COR_PROFILER,[],[],,AC-6,mitigates,4 +1266,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-6,mitigates,4 +1267,,T1578.001,Create Snapshot,[],[],,AC-6,mitigates,4 +1268,,T1578.002,Create Cloud Instance,[],[],,AC-6,mitigates,4 +1269,,T1578.003,Delete Cloud Instance,[],[],,AC-6,mitigates,4 +1270,,T1599.001,Network Address Translation Traversal,[],[],,AC-6,mitigates,4 +1271,,T1601,Modify System Image,[],[],,AC-6,mitigates,4 +1272,,T1601.001,Patch System Image,[],[],,AC-6,mitigates,4 +1273,,T1601.002,Downgrade System Image,[],[],,AC-6,mitigates,4 +1274,,T1606,Forge Web Credentials,[],[],,AC-6,mitigates,4 +1275,,T1606.001,Web Cookies,[],[],,AC-6,mitigates,4 +1276,,T1606.002,SAML Tokens,[],[],,AC-6,mitigates,4 +1277,,T1612,Build Image on Host,[],[],,AC-6,mitigates,4 +1278,,T1613,Container and Resource Discovery,[],[],,AC-6,mitigates,4 +1279,,T1619,Cloud Storage Object Discovery,[],[],,AC-6,mitigates,4 +1280,,T1556,Modify Authentication Process,[],[],,AC-7,mitigates,4 +1281,,T1133,External Remote Services,[],[],,AC-7,mitigates,4 +1282,,T1110.001,Password 
Guessing,[],[],,AC-7,mitigates,4 +1283,,T1110.002,Password Cracking,[],[],,AC-7,mitigates,4 +1284,,T1530,Data from Cloud Storage Object,[],[],,AC-7,mitigates,4 +1285,,T1021.001,Remote Desktop Protocol,[],[],,AC-7,mitigates,4 +1286,,T1078.002,Domain Accounts,[],[],,AC-7,mitigates,4 +1287,,T1078.004,Cloud Accounts,[],[],,AC-7,mitigates,4 +1288,,T1556.004,Network Device Authentication,[],[],,AC-7,mitigates,4 +1289,,T1021,Remote Services,[],[],,AC-7,mitigates,4 +1290,,T1021.004,SSH,[],[],,AC-7,mitigates,4 +1291,,T1110,Brute Force,[],[],,AC-7,mitigates,4 +1292,,T1110.003,Password Spraying,[],[],,AC-7,mitigates,4 +1293,,T1110.004,Credential Stuffing,[],[],,AC-7,mitigates,4 +1294,,T1556.001,Domain Controller Authentication,[],[],,AC-7,mitigates,4 +1295,,T1556.003,Pluggable Authentication Modules,[],[],,AC-7,mitigates,4 +1296,,T1199,Trusted Relationship,[],[],,AC-8,mitigates,4 +1297,,T1556.006,Multi-Factor Authentication,[],[],,AU-1,mitigates,4 +1298,,T1556.007,Hybrid Identity,[],[],,AU-1,mitigates,4 +1299,,T1556.006,Multi-Factor Authentication,[],[],,AU-2,mitigates,4 +1300,,T1556.007,Hybrid Identity,[],[],,AU-2,mitigates,4 +1301,,T1593.003,Code Repositories,[],[],,AU-5,mitigates,4 +1302,,T1649,Steal or Forge Authentication Certificates,[],[],,AU-5,mitigates,4 +1303,,T1593.003,Code Repositories,[],[],,AU-6,mitigates,4 +1304,,T1190,Exploit Public-Facing Application,[],[],,CA-2,mitigates,4 +1305,,T1195,Supply Chain Compromise,[],[],,CA-2,mitigates,4 +1306,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-2,mitigates,4 +1307,,T1195.002,Compromise Software Supply Chain,[],[],,CA-2,mitigates,4 +1308,,T1210,Exploitation of Remote Services,[],[],,CA-2,mitigates,4 +1309,,T1567,Exfiltration Over Web Service,[],[],,CA-3,mitigates,4 +1310,,T1020.001,Traffic Duplication,[],[],,CA-3,mitigates,4 +1311,,T1041,Exfiltration Over C2 Channel,[],[],,CA-3,mitigates,4 +1312,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-3,mitigates,4 
+1313,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-3,mitigates,4 +1314,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-3,mitigates,4 +1315,,T1070.007,Clear Network Connection History and Configurations,[],[],,CA-7,mitigates,4 +1316,,T1070.008,Clear Mailbox Data,[],[],,CA-7,mitigates,4 +1317,,T1070.009,Clear Persistence,[],[],,CA-7,mitigates,4 +1318,,T1546.016,Installer Packages,[],[],,CA-7,mitigates,4 +1319,,T1564.010,Process Argument Spoofing,[],[],,CA-7,mitigates,4 +1320,,T1574.013,KernelCallbackTable,[],[],,CA-7,mitigates,4 +1321,,T1557.003,DHCP Spoofing,[],[],,CA-7,mitigates,4 +1322,,T1622,Debugger Evasion,[],[],,CA-7,mitigates,4 +1323,,T1647,Plist File Modification,[],[],,CA-7,mitigates,4 +1324,,T1556,Modify Authentication Process,[],[],,CA-7,mitigates,4 +1325,,T1562,Impair Defenses,[],[],,CA-7,mitigates,4 +1326,,T1574,Hijack Execution Flow,[],[],,CA-7,mitigates,4 +1327,,T1068,Exploitation for Privilege Escalation,[],[],,CA-7,mitigates,4 +1328,,T1212,Exploitation for Credential Access,[],[],,CA-7,mitigates,4 +1329,,T1059,Command and Scripting Interpreter,[],[],,CA-7,mitigates,4 +1330,,T1070.001,Clear Windows Event Logs,[],[],,CA-7,mitigates,4 +1331,,T1203,Exploitation for Client Execution,[],[],,CA-7,mitigates,4 +1332,,T1211,Exploitation for Defense Evasion,[],[],,CA-7,mitigates,4 +1333,,T1537,Transfer Data to Cloud Account,[],[],,CA-7,mitigates,4 +1334,,T1567,Exfiltration Over Web Service,[],[],,CA-7,mitigates,4 +1335,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-7,mitigates,4 +1336,,T1003.001,LSASS Memory,[],[],,CA-7,mitigates,4 +1337,,T1003.002,Security Account Manager,[],[],,CA-7,mitigates,4 +1338,,T1003.003,NTDS,[],[],,CA-7,mitigates,4 +1339,,T1046,Network Service Scanning,[],[],,CA-7,mitigates,4 +1340,,T1056.002,GUI Input Capture,[],[],,CA-7,mitigates,4 +1341,,T1078,Valid Accounts,[],[],,CA-7,mitigates,4 +1342,,T1110.001,Password Guessing,[],[],,CA-7,mitigates,4 
+1343,,T1110.002,Password Cracking,[],[],,CA-7,mitigates,4 +1344,,T1111,Two-Factor Authentication Interception,[],[],,CA-7,mitigates,4 +1345,,T1201,Password Policy Discovery,[],[],,CA-7,mitigates,4 +1346,,T1218,Signed Binary Proxy Execution,[],[],,CA-7,mitigates,4 +1347,,T1218.011,Rundll32,[],[],,CA-7,mitigates,4 +1348,,T1528,Steal Application Access Token,[],[],,CA-7,mitigates,4 +1349,,T1530,Data from Cloud Storage Object,[],[],,CA-7,mitigates,4 +1350,,T1555.001,Keychain,[],[],,CA-7,mitigates,4 +1351,,T1557,Adversary-in-the-Middle,[],[],,CA-7,mitigates,4 +1352,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CA-7,mitigates,4 +1353,,T1566.002,Spearphishing Link,[],[],,CA-7,mitigates,4 +1354,,T1598.003,Spearphishing Link,[],[],,CA-7,mitigates,4 +1355,,T1599,Network Boundary Bridging,[],[],,CA-7,mitigates,4 +1356,,T1037.002,Logon Script (Mac),[],[],,CA-7,mitigates,4 +1357,,T1037.005,Startup Items,[],[],,CA-7,mitigates,4 +1358,,T1059.005,Visual Basic,[],[],,CA-7,mitigates,4 +1359,,T1070,Indicator Removal on Host,[],[],,CA-7,mitigates,4 +1360,,T1070.003,Clear Command History,[],[],,CA-7,mitigates,4 +1361,,T1078.004,Cloud Accounts,[],[],,CA-7,mitigates,4 +1362,,T1095,Non-Application Layer Protocol,[],[],,CA-7,mitigates,4 +1363,,T1105,Ingress Tool Transfer,[],[],,CA-7,mitigates,4 +1364,,T1176,Browser Extensions,[],[],,CA-7,mitigates,4 +1365,,T1189,Drive-by Compromise,[],[],,CA-7,mitigates,4 +1366,,T1190,Exploit Public-Facing Application,[],[],,CA-7,mitigates,4 +1367,,T1195,Supply Chain Compromise,[],[],,CA-7,mitigates,4 +1368,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-7,mitigates,4 +1369,,T1195.002,Compromise Software Supply Chain,[],[],,CA-7,mitigates,4 +1370,,T1197,BITS Jobs,[],[],,CA-7,mitigates,4 +1371,,T1204,User Execution,[],[],,CA-7,mitigates,4 +1372,,T1204.002,Malicious File,[],[],,CA-7,mitigates,4 +1373,,T1205,Traffic Signaling,[],[],,CA-7,mitigates,4 +1374,,T1205.001,Port Knocking,[],[],,CA-7,mitigates,4 
+1375,,T1210,Exploitation of Remote Services,[],[],,CA-7,mitigates,4 +1376,,T1213.003,Code Repositories,[],[],,CA-7,mitigates,4 +1377,,T1218.010,Regsvr32,[],[],,CA-7,mitigates,4 +1378,,T1218.012,Verclsid,[],[],,CA-7,mitigates,4 +1379,,T1219,Remote Access Software,[],[],,CA-7,mitigates,4 +1380,,T1221,Template Injection,[],[],,CA-7,mitigates,4 +1381,,T1222,File and Directory Permissions Modification,[],[],,CA-7,mitigates,4 +1382,,T1498.001,Direct Network Flood,[],[],,CA-7,mitigates,4 +1383,,T1498.002,Reflection Amplification,[],[],,CA-7,mitigates,4 +1384,,T1499,Endpoint Denial of Service,[],[],,CA-7,mitigates,4 +1385,,T1499.001,OS Exhaustion Flood,[],[],,CA-7,mitigates,4 +1386,,T1499.002,Service Exhaustion Flood,[],[],,CA-7,mitigates,4 +1387,,T1499.003,Application Exhaustion Flood,[],[],,CA-7,mitigates,4 +1388,,T1499.004,Application or System Exploitation,[],[],,CA-7,mitigates,4 +1389,,T1543,Create or Modify System Process,[],[],,CA-7,mitigates,4 +1390,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CA-7,mitigates,4 +1391,,T1547.003,Time Providers,[],[],,CA-7,mitigates,4 +1392,,T1548.003,Sudo and Sudo Caching,[],[],,CA-7,mitigates,4 +1393,,T1552.005,Cloud Instance Metadata API,[],[],,CA-7,mitigates,4 +1394,,T1555.002,Securityd Memory,[],[],,CA-7,mitigates,4 +1395,,T1558,Steal or Forge Kerberos Tickets,[],[],,CA-7,mitigates,4 +1396,,T1558.003,Kerberoasting,[],[],,CA-7,mitigates,4 +1397,,T1562.001,Disable or Modify Tools,[],[],,CA-7,mitigates,4 +1398,,T1562.006,Indicator Blocking,[],[],,CA-7,mitigates,4 +1399,,T1565,Data Manipulation,[],[],,CA-7,mitigates,4 +1400,,T1565.001,Stored Data Manipulation,[],[],,CA-7,mitigates,4 +1401,,T1565.003,Runtime Data Manipulation,[],[],,CA-7,mitigates,4 +1402,,T1568.002,Domain Generation Algorithms,[],[],,CA-7,mitigates,4 +1403,,T1570,Lateral Tool Transfer,[],[],,CA-7,mitigates,4 +1404,,T1602.002,Network Device Configuration Dump,[],[],,CA-7,mitigates,4 +1405,,T1001,Data Obfuscation,[],[],,CA-7,mitigates,4 
+1406,,T1001.001,Junk Data,[],[],,CA-7,mitigates,4 +1407,,T1001.002,Steganography,[],[],,CA-7,mitigates,4 +1408,,T1001.003,Protocol Impersonation,[],[],,CA-7,mitigates,4 +1409,,T1003,OS Credential Dumping,[],[],,CA-7,mitigates,4 +1410,,T1003.004,LSA Secrets,[],[],,CA-7,mitigates,4 +1411,,T1003.005,Cached Domain Credentials,[],[],,CA-7,mitigates,4 +1412,,T1003.006,DCSync,[],[],,CA-7,mitigates,4 +1413,,T1003.007,Proc Filesystem,[],[],,CA-7,mitigates,4 +1414,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CA-7,mitigates,4 +1415,,T1008,Fallback Channels,[],[],,CA-7,mitigates,4 +1416,,T1021.002,SMB/Windows Admin Shares,[],[],,CA-7,mitigates,4 +1417,,T1021.005,VNC,[],[],,CA-7,mitigates,4 +1418,,T1029,Scheduled Transfer,[],[],,CA-7,mitigates,4 +1419,,T1030,Data Transfer Size Limits,[],[],,CA-7,mitigates,4 +1420,,T1036,Masquerading,[],[],,CA-7,mitigates,4 +1421,,T1036.003,Rename System Utilities,[],[],,CA-7,mitigates,4 +1422,,T1036.005,Match Legitimate Name or Location,[],[],,CA-7,mitigates,4 +1423,,T1036.007,Double File Extension,[],[],,CA-7,mitigates,4 +1424,,T1037,Boot or Logon Initialization Scripts,[],[],,CA-7,mitigates,4 +1425,,T1037.003,Network Logon Script,[],[],,CA-7,mitigates,4 +1426,,T1037.004,RC Scripts,[],[],,CA-7,mitigates,4 +1427,,T1041,Exfiltration Over C2 Channel,[],[],,CA-7,mitigates,4 +1428,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-7,mitigates,4 +1429,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,4 +1430,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,4 +1431,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-7,mitigates,4 +1432,,T1052,Exfiltration Over Physical Medium,[],[],,CA-7,mitigates,4 +1433,,T1052.001,Exfiltration over USB,[],[],,CA-7,mitigates,4 +1434,,T1053.006,Systemd Timers,[],[],,CA-7,mitigates,4 +1435,,T1055.009,Proc Memory,[],[],,CA-7,mitigates,4 +1436,,T1059.007,JavaScript,[],[],,CA-7,mitigates,4 +1437,,T1070.002,Clear 
Linux or Mac System Logs,[],[],,CA-7,mitigates,4 +1438,,T1071,Application Layer Protocol,[],[],,CA-7,mitigates,4 +1439,,T1071.001,Web Protocols,[],[],,CA-7,mitigates,4 +1440,,T1071.002,File Transfer Protocols,[],[],,CA-7,mitigates,4 +1441,,T1071.003,Mail Protocols,[],[],,CA-7,mitigates,4 +1442,,T1071.004,DNS,[],[],,CA-7,mitigates,4 +1443,,T1072,Software Deployment Tools,[],[],,CA-7,mitigates,4 +1444,,T1078.001,Default Accounts,[],[],,CA-7,mitigates,4 +1445,,T1078.003,Local Accounts,[],[],,CA-7,mitigates,4 +1446,,T1080,Taint Shared Content,[],[],,CA-7,mitigates,4 +1447,,T1090,Proxy,[],[],,CA-7,mitigates,4 +1448,,T1090.001,Internal Proxy,[],[],,CA-7,mitigates,4 +1449,,T1090.002,External Proxy,[],[],,CA-7,mitigates,4 +1450,,T1090.003,Multi-hop Proxy,[],[],,CA-7,mitigates,4 +1451,,T1102,Web Service,[],[],,CA-7,mitigates,4 +1452,,T1102.001,Dead Drop Resolver,[],[],,CA-7,mitigates,4 +1453,,T1102.002,Bidirectional Communication,[],[],,CA-7,mitigates,4 +1454,,T1102.003,One-Way Communication,[],[],,CA-7,mitigates,4 +1455,,T1104,Multi-Stage Channels,[],[],,CA-7,mitigates,4 +1456,,T1110,Brute Force,[],[],,CA-7,mitigates,4 +1457,,T1110.003,Password Spraying,[],[],,CA-7,mitigates,4 +1458,,T1110.004,Credential Stuffing,[],[],,CA-7,mitigates,4 +1459,,T1132,Data Encoding,[],[],,CA-7,mitigates,4 +1460,,T1132.001,Standard Encoding,[],[],,CA-7,mitigates,4 +1461,,T1132.002,Non-Standard Encoding,[],[],,CA-7,mitigates,4 +1462,,T1185,Browser Session Hijacking,[],[],,CA-7,mitigates,4 +1463,,T1187,Forced Authentication,[],[],,CA-7,mitigates,4 +1464,,T1204.001,Malicious Link,[],[],,CA-7,mitigates,4 +1465,,T1204.003,Malicious Image,[],[],,CA-7,mitigates,4 +1466,,T1213,Data from Information Repositories,[],[],,CA-7,mitigates,4 +1467,,T1213.001,Confluence,[],[],,CA-7,mitigates,4 +1468,,T1213.002,Sharepoint,[],[],,CA-7,mitigates,4 +1469,,T1218.002,Control Panel,[],[],,CA-7,mitigates,4 +1470,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CA-7,mitigates,4 
+1471,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CA-7,mitigates,4 +1472,,T1489,Service Stop,[],[],,CA-7,mitigates,4 +1473,,T1498,Network Denial of Service,[],[],,CA-7,mitigates,4 +1474,,T1539,Steal Web Session Cookie,[],[],,CA-7,mitigates,4 +1475,,T1542.004,ROMMONkit,[],[],,CA-7,mitigates,4 +1476,,T1542.005,TFTP Boot,[],[],,CA-7,mitigates,4 +1477,,T1543.002,Systemd Service,[],[],,CA-7,mitigates,4 +1478,,T1546.004,Unix Shell Configuration Modification,[],[],,CA-7,mitigates,4 +1479,,T1546.013,PowerShell Profile,[],[],,CA-7,mitigates,4 +1480,,T1547.013,XDG Autostart Entries,[],[],,CA-7,mitigates,4 +1481,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-7,mitigates,4 +1482,,T1550.003,Pass the Ticket,[],[],,CA-7,mitigates,4 +1483,,T1552,Unsecured Credentials,[],[],,CA-7,mitigates,4 +1484,,T1552.001,Credentials In Files,[],[],,CA-7,mitigates,4 +1485,,T1552.002,Credentials in Registry,[],[],,CA-7,mitigates,4 +1486,,T1552.004,Private Keys,[],[],,CA-7,mitigates,4 +1487,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CA-7,mitigates,4 +1488,,T1555,Credentials from Password Stores,[],[],,CA-7,mitigates,4 +1489,,T1556.001,Domain Controller Authentication,[],[],,CA-7,mitigates,4 +1490,,T1557.002,ARP Cache Poisoning,[],[],,CA-7,mitigates,4 +1491,,T1558.002,Silver Ticket,[],[],,CA-7,mitigates,4 +1492,,T1558.004,AS-REP Roasting,[],[],,CA-7,mitigates,4 +1493,,T1562.002,Disable Windows Event Logging,[],[],,CA-7,mitigates,4 +1494,,T1562.004,Disable or Modify System Firewall,[],[],,CA-7,mitigates,4 +1495,,T1563.001,SSH Hijacking,[],[],,CA-7,mitigates,4 +1496,,T1564.004,NTFS File Attributes,[],[],,CA-7,mitigates,4 +1497,,T1566,Phishing,[],[],,CA-7,mitigates,4 +1498,,T1566.001,Spearphishing Attachment,[],[],,CA-7,mitigates,4 +1499,,T1566.003,Spearphishing via Service,[],[],,CA-7,mitigates,4 +1500,,T1568,Dynamic Resolution,[],[],,CA-7,mitigates,4 +1501,,T1569,System Services,[],[],,CA-7,mitigates,4 +1502,,T1569.002,Service 
Execution,[],[],,CA-7,mitigates,4 +1503,,T1571,Non-Standard Port,[],[],,CA-7,mitigates,4 +1504,,T1572,Protocol Tunneling,[],[],,CA-7,mitigates,4 +1505,,T1573,Encrypted Channel,[],[],,CA-7,mitigates,4 +1506,,T1573.001,Symmetric Cryptography,[],[],,CA-7,mitigates,4 +1507,,T1573.002,Asymmetric Cryptography,[],[],,CA-7,mitigates,4 +1508,,T1574.004,Dylib Hijacking,[],[],,CA-7,mitigates,4 +1509,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-7,mitigates,4 +1510,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-7,mitigates,4 +1511,,T1598,Phishing for Information,[],[],,CA-7,mitigates,4 +1512,,T1598.001,Spearphishing Service,[],[],,CA-7,mitigates,4 +1513,,T1598.002,Spearphishing Attachment,[],[],,CA-7,mitigates,4 +1514,,T1599.001,Network Address Translation Traversal,[],[],,CA-7,mitigates,4 +1515,,T1602,Data from Configuration Repository,[],[],,CA-7,mitigates,4 +1516,,T1602.001,SNMP (MIB Dump),[],[],,CA-7,mitigates,4 +1517,,T1574.013,KernelCallbackTable,[],[],,CA-8,mitigates,4 +1518,,T1562,Impair Defenses,[],[],,CA-8,mitigates,4 +1519,,T1574,Hijack Execution Flow,[],[],,CA-8,mitigates,4 +1520,,T1068,Exploitation for Privilege Escalation,[],[],,CA-8,mitigates,4 +1521,,T1195.003,Compromise Hardware Supply Chain,[],[],,CA-8,mitigates,4 +1522,,T1212,Exploitation for Credential Access,[],[],,CA-8,mitigates,4 +1523,,T1482,Domain Trust Discovery,[],[],,CA-8,mitigates,4 +1524,,T1059,Command and Scripting Interpreter,[],[],,CA-8,mitigates,4 +1525,,T1211,Exploitation for Defense Evasion,[],[],,CA-8,mitigates,4 +1526,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-8,mitigates,4 +1527,,T1528,Steal Application Access Token,[],[],,CA-8,mitigates,4 +1528,,T1530,Data from Cloud Storage Object,[],[],,CA-8,mitigates,4 +1529,,T1560.001,Archive via Utility,[],[],,CA-8,mitigates,4 +1530,,T1021.001,Remote Desktop Protocol,[],[],,CA-8,mitigates,4 +1531,,T1053,Scheduled Task/Job,[],[],,CA-8,mitigates,4 +1532,,T1053.002,At 
(Windows),[],[],,CA-8,mitigates,4 +1533,,T1053.003,Cron,[],[],,CA-8,mitigates,4 +1534,,T1053.005,Scheduled Task,[],[],,CA-8,mitigates,4 +1535,,T1176,Browser Extensions,[],[],,CA-8,mitigates,4 +1536,,T1210,Exploitation of Remote Services,[],[],,CA-8,mitigates,4 +1537,,T1495,Firmware Corruption,[],[],,CA-8,mitigates,4 +1538,,T1505,Server Software Component,[],[],,CA-8,mitigates,4 +1539,,T1525,Implant Internal Image,[],[],,CA-8,mitigates,4 +1540,,T1543,Create or Modify System Process,[],[],,CA-8,mitigates,4 +1541,,T1543.003,Windows Service,[],[],,CA-8,mitigates,4 +1542,,T1548.002,Bypass User Account Control,[],[],,CA-8,mitigates,4 +1543,,T1550.001,Application Access Token,[],[],,CA-8,mitigates,4 +1544,,T1021.005,VNC,[],[],,CA-8,mitigates,4 +1545,,T1204.003,Malicious Image,[],[],,CA-8,mitigates,4 +1546,,T1213,Data from Information Repositories,[],[],,CA-8,mitigates,4 +1547,,T1213.001,Confluence,[],[],,CA-8,mitigates,4 +1548,,T1213.002,Sharepoint,[],[],,CA-8,mitigates,4 +1549,,T1484,Domain Policy Modification,[],[],,CA-8,mitigates,4 +1550,,T1505.001,SQL Stored Procedures,[],[],,CA-8,mitigates,4 +1551,,T1505.002,Transport Agent,[],[],,CA-8,mitigates,4 +1552,,T1505.004,IIS Components,[],[],,CA-8,mitigates,4 +1553,,T1542,Pre-OS Boot,[],[],,CA-8,mitigates,4 +1554,,T1542.001,System Firmware,[],[],,CA-8,mitigates,4 +1555,,T1542.003,Bootkit,[],[],,CA-8,mitigates,4 +1556,,T1542.004,ROMMONkit,[],[],,CA-8,mitigates,4 +1557,,T1542.005,TFTP Boot,[],[],,CA-8,mitigates,4 +1558,,T1543.004,Launch Daemon,[],[],,CA-8,mitigates,4 +1559,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-8,mitigates,4 +1560,,T1552,Unsecured Credentials,[],[],,CA-8,mitigates,4 +1561,,T1552.001,Credentials In Files,[],[],,CA-8,mitigates,4 +1562,,T1552.002,Credentials in Registry,[],[],,CA-8,mitigates,4 +1563,,T1552.004,Private Keys,[],[],,CA-8,mitigates,4 +1564,,T1552.006,Group Policy Preferences,[],[],,CA-8,mitigates,4 +1565,,T1553,Subvert Trust Controls,[],[],,CA-8,mitigates,4 +1566,,T1553.006,Code Signing 
Policy Modification,[],[],,CA-8,mitigates,4 +1567,,T1554,Compromise Client Software Binary,[],[],,CA-8,mitigates,4 +1568,,T1558.004,AS-REP Roasting,[],[],,CA-8,mitigates,4 +1569,,T1560,Archive Collected Data,[],[],,CA-8,mitigates,4 +1570,,T1563,Remote Service Session Hijacking,[],[],,CA-8,mitigates,4 +1571,,T1574.001,DLL Search Order Hijacking,[],[],,CA-8,mitigates,4 +1572,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CA-8,mitigates,4 +1573,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-8,mitigates,4 +1574,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-8,mitigates,4 +1575,,T1574.010,Services File Permissions Weakness,[],[],,CA-8,mitigates,4 +1576,,T1578,Modify Cloud Compute Infrastructure,[],[],,CA-8,mitigates,4 +1577,,T1578.001,Create Snapshot,[],[],,CA-8,mitigates,4 +1578,,T1578.002,Create Cloud Instance,[],[],,CA-8,mitigates,4 +1579,,T1578.003,Delete Cloud Instance,[],[],,CA-8,mitigates,4 +1580,,T1601,Modify System Image,[],[],,CA-8,mitigates,4 +1581,,T1601.001,Patch System Image,[],[],,CA-8,mitigates,4 +1582,,T1601.002,Downgrade System Image,[],[],,CA-8,mitigates,4 +1583,,T1612,Build Image on Host,[],[],,CA-8,mitigates,4 +1584,,T1550.001,Application Access Token,[],[],,CM-10,mitigates,4 +1585,,T1559,Inter-Process Communication,[],[],,CM-10,mitigates,4 +1586,,T1559.002,Dynamic Data Exchange,[],[],,CM-10,mitigates,4 +1587,,T1562.006,Indicator Blocking,[],[],,CM-10,mitigates,4 +1588,,T1546.008,Accessibility Features,[],[],,CM-10,mitigates,4 +1589,,T1546.013,PowerShell Profile,[],[],,CM-10,mitigates,4 +1590,,T1553,Subvert Trust Controls,[],[],,CM-10,mitigates,4 +1591,,T1553.004,Install Root Certificate,[],[],,CM-10,mitigates,4 +1592,,T1562.009,Safe Mode Boot,[],[],,CM-10,mitigates,4 +1593,,T1543.001,Launch Agent,[],[],,CM-11,mitigates,4 +1594,,T1059,Command and Scripting Interpreter,[],[],,CM-11,mitigates,4 +1595,,T1218,Signed Binary Proxy Execution,[],[],,CM-11,mitigates,4 +1596,,T1176,Browser 
Extensions,[],[],,CM-11,mitigates,4 +1597,,T1195,Supply Chain Compromise,[],[],,CM-11,mitigates,4 +1598,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-11,mitigates,4 +1599,,T1195.002,Compromise Software Supply Chain,[],[],,CM-11,mitigates,4 +1600,,T1218.003,CMSTP,[],[],,CM-11,mitigates,4 +1601,,T1218.004,InstallUtil,[],[],,CM-11,mitigates,4 +1602,,T1218.008,Odbcconf,[],[],,CM-11,mitigates,4 +1603,,T1218.009,Regsvcs/Regasm,[],[],,CM-11,mitigates,4 +1604,,T1218.012,Verclsid,[],[],,CM-11,mitigates,4 +1605,,T1218.013,Mavinject,[],[],,CM-11,mitigates,4 +1606,,T1218.014,MMC,[],[],,CM-11,mitigates,4 +1607,,T1505,Server Software Component,[],[],,CM-11,mitigates,4 +1608,,T1543,Create or Modify System Process,[],[],,CM-11,mitigates,4 +1609,,T1543.003,Windows Service,[],[],,CM-11,mitigates,4 +1610,,T1550.001,Application Access Token,[],[],,CM-11,mitigates,4 +1611,,T1021.005,VNC,[],[],,CM-11,mitigates,4 +1612,,T1059.006,Python,[],[],,CM-11,mitigates,4 +1613,,T1218.001,Compiled HTML File,[],[],,CM-11,mitigates,4 +1614,,T1218.002,Control Panel,[],[],,CM-11,mitigates,4 +1615,,T1218.005,Mshta,[],[],,CM-11,mitigates,4 +1616,,T1505.001,SQL Stored Procedures,[],[],,CM-11,mitigates,4 +1617,,T1505.002,Transport Agent,[],[],,CM-11,mitigates,4 +1618,,T1505.004,IIS Components,[],[],,CM-11,mitigates,4 +1619,,T1543.002,Systemd Service,[],[],,CM-11,mitigates,4 +1620,,T1543.004,Launch Daemon,[],[],,CM-11,mitigates,4 +1621,,T1547.013,XDG Autostart Entries,[],[],,CM-11,mitigates,4 +1622,,T1564.009,Resource Forking,[],[],,CM-11,mitigates,4 +1623,,T1569,System Services,[],[],,CM-11,mitigates,4 +1624,,T1569.001,Launchctl,[],[],,CM-11,mitigates,4 +1625,,T1070.007,Clear Network Connection History and Configurations,[],[],,CM-2,mitigates,4 +1626,,T1070.008,Clear Mailbox Data,[],[],,CM-2,mitigates,4 +1627,,T1070.009,Clear Persistence,[],[],,CM-2,mitigates,4 +1628,,T1505.005,Terminal Services DLL,[],[],,CM-2,mitigates,4 +1629,,T1557.003,DHCP Spoofing,[],[],,CM-2,mitigates,4 
+1630,,T1622,Debugger Evasion,[],[],,CM-2,mitigates,4 +1631,,T1647,Plist File Modification,[],[],,CM-2,mitigates,4 +1632,,T1556,Modify Authentication Process,[],[],,CM-2,mitigates,4 +1633,,T1543.001,Launch Agent,[],[],,CM-2,mitigates,4 +1634,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-2,mitigates,4 +1635,,T1562,Impair Defenses,[],[],,CM-2,mitigates,4 +1636,,T1574,Hijack Execution Flow,[],[],,CM-2,mitigates,4 +1637,,T1068,Exploitation for Privilege Escalation,[],[],,CM-2,mitigates,4 +1638,,T1133,External Remote Services,[],[],,CM-2,mitigates,4 +1639,,T1212,Exploitation for Credential Access,[],[],,CM-2,mitigates,4 +1640,,T1059,Command and Scripting Interpreter,[],[],,CM-2,mitigates,4 +1641,,T1070.001,Clear Windows Event Logs,[],[],,CM-2,mitigates,4 +1642,,T1211,Exploitation for Defense Evasion,[],[],,CM-2,mitigates,4 +1643,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-2,mitigates,4 +1644,,T1003.001,LSASS Memory,[],[],,CM-2,mitigates,4 +1645,,T1003.002,Security Account Manager,[],[],,CM-2,mitigates,4 +1646,,T1003.003,NTDS,[],[],,CM-2,mitigates,4 +1647,,T1046,Network Service Scanning,[],[],,CM-2,mitigates,4 +1648,,T1091,Replication Through Removable Media,[],[],,CM-2,mitigates,4 +1649,,T1110.001,Password Guessing,[],[],,CM-2,mitigates,4 +1650,,T1110.002,Password Cracking,[],[],,CM-2,mitigates,4 +1651,,T1111,Two-Factor Authentication Interception,[],[],,CM-2,mitigates,4 +1652,,T1119,Automated Collection,[],[],,CM-2,mitigates,4 +1653,,T1201,Password Policy Discovery,[],[],,CM-2,mitigates,4 +1654,,T1218,Signed Binary Proxy Execution,[],[],,CM-2,mitigates,4 +1655,,T1528,Steal Application Access Token,[],[],,CM-2,mitigates,4 +1656,,T1530,Data from Cloud Storage Object,[],[],,CM-2,mitigates,4 +1657,,T1555.004,Windows Credential Manager,[],[],,CM-2,mitigates,4 +1658,,T1557,Adversary-in-the-Middle,[],[],,CM-2,mitigates,4 +1659,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-2,mitigates,4 +1660,,T1566.002,Spearphishing 
Link,[],[],,CM-2,mitigates,4 +1661,,T1598.003,Spearphishing Link,[],[],,CM-2,mitigates,4 +1662,,T1599,Network Boundary Bridging,[],[],,CM-2,mitigates,4 +1663,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-2,mitigates,4 +1664,,T1020.001,Traffic Duplication,[],[],,CM-2,mitigates,4 +1665,,T1021.001,Remote Desktop Protocol,[],[],,CM-2,mitigates,4 +1666,,T1027,Obfuscated Files or Information,[],[],,CM-2,mitigates,4 +1667,,T1037.002,Logon Script (Mac),[],[],,CM-2,mitigates,4 +1668,,T1037.005,Startup Items,[],[],,CM-2,mitigates,4 +1669,,T1047,Windows Management Instrumentation,[],[],,CM-2,mitigates,4 +1670,,T1053,Scheduled Task/Job,[],[],,CM-2,mitigates,4 +1671,,T1053.002,At (Windows),[],[],,CM-2,mitigates,4 +1672,,T1053.005,Scheduled Task,[],[],,CM-2,mitigates,4 +1673,,T1059.001,PowerShell,[],[],,CM-2,mitigates,4 +1674,,T1059.002,AppleScript,[],[],,CM-2,mitigates,4 +1675,,T1059.005,Visual Basic,[],[],,CM-2,mitigates,4 +1676,,T1059.008,Network Device CLI,[],[],,CM-2,mitigates,4 +1677,,T1070,Indicator Removal on Host,[],[],,CM-2,mitigates,4 +1678,,T1070.003,Clear Command History,[],[],,CM-2,mitigates,4 +1679,,T1095,Non-Application Layer Protocol,[],[],,CM-2,mitigates,4 +1680,,T1098.004,SSH Authorized Keys,[],[],,CM-2,mitigates,4 +1681,,T1105,Ingress Tool Transfer,[],[],,CM-2,mitigates,4 +1682,,T1106,Native API,[],[],,CM-2,mitigates,4 +1683,,T1129,Shared Modules,[],[],,CM-2,mitigates,4 +1684,,T1176,Browser Extensions,[],[],,CM-2,mitigates,4 +1685,,T1189,Drive-by Compromise,[],[],,CM-2,mitigates,4 +1686,,T1204,User Execution,[],[],,CM-2,mitigates,4 +1687,,T1204.002,Malicious File,[],[],,CM-2,mitigates,4 +1688,,T1205,Traffic Signaling,[],[],,CM-2,mitigates,4 +1689,,T1210,Exploitation of Remote Services,[],[],,CM-2,mitigates,4 +1690,,T1216,Signed Script Proxy Execution,[],[],,CM-2,mitigates,4 +1691,,T1216.001,PubPrn,[],[],,CM-2,mitigates,4 +1692,,T1218.003,CMSTP,[],[],,CM-2,mitigates,4 +1693,,T1218.004,InstallUtil,[],[],,CM-2,mitigates,4 
+1694,,T1218.007,Msiexec,[],[],,CM-2,mitigates,4 +1695,,T1218.008,Odbcconf,[],[],,CM-2,mitigates,4 +1696,,T1218.009,Regsvcs/Regasm,[],[],,CM-2,mitigates,4 +1697,,T1218.012,Verclsid,[],[],,CM-2,mitigates,4 +1698,,T1218.013,Mavinject,[],[],,CM-2,mitigates,4 +1699,,T1218.014,MMC,[],[],,CM-2,mitigates,4 +1700,,T1219,Remote Access Software,[],[],,CM-2,mitigates,4 +1701,,T1221,Template Injection,[],[],,CM-2,mitigates,4 +1702,,T1486,Data Encrypted for Impact,[],[],,CM-2,mitigates,4 +1703,,T1490,Inhibit System Recovery,[],[],,CM-2,mitigates,4 +1704,,T1491,Defacement,[],[],,CM-2,mitigates,4 +1705,,T1491.001,Internal Defacement,[],[],,CM-2,mitigates,4 +1706,,T1491.002,External Defacement,[],[],,CM-2,mitigates,4 +1707,,T1505,Server Software Component,[],[],,CM-2,mitigates,4 +1708,,T1505.003,Web Shell,[],[],,CM-2,mitigates,4 +1709,,T1525,Implant Internal Image,[],[],,CM-2,mitigates,4 +1710,,T1543,Create or Modify System Process,[],[],,CM-2,mitigates,4 +1711,,T1543.003,Windows Service,[],[],,CM-2,mitigates,4 +1712,,T1546,Event Triggered Execution,[],[],,CM-2,mitigates,4 +1713,,T1546.002,Screensaver,[],[],,CM-2,mitigates,4 +1714,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-2,mitigates,4 +1715,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-2,mitigates,4 +1716,,T1547.003,Time Providers,[],[],,CM-2,mitigates,4 +1717,,T1547.007,Re-opened Applications,[],[],,CM-2,mitigates,4 +1718,,T1547.008,LSASS Driver,[],[],,CM-2,mitigates,4 +1719,,T1548.002,Bypass User Account Control,[],[],,CM-2,mitigates,4 +1720,,T1548.003,Sudo and Sudo Caching,[],[],,CM-2,mitigates,4 +1721,,T1550.001,Application Access Token,[],[],,CM-2,mitigates,4 +1722,,T1553.001,Gatekeeper Bypass,[],[],,CM-2,mitigates,4 +1723,,T1556.004,Network Device Authentication,[],[],,CM-2,mitigates,4 +1724,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-2,mitigates,4 +1725,,T1558.003,Kerberoasting,[],[],,CM-2,mitigates,4 +1726,,T1559,Inter-Process Communication,[],[],,CM-2,mitigates,4 
+1727,,T1559.002,Dynamic Data Exchange,[],[],,CM-2,mitigates,4 +1728,,T1562.001,Disable or Modify Tools,[],[],,CM-2,mitigates,4 +1729,,T1562.003,Impair Command History Logging,[],[],,CM-2,mitigates,4 +1730,,T1562.006,Indicator Blocking,[],[],,CM-2,mitigates,4 +1731,,T1562.010,Downgrade Attack,[],[],,CM-2,mitigates,4 +1732,,T1565,Data Manipulation,[],[],,CM-2,mitigates,4 +1733,,T1565.001,Stored Data Manipulation,[],[],,CM-2,mitigates,4 +1734,,T1565.002,Transmitted Data Manipulation,[],[],,CM-2,mitigates,4 +1735,,T1570,Lateral Tool Transfer,[],[],,CM-2,mitigates,4 +1736,,T1602.002,Network Device Configuration Dump,[],[],,CM-2,mitigates,4 +1737,,T1001,Data Obfuscation,[],[],,CM-2,mitigates,4 +1738,,T1001.001,Junk Data,[],[],,CM-2,mitigates,4 +1739,,T1001.002,Steganography,[],[],,CM-2,mitigates,4 +1740,,T1001.003,Protocol Impersonation,[],[],,CM-2,mitigates,4 +1741,,T1003,OS Credential Dumping,[],[],,CM-2,mitigates,4 +1742,,T1003.004,LSA Secrets,[],[],,CM-2,mitigates,4 +1743,,T1003.005,Cached Domain Credentials,[],[],,CM-2,mitigates,4 +1744,,T1003.006,DCSync,[],[],,CM-2,mitigates,4 +1745,,T1003.007,Proc Filesystem,[],[],,CM-2,mitigates,4 +1746,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-2,mitigates,4 +1747,,T1008,Fallback Channels,[],[],,CM-2,mitigates,4 +1748,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-2,mitigates,4 +1749,,T1021.003,Distributed Component Object Model,[],[],,CM-2,mitigates,4 +1750,,T1021.004,SSH,[],[],,CM-2,mitigates,4 +1751,,T1021.005,VNC,[],[],,CM-2,mitigates,4 +1752,,T1021.006,Windows Remote Management,[],[],,CM-2,mitigates,4 +1753,,T1029,Scheduled Transfer,[],[],,CM-2,mitigates,4 +1754,,T1030,Data Transfer Size Limits,[],[],,CM-2,mitigates,4 +1755,,T1036,Masquerading,[],[],,CM-2,mitigates,4 +1756,,T1036.001,Invalid Code Signature,[],[],,CM-2,mitigates,4 +1757,,T1036.003,Rename System Utilities,[],[],,CM-2,mitigates,4 +1758,,T1036.005,Match Legitimate Name or Location,[],[],,CM-2,mitigates,4 +1759,,T1036.007,Double File 
Extension,[],[],,CM-2,mitigates,4 +1760,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-2,mitigates,4 +1761,,T1037.003,Network Logon Script,[],[],,CM-2,mitigates,4 +1762,,T1037.004,RC Scripts,[],[],,CM-2,mitigates,4 +1763,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-2,mitigates,4 +1764,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,4 +1765,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,4 +1766,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-2,mitigates,4 +1767,,T1052,Exfiltration Over Physical Medium,[],[],,CM-2,mitigates,4 +1768,,T1052.001,Exfiltration over USB,[],[],,CM-2,mitigates,4 +1769,,T1059.003,Windows Command Shell,[],[],,CM-2,mitigates,4 +1770,,T1059.004,Unix Shell,[],[],,CM-2,mitigates,4 +1771,,T1059.006,Python,[],[],,CM-2,mitigates,4 +1772,,T1059.007,JavaScript,[],[],,CM-2,mitigates,4 +1773,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-2,mitigates,4 +1774,,T1071,Application Layer Protocol,[],[],,CM-2,mitigates,4 +1775,,T1071.001,Web Protocols,[],[],,CM-2,mitigates,4 +1776,,T1071.002,File Transfer Protocols,[],[],,CM-2,mitigates,4 +1777,,T1071.003,Mail Protocols,[],[],,CM-2,mitigates,4 +1778,,T1071.004,DNS,[],[],,CM-2,mitigates,4 +1779,,T1072,Software Deployment Tools,[],[],,CM-2,mitigates,4 +1780,,T1080,Taint Shared Content,[],[],,CM-2,mitigates,4 +1781,,T1090,Proxy,[],[],,CM-2,mitigates,4 +1782,,T1090.001,Internal Proxy,[],[],,CM-2,mitigates,4 +1783,,T1090.002,External Proxy,[],[],,CM-2,mitigates,4 +1784,,T1092,Communication Through Removable Media,[],[],,CM-2,mitigates,4 +1785,,T1102,Web Service,[],[],,CM-2,mitigates,4 +1786,,T1102.001,Dead Drop Resolver,[],[],,CM-2,mitigates,4 +1787,,T1102.002,Bidirectional Communication,[],[],,CM-2,mitigates,4 +1788,,T1102.003,One-Way Communication,[],[],,CM-2,mitigates,4 +1789,,T1104,Multi-Stage Channels,[],[],,CM-2,mitigates,4 +1790,,T1110,Brute Force,[],[],,CM-2,mitigates,4 
+1791,,T1110.003,Password Spraying,[],[],,CM-2,mitigates,4 +1792,,T1110.004,Credential Stuffing,[],[],,CM-2,mitigates,4 +1793,,T1114,Email Collection,[],[],,CM-2,mitigates,4 +1794,,T1114.002,Remote Email Collection,[],[],,CM-2,mitigates,4 +1795,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-2,mitigates,4 +1796,,T1127.001,MSBuild,[],[],,CM-2,mitigates,4 +1797,,T1132,Data Encoding,[],[],,CM-2,mitigates,4 +1798,,T1132.001,Standard Encoding,[],[],,CM-2,mitigates,4 +1799,,T1132.002,Non-Standard Encoding,[],[],,CM-2,mitigates,4 +1800,,T1134.005,SID-History Injection,[],[],,CM-2,mitigates,4 +1801,,T1137,Office Application Startup,[],[],,CM-2,mitigates,4 +1802,,T1137.001,Office Template Macros,[],[],,CM-2,mitigates,4 +1803,,T1137.002,Office Test,[],[],,CM-2,mitigates,4 +1804,,T1137.003,Outlook Forms,[],[],,CM-2,mitigates,4 +1805,,T1137.004,Outlook Home Page,[],[],,CM-2,mitigates,4 +1806,,T1137.005,Outlook Rules,[],[],,CM-2,mitigates,4 +1807,,T1137.006,Add-ins,[],[],,CM-2,mitigates,4 +1808,,T1185,Browser Session Hijacking,[],[],,CM-2,mitigates,4 +1809,,T1187,Forced Authentication,[],[],,CM-2,mitigates,4 +1810,,T1204.001,Malicious Link,[],[],,CM-2,mitigates,4 +1811,,T1204.003,Malicious Image,[],[],,CM-2,mitigates,4 +1812,,T1213,Data from Information Repositories,[],[],,CM-2,mitigates,4 +1813,,T1213.001,Confluence,[],[],,CM-2,mitigates,4 +1814,,T1213.002,Sharepoint,[],[],,CM-2,mitigates,4 +1815,,T1218.001,Compiled HTML File,[],[],,CM-2,mitigates,4 +1816,,T1218.002,Control Panel,[],[],,CM-2,mitigates,4 +1817,,T1218.005,Mshta,[],[],,CM-2,mitigates,4 +1818,,T1220,XSL Script Processing,[],[],,CM-2,mitigates,4 +1819,,T1484,Domain Policy Modification,[],[],,CM-2,mitigates,4 +1820,,T1485,Data Destruction,[],[],,CM-2,mitigates,4 +1821,,T1505.001,SQL Stored Procedures,[],[],,CM-2,mitigates,4 +1822,,T1505.002,Transport Agent,[],[],,CM-2,mitigates,4 +1823,,T1505.004,IIS Components,[],[],,CM-2,mitigates,4 +1824,,T1539,Steal Web Session Cookie,[],[],,CM-2,mitigates,4 
+1825,,T1542.004,ROMMONkit,[],[],,CM-2,mitigates,4 +1826,,T1542.005,TFTP Boot,[],[],,CM-2,mitigates,4 +1827,,T1543.002,Systemd Service,[],[],,CM-2,mitigates,4 +1828,,T1543.004,Launch Daemon,[],[],,CM-2,mitigates,4 +1829,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-2,mitigates,4 +1830,,T1546.010,AppInit DLLs,[],[],,CM-2,mitigates,4 +1831,,T1546.013,PowerShell Profile,[],[],,CM-2,mitigates,4 +1832,,T1546.014,Emond,[],[],,CM-2,mitigates,4 +1833,,T1547.013,XDG Autostart Entries,[],[],,CM-2,mitigates,4 +1834,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-2,mitigates,4 +1835,,T1548.004,Elevated Execution with Prompt,[],[],,CM-2,mitigates,4 +1836,,T1550.003,Pass the Ticket,[],[],,CM-2,mitigates,4 +1837,,T1552,Unsecured Credentials,[],[],,CM-2,mitigates,4 +1838,,T1552.001,Credentials In Files,[],[],,CM-2,mitigates,4 +1839,,T1552.004,Private Keys,[],[],,CM-2,mitigates,4 +1840,,T1552.006,Group Policy Preferences,[],[],,CM-2,mitigates,4 +1841,,T1553,Subvert Trust Controls,[],[],,CM-2,mitigates,4 +1842,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-2,mitigates,4 +1843,,T1554,Compromise Client Software Binary,[],[],,CM-2,mitigates,4 +1844,,T1555.005,Password Managers,[],[],,CM-2,mitigates,4 +1845,,T1557.002,ARP Cache Poisoning,[],[],,CM-2,mitigates,4 +1846,,T1558.001,Golden Ticket,[],[],,CM-2,mitigates,4 +1847,,T1558.002,Silver Ticket,[],[],,CM-2,mitigates,4 +1848,,T1558.004,AS-REP Roasting,[],[],,CM-2,mitigates,4 +1849,,T1559.001,Component Object Model,[],[],,CM-2,mitigates,4 +1850,,T1561,Disk Wipe,[],[],,CM-2,mitigates,4 +1851,,T1561.001,Disk Content Wipe,[],[],,CM-2,mitigates,4 +1852,,T1561.002,Disk Structure Wipe,[],[],,CM-2,mitigates,4 +1853,,T1562.002,Disable Windows Event Logging,[],[],,CM-2,mitigates,4 +1854,,T1562.004,Disable or Modify System Firewall,[],[],,CM-2,mitigates,4 +1855,,T1563,Remote Service Session Hijacking,[],[],,CM-2,mitigates,4 +1856,,T1563.001,SSH Hijacking,[],[],,CM-2,mitigates,4 +1857,,T1563.002,RDP 
Hijacking,[],[],,CM-2,mitigates,4 +1858,,T1564.006,Run Virtual Instance,[],[],,CM-2,mitigates,4 +1859,,T1564.007,VBA Stomping,[],[],,CM-2,mitigates,4 +1860,,T1564.009,Resource Forking,[],[],,CM-2,mitigates,4 +1861,,T1566,Phishing,[],[],,CM-2,mitigates,4 +1862,,T1566.001,Spearphishing Attachment,[],[],,CM-2,mitigates,4 +1863,,T1569,System Services,[],[],,CM-2,mitigates,4 +1864,,T1569.002,Service Execution,[],[],,CM-2,mitigates,4 +1865,,T1571,Non-Standard Port,[],[],,CM-2,mitigates,4 +1866,,T1572,Protocol Tunneling,[],[],,CM-2,mitigates,4 +1867,,T1573,Encrypted Channel,[],[],,CM-2,mitigates,4 +1868,,T1573.001,Symmetric Cryptography,[],[],,CM-2,mitigates,4 +1869,,T1573.002,Asymmetric Cryptography,[],[],,CM-2,mitigates,4 +1870,,T1574.001,DLL Search Order Hijacking,[],[],,CM-2,mitigates,4 +1871,,T1574.004,Dylib Hijacking,[],[],,CM-2,mitigates,4 +1872,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-2,mitigates,4 +1873,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-2,mitigates,4 +1874,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-2,mitigates,4 +1875,,T1574.010,Services File Permissions Weakness,[],[],,CM-2,mitigates,4 +1876,,T1598,Phishing for Information,[],[],,CM-2,mitigates,4 +1877,,T1598.002,Spearphishing Attachment,[],[],,CM-2,mitigates,4 +1878,,T1599.001,Network Address Translation Traversal,[],[],,CM-2,mitigates,4 +1879,,T1601,Modify System Image,[],[],,CM-2,mitigates,4 +1880,,T1601.001,Patch System Image,[],[],,CM-2,mitigates,4 +1881,,T1601.002,Downgrade System Image,[],[],,CM-2,mitigates,4 +1882,,T1602,Data from Configuration Repository,[],[],,CM-2,mitigates,4 +1883,,T1602.001,SNMP (MIB Dump),[],[],,CM-2,mitigates,4 +1884,,T1647,Plist File Modification,[],[],,CM-3,mitigates,4 +1885,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-3,mitigates,4 +1886,,T1176,Browser Extensions,[],[],,CM-3,mitigates,4 +1887,,T1495,Firmware Corruption,[],[],,CM-3,mitigates,4 +1888,,T1543,Create or Modify System 
Process,[],[],,CM-3,mitigates,4 +1889,,T1547.007,Re-opened Applications,[],[],,CM-3,mitigates,4 +1890,,T1021.005,VNC,[],[],,CM-3,mitigates,4 +1891,,T1059.006,Python,[],[],,CM-3,mitigates,4 +1892,,T1213,Data from Information Repositories,[],[],,CM-3,mitigates,4 +1893,,T1213.001,Confluence,[],[],,CM-3,mitigates,4 +1894,,T1213.002,Sharepoint,[],[],,CM-3,mitigates,4 +1895,,T1542,Pre-OS Boot,[],[],,CM-3,mitigates,4 +1896,,T1542.001,System Firmware,[],[],,CM-3,mitigates,4 +1897,,T1542.003,Bootkit,[],[],,CM-3,mitigates,4 +1898,,T1542.004,ROMMONkit,[],[],,CM-3,mitigates,4 +1899,,T1542.005,TFTP Boot,[],[],,CM-3,mitigates,4 +1900,,T1543.002,Systemd Service,[],[],,CM-3,mitigates,4 +1901,,T1547.013,XDG Autostart Entries,[],[],,CM-3,mitigates,4 +1902,,T1553,Subvert Trust Controls,[],[],,CM-3,mitigates,4 +1903,,T1553.006,Code Signing Policy Modification,[],[],,CM-3,mitigates,4 +1904,,T1564.008,Email Hiding Rules,[],[],,CM-3,mitigates,4 +1905,,T1601,Modify System Image,[],[],,CM-3,mitigates,4 +1906,,T1601.001,Patch System Image,[],[],,CM-3,mitigates,4 +1907,,T1601.002,Downgrade System Image,[],[],,CM-3,mitigates,4 +1908,,T1621,Multi-Factor Authentication Request Generation,[],[],,CM-5,mitigates,4 +1909,,T1098.005,Device Registration,[],[],,CM-5,mitigates,4 +1910,,T1546.016,Installer Packages,[],[],,CM-5,mitigates,4 +1911,,T1559.003,XPC Services,[],[],,CM-5,mitigates,4 +1912,,T1098.004,SSH Authorized Keys,[],[],,CM-5,mitigates,4 +1913,,T1647,Plist File Modification,[],[],,CM-5,mitigates,4 +1914,,T1552.007,Container API,[],[],,CM-5,mitigates,4 +1915,,T1556,Modify Authentication Process,[],[],,CM-5,mitigates,4 +1916,,T1543.001,Launch Agent,[],[],,CM-5,mitigates,4 +1917,,T1562,Impair Defenses,[],[],,CM-5,mitigates,4 +1918,,T1574,Hijack Execution Flow,[],[],,CM-5,mitigates,4 +1919,,T1055,Process Injection,[],[],,CM-5,mitigates,4 +1920,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-5,mitigates,4 +1921,,T1059,Command and Scripting Interpreter,[],[],,CM-5,mitigates,4 
+1922,,T1537,Transfer Data to Cloud Account,[],[],,CM-5,mitigates,4 +1923,,T1574.011,Services Registry Permissions Weakness,[],[],,CM-5,mitigates,4 +1924,,T1003.001,LSASS Memory,[],[],,CM-5,mitigates,4 +1925,,T1003.002,Security Account Manager,[],[],,CM-5,mitigates,4 +1926,,T1003.003,NTDS,[],[],,CM-5,mitigates,4 +1927,,T1078,Valid Accounts,[],[],,CM-5,mitigates,4 +1928,,T1218,Signed Binary Proxy Execution,[],[],,CM-5,mitigates,4 +1929,,T1528,Steal Application Access Token,[],[],,CM-5,mitigates,4 +1930,,T1530,Data from Cloud Storage Object,[],[],,CM-5,mitigates,4 +1931,,T1599,Network Boundary Bridging,[],[],,CM-5,mitigates,4 +1932,,T1611,Escape to Host,[],[],,CM-5,mitigates,4 +1933,,T1021.001,Remote Desktop Protocol,[],[],,CM-5,mitigates,4 +1934,,T1047,Windows Management Instrumentation,[],[],,CM-5,mitigates,4 +1935,,T1053,Scheduled Task/Job,[],[],,CM-5,mitigates,4 +1936,,T1053.002,At (Windows),[],[],,CM-5,mitigates,4 +1937,,T1053.003,Cron,[],[],,CM-5,mitigates,4 +1938,,T1053.005,Scheduled Task,[],[],,CM-5,mitigates,4 +1939,,T1059.001,PowerShell,[],[],,CM-5,mitigates,4 +1940,,T1059.008,Network Device CLI,[],[],,CM-5,mitigates,4 +1941,,T1078.002,Domain Accounts,[],[],,CM-5,mitigates,4 +1942,,T1078.004,Cloud Accounts,[],[],,CM-5,mitigates,4 +1943,,T1098,Account Manipulation,[],[],,CM-5,mitigates,4 +1944,,T1098.001,Additional Cloud Credentials,[],[],,CM-5,mitigates,4 +1945,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-5,mitigates,4 +1946,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-5,mitigates,4 +1947,,T1176,Browser Extensions,[],[],,CM-5,mitigates,4 +1948,,T1190,Exploit Public-Facing Application,[],[],,CM-5,mitigates,4 +1949,,T1197,BITS Jobs,[],[],,CM-5,mitigates,4 +1950,,T1210,Exploitation of Remote Services,[],[],,CM-5,mitigates,4 +1951,,T1218.007,Msiexec,[],[],,CM-5,mitigates,4 +1952,,T1222,File and Directory Permissions Modification,[],[],,CM-5,mitigates,4 +1953,,T1495,Firmware Corruption,[],[],,CM-5,mitigates,4 +1954,,T1505,Server 
Software Component,[],[],,CM-5,mitigates,4 +1955,,T1525,Implant Internal Image,[],[],,CM-5,mitigates,4 +1956,,T1543,Create or Modify System Process,[],[],,CM-5,mitigates,4 +1957,,T1543.003,Windows Service,[],[],,CM-5,mitigates,4 +1958,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-5,mitigates,4 +1959,,T1547.003,Time Providers,[],[],,CM-5,mitigates,4 +1960,,T1547.004,Winlogon Helper DLL,[],[],,CM-5,mitigates,4 +1961,,T1547.006,Kernel Modules and Extensions,[],[],,CM-5,mitigates,4 +1962,,T1547.007,Re-opened Applications,[],[],,CM-5,mitigates,4 +1963,,T1547.009,Shortcut Modification,[],[],,CM-5,mitigates,4 +1964,,T1548.002,Bypass User Account Control,[],[],,CM-5,mitigates,4 +1965,,T1548.003,Sudo and Sudo Caching,[],[],,CM-5,mitigates,4 +1966,,T1556.004,Network Device Authentication,[],[],,CM-5,mitigates,4 +1967,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-5,mitigates,4 +1968,,T1558.003,Kerberoasting,[],[],,CM-5,mitigates,4 +1969,,T1559,Inter-Process Communication,[],[],,CM-5,mitigates,4 +1970,,T1562.001,Disable or Modify Tools,[],[],,CM-5,mitigates,4 +1971,,T1562.006,Indicator Blocking,[],[],,CM-5,mitigates,4 +1972,,T1562.008,Disable Cloud Logs,[],[],,CM-5,mitigates,4 +1973,,T1003,OS Credential Dumping,[],[],,CM-5,mitigates,4 +1974,,T1003.004,LSA Secrets,[],[],,CM-5,mitigates,4 +1975,,T1003.005,Cached Domain Credentials,[],[],,CM-5,mitigates,4 +1976,,T1003.006,DCSync,[],[],,CM-5,mitigates,4 +1977,,T1003.007,Proc Filesystem,[],[],,CM-5,mitigates,4 +1978,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-5,mitigates,4 +1979,,T1021,Remote Services,[],[],,CM-5,mitigates,4 +1980,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-5,mitigates,4 +1981,,T1021.003,Distributed Component Object Model,[],[],,CM-5,mitigates,4 +1982,,T1021.004,SSH,[],[],,CM-5,mitigates,4 +1983,,T1021.005,VNC,[],[],,CM-5,mitigates,4 +1984,,T1021.006,Windows Remote Management,[],[],,CM-5,mitigates,4 +1985,,T1053.006,Systemd Timers,[],[],,CM-5,mitigates,4 
+1986,,T1053.007,Container Orchestration Job,[],[],,CM-5,mitigates,4 +1987,,T1055.008,Ptrace System Calls,[],[],,CM-5,mitigates,4 +1988,,T1056.003,Web Portal Capture,[],[],,CM-5,mitigates,4 +1989,,T1059.006,Python,[],[],,CM-5,mitigates,4 +1990,,T1072,Software Deployment Tools,[],[],,CM-5,mitigates,4 +1991,,T1078.003,Local Accounts,[],[],,CM-5,mitigates,4 +1992,,T1134,Access Token Manipulation,[],[],,CM-5,mitigates,4 +1993,,T1134.001,Token Impersonation/Theft,[],[],,CM-5,mitigates,4 +1994,,T1134.002,Create Process with Token,[],[],,CM-5,mitigates,4 +1995,,T1134.003,Make and Impersonate Token,[],[],,CM-5,mitigates,4 +1996,,T1136,Create Account,[],[],,CM-5,mitigates,4 +1997,,T1136.001,Local Account,[],[],,CM-5,mitigates,4 +1998,,T1136.002,Domain Account,[],[],,CM-5,mitigates,4 +1999,,T1136.003,Cloud Account,[],[],,CM-5,mitigates,4 +2000,,T1137.002,Office Test,[],[],,CM-5,mitigates,4 +2001,,T1185,Browser Session Hijacking,[],[],,CM-5,mitigates,4 +2002,,T1213,Data from Information Repositories,[],[],,CM-5,mitigates,4 +2003,,T1213.001,Confluence,[],[],,CM-5,mitigates,4 +2004,,T1213.002,Sharepoint,[],[],,CM-5,mitigates,4 +2005,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-5,mitigates,4 +2006,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-5,mitigates,4 +2007,,T1484,Domain Policy Modification,[],[],,CM-5,mitigates,4 +2008,,T1489,Service Stop,[],[],,CM-5,mitigates,4 +2009,,T1505.002,Transport Agent,[],[],,CM-5,mitigates,4 +2010,,T1542,Pre-OS Boot,[],[],,CM-5,mitigates,4 +2011,,T1542.001,System Firmware,[],[],,CM-5,mitigates,4 +2012,,T1542.003,Bootkit,[],[],,CM-5,mitigates,4 +2013,,T1542.004,ROMMONkit,[],[],,CM-5,mitigates,4 +2014,,T1542.005,TFTP Boot,[],[],,CM-5,mitigates,4 +2015,,T1543.002,Systemd Service,[],[],,CM-5,mitigates,4 +2016,,T1543.004,Launch Daemon,[],[],,CM-5,mitigates,4 +2017,,T1547.012,Print Processors,[],[],,CM-5,mitigates,4 +2018,,T1547.013,XDG Autostart Entries,[],[],,CM-5,mitigates,4 
+2019,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-5,mitigates,4 +2020,,T1550,Use Alternate Authentication Material,[],[],,CM-5,mitigates,4 +2021,,T1550.002,Pass the Hash,[],[],,CM-5,mitigates,4 +2022,,T1550.003,Pass the Ticket,[],[],,CM-5,mitigates,4 +2023,,T1552,Unsecured Credentials,[],[],,CM-5,mitigates,4 +2024,,T1552.002,Credentials in Registry,[],[],,CM-5,mitigates,4 +2025,,T1553,Subvert Trust Controls,[],[],,CM-5,mitigates,4 +2026,,T1553.006,Code Signing Policy Modification,[],[],,CM-5,mitigates,4 +2027,,T1556.001,Domain Controller Authentication,[],[],,CM-5,mitigates,4 +2028,,T1556.003,Pluggable Authentication Modules,[],[],,CM-5,mitigates,4 +2029,,T1558.001,Golden Ticket,[],[],,CM-5,mitigates,4 +2030,,T1558.002,Silver Ticket,[],[],,CM-5,mitigates,4 +2031,,T1559.001,Component Object Model,[],[],,CM-5,mitigates,4 +2032,,T1562.002,Disable Windows Event Logging,[],[],,CM-5,mitigates,4 +2033,,T1562.004,Disable or Modify System Firewall,[],[],,CM-5,mitigates,4 +2034,,T1562.007,Disable or Modify Cloud Firewall,[],[],,CM-5,mitigates,4 +2035,,T1562.009,Safe Mode Boot,[],[],,CM-5,mitigates,4 +2036,,T1563,Remote Service Session Hijacking,[],[],,CM-5,mitigates,4 +2037,,T1563.001,SSH Hijacking,[],[],,CM-5,mitigates,4 +2038,,T1563.002,RDP Hijacking,[],[],,CM-5,mitigates,4 +2039,,T1564.008,Email Hiding Rules,[],[],,CM-5,mitigates,4 +2040,,T1569,System Services,[],[],,CM-5,mitigates,4 +2041,,T1569.001,Launchctl,[],[],,CM-5,mitigates,4 +2042,,T1569.002,Service Execution,[],[],,CM-5,mitigates,4 +2043,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-5,mitigates,4 +2044,,T1574.010,Services File Permissions Weakness,[],[],,CM-5,mitigates,4 +2045,,T1574.012,COR_PROFILER,[],[],,CM-5,mitigates,4 +2046,,T1578,Modify Cloud Compute Infrastructure,[],[],,CM-5,mitigates,4 +2047,,T1578.001,Create Snapshot,[],[],,CM-5,mitigates,4 +2048,,T1578.002,Create Cloud Instance,[],[],,CM-5,mitigates,4 +2049,,T1578.003,Delete Cloud Instance,[],[],,CM-5,mitigates,4 
+2050,,T1599.001,Network Address Translation Traversal,[],[],,CM-5,mitigates,4 +2051,,T1601,Modify System Image,[],[],,CM-5,mitigates,4 +2052,,T1601.001,Patch System Image,[],[],,CM-5,mitigates,4 +2053,,T1601.002,Downgrade System Image,[],[],,CM-5,mitigates,4 +2054,,T1619,Cloud Storage Object Discovery,[],[],,CM-5,mitigates,4 +2055,,T1070.007,Clear Network Connection History and Configurations,[],[],,CM-6,mitigates,4 +2056,,T1070.008,Clear Mailbox Data,[],[],,CM-6,mitigates,4 +2057,,T1070.009,Clear Persistence,[],[],,CM-6,mitigates,4 +2058,,T1098.005,Device Registration,[],[],,CM-6,mitigates,4 +2059,,T1505.005,Terminal Services DLL,[],[],,CM-6,mitigates,4 +2060,,T1546.016,Installer Packages,[],[],,CM-6,mitigates,4 +2061,,T1559.003,XPC Services,[],[],,CM-6,mitigates,4 +2062,,T1648,Serverless Execution,[],[],,CM-6,mitigates,4 +2063,,T1557.003,DHCP Spoofing,[],[],,CM-6,mitigates,4 +2064,,T1622,Debugger Evasion,[],[],,CM-6,mitigates,4 +2065,,T1647,Plist File Modification,[],[],,CM-6,mitigates,4 +2066,,T1552.007,Container API,[],[],,CM-6,mitigates,4 +2067,,T1556,Modify Authentication Process,[],[],,CM-6,mitigates,4 +2068,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-6,mitigates,4 +2069,,T1562,Impair Defenses,[],[],,CM-6,mitigates,4 +2070,,T1574,Hijack Execution Flow,[],[],,CM-6,mitigates,4 +2071,,T1609,Container Administration Command,[],[],,CM-6,mitigates,4 +2072,,T1610,Deploy Container,[],[],,CM-6,mitigates,4 +2073,,T1055,Process Injection,[],[],,CM-6,mitigates,4 +2074,,T1068,Exploitation for Privilege Escalation,[],[],,CM-6,mitigates,4 +2075,,T1087.001,Local Account,[],[],,CM-6,mitigates,4 +2076,,T1087.002,Domain Account,[],[],,CM-6,mitigates,4 +2077,,T1133,External Remote Services,[],[],,CM-6,mitigates,4 +2078,,T1212,Exploitation for Credential Access,[],[],,CM-6,mitigates,4 +2079,,T1482,Domain Trust Discovery,[],[],,CM-6,mitigates,4 +2080,,T1059,Command and Scripting Interpreter,[],[],,CM-6,mitigates,4 +2081,,T1070.001,Clear Windows Event Logs,[],[],,CM-6,mitigates,4 
+2082,,T1211,Exploitation for Defense Evasion,[],[],,CM-6,mitigates,4 +2083,,T1537,Transfer Data to Cloud Account,[],[],,CM-6,mitigates,4 +2084,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-6,mitigates,4 +2085,,T1003.001,LSASS Memory,[],[],,CM-6,mitigates,4 +2086,,T1003.002,Security Account Manager,[],[],,CM-6,mitigates,4 +2087,,T1003.003,NTDS,[],[],,CM-6,mitigates,4 +2088,,T1046,Network Service Scanning,[],[],,CM-6,mitigates,4 +2089,,T1078,Valid Accounts,[],[],,CM-6,mitigates,4 +2090,,T1091,Replication Through Removable Media,[],[],,CM-6,mitigates,4 +2091,,T1110.001,Password Guessing,[],[],,CM-6,mitigates,4 +2092,,T1110.002,Password Cracking,[],[],,CM-6,mitigates,4 +2093,,T1111,Two-Factor Authentication Interception,[],[],,CM-6,mitigates,4 +2094,,T1119,Automated Collection,[],[],,CM-6,mitigates,4 +2095,,T1199,Trusted Relationship,[],[],,CM-6,mitigates,4 +2096,,T1201,Password Policy Discovery,[],[],,CM-6,mitigates,4 +2097,,T1218,Signed Binary Proxy Execution,[],[],,CM-6,mitigates,4 +2098,,T1528,Steal Application Access Token,[],[],,CM-6,mitigates,4 +2099,,T1530,Data from Cloud Storage Object,[],[],,CM-6,mitigates,4 +2100,,T1548.001,Setuid and Setgid,[],[],,CM-6,mitigates,4 +2101,,T1555.004,Windows Credential Manager,[],[],,CM-6,mitigates,4 +2102,,T1557,Adversary-in-the-Middle,[],[],,CM-6,mitigates,4 +2103,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-6,mitigates,4 +2104,,T1566.002,Spearphishing Link,[],[],,CM-6,mitigates,4 +2105,,T1598.003,Spearphishing Link,[],[],,CM-6,mitigates,4 +2106,,T1599,Network Boundary Bridging,[],[],,CM-6,mitigates,4 +2107,,T1611,Escape to Host,[],[],,CM-6,mitigates,4 +2108,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-6,mitigates,4 +2109,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-6,mitigates,4 +2110,,T1020.001,Traffic Duplication,[],[],,CM-6,mitigates,4 +2111,,T1021.001,Remote Desktop Protocol,[],[],,CM-6,mitigates,4 +2112,,T1027,Obfuscated Files or Information,[],[],,CM-6,mitigates,4 
+2113,,T1037.002,Logon Script (Mac),[],[],,CM-6,mitigates,4 +2114,,T1037.005,Startup Items,[],[],,CM-6,mitigates,4 +2115,,T1047,Windows Management Instrumentation,[],[],,CM-6,mitigates,4 +2116,,T1053,Scheduled Task/Job,[],[],,CM-6,mitigates,4 +2117,,T1053.002,At (Windows),[],[],,CM-6,mitigates,4 +2118,,T1053.005,Scheduled Task,[],[],,CM-6,mitigates,4 +2119,,T1059.001,PowerShell,[],[],,CM-6,mitigates,4 +2120,,T1059.002,AppleScript,[],[],,CM-6,mitigates,4 +2121,,T1059.005,Visual Basic,[],[],,CM-6,mitigates,4 +2122,,T1059.008,Network Device CLI,[],[],,CM-6,mitigates,4 +2123,,T1070,Indicator Removal on Host,[],[],,CM-6,mitigates,4 +2124,,T1070.003,Clear Command History,[],[],,CM-6,mitigates,4 +2125,,T1078.002,Domain Accounts,[],[],,CM-6,mitigates,4 +2126,,T1078.004,Cloud Accounts,[],[],,CM-6,mitigates,4 +2127,,T1095,Non-Application Layer Protocol,[],[],,CM-6,mitigates,4 +2128,,T1098,Account Manipulation,[],[],,CM-6,mitigates,4 +2129,,T1098.001,Additional Cloud Credentials,[],[],,CM-6,mitigates,4 +2130,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-6,mitigates,4 +2131,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-6,mitigates,4 +2132,,T1098.004,SSH Authorized Keys,[],[],,CM-6,mitigates,4 +2133,,T1105,Ingress Tool Transfer,[],[],,CM-6,mitigates,4 +2134,,T1106,Native API,[],[],,CM-6,mitigates,4 +2135,,T1176,Browser Extensions,[],[],,CM-6,mitigates,4 +2136,,T1189,Drive-by Compromise,[],[],,CM-6,mitigates,4 +2137,,T1190,Exploit Public-Facing Application,[],[],,CM-6,mitigates,4 +2138,,T1197,BITS Jobs,[],[],,CM-6,mitigates,4 +2139,,T1204,User Execution,[],[],,CM-6,mitigates,4 +2140,,T1204.002,Malicious File,[],[],,CM-6,mitigates,4 +2141,,T1205,Traffic Signaling,[],[],,CM-6,mitigates,4 +2142,,T1205.001,Port Knocking,[],[],,CM-6,mitigates,4 +2143,,T1210,Exploitation of Remote Services,[],[],,CM-6,mitigates,4 +2144,,T1216,Signed Script Proxy Execution,[],[],,CM-6,mitigates,4 +2145,,T1216.001,PubPrn,[],[],,CM-6,mitigates,4 
+2146,,T1218.003,CMSTP,[],[],,CM-6,mitigates,4 +2147,,T1218.004,InstallUtil,[],[],,CM-6,mitigates,4 +2148,,T1218.007,Msiexec,[],[],,CM-6,mitigates,4 +2149,,T1218.008,Odbcconf,[],[],,CM-6,mitigates,4 +2150,,T1218.009,Regsvcs/Regasm,[],[],,CM-6,mitigates,4 +2151,,T1218.012,Verclsid,[],[],,CM-6,mitigates,4 +2152,,T1218.013,Mavinject,[],[],,CM-6,mitigates,4 +2153,,T1218.014,MMC,[],[],,CM-6,mitigates,4 +2154,,T1219,Remote Access Software,[],[],,CM-6,mitigates,4 +2155,,T1221,Template Injection,[],[],,CM-6,mitigates,4 +2156,,T1222,File and Directory Permissions Modification,[],[],,CM-6,mitigates,4 +2157,,T1490,Inhibit System Recovery,[],[],,CM-6,mitigates,4 +2158,,T1495,Firmware Corruption,[],[],,CM-6,mitigates,4 +2159,,T1498.001,Direct Network Flood,[],[],,CM-6,mitigates,4 +2160,,T1498.002,Reflection Amplification,[],[],,CM-6,mitigates,4 +2161,,T1499,Endpoint Denial of Service,[],[],,CM-6,mitigates,4 +2162,,T1499.001,OS Exhaustion Flood,[],[],,CM-6,mitigates,4 +2163,,T1499.002,Service Exhaustion Flood,[],[],,CM-6,mitigates,4 +2164,,T1499.003,Application Exhaustion Flood,[],[],,CM-6,mitigates,4 +2165,,T1499.004,Application or System Exploitation,[],[],,CM-6,mitigates,4 +2166,,T1505,Server Software Component,[],[],,CM-6,mitigates,4 +2167,,T1505.003,Web Shell,[],[],,CM-6,mitigates,4 +2168,,T1525,Implant Internal Image,[],[],,CM-6,mitigates,4 +2169,,T1543,Create or Modify System Process,[],[],,CM-6,mitigates,4 +2170,,T1543.003,Windows Service,[],[],,CM-6,mitigates,4 +2171,,T1546,Event Triggered Execution,[],[],,CM-6,mitigates,4 +2172,,T1546.002,Screensaver,[],[],,CM-6,mitigates,4 +2173,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-6,mitigates,4 +2174,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-6,mitigates,4 +2175,,T1547.002,Authentication Package,[],[],,CM-6,mitigates,4 +2176,,T1547.003,Time Providers,[],[],,CM-6,mitigates,4 +2177,,T1547.006,Kernel Modules and Extensions,[],[],,CM-6,mitigates,4 +2178,,T1547.007,Re-opened 
Applications,[],[],,CM-6,mitigates,4 +2179,,T1547.008,LSASS Driver,[],[],,CM-6,mitigates,4 +2180,,T1548.002,Bypass User Account Control,[],[],,CM-6,mitigates,4 +2181,,T1548.003,Sudo and Sudo Caching,[],[],,CM-6,mitigates,4 +2182,,T1550.001,Application Access Token,[],[],,CM-6,mitigates,4 +2183,,T1552.003,Bash History,[],[],,CM-6,mitigates,4 +2184,,T1552.005,Cloud Instance Metadata API,[],[],,CM-6,mitigates,4 +2185,,T1553.001,Gatekeeper Bypass,[],[],,CM-6,mitigates,4 +2186,,T1556.004,Network Device Authentication,[],[],,CM-6,mitigates,4 +2187,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-6,mitigates,4 +2188,,T1558.003,Kerberoasting,[],[],,CM-6,mitigates,4 +2189,,T1559,Inter-Process Communication,[],[],,CM-6,mitigates,4 +2190,,T1559.002,Dynamic Data Exchange,[],[],,CM-6,mitigates,4 +2191,,T1562.001,Disable or Modify Tools,[],[],,CM-6,mitigates,4 +2192,,T1562.003,Impair Command History Logging,[],[],,CM-6,mitigates,4 +2193,,T1562.006,Indicator Blocking,[],[],,CM-6,mitigates,4 +2194,,T1562.010,Downgrade Attack,[],[],,CM-6,mitigates,4 +2195,,T1564.002,Hidden Users,[],[],,CM-6,mitigates,4 +2196,,T1565,Data Manipulation,[],[],,CM-6,mitigates,4 +2197,,T1565.001,Stored Data Manipulation,[],[],,CM-6,mitigates,4 +2198,,T1565.002,Transmitted Data Manipulation,[],[],,CM-6,mitigates,4 +2199,,T1565.003,Runtime Data Manipulation,[],[],,CM-6,mitigates,4 +2200,,T1570,Lateral Tool Transfer,[],[],,CM-6,mitigates,4 +2201,,T1602.002,Network Device Configuration Dump,[],[],,CM-6,mitigates,4 +2202,,T1001,Data Obfuscation,[],[],,CM-6,mitigates,4 +2203,,T1001.001,Junk Data,[],[],,CM-6,mitigates,4 +2204,,T1001.002,Steganography,[],[],,CM-6,mitigates,4 +2205,,T1001.003,Protocol Impersonation,[],[],,CM-6,mitigates,4 +2206,,T1003,OS Credential Dumping,[],[],,CM-6,mitigates,4 +2207,,T1003.004,LSA Secrets,[],[],,CM-6,mitigates,4 +2208,,T1003.005,Cached Domain Credentials,[],[],,CM-6,mitigates,4 +2209,,T1003.006,DCSync,[],[],,CM-6,mitigates,4 +2210,,T1003.007,Proc 
Filesystem,[],[],,CM-6,mitigates,4 +2211,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-6,mitigates,4 +2212,,T1008,Fallback Channels,[],[],,CM-6,mitigates,4 +2213,,T1021,Remote Services,[],[],,CM-6,mitigates,4 +2214,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-6,mitigates,4 +2215,,T1021.003,Distributed Component Object Model,[],[],,CM-6,mitigates,4 +2216,,T1021.004,SSH,[],[],,CM-6,mitigates,4 +2217,,T1021.005,VNC,[],[],,CM-6,mitigates,4 +2218,,T1021.006,Windows Remote Management,[],[],,CM-6,mitigates,4 +2219,,T1029,Scheduled Transfer,[],[],,CM-6,mitigates,4 +2220,,T1030,Data Transfer Size Limits,[],[],,CM-6,mitigates,4 +2221,,T1036,Masquerading,[],[],,CM-6,mitigates,4 +2222,,T1036.001,Invalid Code Signature,[],[],,CM-6,mitigates,4 +2223,,T1036.003,Rename System Utilities,[],[],,CM-6,mitigates,4 +2224,,T1036.005,Match Legitimate Name or Location,[],[],,CM-6,mitigates,4 +2225,,T1036.007,Double File Extension,[],[],,CM-6,mitigates,4 +2226,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-6,mitigates,4 +2227,,T1037.003,Network Logon Script,[],[],,CM-6,mitigates,4 +2228,,T1037.004,RC Scripts,[],[],,CM-6,mitigates,4 +2229,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-6,mitigates,4 +2230,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,4 +2231,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,4 +2232,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-6,mitigates,4 +2233,,T1052,Exfiltration Over Physical Medium,[],[],,CM-6,mitigates,4 +2234,,T1052.001,Exfiltration over USB,[],[],,CM-6,mitigates,4 +2235,,T1053.006,Systemd Timers,[],[],,CM-6,mitigates,4 +2236,,T1053.007,Container Orchestration Job,[],[],,CM-6,mitigates,4 +2237,,T1055.008,Ptrace System Calls,[],[],,CM-6,mitigates,4 +2238,,T1056.003,Web Portal Capture,[],[],,CM-6,mitigates,4 +2239,,T1059.003,Windows Command Shell,[],[],,CM-6,mitigates,4 +2240,,T1059.004,Unix Shell,[],[],,CM-6,mitigates,4 
+2241,,T1059.006,Python,[],[],,CM-6,mitigates,4 +2242,,T1059.007,JavaScript,[],[],,CM-6,mitigates,4 +2243,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-6,mitigates,4 +2244,,T1071,Application Layer Protocol,[],[],,CM-6,mitigates,4 +2245,,T1071.001,Web Protocols,[],[],,CM-6,mitigates,4 +2246,,T1071.002,File Transfer Protocols,[],[],,CM-6,mitigates,4 +2247,,T1071.003,Mail Protocols,[],[],,CM-6,mitigates,4 +2248,,T1071.004,DNS,[],[],,CM-6,mitigates,4 +2249,,T1072,Software Deployment Tools,[],[],,CM-6,mitigates,4 +2250,,T1078.003,Local Accounts,[],[],,CM-6,mitigates,4 +2251,,T1087,Account Discovery,[],[],,CM-6,mitigates,4 +2252,,T1090,Proxy,[],[],,CM-6,mitigates,4 +2253,,T1090.001,Internal Proxy,[],[],,CM-6,mitigates,4 +2254,,T1090.002,External Proxy,[],[],,CM-6,mitigates,4 +2255,,T1090.003,Multi-hop Proxy,[],[],,CM-6,mitigates,4 +2256,,T1092,Communication Through Removable Media,[],[],,CM-6,mitigates,4 +2257,,T1102,Web Service,[],[],,CM-6,mitigates,4 +2258,,T1102.001,Dead Drop Resolver,[],[],,CM-6,mitigates,4 +2259,,T1102.002,Bidirectional Communication,[],[],,CM-6,mitigates,4 +2260,,T1102.003,One-Way Communication,[],[],,CM-6,mitigates,4 +2261,,T1104,Multi-Stage Channels,[],[],,CM-6,mitigates,4 +2262,,T1110,Brute Force,[],[],,CM-6,mitigates,4 +2263,,T1110.003,Password Spraying,[],[],,CM-6,mitigates,4 +2264,,T1110.004,Credential Stuffing,[],[],,CM-6,mitigates,4 +2265,,T1114,Email Collection,[],[],,CM-6,mitigates,4 +2266,,T1114.002,Remote Email Collection,[],[],,CM-6,mitigates,4 +2267,,T1114.003,Email Forwarding Rule,[],[],,CM-6,mitigates,4 +2268,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-6,mitigates,4 +2269,,T1127.001,MSBuild,[],[],,CM-6,mitigates,4 +2270,,T1132,Data Encoding,[],[],,CM-6,mitigates,4 +2271,,T1132.001,Standard Encoding,[],[],,CM-6,mitigates,4 +2272,,T1132.002,Non-Standard Encoding,[],[],,CM-6,mitigates,4 +2273,,T1134,Access Token Manipulation,[],[],,CM-6,mitigates,4 +2274,,T1134.001,Token 
Impersonation/Theft,[],[],,CM-6,mitigates,4 +2275,,T1134.002,Create Process with Token,[],[],,CM-6,mitigates,4 +2276,,T1134.003,Make and Impersonate Token,[],[],,CM-6,mitigates,4 +2277,,T1134.005,SID-History Injection,[],[],,CM-6,mitigates,4 +2278,,T1135,Network Share Discovery,[],[],,CM-6,mitigates,4 +2279,,T1136,Create Account,[],[],,CM-6,mitigates,4 +2280,,T1136.001,Local Account,[],[],,CM-6,mitigates,4 +2281,,T1136.002,Domain Account,[],[],,CM-6,mitigates,4 +2282,,T1136.003,Cloud Account,[],[],,CM-6,mitigates,4 +2283,,T1137,Office Application Startup,[],[],,CM-6,mitigates,4 +2284,,T1137.001,Office Template Macros,[],[],,CM-6,mitigates,4 +2285,,T1137.002,Office Test,[],[],,CM-6,mitigates,4 +2286,,T1137.003,Outlook Forms,[],[],,CM-6,mitigates,4 +2287,,T1137.004,Outlook Home Page,[],[],,CM-6,mitigates,4 +2288,,T1137.005,Outlook Rules,[],[],,CM-6,mitigates,4 +2289,,T1137.006,Add-ins,[],[],,CM-6,mitigates,4 +2290,,T1187,Forced Authentication,[],[],,CM-6,mitigates,4 +2291,,T1204.001,Malicious Link,[],[],,CM-6,mitigates,4 +2292,,T1204.003,Malicious Image,[],[],,CM-6,mitigates,4 +2293,,T1213,Data from Information Repositories,[],[],,CM-6,mitigates,4 +2294,,T1213.001,Confluence,[],[],,CM-6,mitigates,4 +2295,,T1213.002,Sharepoint,[],[],,CM-6,mitigates,4 +2296,,T1218.001,Compiled HTML File,[],[],,CM-6,mitigates,4 +2297,,T1218.002,Control Panel,[],[],,CM-6,mitigates,4 +2298,,T1218.005,Mshta,[],[],,CM-6,mitigates,4 +2299,,T1220,XSL Script Processing,[],[],,CM-6,mitigates,4 +2300,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-6,mitigates,4 +2301,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-6,mitigates,4 +2302,,T1484,Domain Policy Modification,[],[],,CM-6,mitigates,4 +2303,,T1489,Service Stop,[],[],,CM-6,mitigates,4 +2304,,T1498,Network Denial of Service,[],[],,CM-6,mitigates,4 +2305,,T1505.001,SQL Stored Procedures,[],[],,CM-6,mitigates,4 +2306,,T1505.002,Transport Agent,[],[],,CM-6,mitigates,4 +2307,,T1505.004,IIS 
Components,[],[],,CM-6,mitigates,4 +2308,,T1539,Steal Web Session Cookie,[],[],,CM-6,mitigates,4 +2309,,T1542,Pre-OS Boot,[],[],,CM-6,mitigates,4 +2310,,T1542.001,System Firmware,[],[],,CM-6,mitigates,4 +2311,,T1542.003,Bootkit,[],[],,CM-6,mitigates,4 +2312,,T1542.004,ROMMONkit,[],[],,CM-6,mitigates,4 +2313,,T1542.005,TFTP Boot,[],[],,CM-6,mitigates,4 +2314,,T1543.002,Systemd Service,[],[],,CM-6,mitigates,4 +2315,,T1543.004,Launch Daemon,[],[],,CM-6,mitigates,4 +2316,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-6,mitigates,4 +2317,,T1546.008,Accessibility Features,[],[],,CM-6,mitigates,4 +2318,,T1546.013,PowerShell Profile,[],[],,CM-6,mitigates,4 +2319,,T1546.014,Emond,[],[],,CM-6,mitigates,4 +2320,,T1547.005,Security Support Provider,[],[],,CM-6,mitigates,4 +2321,,T1547.013,XDG Autostart Entries,[],[],,CM-6,mitigates,4 +2322,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-6,mitigates,4 +2323,,T1548.004,Elevated Execution with Prompt,[],[],,CM-6,mitigates,4 +2324,,T1550,Use Alternate Authentication Material,[],[],,CM-6,mitigates,4 +2325,,T1550.002,Pass the Hash,[],[],,CM-6,mitigates,4 +2326,,T1550.003,Pass the Ticket,[],[],,CM-6,mitigates,4 +2327,,T1552,Unsecured Credentials,[],[],,CM-6,mitigates,4 +2328,,T1552.001,Credentials In Files,[],[],,CM-6,mitigates,4 +2329,,T1552.002,Credentials in Registry,[],[],,CM-6,mitigates,4 +2330,,T1552.004,Private Keys,[],[],,CM-6,mitigates,4 +2331,,T1552.006,Group Policy Preferences,[],[],,CM-6,mitigates,4 +2332,,T1553,Subvert Trust Controls,[],[],,CM-6,mitigates,4 +2333,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-6,mitigates,4 +2334,,T1553.004,Install Root Certificate,[],[],,CM-6,mitigates,4 +2335,,T1553.006,Code Signing Policy Modification,[],[],,CM-6,mitigates,4 +2336,,T1554,Compromise Client Software Binary,[],[],,CM-6,mitigates,4 +2337,,T1555.005,Password Managers,[],[],,CM-6,mitigates,4 +2338,,T1556.001,Domain Controller Authentication,[],[],,CM-6,mitigates,4 +2339,,T1556.002,Password Filter 
DLL,[],[],,CM-6,mitigates,4 +2340,,T1556.003,Pluggable Authentication Modules,[],[],,CM-6,mitigates,4 +2341,,T1557.002,ARP Cache Poisoning,[],[],,CM-6,mitigates,4 +2342,,T1558.001,Golden Ticket,[],[],,CM-6,mitigates,4 +2343,,T1558.002,Silver Ticket,[],[],,CM-6,mitigates,4 +2344,,T1558.004,AS-REP Roasting,[],[],,CM-6,mitigates,4 +2345,,T1559.001,Component Object Model,[],[],,CM-6,mitigates,4 +2346,,T1562.002,Disable Windows Event Logging,[],[],,CM-6,mitigates,4 +2347,,T1562.004,Disable or Modify System Firewall,[],[],,CM-6,mitigates,4 +2348,,T1562.009,Safe Mode Boot,[],[],,CM-6,mitigates,4 +2349,,T1563,Remote Service Session Hijacking,[],[],,CM-6,mitigates,4 +2350,,T1563.001,SSH Hijacking,[],[],,CM-6,mitigates,4 +2351,,T1563.002,RDP Hijacking,[],[],,CM-6,mitigates,4 +2352,,T1564.006,Run Virtual Instance,[],[],,CM-6,mitigates,4 +2353,,T1564.007,VBA Stomping,[],[],,CM-6,mitigates,4 +2354,,T1564.009,Resource Forking,[],[],,CM-6,mitigates,4 +2355,,T1566,Phishing,[],[],,CM-6,mitigates,4 +2356,,T1566.001,Spearphishing Attachment,[],[],,CM-6,mitigates,4 +2357,,T1569,System Services,[],[],,CM-6,mitigates,4 +2358,,T1569.002,Service Execution,[],[],,CM-6,mitigates,4 +2359,,T1571,Non-Standard Port,[],[],,CM-6,mitigates,4 +2360,,T1572,Protocol Tunneling,[],[],,CM-6,mitigates,4 +2361,,T1573,Encrypted Channel,[],[],,CM-6,mitigates,4 +2362,,T1573.001,Symmetric Cryptography,[],[],,CM-6,mitigates,4 +2363,,T1573.002,Asymmetric Cryptography,[],[],,CM-6,mitigates,4 +2364,,T1574.001,DLL Search Order Hijacking,[],[],,CM-6,mitigates,4 +2365,,T1574.004,Dylib Hijacking,[],[],,CM-6,mitigates,4 +2366,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-6,mitigates,4 +2367,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-6,mitigates,4 +2368,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-6,mitigates,4 +2369,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-6,mitigates,4 +2370,,T1574.010,Services File Permissions Weakness,[],[],,CM-6,mitigates,4 
+2371,,T1598,Phishing for Information,[],[],,CM-6,mitigates,4 +2372,,T1598.002,Spearphishing Attachment,[],[],,CM-6,mitigates,4 +2373,,T1599.001,Network Address Translation Traversal,[],[],,CM-6,mitigates,4 +2374,,T1601,Modify System Image,[],[],,CM-6,mitigates,4 +2375,,T1601.001,Patch System Image,[],[],,CM-6,mitigates,4 +2376,,T1601.002,Downgrade System Image,[],[],,CM-6,mitigates,4 +2377,,T1602,Data from Configuration Repository,[],[],,CM-6,mitigates,4 +2378,,T1602.001,SNMP (MIB Dump),[],[],,CM-6,mitigates,4 +2379,,T1612,Build Image on Host,[],[],,CM-6,mitigates,4 +2380,,T1613,Container and Resource Discovery,[],[],,CM-6,mitigates,4 +2381,,T1559.003,XPC Services,[],[],,CM-7,mitigates,4 +2382,,T1648,Serverless Execution,[],[],,CM-7,mitigates,4 +2383,,T1557.003,DHCP Spoofing,[],[],,CM-7,mitigates,4 +2384,,T1622,Debugger Evasion,[],[],,CM-7,mitigates,4 +2385,,T1647,Plist File Modification,[],[],,CM-7,mitigates,4 +2386,,T1552.007,Container API,[],[],,CM-7,mitigates,4 +2387,,T1556,Modify Authentication Process,[],[],,CM-7,mitigates,4 +2388,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-7,mitigates,4 +2389,,T1562,Impair Defenses,[],[],,CM-7,mitigates,4 +2390,,T1574,Hijack Execution Flow,[],[],,CM-7,mitigates,4 +2391,,T1609,Container Administration Command,[],[],,CM-7,mitigates,4 +2392,,T1610,Deploy Container,[],[],,CM-7,mitigates,4 +2393,,T1068,Exploitation for Privilege Escalation,[],[],,CM-7,mitigates,4 +2394,,T1087.001,Local Account,[],[],,CM-7,mitigates,4 +2395,,T1087.002,Domain Account,[],[],,CM-7,mitigates,4 +2396,,T1133,External Remote Services,[],[],,CM-7,mitigates,4 +2397,,T1482,Domain Trust Discovery,[],[],,CM-7,mitigates,4 +2398,,T1059,Command and Scripting Interpreter,[],[],,CM-7,mitigates,4 +2399,,T1537,Transfer Data to Cloud Account,[],[],,CM-7,mitigates,4 +2400,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-7,mitigates,4 +2401,,T1003.001,LSASS Memory,[],[],,CM-7,mitigates,4 +2402,,T1003.002,Security Account 
Manager,[],[],,CM-7,mitigates,4 +2403,,T1046,Network Service Scanning,[],[],,CM-7,mitigates,4 +2404,,T1199,Trusted Relationship,[],[],,CM-7,mitigates,4 +2405,,T1218,Signed Binary Proxy Execution,[],[],,CM-7,mitigates,4 +2406,,T1530,Data from Cloud Storage Object,[],[],,CM-7,mitigates,4 +2407,,T1548.001,Setuid and Setgid,[],[],,CM-7,mitigates,4 +2408,,T1555.004,Windows Credential Manager,[],[],,CM-7,mitigates,4 +2409,,T1557,Adversary-in-the-Middle,[],[],,CM-7,mitigates,4 +2410,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-7,mitigates,4 +2411,,T1599,Network Boundary Bridging,[],[],,CM-7,mitigates,4 +2412,,T1611,Escape to Host,[],[],,CM-7,mitigates,4 +2413,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-7,mitigates,4 +2414,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-7,mitigates,4 +2415,,T1021.001,Remote Desktop Protocol,[],[],,CM-7,mitigates,4 +2416,,T1047,Windows Management Instrumentation,[],[],,CM-7,mitigates,4 +2417,,T1053,Scheduled Task/Job,[],[],,CM-7,mitigates,4 +2418,,T1053.002,At (Windows),[],[],,CM-7,mitigates,4 +2419,,T1053.005,Scheduled Task,[],[],,CM-7,mitigates,4 +2420,,T1059.001,PowerShell,[],[],,CM-7,mitigates,4 +2421,,T1059.002,AppleScript,[],[],,CM-7,mitigates,4 +2422,,T1059.005,Visual Basic,[],[],,CM-7,mitigates,4 +2423,,T1059.008,Network Device CLI,[],[],,CM-7,mitigates,4 +2424,,T1095,Non-Application Layer Protocol,[],[],,CM-7,mitigates,4 +2425,,T1098,Account Manipulation,[],[],,CM-7,mitigates,4 +2426,,T1098.001,Additional Cloud Credentials,[],[],,CM-7,mitigates,4 +2427,,T1098.004,SSH Authorized Keys,[],[],,CM-7,mitigates,4 +2428,,T1105,Ingress Tool Transfer,[],[],,CM-7,mitigates,4 +2429,,T1106,Native API,[],[],,CM-7,mitigates,4 +2430,,T1129,Shared Modules,[],[],,CM-7,mitigates,4 +2431,,T1176,Browser Extensions,[],[],,CM-7,mitigates,4 +2432,,T1190,Exploit Public-Facing Application,[],[],,CM-7,mitigates,4 +2433,,T1195,Supply Chain Compromise,[],[],,CM-7,mitigates,4 +2434,,T1195.001,Compromise Software Dependencies and 
Development Tools,[],[],,CM-7,mitigates,4 +2435,,T1195.002,Compromise Software Supply Chain,[],[],,CM-7,mitigates,4 +2436,,T1197,BITS Jobs,[],[],,CM-7,mitigates,4 +2437,,T1204,User Execution,[],[],,CM-7,mitigates,4 +2438,,T1204.002,Malicious File,[],[],,CM-7,mitigates,4 +2439,,T1205,Traffic Signaling,[],[],,CM-7,mitigates,4 +2440,,T1205.001,Port Knocking,[],[],,CM-7,mitigates,4 +2441,,T1210,Exploitation of Remote Services,[],[],,CM-7,mitigates,4 +2442,,T1216,Signed Script Proxy Execution,[],[],,CM-7,mitigates,4 +2443,,T1216.001,PubPrn,[],[],,CM-7,mitigates,4 +2444,,T1218.003,CMSTP,[],[],,CM-7,mitigates,4 +2445,,T1218.004,InstallUtil,[],[],,CM-7,mitigates,4 +2446,,T1218.007,Msiexec,[],[],,CM-7,mitigates,4 +2447,,T1218.008,Odbcconf,[],[],,CM-7,mitigates,4 +2448,,T1218.009,Regsvcs/Regasm,[],[],,CM-7,mitigates,4 +2449,,T1218.012,Verclsid,[],[],,CM-7,mitigates,4 +2450,,T1218.013,Mavinject,[],[],,CM-7,mitigates,4 +2451,,T1218.014,MMC,[],[],,CM-7,mitigates,4 +2452,,T1219,Remote Access Software,[],[],,CM-7,mitigates,4 +2453,,T1221,Template Injection,[],[],,CM-7,mitigates,4 +2454,,T1490,Inhibit System Recovery,[],[],,CM-7,mitigates,4 +2455,,T1498.001,Direct Network Flood,[],[],,CM-7,mitigates,4 +2456,,T1498.002,Reflection Amplification,[],[],,CM-7,mitigates,4 +2457,,T1499,Endpoint Denial of Service,[],[],,CM-7,mitigates,4 +2458,,T1499.001,OS Exhaustion Flood,[],[],,CM-7,mitigates,4 +2459,,T1499.002,Service Exhaustion Flood,[],[],,CM-7,mitigates,4 +2460,,T1499.003,Application Exhaustion Flood,[],[],,CM-7,mitigates,4 +2461,,T1499.004,Application or System Exploitation,[],[],,CM-7,mitigates,4 +2462,,T1525,Implant Internal Image,[],[],,CM-7,mitigates,4 +2463,,T1543,Create or Modify System Process,[],[],,CM-7,mitigates,4 +2464,,T1543.003,Windows Service,[],[],,CM-7,mitigates,4 +2465,,T1546.002,Screensaver,[],[],,CM-7,mitigates,4 +2466,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-7,mitigates,4 +2467,,T1547.004,Winlogon Helper DLL,[],[],,CM-7,mitigates,4 +2468,,T1547.006,Kernel 
Modules and Extensions,[],[],,CM-7,mitigates,4 +2469,,T1547.007,Re-opened Applications,[],[],,CM-7,mitigates,4 +2470,,T1548.003,Sudo and Sudo Caching,[],[],,CM-7,mitigates,4 +2471,,T1552.003,Bash History,[],[],,CM-7,mitigates,4 +2472,,T1552.005,Cloud Instance Metadata API,[],[],,CM-7,mitigates,4 +2473,,T1553.001,Gatekeeper Bypass,[],[],,CM-7,mitigates,4 +2474,,T1559,Inter-Process Communication,[],[],,CM-7,mitigates,4 +2475,,T1559.002,Dynamic Data Exchange,[],[],,CM-7,mitigates,4 +2476,,T1562.001,Disable or Modify Tools,[],[],,CM-7,mitigates,4 +2477,,T1562.003,Impair Command History Logging,[],[],,CM-7,mitigates,4 +2478,,T1562.006,Indicator Blocking,[],[],,CM-7,mitigates,4 +2479,,T1564.002,Hidden Users,[],[],,CM-7,mitigates,4 +2480,,T1565,Data Manipulation,[],[],,CM-7,mitigates,4 +2481,,T1565.003,Runtime Data Manipulation,[],[],,CM-7,mitigates,4 +2482,,T1570,Lateral Tool Transfer,[],[],,CM-7,mitigates,4 +2483,,T1602.002,Network Device Configuration Dump,[],[],,CM-7,mitigates,4 +2484,,T1003,OS Credential Dumping,[],[],,CM-7,mitigates,4 +2485,,T1003.005,Cached Domain Credentials,[],[],,CM-7,mitigates,4 +2486,,T1008,Fallback Channels,[],[],,CM-7,mitigates,4 +2487,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-7,mitigates,4 +2488,,T1021.003,Distributed Component Object Model,[],[],,CM-7,mitigates,4 +2489,,T1021.005,VNC,[],[],,CM-7,mitigates,4 +2490,,T1021.006,Windows Remote Management,[],[],,CM-7,mitigates,4 +2491,,T1036,Masquerading,[],[],,CM-7,mitigates,4 +2492,,T1036.005,Match Legitimate Name or Location,[],[],,CM-7,mitigates,4 +2493,,T1036.007,Double File Extension,[],[],,CM-7,mitigates,4 +2494,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-7,mitigates,4 +2495,,T1037.001,Logon Script (Windows),[],[],,CM-7,mitigates,4 +2496,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-7,mitigates,4 +2497,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,4 +2498,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 
Protocol,[],[],,CM-7,mitigates,4 +2499,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-7,mitigates,4 +2500,,T1052,Exfiltration Over Physical Medium,[],[],,CM-7,mitigates,4 +2501,,T1052.001,Exfiltration over USB,[],[],,CM-7,mitigates,4 +2502,,T1059.003,Windows Command Shell,[],[],,CM-7,mitigates,4 +2503,,T1059.004,Unix Shell,[],[],,CM-7,mitigates,4 +2504,,T1059.006,Python,[],[],,CM-7,mitigates,4 +2505,,T1059.007,JavaScript,[],[],,CM-7,mitigates,4 +2506,,T1071,Application Layer Protocol,[],[],,CM-7,mitigates,4 +2507,,T1071.001,Web Protocols,[],[],,CM-7,mitigates,4 +2508,,T1071.002,File Transfer Protocols,[],[],,CM-7,mitigates,4 +2509,,T1071.003,Mail Protocols,[],[],,CM-7,mitigates,4 +2510,,T1071.004,DNS,[],[],,CM-7,mitigates,4 +2511,,T1072,Software Deployment Tools,[],[],,CM-7,mitigates,4 +2512,,T1080,Taint Shared Content,[],[],,CM-7,mitigates,4 +2513,,T1087,Account Discovery,[],[],,CM-7,mitigates,4 +2514,,T1090,Proxy,[],[],,CM-7,mitigates,4 +2515,,T1090.001,Internal Proxy,[],[],,CM-7,mitigates,4 +2516,,T1090.002,External Proxy,[],[],,CM-7,mitigates,4 +2517,,T1090.003,Multi-hop Proxy,[],[],,CM-7,mitigates,4 +2518,,T1092,Communication Through Removable Media,[],[],,CM-7,mitigates,4 +2519,,T1102,Web Service,[],[],,CM-7,mitigates,4 +2520,,T1102.001,Dead Drop Resolver,[],[],,CM-7,mitigates,4 +2521,,T1102.002,Bidirectional Communication,[],[],,CM-7,mitigates,4 +2522,,T1102.003,One-Way Communication,[],[],,CM-7,mitigates,4 +2523,,T1104,Multi-Stage Channels,[],[],,CM-7,mitigates,4 +2524,,T1112,Modify Registry,[],[],,CM-7,mitigates,4 +2525,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-7,mitigates,4 +2526,,T1135,Network Share Discovery,[],[],,CM-7,mitigates,4 +2527,,T1136,Create Account,[],[],,CM-7,mitigates,4 +2528,,T1136.002,Domain Account,[],[],,CM-7,mitigates,4 +2529,,T1136.003,Cloud Account,[],[],,CM-7,mitigates,4 +2530,,T1187,Forced Authentication,[],[],,CM-7,mitigates,4 +2531,,T1204.001,Malicious Link,[],[],,CM-7,mitigates,4 
+2532,,T1204.003,Malicious Image,[],[],,CM-7,mitigates,4 +2533,,T1213,Data from Information Repositories,[],[],,CM-7,mitigates,4 +2534,,T1213.001,Confluence,[],[],,CM-7,mitigates,4 +2535,,T1213.002,Sharepoint,[],[],,CM-7,mitigates,4 +2536,,T1218.001,Compiled HTML File,[],[],,CM-7,mitigates,4 +2537,,T1218.002,Control Panel,[],[],,CM-7,mitigates,4 +2538,,T1218.005,Mshta,[],[],,CM-7,mitigates,4 +2539,,T1220,XSL Script Processing,[],[],,CM-7,mitigates,4 +2540,,T1484,Domain Policy Modification,[],[],,CM-7,mitigates,4 +2541,,T1489,Service Stop,[],[],,CM-7,mitigates,4 +2542,,T1498,Network Denial of Service,[],[],,CM-7,mitigates,4 +2543,,T1505.004,IIS Components,[],[],,CM-7,mitigates,4 +2544,,T1542.004,ROMMONkit,[],[],,CM-7,mitigates,4 +2545,,T1542.005,TFTP Boot,[],[],,CM-7,mitigates,4 +2546,,T1543.004,Launch Daemon,[],[],,CM-7,mitigates,4 +2547,,T1546.008,Accessibility Features,[],[],,CM-7,mitigates,4 +2548,,T1546.009,AppCert DLLs,[],[],,CM-7,mitigates,4 +2549,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-7,mitigates,4 +2550,,T1548.004,Elevated Execution with Prompt,[],[],,CM-7,mitigates,4 +2551,,T1552,Unsecured Credentials,[],[],,CM-7,mitigates,4 +2552,,T1553,Subvert Trust Controls,[],[],,CM-7,mitigates,4 +2553,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-7,mitigates,4 +2554,,T1553.004,Install Root Certificate,[],[],,CM-7,mitigates,4 +2555,,T1553.006,Code Signing Policy Modification,[],[],,CM-7,mitigates,4 +2556,,T1556.002,Password Filter DLL,[],[],,CM-7,mitigates,4 +2557,,T1557.002,ARP Cache Poisoning,[],[],,CM-7,mitigates,4 +2558,,T1562.002,Disable Windows Event Logging,[],[],,CM-7,mitigates,4 +2559,,T1562.004,Disable or Modify System Firewall,[],[],,CM-7,mitigates,4 +2560,,T1562.009,Safe Mode Boot,[],[],,CM-7,mitigates,4 +2561,,T1563,Remote Service Session Hijacking,[],[],,CM-7,mitigates,4 +2562,,T1563.001,SSH Hijacking,[],[],,CM-7,mitigates,4 +2563,,T1563.002,RDP Hijacking,[],[],,CM-7,mitigates,4 +2564,,T1564.003,Hidden Window,[],[],,CM-7,mitigates,4 
+2565,,T1564.006,Run Virtual Instance,[],[],,CM-7,mitigates,4 +2566,,T1564.008,Email Hiding Rules,[],[],,CM-7,mitigates,4 +2567,,T1564.009,Resource Forking,[],[],,CM-7,mitigates,4 +2568,,T1569,System Services,[],[],,CM-7,mitigates,4 +2569,,T1569.002,Service Execution,[],[],,CM-7,mitigates,4 +2570,,T1571,Non-Standard Port,[],[],,CM-7,mitigates,4 +2571,,T1572,Protocol Tunneling,[],[],,CM-7,mitigates,4 +2572,,T1573,Encrypted Channel,[],[],,CM-7,mitigates,4 +2573,,T1573.001,Symmetric Cryptography,[],[],,CM-7,mitigates,4 +2574,,T1573.002,Asymmetric Cryptography,[],[],,CM-7,mitigates,4 +2575,,T1574.001,DLL Search Order Hijacking,[],[],,CM-7,mitigates,4 +2576,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-7,mitigates,4 +2577,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-7,mitigates,4 +2578,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-7,mitigates,4 +2579,,T1574.012,COR_PROFILER,[],[],,CM-7,mitigates,4 +2580,,T1599.001,Network Address Translation Traversal,[],[],,CM-7,mitigates,4 +2581,,T1601,Modify System Image,[],[],,CM-7,mitigates,4 +2582,,T1601.001,Patch System Image,[],[],,CM-7,mitigates,4 +2583,,T1601.002,Downgrade System Image,[],[],,CM-7,mitigates,4 +2584,,T1602,Data from Configuration Repository,[],[],,CM-7,mitigates,4 +2585,,T1602.001,SNMP (MIB Dump),[],[],,CM-7,mitigates,4 +2586,,T1612,Build Image on Host,[],[],,CM-7,mitigates,4 +2587,,T1613,Container and Resource Discovery,[],[],,CM-7,mitigates,4 +2588,,T1593.003,Code Repositories,[],[],,CM-8,mitigates,4 +2589,,T1557.003,DHCP Spoofing,[],[],,CM-8,mitigates,4 +2590,,T1622,Debugger Evasion,[],[],,CM-8,mitigates,4 +2591,,T1574,Hijack Execution Flow,[],[],,CM-8,mitigates,4 +2592,,T1068,Exploitation for Privilege Escalation,[],[],,CM-8,mitigates,4 +2593,,T1133,External Remote Services,[],[],,CM-8,mitigates,4 +2594,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-8,mitigates,4 +2595,,T1212,Exploitation for Credential Access,[],[],,CM-8,mitigates,4 +2596,,T1059,Command and Scripting 
Interpreter,[],[],,CM-8,mitigates,4 +2597,,T1203,Exploitation for Client Execution,[],[],,CM-8,mitigates,4 +2598,,T1211,Exploitation for Defense Evasion,[],[],,CM-8,mitigates,4 +2599,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-8,mitigates,4 +2600,,T1046,Network Service Scanning,[],[],,CM-8,mitigates,4 +2601,,T1091,Replication Through Removable Media,[],[],,CM-8,mitigates,4 +2602,,T1119,Automated Collection,[],[],,CM-8,mitigates,4 +2603,,T1218,Signed Binary Proxy Execution,[],[],,CM-8,mitigates,4 +2604,,T1530,Data from Cloud Storage Object,[],[],,CM-8,mitigates,4 +2605,,T1557,Adversary-in-the-Middle,[],[],,CM-8,mitigates,4 +2606,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-8,mitigates,4 +2607,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-8,mitigates,4 +2608,,T1020.001,Traffic Duplication,[],[],,CM-8,mitigates,4 +2609,,T1021.001,Remote Desktop Protocol,[],[],,CM-8,mitigates,4 +2610,,T1053,Scheduled Task/Job,[],[],,CM-8,mitigates,4 +2611,,T1053.002,At (Windows),[],[],,CM-8,mitigates,4 +2612,,T1053.005,Scheduled Task,[],[],,CM-8,mitigates,4 +2613,,T1059.001,PowerShell,[],[],,CM-8,mitigates,4 +2614,,T1059.005,Visual Basic,[],[],,CM-8,mitigates,4 +2615,,T1098.004,SSH Authorized Keys,[],[],,CM-8,mitigates,4 +2616,,T1189,Drive-by Compromise,[],[],,CM-8,mitigates,4 +2617,,T1190,Exploit Public-Facing Application,[],[],,CM-8,mitigates,4 +2618,,T1210,Exploitation of Remote Services,[],[],,CM-8,mitigates,4 +2619,,T1218.003,CMSTP,[],[],,CM-8,mitigates,4 +2620,,T1218.004,InstallUtil,[],[],,CM-8,mitigates,4 +2621,,T1218.008,Odbcconf,[],[],,CM-8,mitigates,4 +2622,,T1218.009,Regsvcs/Regasm,[],[],,CM-8,mitigates,4 +2623,,T1218.012,Verclsid,[],[],,CM-8,mitigates,4 +2624,,T1218.013,Mavinject,[],[],,CM-8,mitigates,4 +2625,,T1218.014,MMC,[],[],,CM-8,mitigates,4 +2626,,T1221,Template Injection,[],[],,CM-8,mitigates,4 +2627,,T1495,Firmware Corruption,[],[],,CM-8,mitigates,4 +2628,,T1505,Server Software Component,[],[],,CM-8,mitigates,4 
+2629,,T1546.002,Screensaver,[],[],,CM-8,mitigates,4 +2630,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-8,mitigates,4 +2631,,T1547.007,Re-opened Applications,[],[],,CM-8,mitigates,4 +2632,,T1559,Inter-Process Communication,[],[],,CM-8,mitigates,4 +2633,,T1559.002,Dynamic Data Exchange,[],[],,CM-8,mitigates,4 +2634,,T1565,Data Manipulation,[],[],,CM-8,mitigates,4 +2635,,T1565.001,Stored Data Manipulation,[],[],,CM-8,mitigates,4 +2636,,T1565.002,Transmitted Data Manipulation,[],[],,CM-8,mitigates,4 +2637,,T1602.002,Network Device Configuration Dump,[],[],,CM-8,mitigates,4 +2638,,T1021.003,Distributed Component Object Model,[],[],,CM-8,mitigates,4 +2639,,T1021.004,SSH,[],[],,CM-8,mitigates,4 +2640,,T1021.005,VNC,[],[],,CM-8,mitigates,4 +2641,,T1021.006,Windows Remote Management,[],[],,CM-8,mitigates,4 +2642,,T1052,Exfiltration Over Physical Medium,[],[],,CM-8,mitigates,4 +2643,,T1052.001,Exfiltration over USB,[],[],,CM-8,mitigates,4 +2644,,T1059.007,JavaScript,[],[],,CM-8,mitigates,4 +2645,,T1072,Software Deployment Tools,[],[],,CM-8,mitigates,4 +2646,,T1092,Communication Through Removable Media,[],[],,CM-8,mitigates,4 +2647,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-8,mitigates,4 +2648,,T1127.001,MSBuild,[],[],,CM-8,mitigates,4 +2649,,T1137,Office Application Startup,[],[],,CM-8,mitigates,4 +2650,,T1137.001,Office Template Macros,[],[],,CM-8,mitigates,4 +2651,,T1213,Data from Information Repositories,[],[],,CM-8,mitigates,4 +2652,,T1213.001,Confluence,[],[],,CM-8,mitigates,4 +2653,,T1213.002,Sharepoint,[],[],,CM-8,mitigates,4 +2654,,T1218.005,Mshta,[],[],,CM-8,mitigates,4 +2655,,T1505.001,SQL Stored Procedures,[],[],,CM-8,mitigates,4 +2656,,T1505.002,Transport Agent,[],[],,CM-8,mitigates,4 +2657,,T1505.004,IIS Components,[],[],,CM-8,mitigates,4 +2658,,T1542,Pre-OS Boot,[],[],,CM-8,mitigates,4 +2659,,T1542.001,System Firmware,[],[],,CM-8,mitigates,4 +2660,,T1542.003,Bootkit,[],[],,CM-8,mitigates,4 +2661,,T1542.004,ROMMONkit,[],[],,CM-8,mitigates,4 
+2662,,T1542.005,TFTP Boot,[],[],,CM-8,mitigates,4 +2663,,T1546.014,Emond,[],[],,CM-8,mitigates,4 +2664,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-8,mitigates,4 +2665,,T1548.004,Elevated Execution with Prompt,[],[],,CM-8,mitigates,4 +2666,,T1553,Subvert Trust Controls,[],[],,CM-8,mitigates,4 +2667,,T1553.006,Code Signing Policy Modification,[],[],,CM-8,mitigates,4 +2668,,T1557.002,ARP Cache Poisoning,[],[],,CM-8,mitigates,4 +2669,,T1563,Remote Service Session Hijacking,[],[],,CM-8,mitigates,4 +2670,,T1563.001,SSH Hijacking,[],[],,CM-8,mitigates,4 +2671,,T1563.002,RDP Hijacking,[],[],,CM-8,mitigates,4 +2672,,T1564.006,Run Virtual Instance,[],[],,CM-8,mitigates,4 +2673,,T1564.007,VBA Stomping,[],[],,CM-8,mitigates,4 +2674,,T1574.004,Dylib Hijacking,[],[],,CM-8,mitigates,4 +2675,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-8,mitigates,4 +2676,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-8,mitigates,4 +2677,,T1601,Modify System Image,[],[],,CM-8,mitigates,4 +2678,,T1601.001,Patch System Image,[],[],,CM-8,mitigates,4 +2679,,T1601.002,Downgrade System Image,[],[],,CM-8,mitigates,4 +2680,,T1602,Data from Configuration Repository,[],[],,CM-8,mitigates,4 +2681,,T1602.001,SNMP (MIB Dump),[],[],,CM-8,mitigates,4 +2682,,T1486,Data Encrypted for Impact,[],[],,CP-10,mitigates,4 +2683,,T1490,Inhibit System Recovery,[],[],,CP-10,mitigates,4 +2684,,T1491,Defacement,[],[],,CP-10,mitigates,4 +2685,,T1491.001,Internal Defacement,[],[],,CP-10,mitigates,4 +2686,,T1491.002,External Defacement,[],[],,CP-10,mitigates,4 +2687,,T1565,Data Manipulation,[],[],,CP-10,mitigates,4 +2688,,T1565.001,Stored Data Manipulation,[],[],,CP-10,mitigates,4 +2689,,T1485,Data Destruction,[],[],,CP-10,mitigates,4 +2690,,T1561,Disk Wipe,[],[],,CP-10,mitigates,4 +2691,,T1561.001,Disk Content Wipe,[],[],,CP-10,mitigates,4 +2692,,T1561.002,Disk Structure Wipe,[],[],,CP-10,mitigates,4 +2693,,T1486,Data Encrypted for Impact,[],[],,CP-2,mitigates,4 +2694,,T1490,Inhibit System 
Recovery,[],[],,CP-2,mitigates,4 +2695,,T1491,Defacement,[],[],,CP-2,mitigates,4 +2696,,T1491.001,Internal Defacement,[],[],,CP-2,mitigates,4 +2697,,T1491.002,External Defacement,[],[],,CP-2,mitigates,4 +2698,,T1485,Data Destruction,[],[],,CP-2,mitigates,4 +2699,,T1561,Disk Wipe,[],[],,CP-2,mitigates,4 +2700,,T1561.001,Disk Content Wipe,[],[],,CP-2,mitigates,4 +2701,,T1561.002,Disk Structure Wipe,[],[],,CP-2,mitigates,4 +2702,,T1070.008,Clear Mailbox Data,[],[],,CP-6,mitigates,4 +2703,,T1070.001,Clear Windows Event Logs,[],[],,CP-6,mitigates,4 +2704,,T1119,Automated Collection,[],[],,CP-6,mitigates,4 +2705,,T1070,Indicator Removal on Host,[],[],,CP-6,mitigates,4 +2706,,T1486,Data Encrypted for Impact,[],[],,CP-6,mitigates,4 +2707,,T1565,Data Manipulation,[],[],,CP-6,mitigates,4 +2708,,T1565.001,Stored Data Manipulation,[],[],,CP-6,mitigates,4 +2709,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-6,mitigates,4 +2710,,T1070.008,Clear Mailbox Data,[],[],,CP-7,mitigates,4 +2711,,T1070.001,Clear Windows Event Logs,[],[],,CP-7,mitigates,4 +2712,,T1119,Automated Collection,[],[],,CP-7,mitigates,4 +2713,,T1070,Indicator Removal on Host,[],[],,CP-7,mitigates,4 +2714,,T1486,Data Encrypted for Impact,[],[],,CP-7,mitigates,4 +2715,,T1490,Inhibit System Recovery,[],[],,CP-7,mitigates,4 +2716,,T1491,Defacement,[],[],,CP-7,mitigates,4 +2717,,T1491.001,Internal Defacement,[],[],,CP-7,mitigates,4 +2718,,T1491.002,External Defacement,[],[],,CP-7,mitigates,4 +2719,,T1565,Data Manipulation,[],[],,CP-7,mitigates,4 +2720,,T1565.001,Stored Data Manipulation,[],[],,CP-7,mitigates,4 +2721,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-7,mitigates,4 +2722,,T1485,Data Destruction,[],[],,CP-7,mitigates,4 +2723,,T1561,Disk Wipe,[],[],,CP-7,mitigates,4 +2724,,T1561.001,Disk Content Wipe,[],[],,CP-7,mitigates,4 +2725,,T1561.002,Disk Structure Wipe,[],[],,CP-7,mitigates,4 +2726,,T1070.008,Clear Mailbox Data,[],[],,CP-9,mitigates,4 +2727,,T1070.001,Clear Windows Event 
Logs,[],[],,CP-9,mitigates,4 +2728,,T1003.003,NTDS,[],[],,CP-9,mitigates,4 +2729,,T1005,Data from Local System,[],[],,CP-9,mitigates,4 +2730,,T1119,Automated Collection,[],[],,CP-9,mitigates,4 +2731,,T1070,Indicator Removal on Host,[],[],,CP-9,mitigates,4 +2732,,T1486,Data Encrypted for Impact,[],[],,CP-9,mitigates,4 +2733,,T1490,Inhibit System Recovery,[],[],,CP-9,mitigates,4 +2734,,T1491,Defacement,[],[],,CP-9,mitigates,4 +2735,,T1491.001,Internal Defacement,[],[],,CP-9,mitigates,4 +2736,,T1491.002,External Defacement,[],[],,CP-9,mitigates,4 +2737,,T1565,Data Manipulation,[],[],,CP-9,mitigates,4 +2738,,T1565.001,Stored Data Manipulation,[],[],,CP-9,mitigates,4 +2739,,T1565.003,Runtime Data Manipulation,[],[],,CP-9,mitigates,4 +2740,,T1003,OS Credential Dumping,[],[],,CP-9,mitigates,4 +2741,,T1025,Data from Removable Media,[],[],,CP-9,mitigates,4 +2742,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-9,mitigates,4 +2743,,T1485,Data Destruction,[],[],,CP-9,mitigates,4 +2744,,T1561,Disk Wipe,[],[],,CP-9,mitigates,4 +2745,,T1561.001,Disk Content Wipe,[],[],,CP-9,mitigates,4 +2746,,T1561.002,Disk Structure Wipe,[],[],,CP-9,mitigates,4 +2747,,T1556.006,Multi-Factor Authentication,[],[],,IA-11,mitigates,4 +2748,,T1556.007,Hybrid Identity,[],[],,IA-11,mitigates,4 +2749,,T1110.001,Password Guessing,[],[],,IA-11,mitigates,4 +2750,,T1110.002,Password Cracking,[],[],,IA-11,mitigates,4 +2751,,T1110,Brute Force,[],[],,IA-11,mitigates,4 +2752,,T1110.003,Password Spraying,[],[],,IA-11,mitigates,4 +2753,,T1110.004,Credential Stuffing,[],[],,IA-11,mitigates,4 +2754,,T1556.006,Multi-Factor Authentication,[],[],,IA-2,mitigates,4 +2755,,T1556.007,Hybrid Identity,[],[],,IA-2,mitigates,4 +2756,,T1585.003,Cloud Accounts,[],[],,IA-2,mitigates,4 +2757,,T1586.003,Cloud Accounts,[],[],,IA-2,mitigates,4 +2758,,T1621,Multi-Factor Authentication Request Generation,[],[],,IA-2,mitigates,4 +2759,,T1649,Steal or Forge Authentication Certificates,[],[],,IA-2,mitigates,4 +2760,,T1648,Serverless 
Execution,[],[],,IA-2,mitigates,4 +2761,,T1098.004,SSH Authorized Keys,[],[],,IA-2,mitigates,4 +2762,,T1552.007,Container API,[],[],,IA-2,mitigates,4 +2763,,T1556,Modify Authentication Process,[],[],,IA-2,mitigates,4 +2764,,T1543.001,Launch Agent,[],[],,IA-2,mitigates,4 +2765,,T1562,Impair Defenses,[],[],,IA-2,mitigates,4 +2766,,T1574,Hijack Execution Flow,[],[],,IA-2,mitigates,4 +2767,,T1610,Deploy Container,[],[],,IA-2,mitigates,4 +2768,,T1055,Process Injection,[],[],,IA-2,mitigates,4 +2769,,T1133,External Remote Services,[],[],,IA-2,mitigates,4 +2770,,T1059,Command and Scripting Interpreter,[],[],,IA-2,mitigates,4 +2771,,T1537,Transfer Data to Cloud Account,[],[],,IA-2,mitigates,4 +2772,,T1003.001,LSASS Memory,[],[],,IA-2,mitigates,4 +2773,,T1003.002,Security Account Manager,[],[],,IA-2,mitigates,4 +2774,,T1003.003,NTDS,[],[],,IA-2,mitigates,4 +2775,,T1040,Network Sniffing,[],[],,IA-2,mitigates,4 +2776,,T1078,Valid Accounts,[],[],,IA-2,mitigates,4 +2777,,T1110.001,Password Guessing,[],[],,IA-2,mitigates,4 +2778,,T1110.002,Password Cracking,[],[],,IA-2,mitigates,4 +2779,,T1111,Two-Factor Authentication Interception,[],[],,IA-2,mitigates,4 +2780,,T1218,Signed Binary Proxy Execution,[],[],,IA-2,mitigates,4 +2781,,T1528,Steal Application Access Token,[],[],,IA-2,mitigates,4 +2782,,T1530,Data from Cloud Storage Object,[],[],,IA-2,mitigates,4 +2783,,T1580,Cloud Infrastructure Discovery,[],[],,IA-2,mitigates,4 +2784,,T1599,Network Boundary Bridging,[],[],,IA-2,mitigates,4 +2785,,T1611,Escape to Host,[],[],,IA-2,mitigates,4 +2786,,T1021.001,Remote Desktop Protocol,[],[],,IA-2,mitigates,4 +2787,,T1047,Windows Management Instrumentation,[],[],,IA-2,mitigates,4 +2788,,T1053,Scheduled Task/Job,[],[],,IA-2,mitigates,4 +2789,,T1053.002,At (Windows),[],[],,IA-2,mitigates,4 +2790,,T1053.003,Cron,[],[],,IA-2,mitigates,4 +2791,,T1053.005,Scheduled Task,[],[],,IA-2,mitigates,4 +2792,,T1059.001,PowerShell,[],[],,IA-2,mitigates,4 +2793,,T1059.008,Network Device 
CLI,[],[],,IA-2,mitigates,4 +2794,,T1078.002,Domain Accounts,[],[],,IA-2,mitigates,4 +2795,,T1078.004,Cloud Accounts,[],[],,IA-2,mitigates,4 +2796,,T1098,Account Manipulation,[],[],,IA-2,mitigates,4 +2797,,T1098.001,Additional Cloud Credentials,[],[],,IA-2,mitigates,4 +2798,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-2,mitigates,4 +2799,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-2,mitigates,4 +2800,,T1190,Exploit Public-Facing Application,[],[],,IA-2,mitigates,4 +2801,,T1197,BITS Jobs,[],[],,IA-2,mitigates,4 +2802,,T1210,Exploitation of Remote Services,[],[],,IA-2,mitigates,4 +2803,,T1213.003,Code Repositories,[],[],,IA-2,mitigates,4 +2804,,T1218.007,Msiexec,[],[],,IA-2,mitigates,4 +2805,,T1222,File and Directory Permissions Modification,[],[],,IA-2,mitigates,4 +2806,,T1495,Firmware Corruption,[],[],,IA-2,mitigates,4 +2807,,T1505,Server Software Component,[],[],,IA-2,mitigates,4 +2808,,T1525,Implant Internal Image,[],[],,IA-2,mitigates,4 +2809,,T1543,Create or Modify System Process,[],[],,IA-2,mitigates,4 +2810,,T1543.003,Windows Service,[],[],,IA-2,mitigates,4 +2811,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,IA-2,mitigates,4 +2812,,T1547.004,Winlogon Helper DLL,[],[],,IA-2,mitigates,4 +2813,,T1547.006,Kernel Modules and Extensions,[],[],,IA-2,mitigates,4 +2814,,T1547.009,Shortcut Modification,[],[],,IA-2,mitigates,4 +2815,,T1548.002,Bypass User Account Control,[],[],,IA-2,mitigates,4 +2816,,T1548.003,Sudo and Sudo Caching,[],[],,IA-2,mitigates,4 +2817,,T1550.001,Application Access Token,[],[],,IA-2,mitigates,4 +2818,,T1556.004,Network Device Authentication,[],[],,IA-2,mitigates,4 +2819,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-2,mitigates,4 +2820,,T1558.003,Kerberoasting,[],[],,IA-2,mitigates,4 +2821,,T1559,Inter-Process Communication,[],[],,IA-2,mitigates,4 +2822,,T1562.001,Disable or Modify Tools,[],[],,IA-2,mitigates,4 +2823,,T1562.006,Indicator Blocking,[],[],,IA-2,mitigates,4 
+2824,,T1562.008,Disable Cloud Logs,[],[],,IA-2,mitigates,4 +2825,,T1003,OS Credential Dumping,[],[],,IA-2,mitigates,4 +2826,,T1003.004,LSA Secrets,[],[],,IA-2,mitigates,4 +2827,,T1003.005,Cached Domain Credentials,[],[],,IA-2,mitigates,4 +2828,,T1003.006,DCSync,[],[],,IA-2,mitigates,4 +2829,,T1003.007,Proc Filesystem,[],[],,IA-2,mitigates,4 +2830,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-2,mitigates,4 +2831,,T1021,Remote Services,[],[],,IA-2,mitigates,4 +2832,,T1021.002,SMB/Windows Admin Shares,[],[],,IA-2,mitigates,4 +2833,,T1021.003,Distributed Component Object Model,[],[],,IA-2,mitigates,4 +2834,,T1021.004,SSH,[],[],,IA-2,mitigates,4 +2835,,T1021.005,VNC,[],[],,IA-2,mitigates,4 +2836,,T1021.006,Windows Remote Management,[],[],,IA-2,mitigates,4 +2837,,T1036.007,Double File Extension,[],[],,IA-2,mitigates,4 +2838,,T1053.006,Systemd Timers,[],[],,IA-2,mitigates,4 +2839,,T1053.007,Container Orchestration Job,[],[],,IA-2,mitigates,4 +2840,,T1055.008,Ptrace System Calls,[],[],,IA-2,mitigates,4 +2841,,T1056.003,Web Portal Capture,[],[],,IA-2,mitigates,4 +2842,,T1072,Software Deployment Tools,[],[],,IA-2,mitigates,4 +2843,,T1078.003,Local Accounts,[],[],,IA-2,mitigates,4 +2844,,T1087.004,Cloud Account,[],[],,IA-2,mitigates,4 +2845,,T1110,Brute Force,[],[],,IA-2,mitigates,4 +2846,,T1110.003,Password Spraying,[],[],,IA-2,mitigates,4 +2847,,T1110.004,Credential Stuffing,[],[],,IA-2,mitigates,4 +2848,,T1114,Email Collection,[],[],,IA-2,mitigates,4 +2849,,T1114.002,Remote Email Collection,[],[],,IA-2,mitigates,4 +2850,,T1134,Access Token Manipulation,[],[],,IA-2,mitigates,4 +2851,,T1134.001,Token Impersonation/Theft,[],[],,IA-2,mitigates,4 +2852,,T1134.002,Create Process with Token,[],[],,IA-2,mitigates,4 +2853,,T1134.003,Make and Impersonate Token,[],[],,IA-2,mitigates,4 +2854,,T1136,Create Account,[],[],,IA-2,mitigates,4 +2855,,T1136.001,Local Account,[],[],,IA-2,mitigates,4 +2856,,T1136.002,Domain Account,[],[],,IA-2,mitigates,4 +2857,,T1136.003,Cloud 
Account,[],[],,IA-2,mitigates,4 +2858,,T1185,Browser Session Hijacking,[],[],,IA-2,mitigates,4 +2859,,T1213,Data from Information Repositories,[],[],,IA-2,mitigates,4 +2860,,T1213.001,Confluence,[],[],,IA-2,mitigates,4 +2861,,T1213.002,Sharepoint,[],[],,IA-2,mitigates,4 +2862,,T1222.001,Windows File and Directory Permissions Modification,[],[],,IA-2,mitigates,4 +2863,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,IA-2,mitigates,4 +2864,,T1484,Domain Policy Modification,[],[],,IA-2,mitigates,4 +2865,,T1489,Service Stop,[],[],,IA-2,mitigates,4 +2866,,T1505.001,SQL Stored Procedures,[],[],,IA-2,mitigates,4 +2867,,T1505.002,Transport Agent,[],[],,IA-2,mitigates,4 +2868,,T1505.004,IIS Components,[],[],,IA-2,mitigates,4 +2869,,T1538,Cloud Service Dashboard,[],[],,IA-2,mitigates,4 +2870,,T1539,Steal Web Session Cookie,[],[],,IA-2,mitigates,4 +2871,,T1542,Pre-OS Boot,[],[],,IA-2,mitigates,4 +2872,,T1542.001,System Firmware,[],[],,IA-2,mitigates,4 +2873,,T1542.003,Bootkit,[],[],,IA-2,mitigates,4 +2874,,T1542.005,TFTP Boot,[],[],,IA-2,mitigates,4 +2875,,T1543.002,Systemd Service,[],[],,IA-2,mitigates,4 +2876,,T1543.004,Launch Daemon,[],[],,IA-2,mitigates,4 +2877,,T1547.012,Print Processors,[],[],,IA-2,mitigates,4 +2878,,T1547.013,XDG Autostart Entries,[],[],,IA-2,mitigates,4 +2879,,T1548,Abuse Elevation Control Mechanism,[],[],,IA-2,mitigates,4 +2880,,T1550,Use Alternate Authentication Material,[],[],,IA-2,mitigates,4 +2881,,T1550.002,Pass the Hash,[],[],,IA-2,mitigates,4 +2882,,T1550.003,Pass the Ticket,[],[],,IA-2,mitigates,4 +2883,,T1552,Unsecured Credentials,[],[],,IA-2,mitigates,4 +2884,,T1552.001,Credentials In Files,[],[],,IA-2,mitigates,4 +2885,,T1552.002,Credentials in Registry,[],[],,IA-2,mitigates,4 +2886,,T1552.004,Private Keys,[],[],,IA-2,mitigates,4 +2887,,T1552.006,Group Policy Preferences,[],[],,IA-2,mitigates,4 +2888,,T1553,Subvert Trust Controls,[],[],,IA-2,mitigates,4 +2889,,T1553.006,Code Signing Policy 
Modification,[],[],,IA-2,mitigates,4 +2890,,T1555.005,Password Managers,[],[],,IA-2,mitigates,4 +2891,,T1556.001,Domain Controller Authentication,[],[],,IA-2,mitigates,4 +2892,,T1556.003,Pluggable Authentication Modules,[],[],,IA-2,mitigates,4 +2893,,T1558.001,Golden Ticket,[],[],,IA-2,mitigates,4 +2894,,T1558.002,Silver Ticket,[],[],,IA-2,mitigates,4 +2895,,T1558.004,AS-REP Roasting,[],[],,IA-2,mitigates,4 +2896,,T1559.001,Component Object Model,[],[],,IA-2,mitigates,4 +2897,,T1562.002,Disable Windows Event Logging,[],[],,IA-2,mitigates,4 +2898,,T1562.004,Disable or Modify System Firewall,[],[],,IA-2,mitigates,4 +2899,,T1562.007,Disable or Modify Cloud Firewall,[],[],,IA-2,mitigates,4 +2900,,T1562.009,Safe Mode Boot,[],[],,IA-2,mitigates,4 +2901,,T1563,Remote Service Session Hijacking,[],[],,IA-2,mitigates,4 +2902,,T1563.001,SSH Hijacking,[],[],,IA-2,mitigates,4 +2903,,T1563.002,RDP Hijacking,[],[],,IA-2,mitigates,4 +2904,,T1569,System Services,[],[],,IA-2,mitigates,4 +2905,,T1569.001,Launchctl,[],[],,IA-2,mitigates,4 +2906,,T1569.002,Service Execution,[],[],,IA-2,mitigates,4 +2907,,T1574.005,Executable Installer File Permissions Weakness,[],[],,IA-2,mitigates,4 +2908,,T1574.010,Services File Permissions Weakness,[],[],,IA-2,mitigates,4 +2909,,T1574.012,COR_PROFILER,[],[],,IA-2,mitigates,4 +2910,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-2,mitigates,4 +2911,,T1578.001,Create Snapshot,[],[],,IA-2,mitigates,4 +2912,,T1578.002,Create Cloud Instance,[],[],,IA-2,mitigates,4 +2913,,T1578.003,Delete Cloud Instance,[],[],,IA-2,mitigates,4 +2914,,T1599.001,Network Address Translation Traversal,[],[],,IA-2,mitigates,4 +2915,,T1601,Modify System Image,[],[],,IA-2,mitigates,4 +2916,,T1601.001,Patch System Image,[],[],,IA-2,mitigates,4 +2917,,T1601.002,Downgrade System Image,[],[],,IA-2,mitigates,4 +2918,,T1613,Container and Resource Discovery,[],[],,IA-2,mitigates,4 +2919,,T1619,Cloud Storage Object Discovery,[],[],,IA-2,mitigates,4 +2920,,T1621,Multi-Factor 
Authentication Request Generation,[],[],,IA-3,mitigates,4 +2921,,T1537,Transfer Data to Cloud Account,[],[],,IA-3,mitigates,4 +2922,,T1530,Data from Cloud Storage Object,[],[],,IA-3,mitigates,4 +2923,,T1552.005,Cloud Instance Metadata API,[],[],,IA-3,mitigates,4 +2924,,T1602.002,Network Device Configuration Dump,[],[],,IA-3,mitigates,4 +2925,,T1552,Unsecured Credentials,[],[],,IA-3,mitigates,4 +2926,,T1602,Data from Configuration Repository,[],[],,IA-3,mitigates,4 +2927,,T1602.001,SNMP (MIB Dump),[],[],,IA-3,mitigates,4 +2928,,T1562,Impair Defenses,[],[],,IA-4,mitigates,4 +2929,,T1537,Transfer Data to Cloud Account,[],[],,IA-4,mitigates,4 +2930,,T1110.001,Password Guessing,[],[],,IA-4,mitigates,4 +2931,,T1110.002,Password Cracking,[],[],,IA-4,mitigates,4 +2932,,T1528,Steal Application Access Token,[],[],,IA-4,mitigates,4 +2933,,T1530,Data from Cloud Storage Object,[],[],,IA-4,mitigates,4 +2934,,T1021.001,Remote Desktop Protocol,[],[],,IA-4,mitigates,4 +2935,,T1053,Scheduled Task/Job,[],[],,IA-4,mitigates,4 +2936,,T1053.002,At (Windows),[],[],,IA-4,mitigates,4 +2937,,T1053.005,Scheduled Task,[],[],,IA-4,mitigates,4 +2938,,T1543,Create or Modify System Process,[],[],,IA-4,mitigates,4 +2939,,T1543.003,Windows Service,[],[],,IA-4,mitigates,4 +2940,,T1547.006,Kernel Modules and Extensions,[],[],,IA-4,mitigates,4 +2941,,T1550.001,Application Access Token,[],[],,IA-4,mitigates,4 +2942,,T1552.005,Cloud Instance Metadata API,[],[],,IA-4,mitigates,4 +2943,,T1602.002,Network Device Configuration Dump,[],[],,IA-4,mitigates,4 +2944,,T1003,OS Credential Dumping,[],[],,IA-4,mitigates,4 +2945,,T1003.005,Cached Domain Credentials,[],[],,IA-4,mitigates,4 +2946,,T1003.006,DCSync,[],[],,IA-4,mitigates,4 +2947,,T1021.005,VNC,[],[],,IA-4,mitigates,4 +2948,,T1110,Brute Force,[],[],,IA-4,mitigates,4 +2949,,T1110.003,Password Spraying,[],[],,IA-4,mitigates,4 +2950,,T1110.004,Credential Stuffing,[],[],,IA-4,mitigates,4 +2951,,T1213,Data from Information Repositories,[],[],,IA-4,mitigates,4 
+2952,,T1213.001,Confluence,[],[],,IA-4,mitigates,4 +2953,,T1213.002,Sharepoint,[],[],,IA-4,mitigates,4 +2954,,T1543.004,Launch Daemon,[],[],,IA-4,mitigates,4 +2955,,T1552,Unsecured Credentials,[],[],,IA-4,mitigates,4 +2956,,T1563,Remote Service Session Hijacking,[],[],,IA-4,mitigates,4 +2957,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-4,mitigates,4 +2958,,T1578.001,Create Snapshot,[],[],,IA-4,mitigates,4 +2959,,T1578.002,Create Cloud Instance,[],[],,IA-4,mitigates,4 +2960,,T1578.003,Delete Cloud Instance,[],[],,IA-4,mitigates,4 +2961,,T1602,Data from Configuration Repository,[],[],,IA-4,mitigates,4 +2962,,T1602.001,SNMP (MIB Dump),[],[],,IA-4,mitigates,4 +2963,,T1556.005,Reversible Encryption,[],[],,IA-5,mitigates,4 +2964,,T1621,Multi-Factor Authentication Request Generation,[],[],,IA-5,mitigates,4 +2965,,T1649,Steal or Forge Authentication Certificates,[],[],,IA-5,mitigates,4 +2966,,T1098.004,SSH Authorized Keys,[],[],,IA-5,mitigates,4 +2967,,T1556,Modify Authentication Process,[],[],,IA-5,mitigates,4 +2968,,T1133,External Remote Services,[],[],,IA-5,mitigates,4 +2969,,T1003.001,LSASS Memory,[],[],,IA-5,mitigates,4 +2970,,T1003.002,Security Account Manager,[],[],,IA-5,mitigates,4 +2971,,T1003.003,NTDS,[],[],,IA-5,mitigates,4 +2972,,T1040,Network Sniffing,[],[],,IA-5,mitigates,4 +2973,,T1078,Valid Accounts,[],[],,IA-5,mitigates,4 +2974,,T1110.001,Password Guessing,[],[],,IA-5,mitigates,4 +2975,,T1110.002,Password Cracking,[],[],,IA-5,mitigates,4 +2976,,T1111,Two-Factor Authentication Interception,[],[],,IA-5,mitigates,4 +2977,,T1528,Steal Application Access Token,[],[],,IA-5,mitigates,4 +2978,,T1530,Data from Cloud Storage Object,[],[],,IA-5,mitigates,4 +2979,,T1555.001,Keychain,[],[],,IA-5,mitigates,4 +2980,,T1555.004,Windows Credential Manager,[],[],,IA-5,mitigates,4 +2981,,T1599,Network Boundary Bridging,[],[],,IA-5,mitigates,4 +2982,,T1021.001,Remote Desktop Protocol,[],[],,IA-5,mitigates,4 +2983,,T1078.002,Domain Accounts,[],[],,IA-5,mitigates,4 
+2984,,T1078.004,Cloud Accounts,[],[],,IA-5,mitigates,4 +2985,,T1098.001,Additional Cloud Credentials,[],[],,IA-5,mitigates,4 +2986,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-5,mitigates,4 +2987,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-5,mitigates,4 +2988,,T1555.002,Securityd Memory,[],[],,IA-5,mitigates,4 +2989,,T1556.004,Network Device Authentication,[],[],,IA-5,mitigates,4 +2990,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-5,mitigates,4 +2991,,T1558.003,Kerberoasting,[],[],,IA-5,mitigates,4 +2992,,T1559,Inter-Process Communication,[],[],,IA-5,mitigates,4 +2993,,T1003,OS Credential Dumping,[],[],,IA-5,mitigates,4 +2994,,T1003.004,LSA Secrets,[],[],,IA-5,mitigates,4 +2995,,T1003.005,Cached Domain Credentials,[],[],,IA-5,mitigates,4 +2996,,T1003.006,DCSync,[],[],,IA-5,mitigates,4 +2997,,T1003.007,Proc Filesystem,[],[],,IA-5,mitigates,4 +2998,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-5,mitigates,4 +2999,,T1021,Remote Services,[],[],,IA-5,mitigates,4 +3000,,T1021.004,SSH,[],[],,IA-5,mitigates,4 +3001,,T1072,Software Deployment Tools,[],[],,IA-5,mitigates,4 +3002,,T1110,Brute Force,[],[],,IA-5,mitigates,4 +3003,,T1110.003,Password Spraying,[],[],,IA-5,mitigates,4 +3004,,T1110.004,Credential Stuffing,[],[],,IA-5,mitigates,4 +3005,,T1114,Email Collection,[],[],,IA-5,mitigates,4 +3006,,T1114.002,Remote Email Collection,[],[],,IA-5,mitigates,4 +3007,,T1136,Create Account,[],[],,IA-5,mitigates,4 +3008,,T1136.001,Local Account,[],[],,IA-5,mitigates,4 +3009,,T1136.002,Domain Account,[],[],,IA-5,mitigates,4 +3010,,T1136.003,Cloud Account,[],[],,IA-5,mitigates,4 +3011,,T1539,Steal Web Session Cookie,[],[],,IA-5,mitigates,4 +3012,,T1550.003,Pass the Ticket,[],[],,IA-5,mitigates,4 +3013,,T1552,Unsecured Credentials,[],[],,IA-5,mitigates,4 +3014,,T1552.001,Credentials In Files,[],[],,IA-5,mitigates,4 +3015,,T1552.002,Credentials in Registry,[],[],,IA-5,mitigates,4 +3016,,T1552.004,Private Keys,[],[],,IA-5,mitigates,4 
+3017,,T1552.006,Group Policy Preferences,[],[],,IA-5,mitigates,4 +3018,,T1555,Credentials from Password Stores,[],[],,IA-5,mitigates,4 +3019,,T1555.005,Password Managers,[],[],,IA-5,mitigates,4 +3020,,T1556.001,Domain Controller Authentication,[],[],,IA-5,mitigates,4 +3021,,T1556.003,Pluggable Authentication Modules,[],[],,IA-5,mitigates,4 +3022,,T1558.001,Golden Ticket,[],[],,IA-5,mitigates,4 +3023,,T1558.002,Silver Ticket,[],[],,IA-5,mitigates,4 +3024,,T1558.004,AS-REP Roasting,[],[],,IA-5,mitigates,4 +3025,,T1559.001,Component Object Model,[],[],,IA-5,mitigates,4 +3026,,T1563.001,SSH Hijacking,[],[],,IA-5,mitigates,4 +3027,,T1599.001,Network Address Translation Traversal,[],[],,IA-5,mitigates,4 +3028,,T1601,Modify System Image,[],[],,IA-5,mitigates,4 +3029,,T1601.001,Patch System Image,[],[],,IA-5,mitigates,4 +3030,,T1601.002,Downgrade System Image,[],[],,IA-5,mitigates,4 +3031,,T1530,Data from Cloud Storage Object,[],[],,IA-6,mitigates,4 +3032,,T1021.001,Remote Desktop Protocol,[],[],,IA-6,mitigates,4 +3033,,T1021.005,VNC,[],[],,IA-6,mitigates,4 +3034,,T1563,Remote Service Session Hijacking,[],[],,IA-6,mitigates,4 +3035,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-6,mitigates,4 +3036,,T1578.001,Create Snapshot,[],[],,IA-6,mitigates,4 +3037,,T1578.002,Create Cloud Instance,[],[],,IA-6,mitigates,4 +3038,,T1578.003,Delete Cloud Instance,[],[],,IA-6,mitigates,4 +3039,,T1195.003,Compromise Hardware Supply Chain,[],[],,IA-7,mitigates,4 +3040,,T1495,Firmware Corruption,[],[],,IA-7,mitigates,4 +3041,,T1542,Pre-OS Boot,[],[],,IA-7,mitigates,4 +3042,,T1542.001,System Firmware,[],[],,IA-7,mitigates,4 +3043,,T1542.003,Bootkit,[],[],,IA-7,mitigates,4 +3044,,T1542.004,ROMMONkit,[],[],,IA-7,mitigates,4 +3045,,T1542.005,TFTP Boot,[],[],,IA-7,mitigates,4 +3046,,T1553,Subvert Trust Controls,[],[],,IA-7,mitigates,4 +3047,,T1553.006,Code Signing Policy Modification,[],[],,IA-7,mitigates,4 +3048,,T1601,Modify System Image,[],[],,IA-7,mitigates,4 +3049,,T1601.001,Patch 
System Image,[],[],,IA-7,mitigates,4 +3050,,T1601.002,Downgrade System Image,[],[],,IA-7,mitigates,4 +3051,,T1059,Command and Scripting Interpreter,[],[],,IA-8,mitigates,4 +3052,,T1537,Transfer Data to Cloud Account,[],[],,IA-8,mitigates,4 +3053,,T1528,Steal Application Access Token,[],[],,IA-8,mitigates,4 +3054,,T1530,Data from Cloud Storage Object,[],[],,IA-8,mitigates,4 +3055,,T1053,Scheduled Task/Job,[],[],,IA-8,mitigates,4 +3056,,T1059.001,PowerShell,[],[],,IA-8,mitigates,4 +3057,,T1059.008,Network Device CLI,[],[],,IA-8,mitigates,4 +3058,,T1190,Exploit Public-Facing Application,[],[],,IA-8,mitigates,4 +3059,,T1210,Exploitation of Remote Services,[],[],,IA-8,mitigates,4 +3060,,T1547.006,Kernel Modules and Extensions,[],[],,IA-8,mitigates,4 +3061,,T1053.007,Container Orchestration Job,[],[],,IA-8,mitigates,4 +3062,,T1087.004,Cloud Account,[],[],,IA-8,mitigates,4 +3063,,T1213,Data from Information Repositories,[],[],,IA-8,mitigates,4 +3064,,T1213.001,Confluence,[],[],,IA-8,mitigates,4 +3065,,T1213.002,Sharepoint,[],[],,IA-8,mitigates,4 +3066,,T1538,Cloud Service Dashboard,[],[],,IA-8,mitigates,4 +3067,,T1542,Pre-OS Boot,[],[],,IA-8,mitigates,4 +3068,,T1542.001,System Firmware,[],[],,IA-8,mitigates,4 +3069,,T1542.003,Bootkit,[],[],,IA-8,mitigates,4 +3070,,T1542.005,TFTP Boot,[],[],,IA-8,mitigates,4 +3071,,T1059,Command and Scripting Interpreter,[],[],,IA-9,mitigates,4 +3072,,T1566.002,Spearphishing Link,[],[],,IA-9,mitigates,4 +3073,,T1598.003,Spearphishing Link,[],[],,IA-9,mitigates,4 +3074,,T1059.001,PowerShell,[],[],,IA-9,mitigates,4 +3075,,T1059.002,AppleScript,[],[],,IA-9,mitigates,4 +3076,,T1213.003,Code Repositories,[],[],,IA-9,mitigates,4 +3077,,T1505,Server Software Component,[],[],,IA-9,mitigates,4 +3078,,T1525,Implant Internal Image,[],[],,IA-9,mitigates,4 +3079,,T1546,Event Triggered Execution,[],[],,IA-9,mitigates,4 +3080,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,IA-9,mitigates,4 +3081,,T1562.006,Indicator Blocking,[],[],,IA-9,mitigates,4 
+3082,,T1036,Masquerading,[],[],,IA-9,mitigates,4 +3083,,T1036.001,Invalid Code Signature,[],[],,IA-9,mitigates,4 +3084,,T1036.005,Match Legitimate Name or Location,[],[],,IA-9,mitigates,4 +3085,,T1505.001,SQL Stored Procedures,[],[],,IA-9,mitigates,4 +3086,,T1505.002,Transport Agent,[],[],,IA-9,mitigates,4 +3087,,T1505.004,IIS Components,[],[],,IA-9,mitigates,4 +3088,,T1546.013,PowerShell Profile,[],[],,IA-9,mitigates,4 +3089,,T1553,Subvert Trust Controls,[],[],,IA-9,mitigates,4 +3090,,T1553.004,Install Root Certificate,[],[],,IA-9,mitigates,4 +3091,,T1554,Compromise Client Software Binary,[],[],,IA-9,mitigates,4 +3092,,T1562.009,Safe Mode Boot,[],[],,IA-9,mitigates,4 +3093,,T1566,Phishing,[],[],,IA-9,mitigates,4 +3094,,T1566.001,Spearphishing Attachment,[],[],,IA-9,mitigates,4 +3095,,T1598,Phishing for Information,[],[],,IA-9,mitigates,4 +3096,,T1598.002,Spearphishing Attachment,[],[],,IA-9,mitigates,4 +3097,,T1564.008,Email Hiding Rules,[],[],,IR-5,mitigates,4 +3098,,T1091,Replication Through Removable Media,[],[],,MP-7,mitigates,4 +3099,,T1200,Hardware Additions,[],[],,MP-7,mitigates,4 +3100,,T1025,Data from Removable Media,[],[],,MP-7,mitigates,4 +3101,,T1052,Exfiltration Over Physical Medium,[],[],,MP-7,mitigates,4 +3102,,T1052.001,Exfiltration over USB,[],[],,MP-7,mitigates,4 +3103,,T1092,Communication Through Removable Media,[],[],,MP-7,mitigates,4 +3104,,T1505.005,Terminal Services DLL,[],[],,RA-5,mitigates,4 +3105,,T1562,Impair Defenses,[],[],,RA-5,mitigates,4 +3106,,T1574,Hijack Execution Flow,[],[],,RA-5,mitigates,4 +3107,,T1068,Exploitation for Privilege Escalation,[],[],,RA-5,mitigates,4 +3108,,T1133,External Remote Services,[],[],,RA-5,mitigates,4 +3109,,T1212,Exploitation for Credential Access,[],[],,RA-5,mitigates,4 +3110,,T1482,Domain Trust Discovery,[],[],,RA-5,mitigates,4 +3111,,T1059,Command and Scripting Interpreter,[],[],,RA-5,mitigates,4 +3112,,T1211,Exploitation for Defense Evasion,[],[],,RA-5,mitigates,4 +3113,,T1574.007,Path Interception 
by PATH Environment Variable,[],[],,RA-5,mitigates,4 +3114,,T1046,Network Service Scanning,[],[],,RA-5,mitigates,4 +3115,,T1078,Valid Accounts,[],[],,RA-5,mitigates,4 +3116,,T1091,Replication Through Removable Media,[],[],,RA-5,mitigates,4 +3117,,T1218,Signed Binary Proxy Execution,[],[],,RA-5,mitigates,4 +3118,,T1528,Steal Application Access Token,[],[],,RA-5,mitigates,4 +3119,,T1530,Data from Cloud Storage Object,[],[],,RA-5,mitigates,4 +3120,,T1557,Adversary-in-the-Middle,[],[],,RA-5,mitigates,4 +3121,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,RA-5,mitigates,4 +3122,,T1560.001,Archive via Utility,[],[],,RA-5,mitigates,4 +3123,,T1011.001,Exfiltration Over Bluetooth,[],[],,RA-5,mitigates,4 +3124,,T1021.001,Remote Desktop Protocol,[],[],,RA-5,mitigates,4 +3125,,T1047,Windows Management Instrumentation,[],[],,RA-5,mitigates,4 +3126,,T1053,Scheduled Task/Job,[],[],,RA-5,mitigates,4 +3127,,T1053.002,At (Windows),[],[],,RA-5,mitigates,4 +3128,,T1053.003,Cron,[],[],,RA-5,mitigates,4 +3129,,T1053.005,Scheduled Task,[],[],,RA-5,mitigates,4 +3130,,T1059.001,PowerShell,[],[],,RA-5,mitigates,4 +3131,,T1059.005,Visual Basic,[],[],,RA-5,mitigates,4 +3132,,T1098.004,SSH Authorized Keys,[],[],,RA-5,mitigates,4 +3133,,T1176,Browser Extensions,[],[],,RA-5,mitigates,4 +3134,,T1190,Exploit Public-Facing Application,[],[],,RA-5,mitigates,4 +3135,,T1195,Supply Chain Compromise,[],[],,RA-5,mitigates,4 +3136,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-5,mitigates,4 +3137,,T1195.002,Compromise Software Supply Chain,[],[],,RA-5,mitigates,4 +3138,,T1210,Exploitation of Remote Services,[],[],,RA-5,mitigates,4 +3139,,T1213.003,Code Repositories,[],[],,RA-5,mitigates,4 +3140,,T1218.003,CMSTP,[],[],,RA-5,mitigates,4 +3141,,T1218.004,InstallUtil,[],[],,RA-5,mitigates,4 +3142,,T1218.008,Odbcconf,[],[],,RA-5,mitigates,4 +3143,,T1218.009,Regsvcs/Regasm,[],[],,RA-5,mitigates,4 +3144,,T1218.012,Verclsid,[],[],,RA-5,mitigates,4 
+3145,,T1218.013,Mavinject,[],[],,RA-5,mitigates,4 +3146,,T1218.014,MMC,[],[],,RA-5,mitigates,4 +3147,,T1221,Template Injection,[],[],,RA-5,mitigates,4 +3148,,T1505,Server Software Component,[],[],,RA-5,mitigates,4 +3149,,T1505.003,Web Shell,[],[],,RA-5,mitigates,4 +3150,,T1525,Implant Internal Image,[],[],,RA-5,mitigates,4 +3151,,T1543,Create or Modify System Process,[],[],,RA-5,mitigates,4 +3152,,T1543.003,Windows Service,[],[],,RA-5,mitigates,4 +3153,,T1546.002,Screensaver,[],[],,RA-5,mitigates,4 +3154,,T1547.006,Kernel Modules and Extensions,[],[],,RA-5,mitigates,4 +3155,,T1547.007,Re-opened Applications,[],[],,RA-5,mitigates,4 +3156,,T1547.008,LSASS Driver,[],[],,RA-5,mitigates,4 +3157,,T1548.002,Bypass User Account Control,[],[],,RA-5,mitigates,4 +3158,,T1548.003,Sudo and Sudo Caching,[],[],,RA-5,mitigates,4 +3159,,T1559,Inter-Process Communication,[],[],,RA-5,mitigates,4 +3160,,T1559.002,Dynamic Data Exchange,[],[],,RA-5,mitigates,4 +3161,,T1562.010,Downgrade Attack,[],[],,RA-5,mitigates,4 +3162,,T1021.003,Distributed Component Object Model,[],[],,RA-5,mitigates,4 +3163,,T1021.004,SSH,[],[],,RA-5,mitigates,4 +3164,,T1021.005,VNC,[],[],,RA-5,mitigates,4 +3165,,T1021.006,Windows Remote Management,[],[],,RA-5,mitigates,4 +3166,,T1052,Exfiltration Over Physical Medium,[],[],,RA-5,mitigates,4 +3167,,T1052.001,Exfiltration over USB,[],[],,RA-5,mitigates,4 +3168,,T1059.007,JavaScript,[],[],,RA-5,mitigates,4 +3169,,T1092,Communication Through Removable Media,[],[],,RA-5,mitigates,4 +3170,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,RA-5,mitigates,4 +3171,,T1127.001,MSBuild,[],[],,RA-5,mitigates,4 +3172,,T1137,Office Application Startup,[],[],,RA-5,mitigates,4 +3173,,T1137.001,Office Template Macros,[],[],,RA-5,mitigates,4 +3174,,T1204.003,Malicious Image,[],[],,RA-5,mitigates,4 +3175,,T1213,Data from Information Repositories,[],[],,RA-5,mitigates,4 +3176,,T1213.001,Confluence,[],[],,RA-5,mitigates,4 +3177,,T1213.002,Sharepoint,[],[],,RA-5,mitigates,4 
+3178,,T1218.005,Mshta,[],[],,RA-5,mitigates,4 +3179,,T1484,Domain Policy Modification,[],[],,RA-5,mitigates,4 +3180,,T1505.001,SQL Stored Procedures,[],[],,RA-5,mitigates,4 +3181,,T1505.002,Transport Agent,[],[],,RA-5,mitigates,4 +3182,,T1505.004,IIS Components,[],[],,RA-5,mitigates,4 +3183,,T1542.004,ROMMONkit,[],[],,RA-5,mitigates,4 +3184,,T1542.005,TFTP Boot,[],[],,RA-5,mitigates,4 +3185,,T1543.004,Launch Daemon,[],[],,RA-5,mitigates,4 +3186,,T1546.014,Emond,[],[],,RA-5,mitigates,4 +3187,,T1548,Abuse Elevation Control Mechanism,[],[],,RA-5,mitigates,4 +3188,,T1552,Unsecured Credentials,[],[],,RA-5,mitigates,4 +3189,,T1552.001,Credentials In Files,[],[],,RA-5,mitigates,4 +3190,,T1552.002,Credentials in Registry,[],[],,RA-5,mitigates,4 +3191,,T1552.004,Private Keys,[],[],,RA-5,mitigates,4 +3192,,T1552.006,Group Policy Preferences,[],[],,RA-5,mitigates,4 +3193,,T1557.002,ARP Cache Poisoning,[],[],,RA-5,mitigates,4 +3194,,T1558.004,AS-REP Roasting,[],[],,RA-5,mitigates,4 +3195,,T1560,Archive Collected Data,[],[],,RA-5,mitigates,4 +3196,,T1563,Remote Service Session Hijacking,[],[],,RA-5,mitigates,4 +3197,,T1563.001,SSH Hijacking,[],[],,RA-5,mitigates,4 +3198,,T1563.002,RDP Hijacking,[],[],,RA-5,mitigates,4 +3199,,T1574.001,DLL Search Order Hijacking,[],[],,RA-5,mitigates,4 +3200,,T1574.004,Dylib Hijacking,[],[],,RA-5,mitigates,4 +3201,,T1574.005,Executable Installer File Permissions Weakness,[],[],,RA-5,mitigates,4 +3202,,T1574.008,Path Interception by Search Order Hijacking,[],[],,RA-5,mitigates,4 +3203,,T1574.009,Path Interception by Unquoted Path,[],[],,RA-5,mitigates,4 +3204,,T1574.010,Services File Permissions Weakness,[],[],,RA-5,mitigates,4 +3205,,T1578,Modify Cloud Compute Infrastructure,[],[],,RA-5,mitigates,4 +3206,,T1578.001,Create Snapshot,[],[],,RA-5,mitigates,4 +3207,,T1578.002,Create Cloud Instance,[],[],,RA-5,mitigates,4 +3208,,T1578.003,Delete Cloud Instance,[],[],,RA-5,mitigates,4 +3209,,T1612,Build Image on Host,[],[],,RA-5,mitigates,4 
+3210,,T1559.003,XPC Services,[],[],,SA-10,mitigates,4 +3211,,T1647,Plist File Modification,[],[],,SA-10,mitigates,4 +3212,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-10,mitigates,4 +3213,,T1078,Valid Accounts,[],[],,SA-10,mitigates,4 +3214,,T1078.004,Cloud Accounts,[],[],,SA-10,mitigates,4 +3215,,T1213.003,Code Repositories,[],[],,SA-10,mitigates,4 +3216,,T1495,Firmware Corruption,[],[],,SA-10,mitigates,4 +3217,,T1505,Server Software Component,[],[],,SA-10,mitigates,4 +3218,,T1078.001,Default Accounts,[],[],,SA-10,mitigates,4 +3219,,T1078.003,Local Accounts,[],[],,SA-10,mitigates,4 +3220,,T1505.001,SQL Stored Procedures,[],[],,SA-10,mitigates,4 +3221,,T1505.002,Transport Agent,[],[],,SA-10,mitigates,4 +3222,,T1505.004,IIS Components,[],[],,SA-10,mitigates,4 +3223,,T1542,Pre-OS Boot,[],[],,SA-10,mitigates,4 +3224,,T1542.001,System Firmware,[],[],,SA-10,mitigates,4 +3225,,T1542.003,Bootkit,[],[],,SA-10,mitigates,4 +3226,,T1542.004,ROMMONkit,[],[],,SA-10,mitigates,4 +3227,,T1542.005,TFTP Boot,[],[],,SA-10,mitigates,4 +3228,,T1553,Subvert Trust Controls,[],[],,SA-10,mitigates,4 +3229,,T1553.006,Code Signing Policy Modification,[],[],,SA-10,mitigates,4 +3230,,T1564.009,Resource Forking,[],[],,SA-10,mitigates,4 +3231,,T1574.002,DLL Side-Loading,[],[],,SA-10,mitigates,4 +3232,,T1601,Modify System Image,[],[],,SA-10,mitigates,4 +3233,,T1601.001,Patch System Image,[],[],,SA-10,mitigates,4 +3234,,T1601.002,Downgrade System Image,[],[],,SA-10,mitigates,4 +3235,,T1559.003,XPC Services,[],[],,SA-11,mitigates,4 +3236,,T1647,Plist File Modification,[],[],,SA-11,mitigates,4 +3237,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-11,mitigates,4 +3238,,T1078,Valid Accounts,[],[],,SA-11,mitigates,4 +3239,,T1528,Steal Application Access Token,[],[],,SA-11,mitigates,4 +3240,,T1078.004,Cloud Accounts,[],[],,SA-11,mitigates,4 +3241,,T1213.003,Code Repositories,[],[],,SA-11,mitigates,4 +3242,,T1495,Firmware Corruption,[],[],,SA-11,mitigates,4 +3243,,T1505,Server Software 
Component,[],[],,SA-11,mitigates,4 +3244,,T1078.001,Default Accounts,[],[],,SA-11,mitigates,4 +3245,,T1078.003,Local Accounts,[],[],,SA-11,mitigates,4 +3246,,T1134.005,SID-History Injection,[],[],,SA-11,mitigates,4 +3247,,T1505.001,SQL Stored Procedures,[],[],,SA-11,mitigates,4 +3248,,T1505.002,Transport Agent,[],[],,SA-11,mitigates,4 +3249,,T1505.004,IIS Components,[],[],,SA-11,mitigates,4 +3250,,T1542,Pre-OS Boot,[],[],,SA-11,mitigates,4 +3251,,T1542.001,System Firmware,[],[],,SA-11,mitigates,4 +3252,,T1542.003,Bootkit,[],[],,SA-11,mitigates,4 +3253,,T1542.004,ROMMONkit,[],[],,SA-11,mitigates,4 +3254,,T1542.005,TFTP Boot,[],[],,SA-11,mitigates,4 +3255,,T1552,Unsecured Credentials,[],[],,SA-11,mitigates,4 +3256,,T1552.001,Credentials In Files,[],[],,SA-11,mitigates,4 +3257,,T1552.002,Credentials in Registry,[],[],,SA-11,mitigates,4 +3258,,T1552.004,Private Keys,[],[],,SA-11,mitigates,4 +3259,,T1552.006,Group Policy Preferences,[],[],,SA-11,mitigates,4 +3260,,T1553,Subvert Trust Controls,[],[],,SA-11,mitigates,4 +3261,,T1553.006,Code Signing Policy Modification,[],[],,SA-11,mitigates,4 +3262,,T1558.004,AS-REP Roasting,[],[],,SA-11,mitigates,4 +3263,,T1574.002,DLL Side-Loading,[],[],,SA-11,mitigates,4 +3264,,T1601,Modify System Image,[],[],,SA-11,mitigates,4 +3265,,T1601.001,Patch System Image,[],[],,SA-11,mitigates,4 +3266,,T1601.002,Downgrade System Image,[],[],,SA-11,mitigates,4 +3267,,T1612,Build Image on Host,[],[],,SA-11,mitigates,4 +3268,,T1078,Valid Accounts,[],[],,SA-12,mitigates,4 +3269,,T1059.002,AppleScript,[],[],,SA-12,mitigates,4 +3270,,T1505,Server Software Component,[],[],,SA-12,mitigates,4 +3271,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SA-12,mitigates,4 +3272,,T1204.003,Malicious Image,[],[],,SA-12,mitigates,4 +3273,,T1505.001,SQL Stored Procedures,[],[],,SA-12,mitigates,4 +3274,,T1505.002,Transport Agent,[],[],,SA-12,mitigates,4 +3275,,T1505.004,IIS Components,[],[],,SA-12,mitigates,4 +3276,,T1554,Compromise Client Software 
Binary,[],[],,SA-12,mitigates,4 +3277,,T1601,Modify System Image,[],[],,SA-12,mitigates,4 +3278,,T1601.001,Patch System Image,[],[],,SA-12,mitigates,4 +3279,,T1601.002,Downgrade System Image,[],[],,SA-12,mitigates,4 +3280,,T1482,Domain Trust Discovery,[],[],,SA-13,mitigates,4 +3281,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-14,mitigates,4 +3282,,T1495,Firmware Corruption,[],[],,SA-14,mitigates,4 +3283,,T1542,Pre-OS Boot,[],[],,SA-14,mitigates,4 +3284,,T1542.001,System Firmware,[],[],,SA-14,mitigates,4 +3285,,T1542.003,Bootkit,[],[],,SA-14,mitigates,4 +3286,,T1542.004,ROMMONkit,[],[],,SA-14,mitigates,4 +3287,,T1542.005,TFTP Boot,[],[],,SA-14,mitigates,4 +3288,,T1553,Subvert Trust Controls,[],[],,SA-14,mitigates,4 +3289,,T1553.006,Code Signing Policy Modification,[],[],,SA-14,mitigates,4 +3290,,T1601,Modify System Image,[],[],,SA-14,mitigates,4 +3291,,T1601.001,Patch System Image,[],[],,SA-14,mitigates,4 +3292,,T1601.002,Downgrade System Image,[],[],,SA-14,mitigates,4 +3293,,T1078,Valid Accounts,[],[],,SA-15,mitigates,4 +3294,,T1528,Steal Application Access Token,[],[],,SA-15,mitigates,4 +3295,,T1078.004,Cloud Accounts,[],[],,SA-15,mitigates,4 +3296,,T1213.003,Code Repositories,[],[],,SA-15,mitigates,4 +3297,,T1078.001,Default Accounts,[],[],,SA-15,mitigates,4 +3298,,T1078.003,Local Accounts,[],[],,SA-15,mitigates,4 +3299,,T1552,Unsecured Credentials,[],[],,SA-15,mitigates,4 +3300,,T1552.001,Credentials In Files,[],[],,SA-15,mitigates,4 +3301,,T1552.002,Credentials in Registry,[],[],,SA-15,mitigates,4 +3302,,T1552.004,Private Keys,[],[],,SA-15,mitigates,4 +3303,,T1552.006,Group Policy Preferences,[],[],,SA-15,mitigates,4 +3304,,T1558.004,AS-REP Roasting,[],[],,SA-15,mitigates,4 +3305,,T1574.002,DLL Side-Loading,[],[],,SA-15,mitigates,4 +3306,,T1078,Valid Accounts,[],[],,SA-16,mitigates,4 +3307,,T1078.004,Cloud Accounts,[],[],,SA-16,mitigates,4 +3308,,T1078.001,Default Accounts,[],[],,SA-16,mitigates,4 +3309,,T1078.003,Local 
Accounts,[],[],,SA-16,mitigates,4 +3310,,T1574.002,DLL Side-Loading,[],[],,SA-16,mitigates,4 +3311,,T1482,Domain Trust Discovery,[],[],,SA-17,mitigates,4 +3312,,T1078,Valid Accounts,[],[],,SA-17,mitigates,4 +3313,,T1078.004,Cloud Accounts,[],[],,SA-17,mitigates,4 +3314,,T1078.001,Default Accounts,[],[],,SA-17,mitigates,4 +3315,,T1078.003,Local Accounts,[],[],,SA-17,mitigates,4 +3316,,T1134.005,SID-History Injection,[],[],,SA-17,mitigates,4 +3317,,T1574.002,DLL Side-Loading,[],[],,SA-17,mitigates,4 +3318,,T1554,Compromise Client Software Binary,[],[],,SA-19,mitigates,4 +3319,,T1189,Drive-by Compromise,[],[],,SA-22,mitigates,4 +3320,,T1195,Supply Chain Compromise,[],[],,SA-22,mitigates,4 +3321,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SA-22,mitigates,4 +3322,,T1195.002,Compromise Software Supply Chain,[],[],,SA-22,mitigates,4 +3323,,T1543,Create or Modify System Process,[],[],,SA-22,mitigates,4 +3324,,T1543.002,Systemd Service,[],[],,SA-22,mitigates,4 +3325,,T1078,Valid Accounts,[],[],,SA-3,mitigates,4 +3326,,T1078.004,Cloud Accounts,[],[],,SA-3,mitigates,4 +3327,,T1213.003,Code Repositories,[],[],,SA-3,mitigates,4 +3328,,T1078.001,Default Accounts,[],[],,SA-3,mitigates,4 +3329,,T1078.003,Local Accounts,[],[],,SA-3,mitigates,4 +3330,,T1574.002,DLL Side-Loading,[],[],,SA-3,mitigates,4 +3331,,T1078,Valid Accounts,[],[],,SA-4,mitigates,4 +3332,,T1078.004,Cloud Accounts,[],[],,SA-4,mitigates,4 +3333,,T1078.001,Default Accounts,[],[],,SA-4,mitigates,4 +3334,,T1078.003,Local Accounts,[],[],,SA-4,mitigates,4 +3335,,T1134.005,SID-History Injection,[],[],,SA-4,mitigates,4 +3336,,T1574.002,DLL Side-Loading,[],[],,SA-4,mitigates,4 +3337,,T1559.003,XPC Services,[],[],,SA-8,mitigates,4 +3338,,T1647,Plist File Modification,[],[],,SA-8,mitigates,4 +3339,,T1482,Domain Trust Discovery,[],[],,SA-8,mitigates,4 +3340,,T1567,Exfiltration Over Web Service,[],[],,SA-8,mitigates,4 +3341,,T1005,Data from Local System,[],[],,SA-8,mitigates,4 +3342,,T1078,Valid 
Accounts,[],[],,SA-8,mitigates,4 +3343,,T1078.004,Cloud Accounts,[],[],,SA-8,mitigates,4 +3344,,T1190,Exploit Public-Facing Application,[],[],,SA-8,mitigates,4 +3345,,T1213.003,Code Repositories,[],[],,SA-8,mitigates,4 +3346,,T1025,Data from Removable Media,[],[],,SA-8,mitigates,4 +3347,,T1041,Exfiltration Over C2 Channel,[],[],,SA-8,mitigates,4 +3348,,T1048,Exfiltration Over Alternative Protocol,[],[],,SA-8,mitigates,4 +3349,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SA-8,mitigates,4 +3350,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SA-8,mitigates,4 +3351,,T1052,Exfiltration Over Physical Medium,[],[],,SA-8,mitigates,4 +3352,,T1052.001,Exfiltration over USB,[],[],,SA-8,mitigates,4 +3353,,T1078.001,Default Accounts,[],[],,SA-8,mitigates,4 +3354,,T1078.003,Local Accounts,[],[],,SA-8,mitigates,4 +3355,,T1134.005,SID-History Injection,[],[],,SA-8,mitigates,4 +3356,,T1574.002,DLL Side-Loading,[],[],,SA-8,mitigates,4 +3357,,T1567,Exfiltration Over Web Service,[],[],,SA-9,mitigates,4 +3358,,T1041,Exfiltration Over C2 Channel,[],[],,SA-9,mitigates,4 +3359,,T1048,Exfiltration Over Alternative Protocol,[],[],,SA-9,mitigates,4 +3360,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SA-9,mitigates,4 +3361,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SA-9,mitigates,4 +3362,,T1071,Application Layer Protocol,[],[],,SC-10,mitigates,4 +3363,,T1071.001,Web Protocols,[],[],,SC-10,mitigates,4 +3364,,T1071.002,File Transfer Protocols,[],[],,SC-10,mitigates,4 +3365,,T1071.003,Mail Protocols,[],[],,SC-10,mitigates,4 +3366,,T1071.004,DNS,[],[],,SC-10,mitigates,4 +3367,,T1098.004,SSH Authorized Keys,[],[],,SC-12,mitigates,4 +3368,,T1072,Software Deployment Tools,[],[],,SC-12,mitigates,4 +3369,,T1552,Unsecured Credentials,[],[],,SC-12,mitigates,4 +3370,,T1552.001,Credentials In Files,[],[],,SC-12,mitigates,4 +3371,,T1552.002,Credentials in Registry,[],[],,SC-12,mitigates,4 
+3372,,T1552.004,Private Keys,[],[],,SC-12,mitigates,4 +3373,,T1563.001,SSH Hijacking,[],[],,SC-12,mitigates,4 +3374,,T1573,Encrypted Channel,[],[],,SC-12,mitigates,4 +3375,,T1573.001,Symmetric Cryptography,[],[],,SC-12,mitigates,4 +3376,,T1573.002,Asymmetric Cryptography,[],[],,SC-12,mitigates,4 +3377,,T1005,Data from Local System,[],[],,SC-13,mitigates,4 +3378,,T1025,Data from Removable Media,[],[],,SC-13,mitigates,4 +3379,,T1041,Exfiltration Over C2 Channel,[],[],,SC-13,mitigates,4 +3380,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-13,mitigates,4 +3381,,T1505,Server Software Component,[],[],,SC-16,mitigates,4 +3382,,T1505.002,Transport Agent,[],[],,SC-16,mitigates,4 +3383,,T1573,Encrypted Channel,[],[],,SC-16,mitigates,4 +3384,,T1573.001,Symmetric Cryptography,[],[],,SC-16,mitigates,4 +3385,,T1573.002,Asymmetric Cryptography,[],[],,SC-16,mitigates,4 +3386,,T1072,Software Deployment Tools,[],[],,SC-17,mitigates,4 +3387,,T1606,Forge Web Credentials,[],[],,SC-17,mitigates,4 +3388,,T1055,Process Injection,[],[],,SC-18,mitigates,4 +3389,,T1068,Exploitation for Privilege Escalation,[],[],,SC-18,mitigates,4 +3390,,T1212,Exploitation for Credential Access,[],[],,SC-18,mitigates,4 +3391,,T1059,Command and Scripting Interpreter,[],[],,SC-18,mitigates,4 +3392,,T1203,Exploitation for Client Execution,[],[],,SC-18,mitigates,4 +3393,,T1211,Exploitation for Defense Evasion,[],[],,SC-18,mitigates,4 +3394,,T1055.001,Dynamic-link Library Injection,[],[],,SC-18,mitigates,4 +3395,,T1055.014,VDSO Hijacking,[],[],,SC-18,mitigates,4 +3396,,T1059.005,Visual Basic,[],[],,SC-18,mitigates,4 +3397,,T1189,Drive-by Compromise,[],[],,SC-18,mitigates,4 +3398,,T1190,Exploit Public-Facing Application,[],[],,SC-18,mitigates,4 +3399,,T1210,Exploitation of Remote Services,[],[],,SC-18,mitigates,4 +3400,,T1559,Inter-Process Communication,[],[],,SC-18,mitigates,4 +3401,,T1559.002,Dynamic Data Exchange,[],[],,SC-18,mitigates,4 +3402,,T1021.003,Distributed Component 
Object Model,[],[],,SC-18,mitigates,4 +3403,,T1055.002,Portable Executable Injection,[],[],,SC-18,mitigates,4 +3404,,T1055.003,Thread Execution Hijacking,[],[],,SC-18,mitigates,4 +3405,,T1055.004,Asynchronous Procedure Call,[],[],,SC-18,mitigates,4 +3406,,T1055.005,Thread Local Storage,[],[],,SC-18,mitigates,4 +3407,,T1055.008,Ptrace System Calls,[],[],,SC-18,mitigates,4 +3408,,T1055.009,Proc Memory,[],[],,SC-18,mitigates,4 +3409,,T1055.011,Extra Window Memory Injection,[],[],,SC-18,mitigates,4 +3410,,T1055.012,Process Hollowing,[],[],,SC-18,mitigates,4 +3411,,T1055.013,Process Doppelgänging,[],[],,SC-18,mitigates,4 +3412,,T1059.007,JavaScript,[],[],,SC-18,mitigates,4 +3413,,T1137,Office Application Startup,[],[],,SC-18,mitigates,4 +3414,,T1137.001,Office Template Macros,[],[],,SC-18,mitigates,4 +3415,,T1137.002,Office Test,[],[],,SC-18,mitigates,4 +3416,,T1137.003,Outlook Forms,[],[],,SC-18,mitigates,4 +3417,,T1137.004,Outlook Home Page,[],[],,SC-18,mitigates,4 +3418,,T1137.005,Outlook Rules,[],[],,SC-18,mitigates,4 +3419,,T1137.006,Add-ins,[],[],,SC-18,mitigates,4 +3420,,T1218.001,Compiled HTML File,[],[],,SC-18,mitigates,4 +3421,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-18,mitigates,4 +3422,,T1548.004,Elevated Execution with Prompt,[],[],,SC-18,mitigates,4 +3423,,T1559.001,Component Object Model,[],[],,SC-18,mitigates,4 +3424,,T1068,Exploitation for Privilege Escalation,[],[],,SC-2,mitigates,4 +3425,,T1212,Exploitation for Credential Access,[],[],,SC-2,mitigates,4 +3426,,T1203,Exploitation for Client Execution,[],[],,SC-2,mitigates,4 +3427,,T1211,Exploitation for Defense Evasion,[],[],,SC-2,mitigates,4 +3428,,T1611,Escape to Host,[],[],,SC-2,mitigates,4 +3429,,T1189,Drive-by Compromise,[],[],,SC-2,mitigates,4 +3430,,T1190,Exploit Public-Facing Application,[],[],,SC-2,mitigates,4 +3431,,T1210,Exploitation of Remote Services,[],[],,SC-2,mitigates,4 +3432,,T1566.002,Spearphishing Link,[],[],,SC-20,mitigates,4 +3433,,T1598.003,Spearphishing 
Link,[],[],,SC-20,mitigates,4 +3434,,T1568.002,Domain Generation Algorithms,[],[],,SC-20,mitigates,4 +3435,,T1071,Application Layer Protocol,[],[],,SC-20,mitigates,4 +3436,,T1071.001,Web Protocols,[],[],,SC-20,mitigates,4 +3437,,T1071.002,File Transfer Protocols,[],[],,SC-20,mitigates,4 +3438,,T1071.003,Mail Protocols,[],[],,SC-20,mitigates,4 +3439,,T1071.004,DNS,[],[],,SC-20,mitigates,4 +3440,,T1553.004,Install Root Certificate,[],[],,SC-20,mitigates,4 +3441,,T1566,Phishing,[],[],,SC-20,mitigates,4 +3442,,T1566.001,Spearphishing Attachment,[],[],,SC-20,mitigates,4 +3443,,T1568,Dynamic Resolution,[],[],,SC-20,mitigates,4 +3444,,T1598,Phishing for Information,[],[],,SC-20,mitigates,4 +3445,,T1598.002,Spearphishing Attachment,[],[],,SC-20,mitigates,4 +3446,,T1568.002,Domain Generation Algorithms,[],[],,SC-21,mitigates,4 +3447,,T1071,Application Layer Protocol,[],[],,SC-21,mitigates,4 +3448,,T1071.001,Web Protocols,[],[],,SC-21,mitigates,4 +3449,,T1071.002,File Transfer Protocols,[],[],,SC-21,mitigates,4 +3450,,T1071.003,Mail Protocols,[],[],,SC-21,mitigates,4 +3451,,T1071.004,DNS,[],[],,SC-21,mitigates,4 +3452,,T1568,Dynamic Resolution,[],[],,SC-21,mitigates,4 +3453,,T1568.002,Domain Generation Algorithms,[],[],,SC-22,mitigates,4 +3454,,T1071,Application Layer Protocol,[],[],,SC-22,mitigates,4 +3455,,T1071.001,Web Protocols,[],[],,SC-22,mitigates,4 +3456,,T1071.002,File Transfer Protocols,[],[],,SC-22,mitigates,4 +3457,,T1071.003,Mail Protocols,[],[],,SC-22,mitigates,4 +3458,,T1071.004,DNS,[],[],,SC-22,mitigates,4 +3459,,T1568,Dynamic Resolution,[],[],,SC-22,mitigates,4 +3460,,T1557.003,DHCP Spoofing,[],[],,SC-23,mitigates,4 +3461,,T1622,Debugger Evasion,[],[],,SC-23,mitigates,4 +3462,,T1557,Adversary-in-the-Middle,[],[],,SC-23,mitigates,4 +3463,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-23,mitigates,4 +3464,,T1562.006,Indicator Blocking,[],[],,SC-23,mitigates,4 +3465,,T1071,Application Layer Protocol,[],[],,SC-23,mitigates,4 +3466,,T1071.001,Web 
Protocols,[],[],,SC-23,mitigates,4 +3467,,T1071.002,File Transfer Protocols,[],[],,SC-23,mitigates,4 +3468,,T1071.003,Mail Protocols,[],[],,SC-23,mitigates,4 +3469,,T1071.004,DNS,[],[],,SC-23,mitigates,4 +3470,,T1185,Browser Session Hijacking,[],[],,SC-23,mitigates,4 +3471,,T1535,Unused/Unsupported Cloud Regions,[],[],,SC-23,mitigates,4 +3472,,T1550.004,Web Session Cookie,[],[],,SC-23,mitigates,4 +3473,,T1557.002,ARP Cache Poisoning,[],[],,SC-23,mitigates,4 +3474,,T1562.009,Safe Mode Boot,[],[],,SC-23,mitigates,4 +3475,,T1563.001,SSH Hijacking,[],[],,SC-23,mitigates,4 +3476,,T1573,Encrypted Channel,[],[],,SC-23,mitigates,4 +3477,,T1573.001,Symmetric Cryptography,[],[],,SC-23,mitigates,4 +3478,,T1573.002,Asymmetric Cryptography,[],[],,SC-23,mitigates,4 +3479,,T1068,Exploitation for Privilege Escalation,[],[],,SC-26,mitigates,4 +3480,,T1212,Exploitation for Credential Access,[],[],,SC-26,mitigates,4 +3481,,T1211,Exploitation for Defense Evasion,[],[],,SC-26,mitigates,4 +3482,,T1210,Exploitation of Remote Services,[],[],,SC-26,mitigates,4 +3483,,T1567,Exfiltration Over Web Service,[],[],,SC-28,mitigates,4 +3484,,T1003.001,LSASS Memory,[],[],,SC-28,mitigates,4 +3485,,T1003.002,Security Account Manager,[],[],,SC-28,mitigates,4 +3486,,T1003.003,NTDS,[],[],,SC-28,mitigates,4 +3487,,T1005,Data from Local System,[],[],,SC-28,mitigates,4 +3488,,T1078,Valid Accounts,[],[],,SC-28,mitigates,4 +3489,,T1530,Data from Cloud Storage Object,[],[],,SC-28,mitigates,4 +3490,,T1599,Network Boundary Bridging,[],[],,SC-28,mitigates,4 +3491,,T1078.004,Cloud Accounts,[],[],,SC-28,mitigates,4 +3492,,T1550.001,Application Access Token,[],[],,SC-28,mitigates,4 +3493,,T1552.003,Bash History,[],[],,SC-28,mitigates,4 +3494,,T1565,Data Manipulation,[],[],,SC-28,mitigates,4 +3495,,T1565.001,Stored Data Manipulation,[],[],,SC-28,mitigates,4 +3496,,T1565.003,Runtime Data Manipulation,[],[],,SC-28,mitigates,4 +3497,,T1602.002,Network Device Configuration Dump,[],[],,SC-28,mitigates,4 +3498,,T1003,OS 
Credential Dumping,[],[],,SC-28,mitigates,4 +3499,,T1003.004,LSA Secrets,[],[],,SC-28,mitigates,4 +3500,,T1003.005,Cached Domain Credentials,[],[],,SC-28,mitigates,4 +3501,,T1003.006,DCSync,[],[],,SC-28,mitigates,4 +3502,,T1003.007,Proc Filesystem,[],[],,SC-28,mitigates,4 +3503,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-28,mitigates,4 +3504,,T1025,Data from Removable Media,[],[],,SC-28,mitigates,4 +3505,,T1041,Exfiltration Over C2 Channel,[],[],,SC-28,mitigates,4 +3506,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-28,mitigates,4 +3507,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-28,mitigates,4 +3508,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-28,mitigates,4 +3509,,T1052,Exfiltration Over Physical Medium,[],[],,SC-28,mitigates,4 +3510,,T1052.001,Exfiltration over USB,[],[],,SC-28,mitigates,4 +3511,,T1078.001,Default Accounts,[],[],,SC-28,mitigates,4 +3512,,T1078.003,Local Accounts,[],[],,SC-28,mitigates,4 +3513,,T1213,Data from Information Repositories,[],[],,SC-28,mitigates,4 +3514,,T1213.001,Confluence,[],[],,SC-28,mitigates,4 +3515,,T1213.002,Sharepoint,[],[],,SC-28,mitigates,4 +3516,,T1552,Unsecured Credentials,[],[],,SC-28,mitigates,4 +3517,,T1552.001,Credentials In Files,[],[],,SC-28,mitigates,4 +3518,,T1552.002,Credentials in Registry,[],[],,SC-28,mitigates,4 +3519,,T1552.004,Private Keys,[],[],,SC-28,mitigates,4 +3520,,T1599.001,Network Address Translation Traversal,[],[],,SC-28,mitigates,4 +3521,,T1602,Data from Configuration Repository,[],[],,SC-28,mitigates,4 +3522,,T1602.001,SNMP (MIB Dump),[],[],,SC-28,mitigates,4 +3523,,T1068,Exploitation for Privilege Escalation,[],[],,SC-29,mitigates,4 +3524,,T1212,Exploitation for Credential Access,[],[],,SC-29,mitigates,4 +3525,,T1203,Exploitation for Client Execution,[],[],,SC-29,mitigates,4 +3526,,T1211,Exploitation for Defense Evasion,[],[],,SC-29,mitigates,4 +3527,,T1189,Drive-by Compromise,[],[],,SC-29,mitigates,4 
+3528,,T1190,Exploit Public-Facing Application,[],[],,SC-29,mitigates,4 +3529,,T1210,Exploitation of Remote Services,[],[],,SC-29,mitigates,4 +3530,,T1068,Exploitation for Privilege Escalation,[],[],,SC-3,mitigates,4 +3531,,T1212,Exploitation for Credential Access,[],[],,SC-3,mitigates,4 +3532,,T1203,Exploitation for Client Execution,[],[],,SC-3,mitigates,4 +3533,,T1211,Exploitation for Defense Evasion,[],[],,SC-3,mitigates,4 +3534,,T1003.001,LSASS Memory,[],[],,SC-3,mitigates,4 +3535,,T1611,Escape to Host,[],[],,SC-3,mitigates,4 +3536,,T1047,Windows Management Instrumentation,[],[],,SC-3,mitigates,4 +3537,,T1189,Drive-by Compromise,[],[],,SC-3,mitigates,4 +3538,,T1190,Exploit Public-Facing Application,[],[],,SC-3,mitigates,4 +3539,,T1210,Exploitation of Remote Services,[],[],,SC-3,mitigates,4 +3540,,T1559,Inter-Process Communication,[],[],,SC-3,mitigates,4 +3541,,T1559.002,Dynamic Data Exchange,[],[],,SC-3,mitigates,4 +3542,,T1602.002,Network Device Configuration Dump,[],[],,SC-3,mitigates,4 +3543,,T1003,OS Credential Dumping,[],[],,SC-3,mitigates,4 +3544,,T1021.003,Distributed Component Object Model,[],[],,SC-3,mitigates,4 +3545,,T1134.005,SID-History Injection,[],[],,SC-3,mitigates,4 +3546,,T1559.001,Component Object Model,[],[],,SC-3,mitigates,4 +3547,,T1602,Data from Configuration Repository,[],[],,SC-3,mitigates,4 +3548,,T1602.001,SNMP (MIB Dump),[],[],,SC-3,mitigates,4 +3549,,T1068,Exploitation for Privilege Escalation,[],[],,SC-30,mitigates,4 +3550,,T1212,Exploitation for Credential Access,[],[],,SC-30,mitigates,4 +3551,,T1203,Exploitation for Client Execution,[],[],,SC-30,mitigates,4 +3552,,T1211,Exploitation for Defense Evasion,[],[],,SC-30,mitigates,4 +3553,,T1189,Drive-by Compromise,[],[],,SC-30,mitigates,4 +3554,,T1190,Exploit Public-Facing Application,[],[],,SC-30,mitigates,4 +3555,,T1210,Exploitation of Remote Services,[],[],,SC-30,mitigates,4 +3556,,T1567,Exfiltration Over Web Service,[],[],,SC-31,mitigates,4 +3557,,T1041,Exfiltration Over C2 
Channel,[],[],,SC-31,mitigates,4 +3558,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-31,mitigates,4 +3559,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-31,mitigates,4 +3560,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-31,mitigates,4 +3561,,T1071,Application Layer Protocol,[],[],,SC-31,mitigates,4 +3562,,T1071.001,Web Protocols,[],[],,SC-31,mitigates,4 +3563,,T1071.002,File Transfer Protocols,[],[],,SC-31,mitigates,4 +3564,,T1071.003,Mail Protocols,[],[],,SC-31,mitigates,4 +3565,,T1071.004,DNS,[],[],,SC-31,mitigates,4 +3566,,T1195.003,Compromise Hardware Supply Chain,[],[],,SC-34,mitigates,4 +3567,,T1611,Escape to Host,[],[],,SC-34,mitigates,4 +3568,,T1047,Windows Management Instrumentation,[],[],,SC-34,mitigates,4 +3569,,T1542,Pre-OS Boot,[],[],,SC-34,mitigates,4 +3570,,T1542.001,System Firmware,[],[],,SC-34,mitigates,4 +3571,,T1542.003,Bootkit,[],[],,SC-34,mitigates,4 +3572,,T1542.004,ROMMONkit,[],[],,SC-34,mitigates,4 +3573,,T1542.005,TFTP Boot,[],[],,SC-34,mitigates,4 +3574,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-34,mitigates,4 +3575,,T1548.004,Elevated Execution with Prompt,[],[],,SC-34,mitigates,4 +3576,,T1553,Subvert Trust Controls,[],[],,SC-34,mitigates,4 +3577,,T1553.006,Code Signing Policy Modification,[],[],,SC-34,mitigates,4 +3578,,T1601,Modify System Image,[],[],,SC-34,mitigates,4 +3579,,T1601.001,Patch System Image,[],[],,SC-34,mitigates,4 +3580,,T1601.002,Downgrade System Image,[],[],,SC-34,mitigates,4 +3581,,T1068,Exploitation for Privilege Escalation,[],[],,SC-35,mitigates,4 +3582,,T1212,Exploitation for Credential Access,[],[],,SC-35,mitigates,4 +3583,,T1211,Exploitation for Defense Evasion,[],[],,SC-35,mitigates,4 +3584,,T1210,Exploitation of Remote Services,[],[],,SC-35,mitigates,4 +3585,,T1070.008,Clear Mailbox Data,[],[],,SC-36,mitigates,4 +3586,,T1070.001,Clear Windows Event Logs,[],[],,SC-36,mitigates,4 +3587,,T1119,Automated 
Collection,[],[],,SC-36,mitigates,4 +3588,,T1070,Indicator Removal on Host,[],[],,SC-36,mitigates,4 +3589,,T1565,Data Manipulation,[],[],,SC-36,mitigates,4 +3590,,T1565.001,Stored Data Manipulation,[],[],,SC-36,mitigates,4 +3591,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-36,mitigates,4 +3592,,T1071,Application Layer Protocol,[],[],,SC-37,mitigates,4 +3593,,T1071.001,Web Protocols,[],[],,SC-37,mitigates,4 +3594,,T1071.002,File Transfer Protocols,[],[],,SC-37,mitigates,4 +3595,,T1071.003,Mail Protocols,[],[],,SC-37,mitigates,4 +3596,,T1071.004,DNS,[],[],,SC-37,mitigates,4 +3597,,T1005,Data from Local System,[],[],,SC-38,mitigates,4 +3598,,T1025,Data from Removable Media,[],[],,SC-38,mitigates,4 +3599,,T1556,Modify Authentication Process,[],[],,SC-39,mitigates,4 +3600,,T1068,Exploitation for Privilege Escalation,[],[],,SC-39,mitigates,4 +3601,,T1212,Exploitation for Credential Access,[],[],,SC-39,mitigates,4 +3602,,T1203,Exploitation for Client Execution,[],[],,SC-39,mitigates,4 +3603,,T1211,Exploitation for Defense Evasion,[],[],,SC-39,mitigates,4 +3604,,T1003.001,LSASS Memory,[],[],,SC-39,mitigates,4 +3605,,T1003.002,Security Account Manager,[],[],,SC-39,mitigates,4 +3606,,T1003.003,NTDS,[],[],,SC-39,mitigates,4 +3607,,T1611,Escape to Host,[],[],,SC-39,mitigates,4 +3608,,T1189,Drive-by Compromise,[],[],,SC-39,mitigates,4 +3609,,T1190,Exploit Public-Facing Application,[],[],,SC-39,mitigates,4 +3610,,T1210,Exploitation of Remote Services,[],[],,SC-39,mitigates,4 +3611,,T1547.002,Authentication Package,[],[],,SC-39,mitigates,4 +3612,,T1547.008,LSASS Driver,[],[],,SC-39,mitigates,4 +3613,,T1003,OS Credential Dumping,[],[],,SC-39,mitigates,4 +3614,,T1003.004,LSA Secrets,[],[],,SC-39,mitigates,4 +3615,,T1003.005,Cached Domain Credentials,[],[],,SC-39,mitigates,4 +3616,,T1003.006,DCSync,[],[],,SC-39,mitigates,4 +3617,,T1003.007,Proc Filesystem,[],[],,SC-39,mitigates,4 +3618,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-39,mitigates,4 +3619,,T1547.005,Security 
Support Provider,[],[],,SC-39,mitigates,4 +3620,,T1556.001,Domain Controller Authentication,[],[],,SC-39,mitigates,4 +3621,,T1595.003,Wordlist Scanning,[],[],,SC-4,mitigates,4 +3622,,T1070.008,Clear Mailbox Data,[],[],,SC-4,mitigates,4 +3623,,T1070.001,Clear Windows Event Logs,[],[],,SC-4,mitigates,4 +3624,,T1040,Network Sniffing,[],[],,SC-4,mitigates,4 +3625,,T1119,Automated Collection,[],[],,SC-4,mitigates,4 +3626,,T1530,Data from Cloud Storage Object,[],[],,SC-4,mitigates,4 +3627,,T1557,Adversary-in-the-Middle,[],[],,SC-4,mitigates,4 +3628,,T1020.001,Traffic Duplication,[],[],,SC-4,mitigates,4 +3629,,T1070,Indicator Removal on Host,[],[],,SC-4,mitigates,4 +3630,,T1558,Steal or Forge Kerberos Tickets,[],[],,SC-4,mitigates,4 +3631,,T1558.003,Kerberoasting,[],[],,SC-4,mitigates,4 +3632,,T1565,Data Manipulation,[],[],,SC-4,mitigates,4 +3633,,T1565.001,Stored Data Manipulation,[],[],,SC-4,mitigates,4 +3634,,T1565.002,Transmitted Data Manipulation,[],[],,SC-4,mitigates,4 +3635,,T1565.003,Runtime Data Manipulation,[],[],,SC-4,mitigates,4 +3636,,T1602.002,Network Device Configuration Dump,[],[],,SC-4,mitigates,4 +3637,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-4,mitigates,4 +3638,,T1080,Taint Shared Content,[],[],,SC-4,mitigates,4 +3639,,T1552,Unsecured Credentials,[],[],,SC-4,mitigates,4 +3640,,T1552.001,Credentials In Files,[],[],,SC-4,mitigates,4 +3641,,T1552.002,Credentials in Registry,[],[],,SC-4,mitigates,4 +3642,,T1552.004,Private Keys,[],[],,SC-4,mitigates,4 +3643,,T1557.002,ARP Cache Poisoning,[],[],,SC-4,mitigates,4 +3644,,T1558.002,Silver Ticket,[],[],,SC-4,mitigates,4 +3645,,T1558.004,AS-REP Roasting,[],[],,SC-4,mitigates,4 +3646,,T1564.009,Resource Forking,[],[],,SC-4,mitigates,4 +3647,,T1602,Data from Configuration Repository,[],[],,SC-4,mitigates,4 +3648,,T1602.001,SNMP (MIB Dump),[],[],,SC-4,mitigates,4 +3649,,T1091,Replication Through Removable Media,[],[],,SC-41,mitigates,4 +3650,,T1200,Hardware Additions,[],[],,SC-41,mitigates,4 
+3651,,T1025,Data from Removable Media,[],[],,SC-41,mitigates,4 +3652,,T1052,Exfiltration Over Physical Medium,[],[],,SC-41,mitigates,4 +3653,,T1052.001,Exfiltration over USB,[],[],,SC-41,mitigates,4 +3654,,T1566.002,Spearphishing Link,[],[],,SC-44,mitigates,4 +3655,,T1598.003,Spearphishing Link,[],[],,SC-44,mitigates,4 +3656,,T1204,User Execution,[],[],,SC-44,mitigates,4 +3657,,T1204.002,Malicious File,[],[],,SC-44,mitigates,4 +3658,,T1221,Template Injection,[],[],,SC-44,mitigates,4 +3659,,T1204.001,Malicious Link,[],[],,SC-44,mitigates,4 +3660,,T1204.003,Malicious Image,[],[],,SC-44,mitigates,4 +3661,,T1564.009,Resource Forking,[],[],,SC-44,mitigates,4 +3662,,T1566,Phishing,[],[],,SC-44,mitigates,4 +3663,,T1566.001,Spearphishing Attachment,[],[],,SC-44,mitigates,4 +3664,,T1566.003,Spearphishing via Service,[],[],,SC-44,mitigates,4 +3665,,T1598,Phishing for Information,[],[],,SC-44,mitigates,4 +3666,,T1598.001,Spearphishing Service,[],[],,SC-44,mitigates,4 +3667,,T1598.002,Spearphishing Attachment,[],[],,SC-44,mitigates,4 +3668,,T1557.003,DHCP Spoofing,[],[],,SC-46,mitigates,4 +3669,,T1622,Debugger Evasion,[],[],,SC-46,mitigates,4 +3670,,T1564.009,Resource Forking,[],[],,SC-6,mitigates,4 +3671,,T1557.003,DHCP Spoofing,[],[],,SC-7,mitigates,4 +3672,,T1583.007,Serverless,[],[],,SC-7,mitigates,4 +3673,,T1584.007,Serverless,[],[],,SC-7,mitigates,4 +3674,,T1622,Debugger Evasion,[],[],,SC-7,mitigates,4 +3675,,T1648,Serverless Execution,[],[],,SC-7,mitigates,4 +3676,,T1552.007,Container API,[],[],,SC-7,mitigates,4 +3677,,T1609,Container Administration Command,[],[],,SC-7,mitigates,4 +3678,,T1610,Deploy Container,[],[],,SC-7,mitigates,4 +3679,,T1055,Process Injection,[],[],,SC-7,mitigates,4 +3680,,T1068,Exploitation for Privilege Escalation,[],[],,SC-7,mitigates,4 +3681,,T1133,External Remote Services,[],[],,SC-7,mitigates,4 +3682,,T1212,Exploitation for Credential Access,[],[],,SC-7,mitigates,4 +3683,,T1482,Domain Trust Discovery,[],[],,SC-7,mitigates,4 
+3684,,T1203,Exploitation for Client Execution,[],[],,SC-7,mitigates,4 +3685,,T1211,Exploitation for Defense Evasion,[],[],,SC-7,mitigates,4 +3686,,T1537,Transfer Data to Cloud Account,[],[],,SC-7,mitigates,4 +3687,,T1567,Exfiltration Over Web Service,[],[],,SC-7,mitigates,4 +3688,,T1567.002,Exfiltration to Cloud Storage,[],[],,SC-7,mitigates,4 +3689,,T1046,Network Service Scanning,[],[],,SC-7,mitigates,4 +3690,,T1055.001,Dynamic-link Library Injection,[],[],,SC-7,mitigates,4 +3691,,T1055.014,VDSO Hijacking,[],[],,SC-7,mitigates,4 +3692,,T1199,Trusted Relationship,[],[],,SC-7,mitigates,4 +3693,,T1530,Data from Cloud Storage Object,[],[],,SC-7,mitigates,4 +3694,,T1557,Adversary-in-the-Middle,[],[],,SC-7,mitigates,4 +3695,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-7,mitigates,4 +3696,,T1560.001,Archive via Utility,[],[],,SC-7,mitigates,4 +3697,,T1566.002,Spearphishing Link,[],[],,SC-7,mitigates,4 +3698,,T1598.003,Spearphishing Link,[],[],,SC-7,mitigates,4 +3699,,T1599,Network Boundary Bridging,[],[],,SC-7,mitigates,4 +3700,,T1611,Escape to Host,[],[],,SC-7,mitigates,4 +3701,,T1020.001,Traffic Duplication,[],[],,SC-7,mitigates,4 +3702,,T1021.001,Remote Desktop Protocol,[],[],,SC-7,mitigates,4 +3703,,T1095,Non-Application Layer Protocol,[],[],,SC-7,mitigates,4 +3704,,T1098,Account Manipulation,[],[],,SC-7,mitigates,4 +3705,,T1098.001,Additional Cloud Credentials,[],[],,SC-7,mitigates,4 +3706,,T1105,Ingress Tool Transfer,[],[],,SC-7,mitigates,4 +3707,,T1176,Browser Extensions,[],[],,SC-7,mitigates,4 +3708,,T1189,Drive-by Compromise,[],[],,SC-7,mitigates,4 +3709,,T1190,Exploit Public-Facing Application,[],[],,SC-7,mitigates,4 +3710,,T1197,BITS Jobs,[],[],,SC-7,mitigates,4 +3711,,T1204,User Execution,[],[],,SC-7,mitigates,4 +3712,,T1204.002,Malicious File,[],[],,SC-7,mitigates,4 +3713,,T1205,Traffic Signaling,[],[],,SC-7,mitigates,4 +3714,,T1205.001,Port Knocking,[],[],,SC-7,mitigates,4 +3715,,T1210,Exploitation of Remote Services,[],[],,SC-7,mitigates,4 
+3716,,T1218.012,Verclsid,[],[],,SC-7,mitigates,4 +3717,,T1219,Remote Access Software,[],[],,SC-7,mitigates,4 +3718,,T1221,Template Injection,[],[],,SC-7,mitigates,4 +3719,,T1498.001,Direct Network Flood,[],[],,SC-7,mitigates,4 +3720,,T1498.002,Reflection Amplification,[],[],,SC-7,mitigates,4 +3721,,T1499,Endpoint Denial of Service,[],[],,SC-7,mitigates,4 +3722,,T1499.001,OS Exhaustion Flood,[],[],,SC-7,mitigates,4 +3723,,T1499.002,Service Exhaustion Flood,[],[],,SC-7,mitigates,4 +3724,,T1499.003,Application Exhaustion Flood,[],[],,SC-7,mitigates,4 +3725,,T1499.004,Application or System Exploitation,[],[],,SC-7,mitigates,4 +3726,,T1552.005,Cloud Instance Metadata API,[],[],,SC-7,mitigates,4 +3727,,T1559,Inter-Process Communication,[],[],,SC-7,mitigates,4 +3728,,T1559.002,Dynamic Data Exchange,[],[],,SC-7,mitigates,4 +3729,,T1565,Data Manipulation,[],[],,SC-7,mitigates,4 +3730,,T1565.001,Stored Data Manipulation,[],[],,SC-7,mitigates,4 +3731,,T1565.003,Runtime Data Manipulation,[],[],,SC-7,mitigates,4 +3732,,T1568.002,Domain Generation Algorithms,[],[],,SC-7,mitigates,4 +3733,,T1570,Lateral Tool Transfer,[],[],,SC-7,mitigates,4 +3734,,T1602.002,Network Device Configuration Dump,[],[],,SC-7,mitigates,4 +3735,,T1001,Data Obfuscation,[],[],,SC-7,mitigates,4 +3736,,T1001.001,Junk Data,[],[],,SC-7,mitigates,4 +3737,,T1001.002,Steganography,[],[],,SC-7,mitigates,4 +3738,,T1001.003,Protocol Impersonation,[],[],,SC-7,mitigates,4 +3739,,T1008,Fallback Channels,[],[],,SC-7,mitigates,4 +3740,,T1021.002,SMB/Windows Admin Shares,[],[],,SC-7,mitigates,4 +3741,,T1021.003,Distributed Component Object Model,[],[],,SC-7,mitigates,4 +3742,,T1021.005,VNC,[],[],,SC-7,mitigates,4 +3743,,T1021.006,Windows Remote Management,[],[],,SC-7,mitigates,4 +3744,,T1029,Scheduled Transfer,[],[],,SC-7,mitigates,4 +3745,,T1030,Data Transfer Size Limits,[],[],,SC-7,mitigates,4 +3746,,T1041,Exfiltration Over C2 Channel,[],[],,SC-7,mitigates,4 +3747,,T1048,Exfiltration Over Alternative 
Protocol,[],[],,SC-7,mitigates,4 +3748,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,4 +3749,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,4 +3750,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-7,mitigates,4 +3751,,T1055.002,Portable Executable Injection,[],[],,SC-7,mitigates,4 +3752,,T1055.003,Thread Execution Hijacking,[],[],,SC-7,mitigates,4 +3753,,T1055.004,Asynchronous Procedure Call,[],[],,SC-7,mitigates,4 +3754,,T1055.005,Thread Local Storage,[],[],,SC-7,mitigates,4 +3755,,T1055.008,Ptrace System Calls,[],[],,SC-7,mitigates,4 +3756,,T1055.009,Proc Memory,[],[],,SC-7,mitigates,4 +3757,,T1055.011,Extra Window Memory Injection,[],[],,SC-7,mitigates,4 +3758,,T1055.012,Process Hollowing,[],[],,SC-7,mitigates,4 +3759,,T1055.013,Process Doppelgänging,[],[],,SC-7,mitigates,4 +3760,,T1071,Application Layer Protocol,[],[],,SC-7,mitigates,4 +3761,,T1071.001,Web Protocols,[],[],,SC-7,mitigates,4 +3762,,T1071.002,File Transfer Protocols,[],[],,SC-7,mitigates,4 +3763,,T1071.003,Mail Protocols,[],[],,SC-7,mitigates,4 +3764,,T1071.004,DNS,[],[],,SC-7,mitigates,4 +3765,,T1072,Software Deployment Tools,[],[],,SC-7,mitigates,4 +3766,,T1080,Taint Shared Content,[],[],,SC-7,mitigates,4 +3767,,T1090,Proxy,[],[],,SC-7,mitigates,4 +3768,,T1090.001,Internal Proxy,[],[],,SC-7,mitigates,4 +3769,,T1090.002,External Proxy,[],[],,SC-7,mitigates,4 +3770,,T1090.003,Multi-hop Proxy,[],[],,SC-7,mitigates,4 +3771,,T1102,Web Service,[],[],,SC-7,mitigates,4 +3772,,T1102.001,Dead Drop Resolver,[],[],,SC-7,mitigates,4 +3773,,T1102.002,Bidirectional Communication,[],[],,SC-7,mitigates,4 +3774,,T1102.003,One-Way Communication,[],[],,SC-7,mitigates,4 +3775,,T1104,Multi-Stage Channels,[],[],,SC-7,mitigates,4 +3776,,T1114,Email Collection,[],[],,SC-7,mitigates,4 +3777,,T1114.003,Email Forwarding Rule,[],[],,SC-7,mitigates,4 +3778,,T1132,Data Encoding,[],[],,SC-7,mitigates,4 
+3779,,T1132.001,Standard Encoding,[],[],,SC-7,mitigates,4 +3780,,T1132.002,Non-Standard Encoding,[],[],,SC-7,mitigates,4 +3781,,T1136,Create Account,[],[],,SC-7,mitigates,4 +3782,,T1136.002,Domain Account,[],[],,SC-7,mitigates,4 +3783,,T1136.003,Cloud Account,[],[],,SC-7,mitigates,4 +3784,,T1187,Forced Authentication,[],[],,SC-7,mitigates,4 +3785,,T1204.001,Malicious Link,[],[],,SC-7,mitigates,4 +3786,,T1204.003,Malicious Image,[],[],,SC-7,mitigates,4 +3787,,T1489,Service Stop,[],[],,SC-7,mitigates,4 +3788,,T1498,Network Denial of Service,[],[],,SC-7,mitigates,4 +3789,,T1505.004,IIS Components,[],[],,SC-7,mitigates,4 +3790,,T1542,Pre-OS Boot,[],[],,SC-7,mitigates,4 +3791,,T1542.004,ROMMONkit,[],[],,SC-7,mitigates,4 +3792,,T1542.005,TFTP Boot,[],[],,SC-7,mitigates,4 +3793,,T1552,Unsecured Credentials,[],[],,SC-7,mitigates,4 +3794,,T1552.001,Credentials In Files,[],[],,SC-7,mitigates,4 +3795,,T1552.004,Private Keys,[],[],,SC-7,mitigates,4 +3796,,T1557.002,ARP Cache Poisoning,[],[],,SC-7,mitigates,4 +3797,,T1559.001,Component Object Model,[],[],,SC-7,mitigates,4 +3798,,T1560,Archive Collected Data,[],[],,SC-7,mitigates,4 +3799,,T1563,Remote Service Session Hijacking,[],[],,SC-7,mitigates,4 +3800,,T1563.002,RDP Hijacking,[],[],,SC-7,mitigates,4 +3801,,T1566,Phishing,[],[],,SC-7,mitigates,4 +3802,,T1566.001,Spearphishing Attachment,[],[],,SC-7,mitigates,4 +3803,,T1566.003,Spearphishing via Service,[],[],,SC-7,mitigates,4 +3804,,T1567.001,Exfiltration to Code Repository,[],[],,SC-7,mitigates,4 +3805,,T1568,Dynamic Resolution,[],[],,SC-7,mitigates,4 +3806,,T1571,Non-Standard Port,[],[],,SC-7,mitigates,4 +3807,,T1572,Protocol Tunneling,[],[],,SC-7,mitigates,4 +3808,,T1573,Encrypted Channel,[],[],,SC-7,mitigates,4 +3809,,T1573.001,Symmetric Cryptography,[],[],,SC-7,mitigates,4 +3810,,T1573.002,Asymmetric Cryptography,[],[],,SC-7,mitigates,4 +3811,,T1598,Phishing for Information,[],[],,SC-7,mitigates,4 +3812,,T1598.001,Spearphishing Service,[],[],,SC-7,mitigates,4 
+3813,,T1598.002,Spearphishing Attachment,[],[],,SC-7,mitigates,4 +3814,,T1599.001,Network Address Translation Traversal,[],[],,SC-7,mitigates,4 +3815,,T1602,Data from Configuration Repository,[],[],,SC-7,mitigates,4 +3816,,T1602.001,SNMP (MIB Dump),[],[],,SC-7,mitigates,4 +3817,,T1612,Build Image on Host,[],[],,SC-7,mitigates,4 +3818,,T1613,Container and Resource Discovery,[],[],,SC-7,mitigates,4 +3819,,T1557.003,DHCP Spoofing,[],[],,SC-8,mitigates,4 +3820,,T1622,Debugger Evasion,[],[],,SC-8,mitigates,4 +3821,,T1552.007,Container API,[],[],,SC-8,mitigates,4 +3822,,T1040,Network Sniffing,[],[],,SC-8,mitigates,4 +3823,,T1557,Adversary-in-the-Middle,[],[],,SC-8,mitigates,4 +3824,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-8,mitigates,4 +3825,,T1020.001,Traffic Duplication,[],[],,SC-8,mitigates,4 +3826,,T1550.001,Application Access Token,[],[],,SC-8,mitigates,4 +3827,,T1562.006,Indicator Blocking,[],[],,SC-8,mitigates,4 +3828,,T1602.002,Network Device Configuration Dump,[],[],,SC-8,mitigates,4 +3829,,T1090,Proxy,[],[],,SC-8,mitigates,4 +3830,,T1090.004,Domain Fronting,[],[],,SC-8,mitigates,4 +3831,,T1550.004,Web Session Cookie,[],[],,SC-8,mitigates,4 +3832,,T1557.002,ARP Cache Poisoning,[],[],,SC-8,mitigates,4 +3833,,T1562.009,Safe Mode Boot,[],[],,SC-8,mitigates,4 +3834,,T1602,Data from Configuration Repository,[],[],,SC-8,mitigates,4 +3835,,T1602.001,SNMP (MIB Dump),[],[],,SC-8,mitigates,4 +3836,,T1557.003,DHCP Spoofing,[],[],,SI-10,mitigates,4 +3837,,T1622,Debugger Evasion,[],[],,SI-10,mitigates,4 +3838,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-10,mitigates,4 +3839,,T1574,Hijack Execution Flow,[],[],,SI-10,mitigates,4 +3840,,T1609,Container Administration Command,[],[],,SI-10,mitigates,4 +3841,,T1059,Command and Scripting Interpreter,[],[],,SI-10,mitigates,4 +3842,,T1537,Transfer Data to Cloud Account,[],[],,SI-10,mitigates,4 +3843,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-10,mitigates,4 +3844,,T1218,Signed Binary Proxy 
Execution,[],[],,SI-10,mitigates,4 +3845,,T1218.011,Rundll32,[],[],,SI-10,mitigates,4 +3846,,T1530,Data from Cloud Storage Object,[],[],,SI-10,mitigates,4 +3847,,T1557,Adversary-in-the-Middle,[],[],,SI-10,mitigates,4 +3848,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-10,mitigates,4 +3849,,T1599,Network Boundary Bridging,[],[],,SI-10,mitigates,4 +3850,,T1059.001,PowerShell,[],[],,SI-10,mitigates,4 +3851,,T1059.002,AppleScript,[],[],,SI-10,mitigates,4 +3852,,T1059.005,Visual Basic,[],[],,SI-10,mitigates,4 +3853,,T1059.008,Network Device CLI,[],[],,SI-10,mitigates,4 +3854,,T1095,Non-Application Layer Protocol,[],[],,SI-10,mitigates,4 +3855,,T1129,Shared Modules,[],[],,SI-10,mitigates,4 +3856,,T1176,Browser Extensions,[],[],,SI-10,mitigates,4 +3857,,T1190,Exploit Public-Facing Application,[],[],,SI-10,mitigates,4 +3858,,T1197,BITS Jobs,[],[],,SI-10,mitigates,4 +3859,,T1204,User Execution,[],[],,SI-10,mitigates,4 +3860,,T1204.002,Malicious File,[],[],,SI-10,mitigates,4 +3861,,T1216,Signed Script Proxy Execution,[],[],,SI-10,mitigates,4 +3862,,T1216.001,PubPrn,[],[],,SI-10,mitigates,4 +3863,,T1218.003,CMSTP,[],[],,SI-10,mitigates,4 +3864,,T1218.004,InstallUtil,[],[],,SI-10,mitigates,4 +3865,,T1218.008,Odbcconf,[],[],,SI-10,mitigates,4 +3866,,T1218.009,Regsvcs/Regasm,[],[],,SI-10,mitigates,4 +3867,,T1218.010,Regsvr32,[],[],,SI-10,mitigates,4 +3868,,T1218.012,Verclsid,[],[],,SI-10,mitigates,4 +3869,,T1218.013,Mavinject,[],[],,SI-10,mitigates,4 +3870,,T1218.014,MMC,[],[],,SI-10,mitigates,4 +3871,,T1219,Remote Access Software,[],[],,SI-10,mitigates,4 +3872,,T1221,Template Injection,[],[],,SI-10,mitigates,4 +3873,,T1498.001,Direct Network Flood,[],[],,SI-10,mitigates,4 +3874,,T1498.002,Reflection Amplification,[],[],,SI-10,mitigates,4 +3875,,T1499,Endpoint Denial of Service,[],[],,SI-10,mitigates,4 +3876,,T1499.001,OS Exhaustion Flood,[],[],,SI-10,mitigates,4 +3877,,T1499.002,Service Exhaustion Flood,[],[],,SI-10,mitigates,4 +3878,,T1499.003,Application 
Exhaustion Flood,[],[],,SI-10,mitigates,4 +3879,,T1499.004,Application or System Exploitation,[],[],,SI-10,mitigates,4 +3880,,T1546.002,Screensaver,[],[],,SI-10,mitigates,4 +3881,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-10,mitigates,4 +3882,,T1547.004,Winlogon Helper DLL,[],[],,SI-10,mitigates,4 +3883,,T1547.006,Kernel Modules and Extensions,[],[],,SI-10,mitigates,4 +3884,,T1552.005,Cloud Instance Metadata API,[],[],,SI-10,mitigates,4 +3885,,T1553.001,Gatekeeper Bypass,[],[],,SI-10,mitigates,4 +3886,,T1570,Lateral Tool Transfer,[],[],,SI-10,mitigates,4 +3887,,T1602.002,Network Device Configuration Dump,[],[],,SI-10,mitigates,4 +3888,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-10,mitigates,4 +3889,,T1021.005,VNC,[],[],,SI-10,mitigates,4 +3890,,T1036,Masquerading,[],[],,SI-10,mitigates,4 +3891,,T1036.005,Match Legitimate Name or Location,[],[],,SI-10,mitigates,4 +3892,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-10,mitigates,4 +3893,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,4 +3894,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,4 +3895,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-10,mitigates,4 +3896,,T1059.003,Windows Command Shell,[],[],,SI-10,mitigates,4 +3897,,T1059.004,Unix Shell,[],[],,SI-10,mitigates,4 +3898,,T1059.006,Python,[],[],,SI-10,mitigates,4 +3899,,T1059.007,JavaScript,[],[],,SI-10,mitigates,4 +3900,,T1071.004,DNS,[],[],,SI-10,mitigates,4 +3901,,T1080,Taint Shared Content,[],[],,SI-10,mitigates,4 +3902,,T1090,Proxy,[],[],,SI-10,mitigates,4 +3903,,T1090.003,Multi-hop Proxy,[],[],,SI-10,mitigates,4 +3904,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-10,mitigates,4 +3905,,T1187,Forced Authentication,[],[],,SI-10,mitigates,4 +3906,,T1218.001,Compiled HTML File,[],[],,SI-10,mitigates,4 +3907,,T1218.002,Control Panel,[],[],,SI-10,mitigates,4 +3908,,T1218.005,Mshta,[],[],,SI-10,mitigates,4 +3909,,T1220,XSL 
Script Processing,[],[],,SI-10,mitigates,4 +3910,,T1498,Network Denial of Service,[],[],,SI-10,mitigates,4 +3911,,T1546.008,Accessibility Features,[],[],,SI-10,mitigates,4 +3912,,T1546.009,AppCert DLLs,[],[],,SI-10,mitigates,4 +3913,,T1552,Unsecured Credentials,[],[],,SI-10,mitigates,4 +3914,,T1553,Subvert Trust Controls,[],[],,SI-10,mitigates,4 +3915,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-10,mitigates,4 +3916,,T1557.002,ARP Cache Poisoning,[],[],,SI-10,mitigates,4 +3917,,T1564.003,Hidden Window,[],[],,SI-10,mitigates,4 +3918,,T1564.006,Run Virtual Instance,[],[],,SI-10,mitigates,4 +3919,,T1564.009,Resource Forking,[],[],,SI-10,mitigates,4 +3920,,T1572,Protocol Tunneling,[],[],,SI-10,mitigates,4 +3921,,T1574.001,DLL Search Order Hijacking,[],[],,SI-10,mitigates,4 +3922,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-10,mitigates,4 +3923,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-10,mitigates,4 +3924,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-10,mitigates,4 +3925,,T1574.012,COR_PROFILER,[],[],,SI-10,mitigates,4 +3926,,T1599.001,Network Address Translation Traversal,[],[],,SI-10,mitigates,4 +3927,,T1602,Data from Configuration Repository,[],[],,SI-10,mitigates,4 +3928,,T1602.001,SNMP (MIB Dump),[],[],,SI-10,mitigates,4 +3929,,T1070.008,Clear Mailbox Data,[],[],,SI-12,mitigates,4 +3930,,T1070.001,Clear Windows Event Logs,[],[],,SI-12,mitigates,4 +3931,,T1003.003,NTDS,[],[],,SI-12,mitigates,4 +3932,,T1040,Network Sniffing,[],[],,SI-12,mitigates,4 +3933,,T1119,Automated Collection,[],[],,SI-12,mitigates,4 +3934,,T1530,Data from Cloud Storage Object,[],[],,SI-12,mitigates,4 +3935,,T1557,Adversary-in-the-Middle,[],[],,SI-12,mitigates,4 +3936,,T1020.001,Traffic Duplication,[],[],,SI-12,mitigates,4 +3937,,T1070,Indicator Removal on Host,[],[],,SI-12,mitigates,4 +3938,,T1550.001,Application Access Token,[],[],,SI-12,mitigates,4 +3939,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-12,mitigates,4 
+3940,,T1558.003,Kerberoasting,[],[],,SI-12,mitigates,4 +3941,,T1565,Data Manipulation,[],[],,SI-12,mitigates,4 +3942,,T1565.001,Stored Data Manipulation,[],[],,SI-12,mitigates,4 +3943,,T1565.002,Transmitted Data Manipulation,[],[],,SI-12,mitigates,4 +3944,,T1602.002,Network Device Configuration Dump,[],[],,SI-12,mitigates,4 +3945,,T1003,OS Credential Dumping,[],[],,SI-12,mitigates,4 +3946,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-12,mitigates,4 +3947,,T1114,Email Collection,[],[],,SI-12,mitigates,4 +3948,,T1114.001,Local Email Collection,[],[],,SI-12,mitigates,4 +3949,,T1114.002,Remote Email Collection,[],[],,SI-12,mitigates,4 +3950,,T1114.003,Email Forwarding Rule,[],[],,SI-12,mitigates,4 +3951,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-12,mitigates,4 +3952,,T1548.004,Elevated Execution with Prompt,[],[],,SI-12,mitigates,4 +3953,,T1552,Unsecured Credentials,[],[],,SI-12,mitigates,4 +3954,,T1552.004,Private Keys,[],[],,SI-12,mitigates,4 +3955,,T1557.002,ARP Cache Poisoning,[],[],,SI-12,mitigates,4 +3956,,T1558.002,Silver Ticket,[],[],,SI-12,mitigates,4 +3957,,T1558.004,AS-REP Roasting,[],[],,SI-12,mitigates,4 +3958,,T1602,Data from Configuration Repository,[],[],,SI-12,mitigates,4 +3959,,T1602.001,SNMP (MIB Dump),[],[],,SI-12,mitigates,4 +3960,,T1505,Server Software Component,[],[],,SI-14,mitigates,4 +3961,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-14,mitigates,4 +3962,,T1547.004,Winlogon Helper DLL,[],[],,SI-14,mitigates,4 +3963,,T1547.006,Kernel Modules and Extensions,[],[],,SI-14,mitigates,4 +3964,,T1505.001,SQL Stored Procedures,[],[],,SI-14,mitigates,4 +3965,,T1505.002,Transport Agent,[],[],,SI-14,mitigates,4 +3966,,T1505.004,IIS Components,[],[],,SI-14,mitigates,4 +3967,,T1557.003,DHCP Spoofing,[],[],,SI-15,mitigates,4 +3968,,T1622,Debugger Evasion,[],[],,SI-15,mitigates,4 +3969,,T1537,Transfer Data to Cloud Account,[],[],,SI-15,mitigates,4 +3970,,T1530,Data from Cloud Storage Object,[],[],,SI-15,mitigates,4 
+3971,,T1557,Adversary-in-the-Middle,[],[],,SI-15,mitigates,4 +3972,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-15,mitigates,4 +3973,,T1599,Network Boundary Bridging,[],[],,SI-15,mitigates,4 +3974,,T1095,Non-Application Layer Protocol,[],[],,SI-15,mitigates,4 +3975,,T1197,BITS Jobs,[],[],,SI-15,mitigates,4 +3976,,T1205,Traffic Signaling,[],[],,SI-15,mitigates,4 +3977,,T1205.001,Port Knocking,[],[],,SI-15,mitigates,4 +3978,,T1218.012,Verclsid,[],[],,SI-15,mitigates,4 +3979,,T1219,Remote Access Software,[],[],,SI-15,mitigates,4 +3980,,T1498.001,Direct Network Flood,[],[],,SI-15,mitigates,4 +3981,,T1498.002,Reflection Amplification,[],[],,SI-15,mitigates,4 +3982,,T1499,Endpoint Denial of Service,[],[],,SI-15,mitigates,4 +3983,,T1499.001,OS Exhaustion Flood,[],[],,SI-15,mitigates,4 +3984,,T1499.002,Service Exhaustion Flood,[],[],,SI-15,mitigates,4 +3985,,T1499.003,Application Exhaustion Flood,[],[],,SI-15,mitigates,4 +3986,,T1499.004,Application or System Exploitation,[],[],,SI-15,mitigates,4 +3987,,T1552.005,Cloud Instance Metadata API,[],[],,SI-15,mitigates,4 +3988,,T1570,Lateral Tool Transfer,[],[],,SI-15,mitigates,4 +3989,,T1602.002,Network Device Configuration Dump,[],[],,SI-15,mitigates,4 +3990,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-15,mitigates,4 +3991,,T1021.005,VNC,[],[],,SI-15,mitigates,4 +3992,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-15,mitigates,4 +3993,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,4 +3994,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,4 +3995,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-15,mitigates,4 +3996,,T1071.004,DNS,[],[],,SI-15,mitigates,4 +3997,,T1090,Proxy,[],[],,SI-15,mitigates,4 +3998,,T1090.003,Multi-hop Proxy,[],[],,SI-15,mitigates,4 +3999,,T1187,Forced Authentication,[],[],,SI-15,mitigates,4 +4000,,T1498,Network Denial of Service,[],[],,SI-15,mitigates,4 
+4001,,T1552,Unsecured Credentials,[],[],,SI-15,mitigates,4 +4002,,T1557.002,ARP Cache Poisoning,[],[],,SI-15,mitigates,4 +4003,,T1564.009,Resource Forking,[],[],,SI-15,mitigates,4 +4004,,T1572,Protocol Tunneling,[],[],,SI-15,mitigates,4 +4005,,T1599.001,Network Address Translation Traversal,[],[],,SI-15,mitigates,4 +4006,,T1602,Data from Configuration Repository,[],[],,SI-15,mitigates,4 +4007,,T1602.001,SNMP (MIB Dump),[],[],,SI-15,mitigates,4 +4008,,T1611,Escape to Host,[],[],,SI-16,mitigates,4 +4009,,T1047,Windows Management Instrumentation,[],[],,SI-16,mitigates,4 +4010,,T1543,Create or Modify System Process,[],[],,SI-16,mitigates,4 +4011,,T1565,Data Manipulation,[],[],,SI-16,mitigates,4 +4012,,T1565.001,Stored Data Manipulation,[],[],,SI-16,mitigates,4 +4013,,T1565.003,Runtime Data Manipulation,[],[],,SI-16,mitigates,4 +4014,,T1055.009,Proc Memory,[],[],,SI-16,mitigates,4 +4015,,T1543.002,Systemd Service,[],[],,SI-16,mitigates,4 +4016,,T1027.007,Dynamic API Resolution,[],[],,SI-2,mitigates,4 +4017,,T1027.008,Stripped Payloads,[],[],,SI-2,mitigates,4 +4018,,T1027.009,Embedded Payloads,[],[],,SI-2,mitigates,4 +4019,,T1546.016,Installer Packages,[],[],,SI-2,mitigates,4 +4020,,T1574.013,KernelCallbackTable,[],[],,SI-2,mitigates,4 +4021,,T1574,Hijack Execution Flow,[],[],,SI-2,mitigates,4 +4022,,T1055,Process Injection,[],[],,SI-2,mitigates,4 +4023,,T1068,Exploitation for Privilege Escalation,[],[],,SI-2,mitigates,4 +4024,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-2,mitigates,4 +4025,,T1212,Exploitation for Credential Access,[],[],,SI-2,mitigates,4 +4026,,T1059,Command and Scripting Interpreter,[],[],,SI-2,mitigates,4 +4027,,T1211,Exploitation for Defense Evasion,[],[],,SI-2,mitigates,4 +4028,,T1003.001,LSASS Memory,[],[],,SI-2,mitigates,4 +4029,,T1055.001,Dynamic-link Library Injection,[],[],,SI-2,mitigates,4 +4030,,T1055.014,VDSO Hijacking,[],[],,SI-2,mitigates,4 +4031,,T1611,Escape to Host,[],[],,SI-2,mitigates,4 +4032,,T1027,Obfuscated Files or 
Information,[],[],,SI-2,mitigates,4 +4033,,T1027.002,Software Packing,[],[],,SI-2,mitigates,4 +4034,,T1047,Windows Management Instrumentation,[],[],,SI-2,mitigates,4 +4035,,T1059.001,PowerShell,[],[],,SI-2,mitigates,4 +4036,,T1059.005,Visual Basic,[],[],,SI-2,mitigates,4 +4037,,T1106,Native API,[],[],,SI-2,mitigates,4 +4038,,T1189,Drive-by Compromise,[],[],,SI-2,mitigates,4 +4039,,T1190,Exploit Public-Facing Application,[],[],,SI-2,mitigates,4 +4040,,T1195,Supply Chain Compromise,[],[],,SI-2,mitigates,4 +4041,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SI-2,mitigates,4 +4042,,T1195.002,Compromise Software Supply Chain,[],[],,SI-2,mitigates,4 +4043,,T1204,User Execution,[],[],,SI-2,mitigates,4 +4044,,T1210,Exploitation of Remote Services,[],[],,SI-2,mitigates,4 +4045,,T1213.003,Code Repositories,[],[],,SI-2,mitigates,4 +4046,,T1221,Template Injection,[],[],,SI-2,mitigates,4 +4047,,T1495,Firmware Corruption,[],[],,SI-2,mitigates,4 +4048,,T1525,Implant Internal Image,[],[],,SI-2,mitigates,4 +4049,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-2,mitigates,4 +4050,,T1547.006,Kernel Modules and Extensions,[],[],,SI-2,mitigates,4 +4051,,T1548.002,Bypass User Account Control,[],[],,SI-2,mitigates,4 +4052,,T1559,Inter-Process Communication,[],[],,SI-2,mitigates,4 +4053,,T1559.002,Dynamic Data Exchange,[],[],,SI-2,mitigates,4 +4054,,T1003,OS Credential Dumping,[],[],,SI-2,mitigates,4 +4055,,T1055.002,Portable Executable Injection,[],[],,SI-2,mitigates,4 +4056,,T1055.003,Thread Execution Hijacking,[],[],,SI-2,mitigates,4 +4057,,T1055.004,Asynchronous Procedure Call,[],[],,SI-2,mitigates,4 +4058,,T1055.005,Thread Local Storage,[],[],,SI-2,mitigates,4 +4059,,T1055.008,Ptrace System Calls,[],[],,SI-2,mitigates,4 +4060,,T1055.009,Proc Memory,[],[],,SI-2,mitigates,4 +4061,,T1055.011,Extra Window Memory Injection,[],[],,SI-2,mitigates,4 +4062,,T1055.012,Process Hollowing,[],[],,SI-2,mitigates,4 +4063,,T1055.013,Process Doppelgänging,[],[],,SI-2,mitigates,4 
+4064,,T1059.006,Python,[],[],,SI-2,mitigates,4 +4065,,T1072,Software Deployment Tools,[],[],,SI-2,mitigates,4 +4066,,T1137,Office Application Startup,[],[],,SI-2,mitigates,4 +4067,,T1137.003,Outlook Forms,[],[],,SI-2,mitigates,4 +4068,,T1137.004,Outlook Home Page,[],[],,SI-2,mitigates,4 +4069,,T1137.005,Outlook Rules,[],[],,SI-2,mitigates,4 +4070,,T1204.001,Malicious Link,[],[],,SI-2,mitigates,4 +4071,,T1204.003,Malicious Image,[],[],,SI-2,mitigates,4 +4072,,T1542,Pre-OS Boot,[],[],,SI-2,mitigates,4 +4073,,T1542.001,System Firmware,[],[],,SI-2,mitigates,4 +4074,,T1542.003,Bootkit,[],[],,SI-2,mitigates,4 +4075,,T1542.004,ROMMONkit,[],[],,SI-2,mitigates,4 +4076,,T1542.005,TFTP Boot,[],[],,SI-2,mitigates,4 +4077,,T1546.010,AppInit DLLs,[],[],,SI-2,mitigates,4 +4078,,T1546.011,Application Shimming,[],[],,SI-2,mitigates,4 +4079,,T1550.002,Pass the Hash,[],[],,SI-2,mitigates,4 +4080,,T1552,Unsecured Credentials,[],[],,SI-2,mitigates,4 +4081,,T1552.006,Group Policy Preferences,[],[],,SI-2,mitigates,4 +4082,,T1553,Subvert Trust Controls,[],[],,SI-2,mitigates,4 +4083,,T1553.006,Code Signing Policy Modification,[],[],,SI-2,mitigates,4 +4084,,T1555.005,Password Managers,[],[],,SI-2,mitigates,4 +4085,,T1566,Phishing,[],[],,SI-2,mitigates,4 +4086,,T1566.003,Spearphishing via Service,[],[],,SI-2,mitigates,4 +4087,,T1574.002,DLL Side-Loading,[],[],,SI-2,mitigates,4 +4088,,T1601,Modify System Image,[],[],,SI-2,mitigates,4 +4089,,T1601.001,Patch System Image,[],[],,SI-2,mitigates,4 +4090,,T1601.002,Downgrade System Image,[],[],,SI-2,mitigates,4 +4091,,T1606,Forge Web Credentials,[],[],,SI-2,mitigates,4 +4092,,T1606.001,Web Cookies,[],[],,SI-2,mitigates,4 +4093,,T1055.015,ListPlanting,[],[],,SI-3,mitigates,4 +4094,,T1027.007,Dynamic API Resolution,[],[],,SI-3,mitigates,4 +4095,,T1027.008,Stripped Payloads,[],[],,SI-3,mitigates,4 +4096,,T1027.009,Embedded Payloads,[],[],,SI-3,mitigates,4 +4097,,T1070.007,Clear Network Connection History and Configurations,[],[],,SI-3,mitigates,4 
+4098,,T1070.008,Clear Mailbox Data,[],[],,SI-3,mitigates,4 +4099,,T1070.009,Clear Persistence,[],[],,SI-3,mitigates,4 +4100,,T1546.016,Installer Packages,[],[],,SI-3,mitigates,4 +4101,,T1574.013,KernelCallbackTable,[],[],,SI-3,mitigates,4 +4102,,T1557.003,DHCP Spoofing,[],[],,SI-3,mitigates,4 +4103,,T1622,Debugger Evasion,[],[],,SI-3,mitigates,4 +4104,,T1562,Impair Defenses,[],[],,SI-3,mitigates,4 +4105,,T1574,Hijack Execution Flow,[],[],,SI-3,mitigates,4 +4106,,T1055,Process Injection,[],[],,SI-3,mitigates,4 +4107,,T1068,Exploitation for Privilege Escalation,[],[],,SI-3,mitigates,4 +4108,,T1212,Exploitation for Credential Access,[],[],,SI-3,mitigates,4 +4109,,T1059,Command and Scripting Interpreter,[],[],,SI-3,mitigates,4 +4110,,T1070.001,Clear Windows Event Logs,[],[],,SI-3,mitigates,4 +4111,,T1203,Exploitation for Client Execution,[],[],,SI-3,mitigates,4 +4112,,T1211,Exploitation for Defense Evasion,[],[],,SI-3,mitigates,4 +4113,,T1567,Exfiltration Over Web Service,[],[],,SI-3,mitigates,4 +4114,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-3,mitigates,4 +4115,,T1003.001,LSASS Memory,[],[],,SI-3,mitigates,4 +4116,,T1003.002,Security Account Manager,[],[],,SI-3,mitigates,4 +4117,,T1003.003,NTDS,[],[],,SI-3,mitigates,4 +4118,,T1005,Data from Local System,[],[],,SI-3,mitigates,4 +4119,,T1046,Network Service Scanning,[],[],,SI-3,mitigates,4 +4120,,T1055.001,Dynamic-link Library Injection,[],[],,SI-3,mitigates,4 +4121,,T1055.014,VDSO Hijacking,[],[],,SI-3,mitigates,4 +4122,,T1056.002,GUI Input Capture,[],[],,SI-3,mitigates,4 +4123,,T1091,Replication Through Removable Media,[],[],,SI-3,mitigates,4 +4124,,T1111,Two-Factor Authentication Interception,[],[],,SI-3,mitigates,4 +4125,,T1201,Password Policy Discovery,[],[],,SI-3,mitigates,4 +4126,,T1218,Signed Binary Proxy Execution,[],[],,SI-3,mitigates,4 +4127,,T1557,Adversary-in-the-Middle,[],[],,SI-3,mitigates,4 +4128,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-3,mitigates,4 
+4129,,T1560.001,Archive via Utility,[],[],,SI-3,mitigates,4 +4130,,T1566.002,Spearphishing Link,[],[],,SI-3,mitigates,4 +4131,,T1598.003,Spearphishing Link,[],[],,SI-3,mitigates,4 +4132,,T1611,Escape to Host,[],[],,SI-3,mitigates,4 +4133,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-3,mitigates,4 +4134,,T1027,Obfuscated Files or Information,[],[],,SI-3,mitigates,4 +4135,,T1027.002,Software Packing,[],[],,SI-3,mitigates,4 +4136,,T1037.002,Logon Script (Mac),[],[],,SI-3,mitigates,4 +4137,,T1037.005,Startup Items,[],[],,SI-3,mitigates,4 +4138,,T1047,Windows Management Instrumentation,[],[],,SI-3,mitigates,4 +4139,,T1059.001,PowerShell,[],[],,SI-3,mitigates,4 +4140,,T1059.005,Visual Basic,[],[],,SI-3,mitigates,4 +4141,,T1070,Indicator Removal on Host,[],[],,SI-3,mitigates,4 +4142,,T1070.003,Clear Command History,[],[],,SI-3,mitigates,4 +4143,,T1095,Non-Application Layer Protocol,[],[],,SI-3,mitigates,4 +4144,,T1098.004,SSH Authorized Keys,[],[],,SI-3,mitigates,4 +4145,,T1105,Ingress Tool Transfer,[],[],,SI-3,mitigates,4 +4146,,T1106,Native API,[],[],,SI-3,mitigates,4 +4147,,T1176,Browser Extensions,[],[],,SI-3,mitigates,4 +4148,,T1189,Drive-by Compromise,[],[],,SI-3,mitigates,4 +4149,,T1190,Exploit Public-Facing Application,[],[],,SI-3,mitigates,4 +4150,,T1204,User Execution,[],[],,SI-3,mitigates,4 +4151,,T1204.002,Malicious File,[],[],,SI-3,mitigates,4 +4152,,T1210,Exploitation of Remote Services,[],[],,SI-3,mitigates,4 +4153,,T1218.003,CMSTP,[],[],,SI-3,mitigates,4 +4154,,T1218.004,InstallUtil,[],[],,SI-3,mitigates,4 +4155,,T1218.008,Odbcconf,[],[],,SI-3,mitigates,4 +4156,,T1218.009,Regsvcs/Regasm,[],[],,SI-3,mitigates,4 +4157,,T1218.012,Verclsid,[],[],,SI-3,mitigates,4 +4158,,T1218.013,Mavinject,[],[],,SI-3,mitigates,4 +4159,,T1218.014,MMC,[],[],,SI-3,mitigates,4 +4160,,T1219,Remote Access Software,[],[],,SI-3,mitigates,4 +4161,,T1221,Template Injection,[],[],,SI-3,mitigates,4 +4162,,T1486,Data Encrypted for Impact,[],[],,SI-3,mitigates,4 +4163,,T1490,Inhibit 
System Recovery,[],[],,SI-3,mitigates,4 +4164,,T1491,Defacement,[],[],,SI-3,mitigates,4 +4165,,T1491.001,Internal Defacement,[],[],,SI-3,mitigates,4 +4166,,T1491.002,External Defacement,[],[],,SI-3,mitigates,4 +4167,,T1505,Server Software Component,[],[],,SI-3,mitigates,4 +4168,,T1525,Implant Internal Image,[],[],,SI-3,mitigates,4 +4169,,T1543,Create or Modify System Process,[],[],,SI-3,mitigates,4 +4170,,T1546.002,Screensaver,[],[],,SI-3,mitigates,4 +4171,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-3,mitigates,4 +4172,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-3,mitigates,4 +4173,,T1547.002,Authentication Package,[],[],,SI-3,mitigates,4 +4174,,T1547.006,Kernel Modules and Extensions,[],[],,SI-3,mitigates,4 +4175,,T1547.007,Re-opened Applications,[],[],,SI-3,mitigates,4 +4176,,T1547.008,LSASS Driver,[],[],,SI-3,mitigates,4 +4177,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-3,mitigates,4 +4178,,T1558.003,Kerberoasting,[],[],,SI-3,mitigates,4 +4179,,T1559,Inter-Process Communication,[],[],,SI-3,mitigates,4 +4180,,T1559.002,Dynamic Data Exchange,[],[],,SI-3,mitigates,4 +4181,,T1562.001,Disable or Modify Tools,[],[],,SI-3,mitigates,4 +4182,,T1562.006,Indicator Blocking,[],[],,SI-3,mitigates,4 +4183,,T1568.002,Domain Generation Algorithms,[],[],,SI-3,mitigates,4 +4184,,T1570,Lateral Tool Transfer,[],[],,SI-3,mitigates,4 +4185,,T1602.002,Network Device Configuration Dump,[],[],,SI-3,mitigates,4 +4186,,T1001,Data Obfuscation,[],[],,SI-3,mitigates,4 +4187,,T1001.001,Junk Data,[],[],,SI-3,mitigates,4 +4188,,T1001.002,Steganography,[],[],,SI-3,mitigates,4 +4189,,T1001.003,Protocol Impersonation,[],[],,SI-3,mitigates,4 +4190,,T1003,OS Credential Dumping,[],[],,SI-3,mitigates,4 +4191,,T1003.004,LSA Secrets,[],[],,SI-3,mitigates,4 +4192,,T1003.005,Cached Domain Credentials,[],[],,SI-3,mitigates,4 +4193,,T1003.006,DCSync,[],[],,SI-3,mitigates,4 +4194,,T1003.007,Proc Filesystem,[],[],,SI-3,mitigates,4 +4195,,T1003.008,/etc/passwd and 
/etc/shadow,[],[],,SI-3,mitigates,4 +4196,,T1008,Fallback Channels,[],[],,SI-3,mitigates,4 +4197,,T1021.003,Distributed Component Object Model,[],[],,SI-3,mitigates,4 +4198,,T1021.005,VNC,[],[],,SI-3,mitigates,4 +4199,,T1025,Data from Removable Media,[],[],,SI-3,mitigates,4 +4200,,T1029,Scheduled Transfer,[],[],,SI-3,mitigates,4 +4201,,T1030,Data Transfer Size Limits,[],[],,SI-3,mitigates,4 +4202,,T1036,Masquerading,[],[],,SI-3,mitigates,4 +4203,,T1036.003,Rename System Utilities,[],[],,SI-3,mitigates,4 +4204,,T1036.005,Match Legitimate Name or Location,[],[],,SI-3,mitigates,4 +4205,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-3,mitigates,4 +4206,,T1037.003,Network Logon Script,[],[],,SI-3,mitigates,4 +4207,,T1037.004,RC Scripts,[],[],,SI-3,mitigates,4 +4208,,T1041,Exfiltration Over C2 Channel,[],[],,SI-3,mitigates,4 +4209,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-3,mitigates,4 +4210,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,4 +4211,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,4 +4212,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-3,mitigates,4 +4213,,T1052,Exfiltration Over Physical Medium,[],[],,SI-3,mitigates,4 +4214,,T1052.001,Exfiltration over USB,[],[],,SI-3,mitigates,4 +4215,,T1055.002,Portable Executable Injection,[],[],,SI-3,mitigates,4 +4216,,T1055.003,Thread Execution Hijacking,[],[],,SI-3,mitigates,4 +4217,,T1055.004,Asynchronous Procedure Call,[],[],,SI-3,mitigates,4 +4218,,T1055.005,Thread Local Storage,[],[],,SI-3,mitigates,4 +4219,,T1055.008,Ptrace System Calls,[],[],,SI-3,mitigates,4 +4220,,T1055.009,Proc Memory,[],[],,SI-3,mitigates,4 +4221,,T1055.011,Extra Window Memory Injection,[],[],,SI-3,mitigates,4 +4222,,T1055.012,Process Hollowing,[],[],,SI-3,mitigates,4 +4223,,T1055.013,Process Doppelgänging,[],[],,SI-3,mitigates,4 +4224,,T1059.006,Python,[],[],,SI-3,mitigates,4 
+4225,,T1059.007,JavaScript,[],[],,SI-3,mitigates,4 +4226,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-3,mitigates,4 +4227,,T1071,Application Layer Protocol,[],[],,SI-3,mitigates,4 +4228,,T1071.001,Web Protocols,[],[],,SI-3,mitigates,4 +4229,,T1071.002,File Transfer Protocols,[],[],,SI-3,mitigates,4 +4230,,T1071.003,Mail Protocols,[],[],,SI-3,mitigates,4 +4231,,T1071.004,DNS,[],[],,SI-3,mitigates,4 +4232,,T1072,Software Deployment Tools,[],[],,SI-3,mitigates,4 +4233,,T1080,Taint Shared Content,[],[],,SI-3,mitigates,4 +4234,,T1090,Proxy,[],[],,SI-3,mitigates,4 +4235,,T1090.001,Internal Proxy,[],[],,SI-3,mitigates,4 +4236,,T1090.002,External Proxy,[],[],,SI-3,mitigates,4 +4237,,T1092,Communication Through Removable Media,[],[],,SI-3,mitigates,4 +4238,,T1102,Web Service,[],[],,SI-3,mitigates,4 +4239,,T1102.001,Dead Drop Resolver,[],[],,SI-3,mitigates,4 +4240,,T1102.002,Bidirectional Communication,[],[],,SI-3,mitigates,4 +4241,,T1102.003,One-Way Communication,[],[],,SI-3,mitigates,4 +4242,,T1104,Multi-Stage Channels,[],[],,SI-3,mitigates,4 +4243,,T1132,Data Encoding,[],[],,SI-3,mitigates,4 +4244,,T1132.001,Standard Encoding,[],[],,SI-3,mitigates,4 +4245,,T1132.002,Non-Standard Encoding,[],[],,SI-3,mitigates,4 +4246,,T1137,Office Application Startup,[],[],,SI-3,mitigates,4 +4247,,T1137.001,Office Template Macros,[],[],,SI-3,mitigates,4 +4248,,T1185,Browser Session Hijacking,[],[],,SI-3,mitigates,4 +4249,,T1204.001,Malicious Link,[],[],,SI-3,mitigates,4 +4250,,T1204.003,Malicious Image,[],[],,SI-3,mitigates,4 +4251,,T1218.001,Compiled HTML File,[],[],,SI-3,mitigates,4 +4252,,T1218.002,Control Panel,[],[],,SI-3,mitigates,4 +4253,,T1218.005,Mshta,[],[],,SI-3,mitigates,4 +4254,,T1485,Data Destruction,[],[],,SI-3,mitigates,4 +4255,,T1505.001,SQL Stored Procedures,[],[],,SI-3,mitigates,4 +4256,,T1505.002,Transport Agent,[],[],,SI-3,mitigates,4 +4257,,T1505.004,IIS Components,[],[],,SI-3,mitigates,4 +4258,,T1539,Steal Web Session Cookie,[],[],,SI-3,mitigates,4 
+4259,,T1543.002,Systemd Service,[],[],,SI-3,mitigates,4 +4260,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-3,mitigates,4 +4261,,T1546.013,PowerShell Profile,[],[],,SI-3,mitigates,4 +4262,,T1546.014,Emond,[],[],,SI-3,mitigates,4 +4263,,T1547.005,Security Support Provider,[],[],,SI-3,mitigates,4 +4264,,T1547.013,XDG Autostart Entries,[],[],,SI-3,mitigates,4 +4265,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-3,mitigates,4 +4266,,T1548.004,Elevated Execution with Prompt,[],[],,SI-3,mitigates,4 +4267,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-3,mitigates,4 +4268,,T1557.002,ARP Cache Poisoning,[],[],,SI-3,mitigates,4 +4269,,T1558.002,Silver Ticket,[],[],,SI-3,mitigates,4 +4270,,T1558.004,AS-REP Roasting,[],[],,SI-3,mitigates,4 +4271,,T1559.001,Component Object Model,[],[],,SI-3,mitigates,4 +4272,,T1560,Archive Collected Data,[],[],,SI-3,mitigates,4 +4273,,T1561,Disk Wipe,[],[],,SI-3,mitigates,4 +4274,,T1561.001,Disk Content Wipe,[],[],,SI-3,mitigates,4 +4275,,T1561.002,Disk Structure Wipe,[],[],,SI-3,mitigates,4 +4276,,T1562.002,Disable Windows Event Logging,[],[],,SI-3,mitigates,4 +4277,,T1562.004,Disable or Modify System Firewall,[],[],,SI-3,mitigates,4 +4278,,T1564.004,NTFS File Attributes,[],[],,SI-3,mitigates,4 +4279,,T1564.008,Email Hiding Rules,[],[],,SI-3,mitigates,4 +4280,,T1564.009,Resource Forking,[],[],,SI-3,mitigates,4 +4281,,T1566,Phishing,[],[],,SI-3,mitigates,4 +4282,,T1566.001,Spearphishing Attachment,[],[],,SI-3,mitigates,4 +4283,,T1566.003,Spearphishing via Service,[],[],,SI-3,mitigates,4 +4284,,T1568,Dynamic Resolution,[],[],,SI-3,mitigates,4 +4285,,T1569,System Services,[],[],,SI-3,mitigates,4 +4286,,T1569.002,Service Execution,[],[],,SI-3,mitigates,4 +4287,,T1571,Non-Standard Port,[],[],,SI-3,mitigates,4 +4288,,T1572,Protocol Tunneling,[],[],,SI-3,mitigates,4 +4289,,T1573,Encrypted Channel,[],[],,SI-3,mitigates,4 +4290,,T1573.001,Symmetric Cryptography,[],[],,SI-3,mitigates,4 +4291,,T1573.002,Asymmetric 
Cryptography,[],[],,SI-3,mitigates,4 +4292,,T1574.001,DLL Search Order Hijacking,[],[],,SI-3,mitigates,4 +4293,,T1574.004,Dylib Hijacking,[],[],,SI-3,mitigates,4 +4294,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-3,mitigates,4 +4295,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-3,mitigates,4 +4296,,T1598,Phishing for Information,[],[],,SI-3,mitigates,4 +4297,,T1598.001,Spearphishing Service,[],[],,SI-3,mitigates,4 +4298,,T1598.002,Spearphishing Attachment,[],[],,SI-3,mitigates,4 +4299,,T1602,Data from Configuration Repository,[],[],,SI-3,mitigates,4 +4300,,T1602.001,SNMP (MIB Dump),[],[],,SI-3,mitigates,4 +4301,,T1027.007,Dynamic API Resolution,[],[],,SI-4,mitigates,4 +4302,,T1027.008,Stripped Payloads,[],[],,SI-4,mitigates,4 +4303,,T1027.009,Embedded Payloads,[],[],,SI-4,mitigates,4 +4304,,T1070.007,Clear Network Connection History and Configurations,[],[],,SI-4,mitigates,4 +4305,,T1070.008,Clear Mailbox Data,[],[],,SI-4,mitigates,4 +4306,,T1070.009,Clear Persistence,[],[],,SI-4,mitigates,4 +4307,,T1205.002,Socket Filters,[],[],,SI-4,mitigates,4 +4308,,T1505.005,Terminal Services DLL,[],[],,SI-4,mitigates,4 +4309,,T1546.016,Installer Packages,[],[],,SI-4,mitigates,4 +4310,,T1559.003,XPC Services,[],[],,SI-4,mitigates,4 +4311,,T1564.010,Process Argument Spoofing,[],[],,SI-4,mitigates,4 +4312,,T1574.013,KernelCallbackTable,[],[],,SI-4,mitigates,4 +4313,,T1648,Serverless Execution,[],[],,SI-4,mitigates,4 +4314,,T1557.003,DHCP Spoofing,[],[],,SI-4,mitigates,4 +4315,,T1622,Debugger Evasion,[],[],,SI-4,mitigates,4 +4316,,T1647,Plist File Modification,[],[],,SI-4,mitigates,4 +4317,,T1556,Modify Authentication Process,[],[],,SI-4,mitigates,4 +4318,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-4,mitigates,4 +4319,,T1562,Impair Defenses,[],[],,SI-4,mitigates,4 +4320,,T1574,Hijack Execution Flow,[],[],,SI-4,mitigates,4 +4321,,T1610,Deploy Container,[],[],,SI-4,mitigates,4 +4322,,T1055,Process Injection,[],[],,SI-4,mitigates,4 
+4323,,T1068,Exploitation for Privilege Escalation,[],[],,SI-4,mitigates,4 +4324,,T1087.001,Local Account,[],[],,SI-4,mitigates,4 +4325,,T1087.002,Domain Account,[],[],,SI-4,mitigates,4 +4326,,T1133,External Remote Services,[],[],,SI-4,mitigates,4 +4327,,T1212,Exploitation for Credential Access,[],[],,SI-4,mitigates,4 +4328,,T1059,Command and Scripting Interpreter,[],[],,SI-4,mitigates,4 +4329,,T1070.001,Clear Windows Event Logs,[],[],,SI-4,mitigates,4 +4330,,T1203,Exploitation for Client Execution,[],[],,SI-4,mitigates,4 +4331,,T1211,Exploitation for Defense Evasion,[],[],,SI-4,mitigates,4 +4332,,T1537,Transfer Data to Cloud Account,[],[],,SI-4,mitigates,4 +4333,,T1567,Exfiltration Over Web Service,[],[],,SI-4,mitigates,4 +4334,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-4,mitigates,4 +4335,,T1003.001,LSASS Memory,[],[],,SI-4,mitigates,4 +4336,,T1003.002,Security Account Manager,[],[],,SI-4,mitigates,4 +4337,,T1003.003,NTDS,[],[],,SI-4,mitigates,4 +4338,,T1005,Data from Local System,[],[],,SI-4,mitigates,4 +4339,,T1040,Network Sniffing,[],[],,SI-4,mitigates,4 +4340,,T1046,Network Service Scanning,[],[],,SI-4,mitigates,4 +4341,,T1055.001,Dynamic-link Library Injection,[],[],,SI-4,mitigates,4 +4342,,T1055.014,VDSO Hijacking,[],[],,SI-4,mitigates,4 +4343,,T1056.002,GUI Input Capture,[],[],,SI-4,mitigates,4 +4344,,T1078,Valid Accounts,[],[],,SI-4,mitigates,4 +4345,,T1091,Replication Through Removable Media,[],[],,SI-4,mitigates,4 +4346,,T1110.001,Password Guessing,[],[],,SI-4,mitigates,4 +4347,,T1110.002,Password Cracking,[],[],,SI-4,mitigates,4 +4348,,T1111,Two-Factor Authentication Interception,[],[],,SI-4,mitigates,4 +4349,,T1119,Automated Collection,[],[],,SI-4,mitigates,4 +4350,,T1201,Password Policy Discovery,[],[],,SI-4,mitigates,4 +4351,,T1218,Signed Binary Proxy Execution,[],[],,SI-4,mitigates,4 +4352,,T1218.011,Rundll32,[],[],,SI-4,mitigates,4 +4353,,T1528,Steal Application Access Token,[],[],,SI-4,mitigates,4 +4354,,T1530,Data from 
Cloud Storage Object,[],[],,SI-4,mitigates,4 +4355,,T1548.001,Setuid and Setgid,[],[],,SI-4,mitigates,4 +4356,,T1555.001,Keychain,[],[],,SI-4,mitigates,4 +4357,,T1555.004,Windows Credential Manager,[],[],,SI-4,mitigates,4 +4358,,T1557,Adversary-in-the-Middle,[],[],,SI-4,mitigates,4 +4359,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-4,mitigates,4 +4360,,T1560.001,Archive via Utility,[],[],,SI-4,mitigates,4 +4361,,T1566.002,Spearphishing Link,[],[],,SI-4,mitigates,4 +4362,,T1598.003,Spearphishing Link,[],[],,SI-4,mitigates,4 +4363,,T1599,Network Boundary Bridging,[],[],,SI-4,mitigates,4 +4364,,T1611,Escape to Host,[],[],,SI-4,mitigates,4 +4365,,T1011,Exfiltration Over Other Network Medium,[],[],,SI-4,mitigates,4 +4366,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-4,mitigates,4 +4367,,T1020.001,Traffic Duplication,[],[],,SI-4,mitigates,4 +4368,,T1021.001,Remote Desktop Protocol,[],[],,SI-4,mitigates,4 +4369,,T1027,Obfuscated Files or Information,[],[],,SI-4,mitigates,4 +4370,,T1027.002,Software Packing,[],[],,SI-4,mitigates,4 +4371,,T1037.002,Logon Script (Mac),[],[],,SI-4,mitigates,4 +4372,,T1037.005,Startup Items,[],[],,SI-4,mitigates,4 +4373,,T1047,Windows Management Instrumentation,[],[],,SI-4,mitigates,4 +4374,,T1053,Scheduled Task/Job,[],[],,SI-4,mitigates,4 +4375,,T1053.002,At (Windows),[],[],,SI-4,mitigates,4 +4376,,T1053.003,Cron,[],[],,SI-4,mitigates,4 +4377,,T1053.005,Scheduled Task,[],[],,SI-4,mitigates,4 +4378,,T1059.001,PowerShell,[],[],,SI-4,mitigates,4 +4379,,T1059.002,AppleScript,[],[],,SI-4,mitigates,4 +4380,,T1059.005,Visual Basic,[],[],,SI-4,mitigates,4 +4381,,T1059.008,Network Device CLI,[],[],,SI-4,mitigates,4 +4382,,T1070,Indicator Removal on Host,[],[],,SI-4,mitigates,4 +4383,,T1070.003,Clear Command History,[],[],,SI-4,mitigates,4 +4384,,T1078.002,Domain Accounts,[],[],,SI-4,mitigates,4 +4385,,T1078.004,Cloud Accounts,[],[],,SI-4,mitigates,4 +4386,,T1095,Non-Application Layer Protocol,[],[],,SI-4,mitigates,4 
+4387,,T1098,Account Manipulation,[],[],,SI-4,mitigates,4 +4388,,T1098.001,Additional Cloud Credentials,[],[],,SI-4,mitigates,4 +4389,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-4,mitigates,4 +4390,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-4,mitigates,4 +4391,,T1098.004,SSH Authorized Keys,[],[],,SI-4,mitigates,4 +4392,,T1105,Ingress Tool Transfer,[],[],,SI-4,mitigates,4 +4393,,T1106,Native API,[],[],,SI-4,mitigates,4 +4394,,T1129,Shared Modules,[],[],,SI-4,mitigates,4 +4395,,T1176,Browser Extensions,[],[],,SI-4,mitigates,4 +4396,,T1189,Drive-by Compromise,[],[],,SI-4,mitigates,4 +4397,,T1190,Exploit Public-Facing Application,[],[],,SI-4,mitigates,4 +4398,,T1197,BITS Jobs,[],[],,SI-4,mitigates,4 +4399,,T1204,User Execution,[],[],,SI-4,mitigates,4 +4400,,T1204.002,Malicious File,[],[],,SI-4,mitigates,4 +4401,,T1205,Traffic Signaling,[],[],,SI-4,mitigates,4 +4402,,T1205.001,Port Knocking,[],[],,SI-4,mitigates,4 +4403,,T1210,Exploitation of Remote Services,[],[],,SI-4,mitigates,4 +4404,,T1216,Signed Script Proxy Execution,[],[],,SI-4,mitigates,4 +4405,,T1216.001,PubPrn,[],[],,SI-4,mitigates,4 +4406,,T1218.003,CMSTP,[],[],,SI-4,mitigates,4 +4407,,T1218.004,InstallUtil,[],[],,SI-4,mitigates,4 +4408,,T1218.008,Odbcconf,[],[],,SI-4,mitigates,4 +4409,,T1218.009,Regsvcs/Regasm,[],[],,SI-4,mitigates,4 +4410,,T1218.010,Regsvr32,[],[],,SI-4,mitigates,4 +4411,,T1218.012,Verclsid,[],[],,SI-4,mitigates,4 +4412,,T1218.013,Mavinject,[],[],,SI-4,mitigates,4 +4413,,T1218.014,MMC,[],[],,SI-4,mitigates,4 +4414,,T1219,Remote Access Software,[],[],,SI-4,mitigates,4 +4415,,T1221,Template Injection,[],[],,SI-4,mitigates,4 +4416,,T1222,File and Directory Permissions Modification,[],[],,SI-4,mitigates,4 +4417,,T1486,Data Encrypted for Impact,[],[],,SI-4,mitigates,4 +4418,,T1490,Inhibit System Recovery,[],[],,SI-4,mitigates,4 +4419,,T1491,Defacement,[],[],,SI-4,mitigates,4 +4420,,T1491.001,Internal Defacement,[],[],,SI-4,mitigates,4 +4421,,T1491.002,External 
Defacement,[],[],,SI-4,mitigates,4 +4422,,T1499,Endpoint Denial of Service,[],[],,SI-4,mitigates,4 +4423,,T1499.001,OS Exhaustion Flood,[],[],,SI-4,mitigates,4 +4424,,T1499.002,Service Exhaustion Flood,[],[],,SI-4,mitigates,4 +4425,,T1499.003,Application Exhaustion Flood,[],[],,SI-4,mitigates,4 +4426,,T1499.004,Application or System Exploitation,[],[],,SI-4,mitigates,4 +4427,,T1505,Server Software Component,[],[],,SI-4,mitigates,4 +4428,,T1505.003,Web Shell,[],[],,SI-4,mitigates,4 +4429,,T1525,Implant Internal Image,[],[],,SI-4,mitigates,4 +4430,,T1543,Create or Modify System Process,[],[],,SI-4,mitigates,4 +4431,,T1543.003,Windows Service,[],[],,SI-4,mitigates,4 +4432,,T1546.002,Screensaver,[],[],,SI-4,mitigates,4 +4433,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-4,mitigates,4 +4434,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-4,mitigates,4 +4435,,T1547.002,Authentication Package,[],[],,SI-4,mitigates,4 +4436,,T1547.003,Time Providers,[],[],,SI-4,mitigates,4 +4437,,T1547.004,Winlogon Helper DLL,[],[],,SI-4,mitigates,4 +4438,,T1547.006,Kernel Modules and Extensions,[],[],,SI-4,mitigates,4 +4439,,T1547.007,Re-opened Applications,[],[],,SI-4,mitigates,4 +4440,,T1547.008,LSASS Driver,[],[],,SI-4,mitigates,4 +4441,,T1547.009,Shortcut Modification,[],[],,SI-4,mitigates,4 +4442,,T1548.002,Bypass User Account Control,[],[],,SI-4,mitigates,4 +4443,,T1548.003,Sudo and Sudo Caching,[],[],,SI-4,mitigates,4 +4444,,T1550.001,Application Access Token,[],[],,SI-4,mitigates,4 +4445,,T1552.003,Bash History,[],[],,SI-4,mitigates,4 +4446,,T1552.005,Cloud Instance Metadata API,[],[],,SI-4,mitigates,4 +4447,,T1553.001,Gatekeeper Bypass,[],[],,SI-4,mitigates,4 +4448,,T1555.002,Securityd Memory,[],[],,SI-4,mitigates,4 +4449,,T1556.004,Network Device Authentication,[],[],,SI-4,mitigates,4 +4450,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-4,mitigates,4 +4451,,T1558.003,Kerberoasting,[],[],,SI-4,mitigates,4 +4452,,T1559,Inter-Process 
Communication,[],[],,SI-4,mitigates,4 +4453,,T1559.002,Dynamic Data Exchange,[],[],,SI-4,mitigates,4 +4454,,T1562.001,Disable or Modify Tools,[],[],,SI-4,mitigates,4 +4455,,T1562.003,Impair Command History Logging,[],[],,SI-4,mitigates,4 +4456,,T1562.006,Indicator Blocking,[],[],,SI-4,mitigates,4 +4457,,T1562.010,Downgrade Attack,[],[],,SI-4,mitigates,4 +4458,,T1564.002,Hidden Users,[],[],,SI-4,mitigates,4 +4459,,T1565,Data Manipulation,[],[],,SI-4,mitigates,4 +4460,,T1565.001,Stored Data Manipulation,[],[],,SI-4,mitigates,4 +4461,,T1565.002,Transmitted Data Manipulation,[],[],,SI-4,mitigates,4 +4462,,T1565.003,Runtime Data Manipulation,[],[],,SI-4,mitigates,4 +4463,,T1568.002,Domain Generation Algorithms,[],[],,SI-4,mitigates,4 +4464,,T1570,Lateral Tool Transfer,[],[],,SI-4,mitigates,4 +4465,,T1602.002,Network Device Configuration Dump,[],[],,SI-4,mitigates,4 +4466,,T1001,Data Obfuscation,[],[],,SI-4,mitigates,4 +4467,,T1001.001,Junk Data,[],[],,SI-4,mitigates,4 +4468,,T1001.002,Steganography,[],[],,SI-4,mitigates,4 +4469,,T1001.003,Protocol Impersonation,[],[],,SI-4,mitigates,4 +4470,,T1003,OS Credential Dumping,[],[],,SI-4,mitigates,4 +4471,,T1003.004,LSA Secrets,[],[],,SI-4,mitigates,4 +4472,,T1003.005,Cached Domain Credentials,[],[],,SI-4,mitigates,4 +4473,,T1003.006,DCSync,[],[],,SI-4,mitigates,4 +4474,,T1003.007,Proc Filesystem,[],[],,SI-4,mitigates,4 +4475,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-4,mitigates,4 +4476,,T1008,Fallback Channels,[],[],,SI-4,mitigates,4 +4477,,T1021,Remote Services,[],[],,SI-4,mitigates,4 +4478,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-4,mitigates,4 +4479,,T1021.003,Distributed Component Object Model,[],[],,SI-4,mitigates,4 +4480,,T1021.004,SSH,[],[],,SI-4,mitigates,4 +4481,,T1021.005,VNC,[],[],,SI-4,mitigates,4 +4482,,T1021.006,Windows Remote Management,[],[],,SI-4,mitigates,4 +4483,,T1025,Data from Removable Media,[],[],,SI-4,mitigates,4 +4484,,T1029,Scheduled Transfer,[],[],,SI-4,mitigates,4 +4485,,T1030,Data 
Transfer Size Limits,[],[],,SI-4,mitigates,4 +4486,,T1036,Masquerading,[],[],,SI-4,mitigates,4 +4487,,T1036.001,Invalid Code Signature,[],[],,SI-4,mitigates,4 +4488,,T1036.003,Rename System Utilities,[],[],,SI-4,mitigates,4 +4489,,T1036.005,Match Legitimate Name or Location,[],[],,SI-4,mitigates,4 +4490,,T1036.007,Double File Extension,[],[],,SI-4,mitigates,4 +4491,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-4,mitigates,4 +4492,,T1037.003,Network Logon Script,[],[],,SI-4,mitigates,4 +4493,,T1037.004,RC Scripts,[],[],,SI-4,mitigates,4 +4494,,T1041,Exfiltration Over C2 Channel,[],[],,SI-4,mitigates,4 +4495,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-4,mitigates,4 +4496,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,4 +4497,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,4 +4498,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-4,mitigates,4 +4499,,T1052,Exfiltration Over Physical Medium,[],[],,SI-4,mitigates,4 +4500,,T1052.001,Exfiltration over USB,[],[],,SI-4,mitigates,4 +4501,,T1053.006,Systemd Timers,[],[],,SI-4,mitigates,4 +4502,,T1055.002,Portable Executable Injection,[],[],,SI-4,mitigates,4 +4503,,T1055.003,Thread Execution Hijacking,[],[],,SI-4,mitigates,4 +4504,,T1055.004,Asynchronous Procedure Call,[],[],,SI-4,mitigates,4 +4505,,T1055.005,Thread Local Storage,[],[],,SI-4,mitigates,4 +4506,,T1055.008,Ptrace System Calls,[],[],,SI-4,mitigates,4 +4507,,T1055.009,Proc Memory,[],[],,SI-4,mitigates,4 +4508,,T1055.011,Extra Window Memory Injection,[],[],,SI-4,mitigates,4 +4509,,T1055.012,Process Hollowing,[],[],,SI-4,mitigates,4 +4510,,T1055.013,Process Doppelgänging,[],[],,SI-4,mitigates,4 +4511,,T1059.003,Windows Command Shell,[],[],,SI-4,mitigates,4 +4512,,T1059.004,Unix Shell,[],[],,SI-4,mitigates,4 +4513,,T1059.006,Python,[],[],,SI-4,mitigates,4 +4514,,T1059.007,JavaScript,[],[],,SI-4,mitigates,4 +4515,,T1070.002,Clear Linux or Mac 
System Logs,[],[],,SI-4,mitigates,4 +4516,,T1071,Application Layer Protocol,[],[],,SI-4,mitigates,4 +4517,,T1071.001,Web Protocols,[],[],,SI-4,mitigates,4 +4518,,T1071.002,File Transfer Protocols,[],[],,SI-4,mitigates,4 +4519,,T1071.003,Mail Protocols,[],[],,SI-4,mitigates,4 +4520,,T1071.004,DNS,[],[],,SI-4,mitigates,4 +4521,,T1072,Software Deployment Tools,[],[],,SI-4,mitigates,4 +4522,,T1078.001,Default Accounts,[],[],,SI-4,mitigates,4 +4523,,T1078.003,Local Accounts,[],[],,SI-4,mitigates,4 +4524,,T1080,Taint Shared Content,[],[],,SI-4,mitigates,4 +4525,,T1087,Account Discovery,[],[],,SI-4,mitigates,4 +4526,,T1090,Proxy,[],[],,SI-4,mitigates,4 +4527,,T1090.001,Internal Proxy,[],[],,SI-4,mitigates,4 +4528,,T1090.002,External Proxy,[],[],,SI-4,mitigates,4 +4529,,T1092,Communication Through Removable Media,[],[],,SI-4,mitigates,4 +4530,,T1102,Web Service,[],[],,SI-4,mitigates,4 +4531,,T1102.001,Dead Drop Resolver,[],[],,SI-4,mitigates,4 +4532,,T1102.002,Bidirectional Communication,[],[],,SI-4,mitigates,4 +4533,,T1102.003,One-Way Communication,[],[],,SI-4,mitigates,4 +4534,,T1104,Multi-Stage Channels,[],[],,SI-4,mitigates,4 +4535,,T1110,Brute Force,[],[],,SI-4,mitigates,4 +4536,,T1110.003,Password Spraying,[],[],,SI-4,mitigates,4 +4537,,T1110.004,Credential Stuffing,[],[],,SI-4,mitigates,4 +4538,,T1114,Email Collection,[],[],,SI-4,mitigates,4 +4539,,T1114.001,Local Email Collection,[],[],,SI-4,mitigates,4 +4540,,T1114.002,Remote Email Collection,[],[],,SI-4,mitigates,4 +4541,,T1114.003,Email Forwarding Rule,[],[],,SI-4,mitigates,4 +4542,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-4,mitigates,4 +4543,,T1127.001,MSBuild,[],[],,SI-4,mitigates,4 +4544,,T1132,Data Encoding,[],[],,SI-4,mitigates,4 +4545,,T1132.001,Standard Encoding,[],[],,SI-4,mitigates,4 +4546,,T1132.002,Non-Standard Encoding,[],[],,SI-4,mitigates,4 +4547,,T1135,Network Share Discovery,[],[],,SI-4,mitigates,4 +4548,,T1136,Create Account,[],[],,SI-4,mitigates,4 +4549,,T1136.001,Local 
Account,[],[],,SI-4,mitigates,4 +4550,,T1136.002,Domain Account,[],[],,SI-4,mitigates,4 +4551,,T1136.003,Cloud Account,[],[],,SI-4,mitigates,4 +4552,,T1137,Office Application Startup,[],[],,SI-4,mitigates,4 +4553,,T1137.001,Office Template Macros,[],[],,SI-4,mitigates,4 +4554,,T1185,Browser Session Hijacking,[],[],,SI-4,mitigates,4 +4555,,T1187,Forced Authentication,[],[],,SI-4,mitigates,4 +4556,,T1204.001,Malicious Link,[],[],,SI-4,mitigates,4 +4557,,T1204.003,Malicious Image,[],[],,SI-4,mitigates,4 +4558,,T1213,Data from Information Repositories,[],[],,SI-4,mitigates,4 +4559,,T1213.001,Confluence,[],[],,SI-4,mitigates,4 +4560,,T1213.002,Sharepoint,[],[],,SI-4,mitigates,4 +4561,,T1218.001,Compiled HTML File,[],[],,SI-4,mitigates,4 +4562,,T1218.002,Control Panel,[],[],,SI-4,mitigates,4 +4563,,T1218.005,Mshta,[],[],,SI-4,mitigates,4 +4564,,T1220,XSL Script Processing,[],[],,SI-4,mitigates,4 +4565,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-4,mitigates,4 +4566,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-4,mitigates,4 +4567,,T1484,Domain Policy Modification,[],[],,SI-4,mitigates,4 +4568,,T1485,Data Destruction,[],[],,SI-4,mitigates,4 +4569,,T1489,Service Stop,[],[],,SI-4,mitigates,4 +4570,,T1505.001,SQL Stored Procedures,[],[],,SI-4,mitigates,4 +4571,,T1505.002,Transport Agent,[],[],,SI-4,mitigates,4 +4572,,T1505.004,IIS Components,[],[],,SI-4,mitigates,4 +4573,,T1539,Steal Web Session Cookie,[],[],,SI-4,mitigates,4 +4574,,T1542.004,ROMMONkit,[],[],,SI-4,mitigates,4 +4575,,T1542.005,TFTP Boot,[],[],,SI-4,mitigates,4 +4576,,T1543.002,Systemd Service,[],[],,SI-4,mitigates,4 +4577,,T1543.004,Launch Daemon,[],[],,SI-4,mitigates,4 +4578,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-4,mitigates,4 +4579,,T1546.008,Accessibility Features,[],[],,SI-4,mitigates,4 +4580,,T1546.013,PowerShell Profile,[],[],,SI-4,mitigates,4 +4581,,T1546.014,Emond,[],[],,SI-4,mitigates,4 +4582,,T1547.005,Security Support 
Provider,[],[],,SI-4,mitigates,4 +4583,,T1547.012,Print Processors,[],[],,SI-4,mitigates,4 +4584,,T1547.013,XDG Autostart Entries,[],[],,SI-4,mitigates,4 +4585,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-4,mitigates,4 +4586,,T1548.004,Elevated Execution with Prompt,[],[],,SI-4,mitigates,4 +4587,,T1550.003,Pass the Ticket,[],[],,SI-4,mitigates,4 +4588,,T1552,Unsecured Credentials,[],[],,SI-4,mitigates,4 +4589,,T1552.001,Credentials In Files,[],[],,SI-4,mitigates,4 +4590,,T1552.002,Credentials in Registry,[],[],,SI-4,mitigates,4 +4591,,T1552.004,Private Keys,[],[],,SI-4,mitigates,4 +4592,,T1552.006,Group Policy Preferences,[],[],,SI-4,mitigates,4 +4593,,T1553,Subvert Trust Controls,[],[],,SI-4,mitigates,4 +4594,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-4,mitigates,4 +4595,,T1553.004,Install Root Certificate,[],[],,SI-4,mitigates,4 +4596,,T1555,Credentials from Password Stores,[],[],,SI-4,mitigates,4 +4597,,T1555.005,Password Managers,[],[],,SI-4,mitigates,4 +4598,,T1556.001,Domain Controller Authentication,[],[],,SI-4,mitigates,4 +4599,,T1556.002,Password Filter DLL,[],[],,SI-4,mitigates,4 +4600,,T1556.003,Pluggable Authentication Modules,[],[],,SI-4,mitigates,4 +4601,,T1557.002,ARP Cache Poisoning,[],[],,SI-4,mitigates,4 +4602,,T1558.002,Silver Ticket,[],[],,SI-4,mitigates,4 +4603,,T1558.004,AS-REP Roasting,[],[],,SI-4,mitigates,4 +4604,,T1559.001,Component Object Model,[],[],,SI-4,mitigates,4 +4605,,T1560,Archive Collected Data,[],[],,SI-4,mitigates,4 +4606,,T1561,Disk Wipe,[],[],,SI-4,mitigates,4 +4607,,T1561.001,Disk Content Wipe,[],[],,SI-4,mitigates,4 +4608,,T1561.002,Disk Structure Wipe,[],[],,SI-4,mitigates,4 +4609,,T1562.002,Disable Windows Event Logging,[],[],,SI-4,mitigates,4 +4610,,T1562.004,Disable or Modify System Firewall,[],[],,SI-4,mitigates,4 +4611,,T1563,Remote Service Session Hijacking,[],[],,SI-4,mitigates,4 +4612,,T1563.001,SSH Hijacking,[],[],,SI-4,mitigates,4 +4613,,T1563.002,RDP Hijacking,[],[],,SI-4,mitigates,4 
+4614,,T1564.004,NTFS File Attributes,[],[],,SI-4,mitigates,4 +4615,,T1564.006,Run Virtual Instance,[],[],,SI-4,mitigates,4 +4616,,T1564.007,VBA Stomping,[],[],,SI-4,mitigates,4 +4617,,T1564.008,Email Hiding Rules,[],[],,SI-4,mitigates,4 +4618,,T1564.009,Resource Forking,[],[],,SI-4,mitigates,4 +4619,,T1566,Phishing,[],[],,SI-4,mitigates,4 +4620,,T1566.001,Spearphishing Attachment,[],[],,SI-4,mitigates,4 +4621,,T1566.003,Spearphishing via Service,[],[],,SI-4,mitigates,4 +4622,,T1568,Dynamic Resolution,[],[],,SI-4,mitigates,4 +4623,,T1569,System Services,[],[],,SI-4,mitigates,4 +4624,,T1569.002,Service Execution,[],[],,SI-4,mitigates,4 +4625,,T1571,Non-Standard Port,[],[],,SI-4,mitigates,4 +4626,,T1572,Protocol Tunneling,[],[],,SI-4,mitigates,4 +4627,,T1573,Encrypted Channel,[],[],,SI-4,mitigates,4 +4628,,T1573.001,Symmetric Cryptography,[],[],,SI-4,mitigates,4 +4629,,T1573.002,Asymmetric Cryptography,[],[],,SI-4,mitigates,4 +4630,,T1574.001,DLL Search Order Hijacking,[],[],,SI-4,mitigates,4 +4631,,T1574.004,Dylib Hijacking,[],[],,SI-4,mitigates,4 +4632,,T1574.005,Executable Installer File Permissions Weakness,[],[],,SI-4,mitigates,4 +4633,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-4,mitigates,4 +4634,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-4,mitigates,4 +4635,,T1574.010,Services File Permissions Weakness,[],[],,SI-4,mitigates,4 +4636,,T1578,Modify Cloud Compute Infrastructure,[],[],,SI-4,mitigates,4 +4637,,T1578.001,Create Snapshot,[],[],,SI-4,mitigates,4 +4638,,T1578.002,Create Cloud Instance,[],[],,SI-4,mitigates,4 +4639,,T1578.003,Delete Cloud Instance,[],[],,SI-4,mitigates,4 +4640,,T1598,Phishing for Information,[],[],,SI-4,mitigates,4 +4641,,T1598.001,Spearphishing Service,[],[],,SI-4,mitigates,4 +4642,,T1598.002,Spearphishing Attachment,[],[],,SI-4,mitigates,4 +4643,,T1599.001,Network Address Translation Traversal,[],[],,SI-4,mitigates,4 +4644,,T1601,Modify System Image,[],[],,SI-4,mitigates,4 +4645,,T1601.001,Patch 
System Image,[],[],,SI-4,mitigates,4 +4646,,T1601.002,Downgrade System Image,[],[],,SI-4,mitigates,4 +4647,,T1602,Data from Configuration Repository,[],[],,SI-4,mitigates,4 +4648,,T1602.001,SNMP (MIB Dump),[],[],,SI-4,mitigates,4 +4649,,T1612,Build Image on Host,[],[],,SI-4,mitigates,4 +4650,,T1613,Container and Resource Discovery,[],[],,SI-4,mitigates,4 +4651,,T1068,Exploitation for Privilege Escalation,[],[],,SI-5,mitigates,4 +4652,,T1212,Exploitation for Credential Access,[],[],,SI-5,mitigates,4 +4653,,T1211,Exploitation for Defense Evasion,[],[],,SI-5,mitigates,4 +4654,,T1210,Exploitation of Remote Services,[],[],,SI-5,mitigates,4 +4655,,T1027.007,Dynamic API Resolution,[],[],,SI-7,mitigates,4 +4656,,T1027.008,Stripped Payloads,[],[],,SI-7,mitigates,4 +4657,,T1027.009,Embedded Payloads,[],[],,SI-7,mitigates,4 +4658,,T1070.007,Clear Network Connection History and Configurations,[],[],,SI-7,mitigates,4 +4659,,T1070.008,Clear Mailbox Data,[],[],,SI-7,mitigates,4 +4660,,T1070.009,Clear Persistence,[],[],,SI-7,mitigates,4 +4661,,T1564.010,Process Argument Spoofing,[],[],,SI-7,mitigates,4 +4662,,T1574.013,KernelCallbackTable,[],[],,SI-7,mitigates,4 +4663,,T1565.003,Runtime Data Manipulation,[],[],,SI-7,mitigates,4 +4664,,T1647,Plist File Modification,[],[],,SI-7,mitigates,4 +4665,,T1556,Modify Authentication Process,[],[],,SI-7,mitigates,4 +4666,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-7,mitigates,4 +4667,,T1562,Impair Defenses,[],[],,SI-7,mitigates,4 +4668,,T1574,Hijack Execution Flow,[],[],,SI-7,mitigates,4 +4669,,T1609,Container Administration Command,[],[],,SI-7,mitigates,4 +4670,,T1068,Exploitation for Privilege Escalation,[],[],,SI-7,mitigates,4 +4671,,T1133,External Remote Services,[],[],,SI-7,mitigates,4 +4672,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-7,mitigates,4 +4673,,T1212,Exploitation for Credential Access,[],[],,SI-7,mitigates,4 +4674,,T1059,Command and Scripting Interpreter,[],[],,SI-7,mitigates,4 +4675,,T1070.001,Clear Windows Event 
Logs,[],[],,SI-7,mitigates,4 +4676,,T1203,Exploitation for Client Execution,[],[],,SI-7,mitigates,4 +4677,,T1211,Exploitation for Defense Evasion,[],[],,SI-7,mitigates,4 +4678,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-7,mitigates,4 +4679,,T1003.003,NTDS,[],[],,SI-7,mitigates,4 +4680,,T1040,Network Sniffing,[],[],,SI-7,mitigates,4 +4681,,T1056.002,GUI Input Capture,[],[],,SI-7,mitigates,4 +4682,,T1119,Automated Collection,[],[],,SI-7,mitigates,4 +4683,,T1218,Signed Binary Proxy Execution,[],[],,SI-7,mitigates,4 +4684,,T1218.011,Rundll32,[],[],,SI-7,mitigates,4 +4685,,T1530,Data from Cloud Storage Object,[],[],,SI-7,mitigates,4 +4686,,T1557,Adversary-in-the-Middle,[],[],,SI-7,mitigates,4 +4687,,T1599,Network Boundary Bridging,[],[],,SI-7,mitigates,4 +4688,,T1611,Escape to Host,[],[],,SI-7,mitigates,4 +4689,,T1020.001,Traffic Duplication,[],[],,SI-7,mitigates,4 +4690,,T1027,Obfuscated Files or Information,[],[],,SI-7,mitigates,4 +4691,,T1027.002,Software Packing,[],[],,SI-7,mitigates,4 +4692,,T1037.002,Logon Script (Mac),[],[],,SI-7,mitigates,4 +4693,,T1037.005,Startup Items,[],[],,SI-7,mitigates,4 +4694,,T1047,Windows Management Instrumentation,[],[],,SI-7,mitigates,4 +4695,,T1059.001,PowerShell,[],[],,SI-7,mitigates,4 +4696,,T1059.002,AppleScript,[],[],,SI-7,mitigates,4 +4697,,T1059.005,Visual Basic,[],[],,SI-7,mitigates,4 +4698,,T1059.008,Network Device CLI,[],[],,SI-7,mitigates,4 +4699,,T1070,Indicator Removal on Host,[],[],,SI-7,mitigates,4 +4700,,T1070.003,Clear Command History,[],[],,SI-7,mitigates,4 +4701,,T1098.001,Additional Cloud Credentials,[],[],,SI-7,mitigates,4 +4702,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-7,mitigates,4 +4703,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-7,mitigates,4 +4704,,T1129,Shared Modules,[],[],,SI-7,mitigates,4 +4705,,T1176,Browser Extensions,[],[],,SI-7,mitigates,4 +4706,,T1189,Drive-by Compromise,[],[],,SI-7,mitigates,4 +4707,,T1190,Exploit Public-Facing 
Application,[],[],,SI-7,mitigates,4 +4708,,T1204,User Execution,[],[],,SI-7,mitigates,4 +4709,,T1204.002,Malicious File,[],[],,SI-7,mitigates,4 +4710,,T1210,Exploitation of Remote Services,[],[],,SI-7,mitigates,4 +4711,,T1216,Signed Script Proxy Execution,[],[],,SI-7,mitigates,4 +4712,,T1216.001,PubPrn,[],[],,SI-7,mitigates,4 +4713,,T1218.003,CMSTP,[],[],,SI-7,mitigates,4 +4714,,T1218.004,InstallUtil,[],[],,SI-7,mitigates,4 +4715,,T1218.008,Odbcconf,[],[],,SI-7,mitigates,4 +4716,,T1218.009,Regsvcs/Regasm,[],[],,SI-7,mitigates,4 +4717,,T1218.010,Regsvr32,[],[],,SI-7,mitigates,4 +4718,,T1218.012,Verclsid,[],[],,SI-7,mitigates,4 +4719,,T1218.013,Mavinject,[],[],,SI-7,mitigates,4 +4720,,T1218.014,MMC,[],[],,SI-7,mitigates,4 +4721,,T1219,Remote Access Software,[],[],,SI-7,mitigates,4 +4722,,T1221,Template Injection,[],[],,SI-7,mitigates,4 +4723,,T1222,File and Directory Permissions Modification,[],[],,SI-7,mitigates,4 +4724,,T1486,Data Encrypted for Impact,[],[],,SI-7,mitigates,4 +4725,,T1490,Inhibit System Recovery,[],[],,SI-7,mitigates,4 +4726,,T1491,Defacement,[],[],,SI-7,mitigates,4 +4727,,T1491.001,Internal Defacement,[],[],,SI-7,mitigates,4 +4728,,T1491.002,External Defacement,[],[],,SI-7,mitigates,4 +4729,,T1495,Firmware Corruption,[],[],,SI-7,mitigates,4 +4730,,T1505,Server Software Component,[],[],,SI-7,mitigates,4 +4731,,T1525,Implant Internal Image,[],[],,SI-7,mitigates,4 +4732,,T1543,Create or Modify System Process,[],[],,SI-7,mitigates,4 +4733,,T1546,Event Triggered Execution,[],[],,SI-7,mitigates,4 +4734,,T1546.002,Screensaver,[],[],,SI-7,mitigates,4 +4735,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-7,mitigates,4 +4736,,T1547.002,Authentication Package,[],[],,SI-7,mitigates,4 +4737,,T1547.003,Time Providers,[],[],,SI-7,mitigates,4 +4738,,T1547.004,Winlogon Helper DLL,[],[],,SI-7,mitigates,4 +4739,,T1547.006,Kernel Modules and Extensions,[],[],,SI-7,mitigates,4 +4740,,T1547.008,LSASS Driver,[],[],,SI-7,mitigates,4 +4741,,T1550.001,Application Access 
Token,[],[],,SI-7,mitigates,4 +4742,,T1553.001,Gatekeeper Bypass,[],[],,SI-7,mitigates,4 +4743,,T1556.004,Network Device Authentication,[],[],,SI-7,mitigates,4 +4744,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-7,mitigates,4 +4745,,T1558.003,Kerberoasting,[],[],,SI-7,mitigates,4 +4746,,T1559,Inter-Process Communication,[],[],,SI-7,mitigates,4 +4747,,T1562.001,Disable or Modify Tools,[],[],,SI-7,mitigates,4 +4748,,T1562.006,Indicator Blocking,[],[],,SI-7,mitigates,4 +4749,,T1565,Data Manipulation,[],[],,SI-7,mitigates,4 +4750,,T1565.001,Stored Data Manipulation,[],[],,SI-7,mitigates,4 +4751,,T1565.002,Transmitted Data Manipulation,[],[],,SI-7,mitigates,4 +4752,,T1602.002,Network Device Configuration Dump,[],[],,SI-7,mitigates,4 +4753,,T1003,OS Credential Dumping,[],[],,SI-7,mitigates,4 +4754,,T1036,Masquerading,[],[],,SI-7,mitigates,4 +4755,,T1036.001,Invalid Code Signature,[],[],,SI-7,mitigates,4 +4756,,T1036.005,Match Legitimate Name or Location,[],[],,SI-7,mitigates,4 +4757,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-7,mitigates,4 +4758,,T1037.003,Network Logon Script,[],[],,SI-7,mitigates,4 +4759,,T1037.004,RC Scripts,[],[],,SI-7,mitigates,4 +4760,,T1053.006,Systemd Timers,[],[],,SI-7,mitigates,4 +4761,,T1059.003,Windows Command Shell,[],[],,SI-7,mitigates,4 +4762,,T1059.004,Unix Shell,[],[],,SI-7,mitigates,4 +4763,,T1059.006,Python,[],[],,SI-7,mitigates,4 +4764,,T1059.007,JavaScript,[],[],,SI-7,mitigates,4 +4765,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-7,mitigates,4 +4766,,T1072,Software Deployment Tools,[],[],,SI-7,mitigates,4 +4767,,T1080,Taint Shared Content,[],[],,SI-7,mitigates,4 +4768,,T1114,Email Collection,[],[],,SI-7,mitigates,4 +4769,,T1114.001,Local Email Collection,[],[],,SI-7,mitigates,4 +4770,,T1114.002,Remote Email Collection,[],[],,SI-7,mitigates,4 +4771,,T1114.003,Email Forwarding Rule,[],[],,SI-7,mitigates,4 +4772,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-7,mitigates,4 +4773,,T1136,Create 
Account,[],[],,SI-7,mitigates,4 +4774,,T1136.001,Local Account,[],[],,SI-7,mitigates,4 +4775,,T1136.002,Domain Account,[],[],,SI-7,mitigates,4 +4776,,T1136.003,Cloud Account,[],[],,SI-7,mitigates,4 +4777,,T1185,Browser Session Hijacking,[],[],,SI-7,mitigates,4 +4778,,T1204.003,Malicious Image,[],[],,SI-7,mitigates,4 +4779,,T1213,Data from Information Repositories,[],[],,SI-7,mitigates,4 +4780,,T1213.001,Confluence,[],[],,SI-7,mitigates,4 +4781,,T1213.002,Sharepoint,[],[],,SI-7,mitigates,4 +4782,,T1218.001,Compiled HTML File,[],[],,SI-7,mitigates,4 +4783,,T1218.002,Control Panel,[],[],,SI-7,mitigates,4 +4784,,T1218.005,Mshta,[],[],,SI-7,mitigates,4 +4785,,T1220,XSL Script Processing,[],[],,SI-7,mitigates,4 +4786,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-7,mitigates,4 +4787,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-7,mitigates,4 +4788,,T1485,Data Destruction,[],[],,SI-7,mitigates,4 +4789,,T1505.001,SQL Stored Procedures,[],[],,SI-7,mitigates,4 +4790,,T1505.002,Transport Agent,[],[],,SI-7,mitigates,4 +4791,,T1505.004,IIS Components,[],[],,SI-7,mitigates,4 +4792,,T1542,Pre-OS Boot,[],[],,SI-7,mitigates,4 +4793,,T1542.001,System Firmware,[],[],,SI-7,mitigates,4 +4794,,T1542.003,Bootkit,[],[],,SI-7,mitigates,4 +4795,,T1542.004,ROMMONkit,[],[],,SI-7,mitigates,4 +4796,,T1542.005,TFTP Boot,[],[],,SI-7,mitigates,4 +4797,,T1543.002,Systemd Service,[],[],,SI-7,mitigates,4 +4798,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-7,mitigates,4 +4799,,T1546.008,Accessibility Features,[],[],,SI-7,mitigates,4 +4800,,T1546.009,AppCert DLLs,[],[],,SI-7,mitigates,4 +4801,,T1546.010,AppInit DLLs,[],[],,SI-7,mitigates,4 +4802,,T1546.013,PowerShell Profile,[],[],,SI-7,mitigates,4 +4803,,T1547.005,Security Support Provider,[],[],,SI-7,mitigates,4 +4804,,T1547.013,XDG Autostart Entries,[],[],,SI-7,mitigates,4 +4805,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-7,mitigates,4 +4806,,T1548.004,Elevated Execution 
with Prompt,[],[],,SI-7,mitigates,4 +4807,,T1550.004,Web Session Cookie,[],[],,SI-7,mitigates,4 +4808,,T1552,Unsecured Credentials,[],[],,SI-7,mitigates,4 +4809,,T1552.004,Private Keys,[],[],,SI-7,mitigates,4 +4810,,T1553,Subvert Trust Controls,[],[],,SI-7,mitigates,4 +4811,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-7,mitigates,4 +4812,,T1553.006,Code Signing Policy Modification,[],[],,SI-7,mitigates,4 +4813,,T1554,Compromise Client Software Binary,[],[],,SI-7,mitigates,4 +4814,,T1556.001,Domain Controller Authentication,[],[],,SI-7,mitigates,4 +4815,,T1556.003,Pluggable Authentication Modules,[],[],,SI-7,mitigates,4 +4816,,T1557.002,ARP Cache Poisoning,[],[],,SI-7,mitigates,4 +4817,,T1558.002,Silver Ticket,[],[],,SI-7,mitigates,4 +4818,,T1558.004,AS-REP Roasting,[],[],,SI-7,mitigates,4 +4819,,T1559.001,Component Object Model,[],[],,SI-7,mitigates,4 +4820,,T1561,Disk Wipe,[],[],,SI-7,mitigates,4 +4821,,T1561.001,Disk Content Wipe,[],[],,SI-7,mitigates,4 +4822,,T1561.002,Disk Structure Wipe,[],[],,SI-7,mitigates,4 +4823,,T1562.002,Disable Windows Event Logging,[],[],,SI-7,mitigates,4 +4824,,T1562.004,Disable or Modify System Firewall,[],[],,SI-7,mitigates,4 +4825,,T1562.009,Safe Mode Boot,[],[],,SI-7,mitigates,4 +4826,,T1564.003,Hidden Window,[],[],,SI-7,mitigates,4 +4827,,T1564.004,NTFS File Attributes,[],[],,SI-7,mitigates,4 +4828,,T1564.006,Run Virtual Instance,[],[],,SI-7,mitigates,4 +4829,,T1564.008,Email Hiding Rules,[],[],,SI-7,mitigates,4 +4830,,T1564.009,Resource Forking,[],[],,SI-7,mitigates,4 +4831,,T1569,System Services,[],[],,SI-7,mitigates,4 +4832,,T1569.002,Service Execution,[],[],,SI-7,mitigates,4 +4833,,T1574.001,DLL Search Order Hijacking,[],[],,SI-7,mitigates,4 +4834,,T1574.004,Dylib Hijacking,[],[],,SI-7,mitigates,4 +4835,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-7,mitigates,4 +4836,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-7,mitigates,4 +4837,,T1574.009,Path Interception by Unquoted 
Path,[],[],,SI-7,mitigates,4 +4838,,T1574.012,COR_PROFILER,[],[],,SI-7,mitigates,4 +4839,,T1599.001,Network Address Translation Traversal,[],[],,SI-7,mitigates,4 +4840,,T1601,Modify System Image,[],[],,SI-7,mitigates,4 +4841,,T1601.001,Patch System Image,[],[],,SI-7,mitigates,4 +4842,,T1601.002,Downgrade System Image,[],[],,SI-7,mitigates,4 +4843,,T1602,Data from Configuration Repository,[],[],,SI-7,mitigates,4 +4844,,T1602.001,SNMP (MIB Dump),[],[],,SI-7,mitigates,4 +4845,,T1566.002,Spearphishing Link,[],[],,SI-8,mitigates,4 +4846,,T1598.003,Spearphishing Link,[],[],,SI-8,mitigates,4 +4847,,T1204,User Execution,[],[],,SI-8,mitigates,4 +4848,,T1204.002,Malicious File,[],[],,SI-8,mitigates,4 +4849,,T1221,Template Injection,[],[],,SI-8,mitigates,4 +4850,,T1137,Office Application Startup,[],[],,SI-8,mitigates,4 +4851,,T1137.001,Office Template Macros,[],[],,SI-8,mitigates,4 +4852,,T1137.002,Office Test,[],[],,SI-8,mitigates,4 +4853,,T1137.003,Outlook Forms,[],[],,SI-8,mitigates,4 +4854,,T1137.004,Outlook Home Page,[],[],,SI-8,mitigates,4 +4855,,T1137.005,Outlook Rules,[],[],,SI-8,mitigates,4 +4856,,T1137.006,Add-ins,[],[],,SI-8,mitigates,4 +4857,,T1204.001,Malicious Link,[],[],,SI-8,mitigates,4 +4858,,T1204.003,Malicious Image,[],[],,SI-8,mitigates,4 +4859,,T1566,Phishing,[],[],,SI-8,mitigates,4 +4860,,T1566.001,Spearphishing Attachment,[],[],,SI-8,mitigates,4 +4861,,T1566.003,Spearphishing via Service,[],[],,SI-8,mitigates,4 +4862,,T1598,Phishing for Information,[],[],,SI-8,mitigates,4 +4863,,T1598.001,Spearphishing Service,[],[],,SI-8,mitigates,4 +4864,,T1598.002,Spearphishing Attachment,[],[],,SI-8,mitigates,4 diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_metadata.csv new file mode 100644 index 00000000..720087c1 --- /dev/null 
+++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_metadata.csv
@@ -0,0 +1,2 @@
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,r4,12.1,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,4
diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_metadata_object.csv b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_metadata_object.csv
new file mode 100644
index 00000000..720087c1
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_metadata_object.csv
@@ -0,0 +1,2 @@
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,r4,12.1,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,4
diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_navigator_layer.json
index 84c89629..c80e8e94 100644
--- a/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_navigator_layer.json
+++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r4/parsed_nist800-53-r4-12.1_mappings_navigator_layer.json
@@ -1 +1 @@ -{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "12.1"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1556.006", "score": 8, "comment": "Related to Policy and Procedures, Account Management, Access Enforcement, Least Privilege, Policy and Procedures, Event Logging, Re-authentication, Identification and Authentication (Organizational Users)"}, {"techniqueID": "T1556.007", "score": 8, "comment": "Related to Policy and Procedures, Account Management, Access Enforcement, Least Privilege, Policy and Procedures, Event Logging, Re-authentication, Identification and Authentication (Organizational Users)"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to Concurrent Session Control, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information System Monitoring"}, {"techniqueID": "T1137", "score": 12, "comment": "Related to Concurrent Session Control, Remote Access, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1137.002", "score": 9, "comment": "Related to Concurrent Session Control, Permitted Actions Without Identification Or Authentication, Remote Access, Least Privilege, Baseline Configuration, Access Restrictions For 
Change, Configuration Settings, Mobile Code, Spam Protection"}, {"techniqueID": "T1185", "score": 14, "comment": "Related to Concurrent Session Control, Session Termination, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Identification And Authentication (Organizational Users), Session Authenticity, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1021.001", "score": 23, "comment": "Related to Session Lock, Session Termination, Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1563.002", "score": 17, "comment": "Related to Session Lock, Session Termination, Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1505.005", "score": 11, "comment": "Related to Session Termination, Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Vulnerability Scanning, Information System Monitoring"}, 
{"techniqueID": "T1072", "score": 22, "comment": "Related to Session Termination, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Key Establishment And Management, Public Key Infrastructure Certificates, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.008", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1647", "score": 15, "comment": "Related to Security Attributes, Remote Access, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Developer Configuration Management, Developer Security Testing And Evaluation, Security Engineering Principles, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.001", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, 
Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to Security Attributes, Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Identification And Authentication (Non-Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1567", "score": 16, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Security Engineering Principles, External Information System Services, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Backup, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Information Handling And Retention, Malicious Code 
Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1005", "score": 12, "comment": "Related to Security Attributes, Account Management, Data Mining Protection, Access Enforcement, Least Privilege, Information System Backup, Security Engineering Principles, Cryptographic Protection, Protection Of Information At Rest, Operations Security, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1119", "score": 16, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Device 
Identification And Authentication, Identifier Management, Authenticator Management, Authenticator Feedback, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Input Validation, Information Handling And Retention, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1557", "score": 23, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1020.001", "score": 16, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, System Interconnections, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, 
Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505", "score": 22, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Transmission Of Security Attributes, Non-Persistence, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to Security Attributes, Access Enforcement, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access 
Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Penetration Testing, Software Usage Restrictions, User-Installed Software, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Protection Of Information At Rest, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to Security Attributes, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Device Identification And Authentication, Identifier Management, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, 
Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565", "score": 24, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Information System Recovery And Reconstitution, Alternate Storage Site, Alternate Processing Site, Information System Backup, Protection Of Information At Rest, Distributed Processing And Storage, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Memory Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.001", "score": 22, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information System Recovery And Reconstitution, Alternate Storage Site, Alternate Processing Site, Information System Backup, Protection Of Information At Rest, Distributed Processing And Storage, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Memory Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External 
Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1003", "score": 23, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Backup, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Security Function Isolation, Process Isolation, Information Handling And Retention, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1025", "score": 14, "comment": "Related to Security Attributes, Account Management, Data Mining Protection, Access Enforcement, Least Privilege, Information System Backup, Media Use, Security Engineering Principles, 
Cryptographic Protection, Protection Of Information At Rest, Operations Security, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1041", "score": 17, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Security Engineering Principles, External Information System Services, Cryptographic Protection, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048", "score": 21, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security Engineering Principles, External Information System Services, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.002", "score": 21, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security Engineering Principles, External Information System Services, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.003", "score": 22, "comment": "Related to 
Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, System Interconnections, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security Engineering Principles, External Information System Services, Cryptographic Protection, Protection Of Information At Rest, Covert Channel Analysis, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1052", "score": 18, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Media Use, Vulnerability Scanning, Security Engineering Principles, Protection Of Information At Rest, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1052.001", "score": 18, "comment": "Related to Security Attributes, Account Management, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Media Use, Vulnerability Scanning, Security Engineering Principles, Protection Of Information At Rest, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1070.002", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information 
System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.003", "score": 10, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, Configuration Settings, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information 
Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability 
Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.002", "score": 22, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Transmission Of Security Attributes, Non-Persistence, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548", "score": 20, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication 
(Organizational Users), Vulnerability Scanning, Mobile Code, Non-Modifiable Executable Programs, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Input Validation, Information Handling And Retention, Information Output Filtering, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And 
Information Integrity"}, {"techniqueID": "T1557.002", "score": 23, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, 
{"techniqueID": "T1564.004", "score": 6, "comment": "Related to Security Attributes, Access Enforcement, Continuous Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.007", "score": 13, "comment": "Related to Remote Access, Account Management, Data Mining Protection, Access Enforcement, Information Flow 
Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Transmission Confidentiality And Integrity"}, {"techniqueID": "T1609", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1133", "score": 17, "comment": "Related to Remote Access, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Mobile Code, 
Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1047", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Security Function Isolation, Non-Modifiable Executable Programs, Memory Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.001", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.002", "score": 12, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Supply Chain Protection, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.005", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, 
Vulnerability Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.008", "score": 14, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Unsupported System Components, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least 
Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.004", "score": 12, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Non-Persistence, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users), Information System Monitoring"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information Input Validation, Information Output 
Filtering, Information System Monitoring"}, {"techniqueID": "T1021.003", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1021.006", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, 
Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to Remote Access, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to Remote Access, Least Functionality"}, {"techniqueID": "T1059.003", "score": 10, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.004", "score": 10, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.006", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.007", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile 
Code, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.004", "score": 21, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Boundary Protection, Non-Persistence, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.004", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users), Information System Monitoring"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, 
And Information Integrity"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Information System Monitoring"}, {"techniqueID": "T1563", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Cryptographic Key Establishment And Management, Session Authenticity, Information System Monitoring"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Scanning, Developer Security Testing And Evaluation, Boundary Protection, Information 
System Monitoring"}, {"techniqueID": "T1613", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1619", "score": 7, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to Wireless Access, Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to Wireless Access, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1556.005", "score": 4, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Authenticator Management"}, {"techniqueID": "T1585.003", "score": 2, "comment": "Related to Account Management, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1586.003", "score": 2, "comment": "Related to Account Management, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1621", "score": 6, "comment": "Related to Account Management, Least Privilege, Access Restriction for Change, Identification and Authentication (Organizational Users) , Device Identification and Authentication , Authenticator Management"}, {"techniqueID": "T1070.007", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information 
Integrity"}, {"techniqueID": "T1070.009", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1098.005", "score": 7, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings"}, {"techniqueID": "T1648", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, System Monitoring"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Process Isolation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.001", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability 
Scanning, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1068", "score": 24, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1212", "score": 23, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, 
Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1003.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Security Function Isolation, Process Isolation, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1078", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least 
Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1218", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, 
{"techniqueID": "T1580", "score": 5, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1611", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Application Partitioning, Security Function Isolation, Non-Modifiable Executable Programs, Process Isolation, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1053", "score": 21, "comment": "Related to Account Management, Use Of External Information Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Information System 
Monitoring"}, {"techniqueID": "T1053.002", "score": 20, "comment": "Related to Account Management, Use Of External Information Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.005", "score": 20, "comment": "Related to Account Management, Use Of External Information Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1078.002", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation 
Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1078.004", "score": 21, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1098", "score": 11, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1098.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, 
Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1190", "score": 27, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Security Assessments, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Security Engineering Principles, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1210", "score": 30, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of 
Duties, Least Privilege, Security Assessments, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.003", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, System Development Life Cycle, Security Engineering Principles, Flaw Remediation"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality 
Analysis, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.003", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Non-Persistence, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1547.006", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Information Input Validation, Non-Persistence, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, 
Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1559", "score": 21, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Software Usage Restrictions, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.006", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And 
Authentication (Organizational Users), Service Identification And Authentication, Session Authenticity, Transmission Confidentiality And Integrity, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.007", "score": 14, 
"comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation 
Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1053.007", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to Account Management, Separation Of Duties, Least Privilege, Continuous Monitoring, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Developer Configuration 
Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to Account Management, Access 
Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1136", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.002", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation 
Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.003", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1489", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change 
Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline 
Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Unsupported System Components, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Flaw Remediation"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System 
Monitoring"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to Account Management, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to Account Management, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1553", "score": 23, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Software Usage Restrictions, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Service Identification And Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Information Input Validation, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.006", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, 
Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Process Isolation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management"}, {"techniqueID": "T1559.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, 
Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1562.009", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Software Usage Restrictions, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Service Identification And Authentication, Session Authenticity, Transmission Confidentiality And Integrity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration 
Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information 
System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication 
(Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain 
Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601.001", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601.002", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1606", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Public Key Infrastructure Certificates, Flaw Remediation"}, {"techniqueID": "T1606.001", "score": 4, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Flaw 
Remediation"}, {"techniqueID": "T1606.002", "score": 3, "comment": "Related to Account Management, Access Enforcement, Least Privilege"}, {"techniqueID": "T1583.007", "score": 2, "comment": "Related to Use of External Information Systems, Boundary Protection"}, {"techniqueID": "T1584.007", "score": 2, "comment": "Related to Use of External Information Systems, Boundary Protection "}, {"techniqueID": "T1098.004", "score": 15, "comment": "Related to Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Cryptographic Key Establishment And Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to Use Of External Information Systems, Access Enforcement, Least Privilege, Media Use, Port And I/O Device Access"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Developer Security Testing And Evaluation, Developer Security Architecture And Design, Acquisition Process, Security Engineering Principles, Security Function Isolation"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to Use Of External Information Systems, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Malicious Code Protection, Information System Monitoring"}, 
{"techniqueID": "T1567.001", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1557.003", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1622", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Media Use, Vulnerability Scanning, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1199", "score": 7, "comment": "Related to Access Enforcement, Information Flow Enforcement, Least Privilege, System Use Notification, Configuration Settings, Least Functionality, Boundary Protection"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, 
Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1218.012", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, 
{"techniqueID": "T1486", "score": 11, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Storage Site, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least 
Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1565.003", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration 
Settings, Least Functionality, Information System Backup, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Memory Protection, Information System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1048.001", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Mobile Code, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative 
Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Least Functionality, Information In Shared Resources, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1218.002", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information 
Integrity"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Cryptographic Module Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, 
Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1205.002", "score": 2, "comment": "Related to Information Flow Enforncement, Information System Monitoring"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to Information Flow Enforcement, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Scanning, Trustworthiness, Developer Security Architecture And Design, 
Security Engineering Principles, Boundary Protection"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Information System Component Inventory, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1211", "score": 22, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1046", "score": 10, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service 
Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Unsupported System Components, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, 
Information System Component Inventory, Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, 
Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code 
Protection, Information System Monitoring"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.003", "score": 8, "comment": 
"Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1204.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Scanning, Supply Chain Protection, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": 
"T1564.008", "score": 8, "comment": "Related to Information Flow Enforcement, Configuration Change Control, Access Restrictions For Change, Least Functionality, Incident Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System 
Monitoring"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address 
Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1546.016", "score": 7, "comment": "Related to Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to Least Privilege, Access Restrictions For Change"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1106", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Vulnerability Scanning, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.004", 
"score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Least Privilege, Least Functionality"}, {"techniqueID": "T1137.001", "score": 9, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1137.003", "score": 6, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.004", "score": 6, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.005", "score": 6, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.006", "score": 5, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, 
Spam Protection"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to Least Privilege, Flaw Remediation"}, {"techniqueID": "T1593.003", "score": 3, "comment": "Related to Response to Audit Processing Failure, Audit Review, Analysis, & Reporting, Information System Component Inventory"}, {"techniqueID": "T1649", "score": 3, "comment": "Related to Audit Review, Analysis, and Reporting , Identification and Authentication (Organizational Users) , Authenticator Management"}, {"techniqueID": "T1195", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.001", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.002", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1564.010", "score": 3, "comment": "Related to Continuous Monitoring, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.013", "score": 6, "comment": "Related to Continuous Monitoring, Penetration Testing, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to Continuous Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Malicious Code 
Protection, Information System Monitoring"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1036.007", "score": 6, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Information System Monitoring"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to Penetration Testing, Configuration Change Control, Access Restrictions For Change, Information System Component Inventory, Cryptographic Module Authentication, Developer Configuration 
Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1505.001", "score": 15, "comment": "Related to Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Non-Persistence, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1554", "score": 7, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Supply Chain Protection, Component Authenticity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.004", "score": 6, "comment": 
"Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Information System Monitoring"}, {"techniqueID": "T1218.003", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.004", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.008", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.009", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.013", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, 
And Information Integrity"}, {"techniqueID": "T1218.014", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.001", "score": 9, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Mobile Code, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.005", "score": 10, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.009", "score": 13, "comment": "Related to User-Installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Developer Configuration Management, Information In Shared Resources, Detonation Chambers, Resource Availability, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to Baseline 
Configuration, Configuration Settings, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification And Authentication, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.006", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Service Identification And Authentication, Supply Chain Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Scanning, Process Isolation, Malicious Code Protection, Information System 
Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1562.010", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification And Authentication, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Media Use, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.010", "score": 3, "comment": "Related to Baseline Configuration, Flaw Remediation, 
Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1548.004", "score": 10, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Mobile Code, Non-Modifiable Executable Programs, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Information System Monitoring"}, {"techniqueID": "T1559.003", "score": 7, "comment": "Related to Access Restrictions for Change, Configuration Settings, Least Functionality, Developer Configuration Management, Developer Security Testing And Evaluation, Security Engineering Principles, Information System Monitoring"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to 
Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security 
Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Flaw Remediation"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to Session Authenticity"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to Session Authenticity, Transmission Confidentiality And Integrity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1595.003", "score": 1, "comment": "Related to Information in Shared Resources"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to Transmission Confidentiality And Integrity"}, {"techniqueID": "T1027.007", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1027.008", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1027.009", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1055.015", "score": 1, "comment": "Related to Malicious Code Protection"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file +{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "12.1"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1556.006", "score": 8, "comment": "Related to AC-1, AC-2, AC-3, AC-6, AU-1, AU-2, IA-11, IA-2"}, {"techniqueID": "T1556.007", "score": 8, "comment": "Related to 
AC-1, AC-2, AC-3, AC-6, AU-1, AU-2, IA-11, IA-2"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to AC-10, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1137", "score": 12, "comment": "Related to AC-10, AC-17, AC-6, CM-2, CM-6, CM-8, RA-5, SC-18, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1137.002", "score": 9, "comment": "Related to AC-10, AC-14, AC-17, AC-6, CM-2, CM-5, CM-6, SC-18, SI-8"}, {"techniqueID": "T1185", "score": 14, "comment": "Related to AC-10, AC-12, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, IA-2, SC-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1021.001", "score": 23, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-5, IA-6, RA-5, SC-7, SI-4"}, {"techniqueID": "T1563.002", "score": 17, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-7, SI-4"}, {"techniqueID": "T1505.005", "score": 11, "comment": "Related to AC-12, AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1072", "score": 22, "comment": "Related to AC-12, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, SC-12, SC-17, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.008", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1647", "score": 15, "comment": "Related to AC-16, AC-17, AC-3, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, SA-10, SA-11, SA-8, SI-4, SI-7"}, {"techniqueID": "T1070.001", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to AC-16, AC-17, AC-2, AC-20, AC-3, 
AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-8, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1567", "score": 16, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, SA-8, SA-9, SC-28, SC-31, SC-7, SI-3, SI-4"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CP-9, IA-2, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1005", "score": 12, "comment": "Related to AC-16, AC-2, AC-23, AC-3, AC-6, CP-9, SA-8, SC-13, SC-28, SC-38, SI-3, SI-4"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to AC-16, AC-17, AC-18, AC-19, IA-2, IA-5, SC-4, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1119", "score": 16, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8, RA-5, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-4, SI-7"}, {"techniqueID": "T1557", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1020.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-4, CA-3, CM-2, CM-6, CM-8, SC-4, SC-7, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1070", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1505", "score": 22, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, 
SA-11, SA-12, SC-16, SI-14, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to AC-16, AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-19, AC-20, CA-8, CM-10, CM-11, CM-2, CM-6, IA-2, IA-4, SC-28, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to AC-16, AC-20, AC-3, AC-4, CA-7, CM-6, CM-7, IA-3, IA-4, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565", "score": 24, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-4, SI-7"}, {"techniqueID": "T1565.001", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, CA-7, CM-2, CM-6, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-4, SI-7"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003", "score": 23, "comment": "Related to AC-16, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CP-9, IA-2, IA-4, IA-5, SC-28, SC-3, SC-39, SI-12, SI-2, 
SI-3, SI-4, SI-7"}, {"techniqueID": "T1025", "score": 14, "comment": "Related to AC-16, AC-2, AC-23, AC-3, AC-6, CP-9, MP-7, SA-8, SC-13, SC-28, SC-38, SC-41, SI-3, SI-4"}, {"techniqueID": "T1041", "score": 17, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, SA-8, SA-9, SC-13, SC-28, SC-31, SC-7, SI-3, SI-4"}, {"techniqueID": "T1048", "score": 21, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-28, SC-31, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.002", "score": 21, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-28, SC-31, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.003", "score": 22, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-13, SC-28, SC-31, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1052", "score": 18, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SA-8, SC-28, SC-41, SI-3, SI-4"}, {"techniqueID": "T1052.001", "score": 18, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SA-8, SC-28, SC-41, SI-3, SI-4"}, {"techniqueID": "T1070.002", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.003", "score": 10, "comment": "Related to AC-16, AC-17, 
AC-19, AC-20, AC-4, CM-6, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1505.002", "score": 22, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SC-16, SI-14, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548", "score": 20, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-34, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-2, SI-4, SI-7"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1557.002", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, 
SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to AC-16, AC-3, CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.007", "score": 13, "comment": "Related to AC-17, AC-2, AC-23, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-7, SC-8"}, {"techniqueID": "T1609", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-6, CM-7, SC-7, SI-10, SI-7"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1133", "score": 17, "comment": "Related to AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1059", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1047", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SC-3, SC-34, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.001", "score": 19, "comment": "Related to 
AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.002", "score": 12, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, CM-7, IA-9, SA-12, SI-10, SI-4, SI-7"}, {"techniqueID": "T1059.005", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.008", "score": 14, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2, IA-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to AC-17, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-7, CM-2, CM-5, CM-6, SI-4, SI-7"}, {"techniqueID": "T1547.004", "score": 12, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-14, SI-4, SI-7"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1021.003", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-7, SI-3, SI-4"}, {"techniqueID": "T1021.004", "score": 15, "comment": 
"Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, CM-8, IA-2, IA-5, RA-5, SI-4"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1021.006", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-7, SI-4"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to AC-17, AC-3, CA-7, CM-2, CM-6, CM-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to AC-17, CM-7"}, {"techniqueID": "T1059.003", "score": 10, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1059.004", "score": 10, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1059.006", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.007", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1505.004", "score": 21, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-8, CM-11, CM-2, CM-6, CM-7, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SC-7, SI-14, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, 
IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SI-4"}, {"techniqueID": "T1563", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-4"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SC-23, SI-4"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-8, CM-6, CM-7, RA-5, SA-11, SC-7, SI-4"}, {"techniqueID": "T1613", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1619", "score": 7, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to AC-18, CM-6, CM-7, SI-4"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to AC-18, CM-2, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1556.005", "score": 4, "comment": "Related to AC-2, AC-5, AC-6, IA-5"}, {"techniqueID": "T1585.003", "score": 2, "comment": "Related to AC-2, IA-2"}, {"techniqueID": "T1586.003", "score": 2, "comment": "Related to AC-2, IA-2"}, {"techniqueID": "T1621", "score": 6, "comment": "Related to AC-2, AC-6, CM-5, IA-2, IA-3, IA-5"}, {"techniqueID": "T1070.007", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.009", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1098.005", "score": 7, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6"}, {"techniqueID": "T1648", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1543.001", "score": 8, "comment": "Related 
to AC-2, AC-3, AC-5, AC-6, CM-11, CM-2, CM-5, IA-2"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1068", "score": 24, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1212", "score": 23, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-3, SC-39, SI-2, SI-3, SI-4"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1078", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, IA-5, RA-5, SA-10, SA-11, SA-12, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1218", "score": 17, "comment": 
"Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1611", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-2, SC-3, SC-34, SC-39, SC-7, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1053", "score": 21, "comment": "Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1053.002", "score": 20, "comment": "Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.005", "score": 20, "comment": "Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1078.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1078.004", "score": 21, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1098", "score": 11, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1098.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, 
SI-7"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1190", "score": 27, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-5, SA-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1210", "score": 30, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1213.003", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, IA-2, IA-9, RA-5, SA-10, SA-11, SA-15, SA-3, SA-8, SI-2"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, SA-10, SA-11, SA-14, SI-2, SI-7"}, {"techniqueID": "T1505.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.003", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, SI-14, SI-3, SI-4"}, {"techniqueID": "T1547.006", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-4, IA-8, RA-5, SI-10, SI-14, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to AC-2, 
AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-2, SI-4"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1559", "score": 21, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-10, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.006", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-10, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, SC-23, SC-8, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, 
SI-7"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1053.007", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-8"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to AC-2, AC-5, AC-6, CA-7, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1136", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.001", 
"score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1136.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1489", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-7"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-8, RA-5, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SI-2"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to AC-2, AC-3, 
AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to AC-2, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-4"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to AC-2, AC-5, AC-6, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SI-2, SI-4"}, {"techniqueID": "T1553", "score": 23, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-10, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-9, SA-10, SA-11, SA-14, SC-34, SI-10, SI-2, SI-4, SI-7"}, {"techniqueID": "T1553.006", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5"}, {"techniqueID": "T1559.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5, SC-18, SC-3, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.009", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-10, CM-5, CM-6, CM-7, IA-2, IA-9, SC-23, SC-8, SI-7"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, 
CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-6, CM-8, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1601", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, 
IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1601.001", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1601.002", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1606", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, SC-17, SI-2"}, {"techniqueID": "T1606.001", "score": 4, "comment": "Related to AC-2, AC-3, AC-6, SI-2"}, {"techniqueID": "T1606.002", "score": 3, "comment": "Related to AC-2, AC-3, AC-6"}, {"techniqueID": "T1583.007", "score": 2, "comment": "Related to AC-20, SC-7"}, {"techniqueID": "T1584.007", "score": 2, "comment": "Related to AC-20, SC-7"}, {"techniqueID": "T1098.004", "score": 15, "comment": "Related to AC-20, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SI-3, SI-4"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to AC-20, AC-3, AC-6, MP-7, SC-41"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to AC-20, AC-3, AC-4, AC-5, AC-6, CM-2, CM-6, SA-11, SA-17, SA-4, SA-8, SC-3"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to AC-20, AC-3, AC-6, CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1557.003", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-46, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1622", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-46, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to AC-3, 
AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1199", "score": 7, "comment": "Related to AC-3, AC-4, AC-6, AC-8, CM-6, CM-7, SC-7"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1218.012", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-6, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-7, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to 
AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1565.003", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, CP-9, SC-28, SC-4, SC-7, SI-16, SI-4, SI-7"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1048.001", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to AC-3, AC-6, CA-7, SC-18, SC-7, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to AC-3, CA-7, CM-2, CM-7, SC-4, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": 
"T1218.002", "score": 10, "comment": "Related to AC-3, CA-7, CM-11, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to AC-3, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, RA-5, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-10, CM-2, CM-6, IA-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1205.002", "score": 2, "comment": "Related to AC-4, SI-4"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to AC-4, CA-8, CM-6, CM-7, RA-5, SA-13, SA-17, SA-8, SC-7"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to AC-4, AC-6, CA-7, CM-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1211", "score": 22, "comment": "Related to AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1046", 
"score": 10, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to AC-4, AC-6, CA-7, CM-2, CM-6, CM-8, SA-22, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to AC-4, AC-6, CM-10, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071", "score": 15, 
"comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1204.003", "score": 15, "comment": "Related to AC-4, CA-7, CA-8, CM-2, CM-6, CM-7, RA-5, SA-12, SC-44, SC-7, SI-2, SI-3, 
SI-4, SI-7, SI-8"}, {"techniqueID": "T1564.008", "score": 8, "comment": "Related to AC-4, CM-3, CM-5, CM-7, IR-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1546.016", "score": 7, "comment": "Related to AC-6, CA-7, CM-5, CM-6, SI-2, SI-3, SI-4"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to AC-6, CM-5"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1106", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, CM-7, 
SI-2, SI-3, SI-4"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, RA-5, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to AC-6, CM-7"}, {"techniqueID": "T1137.001", "score": 9, "comment": "Related to AC-6, CM-2, CM-6, CM-8, RA-5, SC-18, SI-3, SI-4, SI-8"}, {"techniqueID": "T1137.003", "score": 6, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SI-2, SI-8"}, {"techniqueID": "T1137.004", "score": 6, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SI-2, SI-8"}, {"techniqueID": "T1137.005", "score": 6, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SI-2, SI-8"}, {"techniqueID": "T1137.006", "score": 5, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SI-8"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to AC-6, SI-2"}, {"techniqueID": "T1593.003", "score": 3, "comment": "Related to AU-5, AU-6, CM-8"}, {"techniqueID": "T1649", "score": 3, "comment": "Related to AU-5, IA-2, IA-5"}, {"techniqueID": "T1195", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.001", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.002", "score": 7, 
"comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1564.010", "score": 3, "comment": "Related to CA-7, SI-4, SI-7"}, {"techniqueID": "T1574.013", "score": 6, "comment": "Related to CA-7, CA-8, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1036.007", "score": 6, "comment": "Related to CA-7, CM-2, CM-6, CM-7, IA-2, SI-4"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to CA-8, CM-3, CM-5, CM-8, IA-7, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1505.001", "score": 15, "comment": "Related to CA-8, CM-11, CM-2, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SI-14, SI-3, SI-4, SI-7"}, {"techniqueID": "T1554", "score": 7, "comment": "Related to CA-8, CM-2, CM-6, IA-9, SA-12, SA-19, SI-7"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, CM-7, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to 
CM-10, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, IA-9, SC-20, SI-4"}, {"techniqueID": "T1218.003", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.004", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.008", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.009", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.013", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.014", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.001", "score": 9, "comment": "Related to CM-11, CM-2, CM-6, CM-7, SC-18, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.005", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.009", "score": 13, "comment": "Related to CM-11, CM-2, CM-6, CM-7, SA-10, SC-4, SC-44, SC-6, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to CM-2, CM-6, CM-7, IA-5, SI-4"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to CM-2, CM-6, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, 
{"techniqueID": "T1546.002", "score": 9, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.006", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, IA-9, SA-12, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to CM-2, CM-6, RA-5, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to CM-2, CM-6, CM-7, SI-4"}, {"techniqueID": "T1562.010", "score": 4, "comment": "Related to CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to CM-2, CM-6, IA-9, SI-4, SI-7"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SI-3, SI-4"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-4"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546.010", "score": 3, "comment": "Related to CM-2, SI-2, SI-7"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1548.004", "score": 10, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SC-18, SC-34, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to CM-2, CM-6, IA-2, IA-5, SI-2, SI-4"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to CM-2, CM-6, CM-8, SI-4"}, {"techniqueID": "T1559.003", "score": 7, "comment": "Related to CM-5, CM-6, CM-7, SA-10, SA-11, SA-8, SI-4"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.002", 
"score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to CM-6, CM-7, SC-28, SI-4"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to CM-6, CM-7, SI-10, SI-7"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SI-2"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to SC-23"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to SC-23, SC-8, SI-7"}, {"techniqueID": "T1595.003", "score": 1, "comment": "Related to SC-4"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to SC-8"}, {"techniqueID": "T1027.007", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.008", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.009", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1055.015", "score": 1, "comment": "Related to SI-3"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file 
diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings.yaml b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings.yaml index a2d0fcb6..7dc58747 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings.yaml @@ -1,7 +1,7 @@ attack-objects: - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Policy and Procedures + capability-id: AC-1 comments: '' mapping-description: '' mapping-type: mitigates @@ -9,7 +9,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Policy and Procedures + capability-id: AC-1 comments: '' mapping-description: '' mapping-type: mitigates @@ -17,7 +17,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25,7 +25,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -33,7 +33,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -41,7 +41,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -49,7 +49,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Device Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -57,7 +57,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Device Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -65,7 +65,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -73,7 +73,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -81,7 +81,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -89,7 +89,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -97,7 +97,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -105,7 +105,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Permitted Actions Without Identification or Authentication + capability-id: AC-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -113,7 +113,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -121,7 +121,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -129,7 +129,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -137,7 +137,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -145,7 +145,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -153,7 +153,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -161,7 +161,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -169,7 +169,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -177,7 +177,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -185,7 +185,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -193,7 +193,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -201,7 +201,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -209,7 +209,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -217,7 +217,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -225,7 +225,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -233,7 +233,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -241,7 +241,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -249,7 +249,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -257,7 +257,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -265,7 +265,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -273,7 +273,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -281,7 +281,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -289,7 +289,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -297,7 +297,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -305,7 +305,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -313,7 +313,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -321,7 +321,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -329,7 +329,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -337,7 +337,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -345,7 +345,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -353,7 +353,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -361,7 +361,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -369,7 +369,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -377,7 +377,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -385,7 +385,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -393,7 +393,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -401,7 +401,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -409,7 +409,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -417,7 +417,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -425,7 +425,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -433,7 +433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -441,7 +441,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -449,7 +449,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -457,7 +457,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -465,7 +465,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -473,7 +473,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -481,7 +481,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -489,7 +489,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -497,7 +497,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -505,7 +505,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -513,7 +513,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -521,7 +521,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -529,7 +529,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -537,7 +537,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -545,7 +545,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -553,7 +553,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -561,7 +561,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -569,7 +569,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -577,7 +577,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -585,7 +585,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -593,7 +593,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -601,7 +601,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -609,7 +609,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -617,7 +617,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -625,7 +625,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -633,7 +633,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -641,7 +641,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -649,7 +649,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -657,7 +657,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -665,7 +665,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -673,7 +673,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -681,7 +681,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -689,7 +689,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -697,7 +697,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -705,7 +705,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -713,7 +713,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -721,7 +721,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -729,7 +729,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -737,7 +737,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -745,7 +745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -753,7 +753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -761,7 +761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -769,7 +769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -777,7 +777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -785,7 +785,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -793,7 +793,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -801,7 +801,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -809,7 +809,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -817,7 +817,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -825,7 +825,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -833,7 +833,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -841,7 +841,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -849,7 +849,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -857,7 +857,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -865,7 +865,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -873,7 +873,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -881,7 +881,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -889,7 +889,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -897,7 +897,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -905,7 +905,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -913,7 +913,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -921,7 +921,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -929,7 +929,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -937,7 +937,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -945,7 +945,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -953,7 +953,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -961,7 +961,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -969,7 +969,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -977,7 +977,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -985,7 +985,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -993,7 +993,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1001,7 +1001,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1009,7 +1009,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1017,7 +1017,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1025,7 +1025,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1033,7 +1033,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1041,7 +1041,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1049,7 +1049,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1057,7 +1057,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1065,7 +1065,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1073,7 +1073,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1081,7 +1081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1089,7 +1089,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1097,7 +1097,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1105,7 +1105,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1113,7 +1113,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -1121,7 +1121,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1129,7 +1129,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1137,7 +1137,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1145,7 +1145,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1153,7 +1153,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1161,7 +1161,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1169,7 +1169,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1177,7 +1177,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1185,7 +1185,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1193,7 +1193,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1201,7 +1201,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1209,7 +1209,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1217,7 +1217,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1225,7 +1225,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1233,7 +1233,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1241,7 +1241,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1249,7 +1249,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1257,7 +1257,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1265,7 +1265,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1273,7 +1273,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1281,7 +1281,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1289,7 +1289,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1297,7 +1297,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1305,7 +1305,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1313,7 +1313,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1321,7 +1321,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1329,7 +1329,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1337,7 +1337,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1345,7 +1345,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1353,7 +1353,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1361,7 +1361,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1369,7 +1369,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1377,7 +1377,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1385,7 +1385,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1393,7 +1393,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1401,7 +1401,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1409,7 +1409,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1417,7 +1417,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1425,7 +1425,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1433,7 +1433,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1441,7 +1441,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1449,7 +1449,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1457,7 +1457,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1465,7 +1465,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1473,7 +1473,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1481,7 +1481,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1489,7 +1489,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1497,7 +1497,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1505,7 +1505,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1513,7 +1513,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1521,7 +1521,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1529,7 +1529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1537,7 +1537,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1545,7 +1545,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1553,7 +1553,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1561,7 +1561,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1569,7 +1569,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1577,7 +1577,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1585,7 +1585,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1593,7 +1593,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1601,7 +1601,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1609,7 +1609,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1617,7 +1617,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1625,7 +1625,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1633,7 +1633,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1641,7 +1641,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1649,7 +1649,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1657,7 +1657,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1665,7 +1665,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1673,7 +1673,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1681,7 +1681,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1689,7 +1689,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1697,7 +1697,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1705,7 +1705,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1713,7 +1713,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1721,7 +1721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1729,7 +1729,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1737,7 +1737,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1745,7 +1745,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1753,7 +1753,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1761,7 +1761,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1769,7 +1769,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1777,7 +1777,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1785,7 +1785,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1793,7 +1793,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1801,7 +1801,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1809,7 +1809,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1817,7 +1817,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1825,7 +1825,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1833,7 +1833,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1841,7 +1841,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1849,7 +1849,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1857,7 +1857,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1865,7 +1865,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1873,7 +1873,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1881,7 +1881,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1889,7 +1889,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1897,7 +1897,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1905,7 +1905,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1913,7 +1913,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1921,7 +1921,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1929,7 +1929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1937,7 +1937,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1945,7 +1945,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1953,7 +1953,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1961,7 +1961,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1969,7 +1969,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1977,7 +1977,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1985,7 +1985,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1993,7 +1993,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2001,7 +2001,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2009,7 +2009,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2017,7 +2017,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2025,7 +2025,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2033,7 +2033,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2041,7 +2041,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2049,7 +2049,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2057,7 +2057,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2065,7 +2065,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2073,7 +2073,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2081,7 +2081,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2089,7 +2089,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2097,7 +2097,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2105,7 +2105,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2113,7 +2113,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2121,7 +2121,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2129,7 +2129,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2137,7 +2137,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2145,7 +2145,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2153,7 +2153,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2161,7 +2161,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2169,7 +2169,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2177,7 +2177,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2185,7 +2185,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2193,7 +2193,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2201,7 +2201,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2209,7 +2209,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2217,7 +2217,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2225,7 +2225,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2233,7 +2233,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2241,7 +2241,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2249,7 +2249,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2257,7 +2257,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2265,7 +2265,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2273,7 +2273,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2281,7 +2281,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2289,7 +2289,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2297,7 +2297,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2305,7 +2305,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2313,7 +2313,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2321,7 +2321,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2329,7 +2329,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2337,7 +2337,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2345,7 +2345,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2353,7 +2353,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2361,7 +2361,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2369,7 +2369,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2377,7 +2377,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2385,7 +2385,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2393,7 +2393,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2401,7 +2401,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2409,7 +2409,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2417,7 +2417,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2425,7 +2425,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2433,7 +2433,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2441,7 +2441,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2449,7 +2449,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2457,7 +2457,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2465,7 +2465,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2473,7 +2473,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2481,7 +2481,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2489,7 +2489,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2497,7 +2497,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2505,7 +2505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2513,7 +2513,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2521,7 +2521,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2529,7 +2529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2537,7 +2537,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2545,7 +2545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2553,7 +2553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2561,7 +2561,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2569,7 +2569,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2577,7 +2577,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2585,7 +2585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2593,7 +2593,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2601,7 +2601,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2609,7 +2609,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2617,7 +2617,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2625,7 +2625,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2633,7 +2633,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2641,7 +2641,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2649,7 +2649,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2657,7 +2657,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2665,7 +2665,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2673,7 +2673,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2681,7 +2681,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2689,7 +2689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2697,7 +2697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2705,7 +2705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2713,7 +2713,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2721,7 +2721,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2729,7 +2729,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2737,7 +2737,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2745,7 +2745,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2753,7 +2753,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2761,7 +2761,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2769,7 +2769,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2777,7 +2777,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2785,7 +2785,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2793,7 +2793,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2801,7 +2801,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2809,7 +2809,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2817,7 +2817,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2825,7 +2825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2833,7 +2833,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2841,7 +2841,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2849,7 +2849,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2857,7 +2857,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2865,7 +2865,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2873,7 +2873,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2881,7 +2881,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2889,7 +2889,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2897,7 +2897,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2905,7 +2905,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2913,7 +2913,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2921,7 +2921,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2929,7 +2929,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2937,7 +2937,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2945,7 +2945,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2953,7 +2953,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2961,7 +2961,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2969,7 +2969,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2977,7 +2977,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2985,7 +2985,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2993,7 +2993,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3001,7 +3001,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3009,7 +3009,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3017,7 +3017,7 @@ attack-objects: tags: [] - attack-object-id: T1556.005 attack-object-name: Reversible Encryption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3025,7 +3025,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3033,7 +3033,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3041,7 +3041,7 @@ attack-objects: tags: [] - attack-object-id: T1585.003 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3049,7 +3049,7 @@ attack-objects: tags: [] - attack-object-id: T1586.003 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3057,7 +3057,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -3065,7 +3065,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3073,7 +3073,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3081,7 +3081,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3089,7 +3089,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3097,7 +3097,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3105,7 +3105,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3113,7 +3113,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3121,7 +3121,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3129,7 +3129,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3137,7 +3137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3145,7 +3145,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3153,7 +3153,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3161,7 +3161,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3169,7 +3169,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3177,7 +3177,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3185,7 +3185,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3193,7 +3193,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3201,7 +3201,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3209,7 +3209,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3217,7 +3217,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3225,7 +3225,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3233,7 +3233,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3241,7 +3241,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3249,7 +3249,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3257,7 +3257,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3265,7 +3265,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3273,7 +3273,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3281,7 +3281,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3289,7 +3289,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3297,7 +3297,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3305,7 +3305,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3313,7 +3313,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3321,7 +3321,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3329,7 +3329,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3337,7 +3337,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3345,7 +3345,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3353,7 +3353,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3361,7 +3361,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3369,7 +3369,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3377,7 +3377,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3385,7 +3385,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3393,7 +3393,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3401,7 +3401,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3409,7 +3409,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3417,7 +3417,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3425,7 +3425,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3433,7 +3433,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3441,7 +3441,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3449,7 +3449,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3457,7 +3457,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3465,7 +3465,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3473,7 +3473,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3481,7 +3481,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3489,7 +3489,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3497,7 +3497,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3505,7 +3505,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3513,7 +3513,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3521,7 +3521,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3529,7 +3529,7 @@ attack-objects: tags: [] - attack-object-id: T1583.007 attack-object-name: Serverless - capability-id: Use of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3537,7 +3537,7 @@ attack-objects: tags: [] - attack-object-id: T1584.007 attack-object-name: Serverless - capability-id: Use of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3545,7 +3545,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3553,7 +3553,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3561,7 +3561,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3569,7 +3569,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3577,7 +3577,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3585,7 +3585,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3593,7 +3593,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3601,7 +3601,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3609,7 +3609,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3617,7 +3617,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3625,7 +3625,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3633,7 +3633,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3641,7 +3641,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3649,7 +3649,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3657,7 +3657,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3665,7 +3665,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3673,7 +3673,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3681,7 +3681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3689,7 +3689,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3697,7 +3697,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3705,7 +3705,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3713,7 +3713,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3721,7 +3721,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3729,7 +3729,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3737,7 +3737,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3745,7 +3745,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3753,7 +3753,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3761,7 +3761,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3769,7 +3769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3777,7 +3777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3785,7 +3785,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3793,7 +3793,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3801,7 +3801,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3809,7 +3809,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3817,7 +3817,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3825,7 +3825,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3833,7 +3833,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3841,7 +3841,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3849,7 +3849,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3857,7 +3857,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3865,7 +3865,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3873,7 +3873,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3881,7 +3881,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3889,7 +3889,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3897,7 +3897,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3905,7 +3905,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3913,7 +3913,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3921,7 +3921,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3929,7 +3929,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3937,7 +3937,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3945,7 +3945,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3953,7 +3953,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3961,7 +3961,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3969,7 +3969,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3977,7 +3977,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3985,7 +3985,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3993,7 +3993,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4001,7 +4001,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4009,7 +4009,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4017,7 +4017,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4025,7 +4025,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4033,7 +4033,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4041,7 +4041,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4049,7 +4049,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4057,7 +4057,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4065,7 +4065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4073,7 +4073,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4081,7 +4081,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4089,7 +4089,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4097,7 +4097,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4105,7 +4105,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4113,7 +4113,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4121,7 +4121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4129,7 +4129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4137,7 +4137,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4145,7 +4145,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4153,7 +4153,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4161,7 +4161,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4169,7 +4169,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4177,7 +4177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4185,7 +4185,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4193,7 +4193,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4201,7 +4201,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4209,7 +4209,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4217,7 +4217,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4225,7 +4225,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4233,7 +4233,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4241,7 +4241,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4249,7 +4249,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4257,7 +4257,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4265,7 +4265,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4273,7 +4273,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4281,7 +4281,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4289,7 +4289,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4297,7 +4297,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4305,7 +4305,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4313,7 +4313,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4321,7 +4321,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4329,7 +4329,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4337,7 +4337,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4345,7 +4345,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4353,7 +4353,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4361,7 +4361,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4369,7 +4369,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4377,7 +4377,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4385,7 +4385,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4393,7 +4393,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4401,7 +4401,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4409,7 +4409,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4417,7 +4417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4425,7 +4425,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4433,7 +4433,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4441,7 +4441,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4449,7 +4449,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4457,7 +4457,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4465,7 +4465,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4473,7 +4473,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4481,7 +4481,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4489,7 +4489,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4497,7 +4497,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4505,7 +4505,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4513,7 +4513,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4521,7 +4521,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4529,7 +4529,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4537,7 +4537,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4545,7 +4545,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4553,7 +4553,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4561,7 +4561,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4569,7 +4569,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4577,7 +4577,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4585,7 +4585,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4593,7 +4593,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4601,7 +4601,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4609,7 +4609,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4617,7 +4617,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4625,7 +4625,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4633,7 +4633,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4641,7 +4641,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4649,7 +4649,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4657,7 +4657,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4665,7 +4665,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4673,7 +4673,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4681,7 +4681,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4689,7 +4689,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4697,7 +4697,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4705,7 +4705,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4713,7 +4713,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4721,7 +4721,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4729,7 +4729,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4737,7 +4737,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4745,7 +4745,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4753,7 +4753,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4761,7 +4761,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4769,7 +4769,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4777,7 +4777,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4785,7 +4785,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4793,7 +4793,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4801,7 +4801,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4809,7 +4809,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4817,7 +4817,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4825,7 +4825,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4833,7 +4833,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4841,7 +4841,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4849,7 +4849,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4857,7 +4857,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4865,7 +4865,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4873,7 +4873,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4881,7 +4881,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4889,7 +4889,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4897,7 +4897,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4905,7 +4905,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4913,7 +4913,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4921,7 +4921,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4929,7 +4929,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4937,7 +4937,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4945,7 +4945,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4953,7 +4953,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4961,7 +4961,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4969,7 +4969,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4977,7 +4977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4985,7 +4985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4993,7 +4993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5001,7 +5001,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5009,7 +5009,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5017,7 +5017,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5025,7 +5025,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5033,7 +5033,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5041,7 +5041,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5049,7 +5049,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5057,7 +5057,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5065,7 +5065,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5073,7 +5073,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5081,7 +5081,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5089,7 +5089,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5097,7 +5097,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5105,7 +5105,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5113,7 +5113,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5121,7 +5121,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5129,7 +5129,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5137,7 +5137,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5145,7 +5145,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5153,7 +5153,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5161,7 +5161,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5169,7 +5169,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5177,7 +5177,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5185,7 +5185,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5193,7 +5193,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5201,7 +5201,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5209,7 +5209,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5217,7 +5217,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5225,7 +5225,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5233,7 +5233,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5241,7 +5241,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5249,7 +5249,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5257,7 +5257,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5265,7 +5265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5273,7 +5273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5281,7 +5281,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5289,7 +5289,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5297,7 +5297,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5305,7 +5305,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5313,7 +5313,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5321,7 +5321,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5329,7 +5329,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5337,7 +5337,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5345,7 +5345,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5353,7 +5353,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5361,7 +5361,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5369,7 +5369,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5377,7 +5377,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5385,7 +5385,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5393,7 +5393,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5401,7 +5401,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5409,7 +5409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5417,7 +5417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5425,7 +5425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5433,7 +5433,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5441,7 +5441,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5449,7 +5449,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5457,7 +5457,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5465,7 +5465,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5473,7 +5473,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5481,7 +5481,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5489,7 +5489,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5497,7 +5497,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5505,7 +5505,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5513,7 +5513,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5521,7 +5521,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5529,7 +5529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5537,7 +5537,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5545,7 +5545,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5553,7 +5553,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5561,7 +5561,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5569,7 +5569,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5577,7 +5577,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5585,7 +5585,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5593,7 +5593,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5601,7 +5601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5609,7 +5609,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5617,7 +5617,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5625,7 +5625,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5633,7 +5633,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5641,7 +5641,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5649,7 +5649,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5657,7 +5657,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5665,7 +5665,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -5673,7 +5673,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5681,7 +5681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5689,7 +5689,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5697,7 +5697,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5705,7 +5705,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5713,7 +5713,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5721,7 +5721,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5729,7 +5729,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5737,7 +5737,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5745,7 +5745,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5753,7 +5753,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5761,7 +5761,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5769,7 +5769,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5777,7 +5777,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5785,7 +5785,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5793,7 +5793,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5801,7 +5801,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5809,7 +5809,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5817,7 +5817,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5825,7 +5825,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5833,7 +5833,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5841,7 +5841,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5849,7 +5849,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5857,7 +5857,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5865,7 +5865,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5873,7 +5873,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5881,7 +5881,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5889,7 +5889,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5897,7 +5897,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5905,7 +5905,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5913,7 +5913,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5921,7 +5921,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5929,7 +5929,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5937,7 +5937,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5945,7 +5945,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5953,7 +5953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5961,7 +5961,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5969,7 +5969,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5977,7 +5977,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5985,7 +5985,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5993,7 +5993,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6001,7 +6001,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6009,7 +6009,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6017,7 +6017,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6025,7 +6025,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6033,7 +6033,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6041,7 +6041,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6049,7 +6049,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6057,7 +6057,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6065,7 +6065,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6073,7 +6073,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6081,7 +6081,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6089,7 +6089,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6097,7 +6097,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6105,7 +6105,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6113,7 +6113,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6121,7 +6121,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6129,7 +6129,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6137,7 +6137,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6145,7 +6145,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6153,7 +6153,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6161,7 +6161,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6169,7 +6169,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6177,7 +6177,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6185,7 +6185,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6193,7 +6193,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6201,7 +6201,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6209,7 +6209,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6217,7 +6217,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6225,7 +6225,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6233,7 +6233,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6241,7 +6241,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6249,7 +6249,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6257,7 +6257,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6265,7 +6265,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6273,7 +6273,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6281,7 +6281,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6289,7 +6289,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6297,7 +6297,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6305,7 +6305,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6313,7 +6313,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6321,7 +6321,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6329,7 +6329,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6337,7 +6337,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6345,7 +6345,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6353,7 +6353,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6361,7 +6361,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6369,7 +6369,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6377,7 +6377,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6385,7 +6385,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6393,7 +6393,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6401,7 +6401,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6409,7 +6409,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6417,7 +6417,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6425,7 +6425,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6433,7 +6433,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6441,7 +6441,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6449,7 +6449,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6457,7 +6457,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6465,7 +6465,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6473,7 +6473,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6481,7 +6481,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6489,7 +6489,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6497,7 +6497,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6505,7 +6505,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6513,7 +6513,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6521,7 +6521,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6529,7 +6529,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6537,7 +6537,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6545,7 +6545,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6553,7 +6553,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6561,7 +6561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6569,7 +6569,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6577,7 +6577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6585,7 +6585,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6593,7 +6593,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6601,7 +6601,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6609,7 +6609,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6617,7 +6617,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6625,7 +6625,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6633,7 +6633,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6641,7 +6641,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6649,7 +6649,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6657,7 +6657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6665,7 +6665,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6673,7 +6673,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6681,7 +6681,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6689,7 +6689,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6697,7 +6697,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6705,7 +6705,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6713,7 +6713,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6721,7 +6721,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6729,7 +6729,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6737,7 +6737,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6745,7 +6745,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6753,7 +6753,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6761,7 +6761,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6769,7 +6769,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6777,7 +6777,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6785,7 +6785,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6793,7 +6793,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6801,7 +6801,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6809,7 +6809,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6817,7 +6817,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6825,7 +6825,7 @@ attack-objects: tags: [] - attack-object-id: T1205.002 attack-object-name: Socket Filters - capability-id: Information Flow Enforncement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6833,7 +6833,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6841,7 +6841,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6849,7 +6849,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6857,7 +6857,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6865,7 +6865,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6873,7 +6873,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6881,7 +6881,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6889,7 +6889,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6897,7 +6897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6905,7 +6905,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6913,7 +6913,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6921,7 +6921,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6929,7 +6929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6937,7 +6937,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6945,7 +6945,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6953,7 +6953,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6961,7 +6961,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6969,7 +6969,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6977,7 +6977,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6985,7 +6985,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6993,7 +6993,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7001,7 +7001,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7009,7 +7009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7017,7 +7017,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7025,7 +7025,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7033,7 +7033,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7041,7 +7041,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7049,7 +7049,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7057,7 +7057,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7065,7 +7065,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7073,7 +7073,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7081,7 +7081,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7089,7 +7089,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7097,7 +7097,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7105,7 +7105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7113,7 +7113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7121,7 +7121,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7129,7 +7129,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7137,7 +7137,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7145,7 +7145,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7153,7 +7153,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7161,7 +7161,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7169,7 +7169,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7177,7 +7177,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7185,7 +7185,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7193,7 +7193,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7201,7 +7201,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7209,7 +7209,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7217,7 +7217,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7225,7 +7225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7233,7 +7233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7241,7 +7241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7249,7 +7249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7257,7 +7257,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7265,7 +7265,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7273,7 +7273,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7281,7 +7281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7289,7 +7289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7297,7 +7297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7305,7 +7305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7313,7 +7313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7321,7 +7321,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7329,7 +7329,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7337,7 +7337,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7345,7 +7345,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7353,7 +7353,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7361,7 +7361,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7369,7 +7369,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7377,7 +7377,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7385,7 +7385,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7393,7 +7393,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7401,7 +7401,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7409,7 +7409,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7417,7 +7417,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7425,7 +7425,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7433,7 +7433,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7441,7 +7441,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7449,7 +7449,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7457,7 +7457,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7465,7 +7465,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7473,7 +7473,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7481,7 +7481,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7489,7 +7489,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7497,7 +7497,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7505,7 +7505,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7513,7 +7513,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7521,7 +7521,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7529,7 +7529,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7537,7 +7537,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7545,7 +7545,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7553,7 +7553,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7561,7 +7561,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7569,7 +7569,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7577,7 +7577,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7585,7 +7585,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7593,7 +7593,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7601,7 +7601,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7609,7 +7609,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7617,7 +7617,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7625,7 +7625,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7633,7 +7633,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7641,7 +7641,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7649,7 +7649,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7657,7 +7657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7665,7 +7665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7673,7 +7673,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7681,7 +7681,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7689,7 +7689,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7697,7 +7697,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7705,7 +7705,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7713,7 +7713,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7721,7 +7721,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7729,7 +7729,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7737,7 +7737,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7745,7 +7745,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7753,7 +7753,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7761,7 +7761,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7769,7 +7769,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7777,7 +7777,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7785,7 +7785,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7793,7 +7793,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7801,7 +7801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7809,7 +7809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7817,7 +7817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7825,7 +7825,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7833,7 +7833,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7841,7 +7841,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7849,7 +7849,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7857,7 +7857,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7865,7 +7865,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7873,7 +7873,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7881,7 +7881,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7889,7 +7889,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7897,7 +7897,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7905,7 +7905,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7913,7 +7913,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7921,7 +7921,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7929,7 +7929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7937,7 +7937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7945,7 +7945,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7953,7 +7953,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7961,7 +7961,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7969,7 +7969,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7977,7 +7977,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7985,7 +7985,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7993,7 +7993,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8001,7 +8001,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8009,7 +8009,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8017,7 +8017,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8025,7 +8025,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8033,7 +8033,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8041,7 +8041,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8049,7 +8049,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8057,7 +8057,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8065,7 +8065,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8073,7 +8073,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8081,7 +8081,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8089,7 +8089,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8097,7 +8097,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8105,7 +8105,7 @@ attack-objects: tags: [] - attack-object-id: T1556.005 attack-object-name: Reversible Encryption - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -8113,7 +8113,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8121,7 +8121,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8129,7 +8129,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8137,7 +8137,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8145,7 +8145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8153,7 +8153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8161,7 +8161,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8169,7 +8169,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8177,7 +8177,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8185,7 +8185,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8193,7 +8193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8201,7 +8201,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8209,7 +8209,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8217,7 +8217,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8225,7 +8225,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8233,7 +8233,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8241,7 +8241,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8249,7 +8249,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8257,7 +8257,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8265,7 +8265,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8273,7 +8273,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8281,7 +8281,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8289,7 +8289,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8297,7 +8297,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8305,7 +8305,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8313,7 +8313,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8321,7 +8321,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8329,7 +8329,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8337,7 +8337,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8345,7 +8345,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8353,7 +8353,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8361,7 +8361,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8369,7 +8369,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8377,7 +8377,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8385,7 +8385,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8393,7 +8393,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8401,7 +8401,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8409,7 +8409,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8417,7 +8417,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8425,7 +8425,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8433,7 +8433,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8441,7 +8441,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8449,7 +8449,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8457,7 +8457,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8465,7 +8465,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8473,7 +8473,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8481,7 +8481,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8489,7 +8489,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8497,7 +8497,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8505,7 +8505,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8513,7 +8513,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8521,7 +8521,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8529,7 +8529,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8537,7 +8537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8545,7 +8545,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8553,7 +8553,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8561,7 +8561,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8569,7 +8569,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8577,7 +8577,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8585,7 +8585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8593,7 +8593,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8601,7 +8601,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8609,7 +8609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8617,7 +8617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8625,7 +8625,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8633,7 +8633,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8641,7 +8641,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8649,7 +8649,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8657,7 +8657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8665,7 +8665,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8673,7 +8673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8681,7 +8681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8689,7 +8689,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8697,7 +8697,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8705,7 +8705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8713,7 +8713,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8721,7 +8721,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8729,7 +8729,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8737,7 +8737,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8745,7 +8745,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8753,7 +8753,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8761,7 +8761,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8769,7 +8769,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8777,7 +8777,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8785,7 +8785,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8793,7 +8793,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8801,7 +8801,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8809,7 +8809,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8817,7 +8817,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8825,7 +8825,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8833,7 +8833,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8841,7 +8841,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8849,7 +8849,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8857,7 +8857,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8865,7 +8865,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8873,7 +8873,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8881,7 +8881,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8889,7 +8889,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8897,7 +8897,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8905,7 +8905,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8913,7 +8913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8921,7 +8921,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8929,7 +8929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8937,7 +8937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8945,7 +8945,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8953,7 +8953,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8961,7 +8961,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8969,7 +8969,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8977,7 +8977,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8985,7 +8985,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8993,7 +8993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9001,7 +9001,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9009,7 +9009,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9017,7 +9017,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9025,7 +9025,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9033,7 +9033,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9041,7 +9041,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9049,7 +9049,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9057,7 +9057,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9065,7 +9065,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9073,7 +9073,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9081,7 +9081,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9089,7 +9089,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9097,7 +9097,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9105,7 +9105,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9113,7 +9113,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9121,7 +9121,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9129,7 +9129,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9137,7 +9137,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9145,7 +9145,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9153,7 +9153,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9161,7 +9161,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9169,7 +9169,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9177,7 +9177,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9185,7 +9185,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9193,7 +9193,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9201,7 +9201,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9209,7 +9209,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9217,7 +9217,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9225,7 +9225,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9233,7 +9233,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9241,7 +9241,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9249,7 +9249,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9257,7 +9257,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9265,7 +9265,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9273,7 +9273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9281,7 +9281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9289,7 +9289,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9297,7 +9297,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9305,7 +9305,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9313,7 +9313,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9321,7 +9321,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9329,7 +9329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9337,7 +9337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9345,7 +9345,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9353,7 +9353,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9361,7 +9361,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9369,7 +9369,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9377,7 +9377,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9385,7 +9385,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9393,7 +9393,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9401,7 +9401,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9409,7 +9409,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9417,7 +9417,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9425,7 +9425,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9433,7 +9433,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9441,7 +9441,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9449,7 +9449,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9457,7 +9457,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9465,7 +9465,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9473,7 +9473,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9481,7 +9481,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9489,7 +9489,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9497,7 +9497,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9505,7 +9505,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9513,7 +9513,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9521,7 +9521,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9529,7 +9529,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9537,7 +9537,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9545,7 +9545,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9553,7 +9553,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9561,7 +9561,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9569,7 +9569,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9577,7 +9577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9585,7 +9585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9593,7 +9593,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9601,7 +9601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9609,7 +9609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9617,7 +9617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9625,7 +9625,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9633,7 +9633,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9641,7 +9641,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9649,7 +9649,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9657,7 +9657,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9665,7 +9665,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9673,7 +9673,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9681,7 +9681,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9689,7 +9689,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9697,7 +9697,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9705,7 +9705,7 @@ attack-objects: tags: [] - attack-object-id: T1606.002 attack-object-name: SAML Tokens - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9713,7 +9713,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9721,7 +9721,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9729,7 +9729,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9737,7 +9737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9745,7 +9745,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9753,7 +9753,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9761,7 +9761,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9769,7 +9769,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9777,7 +9777,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9785,7 +9785,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9793,7 +9793,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9801,7 +9801,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9809,7 +9809,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9817,7 +9817,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9825,7 +9825,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9833,7 +9833,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9841,7 +9841,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9849,7 +9849,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9857,7 +9857,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9865,7 +9865,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9873,7 +9873,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9881,7 +9881,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9889,7 +9889,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9897,7 +9897,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9905,7 +9905,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9913,7 +9913,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9921,7 +9921,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9929,7 +9929,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9937,7 +9937,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9945,7 +9945,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9953,7 +9953,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9961,7 +9961,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9969,7 +9969,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9977,7 +9977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9985,7 +9985,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -9993,7 +9993,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10001,7 +10001,7 @@ attack-objects: tags: [] - attack-object-id: T1556.005 attack-object-name: Reversible Encryption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10009,7 +10009,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10017,7 +10017,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10025,7 +10025,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10033,7 +10033,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10041,7 +10041,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10049,7 +10049,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10057,7 +10057,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10065,7 +10065,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10073,7 +10073,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10081,7 +10081,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10089,7 +10089,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10097,7 +10097,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10105,7 +10105,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10113,7 +10113,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10121,7 +10121,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10129,7 +10129,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10137,7 +10137,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10145,7 +10145,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10153,7 +10153,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10161,7 +10161,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: System Use Notification + capability-id: AC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10169,7 +10169,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Policy and Procedures + capability-id: AU-1 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10177,7 +10177,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Policy and Procedures + capability-id: AU-1 comments: '' mapping-description: '' mapping-type: mitigates @@ -10185,7 +10185,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Event Logging + capability-id: AU-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10193,7 +10193,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Event Logging + capability-id: AU-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10201,7 +10201,7 @@ attack-objects: tags: [] - attack-object-id: T1593.003 attack-object-name: Code Repositories - capability-id: Response to Audit Processing Failure + capability-id: AU-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -10209,7 +10209,7 @@ attack-objects: tags: [] - attack-object-id: T1649 attack-object-name: Steal or Forge Authentication Certificates - capability-id: 'Audit Review, Analysis, and Reporting ' + capability-id: AU-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -10217,7 +10217,7 @@ attack-objects: tags: [] - attack-object-id: T1593.003 attack-object-name: Code Repositories - capability-id: Audit Review, Analysis, & Reporting + capability-id: AU-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -10225,7 +10225,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10233,7 +10233,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates 
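Review bot: In the hunk at `@@ -10209,7 +10209,7 @@`, the T1649 (Steal or Forge Authentication Certificates) entry changes from `'Audit Review, Analysis, and Reporting '` to `AU-5`, but that control title belongs to AU-6 in NIST 800-53, and the next hunk maps the same title (written with `&`) to `AU-6` for T1593.003. If the ID rather than the old name is wrong, the line should read `capability-id: AU-6`. The old value carries a trailing space, so a name-to-ID lookup in the parser may have missed it and reused the previous row's ID; that is an inference, since the parser is not visible here. This file appears to be generated expected output, so the fix belongs in the parser or the source mapping data, followed by regenerating the fixture. Otherwise the test pins a control-to-technique mapping that may be incorrect.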
@@ -10241,7 +10241,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10249,7 +10249,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10257,7 +10257,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10265,7 +10265,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10273,7 +10273,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10281,7 +10281,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10289,7 +10289,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10297,7 +10297,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10305,7 +10305,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Exchange + capability-id: CA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -10313,7 +10313,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10321,7 +10321,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10329,7 +10329,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10337,7 +10337,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10345,7 +10345,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10353,7 +10353,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10361,7 +10361,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10369,7 +10369,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10377,7 +10377,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10385,7 +10385,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10393,7 +10393,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10401,7 +10401,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10409,7 +10409,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10417,7 +10417,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10425,7 +10425,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10433,7 +10433,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10441,7 +10441,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10449,7 +10449,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10457,7 +10457,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10465,7 +10465,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10473,7 +10473,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10481,7 +10481,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10489,7 +10489,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10497,7 +10497,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10505,7 +10505,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10513,7 +10513,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10521,7 +10521,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10529,7 +10529,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10537,7 +10537,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10545,7 +10545,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10553,7 +10553,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10561,7 +10561,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10569,7 +10569,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10577,7 +10577,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10585,7 +10585,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10593,7 +10593,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10601,7 +10601,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10609,7 +10609,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10617,7 +10617,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10625,7 +10625,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10633,7 +10633,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10641,7 +10641,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10649,7 +10649,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10657,7 +10657,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10665,7 +10665,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10673,7 +10673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10681,7 +10681,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10689,7 +10689,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10697,7 +10697,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10705,7 +10705,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10713,7 +10713,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10721,7 +10721,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10729,7 +10729,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10737,7 +10737,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10745,7 +10745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10753,7 +10753,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10761,7 +10761,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10769,7 +10769,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10777,7 +10777,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10785,7 +10785,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10793,7 +10793,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10801,7 +10801,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10809,7 +10809,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10817,7 +10817,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10825,7 +10825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10833,7 +10833,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10841,7 +10841,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10849,7 +10849,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10857,7 +10857,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10865,7 +10865,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10873,7 +10873,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10881,7 +10881,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10889,7 +10889,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10897,7 +10897,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10905,7 +10905,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10913,7 +10913,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10921,7 +10921,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10929,7 +10929,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10937,7 +10937,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10945,7 +10945,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10953,7 +10953,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10961,7 +10961,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10969,7 +10969,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10977,7 +10977,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10985,7 +10985,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10993,7 +10993,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11001,7 +11001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11009,7 +11009,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11017,7 +11017,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11025,7 +11025,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11033,7 +11033,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11041,7 +11041,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11049,7 +11049,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11057,7 +11057,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11065,7 +11065,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11073,7 +11073,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11081,7 +11081,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11089,7 +11089,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11097,7 +11097,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11105,7 +11105,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11113,7 +11113,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11121,7 +11121,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11129,7 +11129,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11137,7 +11137,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11145,7 +11145,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11153,7 +11153,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11161,7 +11161,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11169,7 +11169,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11177,7 +11177,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11185,7 +11185,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11193,7 +11193,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11201,7 +11201,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11209,7 +11209,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11217,7 +11217,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11225,7 +11225,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11233,7 +11233,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11241,7 +11241,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11249,7 +11249,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11257,7 +11257,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11265,7 +11265,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11273,7 +11273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11281,7 +11281,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11289,7 +11289,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11297,7 +11297,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11305,7 +11305,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11313,7 +11313,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11321,7 +11321,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11329,7 +11329,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11337,7 +11337,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11345,7 +11345,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11353,7 +11353,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11361,7 +11361,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11369,7 +11369,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11377,7 +11377,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11385,7 +11385,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11393,7 +11393,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11401,7 +11401,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11409,7 +11409,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11417,7 +11417,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11425,7 +11425,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11433,7 +11433,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11441,7 +11441,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11449,7 +11449,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11457,7 +11457,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11465,7 +11465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11473,7 +11473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11481,7 +11481,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11489,7 +11489,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11497,7 +11497,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11505,7 +11505,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11513,7 +11513,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11521,7 +11521,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11529,7 +11529,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11537,7 +11537,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11545,7 +11545,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11553,7 +11553,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11561,7 +11561,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11569,7 +11569,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11577,7 +11577,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11585,7 +11585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11593,7 +11593,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11601,7 +11601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11609,7 +11609,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11617,7 +11617,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11625,7 +11625,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11633,7 +11633,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11641,7 +11641,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11649,7 +11649,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11657,7 +11657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11665,7 +11665,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11673,7 +11673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11681,7 +11681,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11689,7 +11689,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11697,7 +11697,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11705,7 +11705,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11713,7 +11713,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11721,7 +11721,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11729,7 +11729,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11737,7 +11737,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11745,7 +11745,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11753,7 +11753,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11761,7 +11761,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11769,7 +11769,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11777,7 +11777,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11785,7 +11785,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11793,7 +11793,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11801,7 +11801,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11809,7 +11809,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11817,7 +11817,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11825,7 +11825,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11833,7 +11833,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11841,7 +11841,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11849,7 +11849,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11857,7 +11857,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11865,7 +11865,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11873,7 +11873,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11881,7 +11881,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11889,7 +11889,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11897,7 +11897,7 @@ attack-objects: tags: [] - attack-object-id: T1564.010 attack-object-name: Process Argument Spoofing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11905,7 +11905,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11913,7 +11913,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11921,7 +11921,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -11929,7 +11929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11937,7 +11937,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11945,7 +11945,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11953,7 +11953,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11961,7 +11961,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11969,7 +11969,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11977,7 +11977,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11985,7 +11985,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11993,7 +11993,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12001,7 +12001,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12009,7 +12009,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12017,7 +12017,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12025,7 +12025,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12033,7 +12033,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12041,7 +12041,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12049,7 +12049,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12057,7 +12057,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12065,7 +12065,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12073,7 +12073,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12081,7 +12081,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12089,7 +12089,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12097,7 +12097,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12105,7 +12105,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12113,7 +12113,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12121,7 +12121,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12129,7 +12129,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12137,7 +12137,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12145,7 +12145,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12153,7 +12153,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12161,7 +12161,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12169,7 +12169,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12177,7 +12177,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12185,7 +12185,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12193,7 +12193,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12201,7 +12201,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12209,7 +12209,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12217,7 +12217,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12225,7 +12225,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12233,7 +12233,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12241,7 +12241,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12249,7 +12249,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12257,7 +12257,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12265,7 +12265,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12273,7 +12273,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12281,7 +12281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12289,7 +12289,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12297,7 +12297,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12305,7 +12305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12313,7 +12313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12321,7 +12321,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12329,7 +12329,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12337,7 +12337,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12345,7 +12345,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12353,7 +12353,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12361,7 +12361,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12369,7 +12369,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12377,7 +12377,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12385,7 +12385,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12393,7 +12393,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12401,7 +12401,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12409,7 +12409,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12417,7 +12417,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12425,7 +12425,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12433,7 +12433,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -12441,7 +12441,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12449,7 +12449,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12457,7 +12457,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12465,7 +12465,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12473,7 +12473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12481,7 +12481,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12489,7 +12489,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12497,7 +12497,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12505,7 +12505,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12513,7 +12513,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -12521,7 +12521,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12529,7 +12529,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12537,7 +12537,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12545,7 +12545,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12553,7 +12553,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12561,7 +12561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12569,7 +12569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12577,7 +12577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12585,7 +12585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12593,7 +12593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12601,7 +12601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12609,7 +12609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12617,7 +12617,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12625,7 +12625,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12633,7 +12633,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12641,7 +12641,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12649,7 +12649,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12657,7 +12657,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12665,7 +12665,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12673,7 +12673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12681,7 +12681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12689,7 +12689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12697,7 +12697,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12705,7 +12705,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12713,7 +12713,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12721,7 +12721,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12729,7 +12729,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12737,7 +12737,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12745,7 +12745,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12753,7 +12753,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12761,7 +12761,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12769,7 +12769,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -12777,7 +12777,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Information Location + capability-id: CM-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -12785,7 +12785,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Information Location + capability-id: CM-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -12793,7 +12793,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12801,7 +12801,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12809,7 +12809,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12817,7 +12817,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12825,7 +12825,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12833,7 +12833,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12841,7 +12841,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12849,7 +12849,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12857,7 +12857,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12865,7 +12865,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12873,7 +12873,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12881,7 +12881,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12889,7 +12889,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12897,7 +12897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12905,7 +12905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12913,7 +12913,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12921,7 +12921,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12929,7 +12929,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12937,7 +12937,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12945,7 +12945,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12953,7 +12953,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12961,7 +12961,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12969,7 +12969,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12977,7 +12977,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12985,7 +12985,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12993,7 +12993,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13001,7 +13001,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13009,7 +13009,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13017,7 +13017,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13025,7 +13025,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13033,7 +13033,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13041,7 +13041,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13049,7 +13049,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13057,7 +13057,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13065,7 +13065,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13073,7 +13073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13081,7 +13081,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13089,7 +13089,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13097,7 +13097,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13105,7 +13105,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13113,7 +13113,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13121,7 +13121,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13129,7 +13129,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13137,7 +13137,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13145,7 +13145,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13153,7 +13153,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13161,7 +13161,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13169,7 +13169,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13177,7 +13177,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13185,7 +13185,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13193,7 +13193,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13201,7 +13201,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13209,7 +13209,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13217,7 +13217,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13225,7 +13225,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13233,7 +13233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13241,7 +13241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13249,7 +13249,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13257,7 +13257,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13265,7 +13265,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13273,7 +13273,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13281,7 +13281,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13289,7 +13289,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13297,7 +13297,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13305,7 +13305,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13313,7 +13313,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13321,7 +13321,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13329,7 +13329,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13337,7 +13337,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13345,7 +13345,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13353,7 +13353,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13361,7 +13361,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13369,7 +13369,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13377,7 +13377,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13385,7 +13385,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13393,7 +13393,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13401,7 +13401,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13409,7 +13409,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13417,7 +13417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13425,7 +13425,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13433,7 +13433,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13441,7 +13441,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13449,7 +13449,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13457,7 +13457,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13465,7 +13465,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13473,7 +13473,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13481,7 +13481,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13489,7 +13489,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13497,7 +13497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13505,7 +13505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13513,7 +13513,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13521,7 +13521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13529,7 +13529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13537,7 +13537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13545,7 +13545,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13553,7 +13553,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13561,7 +13561,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13569,7 +13569,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13577,7 +13577,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13585,7 +13585,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13593,7 +13593,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13601,7 +13601,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13609,7 +13609,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13617,7 +13617,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13625,7 +13625,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13633,7 +13633,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13641,7 +13641,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13649,7 +13649,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13657,7 +13657,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13665,7 +13665,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13673,7 +13673,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13681,7 +13681,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13689,7 +13689,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13697,7 +13697,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13705,7 +13705,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13713,7 +13713,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13721,7 +13721,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13729,7 +13729,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13737,7 +13737,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13745,7 +13745,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13753,7 +13753,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13761,7 +13761,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13769,7 +13769,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13777,7 +13777,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13785,7 +13785,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13793,7 +13793,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13801,7 +13801,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13809,7 +13809,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13817,7 +13817,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13825,7 +13825,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13833,7 +13833,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13841,7 +13841,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13849,7 +13849,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13857,7 +13857,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13865,7 +13865,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13873,7 +13873,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13881,7 +13881,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13889,7 +13889,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13897,7 +13897,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13905,7 +13905,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13913,7 +13913,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13921,7 +13921,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13929,7 +13929,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13937,7 +13937,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13945,7 +13945,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13953,7 +13953,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13961,7 +13961,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13969,7 +13969,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13977,7 +13977,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13985,7 +13985,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13993,7 +13993,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14001,7 +14001,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14009,7 +14009,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14017,7 +14017,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14025,7 +14025,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14033,7 +14033,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14041,7 +14041,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14049,7 +14049,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14057,7 +14057,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14065,7 +14065,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14073,7 +14073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14081,7 +14081,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14089,7 +14089,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14097,7 +14097,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14105,7 +14105,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14113,7 +14113,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14121,7 +14121,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14129,7 +14129,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14137,7 +14137,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14145,7 +14145,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14153,7 +14153,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14161,7 +14161,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14169,7 +14169,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14177,7 +14177,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14185,7 +14185,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14193,7 +14193,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14201,7 +14201,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14209,7 +14209,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14217,7 +14217,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14225,7 +14225,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14233,7 +14233,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14241,7 +14241,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14249,7 +14249,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14257,7 +14257,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14265,7 +14265,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14273,7 +14273,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14281,7 +14281,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14289,7 +14289,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14297,7 +14297,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14305,7 +14305,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14313,7 +14313,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14321,7 +14321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14329,7 +14329,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14337,7 +14337,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14345,7 +14345,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14353,7 +14353,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14361,7 +14361,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14369,7 +14369,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14377,7 +14377,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14385,7 +14385,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14393,7 +14393,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14401,7 +14401,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14409,7 +14409,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14417,7 +14417,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14425,7 +14425,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14433,7 +14433,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14441,7 +14441,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14449,7 +14449,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14457,7 +14457,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14465,7 +14465,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14473,7 +14473,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14481,7 +14481,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14489,7 +14489,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14497,7 +14497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14505,7 +14505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14513,7 +14513,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14521,7 +14521,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14529,7 +14529,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14537,7 +14537,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14545,7 +14545,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14553,7 +14553,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14561,7 +14561,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14569,7 +14569,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14577,7 +14577,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14585,7 +14585,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14593,7 +14593,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14601,7 +14601,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14609,7 +14609,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14617,7 +14617,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14625,7 +14625,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14633,7 +14633,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14641,7 +14641,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14649,7 +14649,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14657,7 +14657,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14665,7 +14665,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14673,7 +14673,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14681,7 +14681,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14689,7 +14689,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14697,7 +14697,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14705,7 +14705,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14713,7 +14713,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14721,7 +14721,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14729,7 +14729,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14737,7 +14737,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14745,7 +14745,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14753,7 +14753,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14761,7 +14761,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14769,7 +14769,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14777,7 +14777,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14785,7 +14785,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14793,7 +14793,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14801,7 +14801,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14809,7 +14809,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14817,7 +14817,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14825,7 +14825,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14833,7 +14833,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14841,7 +14841,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14849,7 +14849,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -14857,7 +14857,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14865,7 +14865,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14873,7 +14873,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14881,7 +14881,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14889,7 +14889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14897,7 +14897,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14905,7 +14905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14913,7 +14913,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14921,7 +14921,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14929,7 +14929,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14937,7 +14937,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14945,7 +14945,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14953,7 +14953,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14961,7 +14961,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14969,7 +14969,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14977,7 +14977,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -14985,7 +14985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14993,7 +14993,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15001,7 +15001,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15009,7 +15009,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15017,7 +15017,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15025,7 +15025,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15033,7 +15033,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15041,7 +15041,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15049,7 +15049,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -15057,7 +15057,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15065,7 +15065,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15073,7 +15073,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15081,7 +15081,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15089,7 +15089,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15097,7 +15097,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15105,7 +15105,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15113,7 +15113,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15121,7 +15121,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15129,7 +15129,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15137,7 +15137,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15145,7 +15145,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15153,7 +15153,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15161,7 +15161,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15169,7 +15169,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15177,7 +15177,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15185,7 +15185,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15193,7 +15193,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15201,7 +15201,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15209,7 +15209,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15217,7 +15217,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15225,7 +15225,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15233,7 +15233,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15241,7 +15241,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15249,7 +15249,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15257,7 +15257,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15265,7 +15265,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15273,7 +15273,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15281,7 +15281,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15289,7 +15289,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15297,7 +15297,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15305,7 +15305,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15313,7 +15313,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15321,7 +15321,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15329,7 +15329,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15337,7 +15337,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15345,7 +15345,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15353,7 +15353,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15361,7 +15361,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15369,7 +15369,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15377,7 +15377,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15385,7 +15385,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15393,7 +15393,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15401,7 +15401,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15409,7 +15409,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15417,7 +15417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15425,7 +15425,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15433,7 +15433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15441,7 +15441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15449,7 +15449,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15457,7 +15457,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15465,7 +15465,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15473,7 +15473,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15481,7 +15481,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15489,7 +15489,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15497,7 +15497,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15505,7 +15505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15513,7 +15513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15521,7 +15521,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15529,7 +15529,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15537,7 +15537,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15545,7 +15545,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15553,7 +15553,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15561,7 +15561,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15569,7 +15569,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15577,7 +15577,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15585,7 +15585,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15593,7 +15593,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15601,7 +15601,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15609,7 +15609,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15617,7 +15617,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15625,7 +15625,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15633,7 +15633,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15641,7 +15641,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15649,7 +15649,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15657,7 +15657,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15665,7 +15665,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15673,7 +15673,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15681,7 +15681,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15689,7 +15689,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15697,7 +15697,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15705,7 +15705,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15713,7 +15713,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15721,7 +15721,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15729,7 +15729,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15737,7 +15737,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15745,7 +15745,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15753,7 +15753,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15761,7 +15761,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15769,7 +15769,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15777,7 +15777,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15785,7 +15785,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15793,7 +15793,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15801,7 +15801,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15809,7 +15809,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15817,7 +15817,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15825,7 +15825,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15833,7 +15833,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15841,7 +15841,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15849,7 +15849,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15857,7 +15857,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15865,7 +15865,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15873,7 +15873,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15881,7 +15881,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15889,7 +15889,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15897,7 +15897,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15905,7 +15905,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15913,7 +15913,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15921,7 +15921,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15929,7 +15929,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15937,7 +15937,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15945,7 +15945,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15953,7 +15953,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15961,7 +15961,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15969,7 +15969,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15977,7 +15977,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -15985,7 +15985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15993,7 +15993,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16001,7 +16001,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16009,7 +16009,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16017,7 +16017,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16025,7 +16025,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16033,7 +16033,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16041,7 +16041,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16049,7 +16049,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16057,7 +16057,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16065,7 +16065,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16073,7 +16073,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16081,7 +16081,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16089,7 +16089,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16097,7 +16097,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16105,7 +16105,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16113,7 +16113,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16121,7 +16121,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16129,7 +16129,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16137,7 +16137,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16145,7 +16145,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16153,7 +16153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16161,7 +16161,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16169,7 +16169,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16177,7 +16177,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16185,7 +16185,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16193,7 +16193,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16201,7 +16201,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16209,7 +16209,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16217,7 +16217,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16225,7 +16225,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: Access Restriction for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -16233,7 +16233,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16241,7 +16241,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16249,7 +16249,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16257,7 +16257,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16265,7 +16265,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16273,7 +16273,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16281,7 +16281,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16289,7 +16289,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16297,7 +16297,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16305,7 +16305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16313,7 +16313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16321,7 +16321,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16329,7 +16329,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16337,7 +16337,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16345,7 +16345,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16353,7 +16353,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16361,7 +16361,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16369,7 +16369,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16377,7 +16377,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16385,7 +16385,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16393,7 +16393,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16401,7 +16401,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16409,7 +16409,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16417,7 +16417,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16425,7 +16425,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16433,7 +16433,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16441,7 +16441,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16449,7 +16449,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16457,7 +16457,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16465,7 +16465,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16473,7 +16473,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16481,7 +16481,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16489,7 +16489,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16497,7 +16497,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16505,7 +16505,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16513,7 +16513,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16521,7 +16521,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16529,7 +16529,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16537,7 +16537,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16545,7 +16545,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16553,7 +16553,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16561,7 +16561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16569,7 +16569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16577,7 +16577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16585,7 +16585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16593,7 +16593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16601,7 +16601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16609,7 +16609,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16617,7 +16617,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16625,7 +16625,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16633,7 +16633,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16641,7 +16641,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16649,7 +16649,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16657,7 +16657,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16665,7 +16665,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16673,7 +16673,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16681,7 +16681,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16689,7 +16689,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16697,7 +16697,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16705,7 +16705,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16713,7 +16713,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16721,7 +16721,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16729,7 +16729,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16737,7 +16737,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16745,7 +16745,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16753,7 +16753,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16761,7 +16761,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16769,7 +16769,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16777,7 +16777,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16785,7 +16785,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16793,7 +16793,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16801,7 +16801,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16809,7 +16809,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16817,7 +16817,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16825,7 +16825,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16833,7 +16833,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16841,7 +16841,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16849,7 +16849,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16857,7 +16857,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16865,7 +16865,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16873,7 +16873,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16881,7 +16881,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16889,7 +16889,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16897,7 +16897,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16905,7 +16905,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16913,7 +16913,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16921,7 +16921,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16929,7 +16929,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16937,7 +16937,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16945,7 +16945,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16953,7 +16953,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16961,7 +16961,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16969,7 +16969,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16977,7 +16977,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16985,7 +16985,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16993,7 +16993,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17001,7 +17001,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17009,7 +17009,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17017,7 +17017,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17025,7 +17025,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17033,7 +17033,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17041,7 +17041,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17049,7 +17049,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17057,7 +17057,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17065,7 +17065,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17073,7 +17073,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17081,7 +17081,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17089,7 +17089,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17097,7 +17097,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17105,7 +17105,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17113,7 +17113,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17121,7 +17121,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17129,7 +17129,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17137,7 +17137,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17145,7 +17145,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17153,7 +17153,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17161,7 +17161,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17169,7 +17169,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17177,7 +17177,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17185,7 +17185,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17193,7 +17193,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17201,7 +17201,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17209,7 +17209,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17217,7 +17217,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17225,7 +17225,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17233,7 +17233,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17241,7 +17241,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17249,7 +17249,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17257,7 +17257,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17265,7 +17265,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17273,7 +17273,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17281,7 +17281,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17289,7 +17289,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17297,7 +17297,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17305,7 +17305,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17313,7 +17313,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17321,7 +17321,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17329,7 +17329,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17337,7 +17337,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17345,7 +17345,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17353,7 +17353,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17361,7 +17361,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17369,7 +17369,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17377,7 +17377,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17385,7 +17385,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17393,7 +17393,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17401,7 +17401,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17409,7 +17409,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17417,7 +17417,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17425,7 +17425,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17433,7 +17433,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17441,7 +17441,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17449,7 +17449,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17457,7 +17457,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17465,7 +17465,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17473,7 +17473,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17481,7 +17481,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17489,7 +17489,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17497,7 +17497,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17505,7 +17505,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17513,7 +17513,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17521,7 +17521,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17529,7 +17529,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17537,7 +17537,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17545,7 +17545,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17553,7 +17553,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17561,7 +17561,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17569,7 +17569,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17577,7 +17577,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17585,7 +17585,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17593,7 +17593,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17601,7 +17601,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17609,7 +17609,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17617,7 +17617,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17625,7 +17625,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17633,7 +17633,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17641,7 +17641,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17649,7 +17649,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17657,7 +17657,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17665,7 +17665,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17673,7 +17673,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17681,7 +17681,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17689,7 +17689,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17697,7 +17697,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17705,7 +17705,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17713,7 +17713,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17721,7 +17721,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17729,7 +17729,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17737,7 +17737,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17745,7 +17745,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17753,7 +17753,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17761,7 +17761,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17769,7 +17769,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17777,7 +17777,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17785,7 +17785,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17793,7 +17793,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17801,7 +17801,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17809,7 +17809,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17817,7 +17817,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17825,7 +17825,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17833,7 +17833,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17841,7 +17841,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17849,7 +17849,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17857,7 +17857,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17865,7 +17865,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17873,7 +17873,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17881,7 +17881,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17889,7 +17889,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17897,7 +17897,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17905,7 +17905,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17913,7 +17913,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17921,7 +17921,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17929,7 +17929,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17937,7 +17937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17945,7 +17945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17953,7 +17953,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17961,7 +17961,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17969,7 +17969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17977,7 +17977,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17985,7 +17985,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -17993,7 +17993,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18001,7 +18001,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18009,7 +18009,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18017,7 +18017,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18025,7 +18025,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18033,7 +18033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18041,7 +18041,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18049,7 +18049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18057,7 +18057,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18065,7 +18065,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18073,7 +18073,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18081,7 +18081,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18089,7 +18089,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18097,7 +18097,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18105,7 +18105,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18113,7 +18113,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18121,7 +18121,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18129,7 +18129,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18137,7 +18137,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18145,7 +18145,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18153,7 +18153,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18161,7 +18161,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18169,7 +18169,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18177,7 +18177,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18185,7 +18185,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18193,7 +18193,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18201,7 +18201,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18209,7 +18209,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18217,7 +18217,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18225,7 +18225,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18233,7 +18233,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18241,7 +18241,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18249,7 +18249,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18257,7 +18257,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18265,7 +18265,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18273,7 +18273,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18281,7 +18281,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18289,7 +18289,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18297,7 +18297,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18305,7 +18305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18313,7 +18313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18321,7 +18321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18329,7 +18329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18337,7 +18337,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18345,7 +18345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18353,7 +18353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18361,7 +18361,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18369,7 +18369,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18377,7 +18377,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18385,7 +18385,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18393,7 +18393,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18401,7 +18401,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18409,7 +18409,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18417,7 +18417,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18425,7 +18425,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18433,7 +18433,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18441,7 +18441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18449,7 +18449,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18457,7 +18457,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18465,7 +18465,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18473,7 +18473,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18481,7 +18481,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18489,7 +18489,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18497,7 +18497,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18505,7 +18505,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18513,7 +18513,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18521,7 +18521,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18529,7 +18529,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18537,7 +18537,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18545,7 +18545,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18553,7 +18553,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18561,7 +18561,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18569,7 +18569,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18577,7 +18577,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18585,7 +18585,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18593,7 +18593,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18601,7 +18601,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18609,7 +18609,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18617,7 +18617,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18625,7 +18625,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18633,7 +18633,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18641,7 +18641,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18649,7 +18649,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18657,7 +18657,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18665,7 +18665,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18673,7 +18673,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18681,7 +18681,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18689,7 +18689,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18697,7 +18697,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18705,7 +18705,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18713,7 +18713,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18721,7 +18721,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18729,7 +18729,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18737,7 +18737,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18745,7 +18745,7 @@ attack-objects: tags: [] - attack-object-id: T1098.005 attack-object-name: Device Registration - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18753,7 +18753,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18761,7 +18761,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18769,7 +18769,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18777,7 +18777,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18785,7 +18785,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18793,7 +18793,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18801,7 +18801,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18809,7 +18809,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18817,7 +18817,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18825,7 +18825,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18833,7 +18833,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18841,7 +18841,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18849,7 +18849,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18857,7 +18857,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18865,7 +18865,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18873,7 +18873,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18881,7 +18881,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18889,7 +18889,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18897,7 +18897,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18905,7 +18905,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18913,7 +18913,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18921,7 +18921,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18929,7 +18929,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18937,7 +18937,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18945,7 +18945,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18953,7 +18953,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18961,7 +18961,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18969,7 +18969,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18977,7 +18977,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18985,7 +18985,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18993,7 +18993,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19001,7 +19001,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19009,7 +19009,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19017,7 +19017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19025,7 +19025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19033,7 +19033,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19041,7 +19041,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19049,7 +19049,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19057,7 +19057,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19065,7 +19065,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19073,7 +19073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19081,7 +19081,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19089,7 +19089,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19097,7 +19097,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19105,7 +19105,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19113,7 +19113,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19121,7 +19121,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19129,7 +19129,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19137,7 +19137,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19145,7 +19145,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19153,7 +19153,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19161,7 +19161,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19169,7 +19169,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19177,7 +19177,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19185,7 +19185,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19193,7 +19193,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19201,7 +19201,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19209,7 +19209,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19217,7 +19217,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19225,7 +19225,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19233,7 +19233,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19241,7 +19241,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19249,7 +19249,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19257,7 +19257,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19265,7 +19265,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19273,7 +19273,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19281,7 +19281,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19289,7 +19289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19297,7 +19297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19305,7 +19305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19313,7 +19313,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19321,7 +19321,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19329,7 +19329,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19337,7 +19337,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19345,7 +19345,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19353,7 +19353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19361,7 +19361,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19369,7 +19369,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19377,7 +19377,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19385,7 +19385,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19393,7 +19393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19401,7 +19401,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19409,7 +19409,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19417,7 +19417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19425,7 +19425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19433,7 +19433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19441,7 +19441,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19449,7 +19449,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19457,7 +19457,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19465,7 +19465,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19473,7 +19473,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19481,7 +19481,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19489,7 +19489,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19497,7 +19497,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19505,7 +19505,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19513,7 +19513,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19521,7 +19521,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19529,7 +19529,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19537,7 +19537,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19545,7 +19545,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19553,7 +19553,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19561,7 +19561,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19569,7 +19569,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19577,7 +19577,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19585,7 +19585,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19593,7 +19593,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19601,7 +19601,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19609,7 +19609,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19617,7 +19617,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19625,7 +19625,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19633,7 +19633,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19641,7 +19641,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19649,7 +19649,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19657,7 +19657,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19665,7 +19665,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19673,7 +19673,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19681,7 +19681,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19689,7 +19689,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19697,7 +19697,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19705,7 +19705,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19713,7 +19713,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19721,7 +19721,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19729,7 +19729,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19737,7 +19737,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19745,7 +19745,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19753,7 +19753,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19761,7 +19761,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19769,7 +19769,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19777,7 +19777,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19785,7 +19785,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19793,7 +19793,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19801,7 +19801,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19809,7 +19809,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19817,7 +19817,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19825,7 +19825,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19833,7 +19833,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19841,7 +19841,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19849,7 +19849,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19857,7 +19857,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19865,7 +19865,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19873,7 +19873,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19881,7 +19881,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19889,7 +19889,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19897,7 +19897,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19905,7 +19905,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19913,7 +19913,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19921,7 +19921,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19929,7 +19929,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19937,7 +19937,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19945,7 +19945,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19953,7 +19953,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19961,7 +19961,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19969,7 +19969,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19977,7 +19977,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19985,7 +19985,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19993,7 +19993,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20001,7 +20001,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20009,7 +20009,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20017,7 +20017,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20025,7 +20025,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20033,7 +20033,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20041,7 +20041,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20049,7 +20049,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20057,7 +20057,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20065,7 +20065,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20073,7 +20073,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20081,7 +20081,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20089,7 +20089,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20097,7 +20097,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20105,7 +20105,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20113,7 +20113,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20121,7 +20121,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20129,7 +20129,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20137,7 +20137,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20145,7 +20145,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20153,7 +20153,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20161,7 +20161,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20169,7 +20169,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20177,7 +20177,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20185,7 +20185,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20193,7 +20193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20201,7 +20201,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20209,7 +20209,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20217,7 +20217,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20225,7 +20225,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20233,7 +20233,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20241,7 +20241,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20249,7 +20249,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20257,7 +20257,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20265,7 +20265,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20273,7 +20273,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20281,7 +20281,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20289,7 +20289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20297,7 +20297,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20305,7 +20305,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20313,7 +20313,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20321,7 +20321,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20329,7 +20329,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20337,7 +20337,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20345,7 +20345,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20353,7 +20353,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20361,7 +20361,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20369,7 +20369,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20377,7 +20377,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20385,7 +20385,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20393,7 +20393,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20401,7 +20401,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20409,7 +20409,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20417,7 +20417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20425,7 +20425,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20433,7 +20433,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20441,7 +20441,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20449,7 +20449,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20457,7 +20457,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20465,7 +20465,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20473,7 +20473,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20481,7 +20481,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20489,7 +20489,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20497,7 +20497,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20505,7 +20505,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20513,7 +20513,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20521,7 +20521,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20529,7 +20529,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20537,7 +20537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20545,7 +20545,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20553,7 +20553,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20561,7 +20561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20569,7 +20569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20577,7 +20577,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20585,7 +20585,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20593,7 +20593,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20601,7 +20601,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20609,7 +20609,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20617,7 +20617,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20625,7 +20625,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20633,7 +20633,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20641,7 +20641,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20649,7 +20649,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20657,7 +20657,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20665,7 +20665,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20673,7 +20673,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20681,7 +20681,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20689,7 +20689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20697,7 +20697,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20705,7 +20705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20713,7 +20713,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20721,7 +20721,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20729,7 +20729,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20737,7 +20737,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20745,7 +20745,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20753,7 +20753,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20761,7 +20761,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20769,7 +20769,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20777,7 +20777,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20785,7 +20785,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20793,7 +20793,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20801,7 +20801,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20809,7 +20809,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20817,7 +20817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20825,7 +20825,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20833,7 +20833,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20841,7 +20841,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20849,7 +20849,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20857,7 +20857,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20865,7 +20865,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20873,7 +20873,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20881,7 +20881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20889,7 +20889,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20897,7 +20897,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20905,7 +20905,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20913,7 +20913,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20921,7 +20921,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20929,7 +20929,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20937,7 +20937,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20945,7 +20945,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20953,7 +20953,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20961,7 +20961,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20969,7 +20969,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20977,7 +20977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20985,7 +20985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20993,7 +20993,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21001,7 +21001,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21009,7 +21009,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21017,7 +21017,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21025,7 +21025,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21033,7 +21033,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21041,7 +21041,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21049,7 +21049,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21057,7 +21057,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21065,7 +21065,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21073,7 +21073,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21081,7 +21081,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21089,7 +21089,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21097,7 +21097,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21105,7 +21105,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21113,7 +21113,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21121,7 +21121,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21129,7 +21129,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21137,7 +21137,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21145,7 +21145,7 @@ attack-objects: tags: [] - attack-object-id: T1593.003 attack-object-name: Code Repositories - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21153,7 +21153,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21161,7 +21161,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21169,7 +21169,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21177,7 +21177,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21185,7 +21185,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21193,7 +21193,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21201,7 +21201,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21209,7 +21209,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21217,7 +21217,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21225,7 +21225,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21233,7 +21233,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21241,7 +21241,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21249,7 +21249,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21257,7 +21257,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21265,7 +21265,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21273,7 +21273,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21281,7 +21281,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21289,7 +21289,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21297,7 +21297,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21305,7 +21305,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21313,7 +21313,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21321,7 +21321,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21329,7 +21329,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21337,7 +21337,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21345,7 +21345,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21353,7 +21353,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21361,7 +21361,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21369,7 +21369,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21377,7 +21377,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21385,7 +21385,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21393,7 +21393,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21401,7 +21401,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21409,7 +21409,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21417,7 +21417,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21425,7 +21425,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21433,7 +21433,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21441,7 +21441,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21449,7 +21449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21457,7 +21457,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21465,7 +21465,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21473,7 +21473,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21481,7 +21481,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21489,7 +21489,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21497,7 +21497,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21505,7 +21505,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21513,7 +21513,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21521,7 +21521,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21529,7 +21529,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21537,7 +21537,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21545,7 +21545,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21553,7 +21553,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21561,7 +21561,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21569,7 +21569,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21577,7 +21577,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21585,7 +21585,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21593,7 +21593,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21601,7 +21601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21609,7 +21609,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21617,7 +21617,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21625,7 +21625,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21633,7 +21633,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21641,7 +21641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21649,7 +21649,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21657,7 +21657,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21665,7 +21665,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21673,7 +21673,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21681,7 +21681,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21689,7 +21689,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21697,7 +21697,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21705,7 +21705,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21713,7 +21713,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates 
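Review bot: Nothing visible in these hunks guards the format of the new `capability-id` values, and the hunk at -21665 shows why that matters: the old fixture keyed T1070.008 to `Information System Backup` while every neighbouring CP-9 row used `System Backup`, so grouping or joining on that field would have split one control into two. The same applies to the other hunks on L3052–L3072. This file looks like a regenerated expected-output fixture, so a golden-file comparison will only catch drift, not a malformed or revision-specific key. I would add a test assertion that every `capability-id` matches the control-identifier shape, for example `^[A-Z]{2}-\d+(\(\d+\))?$` (a constructed pattern, to be confirmed against the full control list). The control name no longer appears in the entry lines shown here, so it is also worth confirming that consumers which displayed it can still resolve it from the ID.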
@@ -21721,7 +21721,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -21729,7 +21729,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -21737,7 +21737,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -21745,7 +21745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -21753,7 +21753,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -21761,7 +21761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21769,7 +21769,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21777,7 +21777,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21785,7 +21785,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21793,7 +21793,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21801,7 +21801,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21809,7 +21809,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21817,7 +21817,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21825,7 +21825,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21833,7 +21833,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21841,7 +21841,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21849,7 +21849,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21857,7 +21857,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21865,7 +21865,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21873,7 +21873,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21881,7 +21881,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21889,7 +21889,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21897,7 +21897,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21905,7 +21905,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21913,7 +21913,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21921,7 +21921,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21929,7 +21929,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21937,7 +21937,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21945,7 +21945,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21953,7 +21953,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21961,7 +21961,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21969,7 +21969,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21977,7 +21977,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21985,7 +21985,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -21993,7 +21993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22001,7 +22001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22009,7 +22009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22017,7 +22017,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22025,7 +22025,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22033,7 +22033,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22041,7 +22041,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22049,7 +22049,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22057,7 +22057,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22065,7 +22065,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22073,7 +22073,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22081,7 +22081,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22089,7 +22089,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22097,7 +22097,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22105,7 +22105,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22113,7 +22113,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22121,7 +22121,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22129,7 +22129,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22137,7 +22137,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22145,7 +22145,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22153,7 +22153,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22161,7 +22161,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22169,7 +22169,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22177,7 +22177,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22185,7 +22185,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22193,7 +22193,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22201,7 +22201,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22209,7 +22209,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22217,7 +22217,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22225,7 +22225,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22233,7 +22233,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22241,7 +22241,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22249,7 +22249,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22257,7 +22257,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22265,7 +22265,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22273,7 +22273,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22281,7 +22281,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22289,7 +22289,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22297,7 +22297,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22305,7 +22305,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22313,7 +22313,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22321,7 +22321,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22329,7 +22329,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22337,7 +22337,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22345,7 +22345,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22353,7 +22353,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22361,7 +22361,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22369,7 +22369,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22377,7 +22377,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22385,7 +22385,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22393,7 +22393,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22401,7 +22401,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22409,7 +22409,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22417,7 +22417,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22425,7 +22425,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22433,7 +22433,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22441,7 +22441,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22449,7 +22449,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22457,7 +22457,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22465,7 +22465,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22473,7 +22473,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22481,7 +22481,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22489,7 +22489,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22497,7 +22497,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22505,7 +22505,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22513,7 +22513,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22521,7 +22521,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22529,7 +22529,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22537,7 +22537,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22545,7 +22545,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22553,7 +22553,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22561,7 +22561,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22569,7 +22569,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22577,7 +22577,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22585,7 +22585,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22593,7 +22593,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22601,7 +22601,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22609,7 +22609,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22617,7 +22617,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22625,7 +22625,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22633,7 +22633,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22641,7 +22641,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22649,7 +22649,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22657,7 +22657,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22665,7 +22665,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22673,7 +22673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22681,7 +22681,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22689,7 +22689,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22697,7 +22697,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22705,7 +22705,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22713,7 +22713,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22721,7 +22721,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22729,7 +22729,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22737,7 +22737,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22745,7 +22745,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22753,7 +22753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22761,7 +22761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22769,7 +22769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22777,7 +22777,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22785,7 +22785,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22793,7 +22793,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22801,7 +22801,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22809,7 +22809,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22817,7 +22817,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22825,7 +22825,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22833,7 +22833,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22841,7 +22841,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22849,7 +22849,7 @@ attack-objects: tags: [] - attack-object-id: T1619 attack-object-name: Cloud Storage Object Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22857,7 +22857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22865,7 +22865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22873,7 +22873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22881,7 +22881,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22889,7 +22889,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22897,7 +22897,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22905,7 +22905,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22913,7 +22913,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22921,7 +22921,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22929,7 +22929,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22937,7 +22937,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22945,7 +22945,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22953,7 +22953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22961,7 +22961,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22969,7 +22969,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22977,7 +22977,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22985,7 +22985,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -22993,7 +22993,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23001,7 +23001,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23009,7 +23009,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23017,7 +23017,7 @@ attack-objects: tags: [] - attack-object-id: T1556.006 attack-object-name: Multi-Factor Authentication - capability-id: Identification and Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23025,7 +23025,7 @@ attack-objects: tags: [] - attack-object-id: T1556.007 attack-object-name: Hybrid Identity - capability-id: Identification and Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23033,7 +23033,7 @@ attack-objects: tags: [] - attack-object-id: T1585.003 attack-object-name: Cloud Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23041,7 +23041,7 @@ attack-objects: tags: [] - attack-object-id: T1586.003 attack-object-name: Cloud Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23049,7 +23049,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: 'Identification and Authentication (Organizational Users) ' + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23057,7 +23057,7 @@ attack-objects: tags: [] - attack-object-id: T1649 attack-object-name: Steal or Forge Authentication Certificates - capability-id: 'Identification and Authentication (Organizational Users) ' + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23065,7 +23065,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23073,7 +23073,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23081,7 +23081,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23089,7 +23089,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23097,7 +23097,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23105,7 +23105,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23113,7 +23113,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23121,7 +23121,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: 'Device Identification and Authentication ' + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23129,7 +23129,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23137,7 +23137,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23145,7 +23145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23153,7 +23153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23161,7 +23161,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23169,7 +23169,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23177,7 +23177,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23185,7 +23185,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23193,7 +23193,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23201,7 +23201,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23209,7 +23209,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23217,7 +23217,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23225,7 +23225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23233,7 +23233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23241,7 +23241,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23249,7 +23249,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23257,7 +23257,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23265,7 +23265,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23273,7 +23273,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23281,7 +23281,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23289,7 +23289,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23297,7 +23297,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23305,7 +23305,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23313,7 +23313,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23321,7 +23321,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23329,7 +23329,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23337,7 +23337,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23345,7 +23345,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23353,7 +23353,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23361,7 +23361,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23369,7 +23369,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23377,7 +23377,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23385,7 +23385,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23393,7 +23393,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23401,7 +23401,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23409,7 +23409,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23417,7 +23417,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23425,7 +23425,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23433,7 +23433,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23441,7 +23441,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23449,7 +23449,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23457,7 +23457,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23465,7 +23465,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23473,7 +23473,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23481,7 +23481,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23489,7 +23489,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23497,7 +23497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23505,7 +23505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23513,7 +23513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23521,7 +23521,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23529,7 +23529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23537,7 +23537,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23545,7 +23545,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23553,7 +23553,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23561,7 +23561,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23569,7 +23569,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23577,7 +23577,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23585,7 +23585,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23593,7 +23593,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23601,7 +23601,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23609,7 +23609,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23617,7 +23617,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23625,7 +23625,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23633,7 +23633,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23641,7 +23641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23649,7 +23649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23657,7 +23657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23665,7 +23665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23673,7 +23673,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23681,7 +23681,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23689,7 +23689,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23697,7 +23697,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23705,7 +23705,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23713,7 +23713,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23721,7 +23721,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23729,7 +23729,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23737,7 +23737,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23745,7 +23745,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23753,7 +23753,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23761,7 +23761,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23769,7 +23769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23777,7 +23777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23785,7 +23785,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23793,7 +23793,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23801,7 +23801,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23809,7 +23809,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23817,7 +23817,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23825,7 +23825,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23833,7 +23833,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23841,7 +23841,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23849,7 +23849,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23857,7 +23857,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23865,7 +23865,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23873,7 +23873,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23881,7 +23881,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23889,7 +23889,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23897,7 +23897,7 @@ attack-objects: tags: [] - attack-object-id: T1556.005 attack-object-name: Reversible Encryption - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23905,7 +23905,7 @@ attack-objects: tags: [] - attack-object-id: T1621 attack-object-name: Multi-Factor Authentication Request Generation - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23913,7 +23913,7 @@ attack-objects: tags: [] - attack-object-id: T1649 attack-object-name: Steal or Forge Authentication Certificates - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23921,7 +23921,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23929,7 +23929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23937,7 +23937,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23945,7 +23945,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23953,7 +23953,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23961,7 +23961,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23969,7 +23969,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23977,7 +23977,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -23985,7 +23985,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -23993,7 +23993,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24001,7 +24001,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24009,7 +24009,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24017,7 +24017,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24025,7 +24025,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24033,7 +24033,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24041,7 +24041,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24049,7 +24049,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24057,7 +24057,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24065,7 +24065,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24073,7 +24073,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24081,7 +24081,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24089,7 +24089,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24097,7 +24097,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24105,7 +24105,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24113,7 +24113,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24121,7 +24121,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24129,7 +24129,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24137,7 +24137,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24145,7 +24145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24153,7 +24153,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24161,7 +24161,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24169,7 +24169,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24177,7 +24177,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24185,7 +24185,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24193,7 +24193,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24201,7 +24201,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24209,7 +24209,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24217,7 +24217,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24225,7 +24225,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24233,7 +24233,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -24241,7 +24241,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24249,7 +24249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24257,7 +24257,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24265,7 +24265,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24273,7 +24273,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24281,7 +24281,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24289,7 +24289,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24297,7 +24297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24305,7 +24305,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24313,7 +24313,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24321,7 +24321,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24329,7 +24329,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24337,7 +24337,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24345,7 +24345,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24353,7 +24353,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24361,7 +24361,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24369,7 +24369,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24377,7 +24377,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24385,7 +24385,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24393,7 +24393,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24401,7 +24401,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24409,7 +24409,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -24417,7 +24417,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Incident Monitoring + capability-id: IR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24425,7 +24425,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24433,7 +24433,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24441,7 +24441,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24449,7 +24449,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24457,7 +24457,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24465,7 +24465,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24473,7 +24473,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24481,7 +24481,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24489,7 +24489,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24497,7 +24497,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24505,7 +24505,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24513,7 +24513,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24521,7 +24521,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24529,7 +24529,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24537,7 +24537,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24545,7 +24545,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24553,7 +24553,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24561,7 +24561,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24569,7 +24569,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24577,7 +24577,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24585,7 +24585,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24593,7 +24593,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24601,7 +24601,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24609,7 +24609,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24617,7 +24617,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24625,7 +24625,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24633,7 +24633,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24641,7 +24641,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24649,7 +24649,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24657,7 +24657,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24665,7 +24665,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24673,7 +24673,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24681,7 +24681,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24689,7 +24689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24697,7 +24697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24705,7 +24705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24713,7 +24713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24721,7 +24721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24729,7 +24729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24737,7 +24737,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24745,7 +24745,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24753,7 +24753,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24761,7 +24761,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24769,7 +24769,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24777,7 +24777,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24785,7 +24785,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24793,7 +24793,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24801,7 +24801,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24809,7 +24809,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24817,7 +24817,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24825,7 +24825,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24833,7 +24833,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24841,7 +24841,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24849,7 +24849,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24857,7 +24857,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24865,7 +24865,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24873,7 +24873,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24881,7 +24881,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24889,7 +24889,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24897,7 +24897,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24905,7 +24905,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24913,7 +24913,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24921,7 +24921,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24929,7 +24929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24937,7 +24937,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24945,7 +24945,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24953,7 +24953,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24961,7 +24961,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24969,7 +24969,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24977,7 +24977,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24985,7 +24985,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -24993,7 +24993,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25001,7 +25001,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25009,7 +25009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25017,7 +25017,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25025,7 +25025,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25033,7 +25033,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25041,7 +25041,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25049,7 +25049,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25057,7 +25057,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25065,7 +25065,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25073,7 +25073,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25081,7 +25081,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25089,7 +25089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25097,7 +25097,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25105,7 +25105,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25113,7 +25113,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25121,7 +25121,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25129,7 +25129,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25137,7 +25137,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25145,7 +25145,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25153,7 +25153,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25161,7 +25161,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25169,7 +25169,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25177,7 +25177,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25185,7 +25185,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25193,7 +25193,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25201,7 +25201,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25209,7 +25209,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25217,7 +25217,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25225,7 +25225,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25233,7 +25233,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25241,7 +25241,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25249,7 +25249,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25257,7 +25257,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25265,7 +25265,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25273,7 +25273,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25281,7 +25281,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25289,7 +25289,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25297,7 +25297,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25305,7 +25305,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25313,7 +25313,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25321,7 +25321,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25329,7 +25329,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25337,7 +25337,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25345,7 +25345,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -25353,7 +25353,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25361,7 +25361,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25369,7 +25369,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25377,7 +25377,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25385,7 +25385,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25393,7 +25393,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25401,7 +25401,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25409,7 +25409,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25417,7 +25417,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25425,7 +25425,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25433,7 +25433,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -25441,7 +25441,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25449,7 +25449,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25457,7 +25457,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25465,7 +25465,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25473,7 +25473,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25481,7 +25481,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25489,7 +25489,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25497,7 +25497,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25505,7 +25505,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25513,7 +25513,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25521,7 +25521,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25529,7 +25529,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25537,7 +25537,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25545,7 +25545,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25553,7 +25553,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25561,7 +25561,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25569,7 +25569,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25577,7 +25577,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25585,7 +25585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25593,7 +25593,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25601,7 +25601,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25609,7 +25609,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25617,7 +25617,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25625,7 +25625,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25633,7 +25633,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25641,7 +25641,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25649,7 +25649,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25657,7 +25657,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25665,7 +25665,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25673,7 +25673,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25681,7 +25681,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25689,7 +25689,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25697,7 +25697,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25705,7 +25705,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25713,7 +25713,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25721,7 +25721,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25729,7 +25729,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25737,7 +25737,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25745,7 +25745,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25753,7 +25753,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25761,7 +25761,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25769,7 +25769,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25777,7 +25777,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25785,7 +25785,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25793,7 +25793,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25801,7 +25801,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25809,7 +25809,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25817,7 +25817,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25825,7 +25825,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25833,7 +25833,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25841,7 +25841,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25849,7 +25849,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25857,7 +25857,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25865,7 +25865,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25873,7 +25873,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25881,7 +25881,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25889,7 +25889,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25897,7 +25897,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25905,7 +25905,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -25913,7 +25913,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25921,7 +25921,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25929,7 +25929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25937,7 +25937,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25945,7 +25945,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25953,7 +25953,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25961,7 +25961,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25969,7 +25969,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25977,7 +25977,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25985,7 +25985,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -25993,7 +25993,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26001,7 +26001,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26009,7 +26009,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26017,7 +26017,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26025,7 +26025,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26033,7 +26033,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26041,7 +26041,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26049,7 +26049,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26057,7 +26057,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26065,7 +26065,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26073,7 +26073,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26081,7 +26081,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26089,7 +26089,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26097,7 +26097,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26105,7 +26105,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26113,7 +26113,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26121,7 +26121,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26129,7 +26129,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26137,7 +26137,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26145,7 +26145,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26153,7 +26153,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -26161,7 +26161,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26169,7 +26169,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26177,7 +26177,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26185,7 +26185,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26193,7 +26193,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -26201,7 +26201,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26209,7 +26209,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26217,7 +26217,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26225,7 +26225,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26233,7 +26233,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26241,7 +26241,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26249,7 +26249,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -26257,7 +26257,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26265,7 +26265,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26273,7 +26273,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26281,7 +26281,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26289,7 +26289,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26297,7 +26297,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26305,7 +26305,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26313,7 +26313,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26321,7 +26321,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26329,7 +26329,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26337,7 +26337,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26345,7 +26345,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26353,7 +26353,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26361,7 +26361,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26369,7 +26369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26377,7 +26377,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26385,7 +26385,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26393,7 +26393,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26401,7 +26401,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26409,7 +26409,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26417,7 +26417,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -26425,7 +26425,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -26433,7 +26433,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26441,7 +26441,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -26449,7 +26449,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: External System Services + capability-id: SA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -26457,7 +26457,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26465,7 +26465,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26473,7 +26473,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26481,7 +26481,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26489,7 +26489,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26497,7 +26497,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26505,7 +26505,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26513,7 +26513,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26521,7 +26521,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26529,7 +26529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26537,7 +26537,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26545,7 +26545,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26553,7 +26553,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26561,7 +26561,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26569,7 +26569,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26577,7 +26577,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -26585,7 +26585,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -26593,7 +26593,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -26601,7 +26601,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Cryptographic Protection + capability-id: SC-13 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26609,7 +26609,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26617,7 +26617,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26625,7 +26625,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26633,7 +26633,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26641,7 +26641,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -26649,7 +26649,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -26657,7 +26657,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26665,7 +26665,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26673,7 +26673,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26681,7 +26681,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26689,7 +26689,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26697,7 +26697,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26705,7 +26705,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26713,7 +26713,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26721,7 +26721,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26729,7 +26729,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26737,7 +26737,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26745,7 +26745,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26753,7 +26753,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26761,7 +26761,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26769,7 +26769,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26777,7 +26777,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26785,7 +26785,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26793,7 +26793,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26801,7 +26801,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26809,7 +26809,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26817,7 +26817,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26825,7 +26825,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26833,7 +26833,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26841,7 +26841,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26849,7 +26849,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26857,7 +26857,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26865,7 +26865,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26873,7 +26873,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26881,7 +26881,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26889,7 +26889,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26897,7 +26897,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26905,7 +26905,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26913,7 +26913,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26921,7 +26921,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26929,7 +26929,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26937,7 +26937,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26945,7 +26945,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -26953,7 +26953,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26961,7 +26961,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26969,7 +26969,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26977,7 +26977,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26985,7 +26985,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -26993,7 +26993,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27001,7 +27001,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27009,7 +27009,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27017,7 +27017,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27025,7 +27025,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27033,7 +27033,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27041,7 +27041,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27049,7 +27049,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27057,7 +27057,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27065,7 +27065,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27073,7 +27073,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27081,7 +27081,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27089,7 +27089,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27097,7 +27097,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27105,7 +27105,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27113,7 +27113,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27121,7 +27121,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -27129,7 +27129,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27137,7 +27137,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27145,7 +27145,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27153,7 +27153,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27161,7 +27161,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27169,7 +27169,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -27177,7 +27177,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27185,7 +27185,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27193,7 +27193,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27201,7 +27201,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27209,7 +27209,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27217,7 +27217,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27225,7 +27225,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -27233,7 +27233,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27241,7 +27241,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27249,7 +27249,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27257,7 +27257,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27265,7 +27265,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27273,7 +27273,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27281,7 +27281,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27289,7 +27289,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27297,7 +27297,7 @@ attack-objects: tags: [] - attack-object-id: T1535 attack-object-name: Unused/Unsupported Cloud Regions - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27305,7 +27305,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27313,7 +27313,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27321,7 +27321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27329,7 +27329,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27337,7 +27337,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27345,7 +27345,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27353,7 +27353,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27361,7 +27361,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27369,7 +27369,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27377,7 +27377,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27385,7 +27385,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27393,7 +27393,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -27401,7 +27401,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -27409,7 +27409,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -27417,7 +27417,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -27425,7 +27425,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27433,7 +27433,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27441,7 +27441,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27449,7 +27449,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27457,7 +27457,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27465,7 +27465,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27473,7 +27473,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27481,7 +27481,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27489,7 +27489,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27497,7 +27497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27505,7 +27505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27513,7 +27513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27521,7 +27521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27529,7 +27529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27537,7 +27537,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27545,7 +27545,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27553,7 +27553,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27561,7 +27561,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27569,7 +27569,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27577,7 +27577,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27585,7 +27585,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27593,7 +27593,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27601,7 +27601,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27609,7 +27609,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27617,7 +27617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27625,7 +27625,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27633,7 +27633,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27641,7 +27641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27649,7 +27649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27657,7 +27657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27665,7 +27665,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27673,7 +27673,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27681,7 +27681,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27689,7 +27689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27697,7 +27697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27705,7 +27705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27713,7 +27713,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27721,7 +27721,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27729,7 +27729,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27737,7 +27737,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -27745,7 +27745,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27753,7 +27753,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27761,7 +27761,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27769,7 +27769,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27777,7 +27777,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27785,7 +27785,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27793,7 +27793,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -27801,7 +27801,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27809,7 +27809,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27817,7 +27817,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27825,7 +27825,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27833,7 +27833,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27841,7 +27841,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27849,7 +27849,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27857,7 +27857,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27865,7 +27865,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27873,7 +27873,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27881,7 +27881,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27889,7 +27889,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27897,7 +27897,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27905,7 +27905,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27913,7 +27913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27921,7 +27921,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27929,7 +27929,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27937,7 +27937,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27945,7 +27945,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27953,7 +27953,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27961,7 +27961,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27969,7 +27969,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27977,7 +27977,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27985,7 +27985,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -27993,7 +27993,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -28001,7 +28001,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28009,7 +28009,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28017,7 +28017,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28025,7 +28025,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28033,7 +28033,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28041,7 +28041,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28049,7 +28049,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28057,7 +28057,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28065,7 +28065,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28073,7 +28073,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -28081,7 +28081,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28089,7 +28089,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28097,7 +28097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28105,7 +28105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28113,7 +28113,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28121,7 +28121,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28129,7 +28129,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28137,7 +28137,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28145,7 +28145,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28153,7 +28153,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28161,7 +28161,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28169,7 +28169,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28177,7 +28177,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28185,7 +28185,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28193,7 +28193,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -28201,7 +28201,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -28209,7 +28209,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -28217,7 +28217,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -28225,7 +28225,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -28233,7 +28233,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28241,7 +28241,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28249,7 +28249,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28257,7 +28257,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28265,7 +28265,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28273,7 +28273,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28281,7 +28281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -28289,7 +28289,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28297,7 +28297,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -28305,7 +28305,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -28313,7 +28313,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -28321,7 +28321,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -28329,7 +28329,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Operations Security + capability-id: SC-38 comments: '' mapping-description: '' mapping-type: mitigates @@ -28337,7 +28337,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Operations Security + capability-id: SC-38 comments: '' mapping-description: '' mapping-type: mitigates @@ -28345,7 +28345,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28353,7 +28353,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28361,7 +28361,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28369,7 +28369,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28377,7 +28377,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28385,7 +28385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28393,7 +28393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28401,7 +28401,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28409,7 +28409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28417,7 +28417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28425,7 +28425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28433,7 +28433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28441,7 +28441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28449,7 +28449,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28457,7 +28457,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28465,7 +28465,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28473,7 +28473,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28481,7 +28481,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28489,7 +28489,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28497,7 +28497,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28505,7 +28505,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28513,7 +28513,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -28521,7 +28521,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28529,7 +28529,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28537,7 +28537,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28545,7 +28545,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28553,7 +28553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28561,7 +28561,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28569,7 +28569,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28577,7 +28577,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28585,7 +28585,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28593,7 +28593,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28601,7 +28601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28609,7 +28609,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28617,7 +28617,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28625,7 +28625,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28633,7 +28633,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28641,7 +28641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28649,7 +28649,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28657,7 +28657,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28665,7 +28665,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28673,7 +28673,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28681,7 +28681,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28689,7 +28689,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28697,7 +28697,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28705,7 +28705,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28713,7 +28713,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28721,7 +28721,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28729,7 +28729,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28737,7 +28737,7 @@ attack-objects: tags: [] - attack-object-id: T1595.003 attack-object-name: Wordlist Scanning - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -28745,7 +28745,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -28753,7 +28753,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -28761,7 +28761,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28769,7 +28769,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -28777,7 +28777,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -28785,7 +28785,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Usage Restrictions + capability-id: SC-43 comments: '' mapping-description: '' mapping-type: mitigates @@ -28793,7 +28793,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Usage Restrictions + capability-id: SC-43 comments: '' mapping-description: '' mapping-type: mitigates @@ -28801,7 +28801,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28809,7 +28809,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28817,7 +28817,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28825,7 +28825,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28833,7 +28833,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28841,7 +28841,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28849,7 +28849,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28857,7 +28857,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28865,7 +28865,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28873,7 +28873,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28881,7 +28881,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28889,7 +28889,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28897,7 +28897,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28905,7 +28905,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28913,7 +28913,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28921,7 +28921,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28929,7 +28929,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28937,7 +28937,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28945,7 +28945,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28953,7 +28953,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28961,7 +28961,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28969,7 +28969,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -28977,7 +28977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28985,7 +28985,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -28993,7 +28993,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29001,7 +29001,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29009,7 +29009,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29017,7 +29017,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29025,7 +29025,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29033,7 +29033,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29041,7 +29041,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29049,7 +29049,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29057,7 +29057,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29065,7 +29065,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29073,7 +29073,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29081,7 +29081,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29089,7 +29089,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29097,7 +29097,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29105,7 +29105,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29113,7 +29113,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29121,7 +29121,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29129,7 +29129,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29137,7 +29137,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29145,7 +29145,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29153,7 +29153,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29161,7 +29161,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29169,7 +29169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29177,7 +29177,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29185,7 +29185,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29193,7 +29193,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29201,7 +29201,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -29209,7 +29209,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Resource Availability + capability-id: SC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -29217,7 +29217,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29225,7 +29225,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29233,7 +29233,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29241,7 +29241,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29249,7 +29249,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29257,7 +29257,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29265,7 +29265,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29273,7 +29273,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29281,7 +29281,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29289,7 +29289,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29297,7 +29297,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29305,7 +29305,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29313,7 +29313,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29321,7 +29321,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29329,7 +29329,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29337,7 +29337,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29345,7 +29345,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29353,7 +29353,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29361,7 +29361,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29369,7 +29369,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29377,7 +29377,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29385,7 +29385,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29393,7 +29393,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29401,7 +29401,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29409,7 +29409,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29417,7 +29417,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29425,7 +29425,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29433,7 +29433,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29441,7 +29441,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29449,7 +29449,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29457,7 +29457,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29465,7 +29465,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29473,7 +29473,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29481,7 +29481,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29489,7 +29489,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29497,7 +29497,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29505,7 +29505,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29513,7 +29513,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29521,7 +29521,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29529,7 +29529,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29537,7 +29537,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29545,7 +29545,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29553,7 +29553,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29561,7 +29561,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29569,7 +29569,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29577,7 +29577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29585,7 +29585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29593,7 +29593,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29601,7 +29601,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29609,7 +29609,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29617,7 +29617,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29625,7 +29625,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29633,7 +29633,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29641,7 +29641,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29649,7 +29649,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29657,7 +29657,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29665,7 +29665,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29673,7 +29673,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29681,7 +29681,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29689,7 +29689,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29697,7 +29697,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29705,7 +29705,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29713,7 +29713,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29721,7 +29721,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29729,7 +29729,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29737,7 +29737,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29745,7 +29745,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29753,7 +29753,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29761,7 +29761,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29769,7 +29769,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29777,7 +29777,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29785,7 +29785,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29793,7 +29793,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29801,7 +29801,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29809,7 +29809,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29817,7 +29817,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29825,7 +29825,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29833,7 +29833,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29841,7 +29841,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29849,7 +29849,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29857,7 +29857,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29865,7 +29865,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29873,7 +29873,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29881,7 +29881,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29889,7 +29889,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29897,7 +29897,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29905,7 +29905,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29913,7 +29913,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29921,7 +29921,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29929,7 +29929,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29937,7 +29937,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29945,7 +29945,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29953,7 +29953,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29961,7 +29961,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29969,7 +29969,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29977,7 +29977,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29985,7 +29985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -29993,7 +29993,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30001,7 +30001,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30009,7 +30009,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30017,7 +30017,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30025,7 +30025,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30033,7 +30033,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30041,7 +30041,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30049,7 +30049,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30057,7 +30057,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30065,7 +30065,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30073,7 +30073,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30081,7 +30081,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30089,7 +30089,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30097,7 +30097,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30105,7 +30105,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30113,7 +30113,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30121,7 +30121,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30129,7 +30129,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30137,7 +30137,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30145,7 +30145,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30153,7 +30153,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30161,7 +30161,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30169,7 +30169,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30177,7 +30177,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30185,7 +30185,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30193,7 +30193,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30201,7 +30201,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30209,7 +30209,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30217,7 +30217,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30225,7 +30225,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30233,7 +30233,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30241,7 +30241,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30249,7 +30249,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30257,7 +30257,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30265,7 +30265,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30273,7 +30273,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30281,7 +30281,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30289,7 +30289,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30297,7 +30297,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30305,7 +30305,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30313,7 +30313,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30321,7 +30321,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30329,7 +30329,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30337,7 +30337,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30345,7 +30345,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30353,7 +30353,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30361,7 +30361,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30369,7 +30369,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30377,7 +30377,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30385,7 +30385,7 @@ attack-objects: tags: [] - attack-object-id: T1583.007 attack-object-name: Serverless - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30393,7 +30393,7 @@ attack-objects: tags: [] - attack-object-id: T1584.007 attack-object-name: Serverless - capability-id: 'Boundary Protection ' + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -30401,7 +30401,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30409,7 +30409,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30417,7 +30417,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30425,7 +30425,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30433,7 +30433,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30441,7 +30441,7 @@ attack-objects: tags: [] - attack-object-id: T1090.004 attack-object-name: Domain Fronting - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30449,7 +30449,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30457,7 +30457,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30465,7 +30465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30473,7 +30473,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30481,7 +30481,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30489,7 +30489,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30497,7 +30497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30505,7 +30505,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30513,7 +30513,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30521,7 +30521,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30529,7 +30529,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -30537,7 +30537,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30545,7 +30545,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30553,7 +30553,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30561,7 +30561,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30569,7 +30569,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30577,7 +30577,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30585,7 +30585,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30593,7 +30593,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30601,7 +30601,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30609,7 +30609,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30617,7 +30617,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30625,7 +30625,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30633,7 +30633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30641,7 +30641,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30649,7 +30649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30657,7 +30657,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30665,7 +30665,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30673,7 +30673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30681,7 +30681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30689,7 +30689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30697,7 +30697,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30705,7 +30705,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30713,7 +30713,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30721,7 +30721,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30729,7 +30729,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30737,7 +30737,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30745,7 +30745,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30753,7 +30753,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30761,7 +30761,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30769,7 +30769,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30777,7 +30777,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30785,7 +30785,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30793,7 +30793,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30801,7 +30801,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30809,7 +30809,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30817,7 +30817,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30825,7 +30825,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30833,7 +30833,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30841,7 +30841,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30849,7 +30849,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30857,7 +30857,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30865,7 +30865,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30873,7 +30873,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30881,7 +30881,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30889,7 +30889,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30897,7 +30897,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30905,7 +30905,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30913,7 +30913,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30921,7 +30921,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30929,7 +30929,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30937,7 +30937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30945,7 +30945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30953,7 +30953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30961,7 +30961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30969,7 +30969,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30977,7 +30977,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30985,7 +30985,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -30993,7 +30993,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31001,7 +31001,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31009,7 +31009,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31017,7 +31017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31025,7 +31025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31033,7 +31033,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31041,7 +31041,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31049,7 +31049,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31057,7 +31057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31065,7 +31065,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31073,7 +31073,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31081,7 +31081,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31089,7 +31089,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31097,7 +31097,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31105,7 +31105,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31113,7 +31113,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31121,7 +31121,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31129,7 +31129,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31137,7 +31137,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31145,7 +31145,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31153,7 +31153,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31161,7 +31161,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31169,7 +31169,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31177,7 +31177,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31185,7 +31185,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31193,7 +31193,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31201,7 +31201,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31209,7 +31209,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31217,7 +31217,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31225,7 +31225,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31233,7 +31233,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31241,7 +31241,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31249,7 +31249,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31257,7 +31257,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31265,7 +31265,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31273,7 +31273,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31281,7 +31281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31289,7 +31289,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -31297,7 +31297,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31305,7 +31305,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31313,7 +31313,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31321,7 +31321,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31329,7 +31329,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31337,7 +31337,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31345,7 +31345,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31353,7 +31353,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31361,7 +31361,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31369,7 +31369,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31377,7 +31377,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31385,7 +31385,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31393,7 +31393,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31401,7 +31401,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31409,7 +31409,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31417,7 +31417,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31425,7 +31425,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31433,7 +31433,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31441,7 +31441,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31449,7 +31449,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31457,7 +31457,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31465,7 +31465,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31473,7 +31473,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31481,7 +31481,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31489,7 +31489,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31497,7 +31497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31505,7 +31505,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31513,7 +31513,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31521,7 +31521,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31529,7 +31529,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31537,7 +31537,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -31545,7 +31545,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31553,7 +31553,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31561,7 +31561,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31569,7 +31569,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31577,7 +31577,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31585,7 +31585,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -31593,7 +31593,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Non-persistence + capability-id: SI-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31601,7 +31601,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31609,7 +31609,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31617,7 +31617,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31625,7 +31625,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31633,7 +31633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31641,7 +31641,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31649,7 +31649,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31657,7 +31657,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31665,7 +31665,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31673,7 +31673,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31681,7 +31681,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31689,7 +31689,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31697,7 +31697,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31705,7 +31705,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31713,7 +31713,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31721,7 +31721,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31729,7 +31729,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31737,7 +31737,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31745,7 +31745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31753,7 +31753,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31761,7 +31761,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31769,7 +31769,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31777,7 +31777,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31785,7 +31785,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31793,7 +31793,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31801,7 +31801,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31809,7 +31809,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31817,7 +31817,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31825,7 +31825,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31833,7 +31833,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31841,7 +31841,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31849,7 +31849,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31857,7 +31857,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31865,7 +31865,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31873,7 +31873,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31881,7 +31881,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31889,7 +31889,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31897,7 +31897,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31905,7 +31905,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31913,7 +31913,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31921,7 +31921,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -31929,7 +31929,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31937,7 +31937,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31945,7 +31945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31953,7 +31953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31961,7 +31961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31969,7 +31969,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31977,7 +31977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31985,7 +31985,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -31993,7 +31993,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32001,7 +32001,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32009,7 +32009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32017,7 +32017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32025,7 +32025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32033,7 +32033,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32041,7 +32041,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32049,7 +32049,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32057,7 +32057,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32065,7 +32065,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32073,7 +32073,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32081,7 +32081,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32089,7 +32089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32097,7 +32097,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32105,7 +32105,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32113,7 +32113,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32121,7 +32121,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32129,7 +32129,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32137,7 +32137,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32145,7 +32145,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32153,7 +32153,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32161,7 +32161,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32169,7 +32169,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32177,7 +32177,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32185,7 +32185,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32193,7 +32193,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -32201,7 +32201,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32209,7 +32209,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32217,7 +32217,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32225,7 +32225,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32233,7 +32233,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32241,7 +32241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32249,7 +32249,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32257,7 +32257,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32265,7 +32265,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32273,7 +32273,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32281,7 +32281,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32289,7 +32289,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32297,7 +32297,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32305,7 +32305,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32313,7 +32313,7 @@ attack-objects: tags: [] - attack-object-id: T1213.003 attack-object-name: Code Repositories - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32321,7 +32321,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32329,7 +32329,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32337,7 +32337,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32345,7 +32345,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32353,7 +32353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32361,7 +32361,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32369,7 +32369,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32377,7 +32377,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32385,7 +32385,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32393,7 +32393,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32401,7 +32401,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32409,7 +32409,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32417,7 +32417,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32425,7 +32425,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32433,7 +32433,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32441,7 +32441,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32449,7 +32449,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32457,7 +32457,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32465,7 +32465,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32473,7 +32473,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32481,7 +32481,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32489,7 +32489,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32497,7 +32497,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32505,7 +32505,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32513,7 +32513,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32521,7 +32521,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32529,7 +32529,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32537,7 +32537,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32545,7 +32545,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32553,7 +32553,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32561,7 +32561,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32569,7 +32569,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32577,7 +32577,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32585,7 +32585,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32593,7 +32593,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32601,7 +32601,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32609,7 +32609,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32617,7 +32617,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32625,7 +32625,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32633,7 +32633,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32641,7 +32641,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32649,7 +32649,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32657,7 +32657,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32665,7 +32665,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32673,7 +32673,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32681,7 +32681,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32689,7 +32689,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32697,7 +32697,7 @@ attack-objects: tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32705,7 +32705,7 @@ attack-objects: tags: [] - attack-object-id: T1606.001 attack-object-name: Web Cookies - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32713,7 +32713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32721,7 +32721,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32729,7 +32729,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32737,7 +32737,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32745,7 +32745,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32753,7 +32753,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32761,7 +32761,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32769,7 +32769,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32777,7 +32777,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32785,7 +32785,7 @@ attack-objects: tags: [] - attack-object-id: T1027.007 attack-object-name: Dynamic API Resolution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32793,7 +32793,7 @@ attack-objects: tags: [] - attack-object-id: T1027.008 attack-object-name: Stripped Payloads - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32801,7 +32801,7 @@ attack-objects: tags: [] - attack-object-id: T1027.009 attack-object-name: Embedded Payloads - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32809,7 +32809,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32817,7 +32817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -32825,7 +32825,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -32833,7 +32833,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -32841,7 +32841,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -32849,7 +32849,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32857,7 +32857,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -32865,7 +32865,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -32873,7 +32873,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -32881,7 +32881,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32889,7 +32889,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32897,7 +32897,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32905,7 +32905,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32913,7 +32913,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32921,7 +32921,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32929,7 +32929,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32937,7 +32937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32945,7 +32945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32953,7 +32953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32961,7 +32961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32969,7 +32969,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32977,7 +32977,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32985,7 +32985,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -32993,7 +32993,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33001,7 +33001,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33009,7 +33009,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33017,7 +33017,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33025,7 +33025,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33033,7 +33033,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33041,7 +33041,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33049,7 +33049,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33057,7 +33057,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33065,7 +33065,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33073,7 +33073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33081,7 +33081,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33089,7 +33089,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33097,7 +33097,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33105,7 +33105,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33113,7 +33113,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33121,7 +33121,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33129,7 +33129,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33137,7 +33137,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33145,7 +33145,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33153,7 +33153,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33161,7 +33161,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33169,7 +33169,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33177,7 +33177,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33185,7 +33185,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33193,7 +33193,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33201,7 +33201,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33209,7 +33209,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33217,7 +33217,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33225,7 +33225,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33233,7 +33233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33241,7 +33241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33249,7 +33249,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33257,7 +33257,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33265,7 +33265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33273,7 +33273,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33281,7 +33281,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33289,7 +33289,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33297,7 +33297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33305,7 +33305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33313,7 +33313,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33321,7 +33321,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33329,7 +33329,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33337,7 +33337,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33345,7 +33345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33353,7 +33353,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33361,7 +33361,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33369,7 +33369,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33377,7 +33377,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33385,7 +33385,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33393,7 +33393,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33401,7 +33401,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33409,7 +33409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33417,7 +33417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33425,7 +33425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33433,7 +33433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33441,7 +33441,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33449,7 +33449,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33457,7 +33457,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33465,7 +33465,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33473,7 +33473,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33481,7 +33481,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33489,7 +33489,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33497,7 +33497,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33505,7 +33505,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33513,7 +33513,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33521,7 +33521,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33529,7 +33529,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33537,7 +33537,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33545,7 +33545,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33553,7 +33553,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33561,7 +33561,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33569,7 +33569,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33577,7 +33577,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33585,7 +33585,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33593,7 +33593,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33601,7 +33601,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33609,7 +33609,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33617,7 +33617,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33625,7 +33625,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33633,7 +33633,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33641,7 +33641,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33649,7 +33649,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33657,7 +33657,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33665,7 +33665,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33673,7 +33673,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33681,7 +33681,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33689,7 +33689,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33697,7 +33697,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33705,7 +33705,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33713,7 +33713,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33721,7 +33721,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33729,7 +33729,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33737,7 +33737,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33745,7 +33745,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33753,7 +33753,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33761,7 +33761,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33769,7 +33769,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33777,7 +33777,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33785,7 +33785,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33793,7 +33793,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33801,7 +33801,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33809,7 +33809,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33817,7 +33817,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33825,7 +33825,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33833,7 +33833,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33841,7 +33841,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33849,7 +33849,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33857,7 +33857,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33865,7 +33865,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33873,7 +33873,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33881,7 +33881,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33889,7 +33889,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33897,7 +33897,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33905,7 +33905,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33913,7 +33913,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33921,7 +33921,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33929,7 +33929,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33937,7 +33937,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33945,7 +33945,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33953,7 +33953,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33961,7 +33961,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33969,7 +33969,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33977,7 +33977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33985,7 +33985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -33993,7 +33993,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34001,7 +34001,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34009,7 +34009,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34017,7 +34017,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34025,7 +34025,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34033,7 +34033,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34041,7 +34041,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34049,7 +34049,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34057,7 +34057,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34065,7 +34065,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34073,7 +34073,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34081,7 +34081,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34089,7 +34089,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34097,7 +34097,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34105,7 +34105,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34113,7 +34113,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34121,7 +34121,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34129,7 +34129,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34137,7 +34137,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34145,7 +34145,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34153,7 +34153,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34161,7 +34161,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34169,7 +34169,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34177,7 +34177,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34185,7 +34185,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34193,7 +34193,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34201,7 +34201,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34209,7 +34209,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34217,7 +34217,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34225,7 +34225,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34233,7 +34233,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34241,7 +34241,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34249,7 +34249,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34257,7 +34257,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34265,7 +34265,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34273,7 +34273,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34281,7 +34281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34289,7 +34289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34297,7 +34297,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34305,7 +34305,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34313,7 +34313,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34321,7 +34321,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34329,7 +34329,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34337,7 +34337,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34345,7 +34345,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34353,7 +34353,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34361,7 +34361,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34369,7 +34369,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34377,7 +34377,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34385,7 +34385,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34393,7 +34393,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34401,7 +34401,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34409,7 +34409,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34417,7 +34417,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34425,7 +34425,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34433,7 +34433,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34441,7 +34441,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34449,7 +34449,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34457,7 +34457,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34465,7 +34465,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34473,7 +34473,7 @@ attack-objects: tags: [] - attack-object-id: T1027.007 attack-object-name: Dynamic API Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34481,7 +34481,7 @@ attack-objects: tags: [] - attack-object-id: T1027.008 attack-object-name: Stripped Payloads - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34489,7 +34489,7 @@ attack-objects: tags: [] - attack-object-id: T1027.009 attack-object-name: Embedded Payloads - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34497,7 +34497,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34505,7 +34505,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34513,7 +34513,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34521,7 +34521,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34529,7 +34529,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34537,7 +34537,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -34545,7 +34545,7 @@ attack-objects: tags: [] - attack-object-id: T1055.015 attack-object-name: ListPlanting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34553,7 +34553,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34561,7 +34561,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34569,7 +34569,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34577,7 +34577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34585,7 +34585,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34593,7 +34593,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34601,7 +34601,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34609,7 +34609,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34617,7 +34617,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34625,7 +34625,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34633,7 +34633,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34641,7 +34641,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34649,7 +34649,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34657,7 +34657,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34665,7 +34665,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34673,7 +34673,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34681,7 +34681,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34689,7 +34689,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34697,7 +34697,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34705,7 +34705,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34713,7 +34713,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34721,7 +34721,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34729,7 +34729,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34737,7 +34737,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34745,7 +34745,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34753,7 +34753,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34761,7 +34761,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34769,7 +34769,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34777,7 +34777,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34785,7 +34785,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34793,7 +34793,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34801,7 +34801,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34809,7 +34809,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34817,7 +34817,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34825,7 +34825,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34833,7 +34833,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34841,7 +34841,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34849,7 +34849,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34857,7 +34857,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34865,7 +34865,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34873,7 +34873,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34881,7 +34881,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34889,7 +34889,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34897,7 +34897,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34905,7 +34905,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34913,7 +34913,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34921,7 +34921,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34929,7 +34929,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34937,7 +34937,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34945,7 +34945,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34953,7 +34953,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34961,7 +34961,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34969,7 +34969,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34977,7 +34977,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34985,7 +34985,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34993,7 +34993,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35001,7 +35001,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35009,7 +35009,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35017,7 +35017,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35025,7 +35025,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35033,7 +35033,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35041,7 +35041,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35049,7 +35049,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35057,7 +35057,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35065,7 +35065,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35073,7 +35073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.003 attack-object-name: Web Shell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35081,7 +35081,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35089,7 +35089,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35097,7 +35097,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35105,7 +35105,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35113,7 +35113,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35121,7 +35121,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35129,7 +35129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35137,7 +35137,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35145,7 +35145,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35153,7 +35153,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35161,7 +35161,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35169,7 +35169,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35177,7 +35177,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35185,7 +35185,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35193,7 +35193,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35201,7 +35201,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35209,7 +35209,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35217,7 +35217,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35225,7 +35225,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35233,7 +35233,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35241,7 +35241,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35249,7 +35249,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35257,7 +35257,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35265,7 +35265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35273,7 +35273,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35281,7 +35281,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35289,7 +35289,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35297,7 +35297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35305,7 +35305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35313,7 +35313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35321,7 +35321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.010 attack-object-name: Downgrade Attack - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35329,7 +35329,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35337,7 +35337,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35345,7 +35345,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35353,7 +35353,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35361,7 +35361,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35369,7 +35369,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35377,7 +35377,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35385,7 +35385,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35393,7 +35393,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35401,7 +35401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35409,7 +35409,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35417,7 +35417,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35425,7 +35425,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35433,7 +35433,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35441,7 +35441,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35449,7 +35449,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35457,7 +35457,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35465,7 +35465,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35473,7 +35473,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35481,7 +35481,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35489,7 +35489,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35497,7 +35497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35505,7 +35505,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35513,7 +35513,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35521,7 +35521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35529,7 +35529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35537,7 +35537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35545,7 +35545,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35553,7 +35553,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35561,7 +35561,7 @@ attack-objects: tags: [] - attack-object-id: T1025 attack-object-name: Data from Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35569,7 +35569,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35577,7 +35577,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35585,7 +35585,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35593,7 +35593,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35601,7 +35601,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35609,7 +35609,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35617,7 +35617,7 @@ attack-objects: tags: [] - attack-object-id: T1036.007 attack-object-name: Double File Extension - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35625,7 +35625,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35633,7 +35633,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35641,7 +35641,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35649,7 +35649,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35657,7 +35657,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35665,7 +35665,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35673,7 +35673,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35681,7 +35681,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35689,7 +35689,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35697,7 +35697,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35705,7 +35705,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35713,7 +35713,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35721,7 +35721,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35729,7 +35729,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35737,7 +35737,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35745,7 +35745,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35753,7 +35753,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35761,7 +35761,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35769,7 +35769,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35777,7 +35777,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35785,7 +35785,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35793,7 +35793,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35801,7 +35801,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35809,7 +35809,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35817,7 +35817,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35825,7 +35825,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35833,7 +35833,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35841,7 +35841,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35849,7 +35849,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35857,7 +35857,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35865,7 +35865,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35873,7 +35873,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35881,7 +35881,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35889,7 +35889,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35897,7 +35897,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35905,7 +35905,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35913,7 +35913,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35921,7 +35921,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35929,7 +35929,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35937,7 +35937,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35945,7 +35945,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -35953,7 +35953,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35961,7 +35961,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35969,7 +35969,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35977,7 +35977,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35985,7 +35985,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -35993,7 +35993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36001,7 +36001,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36009,7 +36009,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36017,7 +36017,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36025,7 +36025,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36033,7 +36033,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36041,7 +36041,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36049,7 +36049,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36057,7 +36057,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36065,7 +36065,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36073,7 +36073,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36081,7 +36081,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36089,7 +36089,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36097,7 +36097,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36105,7 +36105,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36113,7 +36113,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36121,7 +36121,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36129,7 +36129,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36137,7 +36137,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36145,7 +36145,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36153,7 +36153,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36161,7 +36161,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36169,7 +36169,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36177,7 +36177,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36185,7 +36185,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36193,7 +36193,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36201,7 +36201,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36209,7 +36209,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36217,7 +36217,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36225,7 +36225,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36233,7 +36233,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36241,7 +36241,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36249,7 +36249,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36257,7 +36257,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36265,7 +36265,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36273,7 +36273,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36281,7 +36281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36289,7 +36289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36297,7 +36297,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36305,7 +36305,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36313,7 +36313,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36321,7 +36321,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36329,7 +36329,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36337,7 +36337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36345,7 +36345,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36353,7 +36353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36361,7 +36361,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36369,7 +36369,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36377,7 +36377,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36385,7 +36385,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36393,7 +36393,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36401,7 +36401,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36409,7 +36409,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36417,7 +36417,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36425,7 +36425,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36433,7 +36433,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36441,7 +36441,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36449,7 +36449,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36457,7 +36457,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36465,7 +36465,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36473,7 +36473,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36481,7 +36481,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36489,7 +36489,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36497,7 +36497,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36505,7 +36505,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36513,7 +36513,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36521,7 +36521,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36529,7 +36529,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36537,7 +36537,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36545,7 +36545,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36553,7 +36553,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36561,7 +36561,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36569,7 +36569,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36577,7 +36577,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36585,7 +36585,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36593,7 +36593,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36601,7 +36601,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36609,7 +36609,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36617,7 +36617,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36625,7 +36625,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36633,7 +36633,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36641,7 +36641,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36649,7 +36649,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36657,7 +36657,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36665,7 +36665,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36673,7 +36673,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36681,7 +36681,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36689,7 +36689,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36697,7 +36697,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36705,7 +36705,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36713,7 +36713,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36721,7 +36721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36729,7 +36729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36737,7 +36737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36745,7 +36745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36753,7 +36753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36761,7 +36761,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36769,7 +36769,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36777,7 +36777,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36785,7 +36785,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36793,7 +36793,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36801,7 +36801,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36809,7 +36809,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36817,7 +36817,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36825,7 +36825,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36833,7 +36833,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36841,7 +36841,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36849,7 +36849,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36857,7 +36857,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36865,7 +36865,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36873,7 +36873,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36881,7 +36881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36889,7 +36889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36897,7 +36897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36905,7 +36905,7 @@ attack-objects: tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36913,7 +36913,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36921,7 +36921,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36929,7 +36929,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36937,7 +36937,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36945,7 +36945,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36953,7 +36953,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36961,7 +36961,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36969,7 +36969,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -36977,7 +36977,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36985,7 +36985,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -36993,7 +36993,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37001,7 +37001,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37009,7 +37009,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37017,7 +37017,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37025,7 +37025,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37033,7 +37033,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37041,7 +37041,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37049,7 +37049,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37057,7 +37057,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37065,7 +37065,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37073,7 +37073,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37081,7 +37081,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37089,7 +37089,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37097,7 +37097,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37105,7 +37105,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37113,7 +37113,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37121,7 +37121,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37129,7 +37129,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37137,7 +37137,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37145,7 +37145,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37153,7 +37153,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37161,7 +37161,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37169,7 +37169,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37177,7 +37177,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37185,7 +37185,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37193,7 +37193,7 @@ attack-objects: tags: [] - attack-object-id: T1557.003 attack-object-name: DHCP Spoofing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37201,7 +37201,7 @@ attack-objects: tags: [] - attack-object-id: T1027.007 attack-object-name: Dynamic API Resolution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37209,7 +37209,7 @@ attack-objects: tags: [] - attack-object-id: T1027.008 attack-object-name: Stripped Payloads - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37217,7 +37217,7 @@ attack-objects: tags: [] - attack-object-id: T1027.009 attack-object-name: Embedded Payloads - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37225,7 +37225,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37233,7 +37233,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37241,7 +37241,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37249,7 +37249,7 @@ attack-objects: tags: [] - attack-object-id: T1505.005 attack-object-name: Terminal Services DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37257,7 +37257,7 @@ attack-objects: tags: [] - attack-object-id: T1546.016 attack-object-name: Installer Packages - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37265,7 +37265,7 @@ attack-objects: tags: [] - attack-object-id: T1559.003 attack-object-name: XPC Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37273,7 +37273,7 @@ attack-objects: tags: [] - attack-object-id: T1564.010 attack-object-name: Process Argument Spoofing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37281,7 +37281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37289,7 +37289,7 @@ attack-objects: tags: [] - attack-object-id: T1622 attack-object-name: Debugger Evasion - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37297,7 +37297,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37305,7 +37305,7 @@ attack-objects: tags: [] - attack-object-id: T1648 attack-object-name: Serverless Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37313,7 +37313,7 @@ attack-objects: tags: [] - attack-object-id: T1205.002 attack-object-name: Socket Filters - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -37321,7 +37321,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37329,7 +37329,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37337,7 +37337,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -37345,7 +37345,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37353,7 +37353,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37361,7 +37361,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37369,7 +37369,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37377,7 +37377,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37385,7 +37385,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37393,7 +37393,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37401,7 +37401,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37409,7 +37409,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37417,7 +37417,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37425,7 +37425,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37433,7 +37433,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37441,7 +37441,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37449,7 +37449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37457,7 +37457,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37465,7 +37465,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37473,7 +37473,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37481,7 +37481,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37489,7 +37489,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37497,7 +37497,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37505,7 +37505,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37513,7 +37513,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37521,7 +37521,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37529,7 +37529,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37537,7 +37537,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37545,7 +37545,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37553,7 +37553,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37561,7 +37561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37569,7 +37569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37577,7 +37577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37585,7 +37585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37593,7 +37593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37601,7 +37601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37609,7 +37609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.013 attack-object-name: Mavinject - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37617,7 +37617,7 @@ attack-objects: tags: [] - attack-object-id: T1218.014 attack-object-name: MMC - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37625,7 +37625,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37633,7 +37633,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37641,7 +37641,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37649,7 +37649,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37657,7 +37657,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37665,7 +37665,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37673,7 +37673,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37681,7 +37681,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37689,7 +37689,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37697,7 +37697,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37705,7 +37705,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37713,7 +37713,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37721,7 +37721,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37729,7 +37729,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37737,7 +37737,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37745,7 +37745,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37753,7 +37753,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37761,7 +37761,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37769,7 +37769,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37777,7 +37777,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37785,7 +37785,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37793,7 +37793,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37801,7 +37801,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37809,7 +37809,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37817,7 +37817,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37825,7 +37825,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37833,7 +37833,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37841,7 +37841,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37849,7 +37849,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37857,7 +37857,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37865,7 +37865,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37873,7 +37873,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37881,7 +37881,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37889,7 +37889,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37897,7 +37897,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37905,7 +37905,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37913,7 +37913,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37921,7 +37921,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37929,7 +37929,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37937,7 +37937,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37945,7 +37945,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37953,7 +37953,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37961,7 +37961,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -37969,7 +37969,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37977,7 +37977,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37985,7 +37985,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -37993,7 +37993,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38001,7 +38001,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38009,7 +38009,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38017,7 +38017,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38025,7 +38025,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38033,7 +38033,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38041,7 +38041,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38049,7 +38049,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38057,7 +38057,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38065,7 +38065,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38073,7 +38073,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38081,7 +38081,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38089,7 +38089,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38097,7 +38097,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38105,7 +38105,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Browser Session Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38113,7 +38113,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38121,7 +38121,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38129,7 +38129,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38137,7 +38137,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38145,7 +38145,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38153,7 +38153,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38161,7 +38161,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38169,7 +38169,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38177,7 +38177,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38185,7 +38185,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38193,7 +38193,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38201,7 +38201,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38209,7 +38209,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38217,7 +38217,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38225,7 +38225,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38233,7 +38233,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38241,7 +38241,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38249,7 +38249,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38257,7 +38257,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38265,7 +38265,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38273,7 +38273,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38281,7 +38281,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38289,7 +38289,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38297,7 +38297,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38305,7 +38305,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38313,7 +38313,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38321,7 +38321,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38329,7 +38329,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38337,7 +38337,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38345,7 +38345,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38353,7 +38353,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38361,7 +38361,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38369,7 +38369,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38377,7 +38377,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38385,7 +38385,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38393,7 +38393,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38401,7 +38401,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38409,7 +38409,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38417,7 +38417,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38425,7 +38425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38433,7 +38433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38441,7 +38441,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38449,7 +38449,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38457,7 +38457,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38465,7 +38465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38473,7 +38473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38481,7 +38481,7 @@ attack-objects: tags: [] - attack-object-id: T1562.009 attack-object-name: Safe Mode Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38489,7 +38489,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38497,7 +38497,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38505,7 +38505,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38513,7 +38513,7 @@ attack-objects: tags: [] - attack-object-id: T1564.008 attack-object-name: Email Hiding Rules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38521,7 +38521,7 @@ attack-objects: tags: [] - attack-object-id: T1564.009 attack-object-name: Resource Forking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38529,7 +38529,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38537,7 +38537,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38545,7 +38545,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38553,7 +38553,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38561,7 +38561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38569,7 +38569,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38577,7 +38577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38585,7 +38585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38593,7 +38593,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38601,7 +38601,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38609,7 +38609,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38617,7 +38617,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38625,7 +38625,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38633,7 +38633,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38641,7 +38641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38649,7 +38649,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38657,7 +38657,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38665,7 +38665,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38673,7 +38673,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38681,7 +38681,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38689,7 +38689,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38697,7 +38697,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38705,7 +38705,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38713,7 +38713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38721,7 +38721,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38729,7 +38729,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38737,7 +38737,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Adversary-in-the-Middle - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38745,7 +38745,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38753,7 +38753,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38761,7 +38761,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38769,7 +38769,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38777,7 +38777,7 @@ attack-objects: tags: [] - attack-object-id: T1027.007 attack-object-name: Dynamic API Resolution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38785,7 +38785,7 @@ attack-objects: tags: [] - attack-object-id: T1027.008 attack-object-name: Stripped Payloads - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38793,7 +38793,7 @@ attack-objects: tags: [] - attack-object-id: T1027.009 attack-object-name: Embedded Payloads - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38801,7 +38801,7 @@ attack-objects: tags: [] - attack-object-id: T1070.007 attack-object-name: Clear Network Connection History and Configurations - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38809,7 +38809,7 @@ attack-objects: tags: [] - attack-object-id: T1070.008 attack-object-name: Clear Mailbox Data - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38817,7 +38817,7 @@ attack-objects: tags: [] - attack-object-id: T1070.009 attack-object-name: Clear Persistence - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38825,7 +38825,7 @@ attack-objects: tags: [] - attack-object-id: T1564.010 attack-object-name: Process Argument Spoofing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38833,7 +38833,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38841,7 +38841,7 @@ attack-objects: tags: [] - attack-object-id: T1574.013 attack-object-name: KernelCallbackTable - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38849,7 +38849,7 @@ attack-objects: tags: [] - attack-object-id: T1647 attack-object-name: Plist File Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -38857,7 +38857,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38865,7 +38865,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38873,7 +38873,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38881,7 +38881,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38889,7 +38889,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38897,7 +38897,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38905,7 +38905,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38913,7 +38913,7 @@ attack-objects: tags: [] - attack-object-id: T1137.006 attack-object-name: Add-ins - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38921,7 +38921,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38929,7 +38929,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38937,7 +38937,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38945,7 +38945,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38953,7 +38953,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38961,7 +38961,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38969,7 +38969,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38977,7 +38977,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -38985,7 +38985,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -38993,7 +38993,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -39001,7 +39001,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -39009,7 +39009,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -39017,7 +39017,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39025,7 +39025,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39033,7 +39033,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39041,7 +39041,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39049,7 +39049,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -39057,7 +39057,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39065,7 +39065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39073,7 +39073,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39081,7 +39081,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39089,7 +39089,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39097,7 +39097,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -39105,7 +39105,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39113,7 +39113,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -39121,7 +39121,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39129,7 +39129,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39137,7 +39137,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39145,7 +39145,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39153,7 +39153,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39161,7 +39161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39169,7 +39169,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39177,7 +39177,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -39185,7 +39185,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39193,7 +39193,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39201,7 +39201,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39209,7 +39209,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39217,7 +39217,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39225,7 +39225,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39233,7 +39233,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -39241,7 +39241,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -39249,7 +39249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39257,7 +39257,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39265,7 +39265,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39273,7 +39273,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39281,7 +39281,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39289,7 +39289,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39297,7 +39297,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -39305,7 +39305,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39313,7 +39313,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39321,7 +39321,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39329,7 +39329,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -39337,7 +39337,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39345,7 +39345,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39353,7 +39353,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -39361,7 +39361,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39369,7 +39369,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39377,7 +39377,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39385,7 +39385,7 @@ attack-objects: tags: [] - attack-object-id: T1505.004 attack-object-name: IIS Components - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39393,7 +39393,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39401,7 +39401,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39409,7 +39409,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -39417,7 +39417,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -39425,7 +39425,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_attack_objects.csv new file mode 100644 index 00000000..a29d462a --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_attack_objects.csv 
@@ -0,0 +1,4930 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1556.006,Multi-Factor Authentication,[],[],,AC-1,mitigates,5 +1,,T1556.007,Hybrid Identity,[],[],,AC-1,mitigates,5 +2,,T1137,Office Application Startup,[],[],,AC-10,mitigates,5 +3,,T1137.002,Office Test,[],[],,AC-10,mitigates,5 +4,,T1185,Browser Session Hijacking,[],[],,AC-10,mitigates,5 +5,,T1528,Steal Application Access Token,[],[],,AC-10,mitigates,5 +6,,T1021.001,Remote Desktop Protocol,[],[],,AC-11,mitigates,5 +7,,T1563.002,RDP Hijacking,[],[],,AC-11,mitigates,5 +8,,T1021.001,Remote Desktop Protocol,[],[],,AC-12,mitigates,5 +9,,T1072,Software Deployment Tools,[],[],,AC-12,mitigates,5 +10,,T1185,Browser Session Hijacking,[],[],,AC-12,mitigates,5 +11,,T1563.002,RDP Hijacking,[],[],,AC-12,mitigates,5 +12,,T1505.005,Terminal Services DLL,[],[],,AC-12,mitigates,5 +13,,T1137.002,Office Test,[],[],,AC-14,mitigates,5 +14,,T1020.001,Traffic Duplication,[],[],,AC-16,mitigates,5 +15,,T1070,Indicator Removal on Host,[],[],,AC-16,mitigates,5 +16,,T1070.001,Clear Windows Event Logs,[],[],,AC-16,mitigates,5 +17,,T1222,File and Directory Permissions Modification,[],[],,AC-16,mitigates,5 +18,,T1505,Server Software Component,[],[],,AC-16,mitigates,5 +19,,T1537,Transfer Data to Cloud Account,[],[],,AC-16,mitigates,5 +20,,T1547.007,Re-opened Applications,[],[],,AC-16,mitigates,5 +21,,T1548.003,Sudo and Sudo Caching,[],[],,AC-16,mitigates,5 +22,,T1550.001,Application Access Token,[],[],,AC-16,mitigates,5 +23,,T1552.005,Cloud Instance Metadata API,[],[],,AC-16,mitigates,5 +24,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-16,mitigates,5 +25,,T1558.003,Kerberoasting,[],[],,AC-16,mitigates,5 +26,,T1565,Data Manipulation,[],[],,AC-16,mitigates,5 +27,,T1565.001,Stored Data Manipulation,[],[],,AC-16,mitigates,5 +28,,T1565.002,Transmitted Data Manipulation,[],[],,AC-16,mitigates,5 +29,,T1567,Exfiltration Over Web 
Service,[],[],,AC-16,mitigates,5 +30,,T1602.002,Network Device Configuration Dump,[],[],,AC-16,mitigates,5 +31,,T1003,OS Credential Dumping,[],[],,AC-16,mitigates,5 +32,,T1025,Data from Removable Media,[],[],,AC-16,mitigates,5 +33,,T1041,Exfiltration Over C2 Channel,[],[],,AC-16,mitigates,5 +34,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-16,mitigates,5 +35,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-16,mitigates,5 +36,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-16,mitigates,5 +37,,T1052,Exfiltration Over Physical Medium,[],[],,AC-16,mitigates,5 +38,,T1052.001,Exfiltration over USB,[],[],,AC-16,mitigates,5 +39,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-16,mitigates,5 +40,,T1114,Email Collection,[],[],,AC-16,mitigates,5 +41,,T1114.001,Local Email Collection,[],[],,AC-16,mitigates,5 +42,,T1114.002,Remote Email Collection,[],[],,AC-16,mitigates,5 +43,,T1114.003,Email Forwarding Rule,[],[],,AC-16,mitigates,5 +44,,T1213,Data from Information Repositories,[],[],,AC-16,mitigates,5 +45,,T1213.001,Confluence,[],[],,AC-16,mitigates,5 +46,,T1213.002,Sharepoint,[],[],,AC-16,mitigates,5 +47,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-16,mitigates,5 +48,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-16,mitigates,5 +49,,T1505.002,Transport Agent,[],[],,AC-16,mitigates,5 +50,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-16,mitigates,5 +51,,T1552,Unsecured Credentials,[],[],,AC-16,mitigates,5 +52,,T1552.004,Private Keys,[],[],,AC-16,mitigates,5 +53,,T1557.002,ARP Cache Poisoning,[],[],,AC-16,mitigates,5 +54,,T1558.002,Silver Ticket,[],[],,AC-16,mitigates,5 +55,,T1558.004,AS-REP Roasting,[],[],,AC-16,mitigates,5 +56,,T1564.004,NTFS File Attributes,[],[],,AC-16,mitigates,5 +57,,T1602,Data from Configuration Repository,[],[],,AC-16,mitigates,5 +58,,T1602.001,SNMP (MIB Dump),[],[],,AC-16,mitigates,5 
+59,,T1003.003,NTDS,[],[],,AC-16,mitigates,5 +60,,T1005,Data from Local System,[],[],,AC-16,mitigates,5 +61,,T1040,Network Sniffing,[],[],,AC-16,mitigates,5 +62,,T1119,Automated Collection,[],[],,AC-16,mitigates,5 +63,,T1530,Data from Cloud Storage Object,[],[],,AC-16,mitigates,5 +64,,T1557,Adversary-in-the-Middle,[],[],,AC-16,mitigates,5 +65,,T1070.008,Clear Mailbox Data,[],[],,AC-16,mitigates,5 +66,,T1647,Plist File Modification,[],[],,AC-16,mitigates,5 +67,,T1020.001,Traffic Duplication,[],[],,AC-17,mitigates,5 +68,,T1021.001,Remote Desktop Protocol,[],[],,AC-17,mitigates,5 +69,,T1047,Windows Management Instrumentation,[],[],,AC-17,mitigates,5 +70,,T1059,Command and Scripting Interpreter,[],[],,AC-17,mitigates,5 +71,,T1059.001,PowerShell,[],[],,AC-17,mitigates,5 +72,,T1059.002,AppleScript,[],[],,AC-17,mitigates,5 +73,,T1059.005,Visual Basic,[],[],,AC-17,mitigates,5 +74,,T1059.008,Network Device CLI,[],[],,AC-17,mitigates,5 +75,,T1070,Indicator Removal on Host,[],[],,AC-17,mitigates,5 +76,,T1070.001,Clear Windows Event Logs,[],[],,AC-17,mitigates,5 +77,,T1219,Remote Access Software,[],[],,AC-17,mitigates,5 +78,,T1537,Transfer Data to Cloud Account,[],[],,AC-17,mitigates,5 +79,,T1543,Create or Modify System Process,[],[],,AC-17,mitigates,5 +80,,T1547.003,Time Providers,[],[],,AC-17,mitigates,5 +81,,T1547.004,Winlogon Helper DLL,[],[],,AC-17,mitigates,5 +82,,T1547.009,Shortcut Modification,[],[],,AC-17,mitigates,5 +83,,T1550.001,Application Access Token,[],[],,AC-17,mitigates,5 +84,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-17,mitigates,5 +85,,T1558.003,Kerberoasting,[],[],,AC-17,mitigates,5 +86,,T1565,Data Manipulation,[],[],,AC-17,mitigates,5 +87,,T1565.001,Stored Data Manipulation,[],[],,AC-17,mitigates,5 +88,,T1565.002,Transmitted Data Manipulation,[],[],,AC-17,mitigates,5 +89,,T1602.002,Network Device Configuration Dump,[],[],,AC-17,mitigates,5 +90,,T1609,Container Administration Command,[],[],,AC-17,mitigates,5 +91,,T1610,Deploy 
Container,[],[],,AC-17,mitigates,5 +92,,T1021,Remote Services,[],[],,AC-17,mitigates,5 +93,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-17,mitigates,5 +94,,T1021.003,Distributed Component Object Model,[],[],,AC-17,mitigates,5 +95,,T1021.004,SSH,[],[],,AC-17,mitigates,5 +96,,T1021.005,VNC,[],[],,AC-17,mitigates,5 +97,,T1021.006,Windows Remote Management,[],[],,AC-17,mitigates,5 +98,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-17,mitigates,5 +99,,T1037.001,Logon Script (Windows),[],[],,AC-17,mitigates,5 +100,,T1059.003,Windows Command Shell,[],[],,AC-17,mitigates,5 +101,,T1059.004,Unix Shell,[],[],,AC-17,mitigates,5 +102,,T1059.006,Python,[],[],,AC-17,mitigates,5 +103,,T1059.007,JavaScript,[],[],,AC-17,mitigates,5 +104,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-17,mitigates,5 +105,,T1114,Email Collection,[],[],,AC-17,mitigates,5 +106,,T1114.001,Local Email Collection,[],[],,AC-17,mitigates,5 +107,,T1114.002,Remote Email Collection,[],[],,AC-17,mitigates,5 +108,,T1114.003,Email Forwarding Rule,[],[],,AC-17,mitigates,5 +109,,T1137,Office Application Startup,[],[],,AC-17,mitigates,5 +110,,T1137.002,Office Test,[],[],,AC-17,mitigates,5 +111,,T1213,Data from Information Repositories,[],[],,AC-17,mitigates,5 +112,,T1213.001,Confluence,[],[],,AC-17,mitigates,5 +113,,T1213.002,Sharepoint,[],[],,AC-17,mitigates,5 +114,,T1505.004,IIS Components,[],[],,AC-17,mitigates,5 +115,,T1547.012,Print Processors,[],[],,AC-17,mitigates,5 +116,,T1547.013,XDG Autostart Entries,[],[],,AC-17,mitigates,5 +117,,T1552,Unsecured Credentials,[],[],,AC-17,mitigates,5 +118,,T1552.002,Credentials in Registry,[],[],,AC-17,mitigates,5 +119,,T1552.004,Private Keys,[],[],,AC-17,mitigates,5 +120,,T1557.002,ARP Cache Poisoning,[],[],,AC-17,mitigates,5 +121,,T1558.002,Silver Ticket,[],[],,AC-17,mitigates,5 +122,,T1558.004,AS-REP Roasting,[],[],,AC-17,mitigates,5 +123,,T1563,Remote Service Session Hijacking,[],[],,AC-17,mitigates,5 +124,,T1563.001,SSH Hijacking,[],[],,AC-17,mitigates,5 
+125,,T1563.002,RDP Hijacking,[],[],,AC-17,mitigates,5 +126,,T1602,Data from Configuration Repository,[],[],,AC-17,mitigates,5 +127,,T1602.001,SNMP (MIB Dump),[],[],,AC-17,mitigates,5 +128,,T1612,Build Image on Host,[],[],,AC-17,mitigates,5 +129,,T1613,Container and Resource Discovery,[],[],,AC-17,mitigates,5 +130,,T1619,Cloud Storage Object Discovery,[],[],,AC-17,mitigates,5 +131,,T1040,Network Sniffing,[],[],,AC-17,mitigates,5 +132,,T1119,Automated Collection,[],[],,AC-17,mitigates,5 +133,,T1133,External Remote Services,[],[],,AC-17,mitigates,5 +134,,T1530,Data from Cloud Storage Object,[],[],,AC-17,mitigates,5 +135,,T1552.007,Container API,[],[],,AC-17,mitigates,5 +136,,T1557,Adversary-in-the-Middle,[],[],,AC-17,mitigates,5 +137,,T1070.008,Clear Mailbox Data,[],[],,AC-17,mitigates,5 +138,,T1505.005,Terminal Services DLL,[],[],,AC-17,mitigates,5 +139,,T1647,Plist File Modification,[],[],,AC-17,mitigates,5 +140,,T1011,Exfiltration Over Other Network Medium,[],[],,AC-18,mitigates,5 +141,,T1011.001,Exfiltration Over Bluetooth,[],[],,AC-18,mitigates,5 +142,,T1020.001,Traffic Duplication,[],[],,AC-18,mitigates,5 +143,,T1070,Indicator Removal on Host,[],[],,AC-18,mitigates,5 +144,,T1070.001,Clear Windows Event Logs,[],[],,AC-18,mitigates,5 +145,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-18,mitigates,5 +146,,T1558.003,Kerberoasting,[],[],,AC-18,mitigates,5 +147,,T1565,Data Manipulation,[],[],,AC-18,mitigates,5 +148,,T1565.001,Stored Data Manipulation,[],[],,AC-18,mitigates,5 +149,,T1565.002,Transmitted Data Manipulation,[],[],,AC-18,mitigates,5 +150,,T1602.002,Network Device Configuration Dump,[],[],,AC-18,mitigates,5 +151,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-18,mitigates,5 +152,,T1552,Unsecured Credentials,[],[],,AC-18,mitigates,5 +153,,T1552.004,Private Keys,[],[],,AC-18,mitigates,5 +154,,T1557.002,ARP Cache Poisoning,[],[],,AC-18,mitigates,5 +155,,T1558.002,Silver Ticket,[],[],,AC-18,mitigates,5 +156,,T1558.004,AS-REP 
Roasting,[],[],,AC-18,mitigates,5 +157,,T1602,Data from Configuration Repository,[],[],,AC-18,mitigates,5 +158,,T1602.001,SNMP (MIB Dump),[],[],,AC-18,mitigates,5 +159,,T1040,Network Sniffing,[],[],,AC-18,mitigates,5 +160,,T1119,Automated Collection,[],[],,AC-18,mitigates,5 +161,,T1530,Data from Cloud Storage Object,[],[],,AC-18,mitigates,5 +162,,T1557,Adversary-in-the-Middle,[],[],,AC-18,mitigates,5 +163,,T1070.008,Clear Mailbox Data,[],[],,AC-18,mitigates,5 +164,,T1020.001,Traffic Duplication,[],[],,AC-19,mitigates,5 +165,,T1070,Indicator Removal on Host,[],[],,AC-19,mitigates,5 +166,,T1070.001,Clear Windows Event Logs,[],[],,AC-19,mitigates,5 +167,,T1550.001,Application Access Token,[],[],,AC-19,mitigates,5 +168,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-19,mitigates,5 +169,,T1558.003,Kerberoasting,[],[],,AC-19,mitigates,5 +170,,T1565,Data Manipulation,[],[],,AC-19,mitigates,5 +171,,T1565.001,Stored Data Manipulation,[],[],,AC-19,mitigates,5 +172,,T1565.002,Transmitted Data Manipulation,[],[],,AC-19,mitigates,5 +173,,T1602.002,Network Device Configuration Dump,[],[],,AC-19,mitigates,5 +174,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-19,mitigates,5 +175,,T1114,Email Collection,[],[],,AC-19,mitigates,5 +176,,T1114.001,Local Email Collection,[],[],,AC-19,mitigates,5 +177,,T1114.002,Remote Email Collection,[],[],,AC-19,mitigates,5 +178,,T1114.003,Email Forwarding Rule,[],[],,AC-19,mitigates,5 +179,,T1552,Unsecured Credentials,[],[],,AC-19,mitigates,5 +180,,T1552.004,Private Keys,[],[],,AC-19,mitigates,5 +181,,T1557.002,ARP Cache Poisoning,[],[],,AC-19,mitigates,5 +182,,T1558.002,Silver Ticket,[],[],,AC-19,mitigates,5 +183,,T1558.004,AS-REP Roasting,[],[],,AC-19,mitigates,5 +184,,T1602,Data from Configuration Repository,[],[],,AC-19,mitigates,5 +185,,T1602.001,SNMP (MIB Dump),[],[],,AC-19,mitigates,5 +186,,T1040,Network Sniffing,[],[],,AC-19,mitigates,5 +187,,T1119,Automated Collection,[],[],,AC-19,mitigates,5 +188,,T1530,Data from Cloud Storage 
Object,[],[],,AC-19,mitigates,5 +189,,T1557,Adversary-in-the-Middle,[],[],,AC-19,mitigates,5 +190,,T1070.008,Clear Mailbox Data,[],[],,AC-19,mitigates,5 +191,,T1021.001,Remote Desktop Protocol,[],[],,AC-2,mitigates,5 +192,,T1047,Windows Management Instrumentation,[],[],,AC-2,mitigates,5 +193,,T1053,Scheduled Task/Job,[],[],,AC-2,mitigates,5 +194,,T1053.002,At (Windows),[],[],,AC-2,mitigates,5 +195,,T1053.003,Cron,[],[],,AC-2,mitigates,5 +196,,T1053.005,Scheduled Task,[],[],,AC-2,mitigates,5 +197,,T1059,Command and Scripting Interpreter,[],[],,AC-2,mitigates,5 +198,,T1059.001,PowerShell,[],[],,AC-2,mitigates,5 +199,,T1059.002,AppleScript,[],[],,AC-2,mitigates,5 +200,,T1059.005,Visual Basic,[],[],,AC-2,mitigates,5 +201,,T1059.008,Network Device CLI,[],[],,AC-2,mitigates,5 +202,,T1070,Indicator Removal on Host,[],[],,AC-2,mitigates,5 +203,,T1070.001,Clear Windows Event Logs,[],[],,AC-2,mitigates,5 +204,,T1070.003,Clear Command History,[],[],,AC-2,mitigates,5 +205,,T1078.002,Domain Accounts,[],[],,AC-2,mitigates,5 +206,,T1078.004,Cloud Accounts,[],[],,AC-2,mitigates,5 +207,,T1098,Account Manipulation,[],[],,AC-2,mitigates,5 +208,,T1098.001,Additional Cloud Credentials,[],[],,AC-2,mitigates,5 +209,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-2,mitigates,5 +210,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-2,mitigates,5 +211,,T1190,Exploit Public-Facing Application,[],[],,AC-2,mitigates,5 +212,,T1197,BITS Jobs,[],[],,AC-2,mitigates,5 +213,,T1210,Exploitation of Remote Services,[],[],,AC-2,mitigates,5 +214,,T1213.003,Code Repositories,[],[],,AC-2,mitigates,5 +215,,T1218.007,Msiexec,[],[],,AC-2,mitigates,5 +216,,T1222,File and Directory Permissions Modification,[],[],,AC-2,mitigates,5 +217,,T1495,Firmware Corruption,[],[],,AC-2,mitigates,5 +218,,T1505,Server Software Component,[],[],,AC-2,mitigates,5 +219,,T1505.003,Web Shell,[],[],,AC-2,mitigates,5 +220,,T1525,Implant Internal Image,[],[],,AC-2,mitigates,5 +221,,T1537,Transfer Data to Cloud 
Account,[],[],,AC-2,mitigates,5 +222,,T1543,Create or Modify System Process,[],[],,AC-2,mitigates,5 +223,,T1543.001,Launch Agent,[],[],,AC-2,mitigates,5 +224,,T1543.003,Windows Service,[],[],,AC-2,mitigates,5 +225,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-2,mitigates,5 +226,,T1547.004,Winlogon Helper DLL,[],[],,AC-2,mitigates,5 +227,,T1547.006,Kernel Modules and Extensions,[],[],,AC-2,mitigates,5 +228,,T1547.009,Shortcut Modification,[],[],,AC-2,mitigates,5 +229,,T1548.002,Bypass User Account Control,[],[],,AC-2,mitigates,5 +230,,T1548.003,Sudo and Sudo Caching,[],[],,AC-2,mitigates,5 +231,,T1556.004,Network Device Authentication,[],[],,AC-2,mitigates,5 +232,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-2,mitigates,5 +233,,T1558.003,Kerberoasting,[],[],,AC-2,mitigates,5 +234,,T1559,Inter-Process Communication,[],[],,AC-2,mitigates,5 +235,,T1562,Impair Defenses,[],[],,AC-2,mitigates,5 +236,,T1562.001,Disable or Modify Tools,[],[],,AC-2,mitigates,5 +237,,T1562.006,Indicator Blocking,[],[],,AC-2,mitigates,5 +238,,T1562.008,Disable Cloud Logs,[],[],,AC-2,mitigates,5 +239,,T1567,Exfiltration Over Web Service,[],[],,AC-2,mitigates,5 +240,,T1574,Hijack Execution Flow,[],[],,AC-2,mitigates,5 +241,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-2,mitigates,5 +242,,T1609,Container Administration Command,[],[],,AC-2,mitigates,5 +243,,T1610,Deploy Container,[],[],,AC-2,mitigates,5 +244,,T1003,OS Credential Dumping,[],[],,AC-2,mitigates,5 +245,,T1003.004,LSA Secrets,[],[],,AC-2,mitigates,5 +246,,T1003.005,Cached Domain Credentials,[],[],,AC-2,mitigates,5 +247,,T1003.006,DCSync,[],[],,AC-2,mitigates,5 +248,,T1003.007,Proc Filesystem,[],[],,AC-2,mitigates,5 +249,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-2,mitigates,5 +250,,T1021,Remote Services,[],[],,AC-2,mitigates,5 +251,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-2,mitigates,5 +252,,T1021.003,Distributed Component Object Model,[],[],,AC-2,mitigates,5 
+253,,T1021.004,SSH,[],[],,AC-2,mitigates,5 +254,,T1021.005,VNC,[],[],,AC-2,mitigates,5 +255,,T1021.006,Windows Remote Management,[],[],,AC-2,mitigates,5 +256,,T1025,Data from Removable Media,[],[],,AC-2,mitigates,5 +257,,T1036,Masquerading,[],[],,AC-2,mitigates,5 +258,,T1036.003,Rename System Utilities,[],[],,AC-2,mitigates,5 +259,,T1036.005,Match Legitimate Name or Location,[],[],,AC-2,mitigates,5 +260,,T1041,Exfiltration Over C2 Channel,[],[],,AC-2,mitigates,5 +261,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-2,mitigates,5 +262,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-2,mitigates,5 +263,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-2,mitigates,5 +264,,T1052,Exfiltration Over Physical Medium,[],[],,AC-2,mitigates,5 +265,,T1052.001,Exfiltration over USB,[],[],,AC-2,mitigates,5 +266,,T1053.006,Systemd Timers,[],[],,AC-2,mitigates,5 +267,,T1053.007,Container Orchestration Job,[],[],,AC-2,mitigates,5 +268,,T1055.008,Ptrace System Calls,[],[],,AC-2,mitigates,5 +269,,T1056.003,Web Portal Capture,[],[],,AC-2,mitigates,5 +270,,T1059.003,Windows Command Shell,[],[],,AC-2,mitigates,5 +271,,T1059.004,Unix Shell,[],[],,AC-2,mitigates,5 +272,,T1059.006,Python,[],[],,AC-2,mitigates,5 +273,,T1059.007,JavaScript,[],[],,AC-2,mitigates,5 +274,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-2,mitigates,5 +275,,T1072,Software Deployment Tools,[],[],,AC-2,mitigates,5 +276,,T1078.001,Default Accounts,[],[],,AC-2,mitigates,5 +277,,T1078.003,Local Accounts,[],[],,AC-2,mitigates,5 +278,,T1087.004,Cloud Account,[],[],,AC-2,mitigates,5 +279,,T1110,Brute Force,[],[],,AC-2,mitigates,5 +280,,T1110.003,Password Spraying,[],[],,AC-2,mitigates,5 +281,,T1110.004,Credential Stuffing,[],[],,AC-2,mitigates,5 +282,,T1134,Access Token Manipulation,[],[],,AC-2,mitigates,5 +283,,T1134.001,Token Impersonation/Theft,[],[],,AC-2,mitigates,5 +284,,T1134.002,Create Process with Token,[],[],,AC-2,mitigates,5 +285,,T1134.003,Make 
and Impersonate Token,[],[],,AC-2,mitigates,5 +286,,T1136,Create Account,[],[],,AC-2,mitigates,5 +287,,T1136.001,Local Account,[],[],,AC-2,mitigates,5 +288,,T1136.002,Domain Account,[],[],,AC-2,mitigates,5 +289,,T1136.003,Cloud Account,[],[],,AC-2,mitigates,5 +290,,T1185,Browser Session Hijacking,[],[],,AC-2,mitigates,5 +291,,T1213,Data from Information Repositories,[],[],,AC-2,mitigates,5 +292,,T1213.001,Confluence,[],[],,AC-2,mitigates,5 +293,,T1213.002,Sharepoint,[],[],,AC-2,mitigates,5 +294,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-2,mitigates,5 +295,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-2,mitigates,5 +296,,T1484,Domain Policy Modification,[],[],,AC-2,mitigates,5 +297,,T1489,Service Stop,[],[],,AC-2,mitigates,5 +298,,T1505.002,Transport Agent,[],[],,AC-2,mitigates,5 +299,,T1538,Cloud Service Dashboard,[],[],,AC-2,mitigates,5 +300,,T1542,Pre-OS Boot,[],[],,AC-2,mitigates,5 +301,,T1542.001,System Firmware,[],[],,AC-2,mitigates,5 +302,,T1542.003,Bootkit,[],[],,AC-2,mitigates,5 +303,,T1542.005,TFTP Boot,[],[],,AC-2,mitigates,5 +304,,T1543.002,Systemd Service,[],[],,AC-2,mitigates,5 +305,,T1543.004,Launch Daemon,[],[],,AC-2,mitigates,5 +306,,T1547.012,Print Processors,[],[],,AC-2,mitigates,5 +307,,T1547.013,XDG Autostart Entries,[],[],,AC-2,mitigates,5 +308,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-2,mitigates,5 +309,,T1550,Use Alternate Authentication Material,[],[],,AC-2,mitigates,5 +310,,T1550.002,Pass the Hash,[],[],,AC-2,mitigates,5 +311,,T1550.003,Pass the Ticket,[],[],,AC-2,mitigates,5 +312,,T1552,Unsecured Credentials,[],[],,AC-2,mitigates,5 +313,,T1552.001,Credentials In Files,[],[],,AC-2,mitigates,5 +314,,T1552.002,Credentials in Registry,[],[],,AC-2,mitigates,5 +315,,T1552.004,Private Keys,[],[],,AC-2,mitigates,5 +316,,T1552.006,Group Policy Preferences,[],[],,AC-2,mitigates,5 +317,,T1556.001,Domain Controller Authentication,[],[],,AC-2,mitigates,5 +318,,T1556.003,Pluggable 
Authentication Modules,[],[],,AC-2,mitigates,5 +319,,T1558.001,Golden Ticket,[],[],,AC-2,mitigates,5 +320,,T1558.002,Silver Ticket,[],[],,AC-2,mitigates,5 +321,,T1558.004,AS-REP Roasting,[],[],,AC-2,mitigates,5 +322,,T1559.001,Component Object Model,[],[],,AC-2,mitigates,5 +323,,T1562.002,Disable Windows Event Logging,[],[],,AC-2,mitigates,5 +324,,T1562.004,Disable or Modify System Firewall,[],[],,AC-2,mitigates,5 +325,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-2,mitigates,5 +326,,T1562.009,Safe Mode Boot,[],[],,AC-2,mitigates,5 +327,,T1563,Remote Service Session Hijacking,[],[],,AC-2,mitigates,5 +328,,T1563.001,SSH Hijacking,[],[],,AC-2,mitigates,5 +329,,T1563.002,RDP Hijacking,[],[],,AC-2,mitigates,5 +330,,T1569,System Services,[],[],,AC-2,mitigates,5 +331,,T1569.001,Launchctl,[],[],,AC-2,mitigates,5 +332,,T1569.002,Service Execution,[],[],,AC-2,mitigates,5 +333,,T1574.004,Dylib Hijacking,[],[],,AC-2,mitigates,5 +334,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-2,mitigates,5 +335,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-2,mitigates,5 +336,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-2,mitigates,5 +337,,T1574.010,Services File Permissions Weakness,[],[],,AC-2,mitigates,5 +338,,T1574.012,COR_PROFILER,[],[],,AC-2,mitigates,5 +339,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-2,mitigates,5 +340,,T1578.001,Create Snapshot,[],[],,AC-2,mitigates,5 +341,,T1578.002,Create Cloud Instance,[],[],,AC-2,mitigates,5 +342,,T1578.003,Delete Cloud Instance,[],[],,AC-2,mitigates,5 +343,,T1599.001,Network Address Translation Traversal,[],[],,AC-2,mitigates,5 +344,,T1601,Modify System Image,[],[],,AC-2,mitigates,5 +345,,T1601.001,Patch System Image,[],[],,AC-2,mitigates,5 +346,,T1601.002,Downgrade System Image,[],[],,AC-2,mitigates,5 +347,,T1606,Forge Web Credentials,[],[],,AC-2,mitigates,5 +348,,T1606.001,Web Cookies,[],[],,AC-2,mitigates,5 +349,,T1606.002,SAML Tokens,[],[],,AC-2,mitigates,5 
+350,,T1612,Build Image on Host,[],[],,AC-2,mitigates,5 +351,,T1613,Container and Resource Discovery,[],[],,AC-2,mitigates,5 +352,,T1619,Cloud Storage Object Discovery,[],[],,AC-2,mitigates,5 +353,,T1003.001,LSASS Memory,[],[],,AC-2,mitigates,5 +354,,T1003.002,Security Account Manager,[],[],,AC-2,mitigates,5 +355,,T1003.003,NTDS,[],[],,AC-2,mitigates,5 +356,,T1005,Data from Local System,[],[],,AC-2,mitigates,5 +357,,T1055,Process Injection,[],[],,AC-2,mitigates,5 +358,,T1068,Exploitation for Privilege Escalation,[],[],,AC-2,mitigates,5 +359,,T1078,Valid Accounts,[],[],,AC-2,mitigates,5 +360,,T1110.001,Password Guessing,[],[],,AC-2,mitigates,5 +361,,T1110.002,Password Cracking,[],[],,AC-2,mitigates,5 +362,,T1212,Exploitation for Credential Access,[],[],,AC-2,mitigates,5 +363,,T1218,Signed Binary Proxy Execution,[],[],,AC-2,mitigates,5 +364,,T1528,Steal Application Access Token,[],[],,AC-2,mitigates,5 +365,,T1530,Data from Cloud Storage Object,[],[],,AC-2,mitigates,5 +366,,T1552.007,Container API,[],[],,AC-2,mitigates,5 +367,,T1556,Modify Authentication Process,[],[],,AC-2,mitigates,5 +368,,T1580,Cloud Infrastructure Discovery,[],[],,AC-2,mitigates,5 +369,,T1599,Network Boundary Bridging,[],[],,AC-2,mitigates,5 +370,,T1611,Escape to Host,[],[],,AC-2,mitigates,5 +371,,T1070.007,Clear Network Connection History and Configurations,[],[],,AC-2,mitigates,5 +372,,T1070.008,Clear Mailbox Data,[],[],,AC-2,mitigates,5 +373,,T1070.009,Clear Persistence,[],[],,AC-2,mitigates,5 +374,,T1098.005,Device Registration,[],[],,AC-2,mitigates,5 +375,,T1505.005,Terminal Services DLL,[],[],,AC-2,mitigates,5 +376,,T1648,Serverless Execution,[],[],,AC-2,mitigates,5 +377,,T1556.005,Reversible Encryption,[],[],,AC-2,mitigates,5 +378,,T1556.006,Multi-Factor Authentication,[],[],,AC-2,mitigates,5 +379,,T1556.007,Hybrid Identity,[],[],,AC-2,mitigates,5 +380,,T1585.003,Cloud Accounts,[],[],,AC-2,mitigates,5 +381,,T1586.003,Cloud Accounts,[],[],,AC-2,mitigates,5 +382,,T1621,Multi-Factor 
Authentication Request Generation,[],[],,AC-2,mitigates,5 +383,,T1020.001,Traffic Duplication,[],[],,AC-20,mitigates,5 +384,,T1021.001,Remote Desktop Protocol,[],[],,AC-20,mitigates,5 +385,,T1078.002,Domain Accounts,[],[],,AC-20,mitigates,5 +386,,T1078.004,Cloud Accounts,[],[],,AC-20,mitigates,5 +387,,T1098.001,Additional Cloud Credentials,[],[],,AC-20,mitigates,5 +388,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-20,mitigates,5 +389,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-20,mitigates,5 +390,,T1537,Transfer Data to Cloud Account,[],[],,AC-20,mitigates,5 +391,,T1550.001,Application Access Token,[],[],,AC-20,mitigates,5 +392,,T1552.005,Cloud Instance Metadata API,[],[],,AC-20,mitigates,5 +393,,T1556.004,Network Device Authentication,[],[],,AC-20,mitigates,5 +394,,T1565,Data Manipulation,[],[],,AC-20,mitigates,5 +395,,T1565.001,Stored Data Manipulation,[],[],,AC-20,mitigates,5 +396,,T1565.002,Transmitted Data Manipulation,[],[],,AC-20,mitigates,5 +397,,T1567,Exfiltration Over Web Service,[],[],,AC-20,mitigates,5 +398,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-20,mitigates,5 +399,,T1602.002,Network Device Configuration Dump,[],[],,AC-20,mitigates,5 +400,,T1021,Remote Services,[],[],,AC-20,mitigates,5 +401,,T1021.004,SSH,[],[],,AC-20,mitigates,5 +402,,T1041,Exfiltration Over C2 Channel,[],[],,AC-20,mitigates,5 +403,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-20,mitigates,5 +404,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-20,mitigates,5 +405,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-20,mitigates,5 +406,,T1052,Exfiltration Over Physical Medium,[],[],,AC-20,mitigates,5 +407,,T1052.001,Exfiltration over USB,[],[],,AC-20,mitigates,5 +408,,T1072,Software Deployment Tools,[],[],,AC-20,mitigates,5 +409,,T1110,Brute Force,[],[],,AC-20,mitigates,5 +410,,T1110.003,Password Spraying,[],[],,AC-20,mitigates,5 +411,,T1110.004,Credential 
Stuffing,[],[],,AC-20,mitigates,5 +412,,T1114,Email Collection,[],[],,AC-20,mitigates,5 +413,,T1114.001,Local Email Collection,[],[],,AC-20,mitigates,5 +414,,T1114.002,Remote Email Collection,[],[],,AC-20,mitigates,5 +415,,T1114.003,Email Forwarding Rule,[],[],,AC-20,mitigates,5 +416,,T1134.005,SID-History Injection,[],[],,AC-20,mitigates,5 +417,,T1136,Create Account,[],[],,AC-20,mitigates,5 +418,,T1136.001,Local Account,[],[],,AC-20,mitigates,5 +419,,T1136.002,Domain Account,[],[],,AC-20,mitigates,5 +420,,T1136.003,Cloud Account,[],[],,AC-20,mitigates,5 +421,,T1539,Steal Web Session Cookie,[],[],,AC-20,mitigates,5 +422,,T1552,Unsecured Credentials,[],[],,AC-20,mitigates,5 +423,,T1552.004,Private Keys,[],[],,AC-20,mitigates,5 +424,,T1556.001,Domain Controller Authentication,[],[],,AC-20,mitigates,5 +425,,T1556.003,Pluggable Authentication Modules,[],[],,AC-20,mitigates,5 +426,,T1557.002,ARP Cache Poisoning,[],[],,AC-20,mitigates,5 +427,,T1567.001,Exfiltration to Code Repository,[],[],,AC-20,mitigates,5 +428,,T1602,Data from Configuration Repository,[],[],,AC-20,mitigates,5 +429,,T1602.001,SNMP (MIB Dump),[],[],,AC-20,mitigates,5 +430,,T1110.001,Password Guessing,[],[],,AC-20,mitigates,5 +431,,T1110.002,Password Cracking,[],[],,AC-20,mitigates,5 +432,,T1119,Automated Collection,[],[],,AC-20,mitigates,5 +433,,T1133,External Remote Services,[],[],,AC-20,mitigates,5 +434,,T1200,Hardware Additions,[],[],,AC-20,mitigates,5 +435,,T1530,Data from Cloud Storage Object,[],[],,AC-20,mitigates,5 +436,,T1556,Modify Authentication Process,[],[],,AC-20,mitigates,5 +437,,T1557,Adversary-in-the-Middle,[],[],,AC-20,mitigates,5 +438,,T1098.004,SSH Authorized Keys,[],[],,AC-20,mitigates,5 +439,,T1098.005,Device Registration,[],[],,AC-20,mitigates,5 +440,,T1505.005,Terminal Services DLL,[],[],,AC-20,mitigates,5 +441,,T1583.007,Serverless,[],[],,AC-20,mitigates,5 +442,,T1584.007,Serverless,[],[],,AC-20,mitigates,5 +443,,T1213,Data from Information Repositories,[],[],,AC-21,mitigates,5 
+444,,T1213.001,Confluence,[],[],,AC-21,mitigates,5 +445,,T1213.002,Sharepoint,[],[],,AC-21,mitigates,5 +446,,T1567,Exfiltration Over Web Service,[],[],,AC-23,mitigates,5 +447,,T1025,Data from Removable Media,[],[],,AC-23,mitigates,5 +448,,T1041,Exfiltration Over C2 Channel,[],[],,AC-23,mitigates,5 +449,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-23,mitigates,5 +450,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-23,mitigates,5 +451,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-23,mitigates,5 +452,,T1052,Exfiltration Over Physical Medium,[],[],,AC-23,mitigates,5 +453,,T1052.001,Exfiltration over USB,[],[],,AC-23,mitigates,5 +454,,T1213,Data from Information Repositories,[],[],,AC-23,mitigates,5 +455,,T1213.001,Confluence,[],[],,AC-23,mitigates,5 +456,,T1213.002,Sharepoint,[],[],,AC-23,mitigates,5 +457,,T1005,Data from Local System,[],[],,AC-23,mitigates,5 +458,,T1133,External Remote Services,[],[],,AC-23,mitigates,5 +459,,T1552.007,Container API,[],[],,AC-23,mitigates,5 +460,,T1021.001,Remote Desktop Protocol,[],[],,AC-3,mitigates,5 +461,,T1037.002,Logon Script (Mac),[],[],,AC-3,mitigates,5 +462,,T1037.005,Startup Items,[],[],,AC-3,mitigates,5 +463,,T1047,Windows Management Instrumentation,[],[],,AC-3,mitigates,5 +464,,T1053,Scheduled Task/Job,[],[],,AC-3,mitigates,5 +465,,T1053.002,At (Windows),[],[],,AC-3,mitigates,5 +466,,T1053.003,Cron,[],[],,AC-3,mitigates,5 +467,,T1053.005,Scheduled Task,[],[],,AC-3,mitigates,5 +468,,T1059,Command and Scripting Interpreter,[],[],,AC-3,mitigates,5 +469,,T1059.001,PowerShell,[],[],,AC-3,mitigates,5 +470,,T1059.002,AppleScript,[],[],,AC-3,mitigates,5 +471,,T1059.005,Visual Basic,[],[],,AC-3,mitigates,5 +472,,T1059.008,Network Device CLI,[],[],,AC-3,mitigates,5 +473,,T1070,Indicator Removal on Host,[],[],,AC-3,mitigates,5 +474,,T1070.001,Clear Windows Event Logs,[],[],,AC-3,mitigates,5 +475,,T1070.003,Clear Command History,[],[],,AC-3,mitigates,5 
+476,,T1078.002,Domain Accounts,[],[],,AC-3,mitigates,5 +477,,T1078.004,Cloud Accounts,[],[],,AC-3,mitigates,5 +478,,T1095,Non-Application Layer Protocol,[],[],,AC-3,mitigates,5 +479,,T1098,Account Manipulation,[],[],,AC-3,mitigates,5 +480,,T1098.001,Additional Cloud Credentials,[],[],,AC-3,mitigates,5 +481,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-3,mitigates,5 +482,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-3,mitigates,5 +483,,T1098.004,SSH Authorized Keys,[],[],,AC-3,mitigates,5 +484,,T1190,Exploit Public-Facing Application,[],[],,AC-3,mitigates,5 +485,,T1197,BITS Jobs,[],[],,AC-3,mitigates,5 +486,,T1205,Traffic Signaling,[],[],,AC-3,mitigates,5 +487,,T1205.001,Port Knocking,[],[],,AC-3,mitigates,5 +488,,T1210,Exploitation of Remote Services,[],[],,AC-3,mitigates,5 +489,,T1213.003,Code Repositories,[],[],,AC-3,mitigates,5 +490,,T1218.007,Msiexec,[],[],,AC-3,mitigates,5 +491,,T1218.012,Verclsid,[],[],,AC-3,mitigates,5 +492,,T1219,Remote Access Software,[],[],,AC-3,mitigates,5 +493,,T1222,File and Directory Permissions Modification,[],[],,AC-3,mitigates,5 +494,,T1486,Data Encrypted for Impact,[],[],,AC-3,mitigates,5 +495,,T1490,Inhibit System Recovery,[],[],,AC-3,mitigates,5 +496,,T1491,Defacement,[],[],,AC-3,mitigates,5 +497,,T1491.001,Internal Defacement,[],[],,AC-3,mitigates,5 +498,,T1491.002,External Defacement,[],[],,AC-3,mitigates,5 +499,,T1495,Firmware Corruption,[],[],,AC-3,mitigates,5 +500,,T1498.001,Direct Network Flood,[],[],,AC-3,mitigates,5 +501,,T1498.002,Reflection Amplification,[],[],,AC-3,mitigates,5 +502,,T1499,Endpoint Denial of Service,[],[],,AC-3,mitigates,5 +503,,T1499.001,OS Exhaustion Flood,[],[],,AC-3,mitigates,5 +504,,T1499.002,Service Exhaustion Flood,[],[],,AC-3,mitigates,5 +505,,T1499.003,Application Exhaustion Flood,[],[],,AC-3,mitigates,5 +506,,T1499.004,Application or System Exploitation,[],[],,AC-3,mitigates,5 +507,,T1505,Server Software Component,[],[],,AC-3,mitigates,5 +508,,T1505.003,Web 
Shell,[],[],,AC-3,mitigates,5 +509,,T1525,Implant Internal Image,[],[],,AC-3,mitigates,5 +510,,T1537,Transfer Data to Cloud Account,[],[],,AC-3,mitigates,5 +511,,T1543,Create or Modify System Process,[],[],,AC-3,mitigates,5 +512,,T1543.001,Launch Agent,[],[],,AC-3,mitigates,5 +513,,T1543.003,Windows Service,[],[],,AC-3,mitigates,5 +514,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-3,mitigates,5 +515,,T1547.003,Time Providers,[],[],,AC-3,mitigates,5 +516,,T1547.004,Winlogon Helper DLL,[],[],,AC-3,mitigates,5 +517,,T1547.006,Kernel Modules and Extensions,[],[],,AC-3,mitigates,5 +518,,T1547.007,Re-opened Applications,[],[],,AC-3,mitigates,5 +519,,T1547.009,Shortcut Modification,[],[],,AC-3,mitigates,5 +520,,T1548.002,Bypass User Account Control,[],[],,AC-3,mitigates,5 +521,,T1548.003,Sudo and Sudo Caching,[],[],,AC-3,mitigates,5 +522,,T1552.005,Cloud Instance Metadata API,[],[],,AC-3,mitigates,5 +523,,T1556.004,Network Device Authentication,[],[],,AC-3,mitigates,5 +524,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-3,mitigates,5 +525,,T1558.003,Kerberoasting,[],[],,AC-3,mitigates,5 +526,,T1559,Inter-Process Communication,[],[],,AC-3,mitigates,5 +527,,T1562,Impair Defenses,[],[],,AC-3,mitigates,5 +528,,T1562.001,Disable or Modify Tools,[],[],,AC-3,mitigates,5 +529,,T1562.006,Indicator Blocking,[],[],,AC-3,mitigates,5 +530,,T1562.008,Disable Cloud Logs,[],[],,AC-3,mitigates,5 +531,,T1565,Data Manipulation,[],[],,AC-3,mitigates,5 +532,,T1565.001,Stored Data Manipulation,[],[],,AC-3,mitigates,5 +533,,T1565.003,Runtime Data Manipulation,[],[],,AC-3,mitigates,5 +534,,T1567,Exfiltration Over Web Service,[],[],,AC-3,mitigates,5 +535,,T1570,Lateral Tool Transfer,[],[],,AC-3,mitigates,5 +536,,T1574,Hijack Execution Flow,[],[],,AC-3,mitigates,5 +537,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-3,mitigates,5 +538,,T1602.002,Network Device Configuration Dump,[],[],,AC-3,mitigates,5 +539,,T1609,Container Administration 
Command,[],[],,AC-3,mitigates,5 +540,,T1610,Deploy Container,[],[],,AC-3,mitigates,5 +541,,T1003,OS Credential Dumping,[],[],,AC-3,mitigates,5 +542,,T1003.004,LSA Secrets,[],[],,AC-3,mitigates,5 +543,,T1003.005,Cached Domain Credentials,[],[],,AC-3,mitigates,5 +544,,T1003.006,DCSync,[],[],,AC-3,mitigates,5 +545,,T1003.007,Proc Filesystem,[],[],,AC-3,mitigates,5 +546,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-3,mitigates,5 +547,,T1021,Remote Services,[],[],,AC-3,mitigates,5 +548,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-3,mitigates,5 +549,,T1021.003,Distributed Component Object Model,[],[],,AC-3,mitigates,5 +550,,T1021.004,SSH,[],[],,AC-3,mitigates,5 +551,,T1021.005,VNC,[],[],,AC-3,mitigates,5 +552,,T1021.006,Windows Remote Management,[],[],,AC-3,mitigates,5 +553,,T1025,Data from Removable Media,[],[],,AC-3,mitigates,5 +554,,T1036,Masquerading,[],[],,AC-3,mitigates,5 +555,,T1036.003,Rename System Utilities,[],[],,AC-3,mitigates,5 +556,,T1036.005,Match Legitimate Name or Location,[],[],,AC-3,mitigates,5 +557,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-3,mitigates,5 +558,,T1037.003,Network Logon Script,[],[],,AC-3,mitigates,5 +559,,T1037.004,RC Scripts,[],[],,AC-3,mitigates,5 +560,,T1041,Exfiltration Over C2 Channel,[],[],,AC-3,mitigates,5 +561,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-3,mitigates,5 +562,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,5 +563,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,5 +564,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-3,mitigates,5 +565,,T1052,Exfiltration Over Physical Medium,[],[],,AC-3,mitigates,5 +566,,T1052.001,Exfiltration over USB,[],[],,AC-3,mitigates,5 +567,,T1053.006,Systemd Timers,[],[],,AC-3,mitigates,5 +568,,T1053.007,Container Orchestration Job,[],[],,AC-3,mitigates,5 +569,,T1055.008,Ptrace System Calls,[],[],,AC-3,mitigates,5 +570,,T1055.009,Proc 
Memory,[],[],,AC-3,mitigates,5 +571,,T1056.003,Web Portal Capture,[],[],,AC-3,mitigates,5 +572,,T1059.003,Windows Command Shell,[],[],,AC-3,mitigates,5 +573,,T1059.004,Unix Shell,[],[],,AC-3,mitigates,5 +574,,T1059.006,Python,[],[],,AC-3,mitigates,5 +575,,T1059.007,JavaScript,[],[],,AC-3,mitigates,5 +576,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-3,mitigates,5 +577,,T1071.004,DNS,[],[],,AC-3,mitigates,5 +578,,T1072,Software Deployment Tools,[],[],,AC-3,mitigates,5 +579,,T1078.003,Local Accounts,[],[],,AC-3,mitigates,5 +580,,T1080,Taint Shared Content,[],[],,AC-3,mitigates,5 +581,,T1087.004,Cloud Account,[],[],,AC-3,mitigates,5 +582,,T1090,Proxy,[],[],,AC-3,mitigates,5 +583,,T1090.003,Multi-hop Proxy,[],[],,AC-3,mitigates,5 +584,,T1110,Brute Force,[],[],,AC-3,mitigates,5 +585,,T1110.003,Password Spraying,[],[],,AC-3,mitigates,5 +586,,T1110.004,Credential Stuffing,[],[],,AC-3,mitigates,5 +587,,T1114,Email Collection,[],[],,AC-3,mitigates,5 +588,,T1114.002,Remote Email Collection,[],[],,AC-3,mitigates,5 +589,,T1134,Access Token Manipulation,[],[],,AC-3,mitigates,5 +590,,T1134.001,Token Impersonation/Theft,[],[],,AC-3,mitigates,5 +591,,T1134.002,Create Process with Token,[],[],,AC-3,mitigates,5 +592,,T1134.003,Make and Impersonate Token,[],[],,AC-3,mitigates,5 +593,,T1134.005,SID-History Injection,[],[],,AC-3,mitigates,5 +594,,T1136,Create Account,[],[],,AC-3,mitigates,5 +595,,T1136.001,Local Account,[],[],,AC-3,mitigates,5 +596,,T1136.002,Domain Account,[],[],,AC-3,mitigates,5 +597,,T1136.003,Cloud Account,[],[],,AC-3,mitigates,5 +598,,T1185,Browser Session Hijacking,[],[],,AC-3,mitigates,5 +599,,T1187,Forced Authentication,[],[],,AC-3,mitigates,5 +600,,T1213,Data from Information Repositories,[],[],,AC-3,mitigates,5 +601,,T1213.001,Confluence,[],[],,AC-3,mitigates,5 +602,,T1213.002,Sharepoint,[],[],,AC-3,mitigates,5 +603,,T1218.002,Control Panel,[],[],,AC-3,mitigates,5 +604,,T1222.001,Windows File and Directory Permissions 
Modification,[],[],,AC-3,mitigates,5 +605,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-3,mitigates,5 +606,,T1484,Domain Policy Modification,[],[],,AC-3,mitigates,5 +607,,T1485,Data Destruction,[],[],,AC-3,mitigates,5 +608,,T1489,Service Stop,[],[],,AC-3,mitigates,5 +609,,T1498,Network Denial of Service,[],[],,AC-3,mitigates,5 +610,,T1505.002,Transport Agent,[],[],,AC-3,mitigates,5 +611,,T1505.004,IIS Components,[],[],,AC-3,mitigates,5 +612,,T1538,Cloud Service Dashboard,[],[],,AC-3,mitigates,5 +613,,T1539,Steal Web Session Cookie,[],[],,AC-3,mitigates,5 +614,,T1542,Pre-OS Boot,[],[],,AC-3,mitigates,5 +615,,T1542.001,System Firmware,[],[],,AC-3,mitigates,5 +616,,T1542.003,Bootkit,[],[],,AC-3,mitigates,5 +617,,T1542.004,ROMMONkit,[],[],,AC-3,mitigates,5 +618,,T1542.005,TFTP Boot,[],[],,AC-3,mitigates,5 +619,,T1543.002,Systemd Service,[],[],,AC-3,mitigates,5 +620,,T1543.004,Launch Daemon,[],[],,AC-3,mitigates,5 +621,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-3,mitigates,5 +622,,T1546.013,PowerShell Profile,[],[],,AC-3,mitigates,5 +623,,T1547.012,Print Processors,[],[],,AC-3,mitigates,5 +624,,T1547.013,XDG Autostart Entries,[],[],,AC-3,mitigates,5 +625,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-3,mitigates,5 +626,,T1550,Use Alternate Authentication Material,[],[],,AC-3,mitigates,5 +627,,T1550.002,Pass the Hash,[],[],,AC-3,mitigates,5 +628,,T1550.003,Pass the Ticket,[],[],,AC-3,mitigates,5 +629,,T1552,Unsecured Credentials,[],[],,AC-3,mitigates,5 +630,,T1552.002,Credentials in Registry,[],[],,AC-3,mitigates,5 +631,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-3,mitigates,5 +632,,T1556.001,Domain Controller Authentication,[],[],,AC-3,mitigates,5 +633,,T1556.003,Pluggable Authentication Modules,[],[],,AC-3,mitigates,5 +634,,T1557.002,ARP Cache Poisoning,[],[],,AC-3,mitigates,5 +635,,T1558.001,Golden Ticket,[],[],,AC-3,mitigates,5 +636,,T1558.002,Silver Ticket,[],[],,AC-3,mitigates,5 +637,,T1558.004,AS-REP 
Roasting,[],[],,AC-3,mitigates,5 +638,,T1559.001,Component Object Model,[],[],,AC-3,mitigates,5 +639,,T1561,Disk Wipe,[],[],,AC-3,mitigates,5 +640,,T1561.001,Disk Content Wipe,[],[],,AC-3,mitigates,5 +641,,T1561.002,Disk Structure Wipe,[],[],,AC-3,mitigates,5 +642,,T1562.002,Disable Windows Event Logging,[],[],,AC-3,mitigates,5 +643,,T1562.004,Disable or Modify System Firewall,[],[],,AC-3,mitigates,5 +644,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-3,mitigates,5 +645,,T1562.009,Safe Mode Boot,[],[],,AC-3,mitigates,5 +646,,T1563,Remote Service Session Hijacking,[],[],,AC-3,mitigates,5 +647,,T1563.001,SSH Hijacking,[],[],,AC-3,mitigates,5 +648,,T1563.002,RDP Hijacking,[],[],,AC-3,mitigates,5 +649,,T1564.004,NTFS File Attributes,[],[],,AC-3,mitigates,5 +650,,T1569,System Services,[],[],,AC-3,mitigates,5 +651,,T1569.001,Launchctl,[],[],,AC-3,mitigates,5 +652,,T1569.002,Service Execution,[],[],,AC-3,mitigates,5 +653,,T1572,Protocol Tunneling,[],[],,AC-3,mitigates,5 +654,,T1574.004,Dylib Hijacking,[],[],,AC-3,mitigates,5 +655,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-3,mitigates,5 +656,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-3,mitigates,5 +657,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-3,mitigates,5 +658,,T1574.010,Services File Permissions Weakness,[],[],,AC-3,mitigates,5 +659,,T1574.012,COR_PROFILER,[],[],,AC-3,mitigates,5 +660,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-3,mitigates,5 +661,,T1578.001,Create Snapshot,[],[],,AC-3,mitigates,5 +662,,T1578.002,Create Cloud Instance,[],[],,AC-3,mitigates,5 +663,,T1578.003,Delete Cloud Instance,[],[],,AC-3,mitigates,5 +664,,T1599.001,Network Address Translation Traversal,[],[],,AC-3,mitigates,5 +665,,T1601,Modify System Image,[],[],,AC-3,mitigates,5 +666,,T1601.001,Patch System Image,[],[],,AC-3,mitigates,5 +667,,T1601.002,Downgrade System Image,[],[],,AC-3,mitigates,5 +668,,T1602,Data from Configuration Repository,[],[],,AC-3,mitigates,5 
+669,,T1602.001,SNMP (MIB Dump),[],[],,AC-3,mitigates,5 +670,,T1606,Forge Web Credentials,[],[],,AC-3,mitigates,5 +671,,T1606.001,Web Cookies,[],[],,AC-3,mitigates,5 +672,,T1606.002,SAML Tokens,[],[],,AC-3,mitigates,5 +673,,T1612,Build Image on Host,[],[],,AC-3,mitigates,5 +674,,T1613,Container and Resource Discovery,[],[],,AC-3,mitigates,5 +675,,T1619,Cloud Storage Object Discovery,[],[],,AC-3,mitigates,5 +676,,T1003.001,LSASS Memory,[],[],,AC-3,mitigates,5 +677,,T1003.002,Security Account Manager,[],[],,AC-3,mitigates,5 +678,,T1003.003,NTDS,[],[],,AC-3,mitigates,5 +679,,T1005,Data from Local System,[],[],,AC-3,mitigates,5 +680,,T1055,Process Injection,[],[],,AC-3,mitigates,5 +681,,T1078,Valid Accounts,[],[],,AC-3,mitigates,5 +682,,T1091,Replication Through Removable Media,[],[],,AC-3,mitigates,5 +683,,T1110.001,Password Guessing,[],[],,AC-3,mitigates,5 +684,,T1110.002,Password Cracking,[],[],,AC-3,mitigates,5 +685,,T1133,External Remote Services,[],[],,AC-3,mitigates,5 +686,,T1199,Trusted Relationship,[],[],,AC-3,mitigates,5 +687,,T1200,Hardware Additions,[],[],,AC-3,mitigates,5 +688,,T1218,Signed Binary Proxy Execution,[],[],,AC-3,mitigates,5 +689,,T1528,Steal Application Access Token,[],[],,AC-3,mitigates,5 +690,,T1530,Data from Cloud Storage Object,[],[],,AC-3,mitigates,5 +691,,T1552.007,Container API,[],[],,AC-3,mitigates,5 +692,,T1556,Modify Authentication Process,[],[],,AC-3,mitigates,5 +693,,T1557,Adversary-in-the-Middle,[],[],,AC-3,mitigates,5 +694,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-3,mitigates,5 +695,,T1580,Cloud Infrastructure Discovery,[],[],,AC-3,mitigates,5 +696,,T1599,Network Boundary Bridging,[],[],,AC-3,mitigates,5 +697,,T1611,Escape to Host,[],[],,AC-3,mitigates,5 +698,,T1557.003,DHCP Spoofing,[],[],,AC-3,mitigates,5 +699,,T1070.007,Clear Network Connection History and Configurations,[],[],,AC-3,mitigates,5 +700,,T1070.008,Clear Mailbox Data,[],[],,AC-3,mitigates,5 +701,,T1070.009,Clear Persistence,[],[],,AC-3,mitigates,5 
+702,,T1098.005,Device Registration,[],[],,AC-3,mitigates,5 +703,,T1505.005,Terminal Services DLL,[],[],,AC-3,mitigates,5 +704,,T1622,Debugger Evasion,[],[],,AC-3,mitigates,5 +705,,T1647,Plist File Modification,[],[],,AC-3,mitigates,5 +706,,T1648,Serverless Execution,[],[],,AC-3,mitigates,5 +707,,T1556.006,Multi-Factor Authentication,[],[],,AC-3,mitigates,5 +708,,T1556.007,Hybrid Identity,[],[],,AC-3,mitigates,5 +709,,T1020.001,Traffic Duplication,[],[],,AC-4,mitigates,5 +710,,T1021.001,Remote Desktop Protocol,[],[],,AC-4,mitigates,5 +711,,T1095,Non-Application Layer Protocol,[],[],,AC-4,mitigates,5 +712,,T1098,Account Manipulation,[],[],,AC-4,mitigates,5 +713,,T1098.001,Additional Cloud Credentials,[],[],,AC-4,mitigates,5 +714,,T1105,Ingress Tool Transfer,[],[],,AC-4,mitigates,5 +715,,T1189,Drive-by Compromise,[],[],,AC-4,mitigates,5 +716,,T1190,Exploit Public-Facing Application,[],[],,AC-4,mitigates,5 +717,,T1197,BITS Jobs,[],[],,AC-4,mitigates,5 +718,,T1203,Exploitation for Client Execution,[],[],,AC-4,mitigates,5 +719,,T1205,Traffic Signaling,[],[],,AC-4,mitigates,5 +720,,T1205.001,Port Knocking,[],[],,AC-4,mitigates,5 +721,,T1210,Exploitation of Remote Services,[],[],,AC-4,mitigates,5 +722,,T1211,Exploitation for Defense Evasion,[],[],,AC-4,mitigates,5 +723,,T1218.012,Verclsid,[],[],,AC-4,mitigates,5 +724,,T1219,Remote Access Software,[],[],,AC-4,mitigates,5 +725,,T1498.001,Direct Network Flood,[],[],,AC-4,mitigates,5 +726,,T1498.002,Reflection Amplification,[],[],,AC-4,mitigates,5 +727,,T1499,Endpoint Denial of Service,[],[],,AC-4,mitigates,5 +728,,T1499.001,OS Exhaustion Flood,[],[],,AC-4,mitigates,5 +729,,T1499.002,Service Exhaustion Flood,[],[],,AC-4,mitigates,5 +730,,T1499.003,Application Exhaustion Flood,[],[],,AC-4,mitigates,5 +731,,T1499.004,Application or System Exploitation,[],[],,AC-4,mitigates,5 +732,,T1537,Transfer Data to Cloud Account,[],[],,AC-4,mitigates,5 +733,,T1547.003,Time Providers,[],[],,AC-4,mitigates,5 +734,,T1552.005,Cloud Instance 
Metadata API,[],[],,AC-4,mitigates,5 +735,,T1559,Inter-Process Communication,[],[],,AC-4,mitigates,5 +736,,T1559.002,Dynamic Data Exchange,[],[],,AC-4,mitigates,5 +737,,T1565,Data Manipulation,[],[],,AC-4,mitigates,5 +738,,T1565.003,Runtime Data Manipulation,[],[],,AC-4,mitigates,5 +739,,T1567,Exfiltration Over Web Service,[],[],,AC-4,mitigates,5 +740,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-4,mitigates,5 +741,,T1568.002,Domain Generation Algorithms,[],[],,AC-4,mitigates,5 +742,,T1570,Lateral Tool Transfer,[],[],,AC-4,mitigates,5 +743,,T1574,Hijack Execution Flow,[],[],,AC-4,mitigates,5 +744,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-4,mitigates,5 +745,,T1602.002,Network Device Configuration Dump,[],[],,AC-4,mitigates,5 +746,,T1001,Data Obfuscation,[],[],,AC-4,mitigates,5 +747,,T1001.001,Junk Data,[],[],,AC-4,mitigates,5 +748,,T1001.002,Steganography,[],[],,AC-4,mitigates,5 +749,,T1001.003,Protocol Impersonation,[],[],,AC-4,mitigates,5 +750,,T1003,OS Credential Dumping,[],[],,AC-4,mitigates,5 +751,,T1003.005,Cached Domain Credentials,[],[],,AC-4,mitigates,5 +752,,T1003.006,DCSync,[],[],,AC-4,mitigates,5 +753,,T1008,Fallback Channels,[],[],,AC-4,mitigates,5 +754,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-4,mitigates,5 +755,,T1021.003,Distributed Component Object Model,[],[],,AC-4,mitigates,5 +756,,T1021.005,VNC,[],[],,AC-4,mitigates,5 +757,,T1021.006,Windows Remote Management,[],[],,AC-4,mitigates,5 +758,,T1029,Scheduled Transfer,[],[],,AC-4,mitigates,5 +759,,T1030,Data Transfer Size Limits,[],[],,AC-4,mitigates,5 +760,,T1041,Exfiltration Over C2 Channel,[],[],,AC-4,mitigates,5 +761,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-4,mitigates,5 +762,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,5 +763,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,5 +764,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 
Protocol,[],[],,AC-4,mitigates,5 +765,,T1071,Application Layer Protocol,[],[],,AC-4,mitigates,5 +766,,T1071.001,Web Protocols,[],[],,AC-4,mitigates,5 +767,,T1071.002,File Transfer Protocols,[],[],,AC-4,mitigates,5 +768,,T1071.003,Mail Protocols,[],[],,AC-4,mitigates,5 +769,,T1071.004,DNS,[],[],,AC-4,mitigates,5 +770,,T1072,Software Deployment Tools,[],[],,AC-4,mitigates,5 +771,,T1090,Proxy,[],[],,AC-4,mitigates,5 +772,,T1090.001,Internal Proxy,[],[],,AC-4,mitigates,5 +773,,T1090.002,External Proxy,[],[],,AC-4,mitigates,5 +774,,T1090.003,Multi-hop Proxy,[],[],,AC-4,mitigates,5 +775,,T1102,Web Service,[],[],,AC-4,mitigates,5 +776,,T1102.001,Dead Drop Resolver,[],[],,AC-4,mitigates,5 +777,,T1102.002,Bidirectional Communication,[],[],,AC-4,mitigates,5 +778,,T1102.003,One-Way Communication,[],[],,AC-4,mitigates,5 +779,,T1104,Multi-Stage Channels,[],[],,AC-4,mitigates,5 +780,,T1114,Email Collection,[],[],,AC-4,mitigates,5 +781,,T1114.001,Local Email Collection,[],[],,AC-4,mitigates,5 +782,,T1114.002,Remote Email Collection,[],[],,AC-4,mitigates,5 +783,,T1114.003,Email Forwarding Rule,[],[],,AC-4,mitigates,5 +784,,T1132,Data Encoding,[],[],,AC-4,mitigates,5 +785,,T1132.001,Standard Encoding,[],[],,AC-4,mitigates,5 +786,,T1132.002,Non-Standard Encoding,[],[],,AC-4,mitigates,5 +787,,T1134.005,SID-History Injection,[],[],,AC-4,mitigates,5 +788,,T1136,Create Account,[],[],,AC-4,mitigates,5 +789,,T1136.002,Domain Account,[],[],,AC-4,mitigates,5 +790,,T1136.003,Cloud Account,[],[],,AC-4,mitigates,5 +791,,T1187,Forced Authentication,[],[],,AC-4,mitigates,5 +792,,T1204.001,Malicious Link,[],[],,AC-4,mitigates,5 +793,,T1204.003,Malicious Image,[],[],,AC-4,mitigates,5 +794,,T1213,Data from Information Repositories,[],[],,AC-4,mitigates,5 +795,,T1213.001,Confluence,[],[],,AC-4,mitigates,5 +796,,T1213.002,Sharepoint,[],[],,AC-4,mitigates,5 +797,,T1484,Domain Policy Modification,[],[],,AC-4,mitigates,5 +798,,T1489,Service Stop,[],[],,AC-4,mitigates,5 +799,,T1498,Network Denial of 
Service,[],[],,AC-4,mitigates,5 +800,,T1505.004,IIS Components,[],[],,AC-4,mitigates,5 +801,,T1552,Unsecured Credentials,[],[],,AC-4,mitigates,5 +802,,T1552.001,Credentials In Files,[],[],,AC-4,mitigates,5 +803,,T1557.002,ARP Cache Poisoning,[],[],,AC-4,mitigates,5 +804,,T1559.001,Component Object Model,[],[],,AC-4,mitigates,5 +805,,T1563,Remote Service Session Hijacking,[],[],,AC-4,mitigates,5 +806,,T1563.002,RDP Hijacking,[],[],,AC-4,mitigates,5 +807,,T1564.008,Email Hiding Rules,[],[],,AC-4,mitigates,5 +808,,T1566,Phishing,[],[],,AC-4,mitigates,5 +809,,T1566.001,Spearphishing Attachment,[],[],,AC-4,mitigates,5 +810,,T1566.003,Spearphishing via Service,[],[],,AC-4,mitigates,5 +811,,T1567.001,Exfiltration to Code Repository,[],[],,AC-4,mitigates,5 +812,,T1568,Dynamic Resolution,[],[],,AC-4,mitigates,5 +813,,T1571,Non-Standard Port,[],[],,AC-4,mitigates,5 +814,,T1572,Protocol Tunneling,[],[],,AC-4,mitigates,5 +815,,T1573,Encrypted Channel,[],[],,AC-4,mitigates,5 +816,,T1573.001,Symmetric Cryptography,[],[],,AC-4,mitigates,5 +817,,T1573.002,Asymmetric Cryptography,[],[],,AC-4,mitigates,5 +818,,T1574.004,Dylib Hijacking,[],[],,AC-4,mitigates,5 +819,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-4,mitigates,5 +820,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-4,mitigates,5 +821,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-4,mitigates,5 +822,,T1574.010,Services File Permissions Weakness,[],[],,AC-4,mitigates,5 +823,,T1598,Phishing for Information,[],[],,AC-4,mitigates,5 +824,,T1598.001,Spearphishing Service,[],[],,AC-4,mitigates,5 +825,,T1598.002,Spearphishing Attachment,[],[],,AC-4,mitigates,5 +826,,T1599.001,Network Address Translation Traversal,[],[],,AC-4,mitigates,5 +827,,T1601,Modify System Image,[],[],,AC-4,mitigates,5 +828,,T1601.001,Patch System Image,[],[],,AC-4,mitigates,5 +829,,T1601.002,Downgrade System Image,[],[],,AC-4,mitigates,5 +830,,T1602,Data from Configuration Repository,[],[],,AC-4,mitigates,5 
+831,,T1602.001,SNMP (MIB Dump),[],[],,AC-4,mitigates,5 +832,,T1003.001,LSASS Memory,[],[],,AC-4,mitigates,5 +833,,T1046,Network Service Scanning,[],[],,AC-4,mitigates,5 +834,,T1068,Exploitation for Privilege Escalation,[],[],,AC-4,mitigates,5 +835,,T1133,External Remote Services,[],[],,AC-4,mitigates,5 +836,,T1199,Trusted Relationship,[],[],,AC-4,mitigates,5 +837,,T1212,Exploitation for Credential Access,[],[],,AC-4,mitigates,5 +838,,T1482,Domain Trust Discovery,[],[],,AC-4,mitigates,5 +839,,T1528,Steal Application Access Token,[],[],,AC-4,mitigates,5 +840,,T1530,Data from Cloud Storage Object,[],[],,AC-4,mitigates,5 +841,,T1552.007,Container API,[],[],,AC-4,mitigates,5 +842,,T1557,Adversary-in-the-Middle,[],[],,AC-4,mitigates,5 +843,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-4,mitigates,5 +844,,T1566.002,Spearphishing Link,[],[],,AC-4,mitigates,5 +845,,T1598.003,Spearphishing Link,[],[],,AC-4,mitigates,5 +846,,T1599,Network Boundary Bridging,[],[],,AC-4,mitigates,5 +847,,T1611,Escape to Host,[],[],,AC-4,mitigates,5 +848,,T1204,User Execution,[],[],,AC-4,mitigates,5 +849,,T1204.002,Malicious File,[],[],,AC-4,mitigates,5 +850,,T1557.003,DHCP Spoofing,[],[],,AC-4,mitigates,5 +851,,T1609,Container Administration Command,[],[],,AC-4,mitigates,5 +852,,T1622,Debugger Evasion,[],[],,AC-4,mitigates,5 +853,,T1205.002,Socket Filters,[],[],,AC-4,mitigates,5 +854,,T1021.001,Remote Desktop Protocol,[],[],,AC-5,mitigates,5 +855,,T1047,Windows Management Instrumentation,[],[],,AC-5,mitigates,5 +856,,T1053,Scheduled Task/Job,[],[],,AC-5,mitigates,5 +857,,T1053.002,At (Windows),[],[],,AC-5,mitigates,5 +858,,T1053.003,Cron,[],[],,AC-5,mitigates,5 +859,,T1053.005,Scheduled Task,[],[],,AC-5,mitigates,5 +860,,T1059,Command and Scripting Interpreter,[],[],,AC-5,mitigates,5 +861,,T1059.001,PowerShell,[],[],,AC-5,mitigates,5 +862,,T1059.008,Network Device CLI,[],[],,AC-5,mitigates,5 +863,,T1070,Indicator Removal on Host,[],[],,AC-5,mitigates,5 +864,,T1070.001,Clear Windows 
Event Logs,[],[],,AC-5,mitigates,5 +865,,T1070.003,Clear Command History,[],[],,AC-5,mitigates,5 +866,,T1078.002,Domain Accounts,[],[],,AC-5,mitigates,5 +867,,T1078.004,Cloud Accounts,[],[],,AC-5,mitigates,5 +868,,T1098,Account Manipulation,[],[],,AC-5,mitigates,5 +869,,T1098.001,Additional Cloud Credentials,[],[],,AC-5,mitigates,5 +870,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-5,mitigates,5 +871,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-5,mitigates,5 +872,,T1190,Exploit Public-Facing Application,[],[],,AC-5,mitigates,5 +873,,T1197,BITS Jobs,[],[],,AC-5,mitigates,5 +874,,T1210,Exploitation of Remote Services,[],[],,AC-5,mitigates,5 +875,,T1213.003,Code Repositories,[],[],,AC-5,mitigates,5 +876,,T1218.007,Msiexec,[],[],,AC-5,mitigates,5 +877,,T1222,File and Directory Permissions Modification,[],[],,AC-5,mitigates,5 +878,,T1495,Firmware Corruption,[],[],,AC-5,mitigates,5 +879,,T1505,Server Software Component,[],[],,AC-5,mitigates,5 +880,,T1505.003,Web Shell,[],[],,AC-5,mitigates,5 +881,,T1525,Implant Internal Image,[],[],,AC-5,mitigates,5 +882,,T1537,Transfer Data to Cloud Account,[],[],,AC-5,mitigates,5 +883,,T1543,Create or Modify System Process,[],[],,AC-5,mitigates,5 +884,,T1543.001,Launch Agent,[],[],,AC-5,mitigates,5 +885,,T1543.003,Windows Service,[],[],,AC-5,mitigates,5 +886,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-5,mitigates,5 +887,,T1547.004,Winlogon Helper DLL,[],[],,AC-5,mitigates,5 +888,,T1547.006,Kernel Modules and Extensions,[],[],,AC-5,mitigates,5 +889,,T1547.009,Shortcut Modification,[],[],,AC-5,mitigates,5 +890,,T1548.002,Bypass User Account Control,[],[],,AC-5,mitigates,5 +891,,T1548.003,Sudo and Sudo Caching,[],[],,AC-5,mitigates,5 +892,,T1556.004,Network Device Authentication,[],[],,AC-5,mitigates,5 +893,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-5,mitigates,5 +894,,T1558.003,Kerberoasting,[],[],,AC-5,mitigates,5 +895,,T1559,Inter-Process 
Communication,[],[],,AC-5,mitigates,5 +896,,T1562,Impair Defenses,[],[],,AC-5,mitigates,5 +897,,T1562.001,Disable or Modify Tools,[],[],,AC-5,mitigates,5 +898,,T1562.006,Indicator Blocking,[],[],,AC-5,mitigates,5 +899,,T1562.008,Disable Cloud Logs,[],[],,AC-5,mitigates,5 +900,,T1574,Hijack Execution Flow,[],[],,AC-5,mitigates,5 +901,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-5,mitigates,5 +902,,T1003,OS Credential Dumping,[],[],,AC-5,mitigates,5 +903,,T1003.004,LSA Secrets,[],[],,AC-5,mitigates,5 +904,,T1003.005,Cached Domain Credentials,[],[],,AC-5,mitigates,5 +905,,T1003.006,DCSync,[],[],,AC-5,mitigates,5 +906,,T1003.007,Proc Filesystem,[],[],,AC-5,mitigates,5 +907,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-5,mitigates,5 +908,,T1021,Remote Services,[],[],,AC-5,mitigates,5 +909,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-5,mitigates,5 +910,,T1021.003,Distributed Component Object Model,[],[],,AC-5,mitigates,5 +911,,T1021.004,SSH,[],[],,AC-5,mitigates,5 +912,,T1021.006,Windows Remote Management,[],[],,AC-5,mitigates,5 +913,,T1053.006,Systemd Timers,[],[],,AC-5,mitigates,5 +914,,T1053.007,Container Orchestration Job,[],[],,AC-5,mitigates,5 +915,,T1055.008,Ptrace System Calls,[],[],,AC-5,mitigates,5 +916,,T1056.003,Web Portal Capture,[],[],,AC-5,mitigates,5 +917,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-5,mitigates,5 +918,,T1072,Software Deployment Tools,[],[],,AC-5,mitigates,5 +919,,T1078.001,Default Accounts,[],[],,AC-5,mitigates,5 +920,,T1078.003,Local Accounts,[],[],,AC-5,mitigates,5 +921,,T1087.004,Cloud Account,[],[],,AC-5,mitigates,5 +922,,T1110,Brute Force,[],[],,AC-5,mitigates,5 +923,,T1110.003,Password Spraying,[],[],,AC-5,mitigates,5 +924,,T1110.004,Credential Stuffing,[],[],,AC-5,mitigates,5 +925,,T1134,Access Token Manipulation,[],[],,AC-5,mitigates,5 +926,,T1134.001,Token Impersonation/Theft,[],[],,AC-5,mitigates,5 +927,,T1134.002,Create Process with Token,[],[],,AC-5,mitigates,5 +928,,T1134.003,Make and 
Impersonate Token,[],[],,AC-5,mitigates,5 +929,,T1134.005,SID-History Injection,[],[],,AC-5,mitigates,5 +930,,T1136,Create Account,[],[],,AC-5,mitigates,5 +931,,T1136.001,Local Account,[],[],,AC-5,mitigates,5 +932,,T1136.002,Domain Account,[],[],,AC-5,mitigates,5 +933,,T1136.003,Cloud Account,[],[],,AC-5,mitigates,5 +934,,T1185,Browser Session Hijacking,[],[],,AC-5,mitigates,5 +935,,T1213,Data from Information Repositories,[],[],,AC-5,mitigates,5 +936,,T1213.001,Confluence,[],[],,AC-5,mitigates,5 +937,,T1213.002,Sharepoint,[],[],,AC-5,mitigates,5 +938,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-5,mitigates,5 +939,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-5,mitigates,5 +940,,T1484,Domain Policy Modification,[],[],,AC-5,mitigates,5 +941,,T1489,Service Stop,[],[],,AC-5,mitigates,5 +942,,T1505.002,Transport Agent,[],[],,AC-5,mitigates,5 +943,,T1538,Cloud Service Dashboard,[],[],,AC-5,mitigates,5 +944,,T1542,Pre-OS Boot,[],[],,AC-5,mitigates,5 +945,,T1542.001,System Firmware,[],[],,AC-5,mitigates,5 +946,,T1542.003,Bootkit,[],[],,AC-5,mitigates,5 +947,,T1542.005,TFTP Boot,[],[],,AC-5,mitigates,5 +948,,T1543.002,Systemd Service,[],[],,AC-5,mitigates,5 +949,,T1543.004,Launch Daemon,[],[],,AC-5,mitigates,5 +950,,T1547.012,Print Processors,[],[],,AC-5,mitigates,5 +951,,T1547.013,XDG Autostart Entries,[],[],,AC-5,mitigates,5 +952,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-5,mitigates,5 +953,,T1550,Use Alternate Authentication Material,[],[],,AC-5,mitigates,5 +954,,T1550.002,Pass the Hash,[],[],,AC-5,mitigates,5 +955,,T1550.003,Pass the Ticket,[],[],,AC-5,mitigates,5 +956,,T1552,Unsecured Credentials,[],[],,AC-5,mitigates,5 +957,,T1552.001,Credentials In Files,[],[],,AC-5,mitigates,5 +958,,T1552.002,Credentials in Registry,[],[],,AC-5,mitigates,5 +959,,T1552.006,Group Policy Preferences,[],[],,AC-5,mitigates,5 +960,,T1556.001,Domain Controller Authentication,[],[],,AC-5,mitigates,5 
+961,,T1556.003,Pluggable Authentication Modules,[],[],,AC-5,mitigates,5 +962,,T1558.001,Golden Ticket,[],[],,AC-5,mitigates,5 +963,,T1558.002,Silver Ticket,[],[],,AC-5,mitigates,5 +964,,T1559.001,Component Object Model,[],[],,AC-5,mitigates,5 +965,,T1562.002,Disable Windows Event Logging,[],[],,AC-5,mitigates,5 +966,,T1562.004,Disable or Modify System Firewall,[],[],,AC-5,mitigates,5 +967,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-5,mitigates,5 +968,,T1562.009,Safe Mode Boot,[],[],,AC-5,mitigates,5 +969,,T1563,Remote Service Session Hijacking,[],[],,AC-5,mitigates,5 +970,,T1563.001,SSH Hijacking,[],[],,AC-5,mitigates,5 +971,,T1563.002,RDP Hijacking,[],[],,AC-5,mitigates,5 +972,,T1569,System Services,[],[],,AC-5,mitigates,5 +973,,T1569.001,Launchctl,[],[],,AC-5,mitigates,5 +974,,T1569.002,Service Execution,[],[],,AC-5,mitigates,5 +975,,T1574.004,Dylib Hijacking,[],[],,AC-5,mitigates,5 +976,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-5,mitigates,5 +977,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-5,mitigates,5 +978,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-5,mitigates,5 +979,,T1574.010,Services File Permissions Weakness,[],[],,AC-5,mitigates,5 +980,,T1574.012,COR_PROFILER,[],[],,AC-5,mitigates,5 +981,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-5,mitigates,5 +982,,T1578.001,Create Snapshot,[],[],,AC-5,mitigates,5 +983,,T1578.002,Create Cloud Instance,[],[],,AC-5,mitigates,5 +984,,T1578.003,Delete Cloud Instance,[],[],,AC-5,mitigates,5 +985,,T1599.001,Network Address Translation Traversal,[],[],,AC-5,mitigates,5 +986,,T1601,Modify System Image,[],[],,AC-5,mitigates,5 +987,,T1601.001,Patch System Image,[],[],,AC-5,mitigates,5 +988,,T1601.002,Downgrade System Image,[],[],,AC-5,mitigates,5 +989,,T1606,Forge Web Credentials,[],[],,AC-5,mitigates,5 +990,,T1619,Cloud Storage Object Discovery,[],[],,AC-5,mitigates,5 +991,,T1003.001,LSASS Memory,[],[],,AC-5,mitigates,5 +992,,T1003.002,Security 
Account Manager,[],[],,AC-5,mitigates,5 +993,,T1003.003,NTDS,[],[],,AC-5,mitigates,5 +994,,T1055,Process Injection,[],[],,AC-5,mitigates,5 +995,,T1078,Valid Accounts,[],[],,AC-5,mitigates,5 +996,,T1110.001,Password Guessing,[],[],,AC-5,mitigates,5 +997,,T1110.002,Password Cracking,[],[],,AC-5,mitigates,5 +998,,T1218,Signed Binary Proxy Execution,[],[],,AC-5,mitigates,5 +999,,T1528,Steal Application Access Token,[],[],,AC-5,mitigates,5 +1000,,T1530,Data from Cloud Storage Object,[],[],,AC-5,mitigates,5 +1001,,T1552.007,Container API,[],[],,AC-5,mitigates,5 +1002,,T1556,Modify Authentication Process,[],[],,AC-5,mitigates,5 +1003,,T1580,Cloud Infrastructure Discovery,[],[],,AC-5,mitigates,5 +1004,,T1599,Network Boundary Bridging,[],[],,AC-5,mitigates,5 +1005,,T1611,Escape to Host,[],[],,AC-5,mitigates,5 +1006,,T1070.007,Clear Network Connection History and Configurations,[],[],,AC-5,mitigates,5 +1007,,T1070.008,Clear Mailbox Data,[],[],,AC-5,mitigates,5 +1008,,T1070.009,Clear Persistence,[],[],,AC-5,mitigates,5 +1009,,T1098.004,SSH Authorized Keys,[],[],,AC-5,mitigates,5 +1010,,T1098.005,Device Registration,[],[],,AC-5,mitigates,5 +1011,,T1505.005,Terminal Services DLL,[],[],,AC-5,mitigates,5 +1012,,T1609,Container Administration Command,[],[],,AC-5,mitigates,5 +1013,,T1556.005,Reversible Encryption,[],[],,AC-5,mitigates,5 +1014,,T1021.001,Remote Desktop Protocol,[],[],,AC-6,mitigates,5 +1015,,T1047,Windows Management Instrumentation,[],[],,AC-6,mitigates,5 +1016,,T1053,Scheduled Task/Job,[],[],,AC-6,mitigates,5 +1017,,T1053.002,At (Windows),[],[],,AC-6,mitigates,5 +1018,,T1053.003,Cron,[],[],,AC-6,mitigates,5 +1019,,T1053.005,Scheduled Task,[],[],,AC-6,mitigates,5 +1020,,T1059,Command and Scripting Interpreter,[],[],,AC-6,mitigates,5 +1021,,T1059.001,PowerShell,[],[],,AC-6,mitigates,5 +1022,,T1059.002,AppleScript,[],[],,AC-6,mitigates,5 +1023,,T1059.005,Visual Basic,[],[],,AC-6,mitigates,5 +1024,,T1059.008,Network Device CLI,[],[],,AC-6,mitigates,5 
+1025,,T1070,Indicator Removal on Host,[],[],,AC-6,mitigates,5 +1026,,T1070.001,Clear Windows Event Logs,[],[],,AC-6,mitigates,5 +1027,,T1070.003,Clear Command History,[],[],,AC-6,mitigates,5 +1028,,T1078.002,Domain Accounts,[],[],,AC-6,mitigates,5 +1029,,T1078.004,Cloud Accounts,[],[],,AC-6,mitigates,5 +1030,,T1098,Account Manipulation,[],[],,AC-6,mitigates,5 +1031,,T1098.001,Additional Cloud Credentials,[],[],,AC-6,mitigates,5 +1032,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-6,mitigates,5 +1033,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-6,mitigates,5 +1034,,T1106,Native API,[],[],,AC-6,mitigates,5 +1035,,T1176,Browser Extensions,[],[],,AC-6,mitigates,5 +1036,,T1189,Drive-by Compromise,[],[],,AC-6,mitigates,5 +1037,,T1190,Exploit Public-Facing Application,[],[],,AC-6,mitigates,5 +1038,,T1197,BITS Jobs,[],[],,AC-6,mitigates,5 +1039,,T1203,Exploitation for Client Execution,[],[],,AC-6,mitigates,5 +1040,,T1210,Exploitation of Remote Services,[],[],,AC-6,mitigates,5 +1041,,T1211,Exploitation for Defense Evasion,[],[],,AC-6,mitigates,5 +1042,,T1213.003,Code Repositories,[],[],,AC-6,mitigates,5 +1043,,T1218.007,Msiexec,[],[],,AC-6,mitigates,5 +1044,,T1222,File and Directory Permissions Modification,[],[],,AC-6,mitigates,5 +1045,,T1486,Data Encrypted for Impact,[],[],,AC-6,mitigates,5 +1046,,T1490,Inhibit System Recovery,[],[],,AC-6,mitigates,5 +1047,,T1491,Defacement,[],[],,AC-6,mitigates,5 +1048,,T1491.001,Internal Defacement,[],[],,AC-6,mitigates,5 +1049,,T1491.002,External Defacement,[],[],,AC-6,mitigates,5 +1050,,T1495,Firmware Corruption,[],[],,AC-6,mitigates,5 +1051,,T1505,Server Software Component,[],[],,AC-6,mitigates,5 +1052,,T1505.003,Web Shell,[],[],,AC-6,mitigates,5 +1053,,T1525,Implant Internal Image,[],[],,AC-6,mitigates,5 +1054,,T1537,Transfer Data to Cloud Account,[],[],,AC-6,mitigates,5 +1055,,T1543,Create or Modify System Process,[],[],,AC-6,mitigates,5 +1056,,T1543.001,Launch Agent,[],[],,AC-6,mitigates,5 
+1057,,T1543.003,Windows Service,[],[],,AC-6,mitigates,5 +1058,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-6,mitigates,5 +1059,,T1547.003,Time Providers,[],[],,AC-6,mitigates,5 +1060,,T1547.004,Winlogon Helper DLL,[],[],,AC-6,mitigates,5 +1061,,T1547.006,Kernel Modules and Extensions,[],[],,AC-6,mitigates,5 +1062,,T1547.009,Shortcut Modification,[],[],,AC-6,mitigates,5 +1063,,T1548.002,Bypass User Account Control,[],[],,AC-6,mitigates,5 +1064,,T1548.003,Sudo and Sudo Caching,[],[],,AC-6,mitigates,5 +1065,,T1556.004,Network Device Authentication,[],[],,AC-6,mitigates,5 +1066,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-6,mitigates,5 +1067,,T1558.003,Kerberoasting,[],[],,AC-6,mitigates,5 +1068,,T1559,Inter-Process Communication,[],[],,AC-6,mitigates,5 +1069,,T1559.002,Dynamic Data Exchange,[],[],,AC-6,mitigates,5 +1070,,T1562,Impair Defenses,[],[],,AC-6,mitigates,5 +1071,,T1562.001,Disable or Modify Tools,[],[],,AC-6,mitigates,5 +1072,,T1562.006,Indicator Blocking,[],[],,AC-6,mitigates,5 +1073,,T1562.008,Disable Cloud Logs,[],[],,AC-6,mitigates,5 +1074,,T1567,Exfiltration Over Web Service,[],[],,AC-6,mitigates,5 +1075,,T1574,Hijack Execution Flow,[],[],,AC-6,mitigates,5 +1076,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-6,mitigates,5 +1077,,T1574.011,Services Registry Permissions Weakness,[],[],,AC-6,mitigates,5 +1078,,T1609,Container Administration Command,[],[],,AC-6,mitigates,5 +1079,,T1610,Deploy Container,[],[],,AC-6,mitigates,5 +1080,,T1003,OS Credential Dumping,[],[],,AC-6,mitigates,5 +1081,,T1003.004,LSA Secrets,[],[],,AC-6,mitigates,5 +1082,,T1003.005,Cached Domain Credentials,[],[],,AC-6,mitigates,5 +1083,,T1003.006,DCSync,[],[],,AC-6,mitigates,5 +1084,,T1003.007,Proc Filesystem,[],[],,AC-6,mitigates,5 +1085,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-6,mitigates,5 +1086,,T1021,Remote Services,[],[],,AC-6,mitigates,5 +1087,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-6,mitigates,5 
+1088,,T1021.003,Distributed Component Object Model,[],[],,AC-6,mitigates,5 +1089,,T1021.004,SSH,[],[],,AC-6,mitigates,5 +1090,,T1021.005,VNC,[],[],,AC-6,mitigates,5 +1091,,T1021.006,Windows Remote Management,[],[],,AC-6,mitigates,5 +1092,,T1025,Data from Removable Media,[],[],,AC-6,mitigates,5 +1093,,T1036,Masquerading,[],[],,AC-6,mitigates,5 +1094,,T1036.003,Rename System Utilities,[],[],,AC-6,mitigates,5 +1095,,T1036.005,Match Legitimate Name or Location,[],[],,AC-6,mitigates,5 +1096,,T1041,Exfiltration Over C2 Channel,[],[],,AC-6,mitigates,5 +1097,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-6,mitigates,5 +1098,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-6,mitigates,5 +1099,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-6,mitigates,5 +1100,,T1052,Exfiltration Over Physical Medium,[],[],,AC-6,mitigates,5 +1101,,T1052.001,Exfiltration over USB,[],[],,AC-6,mitigates,5 +1102,,T1053.006,Systemd Timers,[],[],,AC-6,mitigates,5 +1103,,T1053.007,Container Orchestration Job,[],[],,AC-6,mitigates,5 +1104,,T1055.002,Portable Executable Injection,[],[],,AC-6,mitigates,5 +1105,,T1055.003,Thread Execution Hijacking,[],[],,AC-6,mitigates,5 +1106,,T1055.004,Asynchronous Procedure Call,[],[],,AC-6,mitigates,5 +1107,,T1055.005,Thread Local Storage,[],[],,AC-6,mitigates,5 +1108,,T1055.008,Ptrace System Calls,[],[],,AC-6,mitigates,5 +1109,,T1055.009,Proc Memory,[],[],,AC-6,mitigates,5 +1110,,T1055.011,Extra Window Memory Injection,[],[],,AC-6,mitigates,5 +1111,,T1055.012,Process Hollowing,[],[],,AC-6,mitigates,5 +1112,,T1055.013,Process Doppelgänging,[],[],,AC-6,mitigates,5 +1113,,T1056.003,Web Portal Capture,[],[],,AC-6,mitigates,5 +1114,,T1059.003,Windows Command Shell,[],[],,AC-6,mitigates,5 +1115,,T1059.004,Unix Shell,[],[],,AC-6,mitigates,5 +1116,,T1059.006,Python,[],[],,AC-6,mitigates,5 +1117,,T1059.007,JavaScript,[],[],,AC-6,mitigates,5 +1118,,T1070.002,Clear Linux or Mac System 
Logs,[],[],,AC-6,mitigates,5 +1119,,T1072,Software Deployment Tools,[],[],,AC-6,mitigates,5 +1120,,T1078.001,Default Accounts,[],[],,AC-6,mitigates,5 +1121,,T1078.003,Local Accounts,[],[],,AC-6,mitigates,5 +1122,,T1087.004,Cloud Account,[],[],,AC-6,mitigates,5 +1123,,T1110,Brute Force,[],[],,AC-6,mitigates,5 +1124,,T1110.003,Password Spraying,[],[],,AC-6,mitigates,5 +1125,,T1110.004,Credential Stuffing,[],[],,AC-6,mitigates,5 +1126,,T1112,Modify Registry,[],[],,AC-6,mitigates,5 +1127,,T1134,Access Token Manipulation,[],[],,AC-6,mitigates,5 +1128,,T1134.001,Token Impersonation/Theft,[],[],,AC-6,mitigates,5 +1129,,T1134.002,Create Process with Token,[],[],,AC-6,mitigates,5 +1130,,T1134.003,Make and Impersonate Token,[],[],,AC-6,mitigates,5 +1131,,T1134.005,SID-History Injection,[],[],,AC-6,mitigates,5 +1132,,T1136,Create Account,[],[],,AC-6,mitigates,5 +1133,,T1136.001,Local Account,[],[],,AC-6,mitigates,5 +1134,,T1136.002,Domain Account,[],[],,AC-6,mitigates,5 +1135,,T1136.003,Cloud Account,[],[],,AC-6,mitigates,5 +1136,,T1137,Office Application Startup,[],[],,AC-6,mitigates,5 +1137,,T1137.001,Office Template Macros,[],[],,AC-6,mitigates,5 +1138,,T1137.002,Office Test,[],[],,AC-6,mitigates,5 +1139,,T1137.003,Outlook Forms,[],[],,AC-6,mitigates,5 +1140,,T1137.004,Outlook Home Page,[],[],,AC-6,mitigates,5 +1141,,T1137.005,Outlook Rules,[],[],,AC-6,mitigates,5 +1142,,T1137.006,Add-ins,[],[],,AC-6,mitigates,5 +1143,,T1185,Browser Session Hijacking,[],[],,AC-6,mitigates,5 +1144,,T1213,Data from Information Repositories,[],[],,AC-6,mitigates,5 +1145,,T1213.001,Confluence,[],[],,AC-6,mitigates,5 +1146,,T1213.002,Sharepoint,[],[],,AC-6,mitigates,5 +1147,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-6,mitigates,5 +1148,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-6,mitigates,5 +1149,,T1484,Domain Policy Modification,[],[],,AC-6,mitigates,5 +1150,,T1485,Data Destruction,[],[],,AC-6,mitigates,5 +1151,,T1489,Service 
Stop,[],[],,AC-6,mitigates,5 +1152,,T1505.002,Transport Agent,[],[],,AC-6,mitigates,5 +1153,,T1505.004,IIS Components,[],[],,AC-6,mitigates,5 +1154,,T1538,Cloud Service Dashboard,[],[],,AC-6,mitigates,5 +1155,,T1539,Steal Web Session Cookie,[],[],,AC-6,mitigates,5 +1156,,T1542,Pre-OS Boot,[],[],,AC-6,mitigates,5 +1157,,T1542.001,System Firmware,[],[],,AC-6,mitigates,5 +1158,,T1542.003,Bootkit,[],[],,AC-6,mitigates,5 +1159,,T1542.004,ROMMONkit,[],[],,AC-6,mitigates,5 +1160,,T1542.005,TFTP Boot,[],[],,AC-6,mitigates,5 +1161,,T1543.002,Systemd Service,[],[],,AC-6,mitigates,5 +1162,,T1543.004,Launch Daemon,[],[],,AC-6,mitigates,5 +1163,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-6,mitigates,5 +1164,,T1546.011,Application Shimming,[],[],,AC-6,mitigates,5 +1165,,T1546.013,PowerShell Profile,[],[],,AC-6,mitigates,5 +1166,,T1547.012,Print Processors,[],[],,AC-6,mitigates,5 +1167,,T1547.013,XDG Autostart Entries,[],[],,AC-6,mitigates,5 +1168,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-6,mitigates,5 +1169,,T1550,Use Alternate Authentication Material,[],[],,AC-6,mitigates,5 +1170,,T1550.002,Pass the Hash,[],[],,AC-6,mitigates,5 +1171,,T1550.003,Pass the Ticket,[],[],,AC-6,mitigates,5 +1172,,T1552,Unsecured Credentials,[],[],,AC-6,mitigates,5 +1173,,T1552.001,Credentials In Files,[],[],,AC-6,mitigates,5 +1174,,T1552.002,Credentials in Registry,[],[],,AC-6,mitigates,5 +1175,,T1552.006,Group Policy Preferences,[],[],,AC-6,mitigates,5 +1176,,T1553,Subvert Trust Controls,[],[],,AC-6,mitigates,5 +1177,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-6,mitigates,5 +1178,,T1553.006,Code Signing Policy Modification,[],[],,AC-6,mitigates,5 +1179,,T1556.001,Domain Controller Authentication,[],[],,AC-6,mitigates,5 +1180,,T1556.003,Pluggable Authentication Modules,[],[],,AC-6,mitigates,5 +1181,,T1558.001,Golden Ticket,[],[],,AC-6,mitigates,5 +1182,,T1558.002,Silver Ticket,[],[],,AC-6,mitigates,5 +1183,,T1559.001,Component Object Model,[],[],,AC-6,mitigates,5 
+1184,,T1561,Disk Wipe,[],[],,AC-6,mitigates,5 +1185,,T1561.001,Disk Content Wipe,[],[],,AC-6,mitigates,5 +1186,,T1561.002,Disk Structure Wipe,[],[],,AC-6,mitigates,5 +1187,,T1562.002,Disable Windows Event Logging,[],[],,AC-6,mitigates,5 +1188,,T1562.004,Disable or Modify System Firewall,[],[],,AC-6,mitigates,5 +1189,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-6,mitigates,5 +1190,,T1562.009,Safe Mode Boot,[],[],,AC-6,mitigates,5 +1191,,T1563,Remote Service Session Hijacking,[],[],,AC-6,mitigates,5 +1192,,T1563.001,SSH Hijacking,[],[],,AC-6,mitigates,5 +1193,,T1563.002,RDP Hijacking,[],[],,AC-6,mitigates,5 +1194,,T1569,System Services,[],[],,AC-6,mitigates,5 +1195,,T1569.001,Launchctl,[],[],,AC-6,mitigates,5 +1196,,T1569.002,Service Execution,[],[],,AC-6,mitigates,5 +1197,,T1574.004,Dylib Hijacking,[],[],,AC-6,mitigates,5 +1198,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-6,mitigates,5 +1199,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-6,mitigates,5 +1200,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-6,mitigates,5 +1201,,T1574.010,Services File Permissions Weakness,[],[],,AC-6,mitigates,5 +1202,,T1574.012,COR_PROFILER,[],[],,AC-6,mitigates,5 +1203,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-6,mitigates,5 +1204,,T1578.001,Create Snapshot,[],[],,AC-6,mitigates,5 +1205,,T1578.002,Create Cloud Instance,[],[],,AC-6,mitigates,5 +1206,,T1578.003,Delete Cloud Instance,[],[],,AC-6,mitigates,5 +1207,,T1599.001,Network Address Translation Traversal,[],[],,AC-6,mitigates,5 +1208,,T1601,Modify System Image,[],[],,AC-6,mitigates,5 +1209,,T1601.001,Patch System Image,[],[],,AC-6,mitigates,5 +1210,,T1601.002,Downgrade System Image,[],[],,AC-6,mitigates,5 +1211,,T1606,Forge Web Credentials,[],[],,AC-6,mitigates,5 +1212,,T1606.001,Web Cookies,[],[],,AC-6,mitigates,5 +1213,,T1606.002,SAML Tokens,[],[],,AC-6,mitigates,5 +1214,,T1612,Build Image on Host,[],[],,AC-6,mitigates,5 +1215,,T1613,Container and Resource 
Discovery,[],[],,AC-6,mitigates,5 +1216,,T1619,Cloud Storage Object Discovery,[],[],,AC-6,mitigates,5 +1217,,T1003.001,LSASS Memory,[],[],,AC-6,mitigates,5 +1218,,T1003.002,Security Account Manager,[],[],,AC-6,mitigates,5 +1219,,T1003.003,NTDS,[],[],,AC-6,mitigates,5 +1220,,T1005,Data from Local System,[],[],,AC-6,mitigates,5 +1221,,T1055,Process Injection,[],[],,AC-6,mitigates,5 +1222,,T1055.001,Dynamic-link Library Injection,[],[],,AC-6,mitigates,5 +1223,,T1055.014,VDSO Hijacking,[],[],,AC-6,mitigates,5 +1224,,T1068,Exploitation for Privilege Escalation,[],[],,AC-6,mitigates,5 +1225,,T1078,Valid Accounts,[],[],,AC-6,mitigates,5 +1226,,T1091,Replication Through Removable Media,[],[],,AC-6,mitigates,5 +1227,,T1110.001,Password Guessing,[],[],,AC-6,mitigates,5 +1228,,T1110.002,Password Cracking,[],[],,AC-6,mitigates,5 +1229,,T1133,External Remote Services,[],[],,AC-6,mitigates,5 +1230,,T1199,Trusted Relationship,[],[],,AC-6,mitigates,5 +1231,,T1200,Hardware Additions,[],[],,AC-6,mitigates,5 +1232,,T1212,Exploitation for Credential Access,[],[],,AC-6,mitigates,5 +1233,,T1218,Signed Binary Proxy Execution,[],[],,AC-6,mitigates,5 +1234,,T1528,Steal Application Access Token,[],[],,AC-6,mitigates,5 +1235,,T1530,Data from Cloud Storage Object,[],[],,AC-6,mitigates,5 +1236,,T1552.007,Container API,[],[],,AC-6,mitigates,5 +1237,,T1556,Modify Authentication Process,[],[],,AC-6,mitigates,5 +1238,,T1580,Cloud Infrastructure Discovery,[],[],,AC-6,mitigates,5 +1239,,T1599,Network Boundary Bridging,[],[],,AC-6,mitigates,5 +1240,,T1611,Escape to Host,[],[],,AC-6,mitigates,5 +1241,,T1070.007,Clear Network Connection History and Configurations,[],[],,AC-6,mitigates,5 +1242,,T1070.008,Clear Mailbox Data,[],[],,AC-6,mitigates,5 +1243,,T1070.009,Clear Persistence,[],[],,AC-6,mitigates,5 +1244,,T1098.004,SSH Authorized Keys,[],[],,AC-6,mitigates,5 +1245,,T1098.005,Device Registration,[],[],,AC-6,mitigates,5 +1246,,T1505.005,Terminal Services DLL,[],[],,AC-6,mitigates,5 
+1247,,T1546.016,Installer Packages,[],[],,AC-6,mitigates,5 +1248,,T1647,Plist File Modification,[],[],,AC-6,mitigates,5 +1249,,T1648,Serverless Execution,[],[],,AC-6,mitigates,5 +1250,,T1556.005,Reversible Encryption,[],[],,AC-6,mitigates,5 +1251,,T1556.006,Multi-Factor Authentication,[],[],,AC-6,mitigates,5 +1252,,T1556.007,Hybrid Identity,[],[],,AC-6,mitigates,5 +1253,,T1621,Multi-Factor Authentication Request Generation,[],[],,AC-6,mitigates,5 +1254,,T1021.001,Remote Desktop Protocol,[],[],,AC-7,mitigates,5 +1255,,T1078.002,Domain Accounts,[],[],,AC-7,mitigates,5 +1256,,T1078.004,Cloud Accounts,[],[],,AC-7,mitigates,5 +1257,,T1556.004,Network Device Authentication,[],[],,AC-7,mitigates,5 +1258,,T1021,Remote Services,[],[],,AC-7,mitigates,5 +1259,,T1021.004,SSH,[],[],,AC-7,mitigates,5 +1260,,T1110,Brute Force,[],[],,AC-7,mitigates,5 +1261,,T1110.003,Password Spraying,[],[],,AC-7,mitigates,5 +1262,,T1110.004,Credential Stuffing,[],[],,AC-7,mitigates,5 +1263,,T1556.001,Domain Controller Authentication,[],[],,AC-7,mitigates,5 +1264,,T1556.003,Pluggable Authentication Modules,[],[],,AC-7,mitigates,5 +1265,,T1110.001,Password Guessing,[],[],,AC-7,mitigates,5 +1266,,T1110.002,Password Cracking,[],[],,AC-7,mitigates,5 +1267,,T1133,External Remote Services,[],[],,AC-7,mitigates,5 +1268,,T1530,Data from Cloud Storage Object,[],[],,AC-7,mitigates,5 +1269,,T1556,Modify Authentication Process,[],[],,AC-7,mitigates,5 +1270,,T1199,Trusted Relationship,[],[],,AC-8,mitigates,5 +1271,,T1556.006,Multi-Factor Authentication,[],[],,AU-1,mitigates,5 +1272,,T1556.007,Hybrid Identity,[],[],,AU-1,mitigates,5 +1273,,T1556.006,Multi-Factor Authentication,[],[],,AU-2,mitigates,5 +1274,,T1556.007,Hybrid Identity,[],[],,AU-2,mitigates,5 +1275,,T1593.003,Code Repositories,[],[],,AU-5,mitigates,5 +1276,,T1649,Steal or Forge Authentication Certificates,[],[],,AU-5,mitigates,5 +1277,,T1593.003,Code Repositories,[],[],,AU-6,mitigates,5 +1278,,T1190,Exploit Public-Facing 
Application,[],[],,CA-2,mitigates,5 +1279,,T1195,Supply Chain Compromise,[],[],,CA-2,mitigates,5 +1280,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-2,mitigates,5 +1281,,T1195.002,Compromise Software Supply Chain,[],[],,CA-2,mitigates,5 +1282,,T1210,Exploitation of Remote Services,[],[],,CA-2,mitigates,5 +1283,,T1020.001,Traffic Duplication,[],[],,CA-3,mitigates,5 +1284,,T1567,Exfiltration Over Web Service,[],[],,CA-3,mitigates,5 +1285,,T1041,Exfiltration Over C2 Channel,[],[],,CA-3,mitigates,5 +1286,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-3,mitigates,5 +1287,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-3,mitigates,5 +1288,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-3,mitigates,5 +1289,,T1037.002,Logon Script (Mac),[],[],,CA-7,mitigates,5 +1290,,T1037.005,Startup Items,[],[],,CA-7,mitigates,5 +1291,,T1059,Command and Scripting Interpreter,[],[],,CA-7,mitigates,5 +1292,,T1059.005,Visual Basic,[],[],,CA-7,mitigates,5 +1293,,T1070,Indicator Removal on Host,[],[],,CA-7,mitigates,5 +1294,,T1070.001,Clear Windows Event Logs,[],[],,CA-7,mitigates,5 +1295,,T1070.003,Clear Command History,[],[],,CA-7,mitigates,5 +1296,,T1078.004,Cloud Accounts,[],[],,CA-7,mitigates,5 +1297,,T1095,Non-Application Layer Protocol,[],[],,CA-7,mitigates,5 +1298,,T1105,Ingress Tool Transfer,[],[],,CA-7,mitigates,5 +1299,,T1176,Browser Extensions,[],[],,CA-7,mitigates,5 +1300,,T1189,Drive-by Compromise,[],[],,CA-7,mitigates,5 +1301,,T1190,Exploit Public-Facing Application,[],[],,CA-7,mitigates,5 +1302,,T1195,Supply Chain Compromise,[],[],,CA-7,mitigates,5 +1303,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-7,mitigates,5 +1304,,T1195.002,Compromise Software Supply Chain,[],[],,CA-7,mitigates,5 +1305,,T1197,BITS Jobs,[],[],,CA-7,mitigates,5 +1306,,T1203,Exploitation for Client Execution,[],[],,CA-7,mitigates,5 +1307,,T1205,Traffic 
Signaling,[],[],,CA-7,mitigates,5 +1308,,T1205.001,Port Knocking,[],[],,CA-7,mitigates,5 +1309,,T1210,Exploitation of Remote Services,[],[],,CA-7,mitigates,5 +1310,,T1211,Exploitation for Defense Evasion,[],[],,CA-7,mitigates,5 +1311,,T1213.003,Code Repositories,[],[],,CA-7,mitigates,5 +1312,,T1218.010,Regsvr32,[],[],,CA-7,mitigates,5 +1313,,T1218.012,Verclsid,[],[],,CA-7,mitigates,5 +1314,,T1219,Remote Access Software,[],[],,CA-7,mitigates,5 +1315,,T1221,Template Injection,[],[],,CA-7,mitigates,5 +1316,,T1222,File and Directory Permissions Modification,[],[],,CA-7,mitigates,5 +1317,,T1498.001,Direct Network Flood,[],[],,CA-7,mitigates,5 +1318,,T1498.002,Reflection Amplification,[],[],,CA-7,mitigates,5 +1319,,T1499,Endpoint Denial of Service,[],[],,CA-7,mitigates,5 +1320,,T1499.001,OS Exhaustion Flood,[],[],,CA-7,mitigates,5 +1321,,T1499.002,Service Exhaustion Flood,[],[],,CA-7,mitigates,5 +1322,,T1499.003,Application Exhaustion Flood,[],[],,CA-7,mitigates,5 +1323,,T1499.004,Application or System Exploitation,[],[],,CA-7,mitigates,5 +1324,,T1537,Transfer Data to Cloud Account,[],[],,CA-7,mitigates,5 +1325,,T1543,Create or Modify System Process,[],[],,CA-7,mitigates,5 +1326,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CA-7,mitigates,5 +1327,,T1547.003,Time Providers,[],[],,CA-7,mitigates,5 +1328,,T1548.003,Sudo and Sudo Caching,[],[],,CA-7,mitigates,5 +1329,,T1552.005,Cloud Instance Metadata API,[],[],,CA-7,mitigates,5 +1330,,T1555.002,Securityd Memory,[],[],,CA-7,mitigates,5 +1331,,T1558,Steal or Forge Kerberos Tickets,[],[],,CA-7,mitigates,5 +1332,,T1558.003,Kerberoasting,[],[],,CA-7,mitigates,5 +1333,,T1562,Impair Defenses,[],[],,CA-7,mitigates,5 +1334,,T1562.001,Disable or Modify Tools,[],[],,CA-7,mitigates,5 +1335,,T1562.006,Indicator Blocking,[],[],,CA-7,mitigates,5 +1336,,T1565,Data Manipulation,[],[],,CA-7,mitigates,5 +1337,,T1565.001,Stored Data Manipulation,[],[],,CA-7,mitigates,5 +1338,,T1565.003,Runtime Data 
Manipulation,[],[],,CA-7,mitigates,5 +1339,,T1567,Exfiltration Over Web Service,[],[],,CA-7,mitigates,5 +1340,,T1568.002,Domain Generation Algorithms,[],[],,CA-7,mitigates,5 +1341,,T1570,Lateral Tool Transfer,[],[],,CA-7,mitigates,5 +1342,,T1574,Hijack Execution Flow,[],[],,CA-7,mitigates,5 +1343,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-7,mitigates,5 +1344,,T1602.002,Network Device Configuration Dump,[],[],,CA-7,mitigates,5 +1345,,T1001,Data Obfuscation,[],[],,CA-7,mitigates,5 +1346,,T1001.001,Junk Data,[],[],,CA-7,mitigates,5 +1347,,T1001.002,Steganography,[],[],,CA-7,mitigates,5 +1348,,T1001.003,Protocol Impersonation,[],[],,CA-7,mitigates,5 +1349,,T1003,OS Credential Dumping,[],[],,CA-7,mitigates,5 +1350,,T1003.004,LSA Secrets,[],[],,CA-7,mitigates,5 +1351,,T1003.005,Cached Domain Credentials,[],[],,CA-7,mitigates,5 +1352,,T1003.006,DCSync,[],[],,CA-7,mitigates,5 +1353,,T1003.007,Proc Filesystem,[],[],,CA-7,mitigates,5 +1354,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CA-7,mitigates,5 +1355,,T1008,Fallback Channels,[],[],,CA-7,mitigates,5 +1356,,T1021.002,SMB/Windows Admin Shares,[],[],,CA-7,mitigates,5 +1357,,T1021.005,VNC,[],[],,CA-7,mitigates,5 +1358,,T1029,Scheduled Transfer,[],[],,CA-7,mitigates,5 +1359,,T1030,Data Transfer Size Limits,[],[],,CA-7,mitigates,5 +1360,,T1036,Masquerading,[],[],,CA-7,mitigates,5 +1361,,T1036.003,Rename System Utilities,[],[],,CA-7,mitigates,5 +1362,,T1036.005,Match Legitimate Name or Location,[],[],,CA-7,mitigates,5 +1363,,T1036.007,Double File Extension,[],[],,CA-7,mitigates,5 +1364,,T1037,Boot or Logon Initialization Scripts,[],[],,CA-7,mitigates,5 +1365,,T1037.003,Network Logon Script,[],[],,CA-7,mitigates,5 +1366,,T1037.004,RC Scripts,[],[],,CA-7,mitigates,5 +1367,,T1041,Exfiltration Over C2 Channel,[],[],,CA-7,mitigates,5 +1368,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-7,mitigates,5 +1369,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,5 
+1370,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,5 +1371,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-7,mitigates,5 +1372,,T1052,Exfiltration Over Physical Medium,[],[],,CA-7,mitigates,5 +1373,,T1052.001,Exfiltration over USB,[],[],,CA-7,mitigates,5 +1374,,T1053.006,Systemd Timers,[],[],,CA-7,mitigates,5 +1375,,T1055.009,Proc Memory,[],[],,CA-7,mitigates,5 +1376,,T1059.007,JavaScript,[],[],,CA-7,mitigates,5 +1377,,T1070.002,Clear Linux or Mac System Logs,[],[],,CA-7,mitigates,5 +1378,,T1071,Application Layer Protocol,[],[],,CA-7,mitigates,5 +1379,,T1071.001,Web Protocols,[],[],,CA-7,mitigates,5 +1380,,T1071.002,File Transfer Protocols,[],[],,CA-7,mitigates,5 +1381,,T1071.003,Mail Protocols,[],[],,CA-7,mitigates,5 +1382,,T1071.004,DNS,[],[],,CA-7,mitigates,5 +1383,,T1072,Software Deployment Tools,[],[],,CA-7,mitigates,5 +1384,,T1078.001,Default Accounts,[],[],,CA-7,mitigates,5 +1385,,T1078.003,Local Accounts,[],[],,CA-7,mitigates,5 +1386,,T1080,Taint Shared Content,[],[],,CA-7,mitigates,5 +1387,,T1090,Proxy,[],[],,CA-7,mitigates,5 +1388,,T1090.001,Internal Proxy,[],[],,CA-7,mitigates,5 +1389,,T1090.002,External Proxy,[],[],,CA-7,mitigates,5 +1390,,T1090.003,Multi-hop Proxy,[],[],,CA-7,mitigates,5 +1391,,T1102,Web Service,[],[],,CA-7,mitigates,5 +1392,,T1102.001,Dead Drop Resolver,[],[],,CA-7,mitigates,5 +1393,,T1102.002,Bidirectional Communication,[],[],,CA-7,mitigates,5 +1394,,T1102.003,One-Way Communication,[],[],,CA-7,mitigates,5 +1395,,T1104,Multi-Stage Channels,[],[],,CA-7,mitigates,5 +1396,,T1110,Brute Force,[],[],,CA-7,mitigates,5 +1397,,T1110.003,Password Spraying,[],[],,CA-7,mitigates,5 +1398,,T1110.004,Credential Stuffing,[],[],,CA-7,mitigates,5 +1399,,T1132,Data Encoding,[],[],,CA-7,mitigates,5 +1400,,T1132.001,Standard Encoding,[],[],,CA-7,mitigates,5 +1401,,T1132.002,Non-Standard Encoding,[],[],,CA-7,mitigates,5 +1402,,T1185,Browser Session Hijacking,[],[],,CA-7,mitigates,5 
+1403,,T1187,Forced Authentication,[],[],,CA-7,mitigates,5 +1404,,T1204.001,Malicious Link,[],[],,CA-7,mitigates,5 +1405,,T1204.003,Malicious Image,[],[],,CA-7,mitigates,5 +1406,,T1213,Data from Information Repositories,[],[],,CA-7,mitigates,5 +1407,,T1213.001,Confluence,[],[],,CA-7,mitigates,5 +1408,,T1213.002,Sharepoint,[],[],,CA-7,mitigates,5 +1409,,T1218.002,Control Panel,[],[],,CA-7,mitigates,5 +1410,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CA-7,mitigates,5 +1411,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CA-7,mitigates,5 +1412,,T1489,Service Stop,[],[],,CA-7,mitigates,5 +1413,,T1498,Network Denial of Service,[],[],,CA-7,mitigates,5 +1414,,T1539,Steal Web Session Cookie,[],[],,CA-7,mitigates,5 +1415,,T1542.004,ROMMONkit,[],[],,CA-7,mitigates,5 +1416,,T1542.005,TFTP Boot,[],[],,CA-7,mitigates,5 +1417,,T1543.002,Systemd Service,[],[],,CA-7,mitigates,5 +1418,,T1546.004,Unix Shell Configuration Modification,[],[],,CA-7,mitigates,5 +1419,,T1546.013,PowerShell Profile,[],[],,CA-7,mitigates,5 +1420,,T1547.013,XDG Autostart Entries,[],[],,CA-7,mitigates,5 +1421,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-7,mitigates,5 +1422,,T1550.003,Pass the Ticket,[],[],,CA-7,mitigates,5 +1423,,T1552,Unsecured Credentials,[],[],,CA-7,mitigates,5 +1424,,T1552.001,Credentials In Files,[],[],,CA-7,mitigates,5 +1425,,T1552.002,Credentials in Registry,[],[],,CA-7,mitigates,5 +1426,,T1552.004,Private Keys,[],[],,CA-7,mitigates,5 +1427,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CA-7,mitigates,5 +1428,,T1555,Credentials from Password Stores,[],[],,CA-7,mitigates,5 +1429,,T1556.001,Domain Controller Authentication,[],[],,CA-7,mitigates,5 +1430,,T1557.002,ARP Cache Poisoning,[],[],,CA-7,mitigates,5 +1431,,T1558.002,Silver Ticket,[],[],,CA-7,mitigates,5 +1432,,T1558.004,AS-REP Roasting,[],[],,CA-7,mitigates,5 +1433,,T1562.002,Disable Windows Event Logging,[],[],,CA-7,mitigates,5 +1434,,T1562.004,Disable or Modify 
System Firewall,[],[],,CA-7,mitigates,5 +1435,,T1563.001,SSH Hijacking,[],[],,CA-7,mitigates,5 +1436,,T1564.004,NTFS File Attributes,[],[],,CA-7,mitigates,5 +1437,,T1566,Phishing,[],[],,CA-7,mitigates,5 +1438,,T1566.001,Spearphishing Attachment,[],[],,CA-7,mitigates,5 +1439,,T1566.003,Spearphishing via Service,[],[],,CA-7,mitigates,5 +1440,,T1568,Dynamic Resolution,[],[],,CA-7,mitigates,5 +1441,,T1569,System Services,[],[],,CA-7,mitigates,5 +1442,,T1569.002,Service Execution,[],[],,CA-7,mitigates,5 +1443,,T1571,Non-Standard Port,[],[],,CA-7,mitigates,5 +1444,,T1572,Protocol Tunneling,[],[],,CA-7,mitigates,5 +1445,,T1573,Encrypted Channel,[],[],,CA-7,mitigates,5 +1446,,T1573.001,Symmetric Cryptography,[],[],,CA-7,mitigates,5 +1447,,T1573.002,Asymmetric Cryptography,[],[],,CA-7,mitigates,5 +1448,,T1574.004,Dylib Hijacking,[],[],,CA-7,mitigates,5 +1449,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-7,mitigates,5 +1450,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-7,mitigates,5 +1451,,T1598,Phishing for Information,[],[],,CA-7,mitigates,5 +1452,,T1598.001,Spearphishing Service,[],[],,CA-7,mitigates,5 +1453,,T1598.002,Spearphishing Attachment,[],[],,CA-7,mitigates,5 +1454,,T1599.001,Network Address Translation Traversal,[],[],,CA-7,mitigates,5 +1455,,T1602,Data from Configuration Repository,[],[],,CA-7,mitigates,5 +1456,,T1602.001,SNMP (MIB Dump),[],[],,CA-7,mitigates,5 +1457,,T1003.001,LSASS Memory,[],[],,CA-7,mitigates,5 +1458,,T1003.002,Security Account Manager,[],[],,CA-7,mitigates,5 +1459,,T1003.003,NTDS,[],[],,CA-7,mitigates,5 +1460,,T1046,Network Service Scanning,[],[],,CA-7,mitigates,5 +1461,,T1056.002,GUI Input Capture,[],[],,CA-7,mitigates,5 +1462,,T1068,Exploitation for Privilege Escalation,[],[],,CA-7,mitigates,5 +1463,,T1078,Valid Accounts,[],[],,CA-7,mitigates,5 +1464,,T1110.001,Password Guessing,[],[],,CA-7,mitigates,5 +1465,,T1110.002,Password Cracking,[],[],,CA-7,mitigates,5 +1466,,T1111,Two-Factor Authentication 
Interception,[],[],,CA-7,mitigates,5 +1467,,T1201,Password Policy Discovery,[],[],,CA-7,mitigates,5 +1468,,T1212,Exploitation for Credential Access,[],[],,CA-7,mitigates,5 +1469,,T1218,Signed Binary Proxy Execution,[],[],,CA-7,mitigates,5 +1470,,T1218.011,Rundll32,[],[],,CA-7,mitigates,5 +1471,,T1528,Steal Application Access Token,[],[],,CA-7,mitigates,5 +1472,,T1530,Data from Cloud Storage Object,[],[],,CA-7,mitigates,5 +1473,,T1555.001,Keychain,[],[],,CA-7,mitigates,5 +1474,,T1556,Modify Authentication Process,[],[],,CA-7,mitigates,5 +1475,,T1557,Adversary-in-the-Middle,[],[],,CA-7,mitigates,5 +1476,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CA-7,mitigates,5 +1477,,T1566.002,Spearphishing Link,[],[],,CA-7,mitigates,5 +1478,,T1598.003,Spearphishing Link,[],[],,CA-7,mitigates,5 +1479,,T1599,Network Boundary Bridging,[],[],,CA-7,mitigates,5 +1480,,T1204,User Execution,[],[],,CA-7,mitigates,5 +1481,,T1204.002,Malicious File,[],[],,CA-7,mitigates,5 +1482,,T1557.003,DHCP Spoofing,[],[],,CA-7,mitigates,5 +1483,,T1070.007,Clear Network Connection History and Configurations,[],[],,CA-7,mitigates,5 +1484,,T1070.008,Clear Mailbox Data,[],[],,CA-7,mitigates,5 +1485,,T1070.009,Clear Persistence,[],[],,CA-7,mitigates,5 +1486,,T1546.016,Installer Packages,[],[],,CA-7,mitigates,5 +1487,,T1564.010,Process Argument Spoofing,[],[],,CA-7,mitigates,5 +1488,,T1574.013,KernelCallbackTable,[],[],,CA-7,mitigates,5 +1489,,T1622,Debugger Evasion,[],[],,CA-7,mitigates,5 +1490,,T1647,Plist File Modification,[],[],,CA-7,mitigates,5 +1491,,T1021.001,Remote Desktop Protocol,[],[],,CA-8,mitigates,5 +1492,,T1053,Scheduled Task/Job,[],[],,CA-8,mitigates,5 +1493,,T1053.002,At (Windows),[],[],,CA-8,mitigates,5 +1494,,T1053.003,Cron,[],[],,CA-8,mitigates,5 +1495,,T1053.005,Scheduled Task,[],[],,CA-8,mitigates,5 +1496,,T1059,Command and Scripting Interpreter,[],[],,CA-8,mitigates,5 +1497,,T1176,Browser Extensions,[],[],,CA-8,mitigates,5 +1498,,T1210,Exploitation of Remote 
Services,[],[],,CA-8,mitigates,5 +1499,,T1211,Exploitation for Defense Evasion,[],[],,CA-8,mitigates,5 +1500,,T1495,Firmware Corruption,[],[],,CA-8,mitigates,5 +1501,,T1505,Server Software Component,[],[],,CA-8,mitigates,5 +1502,,T1525,Implant Internal Image,[],[],,CA-8,mitigates,5 +1503,,T1543,Create or Modify System Process,[],[],,CA-8,mitigates,5 +1504,,T1548.002,Bypass User Account Control,[],[],,CA-8,mitigates,5 +1505,,T1550.001,Application Access Token,[],[],,CA-8,mitigates,5 +1506,,T1562,Impair Defenses,[],[],,CA-8,mitigates,5 +1507,,T1574,Hijack Execution Flow,[],[],,CA-8,mitigates,5 +1508,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-8,mitigates,5 +1509,,T1021.005,VNC,[],[],,CA-8,mitigates,5 +1510,,T1204.003,Malicious Image,[],[],,CA-8,mitigates,5 +1511,,T1213,Data from Information Repositories,[],[],,CA-8,mitigates,5 +1512,,T1213.001,Confluence,[],[],,CA-8,mitigates,5 +1513,,T1213.002,Sharepoint,[],[],,CA-8,mitigates,5 +1514,,T1484,Domain Policy Modification,[],[],,CA-8,mitigates,5 +1515,,T1505.001,SQL Stored Procedures,[],[],,CA-8,mitigates,5 +1516,,T1505.002,Transport Agent,[],[],,CA-8,mitigates,5 +1517,,T1505.004,IIS Components,[],[],,CA-8,mitigates,5 +1518,,T1542,Pre-OS Boot,[],[],,CA-8,mitigates,5 +1519,,T1542.001,System Firmware,[],[],,CA-8,mitigates,5 +1520,,T1542.003,Bootkit,[],[],,CA-8,mitigates,5 +1521,,T1542.004,ROMMONkit,[],[],,CA-8,mitigates,5 +1522,,T1542.005,TFTP Boot,[],[],,CA-8,mitigates,5 +1523,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-8,mitigates,5 +1524,,T1552,Unsecured Credentials,[],[],,CA-8,mitigates,5 +1525,,T1552.001,Credentials In Files,[],[],,CA-8,mitigates,5 +1526,,T1552.002,Credentials in Registry,[],[],,CA-8,mitigates,5 +1527,,T1552.004,Private Keys,[],[],,CA-8,mitigates,5 +1528,,T1552.006,Group Policy Preferences,[],[],,CA-8,mitigates,5 +1529,,T1553,Subvert Trust Controls,[],[],,CA-8,mitigates,5 +1530,,T1553.006,Code Signing Policy Modification,[],[],,CA-8,mitigates,5 +1531,,T1554,Compromise 
Client Software Binary,[],[],,CA-8,mitigates,5 +1532,,T1558.004,AS-REP Roasting,[],[],,CA-8,mitigates,5 +1533,,T1560,Archive Collected Data,[],[],,CA-8,mitigates,5 +1534,,T1563,Remote Service Session Hijacking,[],[],,CA-8,mitigates,5 +1535,,T1574.001,DLL Search Order Hijacking,[],[],,CA-8,mitigates,5 +1536,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CA-8,mitigates,5 +1537,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-8,mitigates,5 +1538,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-8,mitigates,5 +1539,,T1574.010,Services File Permissions Weakness,[],[],,CA-8,mitigates,5 +1540,,T1578,Modify Cloud Compute Infrastructure,[],[],,CA-8,mitigates,5 +1541,,T1578.001,Create Snapshot,[],[],,CA-8,mitigates,5 +1542,,T1578.002,Create Cloud Instance,[],[],,CA-8,mitigates,5 +1543,,T1578.003,Delete Cloud Instance,[],[],,CA-8,mitigates,5 +1544,,T1601,Modify System Image,[],[],,CA-8,mitigates,5 +1545,,T1601.001,Patch System Image,[],[],,CA-8,mitigates,5 +1546,,T1601.002,Downgrade System Image,[],[],,CA-8,mitigates,5 +1547,,T1612,Build Image on Host,[],[],,CA-8,mitigates,5 +1548,,T1068,Exploitation for Privilege Escalation,[],[],,CA-8,mitigates,5 +1549,,T1195.003,Compromise Hardware Supply Chain,[],[],,CA-8,mitigates,5 +1550,,T1212,Exploitation for Credential Access,[],[],,CA-8,mitigates,5 +1551,,T1482,Domain Trust Discovery,[],[],,CA-8,mitigates,5 +1552,,T1528,Steal Application Access Token,[],[],,CA-8,mitigates,5 +1553,,T1530,Data from Cloud Storage Object,[],[],,CA-8,mitigates,5 +1554,,T1560.001,Archive via Utility,[],[],,CA-8,mitigates,5 +1555,,T1574.013,KernelCallbackTable,[],[],,CA-8,mitigates,5 +1556,,T1550.001,Application Access Token,[],[],,CM-10,mitigates,5 +1557,,T1559,Inter-Process Communication,[],[],,CM-10,mitigates,5 +1558,,T1559.002,Dynamic Data Exchange,[],[],,CM-10,mitigates,5 +1559,,T1562.006,Indicator Blocking,[],[],,CM-10,mitigates,5 +1560,,T1546.008,Accessibility Features,[],[],,CM-10,mitigates,5 
+1561,,T1546.013,PowerShell Profile,[],[],,CM-10,mitigates,5 +1562,,T1553,Subvert Trust Controls,[],[],,CM-10,mitigates,5 +1563,,T1553.004,Install Root Certificate,[],[],,CM-10,mitigates,5 +1564,,T1562.009,Safe Mode Boot,[],[],,CM-10,mitigates,5 +1565,,T1059,Command and Scripting Interpreter,[],[],,CM-11,mitigates,5 +1566,,T1176,Browser Extensions,[],[],,CM-11,mitigates,5 +1567,,T1195,Supply Chain Compromise,[],[],,CM-11,mitigates,5 +1568,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-11,mitigates,5 +1569,,T1195.002,Compromise Software Supply Chain,[],[],,CM-11,mitigates,5 +1570,,T1218.003,CMSTP,[],[],,CM-11,mitigates,5 +1571,,T1218.004,InstallUtil,[],[],,CM-11,mitigates,5 +1572,,T1218.008,Odbcconf,[],[],,CM-11,mitigates,5 +1573,,T1218.009,Regsvcs/Regasm,[],[],,CM-11,mitigates,5 +1574,,T1218.012,Verclsid,[],[],,CM-11,mitigates,5 +1575,,T1218.013,Mavinject,[],[],,CM-11,mitigates,5 +1576,,T1218.014,MMC,[],[],,CM-11,mitigates,5 +1577,,T1505,Server Software Component,[],[],,CM-11,mitigates,5 +1578,,T1543,Create or Modify System Process,[],[],,CM-11,mitigates,5 +1579,,T1543.001,Launch Agent,[],[],,CM-11,mitigates,5 +1580,,T1543.003,Windows Service,[],[],,CM-11,mitigates,5 +1581,,T1550.001,Application Access Token,[],[],,CM-11,mitigates,5 +1582,,T1021.005,VNC,[],[],,CM-11,mitigates,5 +1583,,T1059.006,Python,[],[],,CM-11,mitigates,5 +1584,,T1218.001,Compiled HTML File,[],[],,CM-11,mitigates,5 +1585,,T1218.002,Control Panel,[],[],,CM-11,mitigates,5 +1586,,T1218.005,Mshta,[],[],,CM-11,mitigates,5 +1587,,T1505.001,SQL Stored Procedures,[],[],,CM-11,mitigates,5 +1588,,T1505.002,Transport Agent,[],[],,CM-11,mitigates,5 +1589,,T1505.004,IIS Components,[],[],,CM-11,mitigates,5 +1590,,T1543.002,Systemd Service,[],[],,CM-11,mitigates,5 +1591,,T1543.004,Launch Daemon,[],[],,CM-11,mitigates,5 +1592,,T1547.013,XDG Autostart Entries,[],[],,CM-11,mitigates,5 +1593,,T1564.009,Resource Forking,[],[],,CM-11,mitigates,5 +1594,,T1569,System 
Services,[],[],,CM-11,mitigates,5 +1595,,T1569.001,Launchctl,[],[],,CM-11,mitigates,5 +1596,,T1218,Signed Binary Proxy Execution,[],[],,CM-11,mitigates,5 +1597,,T1025,Data from Removable Media,[],[],,CM-12,mitigates,5 +1598,,T1005,Data from Local System,[],[],,CM-12,mitigates,5 +1599,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-2,mitigates,5 +1600,,T1020.001,Traffic Duplication,[],[],,CM-2,mitigates,5 +1601,,T1021.001,Remote Desktop Protocol,[],[],,CM-2,mitigates,5 +1602,,T1027,Obfuscated Files or Information,[],[],,CM-2,mitigates,5 +1603,,T1037.002,Logon Script (Mac),[],[],,CM-2,mitigates,5 +1604,,T1037.005,Startup Items,[],[],,CM-2,mitigates,5 +1605,,T1047,Windows Management Instrumentation,[],[],,CM-2,mitigates,5 +1606,,T1053,Scheduled Task/Job,[],[],,CM-2,mitigates,5 +1607,,T1053.002,At (Windows),[],[],,CM-2,mitigates,5 +1608,,T1053.005,Scheduled Task,[],[],,CM-2,mitigates,5 +1609,,T1059,Command and Scripting Interpreter,[],[],,CM-2,mitigates,5 +1610,,T1059.001,PowerShell,[],[],,CM-2,mitigates,5 +1611,,T1059.002,AppleScript,[],[],,CM-2,mitigates,5 +1612,,T1059.005,Visual Basic,[],[],,CM-2,mitigates,5 +1613,,T1059.008,Network Device CLI,[],[],,CM-2,mitigates,5 +1614,,T1070,Indicator Removal on Host,[],[],,CM-2,mitigates,5 +1615,,T1070.001,Clear Windows Event Logs,[],[],,CM-2,mitigates,5 +1616,,T1070.003,Clear Command History,[],[],,CM-2,mitigates,5 +1617,,T1095,Non-Application Layer Protocol,[],[],,CM-2,mitigates,5 +1618,,T1098.004,SSH Authorized Keys,[],[],,CM-2,mitigates,5 +1619,,T1105,Ingress Tool Transfer,[],[],,CM-2,mitigates,5 +1620,,T1106,Native API,[],[],,CM-2,mitigates,5 +1621,,T1129,Shared Modules,[],[],,CM-2,mitigates,5 +1622,,T1176,Browser Extensions,[],[],,CM-2,mitigates,5 +1623,,T1189,Drive-by Compromise,[],[],,CM-2,mitigates,5 +1624,,T1205,Traffic Signaling,[],[],,CM-2,mitigates,5 +1625,,T1210,Exploitation of Remote Services,[],[],,CM-2,mitigates,5 +1626,,T1211,Exploitation for Defense Evasion,[],[],,CM-2,mitigates,5 +1627,,T1216,Signed Script 
Proxy Execution,[],[],,CM-2,mitigates,5 +1628,,T1216.001,PubPrn,[],[],,CM-2,mitigates,5 +1629,,T1218.003,CMSTP,[],[],,CM-2,mitigates,5 +1630,,T1218.004,InstallUtil,[],[],,CM-2,mitigates,5 +1631,,T1218.007,Msiexec,[],[],,CM-2,mitigates,5 +1632,,T1218.008,Odbcconf,[],[],,CM-2,mitigates,5 +1633,,T1218.009,Regsvcs/Regasm,[],[],,CM-2,mitigates,5 +1634,,T1218.012,Verclsid,[],[],,CM-2,mitigates,5 +1635,,T1218.013,Mavinject,[],[],,CM-2,mitigates,5 +1636,,T1218.014,MMC,[],[],,CM-2,mitigates,5 +1637,,T1219,Remote Access Software,[],[],,CM-2,mitigates,5 +1638,,T1221,Template Injection,[],[],,CM-2,mitigates,5 +1639,,T1486,Data Encrypted for Impact,[],[],,CM-2,mitigates,5 +1640,,T1490,Inhibit System Recovery,[],[],,CM-2,mitigates,5 +1641,,T1491,Defacement,[],[],,CM-2,mitigates,5 +1642,,T1491.001,Internal Defacement,[],[],,CM-2,mitigates,5 +1643,,T1491.002,External Defacement,[],[],,CM-2,mitigates,5 +1644,,T1505,Server Software Component,[],[],,CM-2,mitigates,5 +1645,,T1505.003,Web Shell,[],[],,CM-2,mitigates,5 +1646,,T1525,Implant Internal Image,[],[],,CM-2,mitigates,5 +1647,,T1543,Create or Modify System Process,[],[],,CM-2,mitigates,5 +1648,,T1543.001,Launch Agent,[],[],,CM-2,mitigates,5 +1649,,T1543.003,Windows Service,[],[],,CM-2,mitigates,5 +1650,,T1546,Event Triggered Execution,[],[],,CM-2,mitigates,5 +1651,,T1546.002,Screensaver,[],[],,CM-2,mitigates,5 +1652,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-2,mitigates,5 +1653,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-2,mitigates,5 +1654,,T1547.003,Time Providers,[],[],,CM-2,mitigates,5 +1655,,T1547.007,Re-opened Applications,[],[],,CM-2,mitigates,5 +1656,,T1547.008,LSASS Driver,[],[],,CM-2,mitigates,5 +1657,,T1548.002,Bypass User Account Control,[],[],,CM-2,mitigates,5 +1658,,T1548.003,Sudo and Sudo Caching,[],[],,CM-2,mitigates,5 +1659,,T1550.001,Application Access Token,[],[],,CM-2,mitigates,5 +1660,,T1553.001,Gatekeeper Bypass,[],[],,CM-2,mitigates,5 +1661,,T1553.005,Mark-of-the-Web 
Bypass,[],[],,CM-2,mitigates,5 +1662,,T1556.004,Network Device Authentication,[],[],,CM-2,mitigates,5 +1663,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-2,mitigates,5 +1664,,T1558.003,Kerberoasting,[],[],,CM-2,mitigates,5 +1665,,T1559,Inter-Process Communication,[],[],,CM-2,mitigates,5 +1666,,T1559.002,Dynamic Data Exchange,[],[],,CM-2,mitigates,5 +1667,,T1562,Impair Defenses,[],[],,CM-2,mitigates,5 +1668,,T1562.001,Disable or Modify Tools,[],[],,CM-2,mitigates,5 +1669,,T1562.003,Impair Command History Logging,[],[],,CM-2,mitigates,5 +1670,,T1562.006,Indicator Blocking,[],[],,CM-2,mitigates,5 +1671,,T1562.010,Downgrade Attack,[],[],,CM-2,mitigates,5 +1672,,T1565,Data Manipulation,[],[],,CM-2,mitigates,5 +1673,,T1565.001,Stored Data Manipulation,[],[],,CM-2,mitigates,5 +1674,,T1565.002,Transmitted Data Manipulation,[],[],,CM-2,mitigates,5 +1675,,T1570,Lateral Tool Transfer,[],[],,CM-2,mitigates,5 +1676,,T1574,Hijack Execution Flow,[],[],,CM-2,mitigates,5 +1677,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-2,mitigates,5 +1678,,T1602.002,Network Device Configuration Dump,[],[],,CM-2,mitigates,5 +1679,,T1001,Data Obfuscation,[],[],,CM-2,mitigates,5 +1680,,T1001.001,Junk Data,[],[],,CM-2,mitigates,5 +1681,,T1001.002,Steganography,[],[],,CM-2,mitigates,5 +1682,,T1001.003,Protocol Impersonation,[],[],,CM-2,mitigates,5 +1683,,T1003,OS Credential Dumping,[],[],,CM-2,mitigates,5 +1684,,T1003.004,LSA Secrets,[],[],,CM-2,mitigates,5 +1685,,T1003.005,Cached Domain Credentials,[],[],,CM-2,mitigates,5 +1686,,T1003.006,DCSync,[],[],,CM-2,mitigates,5 +1687,,T1003.007,Proc Filesystem,[],[],,CM-2,mitigates,5 +1688,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-2,mitigates,5 +1689,,T1008,Fallback Channels,[],[],,CM-2,mitigates,5 +1690,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-2,mitigates,5 +1691,,T1021.003,Distributed Component Object Model,[],[],,CM-2,mitigates,5 +1692,,T1021.004,SSH,[],[],,CM-2,mitigates,5 +1693,,T1021.005,VNC,[],[],,CM-2,mitigates,5 
+1694,,T1021.006,Windows Remote Management,[],[],,CM-2,mitigates,5 +1695,,T1029,Scheduled Transfer,[],[],,CM-2,mitigates,5 +1696,,T1030,Data Transfer Size Limits,[],[],,CM-2,mitigates,5 +1697,,T1036,Masquerading,[],[],,CM-2,mitigates,5 +1698,,T1036.001,Invalid Code Signature,[],[],,CM-2,mitigates,5 +1699,,T1036.003,Rename System Utilities,[],[],,CM-2,mitigates,5 +1700,,T1036.005,Match Legitimate Name or Location,[],[],,CM-2,mitigates,5 +1701,,T1036.007,Double File Extension,[],[],,CM-2,mitigates,5 +1702,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-2,mitigates,5 +1703,,T1037.003,Network Logon Script,[],[],,CM-2,mitigates,5 +1704,,T1037.004,RC Scripts,[],[],,CM-2,mitigates,5 +1705,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-2,mitigates,5 +1706,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,5 +1707,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,5 +1708,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-2,mitigates,5 +1709,,T1052,Exfiltration Over Physical Medium,[],[],,CM-2,mitigates,5 +1710,,T1052.001,Exfiltration over USB,[],[],,CM-2,mitigates,5 +1711,,T1059.003,Windows Command Shell,[],[],,CM-2,mitigates,5 +1712,,T1059.004,Unix Shell,[],[],,CM-2,mitigates,5 +1713,,T1059.006,Python,[],[],,CM-2,mitigates,5 +1714,,T1059.007,JavaScript,[],[],,CM-2,mitigates,5 +1715,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-2,mitigates,5 +1716,,T1071,Application Layer Protocol,[],[],,CM-2,mitigates,5 +1717,,T1071.001,Web Protocols,[],[],,CM-2,mitigates,5 +1718,,T1071.002,File Transfer Protocols,[],[],,CM-2,mitigates,5 +1719,,T1071.003,Mail Protocols,[],[],,CM-2,mitigates,5 +1720,,T1071.004,DNS,[],[],,CM-2,mitigates,5 +1721,,T1072,Software Deployment Tools,[],[],,CM-2,mitigates,5 +1722,,T1080,Taint Shared Content,[],[],,CM-2,mitigates,5 +1723,,T1090,Proxy,[],[],,CM-2,mitigates,5 +1724,,T1090.001,Internal Proxy,[],[],,CM-2,mitigates,5 
+1725,,T1090.002,External Proxy,[],[],,CM-2,mitigates,5 +1726,,T1092,Communication Through Removable Media,[],[],,CM-2,mitigates,5 +1727,,T1102,Web Service,[],[],,CM-2,mitigates,5 +1728,,T1102.001,Dead Drop Resolver,[],[],,CM-2,mitigates,5 +1729,,T1102.002,Bidirectional Communication,[],[],,CM-2,mitigates,5 +1730,,T1102.003,One-Way Communication,[],[],,CM-2,mitigates,5 +1731,,T1104,Multi-Stage Channels,[],[],,CM-2,mitigates,5 +1732,,T1110,Brute Force,[],[],,CM-2,mitigates,5 +1733,,T1110.003,Password Spraying,[],[],,CM-2,mitigates,5 +1734,,T1110.004,Credential Stuffing,[],[],,CM-2,mitigates,5 +1735,,T1114,Email Collection,[],[],,CM-2,mitigates,5 +1736,,T1114.002,Remote Email Collection,[],[],,CM-2,mitigates,5 +1737,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-2,mitigates,5 +1738,,T1127.001,MSBuild,[],[],,CM-2,mitigates,5 +1739,,T1132,Data Encoding,[],[],,CM-2,mitigates,5 +1740,,T1132.001,Standard Encoding,[],[],,CM-2,mitigates,5 +1741,,T1132.002,Non-Standard Encoding,[],[],,CM-2,mitigates,5 +1742,,T1134.005,SID-History Injection,[],[],,CM-2,mitigates,5 +1743,,T1137,Office Application Startup,[],[],,CM-2,mitigates,5 +1744,,T1137.001,Office Template Macros,[],[],,CM-2,mitigates,5 +1745,,T1137.002,Office Test,[],[],,CM-2,mitigates,5 +1746,,T1137.003,Outlook Forms,[],[],,CM-2,mitigates,5 +1747,,T1137.004,Outlook Home Page,[],[],,CM-2,mitigates,5 +1748,,T1137.005,Outlook Rules,[],[],,CM-2,mitigates,5 +1749,,T1137.006,Add-ins,[],[],,CM-2,mitigates,5 +1750,,T1185,Browser Session Hijacking,[],[],,CM-2,mitigates,5 +1751,,T1187,Forced Authentication,[],[],,CM-2,mitigates,5 +1752,,T1204.001,Malicious Link,[],[],,CM-2,mitigates,5 +1753,,T1204.003,Malicious Image,[],[],,CM-2,mitigates,5 +1754,,T1213,Data from Information Repositories,[],[],,CM-2,mitigates,5 +1755,,T1213.001,Confluence,[],[],,CM-2,mitigates,5 +1756,,T1213.002,Sharepoint,[],[],,CM-2,mitigates,5 +1757,,T1218.001,Compiled HTML File,[],[],,CM-2,mitigates,5 +1758,,T1218.002,Control 
Panel,[],[],,CM-2,mitigates,5 +1759,,T1218.005,Mshta,[],[],,CM-2,mitigates,5 +1760,,T1220,XSL Script Processing,[],[],,CM-2,mitigates,5 +1761,,T1484,Domain Policy Modification,[],[],,CM-2,mitigates,5 +1762,,T1485,Data Destruction,[],[],,CM-2,mitigates,5 +1763,,T1505.001,SQL Stored Procedures,[],[],,CM-2,mitigates,5 +1764,,T1505.002,Transport Agent,[],[],,CM-2,mitigates,5 +1765,,T1505.004,IIS Components,[],[],,CM-2,mitigates,5 +1766,,T1539,Steal Web Session Cookie,[],[],,CM-2,mitigates,5 +1767,,T1542.004,ROMMONkit,[],[],,CM-2,mitigates,5 +1768,,T1542.005,TFTP Boot,[],[],,CM-2,mitigates,5 +1769,,T1543.002,Systemd Service,[],[],,CM-2,mitigates,5 +1770,,T1543.004,Launch Daemon,[],[],,CM-2,mitigates,5 +1771,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-2,mitigates,5 +1772,,T1546.010,AppInit DLLs,[],[],,CM-2,mitigates,5 +1773,,T1546.013,PowerShell Profile,[],[],,CM-2,mitigates,5 +1774,,T1546.014,Emond,[],[],,CM-2,mitigates,5 +1775,,T1547.013,XDG Autostart Entries,[],[],,CM-2,mitigates,5 +1776,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-2,mitigates,5 +1777,,T1548.004,Elevated Execution with Prompt,[],[],,CM-2,mitigates,5 +1778,,T1550.003,Pass the Ticket,[],[],,CM-2,mitigates,5 +1779,,T1552,Unsecured Credentials,[],[],,CM-2,mitigates,5 +1780,,T1552.001,Credentials In Files,[],[],,CM-2,mitigates,5 +1781,,T1552.004,Private Keys,[],[],,CM-2,mitigates,5 +1782,,T1552.006,Group Policy Preferences,[],[],,CM-2,mitigates,5 +1783,,T1553,Subvert Trust Controls,[],[],,CM-2,mitigates,5 +1784,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-2,mitigates,5 +1785,,T1554,Compromise Client Software Binary,[],[],,CM-2,mitigates,5 +1786,,T1555.005,Password Managers,[],[],,CM-2,mitigates,5 +1787,,T1557.002,ARP Cache Poisoning,[],[],,CM-2,mitigates,5 +1788,,T1558.001,Golden Ticket,[],[],,CM-2,mitigates,5 +1789,,T1558.002,Silver Ticket,[],[],,CM-2,mitigates,5 +1790,,T1558.004,AS-REP Roasting,[],[],,CM-2,mitigates,5 +1791,,T1559.001,Component Object 
Model,[],[],,CM-2,mitigates,5 +1792,,T1561,Disk Wipe,[],[],,CM-2,mitigates,5 +1793,,T1561.001,Disk Content Wipe,[],[],,CM-2,mitigates,5 +1794,,T1561.002,Disk Structure Wipe,[],[],,CM-2,mitigates,5 +1795,,T1562.002,Disable Windows Event Logging,[],[],,CM-2,mitigates,5 +1796,,T1562.004,Disable or Modify System Firewall,[],[],,CM-2,mitigates,5 +1797,,T1563,Remote Service Session Hijacking,[],[],,CM-2,mitigates,5 +1798,,T1563.001,SSH Hijacking,[],[],,CM-2,mitigates,5 +1799,,T1563.002,RDP Hijacking,[],[],,CM-2,mitigates,5 +1800,,T1564.006,Run Virtual Instance,[],[],,CM-2,mitigates,5 +1801,,T1564.007,VBA Stomping,[],[],,CM-2,mitigates,5 +1802,,T1564.009,Resource Forking,[],[],,CM-2,mitigates,5 +1803,,T1566,Phishing,[],[],,CM-2,mitigates,5 +1804,,T1566.001,Spearphishing Attachment,[],[],,CM-2,mitigates,5 +1805,,T1569,System Services,[],[],,CM-2,mitigates,5 +1806,,T1569.002,Service Execution,[],[],,CM-2,mitigates,5 +1807,,T1571,Non-Standard Port,[],[],,CM-2,mitigates,5 +1808,,T1572,Protocol Tunneling,[],[],,CM-2,mitigates,5 +1809,,T1573,Encrypted Channel,[],[],,CM-2,mitigates,5 +1810,,T1573.001,Symmetric Cryptography,[],[],,CM-2,mitigates,5 +1811,,T1573.002,Asymmetric Cryptography,[],[],,CM-2,mitigates,5 +1812,,T1574.001,DLL Search Order Hijacking,[],[],,CM-2,mitigates,5 +1813,,T1574.004,Dylib Hijacking,[],[],,CM-2,mitigates,5 +1814,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-2,mitigates,5 +1815,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-2,mitigates,5 +1816,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-2,mitigates,5 +1817,,T1574.010,Services File Permissions Weakness,[],[],,CM-2,mitigates,5 +1818,,T1598,Phishing for Information,[],[],,CM-2,mitigates,5 +1819,,T1598.002,Spearphishing Attachment,[],[],,CM-2,mitigates,5 +1820,,T1599.001,Network Address Translation Traversal,[],[],,CM-2,mitigates,5 +1821,,T1601,Modify System Image,[],[],,CM-2,mitigates,5 +1822,,T1601.001,Patch System Image,[],[],,CM-2,mitigates,5 
+1823,,T1601.002,Downgrade System Image,[],[],,CM-2,mitigates,5 +1824,,T1602,Data from Configuration Repository,[],[],,CM-2,mitigates,5 +1825,,T1602.001,SNMP (MIB Dump),[],[],,CM-2,mitigates,5 +1826,,T1003.001,LSASS Memory,[],[],,CM-2,mitigates,5 +1827,,T1003.002,Security Account Manager,[],[],,CM-2,mitigates,5 +1828,,T1003.003,NTDS,[],[],,CM-2,mitigates,5 +1829,,T1046,Network Service Scanning,[],[],,CM-2,mitigates,5 +1830,,T1068,Exploitation for Privilege Escalation,[],[],,CM-2,mitigates,5 +1831,,T1091,Replication Through Removable Media,[],[],,CM-2,mitigates,5 +1832,,T1110.001,Password Guessing,[],[],,CM-2,mitigates,5 +1833,,T1110.002,Password Cracking,[],[],,CM-2,mitigates,5 +1834,,T1111,Two-Factor Authentication Interception,[],[],,CM-2,mitigates,5 +1835,,T1119,Automated Collection,[],[],,CM-2,mitigates,5 +1836,,T1133,External Remote Services,[],[],,CM-2,mitigates,5 +1837,,T1201,Password Policy Discovery,[],[],,CM-2,mitigates,5 +1838,,T1212,Exploitation for Credential Access,[],[],,CM-2,mitigates,5 +1839,,T1218,Signed Binary Proxy Execution,[],[],,CM-2,mitigates,5 +1840,,T1528,Steal Application Access Token,[],[],,CM-2,mitigates,5 +1841,,T1530,Data from Cloud Storage Object,[],[],,CM-2,mitigates,5 +1842,,T1555.004,Windows Credential Manager,[],[],,CM-2,mitigates,5 +1843,,T1556,Modify Authentication Process,[],[],,CM-2,mitigates,5 +1844,,T1557,Adversary-in-the-Middle,[],[],,CM-2,mitigates,5 +1845,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-2,mitigates,5 +1846,,T1566.002,Spearphishing Link,[],[],,CM-2,mitigates,5 +1847,,T1598.003,Spearphishing Link,[],[],,CM-2,mitigates,5 +1848,,T1599,Network Boundary Bridging,[],[],,CM-2,mitigates,5 +1849,,T1204,User Execution,[],[],,CM-2,mitigates,5 +1850,,T1204.002,Malicious File,[],[],,CM-2,mitigates,5 +1851,,T1557.003,DHCP Spoofing,[],[],,CM-2,mitigates,5 +1852,,T1070.007,Clear Network Connection History and Configurations,[],[],,CM-2,mitigates,5 +1853,,T1070.008,Clear Mailbox Data,[],[],,CM-2,mitigates,5 
+1854,,T1070.009,Clear Persistence,[],[],,CM-2,mitigates,5 +1855,,T1505.005,Terminal Services DLL,[],[],,CM-2,mitigates,5 +1856,,T1622,Debugger Evasion,[],[],,CM-2,mitigates,5 +1857,,T1647,Plist File Modification,[],[],,CM-2,mitigates,5 +1858,,T1176,Browser Extensions,[],[],,CM-3,mitigates,5 +1859,,T1495,Firmware Corruption,[],[],,CM-3,mitigates,5 +1860,,T1543,Create or Modify System Process,[],[],,CM-3,mitigates,5 +1861,,T1547.007,Re-opened Applications,[],[],,CM-3,mitigates,5 +1862,,T1021.005,VNC,[],[],,CM-3,mitigates,5 +1863,,T1059.006,Python,[],[],,CM-3,mitigates,5 +1864,,T1213,Data from Information Repositories,[],[],,CM-3,mitigates,5 +1865,,T1213.001,Confluence,[],[],,CM-3,mitigates,5 +1866,,T1213.002,Sharepoint,[],[],,CM-3,mitigates,5 +1867,,T1542,Pre-OS Boot,[],[],,CM-3,mitigates,5 +1868,,T1542.001,System Firmware,[],[],,CM-3,mitigates,5 +1869,,T1542.003,Bootkit,[],[],,CM-3,mitigates,5 +1870,,T1542.004,ROMMONkit,[],[],,CM-3,mitigates,5 +1871,,T1542.005,TFTP Boot,[],[],,CM-3,mitigates,5 +1872,,T1543.002,Systemd Service,[],[],,CM-3,mitigates,5 +1873,,T1547.013,XDG Autostart Entries,[],[],,CM-3,mitigates,5 +1874,,T1553,Subvert Trust Controls,[],[],,CM-3,mitigates,5 +1875,,T1553.006,Code Signing Policy Modification,[],[],,CM-3,mitigates,5 +1876,,T1564.008,Email Hiding Rules,[],[],,CM-3,mitigates,5 +1877,,T1601,Modify System Image,[],[],,CM-3,mitigates,5 +1878,,T1601.001,Patch System Image,[],[],,CM-3,mitigates,5 +1879,,T1601.002,Downgrade System Image,[],[],,CM-3,mitigates,5 +1880,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-3,mitigates,5 +1881,,T1647,Plist File Modification,[],[],,CM-3,mitigates,5 +1882,,T1021.001,Remote Desktop Protocol,[],[],,CM-5,mitigates,5 +1883,,T1047,Windows Management Instrumentation,[],[],,CM-5,mitigates,5 +1884,,T1053,Scheduled Task/Job,[],[],,CM-5,mitigates,5 +1885,,T1053.002,At (Windows),[],[],,CM-5,mitigates,5 +1886,,T1053.003,Cron,[],[],,CM-5,mitigates,5 +1887,,T1053.005,Scheduled Task,[],[],,CM-5,mitigates,5 
+1888,,T1059,Command and Scripting Interpreter,[],[],,CM-5,mitigates,5 +1889,,T1059.001,PowerShell,[],[],,CM-5,mitigates,5 +1890,,T1059.008,Network Device CLI,[],[],,CM-5,mitigates,5 +1891,,T1078.002,Domain Accounts,[],[],,CM-5,mitigates,5 +1892,,T1078.004,Cloud Accounts,[],[],,CM-5,mitigates,5 +1893,,T1098,Account Manipulation,[],[],,CM-5,mitigates,5 +1894,,T1098.001,Additional Cloud Credentials,[],[],,CM-5,mitigates,5 +1895,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-5,mitigates,5 +1896,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-5,mitigates,5 +1897,,T1176,Browser Extensions,[],[],,CM-5,mitigates,5 +1898,,T1190,Exploit Public-Facing Application,[],[],,CM-5,mitigates,5 +1899,,T1197,BITS Jobs,[],[],,CM-5,mitigates,5 +1900,,T1210,Exploitation of Remote Services,[],[],,CM-5,mitigates,5 +1901,,T1218.007,Msiexec,[],[],,CM-5,mitigates,5 +1902,,T1222,File and Directory Permissions Modification,[],[],,CM-5,mitigates,5 +1903,,T1495,Firmware Corruption,[],[],,CM-5,mitigates,5 +1904,,T1505,Server Software Component,[],[],,CM-5,mitigates,5 +1905,,T1525,Implant Internal Image,[],[],,CM-5,mitigates,5 +1906,,T1537,Transfer Data to Cloud Account,[],[],,CM-5,mitigates,5 +1907,,T1543,Create or Modify System Process,[],[],,CM-5,mitigates,5 +1908,,T1543.001,Launch Agent,[],[],,CM-5,mitigates,5 +1909,,T1543.003,Windows Service,[],[],,CM-5,mitigates,5 +1910,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-5,mitigates,5 +1911,,T1547.003,Time Providers,[],[],,CM-5,mitigates,5 +1912,,T1547.004,Winlogon Helper DLL,[],[],,CM-5,mitigates,5 +1913,,T1547.006,Kernel Modules and Extensions,[],[],,CM-5,mitigates,5 +1914,,T1547.007,Re-opened Applications,[],[],,CM-5,mitigates,5 +1915,,T1547.009,Shortcut Modification,[],[],,CM-5,mitigates,5 +1916,,T1548.002,Bypass User Account Control,[],[],,CM-5,mitigates,5 +1917,,T1548.003,Sudo and Sudo Caching,[],[],,CM-5,mitigates,5 +1918,,T1556.004,Network Device Authentication,[],[],,CM-5,mitigates,5 
+1919,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-5,mitigates,5 +1920,,T1558.003,Kerberoasting,[],[],,CM-5,mitigates,5 +1921,,T1559,Inter-Process Communication,[],[],,CM-5,mitigates,5 +1922,,T1562,Impair Defenses,[],[],,CM-5,mitigates,5 +1923,,T1562.001,Disable or Modify Tools,[],[],,CM-5,mitigates,5 +1924,,T1562.006,Indicator Blocking,[],[],,CM-5,mitigates,5 +1925,,T1562.008,Disable Cloud Logs,[],[],,CM-5,mitigates,5 +1926,,T1574,Hijack Execution Flow,[],[],,CM-5,mitigates,5 +1927,,T1574.011,Services Registry Permissions Weakness,[],[],,CM-5,mitigates,5 +1928,,T1003,OS Credential Dumping,[],[],,CM-5,mitigates,5 +1929,,T1003.004,LSA Secrets,[],[],,CM-5,mitigates,5 +1930,,T1003.005,Cached Domain Credentials,[],[],,CM-5,mitigates,5 +1931,,T1003.006,DCSync,[],[],,CM-5,mitigates,5 +1932,,T1003.007,Proc Filesystem,[],[],,CM-5,mitigates,5 +1933,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-5,mitigates,5 +1934,,T1021,Remote Services,[],[],,CM-5,mitigates,5 +1935,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-5,mitigates,5 +1936,,T1021.003,Distributed Component Object Model,[],[],,CM-5,mitigates,5 +1937,,T1021.004,SSH,[],[],,CM-5,mitigates,5 +1938,,T1021.005,VNC,[],[],,CM-5,mitigates,5 +1939,,T1021.006,Windows Remote Management,[],[],,CM-5,mitigates,5 +1940,,T1053.006,Systemd Timers,[],[],,CM-5,mitigates,5 +1941,,T1053.007,Container Orchestration Job,[],[],,CM-5,mitigates,5 +1942,,T1055.008,Ptrace System Calls,[],[],,CM-5,mitigates,5 +1943,,T1056.003,Web Portal Capture,[],[],,CM-5,mitigates,5 +1944,,T1059.006,Python,[],[],,CM-5,mitigates,5 +1945,,T1072,Software Deployment Tools,[],[],,CM-5,mitigates,5 +1946,,T1078.003,Local Accounts,[],[],,CM-5,mitigates,5 +1947,,T1134,Access Token Manipulation,[],[],,CM-5,mitigates,5 +1948,,T1134.001,Token Impersonation/Theft,[],[],,CM-5,mitigates,5 +1949,,T1134.002,Create Process with Token,[],[],,CM-5,mitigates,5 +1950,,T1134.003,Make and Impersonate Token,[],[],,CM-5,mitigates,5 +1951,,T1136,Create 
Account,[],[],,CM-5,mitigates,5 +1952,,T1136.001,Local Account,[],[],,CM-5,mitigates,5 +1953,,T1136.002,Domain Account,[],[],,CM-5,mitigates,5 +1954,,T1136.003,Cloud Account,[],[],,CM-5,mitigates,5 +1955,,T1137.002,Office Test,[],[],,CM-5,mitigates,5 +1956,,T1185,Browser Session Hijacking,[],[],,CM-5,mitigates,5 +1957,,T1213,Data from Information Repositories,[],[],,CM-5,mitigates,5 +1958,,T1213.001,Confluence,[],[],,CM-5,mitigates,5 +1959,,T1213.002,Sharepoint,[],[],,CM-5,mitigates,5 +1960,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-5,mitigates,5 +1961,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-5,mitigates,5 +1962,,T1484,Domain Policy Modification,[],[],,CM-5,mitigates,5 +1963,,T1489,Service Stop,[],[],,CM-5,mitigates,5 +1964,,T1505.002,Transport Agent,[],[],,CM-5,mitigates,5 +1965,,T1542,Pre-OS Boot,[],[],,CM-5,mitigates,5 +1966,,T1542.001,System Firmware,[],[],,CM-5,mitigates,5 +1967,,T1542.003,Bootkit,[],[],,CM-5,mitigates,5 +1968,,T1542.004,ROMMONkit,[],[],,CM-5,mitigates,5 +1969,,T1542.005,TFTP Boot,[],[],,CM-5,mitigates,5 +1970,,T1543.002,Systemd Service,[],[],,CM-5,mitigates,5 +1971,,T1543.004,Launch Daemon,[],[],,CM-5,mitigates,5 +1972,,T1547.012,Print Processors,[],[],,CM-5,mitigates,5 +1973,,T1547.013,XDG Autostart Entries,[],[],,CM-5,mitigates,5 +1974,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-5,mitigates,5 +1975,,T1550,Use Alternate Authentication Material,[],[],,CM-5,mitigates,5 +1976,,T1550.002,Pass the Hash,[],[],,CM-5,mitigates,5 +1977,,T1550.003,Pass the Ticket,[],[],,CM-5,mitigates,5 +1978,,T1552,Unsecured Credentials,[],[],,CM-5,mitigates,5 +1979,,T1552.002,Credentials in Registry,[],[],,CM-5,mitigates,5 +1980,,T1553,Subvert Trust Controls,[],[],,CM-5,mitigates,5 +1981,,T1553.006,Code Signing Policy Modification,[],[],,CM-5,mitigates,5 +1982,,T1556.001,Domain Controller Authentication,[],[],,CM-5,mitigates,5 +1983,,T1556.003,Pluggable Authentication 
Modules,[],[],,CM-5,mitigates,5 +1984,,T1558.001,Golden Ticket,[],[],,CM-5,mitigates,5 +1985,,T1558.002,Silver Ticket,[],[],,CM-5,mitigates,5 +1986,,T1559.001,Component Object Model,[],[],,CM-5,mitigates,5 +1987,,T1562.002,Disable Windows Event Logging,[],[],,CM-5,mitigates,5 +1988,,T1562.004,Disable or Modify System Firewall,[],[],,CM-5,mitigates,5 +1989,,T1562.007,Disable or Modify Cloud Firewall,[],[],,CM-5,mitigates,5 +1990,,T1562.009,Safe Mode Boot,[],[],,CM-5,mitigates,5 +1991,,T1563,Remote Service Session Hijacking,[],[],,CM-5,mitigates,5 +1992,,T1563.001,SSH Hijacking,[],[],,CM-5,mitigates,5 +1993,,T1563.002,RDP Hijacking,[],[],,CM-5,mitigates,5 +1994,,T1564.008,Email Hiding Rules,[],[],,CM-5,mitigates,5 +1995,,T1569,System Services,[],[],,CM-5,mitigates,5 +1996,,T1569.001,Launchctl,[],[],,CM-5,mitigates,5 +1997,,T1569.002,Service Execution,[],[],,CM-5,mitigates,5 +1998,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-5,mitigates,5 +1999,,T1574.010,Services File Permissions Weakness,[],[],,CM-5,mitigates,5 +2000,,T1574.012,COR_PROFILER,[],[],,CM-5,mitigates,5 +2001,,T1578,Modify Cloud Compute Infrastructure,[],[],,CM-5,mitigates,5 +2002,,T1578.001,Create Snapshot,[],[],,CM-5,mitigates,5 +2003,,T1578.002,Create Cloud Instance,[],[],,CM-5,mitigates,5 +2004,,T1578.003,Delete Cloud Instance,[],[],,CM-5,mitigates,5 +2005,,T1599.001,Network Address Translation Traversal,[],[],,CM-5,mitigates,5 +2006,,T1601,Modify System Image,[],[],,CM-5,mitigates,5 +2007,,T1601.001,Patch System Image,[],[],,CM-5,mitigates,5 +2008,,T1601.002,Downgrade System Image,[],[],,CM-5,mitigates,5 +2009,,T1619,Cloud Storage Object Discovery,[],[],,CM-5,mitigates,5 +2010,,T1003.001,LSASS Memory,[],[],,CM-5,mitigates,5 +2011,,T1003.002,Security Account Manager,[],[],,CM-5,mitigates,5 +2012,,T1003.003,NTDS,[],[],,CM-5,mitigates,5 +2013,,T1055,Process Injection,[],[],,CM-5,mitigates,5 +2014,,T1078,Valid Accounts,[],[],,CM-5,mitigates,5 +2015,,T1195.003,Compromise Hardware 
Supply Chain,[],[],,CM-5,mitigates,5 +2016,,T1218,Signed Binary Proxy Execution,[],[],,CM-5,mitigates,5 +2017,,T1528,Steal Application Access Token,[],[],,CM-5,mitigates,5 +2018,,T1530,Data from Cloud Storage Object,[],[],,CM-5,mitigates,5 +2019,,T1552.007,Container API,[],[],,CM-5,mitigates,5 +2020,,T1556,Modify Authentication Process,[],[],,CM-5,mitigates,5 +2021,,T1599,Network Boundary Bridging,[],[],,CM-5,mitigates,5 +2022,,T1611,Escape to Host,[],[],,CM-5,mitigates,5 +2023,,T1098.004,SSH Authorized Keys,[],[],,CM-5,mitigates,5 +2024,,T1098.005,Device Registration,[],[],,CM-5,mitigates,5 +2025,,T1546.016,Installer Packages,[],[],,CM-5,mitigates,5 +2026,,T1559.003,XPC Services,[],[],,CM-5,mitigates,5 +2027,,T1647,Plist File Modification,[],[],,CM-5,mitigates,5 +2028,,T1621,Multi-Factor Authentication Request Generation,[],[],,CM-5,mitigates,5 +2029,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-6,mitigates,5 +2030,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-6,mitigates,5 +2031,,T1020.001,Traffic Duplication,[],[],,CM-6,mitigates,5 +2032,,T1021.001,Remote Desktop Protocol,[],[],,CM-6,mitigates,5 +2033,,T1027,Obfuscated Files or Information,[],[],,CM-6,mitigates,5 +2034,,T1037.002,Logon Script (Mac),[],[],,CM-6,mitigates,5 +2035,,T1037.005,Startup Items,[],[],,CM-6,mitigates,5 +2036,,T1047,Windows Management Instrumentation,[],[],,CM-6,mitigates,5 +2037,,T1053,Scheduled Task/Job,[],[],,CM-6,mitigates,5 +2038,,T1053.002,At (Windows),[],[],,CM-6,mitigates,5 +2039,,T1053.005,Scheduled Task,[],[],,CM-6,mitigates,5 +2040,,T1059,Command and Scripting Interpreter,[],[],,CM-6,mitigates,5 +2041,,T1059.001,PowerShell,[],[],,CM-6,mitigates,5 +2042,,T1059.002,AppleScript,[],[],,CM-6,mitigates,5 +2043,,T1059.005,Visual Basic,[],[],,CM-6,mitigates,5 +2044,,T1059.008,Network Device CLI,[],[],,CM-6,mitigates,5 +2045,,T1070,Indicator Removal on Host,[],[],,CM-6,mitigates,5 +2046,,T1070.001,Clear Windows Event Logs,[],[],,CM-6,mitigates,5 +2047,,T1070.003,Clear 
Command History,[],[],,CM-6,mitigates,5 +2048,,T1078.002,Domain Accounts,[],[],,CM-6,mitigates,5 +2049,,T1078.004,Cloud Accounts,[],[],,CM-6,mitigates,5 +2050,,T1095,Non-Application Layer Protocol,[],[],,CM-6,mitigates,5 +2051,,T1098,Account Manipulation,[],[],,CM-6,mitigates,5 +2052,,T1098.001,Additional Cloud Credentials,[],[],,CM-6,mitigates,5 +2053,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-6,mitigates,5 +2054,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-6,mitigates,5 +2055,,T1098.004,SSH Authorized Keys,[],[],,CM-6,mitigates,5 +2056,,T1105,Ingress Tool Transfer,[],[],,CM-6,mitigates,5 +2057,,T1106,Native API,[],[],,CM-6,mitigates,5 +2058,,T1176,Browser Extensions,[],[],,CM-6,mitigates,5 +2059,,T1189,Drive-by Compromise,[],[],,CM-6,mitigates,5 +2060,,T1190,Exploit Public-Facing Application,[],[],,CM-6,mitigates,5 +2061,,T1197,BITS Jobs,[],[],,CM-6,mitigates,5 +2062,,T1205,Traffic Signaling,[],[],,CM-6,mitigates,5 +2063,,T1205.001,Port Knocking,[],[],,CM-6,mitigates,5 +2064,,T1210,Exploitation of Remote Services,[],[],,CM-6,mitigates,5 +2065,,T1211,Exploitation for Defense Evasion,[],[],,CM-6,mitigates,5 +2066,,T1216,Signed Script Proxy Execution,[],[],,CM-6,mitigates,5 +2067,,T1216.001,PubPrn,[],[],,CM-6,mitigates,5 +2068,,T1218.003,CMSTP,[],[],,CM-6,mitigates,5 +2069,,T1218.004,InstallUtil,[],[],,CM-6,mitigates,5 +2070,,T1218.007,Msiexec,[],[],,CM-6,mitigates,5 +2071,,T1218.008,Odbcconf,[],[],,CM-6,mitigates,5 +2072,,T1218.009,Regsvcs/Regasm,[],[],,CM-6,mitigates,5 +2073,,T1218.012,Verclsid,[],[],,CM-6,mitigates,5 +2074,,T1218.013,Mavinject,[],[],,CM-6,mitigates,5 +2075,,T1218.014,MMC,[],[],,CM-6,mitigates,5 +2076,,T1219,Remote Access Software,[],[],,CM-6,mitigates,5 +2077,,T1221,Template Injection,[],[],,CM-6,mitigates,5 +2078,,T1222,File and Directory Permissions Modification,[],[],,CM-6,mitigates,5 +2079,,T1490,Inhibit System Recovery,[],[],,CM-6,mitigates,5 +2080,,T1495,Firmware Corruption,[],[],,CM-6,mitigates,5 
+2081,,T1498.001,Direct Network Flood,[],[],,CM-6,mitigates,5 +2082,,T1498.002,Reflection Amplification,[],[],,CM-6,mitigates,5 +2083,,T1499,Endpoint Denial of Service,[],[],,CM-6,mitigates,5 +2084,,T1499.001,OS Exhaustion Flood,[],[],,CM-6,mitigates,5 +2085,,T1499.002,Service Exhaustion Flood,[],[],,CM-6,mitigates,5 +2086,,T1499.003,Application Exhaustion Flood,[],[],,CM-6,mitigates,5 +2087,,T1499.004,Application or System Exploitation,[],[],,CM-6,mitigates,5 +2088,,T1505,Server Software Component,[],[],,CM-6,mitigates,5 +2089,,T1505.003,Web Shell,[],[],,CM-6,mitigates,5 +2090,,T1525,Implant Internal Image,[],[],,CM-6,mitigates,5 +2091,,T1537,Transfer Data to Cloud Account,[],[],,CM-6,mitigates,5 +2092,,T1543,Create or Modify System Process,[],[],,CM-6,mitigates,5 +2093,,T1546,Event Triggered Execution,[],[],,CM-6,mitigates,5 +2094,,T1546.002,Screensaver,[],[],,CM-6,mitigates,5 +2095,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-6,mitigates,5 +2096,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-6,mitigates,5 +2097,,T1547.002,Authentication Package,[],[],,CM-6,mitigates,5 +2098,,T1547.003,Time Providers,[],[],,CM-6,mitigates,5 +2099,,T1547.006,Kernel Modules and Extensions,[],[],,CM-6,mitigates,5 +2100,,T1547.007,Re-opened Applications,[],[],,CM-6,mitigates,5 +2101,,T1547.008,LSASS Driver,[],[],,CM-6,mitigates,5 +2102,,T1548.002,Bypass User Account Control,[],[],,CM-6,mitigates,5 +2103,,T1548.003,Sudo and Sudo Caching,[],[],,CM-6,mitigates,5 +2104,,T1550.001,Application Access Token,[],[],,CM-6,mitigates,5 +2105,,T1552.003,Bash History,[],[],,CM-6,mitigates,5 +2106,,T1552.005,Cloud Instance Metadata API,[],[],,CM-6,mitigates,5 +2107,,T1553.001,Gatekeeper Bypass,[],[],,CM-6,mitigates,5 +2108,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-6,mitigates,5 +2109,,T1556.004,Network Device Authentication,[],[],,CM-6,mitigates,5 +2110,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-6,mitigates,5 +2111,,T1558.003,Kerberoasting,[],[],,CM-6,mitigates,5 
+2112,,T1559,Inter-Process Communication,[],[],,CM-6,mitigates,5 +2113,,T1559.002,Dynamic Data Exchange,[],[],,CM-6,mitigates,5 +2114,,T1562,Impair Defenses,[],[],,CM-6,mitigates,5 +2115,,T1562.001,Disable or Modify Tools,[],[],,CM-6,mitigates,5 +2116,,T1562.003,Impair Command History Logging,[],[],,CM-6,mitigates,5 +2117,,T1562.006,Indicator Blocking,[],[],,CM-6,mitigates,5 +2118,,T1562.010,Downgrade Attack,[],[],,CM-6,mitigates,5 +2119,,T1564.002,Hidden Users,[],[],,CM-6,mitigates,5 +2120,,T1565,Data Manipulation,[],[],,CM-6,mitigates,5 +2121,,T1565.001,Stored Data Manipulation,[],[],,CM-6,mitigates,5 +2122,,T1565.002,Transmitted Data Manipulation,[],[],,CM-6,mitigates,5 +2123,,T1565.003,Runtime Data Manipulation,[],[],,CM-6,mitigates,5 +2124,,T1570,Lateral Tool Transfer,[],[],,CM-6,mitigates,5 +2125,,T1574,Hijack Execution Flow,[],[],,CM-6,mitigates,5 +2126,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-6,mitigates,5 +2127,,T1602.002,Network Device Configuration Dump,[],[],,CM-6,mitigates,5 +2128,,T1609,Container Administration Command,[],[],,CM-6,mitigates,5 +2129,,T1610,Deploy Container,[],[],,CM-6,mitigates,5 +2130,,T1001,Data Obfuscation,[],[],,CM-6,mitigates,5 +2131,,T1001.001,Junk Data,[],[],,CM-6,mitigates,5 +2132,,T1001.002,Steganography,[],[],,CM-6,mitigates,5 +2133,,T1001.003,Protocol Impersonation,[],[],,CM-6,mitigates,5 +2134,,T1003,OS Credential Dumping,[],[],,CM-6,mitigates,5 +2135,,T1003.004,LSA Secrets,[],[],,CM-6,mitigates,5 +2136,,T1003.005,Cached Domain Credentials,[],[],,CM-6,mitigates,5 +2137,,T1003.006,DCSync,[],[],,CM-6,mitigates,5 +2138,,T1003.007,Proc Filesystem,[],[],,CM-6,mitigates,5 +2139,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-6,mitigates,5 +2140,,T1008,Fallback Channels,[],[],,CM-6,mitigates,5 +2141,,T1021,Remote Services,[],[],,CM-6,mitigates,5 +2142,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-6,mitigates,5 +2143,,T1021.003,Distributed Component Object Model,[],[],,CM-6,mitigates,5 
+2144,,T1021.004,SSH,[],[],,CM-6,mitigates,5 +2145,,T1021.005,VNC,[],[],,CM-6,mitigates,5 +2146,,T1021.006,Windows Remote Management,[],[],,CM-6,mitigates,5 +2147,,T1029,Scheduled Transfer,[],[],,CM-6,mitigates,5 +2148,,T1030,Data Transfer Size Limits,[],[],,CM-6,mitigates,5 +2149,,T1036,Masquerading,[],[],,CM-6,mitigates,5 +2150,,T1036.001,Invalid Code Signature,[],[],,CM-6,mitigates,5 +2151,,T1036.003,Rename System Utilities,[],[],,CM-6,mitigates,5 +2152,,T1036.005,Match Legitimate Name or Location,[],[],,CM-6,mitigates,5 +2153,,T1036.007,Double File Extension,[],[],,CM-6,mitigates,5 +2154,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-6,mitigates,5 +2155,,T1037.003,Network Logon Script,[],[],,CM-6,mitigates,5 +2156,,T1037.004,RC Scripts,[],[],,CM-6,mitigates,5 +2157,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-6,mitigates,5 +2158,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,5 +2159,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,5 +2160,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-6,mitigates,5 +2161,,T1052,Exfiltration Over Physical Medium,[],[],,CM-6,mitigates,5 +2162,,T1052.001,Exfiltration over USB,[],[],,CM-6,mitigates,5 +2163,,T1055.008,Ptrace System Calls,[],[],,CM-6,mitigates,5 +2164,,T1056.003,Web Portal Capture,[],[],,CM-6,mitigates,5 +2165,,T1059.003,Windows Command Shell,[],[],,CM-6,mitigates,5 +2166,,T1059.004,Unix Shell,[],[],,CM-6,mitigates,5 +2167,,T1059.006,Python,[],[],,CM-6,mitigates,5 +2168,,T1059.007,JavaScript,[],[],,CM-6,mitigates,5 +2169,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-6,mitigates,5 +2170,,T1071,Application Layer Protocol,[],[],,CM-6,mitigates,5 +2171,,T1071.001,Web Protocols,[],[],,CM-6,mitigates,5 +2172,,T1071.002,File Transfer Protocols,[],[],,CM-6,mitigates,5 +2173,,T1071.003,Mail Protocols,[],[],,CM-6,mitigates,5 +2174,,T1071.004,DNS,[],[],,CM-6,mitigates,5 +2175,,T1072,Software 
Deployment Tools,[],[],,CM-6,mitigates,5 +2176,,T1078.003,Local Accounts,[],[],,CM-6,mitigates,5 +2177,,T1087,Account Discovery,[],[],,CM-6,mitigates,5 +2178,,T1090,Proxy,[],[],,CM-6,mitigates,5 +2179,,T1090.001,Internal Proxy,[],[],,CM-6,mitigates,5 +2180,,T1090.002,External Proxy,[],[],,CM-6,mitigates,5 +2181,,T1090.003,Multi-hop Proxy,[],[],,CM-6,mitigates,5 +2182,,T1092,Communication Through Removable Media,[],[],,CM-6,mitigates,5 +2183,,T1102,Web Service,[],[],,CM-6,mitigates,5 +2184,,T1102.001,Dead Drop Resolver,[],[],,CM-6,mitigates,5 +2185,,T1102.002,Bidirectional Communication,[],[],,CM-6,mitigates,5 +2186,,T1102.003,One-Way Communication,[],[],,CM-6,mitigates,5 +2187,,T1104,Multi-Stage Channels,[],[],,CM-6,mitigates,5 +2188,,T1110,Brute Force,[],[],,CM-6,mitigates,5 +2189,,T1110.003,Password Spraying,[],[],,CM-6,mitigates,5 +2190,,T1110.004,Credential Stuffing,[],[],,CM-6,mitigates,5 +2191,,T1114,Email Collection,[],[],,CM-6,mitigates,5 +2192,,T1114.002,Remote Email Collection,[],[],,CM-6,mitigates,5 +2193,,T1114.003,Email Forwarding Rule,[],[],,CM-6,mitigates,5 +2194,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-6,mitigates,5 +2195,,T1127.001,MSBuild,[],[],,CM-6,mitigates,5 +2196,,T1132,Data Encoding,[],[],,CM-6,mitigates,5 +2197,,T1132.001,Standard Encoding,[],[],,CM-6,mitigates,5 +2198,,T1132.002,Non-Standard Encoding,[],[],,CM-6,mitigates,5 +2199,,T1134,Access Token Manipulation,[],[],,CM-6,mitigates,5 +2200,,T1134.001,Token Impersonation/Theft,[],[],,CM-6,mitigates,5 +2201,,T1134.002,Create Process with Token,[],[],,CM-6,mitigates,5 +2202,,T1134.003,Make and Impersonate Token,[],[],,CM-6,mitigates,5 +2203,,T1134.005,SID-History Injection,[],[],,CM-6,mitigates,5 +2204,,T1135,Network Share Discovery,[],[],,CM-6,mitigates,5 +2205,,T1136,Create Account,[],[],,CM-6,mitigates,5 +2206,,T1136.001,Local Account,[],[],,CM-6,mitigates,5 +2207,,T1136.002,Domain Account,[],[],,CM-6,mitigates,5 +2208,,T1136.003,Cloud Account,[],[],,CM-6,mitigates,5 
+2209,,T1137,Office Application Startup,[],[],,CM-6,mitigates,5 +2210,,T1137.001,Office Template Macros,[],[],,CM-6,mitigates,5 +2211,,T1137.002,Office Test,[],[],,CM-6,mitigates,5 +2212,,T1137.003,Outlook Forms,[],[],,CM-6,mitigates,5 +2213,,T1137.004,Outlook Home Page,[],[],,CM-6,mitigates,5 +2214,,T1137.005,Outlook Rules,[],[],,CM-6,mitigates,5 +2215,,T1137.006,Add-ins,[],[],,CM-6,mitigates,5 +2216,,T1187,Forced Authentication,[],[],,CM-6,mitigates,5 +2217,,T1204.001,Malicious Link,[],[],,CM-6,mitigates,5 +2218,,T1204.003,Malicious Image,[],[],,CM-6,mitigates,5 +2219,,T1213,Data from Information Repositories,[],[],,CM-6,mitigates,5 +2220,,T1213.001,Confluence,[],[],,CM-6,mitigates,5 +2221,,T1213.002,Sharepoint,[],[],,CM-6,mitigates,5 +2222,,T1218.001,Compiled HTML File,[],[],,CM-6,mitigates,5 +2223,,T1218.002,Control Panel,[],[],,CM-6,mitigates,5 +2224,,T1218.005,Mshta,[],[],,CM-6,mitigates,5 +2225,,T1220,XSL Script Processing,[],[],,CM-6,mitigates,5 +2226,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-6,mitigates,5 +2227,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-6,mitigates,5 +2228,,T1484,Domain Policy Modification,[],[],,CM-6,mitigates,5 +2229,,T1489,Service Stop,[],[],,CM-6,mitigates,5 +2230,,T1498,Network Denial of Service,[],[],,CM-6,mitigates,5 +2231,,T1505.001,SQL Stored Procedures,[],[],,CM-6,mitigates,5 +2232,,T1505.002,Transport Agent,[],[],,CM-6,mitigates,5 +2233,,T1505.004,IIS Components,[],[],,CM-6,mitigates,5 +2234,,T1539,Steal Web Session Cookie,[],[],,CM-6,mitigates,5 +2235,,T1542,Pre-OS Boot,[],[],,CM-6,mitigates,5 +2236,,T1542.001,System Firmware,[],[],,CM-6,mitigates,5 +2237,,T1542.003,Bootkit,[],[],,CM-6,mitigates,5 +2238,,T1542.004,ROMMONkit,[],[],,CM-6,mitigates,5 +2239,,T1542.005,TFTP Boot,[],[],,CM-6,mitigates,5 +2240,,T1543.002,Systemd Service,[],[],,CM-6,mitigates,5 +2241,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-6,mitigates,5 +2242,,T1546.008,Accessibility 
Features,[],[],,CM-6,mitigates,5 +2243,,T1546.013,PowerShell Profile,[],[],,CM-6,mitigates,5 +2244,,T1546.014,Emond,[],[],,CM-6,mitigates,5 +2245,,T1547.005,Security Support Provider,[],[],,CM-6,mitigates,5 +2246,,T1547.013,XDG Autostart Entries,[],[],,CM-6,mitigates,5 +2247,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-6,mitigates,5 +2248,,T1548.004,Elevated Execution with Prompt,[],[],,CM-6,mitigates,5 +2249,,T1550,Use Alternate Authentication Material,[],[],,CM-6,mitigates,5 +2250,,T1550.002,Pass the Hash,[],[],,CM-6,mitigates,5 +2251,,T1550.003,Pass the Ticket,[],[],,CM-6,mitigates,5 +2252,,T1552,Unsecured Credentials,[],[],,CM-6,mitigates,5 +2253,,T1552.001,Credentials In Files,[],[],,CM-6,mitigates,5 +2254,,T1552.002,Credentials in Registry,[],[],,CM-6,mitigates,5 +2255,,T1552.004,Private Keys,[],[],,CM-6,mitigates,5 +2256,,T1552.006,Group Policy Preferences,[],[],,CM-6,mitigates,5 +2257,,T1553,Subvert Trust Controls,[],[],,CM-6,mitigates,5 +2258,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-6,mitigates,5 +2259,,T1553.004,Install Root Certificate,[],[],,CM-6,mitigates,5 +2260,,T1554,Compromise Client Software Binary,[],[],,CM-6,mitigates,5 +2261,,T1555.005,Password Managers,[],[],,CM-6,mitigates,5 +2262,,T1556.001,Domain Controller Authentication,[],[],,CM-6,mitigates,5 +2263,,T1556.002,Password Filter DLL,[],[],,CM-6,mitigates,5 +2264,,T1556.003,Pluggable Authentication Modules,[],[],,CM-6,mitigates,5 +2265,,T1557.002,ARP Cache Poisoning,[],[],,CM-6,mitigates,5 +2266,,T1558.001,Golden Ticket,[],[],,CM-6,mitigates,5 +2267,,T1558.002,Silver Ticket,[],[],,CM-6,mitigates,5 +2268,,T1558.004,AS-REP Roasting,[],[],,CM-6,mitigates,5 +2269,,T1559.001,Component Object Model,[],[],,CM-6,mitigates,5 +2270,,T1562.002,Disable Windows Event Logging,[],[],,CM-6,mitigates,5 +2271,,T1562.004,Disable or Modify System Firewall,[],[],,CM-6,mitigates,5 +2272,,T1562.009,Safe Mode Boot,[],[],,CM-6,mitigates,5 +2273,,T1563,Remote Service Session 
Hijacking,[],[],,CM-6,mitigates,5 +2274,,T1563.001,SSH Hijacking,[],[],,CM-6,mitigates,5 +2275,,T1563.002,RDP Hijacking,[],[],,CM-6,mitigates,5 +2276,,T1564.006,Run Virtual Instance,[],[],,CM-6,mitigates,5 +2277,,T1564.007,VBA Stomping,[],[],,CM-6,mitigates,5 +2278,,T1564.009,Resource Forking,[],[],,CM-6,mitigates,5 +2279,,T1566,Phishing,[],[],,CM-6,mitigates,5 +2280,,T1566.001,Spearphishing Attachment,[],[],,CM-6,mitigates,5 +2281,,T1569,System Services,[],[],,CM-6,mitigates,5 +2282,,T1569.002,Service Execution,[],[],,CM-6,mitigates,5 +2283,,T1571,Non-Standard Port,[],[],,CM-6,mitigates,5 +2284,,T1572,Protocol Tunneling,[],[],,CM-6,mitigates,5 +2285,,T1573,Encrypted Channel,[],[],,CM-6,mitigates,5 +2286,,T1573.001,Symmetric Cryptography,[],[],,CM-6,mitigates,5 +2287,,T1573.002,Asymmetric Cryptography,[],[],,CM-6,mitigates,5 +2288,,T1574.001,DLL Search Order Hijacking,[],[],,CM-6,mitigates,5 +2289,,T1574.004,Dylib Hijacking,[],[],,CM-6,mitigates,5 +2290,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-6,mitigates,5 +2291,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-6,mitigates,5 +2292,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-6,mitigates,5 +2293,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-6,mitigates,5 +2294,,T1574.010,Services File Permissions Weakness,[],[],,CM-6,mitigates,5 +2295,,T1598,Phishing for Information,[],[],,CM-6,mitigates,5 +2296,,T1598.002,Spearphishing Attachment,[],[],,CM-6,mitigates,5 +2297,,T1599.001,Network Address Translation Traversal,[],[],,CM-6,mitigates,5 +2298,,T1601,Modify System Image,[],[],,CM-6,mitigates,5 +2299,,T1601.001,Patch System Image,[],[],,CM-6,mitigates,5 +2300,,T1601.002,Downgrade System Image,[],[],,CM-6,mitigates,5 +2301,,T1602,Data from Configuration Repository,[],[],,CM-6,mitigates,5 +2302,,T1602.001,SNMP (MIB Dump),[],[],,CM-6,mitigates,5 +2303,,T1612,Build Image on Host,[],[],,CM-6,mitigates,5 +2304,,T1613,Container and Resource Discovery,[],[],,CM-6,mitigates,5 
+2305,,T1003.001,LSASS Memory,[],[],,CM-6,mitigates,5 +2306,,T1003.002,Security Account Manager,[],[],,CM-6,mitigates,5 +2307,,T1003.003,NTDS,[],[],,CM-6,mitigates,5 +2308,,T1046,Network Service Scanning,[],[],,CM-6,mitigates,5 +2309,,T1055,Process Injection,[],[],,CM-6,mitigates,5 +2310,,T1068,Exploitation for Privilege Escalation,[],[],,CM-6,mitigates,5 +2311,,T1078,Valid Accounts,[],[],,CM-6,mitigates,5 +2312,,T1087.001,Local Account,[],[],,CM-6,mitigates,5 +2313,,T1087.002,Domain Account,[],[],,CM-6,mitigates,5 +2314,,T1091,Replication Through Removable Media,[],[],,CM-6,mitigates,5 +2315,,T1110.001,Password Guessing,[],[],,CM-6,mitigates,5 +2316,,T1110.002,Password Cracking,[],[],,CM-6,mitigates,5 +2317,,T1111,Two-Factor Authentication Interception,[],[],,CM-6,mitigates,5 +2318,,T1119,Automated Collection,[],[],,CM-6,mitigates,5 +2319,,T1133,External Remote Services,[],[],,CM-6,mitigates,5 +2320,,T1199,Trusted Relationship,[],[],,CM-6,mitigates,5 +2321,,T1201,Password Policy Discovery,[],[],,CM-6,mitigates,5 +2322,,T1212,Exploitation for Credential Access,[],[],,CM-6,mitigates,5 +2323,,T1218,Signed Binary Proxy Execution,[],[],,CM-6,mitigates,5 +2324,,T1482,Domain Trust Discovery,[],[],,CM-6,mitigates,5 +2325,,T1528,Steal Application Access Token,[],[],,CM-6,mitigates,5 +2326,,T1530,Data from Cloud Storage Object,[],[],,CM-6,mitigates,5 +2327,,T1548.001,Setuid and Setgid,[],[],,CM-6,mitigates,5 +2328,,T1552.007,Container API,[],[],,CM-6,mitigates,5 +2329,,T1555.004,Windows Credential Manager,[],[],,CM-6,mitigates,5 +2330,,T1556,Modify Authentication Process,[],[],,CM-6,mitigates,5 +2331,,T1557,Adversary-in-the-Middle,[],[],,CM-6,mitigates,5 +2332,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-6,mitigates,5 +2333,,T1566.002,Spearphishing Link,[],[],,CM-6,mitigates,5 +2334,,T1598.003,Spearphishing Link,[],[],,CM-6,mitigates,5 +2335,,T1599,Network Boundary Bridging,[],[],,CM-6,mitigates,5 +2336,,T1611,Escape to Host,[],[],,CM-6,mitigates,5 
+2337,,T1204,User Execution,[],[],,CM-6,mitigates,5 +2338,,T1204.002,Malicious File,[],[],,CM-6,mitigates,5 +2339,,T1557.003,DHCP Spoofing,[],[],,CM-6,mitigates,5 +2340,,T1070.007,Clear Network Connection History and Configurations,[],[],,CM-6,mitigates,5 +2341,,T1070.008,Clear Mailbox Data,[],[],,CM-6,mitigates,5 +2342,,T1070.009,Clear Persistence,[],[],,CM-6,mitigates,5 +2343,,T1098.005,Device Registration,[],[],,CM-6,mitigates,5 +2344,,T1505.005,Terminal Services DLL,[],[],,CM-6,mitigates,5 +2345,,T1546.016,Installer Packages,[],[],,CM-6,mitigates,5 +2346,,T1559.003,XPC Services,[],[],,CM-6,mitigates,5 +2347,,T1622,Debugger Evasion,[],[],,CM-6,mitigates,5 +2348,,T1647,Plist File Modification,[],[],,CM-6,mitigates,5 +2349,,T1648,Serverless Execution,[],[],,CM-6,mitigates,5 +2350,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-7,mitigates,5 +2351,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-7,mitigates,5 +2352,,T1021.001,Remote Desktop Protocol,[],[],,CM-7,mitigates,5 +2353,,T1047,Windows Management Instrumentation,[],[],,CM-7,mitigates,5 +2354,,T1053,Scheduled Task/Job,[],[],,CM-7,mitigates,5 +2355,,T1053.002,At (Windows),[],[],,CM-7,mitigates,5 +2356,,T1053.005,Scheduled Task,[],[],,CM-7,mitigates,5 +2357,,T1059,Command and Scripting Interpreter,[],[],,CM-7,mitigates,5 +2358,,T1059.005,Visual Basic,[],[],,CM-7,mitigates,5 +2359,,T1095,Non-Application Layer Protocol,[],[],,CM-7,mitigates,5 +2360,,T1098,Account Manipulation,[],[],,CM-7,mitigates,5 +2361,,T1098.001,Additional Cloud Credentials,[],[],,CM-7,mitigates,5 +2362,,T1098.004,SSH Authorized Keys,[],[],,CM-7,mitigates,5 +2363,,T1105,Ingress Tool Transfer,[],[],,CM-7,mitigates,5 +2364,,T1106,Native API,[],[],,CM-7,mitigates,5 +2365,,T1129,Shared Modules,[],[],,CM-7,mitigates,5 +2366,,T1176,Browser Extensions,[],[],,CM-7,mitigates,5 +2367,,T1190,Exploit Public-Facing Application,[],[],,CM-7,mitigates,5 +2368,,T1195,Supply Chain Compromise,[],[],,CM-7,mitigates,5 +2369,,T1195.001,Compromise Software 
Dependencies and Development Tools,[],[],,CM-7,mitigates,5 +2370,,T1195.002,Compromise Software Supply Chain,[],[],,CM-7,mitigates,5 +2371,,T1197,BITS Jobs,[],[],,CM-7,mitigates,5 +2372,,T1205,Traffic Signaling,[],[],,CM-7,mitigates,5 +2373,,T1205.001,Port Knocking,[],[],,CM-7,mitigates,5 +2374,,T1210,Exploitation of Remote Services,[],[],,CM-7,mitigates,5 +2375,,T1216,Signed Script Proxy Execution,[],[],,CM-7,mitigates,5 +2376,,T1216.001,PubPrn,[],[],,CM-7,mitigates,5 +2377,,T1218.003,CMSTP,[],[],,CM-7,mitigates,5 +2378,,T1218.004,InstallUtil,[],[],,CM-7,mitigates,5 +2379,,T1218.007,Msiexec,[],[],,CM-7,mitigates,5 +2380,,T1218.008,Odbcconf,[],[],,CM-7,mitigates,5 +2381,,T1218.009,Regsvcs/Regasm,[],[],,CM-7,mitigates,5 +2382,,T1218.012,Verclsid,[],[],,CM-7,mitigates,5 +2383,,T1218.013,Mavinject,[],[],,CM-7,mitigates,5 +2384,,T1218.014,MMC,[],[],,CM-7,mitigates,5 +2385,,T1219,Remote Access Software,[],[],,CM-7,mitigates,5 +2386,,T1221,Template Injection,[],[],,CM-7,mitigates,5 +2387,,T1490,Inhibit System Recovery,[],[],,CM-7,mitigates,5 +2388,,T1498.001,Direct Network Flood,[],[],,CM-7,mitigates,5 +2389,,T1498.002,Reflection Amplification,[],[],,CM-7,mitigates,5 +2390,,T1499,Endpoint Denial of Service,[],[],,CM-7,mitigates,5 +2391,,T1499.001,OS Exhaustion Flood,[],[],,CM-7,mitigates,5 +2392,,T1499.002,Service Exhaustion Flood,[],[],,CM-7,mitigates,5 +2393,,T1499.003,Application Exhaustion Flood,[],[],,CM-7,mitigates,5 +2394,,T1499.004,Application or System Exploitation,[],[],,CM-7,mitigates,5 +2395,,T1525,Implant Internal Image,[],[],,CM-7,mitigates,5 +2396,,T1537,Transfer Data to Cloud Account,[],[],,CM-7,mitigates,5 +2397,,T1543,Create or Modify System Process,[],[],,CM-7,mitigates,5 +2398,,T1546.002,Screensaver,[],[],,CM-7,mitigates,5 +2399,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-7,mitigates,5 +2400,,T1547.004,Winlogon Helper DLL,[],[],,CM-7,mitigates,5 +2401,,T1547.006,Kernel Modules and Extensions,[],[],,CM-7,mitigates,5 +2402,,T1547.007,Re-opened 
Applications,[],[],,CM-7,mitigates,5 +2403,,T1548.003,Sudo and Sudo Caching,[],[],,CM-7,mitigates,5 +2404,,T1552.003,Bash History,[],[],,CM-7,mitigates,5 +2405,,T1552.005,Cloud Instance Metadata API,[],[],,CM-7,mitigates,5 +2406,,T1553.001,Gatekeeper Bypass,[],[],,CM-7,mitigates,5 +2407,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-7,mitigates,5 +2408,,T1559,Inter-Process Communication,[],[],,CM-7,mitigates,5 +2409,,T1559.002,Dynamic Data Exchange,[],[],,CM-7,mitigates,5 +2410,,T1562,Impair Defenses,[],[],,CM-7,mitigates,5 +2411,,T1562.001,Disable or Modify Tools,[],[],,CM-7,mitigates,5 +2412,,T1562.003,Impair Command History Logging,[],[],,CM-7,mitigates,5 +2413,,T1562.006,Indicator Blocking,[],[],,CM-7,mitigates,5 +2414,,T1564.002,Hidden Users,[],[],,CM-7,mitigates,5 +2415,,T1565,Data Manipulation,[],[],,CM-7,mitigates,5 +2416,,T1565.003,Runtime Data Manipulation,[],[],,CM-7,mitigates,5 +2417,,T1570,Lateral Tool Transfer,[],[],,CM-7,mitigates,5 +2418,,T1574,Hijack Execution Flow,[],[],,CM-7,mitigates,5 +2419,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-7,mitigates,5 +2420,,T1602.002,Network Device Configuration Dump,[],[],,CM-7,mitigates,5 +2421,,T1609,Container Administration Command,[],[],,CM-7,mitigates,5 +2422,,T1610,Deploy Container,[],[],,CM-7,mitigates,5 +2423,,T1003,OS Credential Dumping,[],[],,CM-7,mitigates,5 +2424,,T1003.005,Cached Domain Credentials,[],[],,CM-7,mitigates,5 +2425,,T1008,Fallback Channels,[],[],,CM-7,mitigates,5 +2426,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-7,mitigates,5 +2427,,T1021.003,Distributed Component Object Model,[],[],,CM-7,mitigates,5 +2428,,T1021.005,VNC,[],[],,CM-7,mitigates,5 +2429,,T1021.006,Windows Remote Management,[],[],,CM-7,mitigates,5 +2430,,T1036,Masquerading,[],[],,CM-7,mitigates,5 +2431,,T1036.005,Match Legitimate Name or Location,[],[],,CM-7,mitigates,5 +2432,,T1036.007,Double File Extension,[],[],,CM-7,mitigates,5 +2433,,T1037,Boot or Logon Initialization 
Scripts,[],[],,CM-7,mitigates,5 +2434,,T1037.001,Logon Script (Windows),[],[],,CM-7,mitigates,5 +2435,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-7,mitigates,5 +2436,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,5 +2437,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,5 +2438,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-7,mitigates,5 +2439,,T1052,Exfiltration Over Physical Medium,[],[],,CM-7,mitigates,5 +2440,,T1052.001,Exfiltration over USB,[],[],,CM-7,mitigates,5 +2441,,T1059.007,JavaScript,[],[],,CM-7,mitigates,5 +2442,,T1071,Application Layer Protocol,[],[],,CM-7,mitigates,5 +2443,,T1071.001,Web Protocols,[],[],,CM-7,mitigates,5 +2444,,T1071.002,File Transfer Protocols,[],[],,CM-7,mitigates,5 +2445,,T1071.003,Mail Protocols,[],[],,CM-7,mitigates,5 +2446,,T1071.004,DNS,[],[],,CM-7,mitigates,5 +2447,,T1072,Software Deployment Tools,[],[],,CM-7,mitigates,5 +2448,,T1080,Taint Shared Content,[],[],,CM-7,mitigates,5 +2449,,T1087,Account Discovery,[],[],,CM-7,mitigates,5 +2450,,T1090,Proxy,[],[],,CM-7,mitigates,5 +2451,,T1090.001,Internal Proxy,[],[],,CM-7,mitigates,5 +2452,,T1090.002,External Proxy,[],[],,CM-7,mitigates,5 +2453,,T1090.003,Multi-hop Proxy,[],[],,CM-7,mitigates,5 +2454,,T1092,Communication Through Removable Media,[],[],,CM-7,mitigates,5 +2455,,T1102,Web Service,[],[],,CM-7,mitigates,5 +2456,,T1102.001,Dead Drop Resolver,[],[],,CM-7,mitigates,5 +2457,,T1102.002,Bidirectional Communication,[],[],,CM-7,mitigates,5 +2458,,T1102.003,One-Way Communication,[],[],,CM-7,mitigates,5 +2459,,T1104,Multi-Stage Channels,[],[],,CM-7,mitigates,5 +2460,,T1112,Modify Registry,[],[],,CM-7,mitigates,5 +2461,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-7,mitigates,5 +2462,,T1135,Network Share Discovery,[],[],,CM-7,mitigates,5 +2463,,T1136,Create Account,[],[],,CM-7,mitigates,5 +2464,,T1136.002,Domain Account,[],[],,CM-7,mitigates,5 
+2465,,T1136.003,Cloud Account,[],[],,CM-7,mitigates,5 +2466,,T1187,Forced Authentication,[],[],,CM-7,mitigates,5 +2467,,T1204.001,Malicious Link,[],[],,CM-7,mitigates,5 +2468,,T1204.003,Malicious Image,[],[],,CM-7,mitigates,5 +2469,,T1213,Data from Information Repositories,[],[],,CM-7,mitigates,5 +2470,,T1213.001,Confluence,[],[],,CM-7,mitigates,5 +2471,,T1213.002,Sharepoint,[],[],,CM-7,mitigates,5 +2472,,T1218.001,Compiled HTML File,[],[],,CM-7,mitigates,5 +2473,,T1218.002,Control Panel,[],[],,CM-7,mitigates,5 +2474,,T1218.005,Mshta,[],[],,CM-7,mitigates,5 +2475,,T1220,XSL Script Processing,[],[],,CM-7,mitigates,5 +2476,,T1484,Domain Policy Modification,[],[],,CM-7,mitigates,5 +2477,,T1489,Service Stop,[],[],,CM-7,mitigates,5 +2478,,T1498,Network Denial of Service,[],[],,CM-7,mitigates,5 +2479,,T1505.004,IIS Components,[],[],,CM-7,mitigates,5 +2480,,T1542.004,ROMMONkit,[],[],,CM-7,mitigates,5 +2481,,T1542.005,TFTP Boot,[],[],,CM-7,mitigates,5 +2482,,T1546.008,Accessibility Features,[],[],,CM-7,mitigates,5 +2483,,T1546.009,AppCert DLLs,[],[],,CM-7,mitigates,5 +2484,,T1546.010,AppInit DLLs,[],[],,CM-7,mitigates,5 +2485,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-7,mitigates,5 +2486,,T1548.004,Elevated Execution with Prompt,[],[],,CM-7,mitigates,5 +2487,,T1552,Unsecured Credentials,[],[],,CM-7,mitigates,5 +2488,,T1553,Subvert Trust Controls,[],[],,CM-7,mitigates,5 +2489,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-7,mitigates,5 +2490,,T1553.004,Install Root Certificate,[],[],,CM-7,mitigates,5 +2491,,T1553.006,Code Signing Policy Modification,[],[],,CM-7,mitigates,5 +2492,,T1556.002,Password Filter DLL,[],[],,CM-7,mitigates,5 +2493,,T1557.002,ARP Cache Poisoning,[],[],,CM-7,mitigates,5 +2494,,T1562.002,Disable Windows Event Logging,[],[],,CM-7,mitigates,5 +2495,,T1562.004,Disable or Modify System Firewall,[],[],,CM-7,mitigates,5 +2496,,T1562.009,Safe Mode Boot,[],[],,CM-7,mitigates,5 +2497,,T1563,Remote Service Session 
Hijacking,[],[],,CM-7,mitigates,5 +2498,,T1563.001,SSH Hijacking,[],[],,CM-7,mitigates,5 +2499,,T1563.002,RDP Hijacking,[],[],,CM-7,mitigates,5 +2500,,T1564.003,Hidden Window,[],[],,CM-7,mitigates,5 +2501,,T1564.006,Run Virtual Instance,[],[],,CM-7,mitigates,5 +2502,,T1564.008,Email Hiding Rules,[],[],,CM-7,mitigates,5 +2503,,T1564.009,Resource Forking,[],[],,CM-7,mitigates,5 +2504,,T1569,System Services,[],[],,CM-7,mitigates,5 +2505,,T1569.002,Service Execution,[],[],,CM-7,mitigates,5 +2506,,T1571,Non-Standard Port,[],[],,CM-7,mitigates,5 +2507,,T1572,Protocol Tunneling,[],[],,CM-7,mitigates,5 +2508,,T1573,Encrypted Channel,[],[],,CM-7,mitigates,5 +2509,,T1573.001,Symmetric Cryptography,[],[],,CM-7,mitigates,5 +2510,,T1573.002,Asymmetric Cryptography,[],[],,CM-7,mitigates,5 +2511,,T1574.001,DLL Search Order Hijacking,[],[],,CM-7,mitigates,5 +2512,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-7,mitigates,5 +2513,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-7,mitigates,5 +2514,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-7,mitigates,5 +2515,,T1574.012,COR_PROFILER,[],[],,CM-7,mitigates,5 +2516,,T1599.001,Network Address Translation Traversal,[],[],,CM-7,mitigates,5 +2517,,T1601,Modify System Image,[],[],,CM-7,mitigates,5 +2518,,T1601.001,Patch System Image,[],[],,CM-7,mitigates,5 +2519,,T1601.002,Downgrade System Image,[],[],,CM-7,mitigates,5 +2520,,T1602,Data from Configuration Repository,[],[],,CM-7,mitigates,5 +2521,,T1602.001,SNMP (MIB Dump),[],[],,CM-7,mitigates,5 +2522,,T1612,Build Image on Host,[],[],,CM-7,mitigates,5 +2523,,T1613,Container and Resource Discovery,[],[],,CM-7,mitigates,5 +2524,,T1003.001,LSASS Memory,[],[],,CM-7,mitigates,5 +2525,,T1003.002,Security Account Manager,[],[],,CM-7,mitigates,5 +2526,,T1046,Network Service Scanning,[],[],,CM-7,mitigates,5 +2527,,T1068,Exploitation for Privilege Escalation,[],[],,CM-7,mitigates,5 +2528,,T1087.001,Local Account,[],[],,CM-7,mitigates,5 +2529,,T1087.002,Domain 
Account,[],[],,CM-7,mitigates,5 +2530,,T1133,External Remote Services,[],[],,CM-7,mitigates,5 +2531,,T1199,Trusted Relationship,[],[],,CM-7,mitigates,5 +2532,,T1218,Signed Binary Proxy Execution,[],[],,CM-7,mitigates,5 +2533,,T1482,Domain Trust Discovery,[],[],,CM-7,mitigates,5 +2534,,T1530,Data from Cloud Storage Object,[],[],,CM-7,mitigates,5 +2535,,T1548.001,Setuid and Setgid,[],[],,CM-7,mitigates,5 +2536,,T1552.007,Container API,[],[],,CM-7,mitigates,5 +2537,,T1555.004,Windows Credential Manager,[],[],,CM-7,mitigates,5 +2538,,T1556,Modify Authentication Process,[],[],,CM-7,mitigates,5 +2539,,T1557,Adversary-in-the-Middle,[],[],,CM-7,mitigates,5 +2540,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-7,mitigates,5 +2541,,T1599,Network Boundary Bridging,[],[],,CM-7,mitigates,5 +2542,,T1611,Escape to Host,[],[],,CM-7,mitigates,5 +2543,,T1204,User Execution,[],[],,CM-7,mitigates,5 +2544,,T1204.002,Malicious File,[],[],,CM-7,mitigates,5 +2545,,T1557.003,DHCP Spoofing,[],[],,CM-7,mitigates,5 +2546,,T1559.003,XPC Services,[],[],,CM-7,mitigates,5 +2547,,T1622,Debugger Evasion,[],[],,CM-7,mitigates,5 +2548,,T1647,Plist File Modification,[],[],,CM-7,mitigates,5 +2549,,T1648,Serverless Execution,[],[],,CM-7,mitigates,5 +2550,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-8,mitigates,5 +2551,,T1020.001,Traffic Duplication,[],[],,CM-8,mitigates,5 +2552,,T1021.001,Remote Desktop Protocol,[],[],,CM-8,mitigates,5 +2553,,T1053,Scheduled Task/Job,[],[],,CM-8,mitigates,5 +2554,,T1053.002,At (Windows),[],[],,CM-8,mitigates,5 +2555,,T1053.005,Scheduled Task,[],[],,CM-8,mitigates,5 +2556,,T1059,Command and Scripting Interpreter,[],[],,CM-8,mitigates,5 +2557,,T1059.001,PowerShell,[],[],,CM-8,mitigates,5 +2558,,T1059.005,Visual Basic,[],[],,CM-8,mitigates,5 +2559,,T1098.004,SSH Authorized Keys,[],[],,CM-8,mitigates,5 +2560,,T1189,Drive-by Compromise,[],[],,CM-8,mitigates,5 +2561,,T1190,Exploit Public-Facing Application,[],[],,CM-8,mitigates,5 +2562,,T1203,Exploitation for 
Client Execution,[],[],,CM-8,mitigates,5 +2563,,T1210,Exploitation of Remote Services,[],[],,CM-8,mitigates,5 +2564,,T1211,Exploitation for Defense Evasion,[],[],,CM-8,mitigates,5 +2565,,T1218.003,CMSTP,[],[],,CM-8,mitigates,5 +2566,,T1218.004,InstallUtil,[],[],,CM-8,mitigates,5 +2567,,T1218.008,Odbcconf,[],[],,CM-8,mitigates,5 +2568,,T1218.009,Regsvcs/Regasm,[],[],,CM-8,mitigates,5 +2569,,T1218.012,Verclsid,[],[],,CM-8,mitigates,5 +2570,,T1218.013,Mavinject,[],[],,CM-8,mitigates,5 +2571,,T1218.014,MMC,[],[],,CM-8,mitigates,5 +2572,,T1221,Template Injection,[],[],,CM-8,mitigates,5 +2573,,T1495,Firmware Corruption,[],[],,CM-8,mitigates,5 +2574,,T1505,Server Software Component,[],[],,CM-8,mitigates,5 +2575,,T1546.002,Screensaver,[],[],,CM-8,mitigates,5 +2576,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-8,mitigates,5 +2577,,T1547.007,Re-opened Applications,[],[],,CM-8,mitigates,5 +2578,,T1559,Inter-Process Communication,[],[],,CM-8,mitigates,5 +2579,,T1559.002,Dynamic Data Exchange,[],[],,CM-8,mitigates,5 +2580,,T1565,Data Manipulation,[],[],,CM-8,mitigates,5 +2581,,T1565.001,Stored Data Manipulation,[],[],,CM-8,mitigates,5 +2582,,T1565.002,Transmitted Data Manipulation,[],[],,CM-8,mitigates,5 +2583,,T1574,Hijack Execution Flow,[],[],,CM-8,mitigates,5 +2584,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-8,mitigates,5 +2585,,T1602.002,Network Device Configuration Dump,[],[],,CM-8,mitigates,5 +2586,,T1021.003,Distributed Component Object Model,[],[],,CM-8,mitigates,5 +2587,,T1021.004,SSH,[],[],,CM-8,mitigates,5 +2588,,T1021.005,VNC,[],[],,CM-8,mitigates,5 +2589,,T1021.006,Windows Remote Management,[],[],,CM-8,mitigates,5 +2590,,T1052,Exfiltration Over Physical Medium,[],[],,CM-8,mitigates,5 +2591,,T1052.001,Exfiltration over USB,[],[],,CM-8,mitigates,5 +2592,,T1059.007,JavaScript,[],[],,CM-8,mitigates,5 +2593,,T1072,Software Deployment Tools,[],[],,CM-8,mitigates,5 +2594,,T1092,Communication Through Removable Media,[],[],,CM-8,mitigates,5 
+2595,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-8,mitigates,5 +2596,,T1127.001,MSBuild,[],[],,CM-8,mitigates,5 +2597,,T1137,Office Application Startup,[],[],,CM-8,mitigates,5 +2598,,T1137.001,Office Template Macros,[],[],,CM-8,mitigates,5 +2599,,T1213,Data from Information Repositories,[],[],,CM-8,mitigates,5 +2600,,T1213.001,Confluence,[],[],,CM-8,mitigates,5 +2601,,T1213.002,Sharepoint,[],[],,CM-8,mitigates,5 +2602,,T1218.005,Mshta,[],[],,CM-8,mitigates,5 +2603,,T1505.001,SQL Stored Procedures,[],[],,CM-8,mitigates,5 +2604,,T1505.002,Transport Agent,[],[],,CM-8,mitigates,5 +2605,,T1505.004,IIS Components,[],[],,CM-8,mitigates,5 +2606,,T1542,Pre-OS Boot,[],[],,CM-8,mitigates,5 +2607,,T1542.001,System Firmware,[],[],,CM-8,mitigates,5 +2608,,T1542.003,Bootkit,[],[],,CM-8,mitigates,5 +2609,,T1542.004,ROMMONkit,[],[],,CM-8,mitigates,5 +2610,,T1542.005,TFTP Boot,[],[],,CM-8,mitigates,5 +2611,,T1546.014,Emond,[],[],,CM-8,mitigates,5 +2612,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-8,mitigates,5 +2613,,T1548.004,Elevated Execution with Prompt,[],[],,CM-8,mitigates,5 +2614,,T1553,Subvert Trust Controls,[],[],,CM-8,mitigates,5 +2615,,T1553.006,Code Signing Policy Modification,[],[],,CM-8,mitigates,5 +2616,,T1557.002,ARP Cache Poisoning,[],[],,CM-8,mitigates,5 +2617,,T1563,Remote Service Session Hijacking,[],[],,CM-8,mitigates,5 +2618,,T1563.001,SSH Hijacking,[],[],,CM-8,mitigates,5 +2619,,T1563.002,RDP Hijacking,[],[],,CM-8,mitigates,5 +2620,,T1564.006,Run Virtual Instance,[],[],,CM-8,mitigates,5 +2621,,T1564.007,VBA Stomping,[],[],,CM-8,mitigates,5 +2622,,T1574.004,Dylib Hijacking,[],[],,CM-8,mitigates,5 +2623,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-8,mitigates,5 +2624,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-8,mitigates,5 +2625,,T1601,Modify System Image,[],[],,CM-8,mitigates,5 +2626,,T1601.001,Patch System Image,[],[],,CM-8,mitigates,5 +2627,,T1601.002,Downgrade System Image,[],[],,CM-8,mitigates,5 
+2628,,T1602,Data from Configuration Repository,[],[],,CM-8,mitigates,5 +2629,,T1602.001,SNMP (MIB Dump),[],[],,CM-8,mitigates,5 +2630,,T1046,Network Service Scanning,[],[],,CM-8,mitigates,5 +2631,,T1068,Exploitation for Privilege Escalation,[],[],,CM-8,mitigates,5 +2632,,T1091,Replication Through Removable Media,[],[],,CM-8,mitigates,5 +2633,,T1119,Automated Collection,[],[],,CM-8,mitigates,5 +2634,,T1133,External Remote Services,[],[],,CM-8,mitigates,5 +2635,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-8,mitigates,5 +2636,,T1212,Exploitation for Credential Access,[],[],,CM-8,mitigates,5 +2637,,T1218,Signed Binary Proxy Execution,[],[],,CM-8,mitigates,5 +2638,,T1530,Data from Cloud Storage Object,[],[],,CM-8,mitigates,5 +2639,,T1557,Adversary-in-the-Middle,[],[],,CM-8,mitigates,5 +2640,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-8,mitigates,5 +2641,,T1557.003,DHCP Spoofing,[],[],,CM-8,mitigates,5 +2642,,T1622,Debugger Evasion,[],[],,CM-8,mitigates,5 +2643,,T1593.003,Code Repositories,[],[],,CM-8,mitigates,5 +2644,,T1486,Data Encrypted for Impact,[],[],,CP-10,mitigates,5 +2645,,T1490,Inhibit System Recovery,[],[],,CP-10,mitigates,5 +2646,,T1491,Defacement,[],[],,CP-10,mitigates,5 +2647,,T1491.001,Internal Defacement,[],[],,CP-10,mitigates,5 +2648,,T1491.002,External Defacement,[],[],,CP-10,mitigates,5 +2649,,T1565,Data Manipulation,[],[],,CP-10,mitigates,5 +2650,,T1565.001,Stored Data Manipulation,[],[],,CP-10,mitigates,5 +2651,,T1485,Data Destruction,[],[],,CP-10,mitigates,5 +2652,,T1561,Disk Wipe,[],[],,CP-10,mitigates,5 +2653,,T1561.001,Disk Content Wipe,[],[],,CP-10,mitigates,5 +2654,,T1561.002,Disk Structure Wipe,[],[],,CP-10,mitigates,5 +2655,,T1486,Data Encrypted for Impact,[],[],,CP-2,mitigates,5 +2656,,T1490,Inhibit System Recovery,[],[],,CP-2,mitigates,5 +2657,,T1491,Defacement,[],[],,CP-2,mitigates,5 +2658,,T1491.001,Internal Defacement,[],[],,CP-2,mitigates,5 +2659,,T1491.002,External Defacement,[],[],,CP-2,mitigates,5 
+2660,,T1485,Data Destruction,[],[],,CP-2,mitigates,5 +2661,,T1561,Disk Wipe,[],[],,CP-2,mitigates,5 +2662,,T1561.001,Disk Content Wipe,[],[],,CP-2,mitigates,5 +2663,,T1561.002,Disk Structure Wipe,[],[],,CP-2,mitigates,5 +2664,,T1070,Indicator Removal on Host,[],[],,CP-6,mitigates,5 +2665,,T1070.001,Clear Windows Event Logs,[],[],,CP-6,mitigates,5 +2666,,T1486,Data Encrypted for Impact,[],[],,CP-6,mitigates,5 +2667,,T1565,Data Manipulation,[],[],,CP-6,mitigates,5 +2668,,T1565.001,Stored Data Manipulation,[],[],,CP-6,mitigates,5 +2669,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-6,mitigates,5 +2670,,T1119,Automated Collection,[],[],,CP-6,mitigates,5 +2671,,T1070.008,Clear Mailbox Data,[],[],,CP-6,mitigates,5 +2672,,T1070,Indicator Removal on Host,[],[],,CP-7,mitigates,5 +2673,,T1070.001,Clear Windows Event Logs,[],[],,CP-7,mitigates,5 +2674,,T1486,Data Encrypted for Impact,[],[],,CP-7,mitigates,5 +2675,,T1490,Inhibit System Recovery,[],[],,CP-7,mitigates,5 +2676,,T1491,Defacement,[],[],,CP-7,mitigates,5 +2677,,T1491.001,Internal Defacement,[],[],,CP-7,mitigates,5 +2678,,T1491.002,External Defacement,[],[],,CP-7,mitigates,5 +2679,,T1565,Data Manipulation,[],[],,CP-7,mitigates,5 +2680,,T1565.001,Stored Data Manipulation,[],[],,CP-7,mitigates,5 +2681,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-7,mitigates,5 +2682,,T1485,Data Destruction,[],[],,CP-7,mitigates,5 +2683,,T1561,Disk Wipe,[],[],,CP-7,mitigates,5 +2684,,T1561.001,Disk Content Wipe,[],[],,CP-7,mitigates,5 +2685,,T1561.002,Disk Structure Wipe,[],[],,CP-7,mitigates,5 +2686,,T1119,Automated Collection,[],[],,CP-7,mitigates,5 +2687,,T1070.008,Clear Mailbox Data,[],[],,CP-7,mitigates,5 +2688,,T1070,Indicator Removal on Host,[],[],,CP-9,mitigates,5 +2689,,T1070.001,Clear Windows Event Logs,[],[],,CP-9,mitigates,5 +2690,,T1486,Data Encrypted for Impact,[],[],,CP-9,mitigates,5 +2691,,T1490,Inhibit System Recovery,[],[],,CP-9,mitigates,5 +2692,,T1491,Defacement,[],[],,CP-9,mitigates,5 
+2693,,T1491.001,Internal Defacement,[],[],,CP-9,mitigates,5 +2694,,T1491.002,External Defacement,[],[],,CP-9,mitigates,5 +2695,,T1565,Data Manipulation,[],[],,CP-9,mitigates,5 +2696,,T1565.001,Stored Data Manipulation,[],[],,CP-9,mitigates,5 +2697,,T1565.003,Runtime Data Manipulation,[],[],,CP-9,mitigates,5 +2698,,T1003,OS Credential Dumping,[],[],,CP-9,mitigates,5 +2699,,T1025,Data from Removable Media,[],[],,CP-9,mitigates,5 +2700,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-9,mitigates,5 +2701,,T1485,Data Destruction,[],[],,CP-9,mitigates,5 +2702,,T1561,Disk Wipe,[],[],,CP-9,mitigates,5 +2703,,T1561.001,Disk Content Wipe,[],[],,CP-9,mitigates,5 +2704,,T1561.002,Disk Structure Wipe,[],[],,CP-9,mitigates,5 +2705,,T1003.003,NTDS,[],[],,CP-9,mitigates,5 +2706,,T1005,Data from Local System,[],[],,CP-9,mitigates,5 +2707,,T1119,Automated Collection,[],[],,CP-9,mitigates,5 +2708,,T1070.008,Clear Mailbox Data,[],[],,CP-9,mitigates,5 +2709,,T1110,Brute Force,[],[],,IA-11,mitigates,5 +2710,,T1110.003,Password Spraying,[],[],,IA-11,mitigates,5 +2711,,T1110.004,Credential Stuffing,[],[],,IA-11,mitigates,5 +2712,,T1110.001,Password Guessing,[],[],,IA-11,mitigates,5 +2713,,T1110.002,Password Cracking,[],[],,IA-11,mitigates,5 +2714,,T1556.006,Multi-Factor Authentication,[],[],,IA-11,mitigates,5 +2715,,T1556.007,Hybrid Identity,[],[],,IA-11,mitigates,5 +2716,,T1078.002,Domain Accounts,[],[],,IA-12,mitigates,5 +2717,,T1078.004,Cloud Accounts,[],[],,IA-12,mitigates,5 +2718,,T1078.003,Local Accounts,[],[],,IA-12,mitigates,5 +2719,,T1078,Valid Accounts,[],[],,IA-12,mitigates,5 +2720,,T1021.001,Remote Desktop Protocol,[],[],,IA-2,mitigates,5 +2721,,T1047,Windows Management Instrumentation,[],[],,IA-2,mitigates,5 +2722,,T1053,Scheduled Task/Job,[],[],,IA-2,mitigates,5 +2723,,T1053.002,At (Windows),[],[],,IA-2,mitigates,5 +2724,,T1053.003,Cron,[],[],,IA-2,mitigates,5 +2725,,T1053.005,Scheduled Task,[],[],,IA-2,mitigates,5 +2726,,T1059,Command and Scripting 
Interpreter,[],[],,IA-2,mitigates,5 +2727,,T1059.001,PowerShell,[],[],,IA-2,mitigates,5 +2728,,T1059.008,Network Device CLI,[],[],,IA-2,mitigates,5 +2729,,T1078.002,Domain Accounts,[],[],,IA-2,mitigates,5 +2730,,T1078.004,Cloud Accounts,[],[],,IA-2,mitigates,5 +2731,,T1098,Account Manipulation,[],[],,IA-2,mitigates,5 +2732,,T1098.001,Additional Cloud Credentials,[],[],,IA-2,mitigates,5 +2733,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-2,mitigates,5 +2734,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-2,mitigates,5 +2735,,T1190,Exploit Public-Facing Application,[],[],,IA-2,mitigates,5 +2736,,T1197,BITS Jobs,[],[],,IA-2,mitigates,5 +2737,,T1210,Exploitation of Remote Services,[],[],,IA-2,mitigates,5 +2738,,T1213.003,Code Repositories,[],[],,IA-2,mitigates,5 +2739,,T1218.007,Msiexec,[],[],,IA-2,mitigates,5 +2740,,T1222,File and Directory Permissions Modification,[],[],,IA-2,mitigates,5 +2741,,T1495,Firmware Corruption,[],[],,IA-2,mitigates,5 +2742,,T1505,Server Software Component,[],[],,IA-2,mitigates,5 +2743,,T1525,Implant Internal Image,[],[],,IA-2,mitigates,5 +2744,,T1537,Transfer Data to Cloud Account,[],[],,IA-2,mitigates,5 +2745,,T1543,Create or Modify System Process,[],[],,IA-2,mitigates,5 +2746,,T1543.001,Launch Agent,[],[],,IA-2,mitigates,5 +2747,,T1543.003,Windows Service,[],[],,IA-2,mitigates,5 +2748,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,IA-2,mitigates,5 +2749,,T1547.004,Winlogon Helper DLL,[],[],,IA-2,mitigates,5 +2750,,T1547.006,Kernel Modules and Extensions,[],[],,IA-2,mitigates,5 +2751,,T1547.009,Shortcut Modification,[],[],,IA-2,mitigates,5 +2752,,T1548.002,Bypass User Account Control,[],[],,IA-2,mitigates,5 +2753,,T1548.003,Sudo and Sudo Caching,[],[],,IA-2,mitigates,5 +2754,,T1550.001,Application Access Token,[],[],,IA-2,mitigates,5 +2755,,T1556.004,Network Device Authentication,[],[],,IA-2,mitigates,5 +2756,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-2,mitigates,5 
+2757,,T1558.003,Kerberoasting,[],[],,IA-2,mitigates,5 +2758,,T1559,Inter-Process Communication,[],[],,IA-2,mitigates,5 +2759,,T1562,Impair Defenses,[],[],,IA-2,mitigates,5 +2760,,T1562.001,Disable or Modify Tools,[],[],,IA-2,mitigates,5 +2761,,T1562.006,Indicator Blocking,[],[],,IA-2,mitigates,5 +2762,,T1562.008,Disable Cloud Logs,[],[],,IA-2,mitigates,5 +2763,,T1574,Hijack Execution Flow,[],[],,IA-2,mitigates,5 +2764,,T1610,Deploy Container,[],[],,IA-2,mitigates,5 +2765,,T1003,OS Credential Dumping,[],[],,IA-2,mitigates,5 +2766,,T1003.004,LSA Secrets,[],[],,IA-2,mitigates,5 +2767,,T1003.005,Cached Domain Credentials,[],[],,IA-2,mitigates,5 +2768,,T1003.006,DCSync,[],[],,IA-2,mitigates,5 +2769,,T1003.007,Proc Filesystem,[],[],,IA-2,mitigates,5 +2770,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-2,mitigates,5 +2771,,T1021,Remote Services,[],[],,IA-2,mitigates,5 +2772,,T1021.002,SMB/Windows Admin Shares,[],[],,IA-2,mitigates,5 +2773,,T1021.003,Distributed Component Object Model,[],[],,IA-2,mitigates,5 +2774,,T1021.004,SSH,[],[],,IA-2,mitigates,5 +2775,,T1021.005,VNC,[],[],,IA-2,mitigates,5 +2776,,T1021.006,Windows Remote Management,[],[],,IA-2,mitigates,5 +2777,,T1036.007,Double File Extension,[],[],,IA-2,mitigates,5 +2778,,T1053.006,Systemd Timers,[],[],,IA-2,mitigates,5 +2779,,T1053.007,Container Orchestration Job,[],[],,IA-2,mitigates,5 +2780,,T1055.008,Ptrace System Calls,[],[],,IA-2,mitigates,5 +2781,,T1056.003,Web Portal Capture,[],[],,IA-2,mitigates,5 +2782,,T1072,Software Deployment Tools,[],[],,IA-2,mitigates,5 +2783,,T1078.003,Local Accounts,[],[],,IA-2,mitigates,5 +2784,,T1087.004,Cloud Account,[],[],,IA-2,mitigates,5 +2785,,T1110,Brute Force,[],[],,IA-2,mitigates,5 +2786,,T1110.003,Password Spraying,[],[],,IA-2,mitigates,5 +2787,,T1110.004,Credential Stuffing,[],[],,IA-2,mitigates,5 +2788,,T1114,Email Collection,[],[],,IA-2,mitigates,5 +2789,,T1114.002,Remote Email Collection,[],[],,IA-2,mitigates,5 +2790,,T1134,Access Token 
Manipulation,[],[],,IA-2,mitigates,5 +2791,,T1134.001,Token Impersonation/Theft,[],[],,IA-2,mitigates,5 +2792,,T1134.002,Create Process with Token,[],[],,IA-2,mitigates,5 +2793,,T1134.003,Make and Impersonate Token,[],[],,IA-2,mitigates,5 +2794,,T1136,Create Account,[],[],,IA-2,mitigates,5 +2795,,T1136.001,Local Account,[],[],,IA-2,mitigates,5 +2796,,T1136.002,Domain Account,[],[],,IA-2,mitigates,5 +2797,,T1136.003,Cloud Account,[],[],,IA-2,mitigates,5 +2798,,T1185,Browser Session Hijacking,[],[],,IA-2,mitigates,5 +2799,,T1213,Data from Information Repositories,[],[],,IA-2,mitigates,5 +2800,,T1213.001,Confluence,[],[],,IA-2,mitigates,5 +2801,,T1213.002,Sharepoint,[],[],,IA-2,mitigates,5 +2802,,T1222.001,Windows File and Directory Permissions Modification,[],[],,IA-2,mitigates,5 +2803,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,IA-2,mitigates,5 +2804,,T1484,Domain Policy Modification,[],[],,IA-2,mitigates,5 +2805,,T1489,Service Stop,[],[],,IA-2,mitigates,5 +2806,,T1505.002,Transport Agent,[],[],,IA-2,mitigates,5 +2807,,T1505.004,IIS Components,[],[],,IA-2,mitigates,5 +2808,,T1538,Cloud Service Dashboard,[],[],,IA-2,mitigates,5 +2809,,T1539,Steal Web Session Cookie,[],[],,IA-2,mitigates,5 +2810,,T1542,Pre-OS Boot,[],[],,IA-2,mitigates,5 +2811,,T1542.001,System Firmware,[],[],,IA-2,mitigates,5 +2812,,T1542.003,Bootkit,[],[],,IA-2,mitigates,5 +2813,,T1542.005,TFTP Boot,[],[],,IA-2,mitigates,5 +2814,,T1543.002,Systemd Service,[],[],,IA-2,mitigates,5 +2815,,T1543.004,Launch Daemon,[],[],,IA-2,mitigates,5 +2816,,T1547.012,Print Processors,[],[],,IA-2,mitigates,5 +2817,,T1547.013,XDG Autostart Entries,[],[],,IA-2,mitigates,5 +2818,,T1548,Abuse Elevation Control Mechanism,[],[],,IA-2,mitigates,5 +2819,,T1550,Use Alternate Authentication Material,[],[],,IA-2,mitigates,5 +2820,,T1550.002,Pass the Hash,[],[],,IA-2,mitigates,5 +2821,,T1550.003,Pass the Ticket,[],[],,IA-2,mitigates,5 +2822,,T1552,Unsecured Credentials,[],[],,IA-2,mitigates,5 
+2823,,T1552.001,Credentials In Files,[],[],,IA-2,mitigates,5 +2824,,T1552.002,Credentials in Registry,[],[],,IA-2,mitigates,5 +2825,,T1552.004,Private Keys,[],[],,IA-2,mitigates,5 +2826,,T1552.006,Group Policy Preferences,[],[],,IA-2,mitigates,5 +2827,,T1555.005,Password Managers,[],[],,IA-2,mitigates,5 +2828,,T1556.001,Domain Controller Authentication,[],[],,IA-2,mitigates,5 +2829,,T1556.003,Pluggable Authentication Modules,[],[],,IA-2,mitigates,5 +2830,,T1558.001,Golden Ticket,[],[],,IA-2,mitigates,5 +2831,,T1558.002,Silver Ticket,[],[],,IA-2,mitigates,5 +2832,,T1558.004,AS-REP Roasting,[],[],,IA-2,mitigates,5 +2833,,T1559.001,Component Object Model,[],[],,IA-2,mitigates,5 +2834,,T1562.002,Disable Windows Event Logging,[],[],,IA-2,mitigates,5 +2835,,T1562.004,Disable or Modify System Firewall,[],[],,IA-2,mitigates,5 +2836,,T1562.007,Disable or Modify Cloud Firewall,[],[],,IA-2,mitigates,5 +2837,,T1562.009,Safe Mode Boot,[],[],,IA-2,mitigates,5 +2838,,T1563,Remote Service Session Hijacking,[],[],,IA-2,mitigates,5 +2839,,T1563.001,SSH Hijacking,[],[],,IA-2,mitigates,5 +2840,,T1563.002,RDP Hijacking,[],[],,IA-2,mitigates,5 +2841,,T1569,System Services,[],[],,IA-2,mitigates,5 +2842,,T1569.001,Launchctl,[],[],,IA-2,mitigates,5 +2843,,T1569.002,Service Execution,[],[],,IA-2,mitigates,5 +2844,,T1574.005,Executable Installer File Permissions Weakness,[],[],,IA-2,mitigates,5 +2845,,T1574.010,Services File Permissions Weakness,[],[],,IA-2,mitigates,5 +2846,,T1574.012,COR_PROFILER,[],[],,IA-2,mitigates,5 +2847,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-2,mitigates,5 +2848,,T1578.001,Create Snapshot,[],[],,IA-2,mitigates,5 +2849,,T1578.002,Create Cloud Instance,[],[],,IA-2,mitigates,5 +2850,,T1578.003,Delete Cloud Instance,[],[],,IA-2,mitigates,5 +2851,,T1599.001,Network Address Translation Traversal,[],[],,IA-2,mitigates,5 +2852,,T1601,Modify System Image,[],[],,IA-2,mitigates,5 +2853,,T1601.001,Patch System Image,[],[],,IA-2,mitigates,5 
+2854,,T1601.002,Downgrade System Image,[],[],,IA-2,mitigates,5 +2855,,T1613,Container and Resource Discovery,[],[],,IA-2,mitigates,5 +2856,,T1619,Cloud Storage Object Discovery,[],[],,IA-2,mitigates,5 +2857,,T1003.001,LSASS Memory,[],[],,IA-2,mitigates,5 +2858,,T1003.002,Security Account Manager,[],[],,IA-2,mitigates,5 +2859,,T1003.003,NTDS,[],[],,IA-2,mitigates,5 +2860,,T1040,Network Sniffing,[],[],,IA-2,mitigates,5 +2861,,T1055,Process Injection,[],[],,IA-2,mitigates,5 +2862,,T1078,Valid Accounts,[],[],,IA-2,mitigates,5 +2863,,T1110.001,Password Guessing,[],[],,IA-2,mitigates,5 +2864,,T1110.002,Password Cracking,[],[],,IA-2,mitigates,5 +2865,,T1111,Two-Factor Authentication Interception,[],[],,IA-2,mitigates,5 +2866,,T1133,External Remote Services,[],[],,IA-2,mitigates,5 +2867,,T1218,Signed Binary Proxy Execution,[],[],,IA-2,mitigates,5 +2868,,T1528,Steal Application Access Token,[],[],,IA-2,mitigates,5 +2869,,T1530,Data from Cloud Storage Object,[],[],,IA-2,mitigates,5 +2870,,T1552.007,Container API,[],[],,IA-2,mitigates,5 +2871,,T1556,Modify Authentication Process,[],[],,IA-2,mitigates,5 +2872,,T1580,Cloud Infrastructure Discovery,[],[],,IA-2,mitigates,5 +2873,,T1599,Network Boundary Bridging,[],[],,IA-2,mitigates,5 +2874,,T1611,Escape to Host,[],[],,IA-2,mitigates,5 +2875,,T1098.004,SSH Authorized Keys,[],[],,IA-2,mitigates,5 +2876,,T1648,Serverless Execution,[],[],,IA-2,mitigates,5 +2877,,T1556.006,Multi-Factor Authentication,[],[],,IA-2,mitigates,5 +2878,,T1556.007,Hybrid Identity,[],[],,IA-2,mitigates,5 +2879,,T1585.003,Cloud Accounts,[],[],,IA-2,mitigates,5 +2880,,T1586.003,Cloud Accounts,[],[],,IA-2,mitigates,5 +2881,,T1621,Multi-Factor Authentication Request Generation,[],[],,IA-2,mitigates,5 +2882,,T1649,Steal or Forge Authentication Certificates,[],[],,IA-2,mitigates,5 +2883,,T1537,Transfer Data to Cloud Account,[],[],,IA-3,mitigates,5 +2884,,T1552.005,Cloud Instance Metadata API,[],[],,IA-3,mitigates,5 +2885,,T1602.002,Network Device Configuration 
Dump,[],[],,IA-3,mitigates,5 +2886,,T1552,Unsecured Credentials,[],[],,IA-3,mitigates,5 +2887,,T1602,Data from Configuration Repository,[],[],,IA-3,mitigates,5 +2888,,T1602.001,SNMP (MIB Dump),[],[],,IA-3,mitigates,5 +2889,,T1530,Data from Cloud Storage Object,[],[],,IA-3,mitigates,5 +2890,,T1621,Multi-Factor Authentication Request Generation,[],[],,IA-3,mitigates,5 +2891,,T1021.001,Remote Desktop Protocol,[],[],,IA-4,mitigates,5 +2892,,T1053,Scheduled Task/Job,[],[],,IA-4,mitigates,5 +2893,,T1053.002,At (Windows),[],[],,IA-4,mitigates,5 +2894,,T1053.005,Scheduled Task,[],[],,IA-4,mitigates,5 +2895,,T1537,Transfer Data to Cloud Account,[],[],,IA-4,mitigates,5 +2896,,T1543,Create or Modify System Process,[],[],,IA-4,mitigates,5 +2897,,T1547.006,Kernel Modules and Extensions,[],[],,IA-4,mitigates,5 +2898,,T1550.001,Application Access Token,[],[],,IA-4,mitigates,5 +2899,,T1552.005,Cloud Instance Metadata API,[],[],,IA-4,mitigates,5 +2900,,T1562,Impair Defenses,[],[],,IA-4,mitigates,5 +2901,,T1602.002,Network Device Configuration Dump,[],[],,IA-4,mitigates,5 +2902,,T1003,OS Credential Dumping,[],[],,IA-4,mitigates,5 +2903,,T1003.005,Cached Domain Credentials,[],[],,IA-4,mitigates,5 +2904,,T1003.006,DCSync,[],[],,IA-4,mitigates,5 +2905,,T1021.005,VNC,[],[],,IA-4,mitigates,5 +2906,,T1110,Brute Force,[],[],,IA-4,mitigates,5 +2907,,T1110.003,Password Spraying,[],[],,IA-4,mitigates,5 +2908,,T1110.004,Credential Stuffing,[],[],,IA-4,mitigates,5 +2909,,T1213,Data from Information Repositories,[],[],,IA-4,mitigates,5 +2910,,T1213.001,Confluence,[],[],,IA-4,mitigates,5 +2911,,T1213.002,Sharepoint,[],[],,IA-4,mitigates,5 +2912,,T1552,Unsecured Credentials,[],[],,IA-4,mitigates,5 +2913,,T1563,Remote Service Session Hijacking,[],[],,IA-4,mitigates,5 +2914,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-4,mitigates,5 +2915,,T1578.001,Create Snapshot,[],[],,IA-4,mitigates,5 +2916,,T1578.002,Create Cloud Instance,[],[],,IA-4,mitigates,5 +2917,,T1578.003,Delete Cloud 
Instance,[],[],,IA-4,mitigates,5 +2918,,T1602,Data from Configuration Repository,[],[],,IA-4,mitigates,5 +2919,,T1602.001,SNMP (MIB Dump),[],[],,IA-4,mitigates,5 +2920,,T1110.001,Password Guessing,[],[],,IA-4,mitigates,5 +2921,,T1110.002,Password Cracking,[],[],,IA-4,mitigates,5 +2922,,T1528,Steal Application Access Token,[],[],,IA-4,mitigates,5 +2923,,T1530,Data from Cloud Storage Object,[],[],,IA-4,mitigates,5 +2924,,T1021.001,Remote Desktop Protocol,[],[],,IA-5,mitigates,5 +2925,,T1078.002,Domain Accounts,[],[],,IA-5,mitigates,5 +2926,,T1078.004,Cloud Accounts,[],[],,IA-5,mitigates,5 +2927,,T1098.001,Additional Cloud Credentials,[],[],,IA-5,mitigates,5 +2928,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-5,mitigates,5 +2929,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-5,mitigates,5 +2930,,T1555.002,Securityd Memory,[],[],,IA-5,mitigates,5 +2931,,T1556.004,Network Device Authentication,[],[],,IA-5,mitigates,5 +2932,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-5,mitigates,5 +2933,,T1558.003,Kerberoasting,[],[],,IA-5,mitigates,5 +2934,,T1003,OS Credential Dumping,[],[],,IA-5,mitigates,5 +2935,,T1003.004,LSA Secrets,[],[],,IA-5,mitigates,5 +2936,,T1003.005,Cached Domain Credentials,[],[],,IA-5,mitigates,5 +2937,,T1003.006,DCSync,[],[],,IA-5,mitigates,5 +2938,,T1003.007,Proc Filesystem,[],[],,IA-5,mitigates,5 +2939,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-5,mitigates,5 +2940,,T1021,Remote Services,[],[],,IA-5,mitigates,5 +2941,,T1021.004,SSH,[],[],,IA-5,mitigates,5 +2942,,T1072,Software Deployment Tools,[],[],,IA-5,mitigates,5 +2943,,T1110,Brute Force,[],[],,IA-5,mitigates,5 +2944,,T1110.003,Password Spraying,[],[],,IA-5,mitigates,5 +2945,,T1110.004,Credential Stuffing,[],[],,IA-5,mitigates,5 +2946,,T1114,Email Collection,[],[],,IA-5,mitigates,5 +2947,,T1114.002,Remote Email Collection,[],[],,IA-5,mitigates,5 +2948,,T1136,Create Account,[],[],,IA-5,mitigates,5 +2949,,T1136.001,Local Account,[],[],,IA-5,mitigates,5 
+2950,,T1136.002,Domain Account,[],[],,IA-5,mitigates,5 +2951,,T1136.003,Cloud Account,[],[],,IA-5,mitigates,5 +2952,,T1539,Steal Web Session Cookie,[],[],,IA-5,mitigates,5 +2953,,T1550.003,Pass the Ticket,[],[],,IA-5,mitigates,5 +2954,,T1552,Unsecured Credentials,[],[],,IA-5,mitigates,5 +2955,,T1552.001,Credentials In Files,[],[],,IA-5,mitigates,5 +2956,,T1552.002,Credentials in Registry,[],[],,IA-5,mitigates,5 +2957,,T1552.004,Private Keys,[],[],,IA-5,mitigates,5 +2958,,T1552.006,Group Policy Preferences,[],[],,IA-5,mitigates,5 +2959,,T1555,Credentials from Password Stores,[],[],,IA-5,mitigates,5 +2960,,T1555.005,Password Managers,[],[],,IA-5,mitigates,5 +2961,,T1556.001,Domain Controller Authentication,[],[],,IA-5,mitigates,5 +2962,,T1556.003,Pluggable Authentication Modules,[],[],,IA-5,mitigates,5 +2963,,T1558.001,Golden Ticket,[],[],,IA-5,mitigates,5 +2964,,T1558.002,Silver Ticket,[],[],,IA-5,mitigates,5 +2965,,T1558.004,AS-REP Roasting,[],[],,IA-5,mitigates,5 +2966,,T1563.001,SSH Hijacking,[],[],,IA-5,mitigates,5 +2967,,T1599.001,Network Address Translation Traversal,[],[],,IA-5,mitigates,5 +2968,,T1601,Modify System Image,[],[],,IA-5,mitigates,5 +2969,,T1601.001,Patch System Image,[],[],,IA-5,mitigates,5 +2970,,T1601.002,Downgrade System Image,[],[],,IA-5,mitigates,5 +2971,,T1003.001,LSASS Memory,[],[],,IA-5,mitigates,5 +2972,,T1003.002,Security Account Manager,[],[],,IA-5,mitigates,5 +2973,,T1003.003,NTDS,[],[],,IA-5,mitigates,5 +2974,,T1040,Network Sniffing,[],[],,IA-5,mitigates,5 +2975,,T1078,Valid Accounts,[],[],,IA-5,mitigates,5 +2976,,T1110.001,Password Guessing,[],[],,IA-5,mitigates,5 +2977,,T1110.002,Password Cracking,[],[],,IA-5,mitigates,5 +2978,,T1111,Two-Factor Authentication Interception,[],[],,IA-5,mitigates,5 +2979,,T1133,External Remote Services,[],[],,IA-5,mitigates,5 +2980,,T1528,Steal Application Access Token,[],[],,IA-5,mitigates,5 +2981,,T1530,Data from Cloud Storage Object,[],[],,IA-5,mitigates,5 
+2982,,T1555.001,Keychain,[],[],,IA-5,mitigates,5 +2983,,T1555.004,Windows Credential Manager,[],[],,IA-5,mitigates,5 +2984,,T1556,Modify Authentication Process,[],[],,IA-5,mitigates,5 +2985,,T1599,Network Boundary Bridging,[],[],,IA-5,mitigates,5 +2986,,T1098.004,SSH Authorized Keys,[],[],,IA-5,mitigates,5 +2987,,T1556.005,Reversible Encryption,[],[],,IA-5,mitigates,5 +2988,,T1621,Multi-Factor Authentication Request Generation,[],[],,IA-5,mitigates,5 +2989,,T1649,Steal or Forge Authentication Certificates,[],[],,IA-5,mitigates,5 +2990,,T1021.001,Remote Desktop Protocol,[],[],,IA-6,mitigates,5 +2991,,T1021.005,VNC,[],[],,IA-6,mitigates,5 +2992,,T1563,Remote Service Session Hijacking,[],[],,IA-6,mitigates,5 +2993,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-6,mitigates,5 +2994,,T1578.001,Create Snapshot,[],[],,IA-6,mitigates,5 +2995,,T1578.002,Create Cloud Instance,[],[],,IA-6,mitigates,5 +2996,,T1578.003,Delete Cloud Instance,[],[],,IA-6,mitigates,5 +2997,,T1530,Data from Cloud Storage Object,[],[],,IA-6,mitigates,5 +2998,,T1495,Firmware Corruption,[],[],,IA-7,mitigates,5 +2999,,T1542,Pre-OS Boot,[],[],,IA-7,mitigates,5 +3000,,T1542.001,System Firmware,[],[],,IA-7,mitigates,5 +3001,,T1542.003,Bootkit,[],[],,IA-7,mitigates,5 +3002,,T1542.004,ROMMONkit,[],[],,IA-7,mitigates,5 +3003,,T1542.005,TFTP Boot,[],[],,IA-7,mitigates,5 +3004,,T1553,Subvert Trust Controls,[],[],,IA-7,mitigates,5 +3005,,T1553.006,Code Signing Policy Modification,[],[],,IA-7,mitigates,5 +3006,,T1601,Modify System Image,[],[],,IA-7,mitigates,5 +3007,,T1601.001,Patch System Image,[],[],,IA-7,mitigates,5 +3008,,T1601.002,Downgrade System Image,[],[],,IA-7,mitigates,5 +3009,,T1195.003,Compromise Hardware Supply Chain,[],[],,IA-7,mitigates,5 +3010,,T1053,Scheduled Task/Job,[],[],,IA-8,mitigates,5 +3011,,T1059,Command and Scripting Interpreter,[],[],,IA-8,mitigates,5 +3012,,T1059.001,PowerShell,[],[],,IA-8,mitigates,5 +3013,,T1059.008,Network Device CLI,[],[],,IA-8,mitigates,5 
+3014,,T1190,Exploit Public-Facing Application,[],[],,IA-8,mitigates,5 +3015,,T1210,Exploitation of Remote Services,[],[],,IA-8,mitigates,5 +3016,,T1537,Transfer Data to Cloud Account,[],[],,IA-8,mitigates,5 +3017,,T1547.006,Kernel Modules and Extensions,[],[],,IA-8,mitigates,5 +3018,,T1053.007,Container Orchestration Job,[],[],,IA-8,mitigates,5 +3019,,T1087.004,Cloud Account,[],[],,IA-8,mitigates,5 +3020,,T1213,Data from Information Repositories,[],[],,IA-8,mitigates,5 +3021,,T1213.001,Confluence,[],[],,IA-8,mitigates,5 +3022,,T1213.002,Sharepoint,[],[],,IA-8,mitigates,5 +3023,,T1538,Cloud Service Dashboard,[],[],,IA-8,mitigates,5 +3024,,T1542,Pre-OS Boot,[],[],,IA-8,mitigates,5 +3025,,T1542.001,System Firmware,[],[],,IA-8,mitigates,5 +3026,,T1542.003,Bootkit,[],[],,IA-8,mitigates,5 +3027,,T1542.005,TFTP Boot,[],[],,IA-8,mitigates,5 +3028,,T1528,Steal Application Access Token,[],[],,IA-8,mitigates,5 +3029,,T1530,Data from Cloud Storage Object,[],[],,IA-8,mitigates,5 +3030,,T1059,Command and Scripting Interpreter,[],[],,IA-9,mitigates,5 +3031,,T1059.001,PowerShell,[],[],,IA-9,mitigates,5 +3032,,T1059.002,AppleScript,[],[],,IA-9,mitigates,5 +3033,,T1213.003,Code Repositories,[],[],,IA-9,mitigates,5 +3034,,T1525,Implant Internal Image,[],[],,IA-9,mitigates,5 +3035,,T1546,Event Triggered Execution,[],[],,IA-9,mitigates,5 +3036,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,IA-9,mitigates,5 +3037,,T1562.006,Indicator Blocking,[],[],,IA-9,mitigates,5 +3038,,T1036,Masquerading,[],[],,IA-9,mitigates,5 +3039,,T1036.001,Invalid Code Signature,[],[],,IA-9,mitigates,5 +3040,,T1036.005,Match Legitimate Name or Location,[],[],,IA-9,mitigates,5 +3041,,T1546.013,PowerShell Profile,[],[],,IA-9,mitigates,5 +3042,,T1553,Subvert Trust Controls,[],[],,IA-9,mitigates,5 +3043,,T1553.004,Install Root Certificate,[],[],,IA-9,mitigates,5 +3044,,T1554,Compromise Client Software Binary,[],[],,IA-9,mitigates,5 +3045,,T1562.009,Safe Mode Boot,[],[],,IA-9,mitigates,5 
+3046,,T1566,Phishing,[],[],,IA-9,mitigates,5 +3047,,T1566.001,Spearphishing Attachment,[],[],,IA-9,mitigates,5 +3048,,T1598,Phishing for Information,[],[],,IA-9,mitigates,5 +3049,,T1598.002,Spearphishing Attachment,[],[],,IA-9,mitigates,5 +3050,,T1566.002,Spearphishing Link,[],[],,IA-9,mitigates,5 +3051,,T1598.003,Spearphishing Link,[],[],,IA-9,mitigates,5 +3052,,T1564.008,Email Hiding Rules,[],[],,IR-5,mitigates,5 +3053,,T1025,Data from Removable Media,[],[],,MP-7,mitigates,5 +3054,,T1052,Exfiltration Over Physical Medium,[],[],,MP-7,mitigates,5 +3055,,T1052.001,Exfiltration over USB,[],[],,MP-7,mitigates,5 +3056,,T1092,Communication Through Removable Media,[],[],,MP-7,mitigates,5 +3057,,T1091,Replication Through Removable Media,[],[],,MP-7,mitigates,5 +3058,,T1200,Hardware Additions,[],[],,MP-7,mitigates,5 +3059,,T1190,Exploit Public-Facing Application,[],[],,RA-10,mitigates,5 +3060,,T1195,Supply Chain Compromise,[],[],,RA-10,mitigates,5 +3061,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-10,mitigates,5 +3062,,T1195.002,Compromise Software Supply Chain,[],[],,RA-10,mitigates,5 +3063,,T1210,Exploitation of Remote Services,[],[],,RA-10,mitigates,5 +3064,,T1211,Exploitation for Defense Evasion,[],[],,RA-10,mitigates,5 +3065,,T1068,Exploitation for Privilege Escalation,[],[],,RA-10,mitigates,5 +3066,,T1212,Exploitation for Credential Access,[],[],,RA-10,mitigates,5 +3067,,T1011.001,Exfiltration Over Bluetooth,[],[],,RA-5,mitigates,5 +3068,,T1021.001,Remote Desktop Protocol,[],[],,RA-5,mitigates,5 +3069,,T1047,Windows Management Instrumentation,[],[],,RA-5,mitigates,5 +3070,,T1053,Scheduled Task/Job,[],[],,RA-5,mitigates,5 +3071,,T1053.002,At (Windows),[],[],,RA-5,mitigates,5 +3072,,T1053.003,Cron,[],[],,RA-5,mitigates,5 +3073,,T1053.005,Scheduled Task,[],[],,RA-5,mitigates,5 +3074,,T1059,Command and Scripting Interpreter,[],[],,RA-5,mitigates,5 +3075,,T1059.001,PowerShell,[],[],,RA-5,mitigates,5 +3076,,T1059.005,Visual 
Basic,[],[],,RA-5,mitigates,5 +3077,,T1098.004,SSH Authorized Keys,[],[],,RA-5,mitigates,5 +3078,,T1176,Browser Extensions,[],[],,RA-5,mitigates,5 +3079,,T1190,Exploit Public-Facing Application,[],[],,RA-5,mitigates,5 +3080,,T1195,Supply Chain Compromise,[],[],,RA-5,mitigates,5 +3081,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-5,mitigates,5 +3082,,T1195.002,Compromise Software Supply Chain,[],[],,RA-5,mitigates,5 +3083,,T1210,Exploitation of Remote Services,[],[],,RA-5,mitigates,5 +3084,,T1211,Exploitation for Defense Evasion,[],[],,RA-5,mitigates,5 +3085,,T1213.003,Code Repositories,[],[],,RA-5,mitigates,5 +3086,,T1218.003,CMSTP,[],[],,RA-5,mitigates,5 +3087,,T1218.004,InstallUtil,[],[],,RA-5,mitigates,5 +3088,,T1218.008,Odbcconf,[],[],,RA-5,mitigates,5 +3089,,T1218.009,Regsvcs/Regasm,[],[],,RA-5,mitigates,5 +3090,,T1218.012,Verclsid,[],[],,RA-5,mitigates,5 +3091,,T1218.013,Mavinject,[],[],,RA-5,mitigates,5 +3092,,T1218.014,MMC,[],[],,RA-5,mitigates,5 +3093,,T1221,Template Injection,[],[],,RA-5,mitigates,5 +3094,,T1505,Server Software Component,[],[],,RA-5,mitigates,5 +3095,,T1505.003,Web Shell,[],[],,RA-5,mitigates,5 +3096,,T1525,Implant Internal Image,[],[],,RA-5,mitigates,5 +3097,,T1543,Create or Modify System Process,[],[],,RA-5,mitigates,5 +3098,,T1546.002,Screensaver,[],[],,RA-5,mitigates,5 +3099,,T1547.006,Kernel Modules and Extensions,[],[],,RA-5,mitigates,5 +3100,,T1547.007,Re-opened Applications,[],[],,RA-5,mitigates,5 +3101,,T1547.008,LSASS Driver,[],[],,RA-5,mitigates,5 +3102,,T1548.002,Bypass User Account Control,[],[],,RA-5,mitigates,5 +3103,,T1548.003,Sudo and Sudo Caching,[],[],,RA-5,mitigates,5 +3104,,T1559,Inter-Process Communication,[],[],,RA-5,mitigates,5 +3105,,T1559.002,Dynamic Data Exchange,[],[],,RA-5,mitigates,5 +3106,,T1562,Impair Defenses,[],[],,RA-5,mitigates,5 +3107,,T1562.010,Downgrade Attack,[],[],,RA-5,mitigates,5 +3108,,T1574,Hijack Execution Flow,[],[],,RA-5,mitigates,5 +3109,,T1574.007,Path 
Interception by PATH Environment Variable,[],[],,RA-5,mitigates,5 +3110,,T1021.003,Distributed Component Object Model,[],[],,RA-5,mitigates,5 +3111,,T1021.004,SSH,[],[],,RA-5,mitigates,5 +3112,,T1021.005,VNC,[],[],,RA-5,mitigates,5 +3113,,T1021.006,Windows Remote Management,[],[],,RA-5,mitigates,5 +3114,,T1052,Exfiltration Over Physical Medium,[],[],,RA-5,mitigates,5 +3115,,T1052.001,Exfiltration over USB,[],[],,RA-5,mitigates,5 +3116,,T1059.007,JavaScript,[],[],,RA-5,mitigates,5 +3117,,T1092,Communication Through Removable Media,[],[],,RA-5,mitigates,5 +3118,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,RA-5,mitigates,5 +3119,,T1127.001,MSBuild,[],[],,RA-5,mitigates,5 +3120,,T1137,Office Application Startup,[],[],,RA-5,mitigates,5 +3121,,T1137.001,Office Template Macros,[],[],,RA-5,mitigates,5 +3122,,T1204.003,Malicious Image,[],[],,RA-5,mitigates,5 +3123,,T1213,Data from Information Repositories,[],[],,RA-5,mitigates,5 +3124,,T1213.001,Confluence,[],[],,RA-5,mitigates,5 +3125,,T1213.002,Sharepoint,[],[],,RA-5,mitigates,5 +3126,,T1218.005,Mshta,[],[],,RA-5,mitigates,5 +3127,,T1484,Domain Policy Modification,[],[],,RA-5,mitigates,5 +3128,,T1505.001,SQL Stored Procedures,[],[],,RA-5,mitigates,5 +3129,,T1505.002,Transport Agent,[],[],,RA-5,mitigates,5 +3130,,T1505.004,IIS Components,[],[],,RA-5,mitigates,5 +3131,,T1542.004,ROMMONkit,[],[],,RA-5,mitigates,5 +3132,,T1542.005,TFTP Boot,[],[],,RA-5,mitigates,5 +3133,,T1546.014,Emond,[],[],,RA-5,mitigates,5 +3134,,T1548,Abuse Elevation Control Mechanism,[],[],,RA-5,mitigates,5 +3135,,T1552,Unsecured Credentials,[],[],,RA-5,mitigates,5 +3136,,T1552.001,Credentials In Files,[],[],,RA-5,mitigates,5 +3137,,T1552.002,Credentials in Registry,[],[],,RA-5,mitigates,5 +3138,,T1552.004,Private Keys,[],[],,RA-5,mitigates,5 +3139,,T1552.006,Group Policy Preferences,[],[],,RA-5,mitigates,5 +3140,,T1558.004,AS-REP Roasting,[],[],,RA-5,mitigates,5 +3141,,T1560,Archive Collected Data,[],[],,RA-5,mitigates,5 
+3142,,T1563,Remote Service Session Hijacking,[],[],,RA-5,mitigates,5 +3143,,T1563.001,SSH Hijacking,[],[],,RA-5,mitigates,5 +3144,,T1563.002,RDP Hijacking,[],[],,RA-5,mitigates,5 +3145,,T1574.001,DLL Search Order Hijacking,[],[],,RA-5,mitigates,5 +3146,,T1574.004,Dylib Hijacking,[],[],,RA-5,mitigates,5 +3147,,T1574.005,Executable Installer File Permissions Weakness,[],[],,RA-5,mitigates,5 +3148,,T1574.008,Path Interception by Search Order Hijacking,[],[],,RA-5,mitigates,5 +3149,,T1574.009,Path Interception by Unquoted Path,[],[],,RA-5,mitigates,5 +3150,,T1574.010,Services File Permissions Weakness,[],[],,RA-5,mitigates,5 +3151,,T1578,Modify Cloud Compute Infrastructure,[],[],,RA-5,mitigates,5 +3152,,T1578.001,Create Snapshot,[],[],,RA-5,mitigates,5 +3153,,T1578.002,Create Cloud Instance,[],[],,RA-5,mitigates,5 +3154,,T1578.003,Delete Cloud Instance,[],[],,RA-5,mitigates,5 +3155,,T1612,Build Image on Host,[],[],,RA-5,mitigates,5 +3156,,T1046,Network Service Scanning,[],[],,RA-5,mitigates,5 +3157,,T1068,Exploitation for Privilege Escalation,[],[],,RA-5,mitigates,5 +3158,,T1078,Valid Accounts,[],[],,RA-5,mitigates,5 +3159,,T1091,Replication Through Removable Media,[],[],,RA-5,mitigates,5 +3160,,T1133,External Remote Services,[],[],,RA-5,mitigates,5 +3161,,T1212,Exploitation for Credential Access,[],[],,RA-5,mitigates,5 +3162,,T1218,Signed Binary Proxy Execution,[],[],,RA-5,mitigates,5 +3163,,T1482,Domain Trust Discovery,[],[],,RA-5,mitigates,5 +3164,,T1528,Steal Application Access Token,[],[],,RA-5,mitigates,5 +3165,,T1530,Data from Cloud Storage Object,[],[],,RA-5,mitigates,5 +3166,,T1557,Adversary-in-the-Middle,[],[],,RA-5,mitigates,5 +3167,,T1560.001,Archive via Utility,[],[],,RA-5,mitigates,5 +3168,,T1505.005,Terminal Services DLL,[],[],,RA-5,mitigates,5 +3169,,T1495,Firmware Corruption,[],[],,RA-9,mitigates,5 +3170,,T1542,Pre-OS Boot,[],[],,RA-9,mitigates,5 +3171,,T1542.001,System Firmware,[],[],,RA-9,mitigates,5 +3172,,T1542.003,Bootkit,[],[],,RA-9,mitigates,5 
+3173,,T1542.004,ROMMONkit,[],[],,RA-9,mitigates,5 +3174,,T1542.005,TFTP Boot,[],[],,RA-9,mitigates,5 +3175,,T1553,Subvert Trust Controls,[],[],,RA-9,mitigates,5 +3176,,T1553.006,Code Signing Policy Modification,[],[],,RA-9,mitigates,5 +3177,,T1601,Modify System Image,[],[],,RA-9,mitigates,5 +3178,,T1601.001,Patch System Image,[],[],,RA-9,mitigates,5 +3179,,T1601.002,Downgrade System Image,[],[],,RA-9,mitigates,5 +3180,,T1195.003,Compromise Hardware Supply Chain,[],[],,RA-9,mitigates,5 +3181,,T1078.004,Cloud Accounts,[],[],,SA-10,mitigates,5 +3182,,T1213.003,Code Repositories,[],[],,SA-10,mitigates,5 +3183,,T1495,Firmware Corruption,[],[],,SA-10,mitigates,5 +3184,,T1505,Server Software Component,[],[],,SA-10,mitigates,5 +3185,,T1078.001,Default Accounts,[],[],,SA-10,mitigates,5 +3186,,T1078.003,Local Accounts,[],[],,SA-10,mitigates,5 +3187,,T1505.001,SQL Stored Procedures,[],[],,SA-10,mitigates,5 +3188,,T1505.002,Transport Agent,[],[],,SA-10,mitigates,5 +3189,,T1505.004,IIS Components,[],[],,SA-10,mitigates,5 +3190,,T1542,Pre-OS Boot,[],[],,SA-10,mitigates,5 +3191,,T1542.001,System Firmware,[],[],,SA-10,mitigates,5 +3192,,T1542.003,Bootkit,[],[],,SA-10,mitigates,5 +3193,,T1542.004,ROMMONkit,[],[],,SA-10,mitigates,5 +3194,,T1542.005,TFTP Boot,[],[],,SA-10,mitigates,5 +3195,,T1553,Subvert Trust Controls,[],[],,SA-10,mitigates,5 +3196,,T1553.006,Code Signing Policy Modification,[],[],,SA-10,mitigates,5 +3197,,T1564.009,Resource Forking,[],[],,SA-10,mitigates,5 +3198,,T1574.002,DLL Side-Loading,[],[],,SA-10,mitigates,5 +3199,,T1601,Modify System Image,[],[],,SA-10,mitigates,5 +3200,,T1601.001,Patch System Image,[],[],,SA-10,mitigates,5 +3201,,T1601.002,Downgrade System Image,[],[],,SA-10,mitigates,5 +3202,,T1078,Valid Accounts,[],[],,SA-10,mitigates,5 +3203,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-10,mitigates,5 +3204,,T1559.003,XPC Services,[],[],,SA-10,mitigates,5 +3205,,T1647,Plist File Modification,[],[],,SA-10,mitigates,5 +3206,,T1078.004,Cloud 
Accounts,[],[],,SA-11,mitigates,5 +3207,,T1213.003,Code Repositories,[],[],,SA-11,mitigates,5 +3208,,T1495,Firmware Corruption,[],[],,SA-11,mitigates,5 +3209,,T1505,Server Software Component,[],[],,SA-11,mitigates,5 +3210,,T1078.001,Default Accounts,[],[],,SA-11,mitigates,5 +3211,,T1078.003,Local Accounts,[],[],,SA-11,mitigates,5 +3212,,T1134.005,SID-History Injection,[],[],,SA-11,mitigates,5 +3213,,T1505.001,SQL Stored Procedures,[],[],,SA-11,mitigates,5 +3214,,T1505.002,Transport Agent,[],[],,SA-11,mitigates,5 +3215,,T1505.004,IIS Components,[],[],,SA-11,mitigates,5 +3216,,T1542,Pre-OS Boot,[],[],,SA-11,mitigates,5 +3217,,T1542.001,System Firmware,[],[],,SA-11,mitigates,5 +3218,,T1542.003,Bootkit,[],[],,SA-11,mitigates,5 +3219,,T1542.004,ROMMONkit,[],[],,SA-11,mitigates,5 +3220,,T1542.005,TFTP Boot,[],[],,SA-11,mitigates,5 +3221,,T1552,Unsecured Credentials,[],[],,SA-11,mitigates,5 +3222,,T1552.001,Credentials In Files,[],[],,SA-11,mitigates,5 +3223,,T1552.002,Credentials in Registry,[],[],,SA-11,mitigates,5 +3224,,T1552.004,Private Keys,[],[],,SA-11,mitigates,5 +3225,,T1552.006,Group Policy Preferences,[],[],,SA-11,mitigates,5 +3226,,T1553,Subvert Trust Controls,[],[],,SA-11,mitigates,5 +3227,,T1553.006,Code Signing Policy Modification,[],[],,SA-11,mitigates,5 +3228,,T1558.004,AS-REP Roasting,[],[],,SA-11,mitigates,5 +3229,,T1574.002,DLL Side-Loading,[],[],,SA-11,mitigates,5 +3230,,T1601,Modify System Image,[],[],,SA-11,mitigates,5 +3231,,T1601.001,Patch System Image,[],[],,SA-11,mitigates,5 +3232,,T1601.002,Downgrade System Image,[],[],,SA-11,mitigates,5 +3233,,T1612,Build Image on Host,[],[],,SA-11,mitigates,5 +3234,,T1078,Valid Accounts,[],[],,SA-11,mitigates,5 +3235,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-11,mitigates,5 +3236,,T1528,Steal Application Access Token,[],[],,SA-11,mitigates,5 +3237,,T1559.003,XPC Services,[],[],,SA-11,mitigates,5 +3238,,T1647,Plist File Modification,[],[],,SA-11,mitigates,5 +3239,,T1078.004,Cloud 
Accounts,[],[],,SA-15,mitigates,5 +3240,,T1213.003,Code Repositories,[],[],,SA-15,mitigates,5 +3241,,T1078.001,Default Accounts,[],[],,SA-15,mitigates,5 +3242,,T1078.003,Local Accounts,[],[],,SA-15,mitigates,5 +3243,,T1552,Unsecured Credentials,[],[],,SA-15,mitigates,5 +3244,,T1552.001,Credentials In Files,[],[],,SA-15,mitigates,5 +3245,,T1552.002,Credentials in Registry,[],[],,SA-15,mitigates,5 +3246,,T1552.004,Private Keys,[],[],,SA-15,mitigates,5 +3247,,T1552.006,Group Policy Preferences,[],[],,SA-15,mitigates,5 +3248,,T1558.004,AS-REP Roasting,[],[],,SA-15,mitigates,5 +3249,,T1574.002,DLL Side-Loading,[],[],,SA-15,mitigates,5 +3250,,T1078,Valid Accounts,[],[],,SA-15,mitigates,5 +3251,,T1528,Steal Application Access Token,[],[],,SA-15,mitigates,5 +3252,,T1078.004,Cloud Accounts,[],[],,SA-16,mitigates,5 +3253,,T1078.001,Default Accounts,[],[],,SA-16,mitigates,5 +3254,,T1078.003,Local Accounts,[],[],,SA-16,mitigates,5 +3255,,T1574.002,DLL Side-Loading,[],[],,SA-16,mitigates,5 +3256,,T1078,Valid Accounts,[],[],,SA-16,mitigates,5 +3257,,T1078.004,Cloud Accounts,[],[],,SA-17,mitigates,5 +3258,,T1078.001,Default Accounts,[],[],,SA-17,mitigates,5 +3259,,T1078.003,Local Accounts,[],[],,SA-17,mitigates,5 +3260,,T1134.005,SID-History Injection,[],[],,SA-17,mitigates,5 +3261,,T1574.002,DLL Side-Loading,[],[],,SA-17,mitigates,5 +3262,,T1078,Valid Accounts,[],[],,SA-17,mitigates,5 +3263,,T1482,Domain Trust Discovery,[],[],,SA-17,mitigates,5 +3264,,T1189,Drive-by Compromise,[],[],,SA-22,mitigates,5 +3265,,T1195,Supply Chain Compromise,[],[],,SA-22,mitigates,5 +3266,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SA-22,mitigates,5 +3267,,T1195.002,Compromise Software Supply Chain,[],[],,SA-22,mitigates,5 +3268,,T1543,Create or Modify System Process,[],[],,SA-22,mitigates,5 +3269,,T1543.002,Systemd Service,[],[],,SA-22,mitigates,5 +3270,,T1078.004,Cloud Accounts,[],[],,SA-3,mitigates,5 +3271,,T1213.003,Code Repositories,[],[],,SA-3,mitigates,5 
+3272,,T1078.001,Default Accounts,[],[],,SA-3,mitigates,5 +3273,,T1078.003,Local Accounts,[],[],,SA-3,mitigates,5 +3274,,T1574.002,DLL Side-Loading,[],[],,SA-3,mitigates,5 +3275,,T1078,Valid Accounts,[],[],,SA-3,mitigates,5 +3276,,T1078.004,Cloud Accounts,[],[],,SA-4,mitigates,5 +3277,,T1078.001,Default Accounts,[],[],,SA-4,mitigates,5 +3278,,T1078.003,Local Accounts,[],[],,SA-4,mitigates,5 +3279,,T1134.005,SID-History Injection,[],[],,SA-4,mitigates,5 +3280,,T1574.002,DLL Side-Loading,[],[],,SA-4,mitigates,5 +3281,,T1078,Valid Accounts,[],[],,SA-4,mitigates,5 +3282,,T1078.004,Cloud Accounts,[],[],,SA-8,mitigates,5 +3283,,T1190,Exploit Public-Facing Application,[],[],,SA-8,mitigates,5 +3284,,T1213.003,Code Repositories,[],[],,SA-8,mitigates,5 +3285,,T1567,Exfiltration Over Web Service,[],[],,SA-8,mitigates,5 +3286,,T1025,Data from Removable Media,[],[],,SA-8,mitigates,5 +3287,,T1041,Exfiltration Over C2 Channel,[],[],,SA-8,mitigates,5 +3288,,T1048,Exfiltration Over Alternative Protocol,[],[],,SA-8,mitigates,5 +3289,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SA-8,mitigates,5 +3290,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SA-8,mitigates,5 +3291,,T1052,Exfiltration Over Physical Medium,[],[],,SA-8,mitigates,5 +3292,,T1052.001,Exfiltration over USB,[],[],,SA-8,mitigates,5 +3293,,T1078.001,Default Accounts,[],[],,SA-8,mitigates,5 +3294,,T1078.003,Local Accounts,[],[],,SA-8,mitigates,5 +3295,,T1134.005,SID-History Injection,[],[],,SA-8,mitigates,5 +3296,,T1574.002,DLL Side-Loading,[],[],,SA-8,mitigates,5 +3297,,T1005,Data from Local System,[],[],,SA-8,mitigates,5 +3298,,T1078,Valid Accounts,[],[],,SA-8,mitigates,5 +3299,,T1482,Domain Trust Discovery,[],[],,SA-8,mitigates,5 +3300,,T1559.003,XPC Services,[],[],,SA-8,mitigates,5 +3301,,T1647,Plist File Modification,[],[],,SA-8,mitigates,5 +3302,,T1567,Exfiltration Over Web Service,[],[],,SA-9,mitigates,5 +3303,,T1041,Exfiltration Over C2 
Channel,[],[],,SA-9,mitigates,5 +3304,,T1048,Exfiltration Over Alternative Protocol,[],[],,SA-9,mitigates,5 +3305,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SA-9,mitigates,5 +3306,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SA-9,mitigates,5 +3307,,T1071,Application Layer Protocol,[],[],,SC-10,mitigates,5 +3308,,T1071.001,Web Protocols,[],[],,SC-10,mitigates,5 +3309,,T1071.002,File Transfer Protocols,[],[],,SC-10,mitigates,5 +3310,,T1071.003,Mail Protocols,[],[],,SC-10,mitigates,5 +3311,,T1071.004,DNS,[],[],,SC-10,mitigates,5 +3312,,T1098.004,SSH Authorized Keys,[],[],,SC-12,mitigates,5 +3313,,T1072,Software Deployment Tools,[],[],,SC-12,mitigates,5 +3314,,T1552,Unsecured Credentials,[],[],,SC-12,mitigates,5 +3315,,T1552.001,Credentials In Files,[],[],,SC-12,mitigates,5 +3316,,T1552.002,Credentials in Registry,[],[],,SC-12,mitigates,5 +3317,,T1552.004,Private Keys,[],[],,SC-12,mitigates,5 +3318,,T1563.001,SSH Hijacking,[],[],,SC-12,mitigates,5 +3319,,T1573,Encrypted Channel,[],[],,SC-12,mitigates,5 +3320,,T1573.001,Symmetric Cryptography,[],[],,SC-12,mitigates,5 +3321,,T1573.002,Asymmetric Cryptography,[],[],,SC-12,mitigates,5 +3322,,T1025,Data from Removable Media,[],[],,SC-13,mitigates,5 +3323,,T1041,Exfiltration Over C2 Channel,[],[],,SC-13,mitigates,5 +3324,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-13,mitigates,5 +3325,,T1005,Data from Local System,[],[],,SC-13,mitigates,5 +3326,,T1505,Server Software Component,[],[],,SC-16,mitigates,5 +3327,,T1505.002,Transport Agent,[],[],,SC-16,mitigates,5 +3328,,T1573,Encrypted Channel,[],[],,SC-16,mitigates,5 +3329,,T1573.001,Symmetric Cryptography,[],[],,SC-16,mitigates,5 +3330,,T1573.002,Asymmetric Cryptography,[],[],,SC-16,mitigates,5 +3331,,T1072,Software Deployment Tools,[],[],,SC-17,mitigates,5 +3332,,T1606,Forge Web Credentials,[],[],,SC-17,mitigates,5 +3333,,T1059,Command and Scripting 
Interpreter,[],[],,SC-18,mitigates,5 +3334,,T1059.005,Visual Basic,[],[],,SC-18,mitigates,5 +3335,,T1189,Drive-by Compromise,[],[],,SC-18,mitigates,5 +3336,,T1190,Exploit Public-Facing Application,[],[],,SC-18,mitigates,5 +3337,,T1203,Exploitation for Client Execution,[],[],,SC-18,mitigates,5 +3338,,T1210,Exploitation of Remote Services,[],[],,SC-18,mitigates,5 +3339,,T1211,Exploitation for Defense Evasion,[],[],,SC-18,mitigates,5 +3340,,T1559,Inter-Process Communication,[],[],,SC-18,mitigates,5 +3341,,T1559.002,Dynamic Data Exchange,[],[],,SC-18,mitigates,5 +3342,,T1021.003,Distributed Component Object Model,[],[],,SC-18,mitigates,5 +3343,,T1055.002,Portable Executable Injection,[],[],,SC-18,mitigates,5 +3344,,T1055.003,Thread Execution Hijacking,[],[],,SC-18,mitigates,5 +3345,,T1055.004,Asynchronous Procedure Call,[],[],,SC-18,mitigates,5 +3346,,T1055.005,Thread Local Storage,[],[],,SC-18,mitigates,5 +3347,,T1055.008,Ptrace System Calls,[],[],,SC-18,mitigates,5 +3348,,T1055.009,Proc Memory,[],[],,SC-18,mitigates,5 +3349,,T1055.011,Extra Window Memory Injection,[],[],,SC-18,mitigates,5 +3350,,T1055.012,Process Hollowing,[],[],,SC-18,mitigates,5 +3351,,T1055.013,Process Doppelgänging,[],[],,SC-18,mitigates,5 +3352,,T1059.007,JavaScript,[],[],,SC-18,mitigates,5 +3353,,T1137,Office Application Startup,[],[],,SC-18,mitigates,5 +3354,,T1137.001,Office Template Macros,[],[],,SC-18,mitigates,5 +3355,,T1137.002,Office Test,[],[],,SC-18,mitigates,5 +3356,,T1137.003,Outlook Forms,[],[],,SC-18,mitigates,5 +3357,,T1137.004,Outlook Home Page,[],[],,SC-18,mitigates,5 +3358,,T1137.005,Outlook Rules,[],[],,SC-18,mitigates,5 +3359,,T1137.006,Add-ins,[],[],,SC-18,mitigates,5 +3360,,T1218.001,Compiled HTML File,[],[],,SC-18,mitigates,5 +3361,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-18,mitigates,5 +3362,,T1548.004,Elevated Execution with Prompt,[],[],,SC-18,mitigates,5 +3363,,T1559.001,Component Object Model,[],[],,SC-18,mitigates,5 +3364,,T1055,Process 
Injection,[],[],,SC-18,mitigates,5 +3365,,T1055.001,Dynamic-link Library Injection,[],[],,SC-18,mitigates,5 +3366,,T1055.014,VDSO Hijacking,[],[],,SC-18,mitigates,5 +3367,,T1068,Exploitation for Privilege Escalation,[],[],,SC-18,mitigates,5 +3368,,T1212,Exploitation for Credential Access,[],[],,SC-18,mitigates,5 +3369,,T1189,Drive-by Compromise,[],[],,SC-2,mitigates,5 +3370,,T1190,Exploit Public-Facing Application,[],[],,SC-2,mitigates,5 +3371,,T1203,Exploitation for Client Execution,[],[],,SC-2,mitigates,5 +3372,,T1210,Exploitation of Remote Services,[],[],,SC-2,mitigates,5 +3373,,T1211,Exploitation for Defense Evasion,[],[],,SC-2,mitigates,5 +3374,,T1068,Exploitation for Privilege Escalation,[],[],,SC-2,mitigates,5 +3375,,T1212,Exploitation for Credential Access,[],[],,SC-2,mitigates,5 +3376,,T1611,Escape to Host,[],[],,SC-2,mitigates,5 +3377,,T1568.002,Domain Generation Algorithms,[],[],,SC-20,mitigates,5 +3378,,T1071,Application Layer Protocol,[],[],,SC-20,mitigates,5 +3379,,T1071.001,Web Protocols,[],[],,SC-20,mitigates,5 +3380,,T1071.002,File Transfer Protocols,[],[],,SC-20,mitigates,5 +3381,,T1071.003,Mail Protocols,[],[],,SC-20,mitigates,5 +3382,,T1071.004,DNS,[],[],,SC-20,mitigates,5 +3383,,T1553.004,Install Root Certificate,[],[],,SC-20,mitigates,5 +3384,,T1566,Phishing,[],[],,SC-20,mitigates,5 +3385,,T1566.001,Spearphishing Attachment,[],[],,SC-20,mitigates,5 +3386,,T1568,Dynamic Resolution,[],[],,SC-20,mitigates,5 +3387,,T1598,Phishing for Information,[],[],,SC-20,mitigates,5 +3388,,T1598.002,Spearphishing Attachment,[],[],,SC-20,mitigates,5 +3389,,T1566.002,Spearphishing Link,[],[],,SC-20,mitigates,5 +3390,,T1598.003,Spearphishing Link,[],[],,SC-20,mitigates,5 +3391,,T1568.002,Domain Generation Algorithms,[],[],,SC-21,mitigates,5 +3392,,T1071,Application Layer Protocol,[],[],,SC-21,mitigates,5 +3393,,T1071.001,Web Protocols,[],[],,SC-21,mitigates,5 +3394,,T1071.002,File Transfer Protocols,[],[],,SC-21,mitigates,5 +3395,,T1071.003,Mail 
Protocols,[],[],,SC-21,mitigates,5 +3396,,T1071.004,DNS,[],[],,SC-21,mitigates,5 +3397,,T1568,Dynamic Resolution,[],[],,SC-21,mitigates,5 +3398,,T1568.002,Domain Generation Algorithms,[],[],,SC-22,mitigates,5 +3399,,T1071,Application Layer Protocol,[],[],,SC-22,mitigates,5 +3400,,T1071.001,Web Protocols,[],[],,SC-22,mitigates,5 +3401,,T1071.002,File Transfer Protocols,[],[],,SC-22,mitigates,5 +3402,,T1071.003,Mail Protocols,[],[],,SC-22,mitigates,5 +3403,,T1071.004,DNS,[],[],,SC-22,mitigates,5 +3404,,T1568,Dynamic Resolution,[],[],,SC-22,mitigates,5 +3405,,T1562.006,Indicator Blocking,[],[],,SC-23,mitigates,5 +3406,,T1071,Application Layer Protocol,[],[],,SC-23,mitigates,5 +3407,,T1071.001,Web Protocols,[],[],,SC-23,mitigates,5 +3408,,T1071.002,File Transfer Protocols,[],[],,SC-23,mitigates,5 +3409,,T1071.003,Mail Protocols,[],[],,SC-23,mitigates,5 +3410,,T1071.004,DNS,[],[],,SC-23,mitigates,5 +3411,,T1185,Browser Session Hijacking,[],[],,SC-23,mitigates,5 +3412,,T1535,Unused/Unsupported Cloud Regions,[],[],,SC-23,mitigates,5 +3413,,T1550.004,Web Session Cookie,[],[],,SC-23,mitigates,5 +3414,,T1557.002,ARP Cache Poisoning,[],[],,SC-23,mitigates,5 +3415,,T1562.009,Safe Mode Boot,[],[],,SC-23,mitigates,5 +3416,,T1563.001,SSH Hijacking,[],[],,SC-23,mitigates,5 +3417,,T1573,Encrypted Channel,[],[],,SC-23,mitigates,5 +3418,,T1573.001,Symmetric Cryptography,[],[],,SC-23,mitigates,5 +3419,,T1573.002,Asymmetric Cryptography,[],[],,SC-23,mitigates,5 +3420,,T1557,Adversary-in-the-Middle,[],[],,SC-23,mitigates,5 +3421,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-23,mitigates,5 +3422,,T1557.003,DHCP Spoofing,[],[],,SC-23,mitigates,5 +3423,,T1622,Debugger Evasion,[],[],,SC-23,mitigates,5 +3424,,T1210,Exploitation of Remote Services,[],[],,SC-26,mitigates,5 +3425,,T1211,Exploitation for Defense Evasion,[],[],,SC-26,mitigates,5 +3426,,T1068,Exploitation for Privilege Escalation,[],[],,SC-26,mitigates,5 +3427,,T1212,Exploitation for Credential 
Access,[],[],,SC-26,mitigates,5 +3428,,T1078.004,Cloud Accounts,[],[],,SC-28,mitigates,5 +3429,,T1550.001,Application Access Token,[],[],,SC-28,mitigates,5 +3430,,T1552.003,Bash History,[],[],,SC-28,mitigates,5 +3431,,T1565,Data Manipulation,[],[],,SC-28,mitigates,5 +3432,,T1565.001,Stored Data Manipulation,[],[],,SC-28,mitigates,5 +3433,,T1565.003,Runtime Data Manipulation,[],[],,SC-28,mitigates,5 +3434,,T1567,Exfiltration Over Web Service,[],[],,SC-28,mitigates,5 +3435,,T1602.002,Network Device Configuration Dump,[],[],,SC-28,mitigates,5 +3436,,T1003,OS Credential Dumping,[],[],,SC-28,mitigates,5 +3437,,T1003.004,LSA Secrets,[],[],,SC-28,mitigates,5 +3438,,T1003.005,Cached Domain Credentials,[],[],,SC-28,mitigates,5 +3439,,T1003.006,DCSync,[],[],,SC-28,mitigates,5 +3440,,T1003.007,Proc Filesystem,[],[],,SC-28,mitigates,5 +3441,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-28,mitigates,5 +3442,,T1025,Data from Removable Media,[],[],,SC-28,mitigates,5 +3443,,T1041,Exfiltration Over C2 Channel,[],[],,SC-28,mitigates,5 +3444,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-28,mitigates,5 +3445,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-28,mitigates,5 +3446,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-28,mitigates,5 +3447,,T1052,Exfiltration Over Physical Medium,[],[],,SC-28,mitigates,5 +3448,,T1052.001,Exfiltration over USB,[],[],,SC-28,mitigates,5 +3449,,T1078.001,Default Accounts,[],[],,SC-28,mitigates,5 +3450,,T1078.003,Local Accounts,[],[],,SC-28,mitigates,5 +3451,,T1213,Data from Information Repositories,[],[],,SC-28,mitigates,5 +3452,,T1213.001,Confluence,[],[],,SC-28,mitigates,5 +3453,,T1213.002,Sharepoint,[],[],,SC-28,mitigates,5 +3454,,T1552,Unsecured Credentials,[],[],,SC-28,mitigates,5 +3455,,T1552.001,Credentials In Files,[],[],,SC-28,mitigates,5 +3456,,T1552.002,Credentials in Registry,[],[],,SC-28,mitigates,5 +3457,,T1552.004,Private Keys,[],[],,SC-28,mitigates,5 
+3458,,T1599.001,Network Address Translation Traversal,[],[],,SC-28,mitigates,5 +3459,,T1602,Data from Configuration Repository,[],[],,SC-28,mitigates,5 +3460,,T1602.001,SNMP (MIB Dump),[],[],,SC-28,mitigates,5 +3461,,T1003.001,LSASS Memory,[],[],,SC-28,mitigates,5 +3462,,T1003.002,Security Account Manager,[],[],,SC-28,mitigates,5 +3463,,T1003.003,NTDS,[],[],,SC-28,mitigates,5 +3464,,T1005,Data from Local System,[],[],,SC-28,mitigates,5 +3465,,T1078,Valid Accounts,[],[],,SC-28,mitigates,5 +3466,,T1530,Data from Cloud Storage Object,[],[],,SC-28,mitigates,5 +3467,,T1599,Network Boundary Bridging,[],[],,SC-28,mitigates,5 +3468,,T1189,Drive-by Compromise,[],[],,SC-29,mitigates,5 +3469,,T1190,Exploit Public-Facing Application,[],[],,SC-29,mitigates,5 +3470,,T1203,Exploitation for Client Execution,[],[],,SC-29,mitigates,5 +3471,,T1210,Exploitation of Remote Services,[],[],,SC-29,mitigates,5 +3472,,T1211,Exploitation for Defense Evasion,[],[],,SC-29,mitigates,5 +3473,,T1068,Exploitation for Privilege Escalation,[],[],,SC-29,mitigates,5 +3474,,T1212,Exploitation for Credential Access,[],[],,SC-29,mitigates,5 +3475,,T1047,Windows Management Instrumentation,[],[],,SC-3,mitigates,5 +3476,,T1189,Drive-by Compromise,[],[],,SC-3,mitigates,5 +3477,,T1190,Exploit Public-Facing Application,[],[],,SC-3,mitigates,5 +3478,,T1203,Exploitation for Client Execution,[],[],,SC-3,mitigates,5 +3479,,T1210,Exploitation of Remote Services,[],[],,SC-3,mitigates,5 +3480,,T1211,Exploitation for Defense Evasion,[],[],,SC-3,mitigates,5 +3481,,T1559,Inter-Process Communication,[],[],,SC-3,mitigates,5 +3482,,T1559.002,Dynamic Data Exchange,[],[],,SC-3,mitigates,5 +3483,,T1602.002,Network Device Configuration Dump,[],[],,SC-3,mitigates,5 +3484,,T1021.003,Distributed Component Object Model,[],[],,SC-3,mitigates,5 +3485,,T1134.005,SID-History Injection,[],[],,SC-3,mitigates,5 +3486,,T1559.001,Component Object Model,[],[],,SC-3,mitigates,5 +3487,,T1602,Data from Configuration 
Repository,[],[],,SC-3,mitigates,5 +3488,,T1602.001,SNMP (MIB Dump),[],[],,SC-3,mitigates,5 +3489,,T1003.001,LSASS Memory,[],[],,SC-3,mitigates,5 +3490,,T1068,Exploitation for Privilege Escalation,[],[],,SC-3,mitigates,5 +3491,,T1212,Exploitation for Credential Access,[],[],,SC-3,mitigates,5 +3492,,T1611,Escape to Host,[],[],,SC-3,mitigates,5 +3493,,T1189,Drive-by Compromise,[],[],,SC-30,mitigates,5 +3494,,T1190,Exploit Public-Facing Application,[],[],,SC-30,mitigates,5 +3495,,T1203,Exploitation for Client Execution,[],[],,SC-30,mitigates,5 +3496,,T1210,Exploitation of Remote Services,[],[],,SC-30,mitigates,5 +3497,,T1211,Exploitation for Defense Evasion,[],[],,SC-30,mitigates,5 +3498,,T1068,Exploitation for Privilege Escalation,[],[],,SC-30,mitigates,5 +3499,,T1212,Exploitation for Credential Access,[],[],,SC-30,mitigates,5 +3500,,T1567,Exfiltration Over Web Service,[],[],,SC-31,mitigates,5 +3501,,T1041,Exfiltration Over C2 Channel,[],[],,SC-31,mitigates,5 +3502,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-31,mitigates,5 +3503,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-31,mitigates,5 +3504,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-31,mitigates,5 +3505,,T1071,Application Layer Protocol,[],[],,SC-31,mitigates,5 +3506,,T1071.001,Web Protocols,[],[],,SC-31,mitigates,5 +3507,,T1071.002,File Transfer Protocols,[],[],,SC-31,mitigates,5 +3508,,T1071.003,Mail Protocols,[],[],,SC-31,mitigates,5 +3509,,T1071.004,DNS,[],[],,SC-31,mitigates,5 +3510,,T1047,Windows Management Instrumentation,[],[],,SC-34,mitigates,5 +3511,,T1542,Pre-OS Boot,[],[],,SC-34,mitigates,5 +3512,,T1542.001,System Firmware,[],[],,SC-34,mitigates,5 +3513,,T1542.003,Bootkit,[],[],,SC-34,mitigates,5 +3514,,T1542.004,ROMMONkit,[],[],,SC-34,mitigates,5 +3515,,T1542.005,TFTP Boot,[],[],,SC-34,mitigates,5 +3516,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-34,mitigates,5 +3517,,T1548.004,Elevated Execution with 
Prompt,[],[],,SC-34,mitigates,5 +3518,,T1553,Subvert Trust Controls,[],[],,SC-34,mitigates,5 +3519,,T1553.006,Code Signing Policy Modification,[],[],,SC-34,mitigates,5 +3520,,T1601,Modify System Image,[],[],,SC-34,mitigates,5 +3521,,T1601.001,Patch System Image,[],[],,SC-34,mitigates,5 +3522,,T1601.002,Downgrade System Image,[],[],,SC-34,mitigates,5 +3523,,T1195.003,Compromise Hardware Supply Chain,[],[],,SC-34,mitigates,5 +3524,,T1611,Escape to Host,[],[],,SC-34,mitigates,5 +3525,,T1210,Exploitation of Remote Services,[],[],,SC-35,mitigates,5 +3526,,T1211,Exploitation for Defense Evasion,[],[],,SC-35,mitigates,5 +3527,,T1068,Exploitation for Privilege Escalation,[],[],,SC-35,mitigates,5 +3528,,T1212,Exploitation for Credential Access,[],[],,SC-35,mitigates,5 +3529,,T1070,Indicator Removal on Host,[],[],,SC-36,mitigates,5 +3530,,T1070.001,Clear Windows Event Logs,[],[],,SC-36,mitigates,5 +3531,,T1565,Data Manipulation,[],[],,SC-36,mitigates,5 +3532,,T1565.001,Stored Data Manipulation,[],[],,SC-36,mitigates,5 +3533,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-36,mitigates,5 +3534,,T1119,Automated Collection,[],[],,SC-36,mitigates,5 +3535,,T1070.008,Clear Mailbox Data,[],[],,SC-36,mitigates,5 +3536,,T1071,Application Layer Protocol,[],[],,SC-37,mitigates,5 +3537,,T1071.001,Web Protocols,[],[],,SC-37,mitigates,5 +3538,,T1071.002,File Transfer Protocols,[],[],,SC-37,mitigates,5 +3539,,T1071.003,Mail Protocols,[],[],,SC-37,mitigates,5 +3540,,T1071.004,DNS,[],[],,SC-37,mitigates,5 +3541,,T1025,Data from Removable Media,[],[],,SC-38,mitigates,5 +3542,,T1005,Data from Local System,[],[],,SC-38,mitigates,5 +3543,,T1189,Drive-by Compromise,[],[],,SC-39,mitigates,5 +3544,,T1190,Exploit Public-Facing Application,[],[],,SC-39,mitigates,5 +3545,,T1203,Exploitation for Client Execution,[],[],,SC-39,mitigates,5 +3546,,T1210,Exploitation of Remote Services,[],[],,SC-39,mitigates,5 +3547,,T1211,Exploitation for Defense Evasion,[],[],,SC-39,mitigates,5 
+3548,,T1547.002,Authentication Package,[],[],,SC-39,mitigates,5 +3549,,T1547.008,LSASS Driver,[],[],,SC-39,mitigates,5 +3550,,T1003,OS Credential Dumping,[],[],,SC-39,mitigates,5 +3551,,T1003.004,LSA Secrets,[],[],,SC-39,mitigates,5 +3552,,T1003.005,Cached Domain Credentials,[],[],,SC-39,mitigates,5 +3553,,T1003.006,DCSync,[],[],,SC-39,mitigates,5 +3554,,T1003.007,Proc Filesystem,[],[],,SC-39,mitigates,5 +3555,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-39,mitigates,5 +3556,,T1547.005,Security Support Provider,[],[],,SC-39,mitigates,5 +3557,,T1556.001,Domain Controller Authentication,[],[],,SC-39,mitigates,5 +3558,,T1003.001,LSASS Memory,[],[],,SC-39,mitigates,5 +3559,,T1003.002,Security Account Manager,[],[],,SC-39,mitigates,5 +3560,,T1003.003,NTDS,[],[],,SC-39,mitigates,5 +3561,,T1068,Exploitation for Privilege Escalation,[],[],,SC-39,mitigates,5 +3562,,T1212,Exploitation for Credential Access,[],[],,SC-39,mitigates,5 +3563,,T1556,Modify Authentication Process,[],[],,SC-39,mitigates,5 +3564,,T1611,Escape to Host,[],[],,SC-39,mitigates,5 +3565,,T1020.001,Traffic Duplication,[],[],,SC-4,mitigates,5 +3566,,T1070,Indicator Removal on Host,[],[],,SC-4,mitigates,5 +3567,,T1070.001,Clear Windows Event Logs,[],[],,SC-4,mitigates,5 +3568,,T1558,Steal or Forge Kerberos Tickets,[],[],,SC-4,mitigates,5 +3569,,T1558.003,Kerberoasting,[],[],,SC-4,mitigates,5 +3570,,T1565,Data Manipulation,[],[],,SC-4,mitigates,5 +3571,,T1565.001,Stored Data Manipulation,[],[],,SC-4,mitigates,5 +3572,,T1565.002,Transmitted Data Manipulation,[],[],,SC-4,mitigates,5 +3573,,T1565.003,Runtime Data Manipulation,[],[],,SC-4,mitigates,5 +3574,,T1602.002,Network Device Configuration Dump,[],[],,SC-4,mitigates,5 +3575,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-4,mitigates,5 +3576,,T1080,Taint Shared Content,[],[],,SC-4,mitigates,5 +3577,,T1552,Unsecured Credentials,[],[],,SC-4,mitigates,5 +3578,,T1552.001,Credentials In Files,[],[],,SC-4,mitigates,5 +3579,,T1552.002,Credentials in 
Registry,[],[],,SC-4,mitigates,5 +3580,,T1552.004,Private Keys,[],[],,SC-4,mitigates,5 +3581,,T1557.002,ARP Cache Poisoning,[],[],,SC-4,mitigates,5 +3582,,T1558.002,Silver Ticket,[],[],,SC-4,mitigates,5 +3583,,T1558.004,AS-REP Roasting,[],[],,SC-4,mitigates,5 +3584,,T1564.009,Resource Forking,[],[],,SC-4,mitigates,5 +3585,,T1602,Data from Configuration Repository,[],[],,SC-4,mitigates,5 +3586,,T1602.001,SNMP (MIB Dump),[],[],,SC-4,mitigates,5 +3587,,T1040,Network Sniffing,[],[],,SC-4,mitigates,5 +3588,,T1119,Automated Collection,[],[],,SC-4,mitigates,5 +3589,,T1530,Data from Cloud Storage Object,[],[],,SC-4,mitigates,5 +3590,,T1557,Adversary-in-the-Middle,[],[],,SC-4,mitigates,5 +3591,,T1070.008,Clear Mailbox Data,[],[],,SC-4,mitigates,5 +3592,,T1595.003,Wordlist Scanning,[],[],,SC-4,mitigates,5 +3593,,T1025,Data from Removable Media,[],[],,SC-41,mitigates,5 +3594,,T1052,Exfiltration Over Physical Medium,[],[],,SC-41,mitigates,5 +3595,,T1052.001,Exfiltration over USB,[],[],,SC-41,mitigates,5 +3596,,T1091,Replication Through Removable Media,[],[],,SC-41,mitigates,5 +3597,,T1200,Hardware Additions,[],[],,SC-41,mitigates,5 +3598,,T1114.003,Email Forwarding Rule,[],[],,SC-43,mitigates,5 +3599,,T1613,Container and Resource Discovery,[],[],,SC-43,mitigates,5 +3600,,T1203,Exploitation for Client Execution,[],[],,SC-44,mitigates,5 +3601,,T1221,Template Injection,[],[],,SC-44,mitigates,5 +3602,,T1137,Office Application Startup,[],[],,SC-44,mitigates,5 +3603,,T1137.001,Office Template Macros,[],[],,SC-44,mitigates,5 +3604,,T1137.002,Office Test,[],[],,SC-44,mitigates,5 +3605,,T1137.003,Outlook Forms,[],[],,SC-44,mitigates,5 +3606,,T1137.004,Outlook Home Page,[],[],,SC-44,mitigates,5 +3607,,T1137.005,Outlook Rules,[],[],,SC-44,mitigates,5 +3608,,T1137.006,Add-ins,[],[],,SC-44,mitigates,5 +3609,,T1204.001,Malicious Link,[],[],,SC-44,mitigates,5 +3610,,T1204.003,Malicious Image,[],[],,SC-44,mitigates,5 +3611,,T1564.009,Resource Forking,[],[],,SC-44,mitigates,5 
+3612,,T1566,Phishing,[],[],,SC-44,mitigates,5 +3613,,T1566.001,Spearphishing Attachment,[],[],,SC-44,mitigates,5 +3614,,T1566.003,Spearphishing via Service,[],[],,SC-44,mitigates,5 +3615,,T1598,Phishing for Information,[],[],,SC-44,mitigates,5 +3616,,T1598.001,Spearphishing Service,[],[],,SC-44,mitigates,5 +3617,,T1598.002,Spearphishing Attachment,[],[],,SC-44,mitigates,5 +3618,,T1566.002,Spearphishing Link,[],[],,SC-44,mitigates,5 +3619,,T1598.003,Spearphishing Link,[],[],,SC-44,mitigates,5 +3620,,T1204,User Execution,[],[],,SC-44,mitigates,5 +3621,,T1204.002,Malicious File,[],[],,SC-44,mitigates,5 +3622,,T1021.001,Remote Desktop Protocol,[],[],,SC-46,mitigates,5 +3623,,T1098,Account Manipulation,[],[],,SC-46,mitigates,5 +3624,,T1098.001,Additional Cloud Credentials,[],[],,SC-46,mitigates,5 +3625,,T1190,Exploit Public-Facing Application,[],[],,SC-46,mitigates,5 +3626,,T1210,Exploitation of Remote Services,[],[],,SC-46,mitigates,5 +3627,,T1565,Data Manipulation,[],[],,SC-46,mitigates,5 +3628,,T1565.003,Runtime Data Manipulation,[],[],,SC-46,mitigates,5 +3629,,T1021.003,Distributed Component Object Model,[],[],,SC-46,mitigates,5 +3630,,T1021.006,Windows Remote Management,[],[],,SC-46,mitigates,5 +3631,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-46,mitigates,5 +3632,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-46,mitigates,5 +3633,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-46,mitigates,5 +3634,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-46,mitigates,5 +3635,,T1072,Software Deployment Tools,[],[],,SC-46,mitigates,5 +3636,,T1136,Create Account,[],[],,SC-46,mitigates,5 +3637,,T1136.002,Domain Account,[],[],,SC-46,mitigates,5 +3638,,T1136.003,Cloud Account,[],[],,SC-46,mitigates,5 +3639,,T1489,Service Stop,[],[],,SC-46,mitigates,5 +3640,,T1563,Remote Service Session Hijacking,[],[],,SC-46,mitigates,5 +3641,,T1563.002,RDP Hijacking,[],[],,SC-46,mitigates,5 
+3642,,T1046,Network Service Scanning,[],[],,SC-46,mitigates,5 +3643,,T1133,External Remote Services,[],[],,SC-46,mitigates,5 +3644,,T1199,Trusted Relationship,[],[],,SC-46,mitigates,5 +3645,,T1482,Domain Trust Discovery,[],[],,SC-46,mitigates,5 +3646,,T1552.007,Container API,[],[],,SC-46,mitigates,5 +3647,,T1557,Adversary-in-the-Middle,[],[],,SC-46,mitigates,5 +3648,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-46,mitigates,5 +3649,,T1557.003,DHCP Spoofing,[],[],,SC-46,mitigates,5 +3650,,T1622,Debugger Evasion,[],[],,SC-46,mitigates,5 +3651,,T1564.009,Resource Forking,[],[],,SC-6,mitigates,5 +3652,,T1020.001,Traffic Duplication,[],[],,SC-7,mitigates,5 +3653,,T1021.001,Remote Desktop Protocol,[],[],,SC-7,mitigates,5 +3654,,T1095,Non-Application Layer Protocol,[],[],,SC-7,mitigates,5 +3655,,T1098,Account Manipulation,[],[],,SC-7,mitigates,5 +3656,,T1098.001,Additional Cloud Credentials,[],[],,SC-7,mitigates,5 +3657,,T1105,Ingress Tool Transfer,[],[],,SC-7,mitigates,5 +3658,,T1176,Browser Extensions,[],[],,SC-7,mitigates,5 +3659,,T1189,Drive-by Compromise,[],[],,SC-7,mitigates,5 +3660,,T1190,Exploit Public-Facing Application,[],[],,SC-7,mitigates,5 +3661,,T1197,BITS Jobs,[],[],,SC-7,mitigates,5 +3662,,T1203,Exploitation for Client Execution,[],[],,SC-7,mitigates,5 +3663,,T1205,Traffic Signaling,[],[],,SC-7,mitigates,5 +3664,,T1205.001,Port Knocking,[],[],,SC-7,mitigates,5 +3665,,T1210,Exploitation of Remote Services,[],[],,SC-7,mitigates,5 +3666,,T1211,Exploitation for Defense Evasion,[],[],,SC-7,mitigates,5 +3667,,T1218.012,Verclsid,[],[],,SC-7,mitigates,5 +3668,,T1219,Remote Access Software,[],[],,SC-7,mitigates,5 +3669,,T1221,Template Injection,[],[],,SC-7,mitigates,5 +3670,,T1498.001,Direct Network Flood,[],[],,SC-7,mitigates,5 +3671,,T1498.002,Reflection Amplification,[],[],,SC-7,mitigates,5 +3672,,T1499,Endpoint Denial of Service,[],[],,SC-7,mitigates,5 +3673,,T1499.001,OS Exhaustion Flood,[],[],,SC-7,mitigates,5 +3674,,T1499.002,Service Exhaustion 
Flood,[],[],,SC-7,mitigates,5 +3675,,T1499.003,Application Exhaustion Flood,[],[],,SC-7,mitigates,5 +3676,,T1499.004,Application or System Exploitation,[],[],,SC-7,mitigates,5 +3677,,T1537,Transfer Data to Cloud Account,[],[],,SC-7,mitigates,5 +3678,,T1552.005,Cloud Instance Metadata API,[],[],,SC-7,mitigates,5 +3679,,T1559,Inter-Process Communication,[],[],,SC-7,mitigates,5 +3680,,T1559.002,Dynamic Data Exchange,[],[],,SC-7,mitigates,5 +3681,,T1565,Data Manipulation,[],[],,SC-7,mitigates,5 +3682,,T1565.001,Stored Data Manipulation,[],[],,SC-7,mitigates,5 +3683,,T1565.003,Runtime Data Manipulation,[],[],,SC-7,mitigates,5 +3684,,T1567,Exfiltration Over Web Service,[],[],,SC-7,mitigates,5 +3685,,T1567.002,Exfiltration to Cloud Storage,[],[],,SC-7,mitigates,5 +3686,,T1568.002,Domain Generation Algorithms,[],[],,SC-7,mitigates,5 +3687,,T1570,Lateral Tool Transfer,[],[],,SC-7,mitigates,5 +3688,,T1602.002,Network Device Configuration Dump,[],[],,SC-7,mitigates,5 +3689,,T1609,Container Administration Command,[],[],,SC-7,mitigates,5 +3690,,T1610,Deploy Container,[],[],,SC-7,mitigates,5 +3691,,T1001,Data Obfuscation,[],[],,SC-7,mitigates,5 +3692,,T1001.001,Junk Data,[],[],,SC-7,mitigates,5 +3693,,T1001.002,Steganography,[],[],,SC-7,mitigates,5 +3694,,T1001.003,Protocol Impersonation,[],[],,SC-7,mitigates,5 +3695,,T1008,Fallback Channels,[],[],,SC-7,mitigates,5 +3696,,T1021.002,SMB/Windows Admin Shares,[],[],,SC-7,mitigates,5 +3697,,T1021.003,Distributed Component Object Model,[],[],,SC-7,mitigates,5 +3698,,T1021.005,VNC,[],[],,SC-7,mitigates,5 +3699,,T1021.006,Windows Remote Management,[],[],,SC-7,mitigates,5 +3700,,T1029,Scheduled Transfer,[],[],,SC-7,mitigates,5 +3701,,T1030,Data Transfer Size Limits,[],[],,SC-7,mitigates,5 +3702,,T1041,Exfiltration Over C2 Channel,[],[],,SC-7,mitigates,5 +3703,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-7,mitigates,5 +3704,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,5 
+3705,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,5 +3706,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-7,mitigates,5 +3707,,T1055.002,Portable Executable Injection,[],[],,SC-7,mitigates,5 +3708,,T1055.003,Thread Execution Hijacking,[],[],,SC-7,mitigates,5 +3709,,T1055.004,Asynchronous Procedure Call,[],[],,SC-7,mitigates,5 +3710,,T1055.005,Thread Local Storage,[],[],,SC-7,mitigates,5 +3711,,T1055.008,Ptrace System Calls,[],[],,SC-7,mitigates,5 +3712,,T1055.009,Proc Memory,[],[],,SC-7,mitigates,5 +3713,,T1055.011,Extra Window Memory Injection,[],[],,SC-7,mitigates,5 +3714,,T1055.012,Process Hollowing,[],[],,SC-7,mitigates,5 +3715,,T1055.013,Process Doppelgänging,[],[],,SC-7,mitigates,5 +3716,,T1071,Application Layer Protocol,[],[],,SC-7,mitigates,5 +3717,,T1071.001,Web Protocols,[],[],,SC-7,mitigates,5 +3718,,T1071.002,File Transfer Protocols,[],[],,SC-7,mitigates,5 +3719,,T1071.003,Mail Protocols,[],[],,SC-7,mitigates,5 +3720,,T1071.004,DNS,[],[],,SC-7,mitigates,5 +3721,,T1072,Software Deployment Tools,[],[],,SC-7,mitigates,5 +3722,,T1080,Taint Shared Content,[],[],,SC-7,mitigates,5 +3723,,T1090,Proxy,[],[],,SC-7,mitigates,5 +3724,,T1090.001,Internal Proxy,[],[],,SC-7,mitigates,5 +3725,,T1090.002,External Proxy,[],[],,SC-7,mitigates,5 +3726,,T1090.003,Multi-hop Proxy,[],[],,SC-7,mitigates,5 +3727,,T1102,Web Service,[],[],,SC-7,mitigates,5 +3728,,T1102.001,Dead Drop Resolver,[],[],,SC-7,mitigates,5 +3729,,T1102.002,Bidirectional Communication,[],[],,SC-7,mitigates,5 +3730,,T1102.003,One-Way Communication,[],[],,SC-7,mitigates,5 +3731,,T1104,Multi-Stage Channels,[],[],,SC-7,mitigates,5 +3732,,T1114,Email Collection,[],[],,SC-7,mitigates,5 +3733,,T1114.003,Email Forwarding Rule,[],[],,SC-7,mitigates,5 +3734,,T1132,Data Encoding,[],[],,SC-7,mitigates,5 +3735,,T1132.001,Standard Encoding,[],[],,SC-7,mitigates,5 +3736,,T1132.002,Non-Standard Encoding,[],[],,SC-7,mitigates,5 +3737,,T1136,Create 
Account,[],[],,SC-7,mitigates,5 +3738,,T1136.002,Domain Account,[],[],,SC-7,mitigates,5 +3739,,T1136.003,Cloud Account,[],[],,SC-7,mitigates,5 +3740,,T1187,Forced Authentication,[],[],,SC-7,mitigates,5 +3741,,T1204.001,Malicious Link,[],[],,SC-7,mitigates,5 +3742,,T1204.003,Malicious Image,[],[],,SC-7,mitigates,5 +3743,,T1489,Service Stop,[],[],,SC-7,mitigates,5 +3744,,T1498,Network Denial of Service,[],[],,SC-7,mitigates,5 +3745,,T1505.004,IIS Components,[],[],,SC-7,mitigates,5 +3746,,T1542,Pre-OS Boot,[],[],,SC-7,mitigates,5 +3747,,T1542.004,ROMMONkit,[],[],,SC-7,mitigates,5 +3748,,T1542.005,TFTP Boot,[],[],,SC-7,mitigates,5 +3749,,T1552,Unsecured Credentials,[],[],,SC-7,mitigates,5 +3750,,T1552.001,Credentials In Files,[],[],,SC-7,mitigates,5 +3751,,T1552.004,Private Keys,[],[],,SC-7,mitigates,5 +3752,,T1557.002,ARP Cache Poisoning,[],[],,SC-7,mitigates,5 +3753,,T1559.001,Component Object Model,[],[],,SC-7,mitigates,5 +3754,,T1560,Archive Collected Data,[],[],,SC-7,mitigates,5 +3755,,T1563,Remote Service Session Hijacking,[],[],,SC-7,mitigates,5 +3756,,T1563.002,RDP Hijacking,[],[],,SC-7,mitigates,5 +3757,,T1566,Phishing,[],[],,SC-7,mitigates,5 +3758,,T1566.001,Spearphishing Attachment,[],[],,SC-7,mitigates,5 +3759,,T1566.003,Spearphishing via Service,[],[],,SC-7,mitigates,5 +3760,,T1567.001,Exfiltration to Code Repository,[],[],,SC-7,mitigates,5 +3761,,T1568,Dynamic Resolution,[],[],,SC-7,mitigates,5 +3762,,T1571,Non-Standard Port,[],[],,SC-7,mitigates,5 +3763,,T1572,Protocol Tunneling,[],[],,SC-7,mitigates,5 +3764,,T1573,Encrypted Channel,[],[],,SC-7,mitigates,5 +3765,,T1573.001,Symmetric Cryptography,[],[],,SC-7,mitigates,5 +3766,,T1573.002,Asymmetric Cryptography,[],[],,SC-7,mitigates,5 +3767,,T1598,Phishing for Information,[],[],,SC-7,mitigates,5 +3768,,T1598.001,Spearphishing Service,[],[],,SC-7,mitigates,5 +3769,,T1598.002,Spearphishing Attachment,[],[],,SC-7,mitigates,5 +3770,,T1599.001,Network Address Translation Traversal,[],[],,SC-7,mitigates,5 
+3771,,T1602,Data from Configuration Repository,[],[],,SC-7,mitigates,5 +3772,,T1602.001,SNMP (MIB Dump),[],[],,SC-7,mitigates,5 +3773,,T1612,Build Image on Host,[],[],,SC-7,mitigates,5 +3774,,T1613,Container and Resource Discovery,[],[],,SC-7,mitigates,5 +3775,,T1046,Network Service Scanning,[],[],,SC-7,mitigates,5 +3776,,T1055,Process Injection,[],[],,SC-7,mitigates,5 +3777,,T1055.001,Dynamic-link Library Injection,[],[],,SC-7,mitigates,5 +3778,,T1055.014,VDSO Hijacking,[],[],,SC-7,mitigates,5 +3779,,T1068,Exploitation for Privilege Escalation,[],[],,SC-7,mitigates,5 +3780,,T1133,External Remote Services,[],[],,SC-7,mitigates,5 +3781,,T1199,Trusted Relationship,[],[],,SC-7,mitigates,5 +3782,,T1212,Exploitation for Credential Access,[],[],,SC-7,mitigates,5 +3783,,T1482,Domain Trust Discovery,[],[],,SC-7,mitigates,5 +3784,,T1530,Data from Cloud Storage Object,[],[],,SC-7,mitigates,5 +3785,,T1552.007,Container API,[],[],,SC-7,mitigates,5 +3786,,T1557,Adversary-in-the-Middle,[],[],,SC-7,mitigates,5 +3787,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-7,mitigates,5 +3788,,T1560.001,Archive via Utility,[],[],,SC-7,mitigates,5 +3789,,T1566.002,Spearphishing Link,[],[],,SC-7,mitigates,5 +3790,,T1598.003,Spearphishing Link,[],[],,SC-7,mitigates,5 +3791,,T1599,Network Boundary Bridging,[],[],,SC-7,mitigates,5 +3792,,T1611,Escape to Host,[],[],,SC-7,mitigates,5 +3793,,T1204,User Execution,[],[],,SC-7,mitigates,5 +3794,,T1204.002,Malicious File,[],[],,SC-7,mitigates,5 +3795,,T1622,Debugger Evasion,[],[],,SC-7,mitigates,5 +3796,,T1648,Serverless Execution,[],[],,SC-7,mitigates,5 +3797,,T1557.003,DHCP Spoofing,[],[],,SC-7,mitigates,5 +3798,,T1583.007,Serverless,[],[],,SC-7,mitigates,5 +3799,,T1584.007,Serverless,[],[],,SC-7,mitigates,5 +3800,,T1020.001,Traffic Duplication,[],[],,SC-8,mitigates,5 +3801,,T1550.001,Application Access Token,[],[],,SC-8,mitigates,5 +3802,,T1562.006,Indicator Blocking,[],[],,SC-8,mitigates,5 +3803,,T1602.002,Network Device Configuration 
Dump,[],[],,SC-8,mitigates,5 +3804,,T1090,Proxy,[],[],,SC-8,mitigates,5 +3805,,T1090.004,Domain Fronting,[],[],,SC-8,mitigates,5 +3806,,T1550.004,Web Session Cookie,[],[],,SC-8,mitigates,5 +3807,,T1557.002,ARP Cache Poisoning,[],[],,SC-8,mitigates,5 +3808,,T1562.009,Safe Mode Boot,[],[],,SC-8,mitigates,5 +3809,,T1602,Data from Configuration Repository,[],[],,SC-8,mitigates,5 +3810,,T1602.001,SNMP (MIB Dump),[],[],,SC-8,mitigates,5 +3811,,T1040,Network Sniffing,[],[],,SC-8,mitigates,5 +3812,,T1552.007,Container API,[],[],,SC-8,mitigates,5 +3813,,T1557,Adversary-in-the-Middle,[],[],,SC-8,mitigates,5 +3814,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-8,mitigates,5 +3815,,T1557.003,DHCP Spoofing,[],[],,SC-8,mitigates,5 +3816,,T1622,Debugger Evasion,[],[],,SC-8,mitigates,5 +3817,,T1059,Command and Scripting Interpreter,[],[],,SI-10,mitigates,5 +3818,,T1059.001,PowerShell,[],[],,SI-10,mitigates,5 +3819,,T1059.002,AppleScript,[],[],,SI-10,mitigates,5 +3820,,T1059.005,Visual Basic,[],[],,SI-10,mitigates,5 +3821,,T1059.008,Network Device CLI,[],[],,SI-10,mitigates,5 +3822,,T1095,Non-Application Layer Protocol,[],[],,SI-10,mitigates,5 +3823,,T1129,Shared Modules,[],[],,SI-10,mitigates,5 +3824,,T1176,Browser Extensions,[],[],,SI-10,mitigates,5 +3825,,T1190,Exploit Public-Facing Application,[],[],,SI-10,mitigates,5 +3826,,T1197,BITS Jobs,[],[],,SI-10,mitigates,5 +3827,,T1216,Signed Script Proxy Execution,[],[],,SI-10,mitigates,5 +3828,,T1216.001,PubPrn,[],[],,SI-10,mitigates,5 +3829,,T1218.003,CMSTP,[],[],,SI-10,mitigates,5 +3830,,T1218.004,InstallUtil,[],[],,SI-10,mitigates,5 +3831,,T1218.008,Odbcconf,[],[],,SI-10,mitigates,5 +3832,,T1218.009,Regsvcs/Regasm,[],[],,SI-10,mitigates,5 +3833,,T1218.010,Regsvr32,[],[],,SI-10,mitigates,5 +3834,,T1218.012,Verclsid,[],[],,SI-10,mitigates,5 +3835,,T1218.013,Mavinject,[],[],,SI-10,mitigates,5 +3836,,T1218.014,MMC,[],[],,SI-10,mitigates,5 +3837,,T1219,Remote Access Software,[],[],,SI-10,mitigates,5 +3838,,T1221,Template 
Injection,[],[],,SI-10,mitigates,5 +3839,,T1498.001,Direct Network Flood,[],[],,SI-10,mitigates,5 +3840,,T1498.002,Reflection Amplification,[],[],,SI-10,mitigates,5 +3841,,T1499,Endpoint Denial of Service,[],[],,SI-10,mitigates,5 +3842,,T1499.001,OS Exhaustion Flood,[],[],,SI-10,mitigates,5 +3843,,T1499.002,Service Exhaustion Flood,[],[],,SI-10,mitigates,5 +3844,,T1499.003,Application Exhaustion Flood,[],[],,SI-10,mitigates,5 +3845,,T1499.004,Application or System Exploitation,[],[],,SI-10,mitigates,5 +3846,,T1537,Transfer Data to Cloud Account,[],[],,SI-10,mitigates,5 +3847,,T1546.002,Screensaver,[],[],,SI-10,mitigates,5 +3848,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-10,mitigates,5 +3849,,T1547.004,Winlogon Helper DLL,[],[],,SI-10,mitigates,5 +3850,,T1547.006,Kernel Modules and Extensions,[],[],,SI-10,mitigates,5 +3851,,T1552.005,Cloud Instance Metadata API,[],[],,SI-10,mitigates,5 +3852,,T1553.001,Gatekeeper Bypass,[],[],,SI-10,mitigates,5 +3853,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-10,mitigates,5 +3854,,T1570,Lateral Tool Transfer,[],[],,SI-10,mitigates,5 +3855,,T1574,Hijack Execution Flow,[],[],,SI-10,mitigates,5 +3856,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-10,mitigates,5 +3857,,T1602.002,Network Device Configuration Dump,[],[],,SI-10,mitigates,5 +3858,,T1609,Container Administration Command,[],[],,SI-10,mitigates,5 +3859,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-10,mitigates,5 +3860,,T1021.005,VNC,[],[],,SI-10,mitigates,5 +3861,,T1036,Masquerading,[],[],,SI-10,mitigates,5 +3862,,T1036.005,Match Legitimate Name or Location,[],[],,SI-10,mitigates,5 +3863,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-10,mitigates,5 +3864,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,5 +3865,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,5 +3866,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-10,mitigates,5 
+3867,,T1059.003,Windows Command Shell,[],[],,SI-10,mitigates,5 +3868,,T1059.004,Unix Shell,[],[],,SI-10,mitigates,5 +3869,,T1059.006,Python,[],[],,SI-10,mitigates,5 +3870,,T1059.007,JavaScript,[],[],,SI-10,mitigates,5 +3871,,T1071.004,DNS,[],[],,SI-10,mitigates,5 +3872,,T1080,Taint Shared Content,[],[],,SI-10,mitigates,5 +3873,,T1090,Proxy,[],[],,SI-10,mitigates,5 +3874,,T1090.003,Multi-hop Proxy,[],[],,SI-10,mitigates,5 +3875,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-10,mitigates,5 +3876,,T1187,Forced Authentication,[],[],,SI-10,mitigates,5 +3877,,T1218.001,Compiled HTML File,[],[],,SI-10,mitigates,5 +3878,,T1218.002,Control Panel,[],[],,SI-10,mitigates,5 +3879,,T1218.005,Mshta,[],[],,SI-10,mitigates,5 +3880,,T1220,XSL Script Processing,[],[],,SI-10,mitigates,5 +3881,,T1498,Network Denial of Service,[],[],,SI-10,mitigates,5 +3882,,T1546.008,Accessibility Features,[],[],,SI-10,mitigates,5 +3883,,T1546.009,AppCert DLLs,[],[],,SI-10,mitigates,5 +3884,,T1546.010,AppInit DLLs,[],[],,SI-10,mitigates,5 +3885,,T1552,Unsecured Credentials,[],[],,SI-10,mitigates,5 +3886,,T1553,Subvert Trust Controls,[],[],,SI-10,mitigates,5 +3887,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-10,mitigates,5 +3888,,T1557.002,ARP Cache Poisoning,[],[],,SI-10,mitigates,5 +3889,,T1564.003,Hidden Window,[],[],,SI-10,mitigates,5 +3890,,T1564.006,Run Virtual Instance,[],[],,SI-10,mitigates,5 +3891,,T1564.009,Resource Forking,[],[],,SI-10,mitigates,5 +3892,,T1572,Protocol Tunneling,[],[],,SI-10,mitigates,5 +3893,,T1574.001,DLL Search Order Hijacking,[],[],,SI-10,mitigates,5 +3894,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-10,mitigates,5 +3895,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-10,mitigates,5 +3896,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-10,mitigates,5 +3897,,T1574.012,COR_PROFILER,[],[],,SI-10,mitigates,5 +3898,,T1599.001,Network Address Translation Traversal,[],[],,SI-10,mitigates,5 +3899,,T1602,Data from Configuration 
Repository,[],[],,SI-10,mitigates,5 +3900,,T1602.001,SNMP (MIB Dump),[],[],,SI-10,mitigates,5 +3901,,T1218,Signed Binary Proxy Execution,[],[],,SI-10,mitigates,5 +3902,,T1218.011,Rundll32,[],[],,SI-10,mitigates,5 +3903,,T1530,Data from Cloud Storage Object,[],[],,SI-10,mitigates,5 +3904,,T1557,Adversary-in-the-Middle,[],[],,SI-10,mitigates,5 +3905,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-10,mitigates,5 +3906,,T1599,Network Boundary Bridging,[],[],,SI-10,mitigates,5 +3907,,T1204,User Execution,[],[],,SI-10,mitigates,5 +3908,,T1204.002,Malicious File,[],[],,SI-10,mitigates,5 +3909,,T1557.003,DHCP Spoofing,[],[],,SI-10,mitigates,5 +3910,,T1574.013,KernelCallbackTable,[],[],,SI-10,mitigates,5 +3911,,T1622,Debugger Evasion,[],[],,SI-10,mitigates,5 +3912,,T1020.001,Traffic Duplication,[],[],,SI-12,mitigates,5 +3913,,T1070,Indicator Removal on Host,[],[],,SI-12,mitigates,5 +3914,,T1070.001,Clear Windows Event Logs,[],[],,SI-12,mitigates,5 +3915,,T1550.001,Application Access Token,[],[],,SI-12,mitigates,5 +3916,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-12,mitigates,5 +3917,,T1558.003,Kerberoasting,[],[],,SI-12,mitigates,5 +3918,,T1565,Data Manipulation,[],[],,SI-12,mitigates,5 +3919,,T1565.001,Stored Data Manipulation,[],[],,SI-12,mitigates,5 +3920,,T1565.002,Transmitted Data Manipulation,[],[],,SI-12,mitigates,5 +3921,,T1602.002,Network Device Configuration Dump,[],[],,SI-12,mitigates,5 +3922,,T1003,OS Credential Dumping,[],[],,SI-12,mitigates,5 +3923,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-12,mitigates,5 +3924,,T1114,Email Collection,[],[],,SI-12,mitigates,5 +3925,,T1114.001,Local Email Collection,[],[],,SI-12,mitigates,5 +3926,,T1114.002,Remote Email Collection,[],[],,SI-12,mitigates,5 +3927,,T1114.003,Email Forwarding Rule,[],[],,SI-12,mitigates,5 +3928,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-12,mitigates,5 +3929,,T1548.004,Elevated Execution with Prompt,[],[],,SI-12,mitigates,5 +3930,,T1552,Unsecured 
Credentials,[],[],,SI-12,mitigates,5 +3931,,T1552.004,Private Keys,[],[],,SI-12,mitigates,5 +3932,,T1557.002,ARP Cache Poisoning,[],[],,SI-12,mitigates,5 +3933,,T1558.002,Silver Ticket,[],[],,SI-12,mitigates,5 +3934,,T1558.004,AS-REP Roasting,[],[],,SI-12,mitigates,5 +3935,,T1602,Data from Configuration Repository,[],[],,SI-12,mitigates,5 +3936,,T1602.001,SNMP (MIB Dump),[],[],,SI-12,mitigates,5 +3937,,T1003.003,NTDS,[],[],,SI-12,mitigates,5 +3938,,T1040,Network Sniffing,[],[],,SI-12,mitigates,5 +3939,,T1119,Automated Collection,[],[],,SI-12,mitigates,5 +3940,,T1530,Data from Cloud Storage Object,[],[],,SI-12,mitigates,5 +3941,,T1557,Adversary-in-the-Middle,[],[],,SI-12,mitigates,5 +3942,,T1070.008,Clear Mailbox Data,[],[],,SI-12,mitigates,5 +3943,,T1505,Server Software Component,[],[],,SI-14,mitigates,5 +3944,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-14,mitigates,5 +3945,,T1547.004,Winlogon Helper DLL,[],[],,SI-14,mitigates,5 +3946,,T1547.006,Kernel Modules and Extensions,[],[],,SI-14,mitigates,5 +3947,,T1505.001,SQL Stored Procedures,[],[],,SI-14,mitigates,5 +3948,,T1505.002,Transport Agent,[],[],,SI-14,mitigates,5 +3949,,T1505.004,IIS Components,[],[],,SI-14,mitigates,5 +3950,,T1095,Non-Application Layer Protocol,[],[],,SI-15,mitigates,5 +3951,,T1197,BITS Jobs,[],[],,SI-15,mitigates,5 +3952,,T1205,Traffic Signaling,[],[],,SI-15,mitigates,5 +3953,,T1205.001,Port Knocking,[],[],,SI-15,mitigates,5 +3954,,T1218.012,Verclsid,[],[],,SI-15,mitigates,5 +3955,,T1219,Remote Access Software,[],[],,SI-15,mitigates,5 +3956,,T1498.001,Direct Network Flood,[],[],,SI-15,mitigates,5 +3957,,T1498.002,Reflection Amplification,[],[],,SI-15,mitigates,5 +3958,,T1499,Endpoint Denial of Service,[],[],,SI-15,mitigates,5 +3959,,T1499.001,OS Exhaustion Flood,[],[],,SI-15,mitigates,5 +3960,,T1499.002,Service Exhaustion Flood,[],[],,SI-15,mitigates,5 +3961,,T1499.003,Application Exhaustion Flood,[],[],,SI-15,mitigates,5 +3962,,T1499.004,Application or System 
Exploitation,[],[],,SI-15,mitigates,5 +3963,,T1537,Transfer Data to Cloud Account,[],[],,SI-15,mitigates,5 +3964,,T1552.005,Cloud Instance Metadata API,[],[],,SI-15,mitigates,5 +3965,,T1570,Lateral Tool Transfer,[],[],,SI-15,mitigates,5 +3966,,T1602.002,Network Device Configuration Dump,[],[],,SI-15,mitigates,5 +3967,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-15,mitigates,5 +3968,,T1021.005,VNC,[],[],,SI-15,mitigates,5 +3969,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-15,mitigates,5 +3970,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,5 +3971,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,5 +3972,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-15,mitigates,5 +3973,,T1071.004,DNS,[],[],,SI-15,mitigates,5 +3974,,T1090,Proxy,[],[],,SI-15,mitigates,5 +3975,,T1090.003,Multi-hop Proxy,[],[],,SI-15,mitigates,5 +3976,,T1187,Forced Authentication,[],[],,SI-15,mitigates,5 +3977,,T1498,Network Denial of Service,[],[],,SI-15,mitigates,5 +3978,,T1552,Unsecured Credentials,[],[],,SI-15,mitigates,5 +3979,,T1557.002,ARP Cache Poisoning,[],[],,SI-15,mitigates,5 +3980,,T1564.009,Resource Forking,[],[],,SI-15,mitigates,5 +3981,,T1572,Protocol Tunneling,[],[],,SI-15,mitigates,5 +3982,,T1599.001,Network Address Translation Traversal,[],[],,SI-15,mitigates,5 +3983,,T1602,Data from Configuration Repository,[],[],,SI-15,mitigates,5 +3984,,T1602.001,SNMP (MIB Dump),[],[],,SI-15,mitigates,5 +3985,,T1530,Data from Cloud Storage Object,[],[],,SI-15,mitigates,5 +3986,,T1557,Adversary-in-the-Middle,[],[],,SI-15,mitigates,5 +3987,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-15,mitigates,5 +3988,,T1599,Network Boundary Bridging,[],[],,SI-15,mitigates,5 +3989,,T1557.003,DHCP Spoofing,[],[],,SI-15,mitigates,5 +3990,,T1622,Debugger Evasion,[],[],,SI-15,mitigates,5 +3991,,T1047,Windows Management Instrumentation,[],[],,SI-16,mitigates,5 +3992,,T1059,Command and 
Scripting Interpreter,[],[],,SI-16,mitigates,5 +3993,,T1059.001,PowerShell,[],[],,SI-16,mitigates,5 +3994,,T1059.002,AppleScript,[],[],,SI-16,mitigates,5 +3995,,T1059.005,Visual Basic,[],[],,SI-16,mitigates,5 +3996,,T1059.008,Network Device CLI,[],[],,SI-16,mitigates,5 +3997,,T1218.003,CMSTP,[],[],,SI-16,mitigates,5 +3998,,T1218.004,InstallUtil,[],[],,SI-16,mitigates,5 +3999,,T1218.008,Odbcconf,[],[],,SI-16,mitigates,5 +4000,,T1218.009,Regsvcs/Regasm,[],[],,SI-16,mitigates,5 +4001,,T1218.012,Verclsid,[],[],,SI-16,mitigates,5 +4002,,T1218.013,Mavinject,[],[],,SI-16,mitigates,5 +4003,,T1218.014,MMC,[],[],,SI-16,mitigates,5 +4004,,T1543,Create or Modify System Process,[],[],,SI-16,mitigates,5 +4005,,T1547.004,Winlogon Helper DLL,[],[],,SI-16,mitigates,5 +4006,,T1547.006,Kernel Modules and Extensions,[],[],,SI-16,mitigates,5 +4007,,T1565,Data Manipulation,[],[],,SI-16,mitigates,5 +4008,,T1565.001,Stored Data Manipulation,[],[],,SI-16,mitigates,5 +4009,,T1565.003,Runtime Data Manipulation,[],[],,SI-16,mitigates,5 +4010,,T1055.009,Proc Memory,[],[],,SI-16,mitigates,5 +4011,,T1059.003,Windows Command Shell,[],[],,SI-16,mitigates,5 +4012,,T1059.004,Unix Shell,[],[],,SI-16,mitigates,5 +4013,,T1059.006,Python,[],[],,SI-16,mitigates,5 +4014,,T1059.007,JavaScript,[],[],,SI-16,mitigates,5 +4015,,T1218.001,Compiled HTML File,[],[],,SI-16,mitigates,5 +4016,,T1218.002,Control Panel,[],[],,SI-16,mitigates,5 +4017,,T1218.005,Mshta,[],[],,SI-16,mitigates,5 +4018,,T1505.004,IIS Components,[],[],,SI-16,mitigates,5 +4019,,T1543.002,Systemd Service,[],[],,SI-16,mitigates,5 +4020,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-16,mitigates,5 +4021,,T1548.004,Elevated Execution with Prompt,[],[],,SI-16,mitigates,5 +4022,,T1003.001,LSASS Memory,[],[],,SI-16,mitigates,5 +4023,,T1218,Signed Binary Proxy Execution,[],[],,SI-16,mitigates,5 +4024,,T1611,Escape to Host,[],[],,SI-16,mitigates,5 +4025,,T1027,Obfuscated Files or Information,[],[],,SI-2,mitigates,5 +4026,,T1027.002,Software 
Packing,[],[],,SI-2,mitigates,5 +4027,,T1047,Windows Management Instrumentation,[],[],,SI-2,mitigates,5 +4028,,T1059,Command and Scripting Interpreter,[],[],,SI-2,mitigates,5 +4029,,T1059.001,PowerShell,[],[],,SI-2,mitigates,5 +4030,,T1059.005,Visual Basic,[],[],,SI-2,mitigates,5 +4031,,T1106,Native API,[],[],,SI-2,mitigates,5 +4032,,T1189,Drive-by Compromise,[],[],,SI-2,mitigates,5 +4033,,T1190,Exploit Public-Facing Application,[],[],,SI-2,mitigates,5 +4034,,T1195,Supply Chain Compromise,[],[],,SI-2,mitigates,5 +4035,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SI-2,mitigates,5 +4036,,T1195.002,Compromise Software Supply Chain,[],[],,SI-2,mitigates,5 +4037,,T1210,Exploitation of Remote Services,[],[],,SI-2,mitigates,5 +4038,,T1211,Exploitation for Defense Evasion,[],[],,SI-2,mitigates,5 +4039,,T1213.003,Code Repositories,[],[],,SI-2,mitigates,5 +4040,,T1221,Template Injection,[],[],,SI-2,mitigates,5 +4041,,T1495,Firmware Corruption,[],[],,SI-2,mitigates,5 +4042,,T1525,Implant Internal Image,[],[],,SI-2,mitigates,5 +4043,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-2,mitigates,5 +4044,,T1547.006,Kernel Modules and Extensions,[],[],,SI-2,mitigates,5 +4045,,T1548.002,Bypass User Account Control,[],[],,SI-2,mitigates,5 +4046,,T1559,Inter-Process Communication,[],[],,SI-2,mitigates,5 +4047,,T1559.002,Dynamic Data Exchange,[],[],,SI-2,mitigates,5 +4048,,T1574,Hijack Execution Flow,[],[],,SI-2,mitigates,5 +4049,,T1003,OS Credential Dumping,[],[],,SI-2,mitigates,5 +4050,,T1055.002,Portable Executable Injection,[],[],,SI-2,mitigates,5 +4051,,T1055.003,Thread Execution Hijacking,[],[],,SI-2,mitigates,5 +4052,,T1055.004,Asynchronous Procedure Call,[],[],,SI-2,mitigates,5 +4053,,T1055.005,Thread Local Storage,[],[],,SI-2,mitigates,5 +4054,,T1055.008,Ptrace System Calls,[],[],,SI-2,mitigates,5 +4055,,T1055.009,Proc Memory,[],[],,SI-2,mitigates,5 +4056,,T1055.011,Extra Window Memory Injection,[],[],,SI-2,mitigates,5 +4057,,T1055.012,Process 
Hollowing,[],[],,SI-2,mitigates,5 +4058,,T1055.013,Process Doppelgänging,[],[],,SI-2,mitigates,5 +4059,,T1059.006,Python,[],[],,SI-2,mitigates,5 +4060,,T1072,Software Deployment Tools,[],[],,SI-2,mitigates,5 +4061,,T1137,Office Application Startup,[],[],,SI-2,mitigates,5 +4062,,T1137.003,Outlook Forms,[],[],,SI-2,mitigates,5 +4063,,T1137.004,Outlook Home Page,[],[],,SI-2,mitigates,5 +4064,,T1137.005,Outlook Rules,[],[],,SI-2,mitigates,5 +4065,,T1204.001,Malicious Link,[],[],,SI-2,mitigates,5 +4066,,T1204.003,Malicious Image,[],[],,SI-2,mitigates,5 +4067,,T1542,Pre-OS Boot,[],[],,SI-2,mitigates,5 +4068,,T1542.001,System Firmware,[],[],,SI-2,mitigates,5 +4069,,T1542.003,Bootkit,[],[],,SI-2,mitigates,5 +4070,,T1542.004,ROMMONkit,[],[],,SI-2,mitigates,5 +4071,,T1542.005,TFTP Boot,[],[],,SI-2,mitigates,5 +4072,,T1546.010,AppInit DLLs,[],[],,SI-2,mitigates,5 +4073,,T1546.011,Application Shimming,[],[],,SI-2,mitigates,5 +4074,,T1550.002,Pass the Hash,[],[],,SI-2,mitigates,5 +4075,,T1552,Unsecured Credentials,[],[],,SI-2,mitigates,5 +4076,,T1552.006,Group Policy Preferences,[],[],,SI-2,mitigates,5 +4077,,T1553,Subvert Trust Controls,[],[],,SI-2,mitigates,5 +4078,,T1553.006,Code Signing Policy Modification,[],[],,SI-2,mitigates,5 +4079,,T1555.005,Password Managers,[],[],,SI-2,mitigates,5 +4080,,T1566,Phishing,[],[],,SI-2,mitigates,5 +4081,,T1566.001,Spearphishing Attachment,[],[],,SI-2,mitigates,5 +4082,,T1566.003,Spearphishing via Service,[],[],,SI-2,mitigates,5 +4083,,T1574.002,DLL Side-Loading,[],[],,SI-2,mitigates,5 +4084,,T1601,Modify System Image,[],[],,SI-2,mitigates,5 +4085,,T1601.001,Patch System Image,[],[],,SI-2,mitigates,5 +4086,,T1601.002,Downgrade System Image,[],[],,SI-2,mitigates,5 +4087,,T1606,Forge Web Credentials,[],[],,SI-2,mitigates,5 +4088,,T1606.001,Web Cookies,[],[],,SI-2,mitigates,5 +4089,,T1003.001,LSASS Memory,[],[],,SI-2,mitigates,5 +4090,,T1055,Process Injection,[],[],,SI-2,mitigates,5 +4091,,T1055.001,Dynamic-link Library 
Injection,[],[],,SI-2,mitigates,5 +4092,,T1055.014,VDSO Hijacking,[],[],,SI-2,mitigates,5 +4093,,T1068,Exploitation for Privilege Escalation,[],[],,SI-2,mitigates,5 +4094,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-2,mitigates,5 +4095,,T1212,Exploitation for Credential Access,[],[],,SI-2,mitigates,5 +4096,,T1611,Escape to Host,[],[],,SI-2,mitigates,5 +4097,,T1204,User Execution,[],[],,SI-2,mitigates,5 +4098,,T1027.007,Dynamic API Resolution,[],[],,SI-2,mitigates,5 +4099,,T1027.008,Stripped Payloads,[],[],,SI-2,mitigates,5 +4100,,T1027.009,Embedded Payloads,[],[],,SI-2,mitigates,5 +4101,,T1546.016,Installer Packages,[],[],,SI-2,mitigates,5 +4102,,T1574.013,KernelCallbackTable,[],[],,SI-2,mitigates,5 +4103,,T1070,Indicator Removal on Host,[],[],,SI-23,mitigates,5 +4104,,T1070.001,Clear Windows Event Logs,[],[],,SI-23,mitigates,5 +4105,,T1565,Data Manipulation,[],[],,SI-23,mitigates,5 +4106,,T1565.001,Stored Data Manipulation,[],[],,SI-23,mitigates,5 +4107,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-23,mitigates,5 +4108,,T1072,Software Deployment Tools,[],[],,SI-23,mitigates,5 +4109,,T1119,Automated Collection,[],[],,SI-23,mitigates,5 +4110,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-3,mitigates,5 +4111,,T1027,Obfuscated Files or Information,[],[],,SI-3,mitigates,5 +4112,,T1027.002,Software Packing,[],[],,SI-3,mitigates,5 +4113,,T1037.002,Logon Script (Mac),[],[],,SI-3,mitigates,5 +4114,,T1037.005,Startup Items,[],[],,SI-3,mitigates,5 +4115,,T1047,Windows Management Instrumentation,[],[],,SI-3,mitigates,5 +4116,,T1059,Command and Scripting Interpreter,[],[],,SI-3,mitigates,5 +4117,,T1059.001,PowerShell,[],[],,SI-3,mitigates,5 +4118,,T1059.002,AppleScript,[],[],,SI-3,mitigates,5 +4119,,T1059.005,Visual Basic,[],[],,SI-3,mitigates,5 +4120,,T1059.008,Network Device CLI,[],[],,SI-3,mitigates,5 +4121,,T1070,Indicator Removal on Host,[],[],,SI-3,mitigates,5 +4122,,T1070.001,Clear Windows Event Logs,[],[],,SI-3,mitigates,5 +4123,,T1070.003,Clear 
Command History,[],[],,SI-3,mitigates,5 +4124,,T1095,Non-Application Layer Protocol,[],[],,SI-3,mitigates,5 +4125,,T1098.004,SSH Authorized Keys,[],[],,SI-3,mitigates,5 +4126,,T1105,Ingress Tool Transfer,[],[],,SI-3,mitigates,5 +4127,,T1106,Native API,[],[],,SI-3,mitigates,5 +4128,,T1176,Browser Extensions,[],[],,SI-3,mitigates,5 +4129,,T1189,Drive-by Compromise,[],[],,SI-3,mitigates,5 +4130,,T1190,Exploit Public-Facing Application,[],[],,SI-3,mitigates,5 +4131,,T1203,Exploitation for Client Execution,[],[],,SI-3,mitigates,5 +4132,,T1210,Exploitation of Remote Services,[],[],,SI-3,mitigates,5 +4133,,T1211,Exploitation for Defense Evasion,[],[],,SI-3,mitigates,5 +4134,,T1218.003,CMSTP,[],[],,SI-3,mitigates,5 +4135,,T1218.004,InstallUtil,[],[],,SI-3,mitigates,5 +4136,,T1218.008,Odbcconf,[],[],,SI-3,mitigates,5 +4137,,T1218.009,Regsvcs/Regasm,[],[],,SI-3,mitigates,5 +4138,,T1218.012,Verclsid,[],[],,SI-3,mitigates,5 +4139,,T1218.013,Mavinject,[],[],,SI-3,mitigates,5 +4140,,T1218.014,MMC,[],[],,SI-3,mitigates,5 +4141,,T1219,Remote Access Software,[],[],,SI-3,mitigates,5 +4142,,T1221,Template Injection,[],[],,SI-3,mitigates,5 +4143,,T1486,Data Encrypted for Impact,[],[],,SI-3,mitigates,5 +4144,,T1490,Inhibit System Recovery,[],[],,SI-3,mitigates,5 +4145,,T1491,Defacement,[],[],,SI-3,mitigates,5 +4146,,T1491.001,Internal Defacement,[],[],,SI-3,mitigates,5 +4147,,T1491.002,External Defacement,[],[],,SI-3,mitigates,5 +4148,,T1525,Implant Internal Image,[],[],,SI-3,mitigates,5 +4149,,T1543,Create or Modify System Process,[],[],,SI-3,mitigates,5 +4150,,T1546.002,Screensaver,[],[],,SI-3,mitigates,5 +4151,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-3,mitigates,5 +4152,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-3,mitigates,5 +4153,,T1547.002,Authentication Package,[],[],,SI-3,mitigates,5 +4154,,T1547.006,Kernel Modules and Extensions,[],[],,SI-3,mitigates,5 +4155,,T1547.007,Re-opened Applications,[],[],,SI-3,mitigates,5 +4156,,T1547.008,LSASS 
Driver,[],[],,SI-3,mitigates,5 +4157,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-3,mitigates,5 +4158,,T1558.003,Kerberoasting,[],[],,SI-3,mitigates,5 +4159,,T1559,Inter-Process Communication,[],[],,SI-3,mitigates,5 +4160,,T1559.002,Dynamic Data Exchange,[],[],,SI-3,mitigates,5 +4161,,T1562,Impair Defenses,[],[],,SI-3,mitigates,5 +4162,,T1562.001,Disable or Modify Tools,[],[],,SI-3,mitigates,5 +4163,,T1562.006,Indicator Blocking,[],[],,SI-3,mitigates,5 +4164,,T1567,Exfiltration Over Web Service,[],[],,SI-3,mitigates,5 +4165,,T1568.002,Domain Generation Algorithms,[],[],,SI-3,mitigates,5 +4166,,T1570,Lateral Tool Transfer,[],[],,SI-3,mitigates,5 +4167,,T1574,Hijack Execution Flow,[],[],,SI-3,mitigates,5 +4168,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-3,mitigates,5 +4169,,T1602.002,Network Device Configuration Dump,[],[],,SI-3,mitigates,5 +4170,,T1001,Data Obfuscation,[],[],,SI-3,mitigates,5 +4171,,T1001.001,Junk Data,[],[],,SI-3,mitigates,5 +4172,,T1001.002,Steganography,[],[],,SI-3,mitigates,5 +4173,,T1001.003,Protocol Impersonation,[],[],,SI-3,mitigates,5 +4174,,T1003,OS Credential Dumping,[],[],,SI-3,mitigates,5 +4175,,T1003.004,LSA Secrets,[],[],,SI-3,mitigates,5 +4176,,T1003.005,Cached Domain Credentials,[],[],,SI-3,mitigates,5 +4177,,T1003.006,DCSync,[],[],,SI-3,mitigates,5 +4178,,T1003.007,Proc Filesystem,[],[],,SI-3,mitigates,5 +4179,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-3,mitigates,5 +4180,,T1008,Fallback Channels,[],[],,SI-3,mitigates,5 +4181,,T1021.003,Distributed Component Object Model,[],[],,SI-3,mitigates,5 +4182,,T1021.005,VNC,[],[],,SI-3,mitigates,5 +4183,,T1025,Data from Removable Media,[],[],,SI-3,mitigates,5 +4184,,T1029,Scheduled Transfer,[],[],,SI-3,mitigates,5 +4185,,T1030,Data Transfer Size Limits,[],[],,SI-3,mitigates,5 +4186,,T1036,Masquerading,[],[],,SI-3,mitigates,5 +4187,,T1036.003,Rename System Utilities,[],[],,SI-3,mitigates,5 +4188,,T1036.005,Match Legitimate Name or 
Location,[],[],,SI-3,mitigates,5 +4189,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-3,mitigates,5 +4190,,T1037.003,Network Logon Script,[],[],,SI-3,mitigates,5 +4191,,T1037.004,RC Scripts,[],[],,SI-3,mitigates,5 +4192,,T1041,Exfiltration Over C2 Channel,[],[],,SI-3,mitigates,5 +4193,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-3,mitigates,5 +4194,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,5 +4195,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,5 +4196,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-3,mitigates,5 +4197,,T1052,Exfiltration Over Physical Medium,[],[],,SI-3,mitigates,5 +4198,,T1052.001,Exfiltration over USB,[],[],,SI-3,mitigates,5 +4199,,T1055.002,Portable Executable Injection,[],[],,SI-3,mitigates,5 +4200,,T1055.003,Thread Execution Hijacking,[],[],,SI-3,mitigates,5 +4201,,T1055.004,Asynchronous Procedure Call,[],[],,SI-3,mitigates,5 +4202,,T1055.005,Thread Local Storage,[],[],,SI-3,mitigates,5 +4203,,T1055.008,Ptrace System Calls,[],[],,SI-3,mitigates,5 +4204,,T1055.009,Proc Memory,[],[],,SI-3,mitigates,5 +4205,,T1055.011,Extra Window Memory Injection,[],[],,SI-3,mitigates,5 +4206,,T1055.012,Process Hollowing,[],[],,SI-3,mitigates,5 +4207,,T1055.013,Process Doppelgänging,[],[],,SI-3,mitigates,5 +4208,,T1059.003,Windows Command Shell,[],[],,SI-3,mitigates,5 +4209,,T1059.004,Unix Shell,[],[],,SI-3,mitigates,5 +4210,,T1059.006,Python,[],[],,SI-3,mitigates,5 +4211,,T1059.007,JavaScript,[],[],,SI-3,mitigates,5 +4212,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-3,mitigates,5 +4213,,T1071,Application Layer Protocol,[],[],,SI-3,mitigates,5 +4214,,T1071.001,Web Protocols,[],[],,SI-3,mitigates,5 +4215,,T1071.002,File Transfer Protocols,[],[],,SI-3,mitigates,5 +4216,,T1071.003,Mail Protocols,[],[],,SI-3,mitigates,5 +4217,,T1071.004,DNS,[],[],,SI-3,mitigates,5 +4218,,T1072,Software Deployment Tools,[],[],,SI-3,mitigates,5 
+4219,,T1080,Taint Shared Content,[],[],,SI-3,mitigates,5 +4220,,T1090,Proxy,[],[],,SI-3,mitigates,5 +4221,,T1090.001,Internal Proxy,[],[],,SI-3,mitigates,5 +4222,,T1090.002,External Proxy,[],[],,SI-3,mitigates,5 +4223,,T1092,Communication Through Removable Media,[],[],,SI-3,mitigates,5 +4224,,T1102,Web Service,[],[],,SI-3,mitigates,5 +4225,,T1102.001,Dead Drop Resolver,[],[],,SI-3,mitigates,5 +4226,,T1102.002,Bidirectional Communication,[],[],,SI-3,mitigates,5 +4227,,T1102.003,One-Way Communication,[],[],,SI-3,mitigates,5 +4228,,T1104,Multi-Stage Channels,[],[],,SI-3,mitigates,5 +4229,,T1132,Data Encoding,[],[],,SI-3,mitigates,5 +4230,,T1132.001,Standard Encoding,[],[],,SI-3,mitigates,5 +4231,,T1132.002,Non-Standard Encoding,[],[],,SI-3,mitigates,5 +4232,,T1137,Office Application Startup,[],[],,SI-3,mitigates,5 +4233,,T1137.001,Office Template Macros,[],[],,SI-3,mitigates,5 +4234,,T1185,Browser Session Hijacking,[],[],,SI-3,mitigates,5 +4235,,T1204.001,Malicious Link,[],[],,SI-3,mitigates,5 +4236,,T1204.003,Malicious Image,[],[],,SI-3,mitigates,5 +4237,,T1218.001,Compiled HTML File,[],[],,SI-3,mitigates,5 +4238,,T1218.002,Control Panel,[],[],,SI-3,mitigates,5 +4239,,T1218.005,Mshta,[],[],,SI-3,mitigates,5 +4240,,T1485,Data Destruction,[],[],,SI-3,mitigates,5 +4241,,T1505.004,IIS Components,[],[],,SI-3,mitigates,5 +4242,,T1539,Steal Web Session Cookie,[],[],,SI-3,mitigates,5 +4243,,T1543.002,Systemd Service,[],[],,SI-3,mitigates,5 +4244,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-3,mitigates,5 +4245,,T1546.013,PowerShell Profile,[],[],,SI-3,mitigates,5 +4246,,T1546.014,Emond,[],[],,SI-3,mitigates,5 +4247,,T1547.005,Security Support Provider,[],[],,SI-3,mitigates,5 +4248,,T1547.013,XDG Autostart Entries,[],[],,SI-3,mitigates,5 +4249,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-3,mitigates,5 +4250,,T1548.004,Elevated Execution with Prompt,[],[],,SI-3,mitigates,5 +4251,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-3,mitigates,5 
+4252,,T1557.002,ARP Cache Poisoning,[],[],,SI-3,mitigates,5 +4253,,T1558.002,Silver Ticket,[],[],,SI-3,mitigates,5 +4254,,T1558.004,AS-REP Roasting,[],[],,SI-3,mitigates,5 +4255,,T1559.001,Component Object Model,[],[],,SI-3,mitigates,5 +4256,,T1560,Archive Collected Data,[],[],,SI-3,mitigates,5 +4257,,T1561,Disk Wipe,[],[],,SI-3,mitigates,5 +4258,,T1561.001,Disk Content Wipe,[],[],,SI-3,mitigates,5 +4259,,T1561.002,Disk Structure Wipe,[],[],,SI-3,mitigates,5 +4260,,T1562.002,Disable Windows Event Logging,[],[],,SI-3,mitigates,5 +4261,,T1562.004,Disable or Modify System Firewall,[],[],,SI-3,mitigates,5 +4262,,T1564.004,NTFS File Attributes,[],[],,SI-3,mitigates,5 +4263,,T1564.008,Email Hiding Rules,[],[],,SI-3,mitigates,5 +4264,,T1564.009,Resource Forking,[],[],,SI-3,mitigates,5 +4265,,T1566,Phishing,[],[],,SI-3,mitigates,5 +4266,,T1566.001,Spearphishing Attachment,[],[],,SI-3,mitigates,5 +4267,,T1566.003,Spearphishing via Service,[],[],,SI-3,mitigates,5 +4268,,T1568,Dynamic Resolution,[],[],,SI-3,mitigates,5 +4269,,T1569,System Services,[],[],,SI-3,mitigates,5 +4270,,T1569.002,Service Execution,[],[],,SI-3,mitigates,5 +4271,,T1571,Non-Standard Port,[],[],,SI-3,mitigates,5 +4272,,T1572,Protocol Tunneling,[],[],,SI-3,mitigates,5 +4273,,T1573,Encrypted Channel,[],[],,SI-3,mitigates,5 +4274,,T1573.001,Symmetric Cryptography,[],[],,SI-3,mitigates,5 +4275,,T1573.002,Asymmetric Cryptography,[],[],,SI-3,mitigates,5 +4276,,T1574.001,DLL Search Order Hijacking,[],[],,SI-3,mitigates,5 +4277,,T1574.004,Dylib Hijacking,[],[],,SI-3,mitigates,5 +4278,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-3,mitigates,5 +4279,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-3,mitigates,5 +4280,,T1598,Phishing for Information,[],[],,SI-3,mitigates,5 +4281,,T1598.001,Spearphishing Service,[],[],,SI-3,mitigates,5 +4282,,T1598.002,Spearphishing Attachment,[],[],,SI-3,mitigates,5 +4283,,T1602,Data from Configuration Repository,[],[],,SI-3,mitigates,5 
+4284,,T1602.001,SNMP (MIB Dump),[],[],,SI-3,mitigates,5 +4285,,T1003.001,LSASS Memory,[],[],,SI-3,mitigates,5 +4286,,T1003.002,Security Account Manager,[],[],,SI-3,mitigates,5 +4287,,T1003.003,NTDS,[],[],,SI-3,mitigates,5 +4288,,T1005,Data from Local System,[],[],,SI-3,mitigates,5 +4289,,T1046,Network Service Scanning,[],[],,SI-3,mitigates,5 +4290,,T1055,Process Injection,[],[],,SI-3,mitigates,5 +4291,,T1055.001,Dynamic-link Library Injection,[],[],,SI-3,mitigates,5 +4292,,T1055.014,VDSO Hijacking,[],[],,SI-3,mitigates,5 +4293,,T1056.002,GUI Input Capture,[],[],,SI-3,mitigates,5 +4294,,T1068,Exploitation for Privilege Escalation,[],[],,SI-3,mitigates,5 +4295,,T1091,Replication Through Removable Media,[],[],,SI-3,mitigates,5 +4296,,T1111,Two-Factor Authentication Interception,[],[],,SI-3,mitigates,5 +4297,,T1201,Password Policy Discovery,[],[],,SI-3,mitigates,5 +4298,,T1212,Exploitation for Credential Access,[],[],,SI-3,mitigates,5 +4299,,T1218,Signed Binary Proxy Execution,[],[],,SI-3,mitigates,5 +4300,,T1557,Adversary-in-the-Middle,[],[],,SI-3,mitigates,5 +4301,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-3,mitigates,5 +4302,,T1560.001,Archive via Utility,[],[],,SI-3,mitigates,5 +4303,,T1566.002,Spearphishing Link,[],[],,SI-3,mitigates,5 +4304,,T1598.003,Spearphishing Link,[],[],,SI-3,mitigates,5 +4305,,T1611,Escape to Host,[],[],,SI-3,mitigates,5 +4306,,T1204,User Execution,[],[],,SI-3,mitigates,5 +4307,,T1204.002,Malicious File,[],[],,SI-3,mitigates,5 +4308,,T1557.003,DHCP Spoofing,[],[],,SI-3,mitigates,5 +4309,,T1027.007,Dynamic API Resolution,[],[],,SI-3,mitigates,5 +4310,,T1027.008,Stripped Payloads,[],[],,SI-3,mitigates,5 +4311,,T1027.009,Embedded Payloads,[],[],,SI-3,mitigates,5 +4312,,T1070.007,Clear Network Connection History and Configurations,[],[],,SI-3,mitigates,5 +4313,,T1070.008,Clear Mailbox Data,[],[],,SI-3,mitigates,5 +4314,,T1070.009,Clear Persistence,[],[],,SI-3,mitigates,5 +4315,,T1546.016,Installer 
Packages,[],[],,SI-3,mitigates,5 +4316,,T1574.013,KernelCallbackTable,[],[],,SI-3,mitigates,5 +4317,,T1622,Debugger Evasion,[],[],,SI-3,mitigates,5 +4318,,T1055.015,ListPlanting,[],[],,SI-3,mitigates,5 +4319,,T1011,Exfiltration Over Other Network Medium,[],[],,SI-4,mitigates,5 +4320,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-4,mitigates,5 +4321,,T1020.001,Traffic Duplication,[],[],,SI-4,mitigates,5 +4322,,T1021.001,Remote Desktop Protocol,[],[],,SI-4,mitigates,5 +4323,,T1027,Obfuscated Files or Information,[],[],,SI-4,mitigates,5 +4324,,T1027.002,Software Packing,[],[],,SI-4,mitigates,5 +4325,,T1037.002,Logon Script (Mac),[],[],,SI-4,mitigates,5 +4326,,T1037.005,Startup Items,[],[],,SI-4,mitigates,5 +4327,,T1047,Windows Management Instrumentation,[],[],,SI-4,mitigates,5 +4328,,T1053,Scheduled Task/Job,[],[],,SI-4,mitigates,5 +4329,,T1053.002,At (Windows),[],[],,SI-4,mitigates,5 +4330,,T1053.003,Cron,[],[],,SI-4,mitigates,5 +4331,,T1053.005,Scheduled Task,[],[],,SI-4,mitigates,5 +4332,,T1059,Command and Scripting Interpreter,[],[],,SI-4,mitigates,5 +4333,,T1059.001,PowerShell,[],[],,SI-4,mitigates,5 +4334,,T1059.002,AppleScript,[],[],,SI-4,mitigates,5 +4335,,T1059.005,Visual Basic,[],[],,SI-4,mitigates,5 +4336,,T1059.008,Network Device CLI,[],[],,SI-4,mitigates,5 +4337,,T1070,Indicator Removal on Host,[],[],,SI-4,mitigates,5 +4338,,T1070.001,Clear Windows Event Logs,[],[],,SI-4,mitigates,5 +4339,,T1070.003,Clear Command History,[],[],,SI-4,mitigates,5 +4340,,T1078.002,Domain Accounts,[],[],,SI-4,mitigates,5 +4341,,T1078.004,Cloud Accounts,[],[],,SI-4,mitigates,5 +4342,,T1095,Non-Application Layer Protocol,[],[],,SI-4,mitigates,5 +4343,,T1098,Account Manipulation,[],[],,SI-4,mitigates,5 +4344,,T1098.001,Additional Cloud Credentials,[],[],,SI-4,mitigates,5 +4345,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-4,mitigates,5 +4346,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-4,mitigates,5 +4347,,T1098.004,SSH Authorized 
Keys,[],[],,SI-4,mitigates,5 +4348,,T1105,Ingress Tool Transfer,[],[],,SI-4,mitigates,5 +4349,,T1106,Native API,[],[],,SI-4,mitigates,5 +4350,,T1129,Shared Modules,[],[],,SI-4,mitigates,5 +4351,,T1176,Browser Extensions,[],[],,SI-4,mitigates,5 +4352,,T1189,Drive-by Compromise,[],[],,SI-4,mitigates,5 +4353,,T1190,Exploit Public-Facing Application,[],[],,SI-4,mitigates,5 +4354,,T1197,BITS Jobs,[],[],,SI-4,mitigates,5 +4355,,T1203,Exploitation for Client Execution,[],[],,SI-4,mitigates,5 +4356,,T1205,Traffic Signaling,[],[],,SI-4,mitigates,5 +4357,,T1205.001,Port Knocking,[],[],,SI-4,mitigates,5 +4358,,T1210,Exploitation of Remote Services,[],[],,SI-4,mitigates,5 +4359,,T1211,Exploitation for Defense Evasion,[],[],,SI-4,mitigates,5 +4360,,T1216,Signed Script Proxy Execution,[],[],,SI-4,mitigates,5 +4361,,T1216.001,PubPrn,[],[],,SI-4,mitigates,5 +4362,,T1218.003,CMSTP,[],[],,SI-4,mitigates,5 +4363,,T1218.004,InstallUtil,[],[],,SI-4,mitigates,5 +4364,,T1218.008,Odbcconf,[],[],,SI-4,mitigates,5 +4365,,T1218.009,Regsvcs/Regasm,[],[],,SI-4,mitigates,5 +4366,,T1218.010,Regsvr32,[],[],,SI-4,mitigates,5 +4367,,T1218.012,Verclsid,[],[],,SI-4,mitigates,5 +4368,,T1218.013,Mavinject,[],[],,SI-4,mitigates,5 +4369,,T1218.014,MMC,[],[],,SI-4,mitigates,5 +4370,,T1219,Remote Access Software,[],[],,SI-4,mitigates,5 +4371,,T1221,Template Injection,[],[],,SI-4,mitigates,5 +4372,,T1222,File and Directory Permissions Modification,[],[],,SI-4,mitigates,5 +4373,,T1486,Data Encrypted for Impact,[],[],,SI-4,mitigates,5 +4374,,T1490,Inhibit System Recovery,[],[],,SI-4,mitigates,5 +4375,,T1491,Defacement,[],[],,SI-4,mitigates,5 +4376,,T1491.001,Internal Defacement,[],[],,SI-4,mitigates,5 +4377,,T1491.002,External Defacement,[],[],,SI-4,mitigates,5 +4378,,T1499,Endpoint Denial of Service,[],[],,SI-4,mitigates,5 +4379,,T1499.001,OS Exhaustion Flood,[],[],,SI-4,mitigates,5 +4380,,T1499.002,Service Exhaustion Flood,[],[],,SI-4,mitigates,5 +4381,,T1499.003,Application Exhaustion 
Flood,[],[],,SI-4,mitigates,5 +4382,,T1499.004,Application or System Exploitation,[],[],,SI-4,mitigates,5 +4383,,T1505,Server Software Component,[],[],,SI-4,mitigates,5 +4384,,T1505.003,Web Shell,[],[],,SI-4,mitigates,5 +4385,,T1525,Implant Internal Image,[],[],,SI-4,mitigates,5 +4386,,T1537,Transfer Data to Cloud Account,[],[],,SI-4,mitigates,5 +4387,,T1543,Create or Modify System Process,[],[],,SI-4,mitigates,5 +4388,,T1546.002,Screensaver,[],[],,SI-4,mitigates,5 +4389,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,SI-4,mitigates,5 +4390,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-4,mitigates,5 +4391,,T1547.002,Authentication Package,[],[],,SI-4,mitigates,5 +4392,,T1547.003,Time Providers,[],[],,SI-4,mitigates,5 +4393,,T1547.004,Winlogon Helper DLL,[],[],,SI-4,mitigates,5 +4394,,T1547.006,Kernel Modules and Extensions,[],[],,SI-4,mitigates,5 +4395,,T1547.007,Re-opened Applications,[],[],,SI-4,mitigates,5 +4396,,T1547.008,LSASS Driver,[],[],,SI-4,mitigates,5 +4397,,T1547.009,Shortcut Modification,[],[],,SI-4,mitigates,5 +4398,,T1548.002,Bypass User Account Control,[],[],,SI-4,mitigates,5 +4399,,T1548.003,Sudo and Sudo Caching,[],[],,SI-4,mitigates,5 +4400,,T1550.001,Application Access Token,[],[],,SI-4,mitigates,5 +4401,,T1552.003,Bash History,[],[],,SI-4,mitigates,5 +4402,,T1552.005,Cloud Instance Metadata API,[],[],,SI-4,mitigates,5 +4403,,T1553.001,Gatekeeper Bypass,[],[],,SI-4,mitigates,5 +4404,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-4,mitigates,5 +4405,,T1555.002,Securityd Memory,[],[],,SI-4,mitigates,5 +4406,,T1556.004,Network Device Authentication,[],[],,SI-4,mitigates,5 +4407,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-4,mitigates,5 +4408,,T1558.003,Kerberoasting,[],[],,SI-4,mitigates,5 +4409,,T1559,Inter-Process Communication,[],[],,SI-4,mitigates,5 +4410,,T1559.002,Dynamic Data Exchange,[],[],,SI-4,mitigates,5 +4411,,T1562,Impair Defenses,[],[],,SI-4,mitigates,5 +4412,,T1562.001,Disable or Modify 
Tools,[],[],,SI-4,mitigates,5 +4413,,T1562.003,Impair Command History Logging,[],[],,SI-4,mitigates,5 +4414,,T1562.006,Indicator Blocking,[],[],,SI-4,mitigates,5 +4415,,T1562.010,Downgrade Attack,[],[],,SI-4,mitigates,5 +4416,,T1564.002,Hidden Users,[],[],,SI-4,mitigates,5 +4417,,T1565,Data Manipulation,[],[],,SI-4,mitigates,5 +4418,,T1565.001,Stored Data Manipulation,[],[],,SI-4,mitigates,5 +4419,,T1565.002,Transmitted Data Manipulation,[],[],,SI-4,mitigates,5 +4420,,T1565.003,Runtime Data Manipulation,[],[],,SI-4,mitigates,5 +4421,,T1567,Exfiltration Over Web Service,[],[],,SI-4,mitigates,5 +4422,,T1568.002,Domain Generation Algorithms,[],[],,SI-4,mitigates,5 +4423,,T1570,Lateral Tool Transfer,[],[],,SI-4,mitigates,5 +4424,,T1574,Hijack Execution Flow,[],[],,SI-4,mitigates,5 +4425,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-4,mitigates,5 +4426,,T1602.002,Network Device Configuration Dump,[],[],,SI-4,mitigates,5 +4427,,T1610,Deploy Container,[],[],,SI-4,mitigates,5 +4428,,T1001,Data Obfuscation,[],[],,SI-4,mitigates,5 +4429,,T1001.001,Junk Data,[],[],,SI-4,mitigates,5 +4430,,T1001.002,Steganography,[],[],,SI-4,mitigates,5 +4431,,T1001.003,Protocol Impersonation,[],[],,SI-4,mitigates,5 +4432,,T1003,OS Credential Dumping,[],[],,SI-4,mitigates,5 +4433,,T1003.004,LSA Secrets,[],[],,SI-4,mitigates,5 +4434,,T1003.005,Cached Domain Credentials,[],[],,SI-4,mitigates,5 +4435,,T1003.006,DCSync,[],[],,SI-4,mitigates,5 +4436,,T1003.007,Proc Filesystem,[],[],,SI-4,mitigates,5 +4437,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-4,mitigates,5 +4438,,T1008,Fallback Channels,[],[],,SI-4,mitigates,5 +4439,,T1021,Remote Services,[],[],,SI-4,mitigates,5 +4440,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-4,mitigates,5 +4441,,T1021.003,Distributed Component Object Model,[],[],,SI-4,mitigates,5 +4442,,T1021.004,SSH,[],[],,SI-4,mitigates,5 +4443,,T1021.005,VNC,[],[],,SI-4,mitigates,5 +4444,,T1021.006,Windows Remote Management,[],[],,SI-4,mitigates,5 
+4445,,T1025,Data from Removable Media,[],[],,SI-4,mitigates,5 +4446,,T1029,Scheduled Transfer,[],[],,SI-4,mitigates,5 +4447,,T1030,Data Transfer Size Limits,[],[],,SI-4,mitigates,5 +4448,,T1036,Masquerading,[],[],,SI-4,mitigates,5 +4449,,T1036.001,Invalid Code Signature,[],[],,SI-4,mitigates,5 +4450,,T1036.003,Rename System Utilities,[],[],,SI-4,mitigates,5 +4451,,T1036.005,Match Legitimate Name or Location,[],[],,SI-4,mitigates,5 +4452,,T1036.007,Double File Extension,[],[],,SI-4,mitigates,5 +4453,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-4,mitigates,5 +4454,,T1037.003,Network Logon Script,[],[],,SI-4,mitigates,5 +4455,,T1037.004,RC Scripts,[],[],,SI-4,mitigates,5 +4456,,T1041,Exfiltration Over C2 Channel,[],[],,SI-4,mitigates,5 +4457,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-4,mitigates,5 +4458,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,5 +4459,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,5 +4460,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-4,mitigates,5 +4461,,T1052,Exfiltration Over Physical Medium,[],[],,SI-4,mitigates,5 +4462,,T1052.001,Exfiltration over USB,[],[],,SI-4,mitigates,5 +4463,,T1053.006,Systemd Timers,[],[],,SI-4,mitigates,5 +4464,,T1055.002,Portable Executable Injection,[],[],,SI-4,mitigates,5 +4465,,T1055.003,Thread Execution Hijacking,[],[],,SI-4,mitigates,5 +4466,,T1055.004,Asynchronous Procedure Call,[],[],,SI-4,mitigates,5 +4467,,T1055.005,Thread Local Storage,[],[],,SI-4,mitigates,5 +4468,,T1055.008,Ptrace System Calls,[],[],,SI-4,mitigates,5 +4469,,T1055.009,Proc Memory,[],[],,SI-4,mitigates,5 +4470,,T1055.011,Extra Window Memory Injection,[],[],,SI-4,mitigates,5 +4471,,T1055.012,Process Hollowing,[],[],,SI-4,mitigates,5 +4472,,T1055.013,Process Doppelgänging,[],[],,SI-4,mitigates,5 +4473,,T1059.003,Windows Command Shell,[],[],,SI-4,mitigates,5 +4474,,T1059.004,Unix Shell,[],[],,SI-4,mitigates,5 
+4475,,T1059.006,Python,[],[],,SI-4,mitigates,5 +4476,,T1059.007,JavaScript,[],[],,SI-4,mitigates,5 +4477,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-4,mitigates,5 +4478,,T1071,Application Layer Protocol,[],[],,SI-4,mitigates,5 +4479,,T1071.001,Web Protocols,[],[],,SI-4,mitigates,5 +4480,,T1071.002,File Transfer Protocols,[],[],,SI-4,mitigates,5 +4481,,T1071.003,Mail Protocols,[],[],,SI-4,mitigates,5 +4482,,T1071.004,DNS,[],[],,SI-4,mitigates,5 +4483,,T1072,Software Deployment Tools,[],[],,SI-4,mitigates,5 +4484,,T1078.001,Default Accounts,[],[],,SI-4,mitigates,5 +4485,,T1078.003,Local Accounts,[],[],,SI-4,mitigates,5 +4486,,T1080,Taint Shared Content,[],[],,SI-4,mitigates,5 +4487,,T1087,Account Discovery,[],[],,SI-4,mitigates,5 +4488,,T1090,Proxy,[],[],,SI-4,mitigates,5 +4489,,T1090.001,Internal Proxy,[],[],,SI-4,mitigates,5 +4490,,T1090.002,External Proxy,[],[],,SI-4,mitigates,5 +4491,,T1092,Communication Through Removable Media,[],[],,SI-4,mitigates,5 +4492,,T1102,Web Service,[],[],,SI-4,mitigates,5 +4493,,T1102.001,Dead Drop Resolver,[],[],,SI-4,mitigates,5 +4494,,T1102.002,Bidirectional Communication,[],[],,SI-4,mitigates,5 +4495,,T1102.003,One-Way Communication,[],[],,SI-4,mitigates,5 +4496,,T1104,Multi-Stage Channels,[],[],,SI-4,mitigates,5 +4497,,T1110,Brute Force,[],[],,SI-4,mitigates,5 +4498,,T1110.003,Password Spraying,[],[],,SI-4,mitigates,5 +4499,,T1110.004,Credential Stuffing,[],[],,SI-4,mitigates,5 +4500,,T1114,Email Collection,[],[],,SI-4,mitigates,5 +4501,,T1114.001,Local Email Collection,[],[],,SI-4,mitigates,5 +4502,,T1114.002,Remote Email Collection,[],[],,SI-4,mitigates,5 +4503,,T1114.003,Email Forwarding Rule,[],[],,SI-4,mitigates,5 +4504,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-4,mitigates,5 +4505,,T1127.001,MSBuild,[],[],,SI-4,mitigates,5 +4506,,T1132,Data Encoding,[],[],,SI-4,mitigates,5 +4507,,T1132.001,Standard Encoding,[],[],,SI-4,mitigates,5 +4508,,T1132.002,Non-Standard Encoding,[],[],,SI-4,mitigates,5 
+4509,,T1135,Network Share Discovery,[],[],,SI-4,mitigates,5 +4510,,T1136,Create Account,[],[],,SI-4,mitigates,5 +4511,,T1136.001,Local Account,[],[],,SI-4,mitigates,5 +4512,,T1136.002,Domain Account,[],[],,SI-4,mitigates,5 +4513,,T1136.003,Cloud Account,[],[],,SI-4,mitigates,5 +4514,,T1137,Office Application Startup,[],[],,SI-4,mitigates,5 +4515,,T1137.001,Office Template Macros,[],[],,SI-4,mitigates,5 +4516,,T1185,Browser Session Hijacking,[],[],,SI-4,mitigates,5 +4517,,T1187,Forced Authentication,[],[],,SI-4,mitigates,5 +4518,,T1204.001,Malicious Link,[],[],,SI-4,mitigates,5 +4519,,T1204.003,Malicious Image,[],[],,SI-4,mitigates,5 +4520,,T1213,Data from Information Repositories,[],[],,SI-4,mitigates,5 +4521,,T1213.001,Confluence,[],[],,SI-4,mitigates,5 +4522,,T1213.002,Sharepoint,[],[],,SI-4,mitigates,5 +4523,,T1218.001,Compiled HTML File,[],[],,SI-4,mitigates,5 +4524,,T1218.002,Control Panel,[],[],,SI-4,mitigates,5 +4525,,T1218.005,Mshta,[],[],,SI-4,mitigates,5 +4526,,T1220,XSL Script Processing,[],[],,SI-4,mitigates,5 +4527,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-4,mitigates,5 +4528,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-4,mitigates,5 +4529,,T1484,Domain Policy Modification,[],[],,SI-4,mitigates,5 +4530,,T1485,Data Destruction,[],[],,SI-4,mitigates,5 +4531,,T1489,Service Stop,[],[],,SI-4,mitigates,5 +4532,,T1505.002,Transport Agent,[],[],,SI-4,mitigates,5 +4533,,T1505.004,IIS Components,[],[],,SI-4,mitigates,5 +4534,,T1539,Steal Web Session Cookie,[],[],,SI-4,mitigates,5 +4535,,T1542.004,ROMMONkit,[],[],,SI-4,mitigates,5 +4536,,T1542.005,TFTP Boot,[],[],,SI-4,mitigates,5 +4537,,T1543.002,Systemd Service,[],[],,SI-4,mitigates,5 +4538,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-4,mitigates,5 +4539,,T1546.008,Accessibility Features,[],[],,SI-4,mitigates,5 +4540,,T1546.013,PowerShell Profile,[],[],,SI-4,mitigates,5 +4541,,T1546.014,Emond,[],[],,SI-4,mitigates,5 
+4542,,T1547.005,Security Support Provider,[],[],,SI-4,mitigates,5 +4543,,T1547.012,Print Processors,[],[],,SI-4,mitigates,5 +4544,,T1547.013,XDG Autostart Entries,[],[],,SI-4,mitigates,5 +4545,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-4,mitigates,5 +4546,,T1548.004,Elevated Execution with Prompt,[],[],,SI-4,mitigates,5 +4547,,T1550.003,Pass the Ticket,[],[],,SI-4,mitigates,5 +4548,,T1552,Unsecured Credentials,[],[],,SI-4,mitigates,5 +4549,,T1552.001,Credentials In Files,[],[],,SI-4,mitigates,5 +4550,,T1552.002,Credentials in Registry,[],[],,SI-4,mitigates,5 +4551,,T1552.004,Private Keys,[],[],,SI-4,mitigates,5 +4552,,T1552.006,Group Policy Preferences,[],[],,SI-4,mitigates,5 +4553,,T1553,Subvert Trust Controls,[],[],,SI-4,mitigates,5 +4554,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-4,mitigates,5 +4555,,T1553.004,Install Root Certificate,[],[],,SI-4,mitigates,5 +4556,,T1555,Credentials from Password Stores,[],[],,SI-4,mitigates,5 +4557,,T1555.005,Password Managers,[],[],,SI-4,mitigates,5 +4558,,T1556.001,Domain Controller Authentication,[],[],,SI-4,mitigates,5 +4559,,T1556.002,Password Filter DLL,[],[],,SI-4,mitigates,5 +4560,,T1556.003,Pluggable Authentication Modules,[],[],,SI-4,mitigates,5 +4561,,T1557.002,ARP Cache Poisoning,[],[],,SI-4,mitigates,5 +4562,,T1558.002,Silver Ticket,[],[],,SI-4,mitigates,5 +4563,,T1558.004,AS-REP Roasting,[],[],,SI-4,mitigates,5 +4564,,T1560,Archive Collected Data,[],[],,SI-4,mitigates,5 +4565,,T1561,Disk Wipe,[],[],,SI-4,mitigates,5 +4566,,T1561.001,Disk Content Wipe,[],[],,SI-4,mitigates,5 +4567,,T1561.002,Disk Structure Wipe,[],[],,SI-4,mitigates,5 +4568,,T1562.002,Disable Windows Event Logging,[],[],,SI-4,mitigates,5 +4569,,T1562.004,Disable or Modify System Firewall,[],[],,SI-4,mitigates,5 +4570,,T1563,Remote Service Session Hijacking,[],[],,SI-4,mitigates,5 +4571,,T1563.001,SSH Hijacking,[],[],,SI-4,mitigates,5 +4572,,T1563.002,RDP Hijacking,[],[],,SI-4,mitigates,5 +4573,,T1564.004,NTFS File 
Attributes,[],[],,SI-4,mitigates,5 +4574,,T1564.006,Run Virtual Instance,[],[],,SI-4,mitigates,5 +4575,,T1564.007,VBA Stomping,[],[],,SI-4,mitigates,5 +4576,,T1564.008,Email Hiding Rules,[],[],,SI-4,mitigates,5 +4577,,T1564.009,Resource Forking,[],[],,SI-4,mitigates,5 +4578,,T1566,Phishing,[],[],,SI-4,mitigates,5 +4579,,T1566.001,Spearphishing Attachment,[],[],,SI-4,mitigates,5 +4580,,T1566.003,Spearphishing via Service,[],[],,SI-4,mitigates,5 +4581,,T1568,Dynamic Resolution,[],[],,SI-4,mitigates,5 +4582,,T1569,System Services,[],[],,SI-4,mitigates,5 +4583,,T1569.002,Service Execution,[],[],,SI-4,mitigates,5 +4584,,T1571,Non-Standard Port,[],[],,SI-4,mitigates,5 +4585,,T1572,Protocol Tunneling,[],[],,SI-4,mitigates,5 +4586,,T1573,Encrypted Channel,[],[],,SI-4,mitigates,5 +4587,,T1573.001,Symmetric Cryptography,[],[],,SI-4,mitigates,5 +4588,,T1573.002,Asymmetric Cryptography,[],[],,SI-4,mitigates,5 +4589,,T1574.001,DLL Search Order Hijacking,[],[],,SI-4,mitigates,5 +4590,,T1574.004,Dylib Hijacking,[],[],,SI-4,mitigates,5 +4591,,T1574.005,Executable Installer File Permissions Weakness,[],[],,SI-4,mitigates,5 +4592,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-4,mitigates,5 +4593,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-4,mitigates,5 +4594,,T1574.010,Services File Permissions Weakness,[],[],,SI-4,mitigates,5 +4595,,T1578,Modify Cloud Compute Infrastructure,[],[],,SI-4,mitigates,5 +4596,,T1578.001,Create Snapshot,[],[],,SI-4,mitigates,5 +4597,,T1578.002,Create Cloud Instance,[],[],,SI-4,mitigates,5 +4598,,T1578.003,Delete Cloud Instance,[],[],,SI-4,mitigates,5 +4599,,T1598,Phishing for Information,[],[],,SI-4,mitigates,5 +4600,,T1598.001,Spearphishing Service,[],[],,SI-4,mitigates,5 +4601,,T1598.002,Spearphishing Attachment,[],[],,SI-4,mitigates,5 +4602,,T1599.001,Network Address Translation Traversal,[],[],,SI-4,mitigates,5 +4603,,T1601,Modify System Image,[],[],,SI-4,mitigates,5 +4604,,T1601.001,Patch System 
Image,[],[],,SI-4,mitigates,5 +4605,,T1601.002,Downgrade System Image,[],[],,SI-4,mitigates,5 +4606,,T1602,Data from Configuration Repository,[],[],,SI-4,mitigates,5 +4607,,T1602.001,SNMP (MIB Dump),[],[],,SI-4,mitigates,5 +4608,,T1612,Build Image on Host,[],[],,SI-4,mitigates,5 +4609,,T1613,Container and Resource Discovery,[],[],,SI-4,mitigates,5 +4610,,T1003.001,LSASS Memory,[],[],,SI-4,mitigates,5 +4611,,T1003.002,Security Account Manager,[],[],,SI-4,mitigates,5 +4612,,T1003.003,NTDS,[],[],,SI-4,mitigates,5 +4613,,T1005,Data from Local System,[],[],,SI-4,mitigates,5 +4614,,T1040,Network Sniffing,[],[],,SI-4,mitigates,5 +4615,,T1046,Network Service Scanning,[],[],,SI-4,mitigates,5 +4616,,T1055,Process Injection,[],[],,SI-4,mitigates,5 +4617,,T1055.001,Dynamic-link Library Injection,[],[],,SI-4,mitigates,5 +4618,,T1055.014,VDSO Hijacking,[],[],,SI-4,mitigates,5 +4619,,T1056.002,GUI Input Capture,[],[],,SI-4,mitigates,5 +4620,,T1068,Exploitation for Privilege Escalation,[],[],,SI-4,mitigates,5 +4621,,T1078,Valid Accounts,[],[],,SI-4,mitigates,5 +4622,,T1087.001,Local Account,[],[],,SI-4,mitigates,5 +4623,,T1087.002,Domain Account,[],[],,SI-4,mitigates,5 +4624,,T1091,Replication Through Removable Media,[],[],,SI-4,mitigates,5 +4625,,T1110.001,Password Guessing,[],[],,SI-4,mitigates,5 +4626,,T1110.002,Password Cracking,[],[],,SI-4,mitigates,5 +4627,,T1111,Two-Factor Authentication Interception,[],[],,SI-4,mitigates,5 +4628,,T1119,Automated Collection,[],[],,SI-4,mitigates,5 +4629,,T1133,External Remote Services,[],[],,SI-4,mitigates,5 +4630,,T1201,Password Policy Discovery,[],[],,SI-4,mitigates,5 +4631,,T1212,Exploitation for Credential Access,[],[],,SI-4,mitigates,5 +4632,,T1218,Signed Binary Proxy Execution,[],[],,SI-4,mitigates,5 +4633,,T1218.011,Rundll32,[],[],,SI-4,mitigates,5 +4634,,T1528,Steal Application Access Token,[],[],,SI-4,mitigates,5 +4635,,T1530,Data from Cloud Storage Object,[],[],,SI-4,mitigates,5 +4636,,T1548.001,Setuid and 
Setgid,[],[],,SI-4,mitigates,5 +4637,,T1555.001,Keychain,[],[],,SI-4,mitigates,5 +4638,,T1555.004,Windows Credential Manager,[],[],,SI-4,mitigates,5 +4639,,T1556,Modify Authentication Process,[],[],,SI-4,mitigates,5 +4640,,T1557,Adversary-in-the-Middle,[],[],,SI-4,mitigates,5 +4641,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-4,mitigates,5 +4642,,T1560.001,Archive via Utility,[],[],,SI-4,mitigates,5 +4643,,T1566.002,Spearphishing Link,[],[],,SI-4,mitigates,5 +4644,,T1598.003,Spearphishing Link,[],[],,SI-4,mitigates,5 +4645,,T1599,Network Boundary Bridging,[],[],,SI-4,mitigates,5 +4646,,T1611,Escape to Host,[],[],,SI-4,mitigates,5 +4647,,T1204,User Execution,[],[],,SI-4,mitigates,5 +4648,,T1204.002,Malicious File,[],[],,SI-4,mitigates,5 +4649,,T1557.003,DHCP Spoofing,[],[],,SI-4,mitigates,5 +4650,,T1027.007,Dynamic API Resolution,[],[],,SI-4,mitigates,5 +4651,,T1027.008,Stripped Payloads,[],[],,SI-4,mitigates,5 +4652,,T1027.009,Embedded Payloads,[],[],,SI-4,mitigates,5 +4653,,T1070.007,Clear Network Connection History and Configurations,[],[],,SI-4,mitigates,5 +4654,,T1070.008,Clear Mailbox Data,[],[],,SI-4,mitigates,5 +4655,,T1070.009,Clear Persistence,[],[],,SI-4,mitigates,5 +4656,,T1505.005,Terminal Services DLL,[],[],,SI-4,mitigates,5 +4657,,T1546.016,Installer Packages,[],[],,SI-4,mitigates,5 +4658,,T1559.003,XPC Services,[],[],,SI-4,mitigates,5 +4659,,T1564.010,Process Argument Spoofing,[],[],,SI-4,mitigates,5 +4660,,T1574.013,KernelCallbackTable,[],[],,SI-4,mitigates,5 +4661,,T1622,Debugger Evasion,[],[],,SI-4,mitigates,5 +4662,,T1647,Plist File Modification,[],[],,SI-4,mitigates,5 +4663,,T1648,Serverless Execution,[],[],,SI-4,mitigates,5 +4664,,T1205.002,Socket Filters,[],[],,SI-4,mitigates,5 +4665,,T1210,Exploitation of Remote Services,[],[],,SI-5,mitigates,5 +4666,,T1211,Exploitation for Defense Evasion,[],[],,SI-5,mitigates,5 +4667,,T1068,Exploitation for Privilege Escalation,[],[],,SI-5,mitigates,5 +4668,,T1212,Exploitation for Credential 
Access,[],[],,SI-5,mitigates,5 +4669,,T1020.001,Traffic Duplication,[],[],,SI-7,mitigates,5 +4670,,T1027,Obfuscated Files or Information,[],[],,SI-7,mitigates,5 +4671,,T1027.002,Software Packing,[],[],,SI-7,mitigates,5 +4672,,T1037.002,Logon Script (Mac),[],[],,SI-7,mitigates,5 +4673,,T1037.005,Startup Items,[],[],,SI-7,mitigates,5 +4674,,T1047,Windows Management Instrumentation,[],[],,SI-7,mitigates,5 +4675,,T1059,Command and Scripting Interpreter,[],[],,SI-7,mitigates,5 +4676,,T1059.001,PowerShell,[],[],,SI-7,mitigates,5 +4677,,T1059.002,AppleScript,[],[],,SI-7,mitigates,5 +4678,,T1059.005,Visual Basic,[],[],,SI-7,mitigates,5 +4679,,T1059.008,Network Device CLI,[],[],,SI-7,mitigates,5 +4680,,T1070,Indicator Removal on Host,[],[],,SI-7,mitigates,5 +4681,,T1070.001,Clear Windows Event Logs,[],[],,SI-7,mitigates,5 +4682,,T1070.003,Clear Command History,[],[],,SI-7,mitigates,5 +4683,,T1098.001,Additional Cloud Credentials,[],[],,SI-7,mitigates,5 +4684,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-7,mitigates,5 +4685,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-7,mitigates,5 +4686,,T1129,Shared Modules,[],[],,SI-7,mitigates,5 +4687,,T1176,Browser Extensions,[],[],,SI-7,mitigates,5 +4688,,T1189,Drive-by Compromise,[],[],,SI-7,mitigates,5 +4689,,T1190,Exploit Public-Facing Application,[],[],,SI-7,mitigates,5 +4690,,T1203,Exploitation for Client Execution,[],[],,SI-7,mitigates,5 +4691,,T1210,Exploitation of Remote Services,[],[],,SI-7,mitigates,5 +4692,,T1211,Exploitation for Defense Evasion,[],[],,SI-7,mitigates,5 +4693,,T1216,Signed Script Proxy Execution,[],[],,SI-7,mitigates,5 +4694,,T1216.001,PubPrn,[],[],,SI-7,mitigates,5 +4695,,T1218.003,CMSTP,[],[],,SI-7,mitigates,5 +4696,,T1218.004,InstallUtil,[],[],,SI-7,mitigates,5 +4697,,T1218.008,Odbcconf,[],[],,SI-7,mitigates,5 +4698,,T1218.009,Regsvcs/Regasm,[],[],,SI-7,mitigates,5 +4699,,T1218.010,Regsvr32,[],[],,SI-7,mitigates,5 +4700,,T1218.012,Verclsid,[],[],,SI-7,mitigates,5 
+4701,,T1218.013,Mavinject,[],[],,SI-7,mitigates,5 +4702,,T1218.014,MMC,[],[],,SI-7,mitigates,5 +4703,,T1219,Remote Access Software,[],[],,SI-7,mitigates,5 +4704,,T1221,Template Injection,[],[],,SI-7,mitigates,5 +4705,,T1222,File and Directory Permissions Modification,[],[],,SI-7,mitigates,5 +4706,,T1486,Data Encrypted for Impact,[],[],,SI-7,mitigates,5 +4707,,T1490,Inhibit System Recovery,[],[],,SI-7,mitigates,5 +4708,,T1491,Defacement,[],[],,SI-7,mitigates,5 +4709,,T1491.001,Internal Defacement,[],[],,SI-7,mitigates,5 +4710,,T1491.002,External Defacement,[],[],,SI-7,mitigates,5 +4711,,T1495,Firmware Corruption,[],[],,SI-7,mitigates,5 +4712,,T1505,Server Software Component,[],[],,SI-7,mitigates,5 +4713,,T1525,Implant Internal Image,[],[],,SI-7,mitigates,5 +4714,,T1543,Create or Modify System Process,[],[],,SI-7,mitigates,5 +4715,,T1546,Event Triggered Execution,[],[],,SI-7,mitigates,5 +4716,,T1546.002,Screensaver,[],[],,SI-7,mitigates,5 +4717,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-7,mitigates,5 +4718,,T1547.002,Authentication Package,[],[],,SI-7,mitigates,5 +4719,,T1547.003,Time Providers,[],[],,SI-7,mitigates,5 +4720,,T1547.004,Winlogon Helper DLL,[],[],,SI-7,mitigates,5 +4721,,T1547.006,Kernel Modules and Extensions,[],[],,SI-7,mitigates,5 +4722,,T1547.008,LSASS Driver,[],[],,SI-7,mitigates,5 +4723,,T1550.001,Application Access Token,[],[],,SI-7,mitigates,5 +4724,,T1553.001,Gatekeeper Bypass,[],[],,SI-7,mitigates,5 +4725,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-7,mitigates,5 +4726,,T1556.004,Network Device Authentication,[],[],,SI-7,mitigates,5 +4727,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-7,mitigates,5 +4728,,T1558.003,Kerberoasting,[],[],,SI-7,mitigates,5 +4729,,T1562,Impair Defenses,[],[],,SI-7,mitigates,5 +4730,,T1562.001,Disable or Modify Tools,[],[],,SI-7,mitigates,5 +4731,,T1562.006,Indicator Blocking,[],[],,SI-7,mitigates,5 +4732,,T1565,Data Manipulation,[],[],,SI-7,mitigates,5 +4733,,T1565.001,Stored Data 
Manipulation,[],[],,SI-7,mitigates,5 +4734,,T1565.002,Transmitted Data Manipulation,[],[],,SI-7,mitigates,5 +4735,,T1574,Hijack Execution Flow,[],[],,SI-7,mitigates,5 +4736,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-7,mitigates,5 +4737,,T1602.002,Network Device Configuration Dump,[],[],,SI-7,mitigates,5 +4738,,T1609,Container Administration Command,[],[],,SI-7,mitigates,5 +4739,,T1003,OS Credential Dumping,[],[],,SI-7,mitigates,5 +4740,,T1036,Masquerading,[],[],,SI-7,mitigates,5 +4741,,T1036.001,Invalid Code Signature,[],[],,SI-7,mitigates,5 +4742,,T1036.005,Match Legitimate Name or Location,[],[],,SI-7,mitigates,5 +4743,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-7,mitigates,5 +4744,,T1037.003,Network Logon Script,[],[],,SI-7,mitigates,5 +4745,,T1037.004,RC Scripts,[],[],,SI-7,mitigates,5 +4746,,T1053.006,Systemd Timers,[],[],,SI-7,mitigates,5 +4747,,T1059.003,Windows Command Shell,[],[],,SI-7,mitigates,5 +4748,,T1059.004,Unix Shell,[],[],,SI-7,mitigates,5 +4749,,T1059.006,Python,[],[],,SI-7,mitigates,5 +4750,,T1059.007,JavaScript,[],[],,SI-7,mitigates,5 +4751,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-7,mitigates,5 +4752,,T1072,Software Deployment Tools,[],[],,SI-7,mitigates,5 +4753,,T1080,Taint Shared Content,[],[],,SI-7,mitigates,5 +4754,,T1114,Email Collection,[],[],,SI-7,mitigates,5 +4755,,T1114.001,Local Email Collection,[],[],,SI-7,mitigates,5 +4756,,T1114.002,Remote Email Collection,[],[],,SI-7,mitigates,5 +4757,,T1114.003,Email Forwarding Rule,[],[],,SI-7,mitigates,5 +4758,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-7,mitigates,5 +4759,,T1136,Create Account,[],[],,SI-7,mitigates,5 +4760,,T1136.001,Local Account,[],[],,SI-7,mitigates,5 +4761,,T1136.002,Domain Account,[],[],,SI-7,mitigates,5 +4762,,T1136.003,Cloud Account,[],[],,SI-7,mitigates,5 +4763,,T1185,Browser Session Hijacking,[],[],,SI-7,mitigates,5 +4764,,T1204.003,Malicious Image,[],[],,SI-7,mitigates,5 +4765,,T1213,Data from Information 
Repositories,[],[],,SI-7,mitigates,5 +4766,,T1213.001,Confluence,[],[],,SI-7,mitigates,5 +4767,,T1213.002,Sharepoint,[],[],,SI-7,mitigates,5 +4768,,T1218.001,Compiled HTML File,[],[],,SI-7,mitigates,5 +4769,,T1218.002,Control Panel,[],[],,SI-7,mitigates,5 +4770,,T1218.005,Mshta,[],[],,SI-7,mitigates,5 +4771,,T1220,XSL Script Processing,[],[],,SI-7,mitigates,5 +4772,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-7,mitigates,5 +4773,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-7,mitigates,5 +4774,,T1485,Data Destruction,[],[],,SI-7,mitigates,5 +4775,,T1505.001,SQL Stored Procedures,[],[],,SI-7,mitigates,5 +4776,,T1505.002,Transport Agent,[],[],,SI-7,mitigates,5 +4777,,T1505.004,IIS Components,[],[],,SI-7,mitigates,5 +4778,,T1542,Pre-OS Boot,[],[],,SI-7,mitigates,5 +4779,,T1542.001,System Firmware,[],[],,SI-7,mitigates,5 +4780,,T1542.003,Bootkit,[],[],,SI-7,mitigates,5 +4781,,T1542.004,ROMMONkit,[],[],,SI-7,mitigates,5 +4782,,T1542.005,TFTP Boot,[],[],,SI-7,mitigates,5 +4783,,T1543.002,Systemd Service,[],[],,SI-7,mitigates,5 +4784,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-7,mitigates,5 +4785,,T1546.008,Accessibility Features,[],[],,SI-7,mitigates,5 +4786,,T1546.009,AppCert DLLs,[],[],,SI-7,mitigates,5 +4787,,T1546.010,AppInit DLLs,[],[],,SI-7,mitigates,5 +4788,,T1546.013,PowerShell Profile,[],[],,SI-7,mitigates,5 +4789,,T1547.005,Security Support Provider,[],[],,SI-7,mitigates,5 +4790,,T1547.013,XDG Autostart Entries,[],[],,SI-7,mitigates,5 +4791,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-7,mitigates,5 +4792,,T1548.004,Elevated Execution with Prompt,[],[],,SI-7,mitigates,5 +4793,,T1550.004,Web Session Cookie,[],[],,SI-7,mitigates,5 +4794,,T1552,Unsecured Credentials,[],[],,SI-7,mitigates,5 +4795,,T1552.004,Private Keys,[],[],,SI-7,mitigates,5 +4796,,T1553,Subvert Trust Controls,[],[],,SI-7,mitigates,5 +4797,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-7,mitigates,5 
+4798,,T1553.006,Code Signing Policy Modification,[],[],,SI-7,mitigates,5 +4799,,T1554,Compromise Client Software Binary,[],[],,SI-7,mitigates,5 +4800,,T1556.001,Domain Controller Authentication,[],[],,SI-7,mitigates,5 +4801,,T1556.003,Pluggable Authentication Modules,[],[],,SI-7,mitigates,5 +4802,,T1557.002,ARP Cache Poisoning,[],[],,SI-7,mitigates,5 +4803,,T1558.002,Silver Ticket,[],[],,SI-7,mitigates,5 +4804,,T1558.004,AS-REP Roasting,[],[],,SI-7,mitigates,5 +4805,,T1561,Disk Wipe,[],[],,SI-7,mitigates,5 +4806,,T1561.001,Disk Content Wipe,[],[],,SI-7,mitigates,5 +4807,,T1561.002,Disk Structure Wipe,[],[],,SI-7,mitigates,5 +4808,,T1562.002,Disable Windows Event Logging,[],[],,SI-7,mitigates,5 +4809,,T1562.004,Disable or Modify System Firewall,[],[],,SI-7,mitigates,5 +4810,,T1562.009,Safe Mode Boot,[],[],,SI-7,mitigates,5 +4811,,T1564.003,Hidden Window,[],[],,SI-7,mitigates,5 +4812,,T1564.004,NTFS File Attributes,[],[],,SI-7,mitigates,5 +4813,,T1564.006,Run Virtual Instance,[],[],,SI-7,mitigates,5 +4814,,T1564.008,Email Hiding Rules,[],[],,SI-7,mitigates,5 +4815,,T1564.009,Resource Forking,[],[],,SI-7,mitigates,5 +4816,,T1569,System Services,[],[],,SI-7,mitigates,5 +4817,,T1569.002,Service Execution,[],[],,SI-7,mitigates,5 +4818,,T1574.001,DLL Search Order Hijacking,[],[],,SI-7,mitigates,5 +4819,,T1574.004,Dylib Hijacking,[],[],,SI-7,mitigates,5 +4820,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-7,mitigates,5 +4821,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-7,mitigates,5 +4822,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-7,mitigates,5 +4823,,T1574.012,COR_PROFILER,[],[],,SI-7,mitigates,5 +4824,,T1599.001,Network Address Translation Traversal,[],[],,SI-7,mitigates,5 +4825,,T1601,Modify System Image,[],[],,SI-7,mitigates,5 +4826,,T1601.001,Patch System Image,[],[],,SI-7,mitigates,5 +4827,,T1601.002,Downgrade System Image,[],[],,SI-7,mitigates,5 +4828,,T1602,Data from Configuration Repository,[],[],,SI-7,mitigates,5 
+4829,,T1602.001,SNMP (MIB Dump),[],[],,SI-7,mitigates,5 +4830,,T1003.003,NTDS,[],[],,SI-7,mitigates,5 +4831,,T1040,Network Sniffing,[],[],,SI-7,mitigates,5 +4832,,T1056.002,GUI Input Capture,[],[],,SI-7,mitigates,5 +4833,,T1068,Exploitation for Privilege Escalation,[],[],,SI-7,mitigates,5 +4834,,T1119,Automated Collection,[],[],,SI-7,mitigates,5 +4835,,T1133,External Remote Services,[],[],,SI-7,mitigates,5 +4836,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-7,mitigates,5 +4837,,T1212,Exploitation for Credential Access,[],[],,SI-7,mitigates,5 +4838,,T1218,Signed Binary Proxy Execution,[],[],,SI-7,mitigates,5 +4839,,T1218.011,Rundll32,[],[],,SI-7,mitigates,5 +4840,,T1530,Data from Cloud Storage Object,[],[],,SI-7,mitigates,5 +4841,,T1556,Modify Authentication Process,[],[],,SI-7,mitigates,5 +4842,,T1557,Adversary-in-the-Middle,[],[],,SI-7,mitigates,5 +4843,,T1599,Network Boundary Bridging,[],[],,SI-7,mitigates,5 +4844,,T1611,Escape to Host,[],[],,SI-7,mitigates,5 +4845,,T1204,User Execution,[],[],,SI-7,mitigates,5 +4846,,T1204.002,Malicious File,[],[],,SI-7,mitigates,5 +4847,,T1027.007,Dynamic API Resolution,[],[],,SI-7,mitigates,5 +4848,,T1027.008,Stripped Payloads,[],[],,SI-7,mitigates,5 +4849,,T1027.009,Embedded Payloads,[],[],,SI-7,mitigates,5 +4850,,T1070.007,Clear Network Connection History and Configurations,[],[],,SI-7,mitigates,5 +4851,,T1070.008,Clear Mailbox Data,[],[],,SI-7,mitigates,5 +4852,,T1070.009,Clear Persistence,[],[],,SI-7,mitigates,5 +4853,,T1564.010,Process Argument Spoofing,[],[],,SI-7,mitigates,5 +4854,,T1565.003,Runtime Data Manipulation,[],[],,SI-7,mitigates,5 +4855,,T1574.013,KernelCallbackTable,[],[],,SI-7,mitigates,5 +4856,,T1647,Plist File Modification,[],[],,SI-7,mitigates,5 +4857,,T1221,Template Injection,[],[],,SI-8,mitigates,5 +4858,,T1137,Office Application Startup,[],[],,SI-8,mitigates,5 +4859,,T1137.001,Office Template Macros,[],[],,SI-8,mitigates,5 +4860,,T1137.002,Office Test,[],[],,SI-8,mitigates,5 
+4861,,T1137.003,Outlook Forms,[],[],,SI-8,mitigates,5 +4862,,T1137.004,Outlook Home Page,[],[],,SI-8,mitigates,5 +4863,,T1137.005,Outlook Rules,[],[],,SI-8,mitigates,5 +4864,,T1137.006,Add-ins,[],[],,SI-8,mitigates,5 +4865,,T1204.001,Malicious Link,[],[],,SI-8,mitigates,5 +4866,,T1204.003,Malicious Image,[],[],,SI-8,mitigates,5 +4867,,T1566,Phishing,[],[],,SI-8,mitigates,5 +4868,,T1566.001,Spearphishing Attachment,[],[],,SI-8,mitigates,5 +4869,,T1566.003,Spearphishing via Service,[],[],,SI-8,mitigates,5 +4870,,T1598,Phishing for Information,[],[],,SI-8,mitigates,5 +4871,,T1598.001,Spearphishing Service,[],[],,SI-8,mitigates,5 +4872,,T1598.002,Spearphishing Attachment,[],[],,SI-8,mitigates,5 +4873,,T1566.002,Spearphishing Link,[],[],,SI-8,mitigates,5 +4874,,T1598.003,Spearphishing Link,[],[],,SI-8,mitigates,5 +4875,,T1204,User Execution,[],[],,SI-8,mitigates,5 +4876,,T1204.002,Malicious File,[],[],,SI-8,mitigates,5 +4877,,T1059.002,AppleScript,[],[],,SR-11,mitigates,5 +4878,,T1505,Server Software Component,[],[],,SR-11,mitigates,5 +4879,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-11,mitigates,5 +4880,,T1204.003,Malicious Image,[],[],,SR-11,mitigates,5 +4881,,T1505.001,SQL Stored Procedures,[],[],,SR-11,mitigates,5 +4882,,T1505.002,Transport Agent,[],[],,SR-11,mitigates,5 +4883,,T1505.004,IIS Components,[],[],,SR-11,mitigates,5 +4884,,T1554,Compromise Client Software Binary,[],[],,SR-11,mitigates,5 +4885,,T1601,Modify System Image,[],[],,SR-11,mitigates,5 +4886,,T1601.001,Patch System Image,[],[],,SR-11,mitigates,5 +4887,,T1601.002,Downgrade System Image,[],[],,SR-11,mitigates,5 +4888,,T1059.002,AppleScript,[],[],,SR-4,mitigates,5 +4889,,T1505,Server Software Component,[],[],,SR-4,mitigates,5 +4890,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-4,mitigates,5 +4891,,T1567,Exfiltration Over Web Service,[],[],,SR-4,mitigates,5 +4892,,T1041,Exfiltration Over C2 Channel,[],[],,SR-4,mitigates,5 +4893,,T1048,Exfiltration Over Alternative Protocol,[],[],,SR-4,mitigates,5 
+4894,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SR-4,mitigates,5 +4895,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SR-4,mitigates,5 +4896,,T1052,Exfiltration Over Physical Medium,[],[],,SR-4,mitigates,5 +4897,,T1052.001,Exfiltration over USB,[],[],,SR-4,mitigates,5 +4898,,T1204.003,Malicious Image,[],[],,SR-4,mitigates,5 +4899,,T1505.001,SQL Stored Procedures,[],[],,SR-4,mitigates,5 +4900,,T1505.002,Transport Agent,[],[],,SR-4,mitigates,5 +4901,,T1505.004,IIS Components,[],[],,SR-4,mitigates,5 +4902,,T1554,Compromise Client Software Binary,[],[],,SR-4,mitigates,5 +4903,,T1601,Modify System Image,[],[],,SR-4,mitigates,5 +4904,,T1601.001,Patch System Image,[],[],,SR-4,mitigates,5 +4905,,T1601.002,Downgrade System Image,[],[],,SR-4,mitigates,5 +4906,,T1059.002,AppleScript,[],[],,SR-5,mitigates,5 +4907,,T1505,Server Software Component,[],[],,SR-5,mitigates,5 +4908,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-5,mitigates,5 +4909,,T1204.003,Malicious Image,[],[],,SR-5,mitigates,5 +4910,,T1505.001,SQL Stored Procedures,[],[],,SR-5,mitigates,5 +4911,,T1505.002,Transport Agent,[],[],,SR-5,mitigates,5 +4912,,T1505.004,IIS Components,[],[],,SR-5,mitigates,5 +4913,,T1554,Compromise Client Software Binary,[],[],,SR-5,mitigates,5 +4914,,T1601,Modify System Image,[],[],,SR-5,mitigates,5 +4915,,T1601.001,Patch System Image,[],[],,SR-5,mitigates,5 +4916,,T1601.002,Downgrade System Image,[],[],,SR-5,mitigates,5 +4917,,T1059.002,AppleScript,[],[],,SR-6,mitigates,5 +4918,,T1505,Server Software Component,[],[],,SR-6,mitigates,5 +4919,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-6,mitigates,5 +4920,,T1204.003,Malicious Image,[],[],,SR-6,mitigates,5 +4921,,T1505.001,SQL Stored Procedures,[],[],,SR-6,mitigates,5 +4922,,T1505.002,Transport Agent,[],[],,SR-6,mitigates,5 +4923,,T1505.004,IIS Components,[],[],,SR-6,mitigates,5 +4924,,T1554,Compromise Client Software Binary,[],[],,SR-6,mitigates,5 +4925,,T1601,Modify System 
Image,[],[],,SR-6,mitigates,5 +4926,,T1601.001,Patch System Image,[],[],,SR-6,mitigates,5 +4927,,T1601.002,Downgrade System Image,[],[],,SR-6,mitigates,5 +4928,,T1078,Valid Accounts,[],[],,SR-6,mitigates,5 diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_metadata.csv new file mode 100644 index 00000000..81e1e225 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r5,12.1,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,5 diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_metadata_object.csv b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_metadata_object.csv new file mode 100644 index 00000000..81e1e225 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_metadata_object.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r5,12.1,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,5 diff --git a/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_navigator_layer.json index b7e91ff3..fea1ff04 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_navigator_layer.json +++ b/src/mappings_explorer/cli/mapex/nist_files/12.1/r5/parsed_nist800-53-r5-12.1_mappings_navigator_layer.json 
@@ -1 +1 @@ -{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "12.1"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1556.006", "score": 8, "comment": "Related to Policy and Procedures, Account Management, Access Enforcement, Least Privilege, Policy and Procedures, Event Logging, Re-authentication, Identification and Authentication (Organizational Users)"}, {"techniqueID": "T1556.007", "score": 8, "comment": "Related to Policy and Procedures, Account Management, Access Enforcement, Least Privilege, Policy and Procedures, Event Logging, Re-authentication, Identification and Authentication (Organizational Users)"}, {"techniqueID": "T1137", "score": 13, "comment": "Related to Concurrent Session Control, Remote Access, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Detonation Chambers, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1137.002", "score": 10, "comment": "Related to Concurrent Session Control, Permitted Actions Without Identification or Authentication, Remote Access, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Mobile Code, Detonation Chambers, Spam Protection"}, {"techniqueID": "T1185", "score": 14, "comment": "Related to Concurrent Session Control, Session Termination, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users), Session Authenticity, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to Concurrent Session Control, 
Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, System Monitoring"}, {"techniqueID": "T1021.001", "score": 24, "comment": "Related to Device Lock, Session Termination, Remote Access, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1563.002", "score": 18, "comment": "Related to Device Lock, Session Termination, Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1072", "score": 24, "comment": "Related to Session Termination, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, 
Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Key Establishment and Management, Public Key Infrastructure Certificates, Cross Domain Policy Enforcement, Boundary Protection, Flaw Remediation, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505.005", "score": 11, "comment": "Related to Session Termination, Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1020.001", "score": 16, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Information Exchange, Baseline Configuration, Configuration Settings, System Component Inventory, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.001", "score": 21, "comment": "Related to Security 
and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505", "score": 23, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Transmission of Security and Privacy Attributes, Non-persistence, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least 
Functionality, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Identification and Authentication (non-organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Penetration Testing, Software Usage Restrictions, User-installed Software, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Protection of Information at Rest, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to Security and Privacy Attributes, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Device Identification and Authentication, Identifier Management, Boundary Protection, Information Input 
Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565", "score": 26, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, System Recovery and Reconstitution, Alternate Storage Site, Alternate Processing Site, System Backup, Protection of Information at Rest, Distributed Processing and Storage, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Information Management and Retention, Memory Protection, Information Fragmentation, System Monitoring, 
Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.001", "score": 23, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, System Recovery and Reconstitution, Alternate Storage Site, Alternate Processing Site, System Backup, Protection of Information at Rest, Distributed Processing and Storage, Information in Shared System Resources, Boundary Protection, Information Management and Retention, Memory Protection, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Information in Shared System Resources, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1567", "score": 17, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Security and Privacy Engineering Principles, External System Services, Protection of Information at Rest, Covert Channel Analysis, Boundary Protection, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component 
Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1003", "score": 22, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Backup, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Information Management and Retention, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1025", "score": 15, "comment": "Related to Security and Privacy Attributes, Account Management, Data Mining Protection, Access Enforcement, Least Privilege, Information Location, System Backup, Media Use, Security and Privacy Engineering Principles, Cryptographic Protection, Protection of Information at Rest, Operations Security, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1041", "score": 18, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Security and Privacy Engineering Principles, External System Services, Cryptographic Protection, Protection of Information at Rest, Covert Channel Analysis, Boundary Protection, Malicious Code Protection, 
System Monitoring, Provenance"}, {"techniqueID": "T1048", "score": 23, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security and Privacy Engineering Principles, External System Services, Protection of Information at Rest, Covert Channel Analysis, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1048.002", "score": 23, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security and Privacy Engineering Principles, External System Services, Protection of Information at Rest, Covert Channel Analysis, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1048.003", "score": 24, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Information Exchange, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Security and Privacy Engineering Principles, External System Services, Cryptographic Protection, Protection of Information at Rest, Covert Channel Analysis, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, 
Provenance"}, {"techniqueID": "T1052", "score": 19, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Security and Privacy Engineering Principles, Protection of Information at Rest, Port and I/O Device Access, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1052.001", "score": 19, "comment": "Related to Security and Privacy Attributes, Account Management, Use of External Systems, Data Mining Protection, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Security and Privacy Engineering Principles, Protection of Information at Rest, Port and I/O Device Access, Malicious Code Protection, System Monitoring, Provenance"}, {"techniqueID": "T1070.002", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification and 
Authentication (organizational Users), Authenticator Management, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.003", "score": 11, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Configuration Settings, Usage Restrictions, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of 
Information at Rest, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": 
"T1222.002", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505.002", "score": 23, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Transmission of Security and Privacy Attributes, Non-persistence, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Non-modifiable Executable Programs, Information Management and Retention, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Access Enforcement, Information Flow 
Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Input Validation, Information Management and Retention, Information Output Filtering, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1557.002", "score": 22, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Information in Shared System Resources, Boundary Protection, Transmission 
Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Continuous Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, 
Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Backup, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1005", "score": 13, "comment": "Related to Security and Privacy Attributes, Account Management, Data 
Mining Protection, Access Enforcement, Least Privilege, Information Location, System Backup, Security and Privacy Engineering Principles, Cryptographic Protection, Protection of Information at Rest, Operations Security, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1119", "score": 17, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Authentication Feedback, Identification and Authentication (non-organizational Users), Vulnerability Monitoring 
and Scanning, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Input Validation, Information Management and Retention, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1557", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Session Authenticity, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.008", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1647", "score": 15, "comment": "Related to Security Attributes, Remote Access, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Developer Configuration Management, Developer Security Testing And Evaluation, Security 
Engineering Principles, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1047", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Security Function Isolation, Non-modifiable Executable Programs, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059", "score": 24, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.001", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and 
Information Integrity"}, {"techniqueID": "T1059.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1059.005", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.008", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to Remote Access, Account Management, Access Enforcement, 
Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Unsupported System Components, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.004", "score": 13, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Non-persistence, Memory Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users), System Monitoring"}, {"techniqueID": "T1609", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least 
Functionality, Identification and Authentication (organizational Users), Boundary Protection, System Monitoring"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1021.003", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Cross Domain Policy Enforcement, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": 
"T1021.005", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1021.006", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to Remote Access, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to Remote Access, Least Functionality"}, {"techniqueID": "T1059.003", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.004", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, 
Baseline Configuration, Configuration Settings, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.006", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Information Input Validation, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.007", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505.004", "score": 24, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Boundary Protection, Non-persistence, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, 
Identification and Authentication (organizational Users), System Monitoring"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, System Monitoring"}, {"techniqueID": "T1563", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System 
Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cryptographic Key Establishment and Management, Session Authenticity, System Monitoring"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Boundary Protection, System Monitoring"}, {"techniqueID": "T1613", "score": 10, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Usage Restrictions, Boundary Protection, System Monitoring"}, {"techniqueID": "T1619", "score": 7, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1133", "score": 18, "comment": "Related to Remote Access, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.007", "score": 14, "comment": "Related to Remote Access, Account Management, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational 
Users), Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to Wireless Access, Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to Wireless Access, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1053", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration 
Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1078.002", "score": 12, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1078.004", "score": 22, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1098", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, 
{"techniqueID": "T1098.001", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1190", "score": 29, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Control Assessments, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Threat Hunting, Vulnerability Monitoring and Scanning, Security and Privacy Engineering Principles, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Cross Domain Policy Enforcement, Boundary Protection, Information Input 
Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1210", "score": 32, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Control Assessments, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Cross Domain Policy Enforcement, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213.003", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, System Development Life Cycle, Security and Privacy Engineering 
Principles, Flaw Remediation"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.001", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1543.003", "score": 8, "comment": "Related to Account Management, 
Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1546.003", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Non-persistence, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1547.006", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, Non-persistence, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1559", "score": 
19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Software Usage Restrictions, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.006", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Service Identification and Authentication, Session Authenticity, Transmission Confidentiality and Integrity, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, 
{"techniqueID": "T1562.008", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration 
Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1036.003", 
"score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1053.006", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1053.007", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Continuous Monitoring, Developer 
Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.003", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication 
(organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1136", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and 
Information Integrity"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.002", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.003", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1489", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for 
Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component 
Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Unsupported System Components, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.004", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to Account 
Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Flaw Remediation"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to Account Management, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, System Monitoring"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation 
of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Process Isolation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management"}, {"techniqueID": "T1559.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, 
Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1562.009", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Software Usage Restrictions, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Service Identification and Authentication, Session Authenticity, Transmission Confidentiality and Integrity, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational 
Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, 
Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability 
Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1601", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1601.001", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable 
Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1601.002", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1606", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Public Key Infrastructure Certificates, Flaw Remediation"}, {"techniqueID": "T1606.001", "score": 4, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Flaw Remediation"}, {"techniqueID": "T1606.002", "score": 3, "comment": "Related to Account Management, Access Enforcement, Least Privilege"}, {"techniqueID": "T1003.001", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Security Function Isolation, Process Isolation, Memory Protection, Flaw Remediation, Malicious 
Code Protection, System Monitoring"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1068", "score": 25, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1078", "score": 22, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Development Process, 
Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring, Supplier Assessments and Reviews"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1212", "score": 24, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, 
Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Process Isolation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1611", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Separation of System and User Functionality, Security Function Isolation, 
Non-modifiable Executable Programs, Process Isolation, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.007", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.009", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.005", "score": 7, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings"}, {"techniqueID": "T1648", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, System Monitoring"}, {"techniqueID": "T1556.005", "score": 4, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Authenticator Management"}, {"techniqueID": "T1585.003", "score": 2, "comment": "Related to Account Management, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1586.003", "score": 2, "comment": "Related to Account Management, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1621", "score": 6, "comment": "Related to Account Management, Least Privilege, Access Restriction for Change, Identification and Authentication (Organizational Users) , Device Identification and Authentication , Authenticator 
Management"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Developer Testing and Evaluation, Developer Security and Privacy Architecture and Design, Acquisition Process, Security and Privacy Engineering Principles, Security Function Isolation"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to Use of External Systems, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to Use of External Systems, Access Enforcement, Least Privilege, Media Use, Port and I/O Device Access"}, {"techniqueID": "T1098.004", "score": 15, "comment": "Related to Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cryptographic Key Establishment and Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1583.007", "score": 2, "comment": "Related to Use of External Information Systems, Boundary Protection"}, {"techniqueID": "T1584.007", "score": 2, "comment": "Related to Use of External Information Systems, Boundary Protection "}, {"techniqueID": "T1037.002", "score": 7, 
"comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1218.012", "score": 16, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate 
Storage Site, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, 
{"techniqueID": "T1499", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1565.003", "score": 13, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, System Backup, Protection of Information at Rest, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Memory Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, 
Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1048.001", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Mobile Code, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to Access Enforcement, 
Continuous Monitoring, Baseline Configuration, Least Functionality, Information in Shared System Resources, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1218.002", "score": 11, "comment": "Related to Access Enforcement, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, 
Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Cryptographic Module Authentication, Vulnerability Monitoring and Scanning, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": 
"T1561.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1199", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Least Privilege, System Use Notification, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1557.003", 
"score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1622", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, Unsupported System Components, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1203", "score": 15, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, System Component Inventory, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Detonation Chambers, 
Boundary Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1211", "score": 23, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious 
Code Protection, System Monitoring"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution 
Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to Information Flow 
Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous 
Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1204.003", "score": 18, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1564.008", "score": 8, "comment": "Related to Information Flow Enforcement, Configuration Change Control, Access Restrictions for Change, Least Functionality, Incident Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.001", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, 
Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service 
Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1046", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to Information Flow Enforcement, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Developer Security and Privacy Architecture and Design, Security and Privacy Engineering Principles, Cross Domain Policy Enforcement, Boundary Protection"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous 
Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1205.002", "score": 2, "comment": "Related to Information Flow Enforncement, Information System Monitoring"}, {"techniqueID": "T1106", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to Least Privilege, Access Restrictions for Change"}, {"techniqueID": "T1055.002", "score": 6, "comment": 
"Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Least Privilege, Least Functionality"}, {"techniqueID": "T1137.001", "score": 10, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Detonation Chambers, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1137.003", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Detonation Chambers, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.004", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Detonation Chambers, Flaw Remediation, Spam 
Protection"}, {"techniqueID": "T1137.005", "score": 7, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Detonation Chambers, Flaw Remediation, Spam Protection"}, {"techniqueID": "T1137.006", "score": 6, "comment": "Related to Least Privilege, Baseline Configuration, Configuration Settings, Mobile Code, Detonation Chambers, Spam Protection"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to Least Privilege, Flaw Remediation"}, {"techniqueID": "T1553", "score": 19, "comment": "Related to Least Privilege, Penetration Testing, Software Usage Restrictions, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Cryptographic Module Authentication, Service Identification and Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Information Input Validation, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.006", "score": 13, "comment": "Related to Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Least Functionality, System Component Inventory, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1546.016", "score": 7, "comment": "Related to Least Privilege, 
Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1593.003", "score": 3, "comment": "Related to Response to Audit Processing Failure, Audit Review, Analysis, & Reporting, Information System Component Inventory"}, {"techniqueID": "T1649", "score": 3, "comment": "Related to Audit Review, Analysis, and Reporting , Identification and Authentication (Organizational Users) , Authenticator Management"}, {"techniqueID": "T1195", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.001", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.002", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to Continuous Monitoring, 
Authenticator Management, System Monitoring"}, {"techniqueID": "T1036.007", "score": 6, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), System Monitoring"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to Continuous Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1564.010", "score": 3, "comment": "Related to Continuous Monitoring, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.013", "score": 7, "comment": "Related to Continuous Monitoring, Penetration Testing, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.001", "score": 14, "comment": "Related to Penetration Testing, User-installed Software, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring 
and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Non-persistence, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1554", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Monitoring and Scanning, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to Penetration Testing, Configuration Change Control, Access Restrictions for Change, System Component Inventory, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Monitoring and Scanning, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.004", "score": 6, "comment": 
"Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), System Monitoring"}, {"techniqueID": "T1218.003", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.004", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.008", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.009", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.013", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, 
System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.014", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.001", "score": 10, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Mobile Code, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.005", "score": 11, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.009", "score": 13, "comment": "Related to User-installed Software, Baseline Configuration, Configuration Settings, Least Functionality, Developer Configuration Management, Information in Shared System Resources, Detonation Chambers, Resource Availability, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": 
"T1216", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.006", "score": 14, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Service Identification and Authentication, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Monitoring and Scanning, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to Baseline 
Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1562.010", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification and Authentication, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.010", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to Baseline Configuration, Configuration 
Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Mobile Code, Non-modifiable Executable Programs, Information Management and Retention, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, System Monitoring"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Authenticator Management, System Monitoring"}, {"techniqueID": "T1559.003", "score": 7, "comment": "Related to Access Restrictions for Change, Configuration Settings, Least Functionality, Developer Configuration Management, Developer Security Testing And Evaluation, Security Engineering Principles, Information System Monitoring"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Protection of Information at Rest, System Monitoring"}, {"techniqueID": 
"T1564.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Flaw Remediation"}, {"techniqueID": 
"T1535", "score": 1, "comment": "Related to Session Authenticity"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to Session Authenticity, Transmission Confidentiality and Integrity, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1595.003", "score": 1, "comment": "Related to Information in Shared System Resources"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to Transmission Confidentiality and Integrity"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1027.007", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1027.008", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1027.009", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1055.015", "score": 1, "comment": "Related to Malicious Code Protection"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file +{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "12.1"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1556.006", "score": 8, "comment": "Related to AC-1, AC-2, AC-3, AC-6, AU-1, AU-2, IA-11, IA-2"}, {"techniqueID": "T1556.007", "score": 8, "comment": "Related to AC-1, AC-2, AC-3, AC-6, AU-1, AU-2, IA-11, IA-2"}, {"techniqueID": "T1137", "score": 13, "comment": "Related to AC-10, AC-17, AC-6, CM-2, CM-6, CM-8, 
RA-5, SC-18, SC-44, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1137.002", "score": 10, "comment": "Related to AC-10, AC-14, AC-17, AC-6, CM-2, CM-5, CM-6, SC-18, SC-44, SI-8"}, {"techniqueID": "T1185", "score": 14, "comment": "Related to AC-10, AC-12, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, IA-2, SC-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to AC-10, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1021.001", "score": 24, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-5, IA-6, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1563.002", "score": 18, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1072", "score": 24, "comment": "Related to AC-12, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, SC-12, SC-17, SC-46, SC-7, SI-2, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1505.005", "score": 11, "comment": "Related to AC-12, AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1020.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-4, CA-3, CM-2, CM-6, CM-8, SC-4, SC-7, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1070", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.001", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1505", "score": 23, "comment": 
"Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, RA-5, SA-10, SA-11, SC-16, SI-14, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to AC-16, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-8, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to AC-16, AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-19, AC-20, CA-8, CM-10, CM-11, CM-2, CM-6, IA-2, IA-4, SC-28, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to AC-16, AC-20, AC-3, AC-4, CA-7, CM-6, CM-7, IA-3, IA-4, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565", "score": 26, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-46, SC-7, SI-12, SI-16, SI-23, SI-4, SI-7"}, {"techniqueID": "T1565.001", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, CA-7, CM-2, CM-6, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-23, SI-4, SI-7"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1567", "score": 17, "comment": "Related to AC-16, AC-2, AC-20, AC-23, 
AC-3, AC-4, AC-6, CA-3, CA-7, SA-8, SA-9, SC-28, SC-31, SC-7, SI-3, SI-4, SR-4"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003", "score": 22, "comment": "Related to AC-16, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CP-9, IA-2, IA-4, IA-5, SC-28, SC-39, SI-12, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1025", "score": 15, "comment": "Related to AC-16, AC-2, AC-23, AC-3, AC-6, CM-12, CP-9, MP-7, SA-8, SC-13, SC-28, SC-38, SC-41, SI-3, SI-4"}, {"techniqueID": "T1041", "score": 18, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, SA-8, SA-9, SC-13, SC-28, SC-31, SC-7, SI-3, SI-4, SR-4"}, {"techniqueID": "T1048", "score": 23, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-28, SC-31, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4, SR-4"}, {"techniqueID": "T1048.002", "score": 23, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-28, SC-31, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4, SR-4"}, {"techniqueID": "T1048.003", "score": 24, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-4, AC-6, CA-3, CA-7, CM-2, CM-6, CM-7, SA-8, SA-9, SC-13, SC-28, SC-31, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4, SR-4"}, {"techniqueID": "T1052", "score": 19, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SA-8, SC-28, SC-41, SI-3, SI-4, SR-4"}, {"techniqueID": "T1052.001", "score": 19, "comment": "Related to AC-16, AC-2, AC-20, AC-23, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SA-8, SC-28, SC-41, SI-3, SI-4, SR-4"}, {"techniqueID": "T1070.002", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, 
CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.003", "score": 11, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, CM-6, SC-43, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1505.002", "score": 23, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, RA-5, SA-10, SA-11, SC-16, SI-14, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to 
AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-2, SI-4, SI-7"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1557.002", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to AC-16, AC-3, CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CP-9, IA-2, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1005", "score": 13, "comment": "Related to AC-16, AC-2, AC-23, AC-3, AC-6, CM-12, CP-9, SA-8, SC-13, SC-28, SC-38, SI-3, SI-4"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to AC-16, AC-17, AC-18, AC-19, IA-2, IA-5, SC-4, SC-8, 
SI-12, SI-4, SI-7"}, {"techniqueID": "T1119", "score": 17, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-4, SI-7"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8, RA-5, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-4, SI-7"}, {"techniqueID": "T1557", "score": 24, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-46, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.008", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1647", "score": 15, "comment": "Related to AC-16, AC-17, AC-3, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, SA-10, SA-11, SA-8, SI-4, SI-7"}, {"techniqueID": "T1047", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SC-3, SC-34, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059", "score": 24, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SC-18, SI-10, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.001", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-8, IA-2, IA-8, IA-9, RA-5, SI-10, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, IA-9, SI-10, SI-16, SI-3, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1059.005", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.008", "score": 15, "comment": 
"Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-8, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to AC-17, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-7, CM-2, CM-5, CM-6, SI-4, SI-7"}, {"techniqueID": "T1547.004", "score": 13, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-14, SI-16, SI-4, SI-7"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1609", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-6, CM-7, SC-7, SI-10, SI-7"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1021.003", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-46, SC-7, SI-3, SI-4"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, CM-8, IA-2, IA-5, RA-5, SI-4"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1021.006", "score": 16, "comment": 
"Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to AC-17, AC-3, CA-7, CM-2, CM-6, CM-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to AC-17, CM-7"}, {"techniqueID": "T1059.003", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.004", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-2, CM-6, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.006", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-11, CM-2, CM-3, CM-5, CM-6, SI-10, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.007", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1505.004", "score": 24, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-8, CM-11, CM-2, CM-6, CM-7, CM-8, IA-2, RA-5, SA-10, SA-11, SC-7, SI-14, SI-16, SI-3, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SI-4"}, {"techniqueID": "T1563", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SC-23, SI-4"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to AC-17, 
AC-2, AC-3, AC-6, CA-8, CM-6, CM-7, RA-5, SA-11, SC-7, SI-4"}, {"techniqueID": "T1613", "score": 10, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-43, SC-7, SI-4"}, {"techniqueID": "T1619", "score": 7, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1133", "score": 18, "comment": "Related to AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1552.007", "score": 14, "comment": "Related to AC-17, AC-2, AC-23, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SC-8"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to AC-18, CM-6, CM-7, SI-4"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to AC-18, CM-2, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1053", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1078.002", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-12, IA-2, IA-5, SI-4"}, {"techniqueID": "T1078.004", "score": 22, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-12, IA-2, IA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1098", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-46, 
SC-7, SI-4"}, {"techniqueID": "T1098.001", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1190", "score": 29, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-10, RA-5, SA-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-46, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1210", "score": 32, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-46, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1213.003", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, IA-2, IA-9, RA-5, SA-10, SA-11, SA-15, SA-3, SA-8, SI-2"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, RA-9, SA-10, SA-11, SI-2, SI-7"}, {"techniqueID": "T1505.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.001", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-2, CM-5, IA-2"}, {"techniqueID": "T1543.003", "score": 8, "comment": "Related to AC-2, AC-3, 
AC-5, AC-6, CM-11, CM-2, CM-5, IA-2"}, {"techniqueID": "T1546.003", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, SI-14, SI-3, SI-4"}, {"techniqueID": "T1547.006", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-4, IA-8, RA-5, SI-10, SI-14, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-2, SI-4"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1559", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-10, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.006", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-10, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, SC-23, SC-8, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, 
CM-5, CM-6, CM-7, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1053.006", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, IA-2, SI-4, SI-7"}, {"techniqueID": "T1053.007", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, IA-8"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to AC-2, AC-5, AC-6, CA-7, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.003", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-12, IA-2, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, 
{"techniqueID": "T1110.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1136", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1136.002", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.003", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1489", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SI-4"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-7"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, 
CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-8, RA-5, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.004", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-2, CM-5, IA-2"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SI-2"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to AC-2, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-4"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to AC-2, AC-5, AC-6, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SI-2, SI-4"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5"}, {"techniqueID": "T1559.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, SC-18, SC-3, SC-7, SI-3"}, 
{"techniqueID": "T1562.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.009", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-10, CM-5, CM-6, CM-7, IA-2, IA-9, SC-23, SC-8, SI-7"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-6, CM-8, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.001", "score": 11, "comment": 
"Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1601", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1601.001", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1601.002", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1606", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, SC-17, SI-2"}, {"techniqueID": "T1606.001", "score": 4, "comment": "Related to AC-2, AC-3, AC-6, SI-2"}, {"techniqueID": "T1606.002", "score": 3, "comment": "Related to AC-2, AC-3, AC-6"}, {"techniqueID": "T1003.001", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-3, SC-39, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1068", "score": 25, 
"comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1078", "score": 22, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-12, IA-2, IA-5, RA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4, SR-6"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1212", "score": 24, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1218", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1611", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-2, SC-3, SC-34, SC-39, SC-7, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.007", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.009", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1098.005", "score": 7, "comment": "Related 
to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6"}, {"techniqueID": "T1648", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1556.005", "score": 4, "comment": "Related to AC-2, AC-5, AC-6, IA-5"}, {"techniqueID": "T1585.003", "score": 2, "comment": "Related to AC-2, IA-2"}, {"techniqueID": "T1586.003", "score": 2, "comment": "Related to AC-2, IA-2"}, {"techniqueID": "T1621", "score": 6, "comment": "Related to AC-2, AC-6, CM-5, IA-2, IA-3, IA-5"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to AC-20, AC-3, AC-4, AC-5, AC-6, CM-2, CM-6, SA-11, SA-17, SA-4, SA-8, SC-3"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to AC-20, AC-3, AC-6, CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to AC-20, AC-3, AC-6, MP-7, SC-41"}, {"techniqueID": "T1098.004", "score": 15, "comment": "Related to AC-20, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SI-3, SI-4"}, {"techniqueID": "T1583.007", "score": 2, "comment": "Related to AC-20, SC-7"}, {"techniqueID": "T1584.007", "score": 2, "comment": "Related to AC-20, SC-7"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1218.012", "score": 16, "comment": "Related to AC-3, 
AC-4, CA-7, CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-10, SI-15, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-6, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-7, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1565.003", "score": 13, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, CP-9, SC-28, SC-4, SC-46, SC-7, SI-16, SI-4, SI-7"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.004", 
"score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1048.001", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to AC-3, AC-6, CA-7, SC-18, SC-7, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to AC-3, CA-7, CM-2, CM-7, SC-4, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1218.002", "score": 11, "comment": "Related to AC-3, CA-7, CM-11, CM-2, CM-6, CM-7, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to AC-3, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, RA-5, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-10, CM-2, CM-6, IA-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561", "score": 10, 
"comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1199", "score": 8, "comment": "Related to AC-3, AC-4, AC-6, AC-8, CM-6, CM-7, SC-46, SC-7"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-46, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1557.003", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-46, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1622", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-46, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to AC-4, AC-6, CA-7, CM-2, CM-6, CM-8, SA-22, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1203", "score": 15, "comment": "Related to AC-4, AC-6, CA-7, CM-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-44, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1211", "score": 23, "comment": "Related to AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to AC-4, AC-6, CM-10, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, 
{"techniqueID": "T1568.002", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.002", 
"score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1204.003", "score": 18, "comment": "Related to AC-4, CA-7, CA-8, CM-2, CM-6, CM-7, RA-5, SC-44, SC-7, SI-2, SI-3, SI-4, SI-7, SI-8, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1564.008", "score": 8, "comment": "Related to AC-4, CM-3, CM-5, CM-7, IR-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.001", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related 
to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1046", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-46, SC-7, SI-3, SI-4"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to AC-4, CA-8, CM-6, CM-7, RA-5, SA-17, SA-8, SC-46, SC-7"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1205.002", "score": 2, "comment": "Related to AC-4, SI-4"}, {"techniqueID": "T1106", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, CM-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, RA-5, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to AC-6, CM-5"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": 
"T1055.005", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to AC-6, CM-7"}, {"techniqueID": "T1137.001", "score": 10, "comment": "Related to AC-6, CM-2, CM-6, CM-8, RA-5, SC-18, SC-44, SI-3, SI-4, SI-8"}, {"techniqueID": "T1137.003", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SC-44, SI-2, SI-8"}, {"techniqueID": "T1137.004", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SC-44, SI-2, SI-8"}, {"techniqueID": "T1137.005", "score": 7, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SC-44, SI-2, SI-8"}, {"techniqueID": "T1137.006", "score": 6, "comment": "Related to AC-6, CM-2, CM-6, SC-18, SC-44, SI-8"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to AC-6, SI-2"}, {"techniqueID": "T1553", "score": 19, "comment": "Related to AC-6, CA-8, CM-10, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, IA-9, RA-9, SA-10, SA-11, SC-34, SI-10, SI-2, SI-4, SI-7"}, {"techniqueID": "T1553.006", "score": 13, "comment": "Related to AC-6, CA-8, CM-3, CM-5, CM-7, CM-8, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1546.016", "score": 7, "comment": "Related to AC-6, CA-7, CM-5, CM-6, SI-2, SI-3, SI-4"}, {"techniqueID": "T1593.003", "score": 3, "comment": "Related to AU-5, AU-6, CM-8"}, {"techniqueID": "T1649", "score": 3, "comment": "Related to AU-5, IA-2, IA-5"}, {"techniqueID": "T1195", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, 
CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.001", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.002", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1036.007", "score": 6, "comment": "Related to CA-7, CM-2, CM-6, CM-7, IA-2, SI-4"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1564.010", "score": 3, "comment": "Related to CA-7, SI-4, SI-7"}, {"techniqueID": "T1574.013", "score": 7, "comment": "Related to CA-7, CA-8, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1505.001", "score": 14, "comment": "Related to CA-8, CM-11, CM-2, CM-6, CM-8, RA-5, SA-10, SA-11, SI-14, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1554", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, IA-9, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, CM-7, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to CA-8, CM-3, CM-5, 
CM-8, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, IA-9, SC-20, SI-4"}, {"techniqueID": "T1218.003", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.004", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.008", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.009", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.013", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.014", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.001", "score": 10, "comment": "Related to CM-11, CM-2, CM-6, CM-7, SC-18, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.005", "score": 11, "comment": "Related to CM-11, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.009", "score": 13, "comment": "Related to CM-11, CM-2, CM-6, CM-7, SA-10, SC-4, SC-44, SC-6, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to CM-2, CM-6, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": 
"T1546", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.006", "score": 14, "comment": "Related to CM-2, CM-6, CM-7, CM-8, IA-9, SI-10, SI-2, SI-3, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to CM-2, CM-6, RA-5, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to CM-2, CM-6, CM-7, SI-4"}, {"techniqueID": "T1562.010", "score": 4, "comment": "Related to CM-2, CM-6, RA-5, SI-4"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to CM-2, CM-6, IA-9, SI-4, SI-7"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SI-3, SI-4"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-4"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546.010", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-2, SI-7"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to CM-2, CM-6, IA-2, IA-5, SI-2, SI-4"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to CM-2, CM-6, CM-8, SI-4"}, 
{"techniqueID": "T1555.004", "score": 5, "comment": "Related to CM-2, CM-6, CM-7, IA-5, SI-4"}, {"techniqueID": "T1559.003", "score": 7, "comment": "Related to CM-5, CM-6, CM-7, SA-10, SA-11, SA-8, SI-4"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to CM-6, CM-7, SC-28, SI-4"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to CM-6, CM-7, SI-10, SI-7"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SI-2"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to SC-23"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to SC-23, SC-8, SI-7"}, {"techniqueID": "T1595.003", "score": 1, "comment": "Related to SC-4"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to SC-8"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.007", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.008", "score": 4, "comment": "Related to 
SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.009", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1055.015", "score": 1, "comment": "Related to SI-3"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings.yaml b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings.yaml index 4c982cf2..bd2153e4 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings.yaml @@ -1,7 +1,7 @@ attack-objects: - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -9,7 +9,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -17,7 +17,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25,7 +25,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33,7 +33,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -41,7 +41,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -49,7 +49,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -57,7 +57,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -65,7 +65,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Permitted Actions Without Identification Or Authentication + capability-id: AC-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -73,7 +73,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -81,7 +81,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -89,7 +89,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -97,7 +97,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -105,7 +105,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -113,7 +113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -121,7 +121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -129,7 +129,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -137,7 +137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -145,7 +145,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -153,7 +153,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -161,7 +161,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -169,7 +169,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -177,7 +177,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -185,7 +185,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -193,7 +193,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -201,7 +201,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -209,7 +209,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -217,7 +217,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -225,7 +225,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -233,7 +233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -241,7 +241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -249,7 +249,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -257,7 +257,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -265,7 +265,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -273,7 +273,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -281,7 +281,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -289,7 +289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -297,7 +297,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -305,7 +305,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -313,7 +313,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -321,7 +321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -329,7 +329,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -337,7 +337,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -345,7 +345,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -353,7 +353,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -361,7 +361,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -369,7 +369,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -377,7 +377,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -385,7 +385,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -393,7 +393,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -401,7 +401,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -409,7 +409,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -417,7 +417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -425,7 +425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -433,7 +433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -441,7 +441,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -449,7 +449,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -457,7 +457,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -465,7 +465,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -473,7 +473,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -481,7 +481,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -489,7 +489,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -497,7 +497,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -505,7 +505,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -513,7 +513,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -521,7 +521,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -529,7 +529,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -537,7 +537,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -545,7 +545,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -553,7 +553,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -561,7 +561,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -569,7 +569,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -577,7 +577,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -585,7 +585,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -593,7 +593,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -601,7 +601,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -609,7 +609,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -617,7 +617,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -625,7 +625,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -633,7 +633,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -641,7 +641,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -649,7 +649,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -657,7 +657,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -665,7 +665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -673,7 +673,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -681,7 +681,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -689,7 +689,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -697,7 +697,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -705,7 +705,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -713,7 +713,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -721,7 +721,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -729,7 +729,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -737,7 +737,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -745,7 +745,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -753,7 +753,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -761,7 +761,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -769,7 +769,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -777,7 +777,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -785,7 +785,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -793,7 +793,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -801,7 +801,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -809,7 +809,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -817,7 +817,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -825,7 +825,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -833,7 +833,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -841,7 +841,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -849,7 +849,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -857,7 +857,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -865,7 +865,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -873,7 +873,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -881,7 +881,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -889,7 +889,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -897,7 +897,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -905,7 +905,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -913,7 +913,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -921,7 +921,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -929,7 +929,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -937,7 +937,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -945,7 +945,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -953,7 +953,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -961,7 +961,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -969,7 +969,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -977,7 +977,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -985,7 +985,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -993,7 +993,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1001,7 +1001,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1009,7 +1009,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1017,7 +1017,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1025,7 +1025,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1033,7 +1033,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1041,7 +1041,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1049,7 +1049,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1057,7 +1057,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1065,7 +1065,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1073,7 +1073,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1081,7 +1081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1089,7 +1089,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1097,7 +1097,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1105,7 +1105,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1113,7 +1113,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1121,7 +1121,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1129,7 +1129,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1137,7 +1137,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1145,7 +1145,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1153,7 +1153,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1161,7 +1161,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1169,7 +1169,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1177,7 +1177,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1185,7 +1185,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1193,7 +1193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1201,7 +1201,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1209,7 +1209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1217,7 +1217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1225,7 +1225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1233,7 +1233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1241,7 +1241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1249,7 +1249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1257,7 +1257,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1265,7 +1265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1273,7 +1273,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1281,7 +1281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1289,7 +1289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1297,7 +1297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1305,7 +1305,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1313,7 +1313,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1321,7 +1321,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1329,7 +1329,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1337,7 +1337,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1345,7 +1345,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1353,7 +1353,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1361,7 +1361,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1369,7 +1369,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1377,7 +1377,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1385,7 +1385,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1393,7 +1393,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1401,7 +1401,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1409,7 +1409,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1417,7 +1417,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1425,7 +1425,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1433,7 +1433,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1441,7 +1441,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1449,7 +1449,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1457,7 +1457,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1465,7 +1465,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1473,7 +1473,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1481,7 +1481,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1489,7 +1489,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1497,7 +1497,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1505,7 +1505,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1513,7 +1513,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1521,7 +1521,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1529,7 +1529,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1537,7 +1537,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1545,7 +1545,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1553,7 +1553,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1561,7 +1561,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1569,7 +1569,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1577,7 +1577,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1585,7 +1585,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1593,7 +1593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1601,7 +1601,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1609,7 +1609,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1617,7 +1617,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1625,7 +1625,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1633,7 +1633,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1641,7 +1641,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1649,7 +1649,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1657,7 +1657,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1665,7 +1665,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1673,7 +1673,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1681,7 +1681,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1689,7 +1689,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1697,7 +1697,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1705,7 +1705,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1713,7 +1713,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1721,7 +1721,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1729,7 +1729,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1737,7 +1737,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1745,7 +1745,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1753,7 +1753,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1761,7 +1761,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1769,7 +1769,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1777,7 +1777,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1785,7 +1785,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1793,7 +1793,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1801,7 +1801,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1809,7 +1809,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1817,7 +1817,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1825,7 +1825,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1833,7 +1833,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1841,7 +1841,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1849,7 +1849,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1857,7 +1857,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1865,7 +1865,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1873,7 +1873,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1881,7 +1881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1889,7 +1889,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1897,7 +1897,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1905,7 +1905,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1913,7 +1913,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1921,7 +1921,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1929,7 +1929,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1937,7 +1937,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1945,7 +1945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1953,7 +1953,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1961,7 +1961,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1969,7 +1969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1977,7 +1977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1985,7 +1985,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1993,7 +1993,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2001,7 +2001,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2009,7 +2009,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2017,7 +2017,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2025,7 +2025,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2033,7 +2033,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2041,7 +2041,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2049,7 +2049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2057,7 +2057,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2065,7 +2065,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2073,7 +2073,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2081,7 +2081,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2089,7 +2089,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2097,7 +2097,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2105,7 +2105,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2113,7 +2113,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2121,7 +2121,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2129,7 +2129,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2137,7 +2137,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2145,7 +2145,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2153,7 +2153,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2161,7 +2161,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2169,7 +2169,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2177,7 +2177,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2185,7 +2185,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2193,7 +2193,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2201,7 +2201,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2209,7 +2209,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2217,7 +2217,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2225,7 +2225,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2233,7 +2233,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2241,7 +2241,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2249,7 +2249,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2257,7 +2257,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2265,7 +2265,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2273,7 +2273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2281,7 +2281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2289,7 +2289,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2297,7 +2297,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2305,7 +2305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2313,7 +2313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2321,7 +2321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2329,7 +2329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2337,7 +2337,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2345,7 +2345,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2353,7 +2353,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2361,7 +2361,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2369,7 +2369,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2377,7 +2377,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2385,7 +2385,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2393,7 +2393,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2401,7 +2401,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2409,7 +2409,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2417,7 +2417,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2425,7 +2425,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2433,7 +2433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2441,7 +2441,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2449,7 +2449,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2457,7 +2457,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2465,7 +2465,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2473,7 +2473,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2481,7 +2481,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2489,7 +2489,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2497,7 +2497,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2505,7 +2505,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2513,7 +2513,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2521,7 +2521,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2529,7 +2529,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2537,7 +2537,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2545,7 +2545,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2553,7 +2553,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2561,7 +2561,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2569,7 +2569,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2577,7 +2577,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2585,7 +2585,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2593,7 +2593,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2601,7 +2601,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2609,7 +2609,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2617,7 +2617,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2625,7 +2625,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2633,7 +2633,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2641,7 +2641,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2649,7 +2649,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2657,7 +2657,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2665,7 +2665,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2673,7 +2673,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2681,7 +2681,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2689,7 +2689,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2697,7 +2697,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2705,7 +2705,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2713,7 +2713,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2721,7 +2721,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2729,7 +2729,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2737,7 +2737,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2745,7 +2745,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2753,7 +2753,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2761,7 +2761,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2769,7 +2769,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2777,7 +2777,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2785,7 +2785,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2793,7 +2793,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2801,7 +2801,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2809,7 +2809,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2817,7 +2817,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2825,7 +2825,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2833,7 +2833,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -2841,7 +2841,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2849,7 +2849,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -2857,7 +2857,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -2865,7 +2865,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2873,7 +2873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2881,7 +2881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2889,7 +2889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2897,7 +2897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2905,7 +2905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2913,7 +2913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2921,7 +2921,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2929,7 +2929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2937,7 +2937,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2945,7 +2945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2953,7 +2953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2961,7 +2961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2969,7 +2969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2977,7 +2977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2985,7 +2985,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2993,7 +2993,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3001,7 +3001,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3009,7 +3009,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3017,7 +3017,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3025,7 +3025,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3033,7 +3033,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3041,7 +3041,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3049,7 +3049,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3057,7 +3057,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3065,7 +3065,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3073,7 +3073,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3081,7 +3081,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3089,7 +3089,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3097,7 +3097,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3105,7 +3105,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3113,7 +3113,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3121,7 +3121,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3129,7 +3129,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3137,7 +3137,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3145,7 +3145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3153,7 +3153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3161,7 +3161,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3169,7 +3169,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3177,7 +3177,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3185,7 +3185,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3193,7 +3193,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3201,7 +3201,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3209,7 +3209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3217,7 +3217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3225,7 +3225,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3233,7 +3233,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3241,7 +3241,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3249,7 +3249,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3257,7 +3257,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3265,7 +3265,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3273,7 +3273,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3281,7 +3281,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3289,7 +3289,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3297,7 +3297,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3305,7 +3305,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3313,7 +3313,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3321,7 +3321,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3329,7 +3329,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3337,7 +3337,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3345,7 +3345,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3353,7 +3353,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3361,7 +3361,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3369,7 +3369,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3377,7 +3377,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3385,7 +3385,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3393,7 +3393,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3401,7 +3401,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3409,7 +3409,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3417,7 +3417,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3425,7 +3425,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3433,7 +3433,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3441,7 +3441,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3449,7 +3449,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3457,7 +3457,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3465,7 +3465,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3473,7 +3473,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3481,7 +3481,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3489,7 +3489,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3497,7 +3497,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3505,7 +3505,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3513,7 +3513,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3521,7 +3521,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3529,7 +3529,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3537,7 +3537,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3545,7 +3545,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3553,7 +3553,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3561,7 +3561,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3569,7 +3569,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3577,7 +3577,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3585,7 +3585,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3593,7 +3593,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3601,7 +3601,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3609,7 +3609,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3617,7 +3617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3625,7 +3625,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3633,7 +3633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3641,7 +3641,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3649,7 +3649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3657,7 +3657,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3665,7 +3665,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3673,7 +3673,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3681,7 +3681,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3689,7 +3689,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3697,7 +3697,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3705,7 +3705,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3713,7 +3713,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3721,7 +3721,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3729,7 +3729,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3737,7 +3737,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3745,7 +3745,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3753,7 +3753,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3761,7 +3761,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3769,7 +3769,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3777,7 +3777,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3785,7 +3785,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3793,7 +3793,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3801,7 +3801,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3809,7 +3809,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3817,7 +3817,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3825,7 +3825,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3833,7 +3833,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3841,7 +3841,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3849,7 +3849,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3857,7 +3857,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3865,7 +3865,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3873,7 +3873,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3881,7 +3881,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3889,7 +3889,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3897,7 +3897,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3905,7 +3905,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3913,7 +3913,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3921,7 +3921,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3929,7 +3929,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3937,7 +3937,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3945,7 +3945,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3953,7 +3953,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3961,7 +3961,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3969,7 +3969,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3977,7 +3977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3985,7 +3985,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3993,7 +3993,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4001,7 +4001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4009,7 +4009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4017,7 +4017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4025,7 +4025,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4033,7 +4033,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4041,7 +4041,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4049,7 +4049,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4057,7 +4057,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4065,7 +4065,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4073,7 +4073,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4081,7 +4081,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4089,7 +4089,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4097,7 +4097,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4105,7 +4105,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4113,7 +4113,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4121,7 +4121,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4129,7 +4129,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4137,7 +4137,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4145,7 +4145,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4153,7 +4153,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4161,7 +4161,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4169,7 +4169,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4177,7 +4177,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4185,7 +4185,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4193,7 +4193,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4201,7 +4201,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4209,7 +4209,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4217,7 +4217,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4225,7 +4225,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4233,7 +4233,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4241,7 +4241,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4249,7 +4249,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4257,7 +4257,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4265,7 +4265,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4273,7 +4273,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4281,7 +4281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4289,7 +4289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4297,7 +4297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4305,7 +4305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4313,7 +4313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4321,7 +4321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4329,7 +4329,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4337,7 +4337,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4345,7 +4345,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4353,7 +4353,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4361,7 +4361,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4369,7 +4369,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4377,7 +4377,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4385,7 +4385,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4393,7 +4393,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4401,7 +4401,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4409,7 +4409,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4417,7 +4417,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4425,7 +4425,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4433,7 +4433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4441,7 +4441,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4449,7 +4449,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4457,7 +4457,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4465,7 +4465,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4473,7 +4473,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4481,7 +4481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4489,7 +4489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4497,7 +4497,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4505,7 +4505,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4513,7 +4513,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4521,7 +4521,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4529,7 +4529,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4537,7 +4537,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4545,7 +4545,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4553,7 +4553,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4561,7 +4561,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4569,7 +4569,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4577,7 +4577,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4585,7 +4585,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4593,7 +4593,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4601,7 +4601,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4609,7 +4609,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4617,7 +4617,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4625,7 +4625,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4633,7 +4633,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4641,7 +4641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4649,7 +4649,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4657,7 +4657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4665,7 +4665,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4673,7 +4673,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4681,7 +4681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4689,7 +4689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4697,7 +4697,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4705,7 +4705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4713,7 +4713,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4721,7 +4721,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4729,7 +4729,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4737,7 +4737,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4745,7 +4745,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4753,7 +4753,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4761,7 +4761,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4769,7 +4769,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4777,7 +4777,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4785,7 +4785,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4793,7 +4793,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4801,7 +4801,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4809,7 +4809,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4817,7 +4817,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4825,7 +4825,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4833,7 +4833,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4841,7 +4841,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4849,7 +4849,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4857,7 +4857,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4865,7 +4865,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4873,7 +4873,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4881,7 +4881,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4889,7 +4889,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4897,7 +4897,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4905,7 +4905,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4913,7 +4913,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4921,7 +4921,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4929,7 +4929,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4937,7 +4937,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4945,7 +4945,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4953,7 +4953,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4961,7 +4961,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4969,7 +4969,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4977,7 +4977,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4985,7 +4985,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4993,7 +4993,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5001,7 +5001,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5009,7 +5009,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5017,7 +5017,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5025,7 +5025,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5033,7 +5033,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5041,7 +5041,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5049,7 +5049,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5057,7 +5057,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5065,7 +5065,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5073,7 +5073,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5081,7 +5081,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5089,7 +5089,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5097,7 +5097,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5105,7 +5105,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5113,7 +5113,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5121,7 +5121,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5129,7 +5129,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5137,7 +5137,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5145,7 +5145,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5153,7 +5153,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5161,7 +5161,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5169,7 +5169,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5177,7 +5177,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5185,7 +5185,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5193,7 +5193,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5201,7 +5201,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5209,7 +5209,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5217,7 +5217,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5225,7 +5225,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5233,7 +5233,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5241,7 +5241,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5249,7 +5249,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5257,7 +5257,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5265,7 +5265,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5273,7 +5273,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5281,7 +5281,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5289,7 +5289,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5297,7 +5297,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5305,7 +5305,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5313,7 +5313,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5321,7 +5321,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5329,7 +5329,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5337,7 +5337,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5345,7 +5345,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5353,7 +5353,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5361,7 +5361,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5369,7 +5369,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5377,7 +5377,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5385,7 +5385,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5393,7 +5393,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5401,7 +5401,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5409,7 +5409,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5417,7 +5417,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5425,7 +5425,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5433,7 +5433,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5441,7 +5441,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5449,7 +5449,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5457,7 +5457,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5465,7 +5465,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5473,7 +5473,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5481,7 +5481,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5489,7 +5489,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5497,7 +5497,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5505,7 +5505,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5513,7 +5513,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5521,7 +5521,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5529,7 +5529,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5537,7 +5537,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5545,7 +5545,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5553,7 +5553,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5561,7 +5561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5569,7 +5569,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5577,7 +5577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5585,7 +5585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5593,7 +5593,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5601,7 +5601,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5609,7 +5609,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5617,7 +5617,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5625,7 +5625,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5633,7 +5633,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5641,7 +5641,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5649,7 +5649,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5657,7 +5657,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5665,7 +5665,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5673,7 +5673,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5681,7 +5681,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5689,7 +5689,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5697,7 +5697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5705,7 +5705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5713,7 +5713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5721,7 +5721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5729,7 +5729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5737,7 +5737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5745,7 +5745,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5753,7 +5753,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5761,7 +5761,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5769,7 +5769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5777,7 +5777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5785,7 +5785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5793,7 +5793,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5801,7 +5801,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5809,7 +5809,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5817,7 +5817,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5825,7 +5825,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5833,7 +5833,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5841,7 +5841,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5849,7 +5849,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5857,7 +5857,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5865,7 +5865,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5873,7 +5873,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5881,7 +5881,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5889,7 +5889,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5897,7 +5897,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5905,7 +5905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5913,7 +5913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5921,7 +5921,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5929,7 +5929,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5937,7 +5937,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5945,7 +5945,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5953,7 +5953,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5961,7 +5961,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5969,7 +5969,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5977,7 +5977,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5985,7 +5985,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5993,7 +5993,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6001,7 +6001,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6009,7 +6009,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6017,7 +6017,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6025,7 +6025,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6033,7 +6033,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6041,7 +6041,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6049,7 +6049,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6057,7 +6057,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6065,7 +6065,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6073,7 +6073,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6081,7 +6081,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6089,7 +6089,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6097,7 +6097,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6105,7 +6105,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6113,7 +6113,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6121,7 +6121,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6129,7 +6129,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6137,7 +6137,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6145,7 +6145,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6153,7 +6153,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6161,7 +6161,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6169,7 +6169,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6177,7 +6177,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6185,7 +6185,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6193,7 +6193,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6201,7 +6201,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6209,7 +6209,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6217,7 +6217,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6225,7 +6225,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6233,7 +6233,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6241,7 +6241,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6249,7 +6249,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6257,7 +6257,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6265,7 +6265,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6273,7 +6273,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6281,7 +6281,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6289,7 +6289,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6297,7 +6297,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6305,7 +6305,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6313,7 +6313,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6321,7 +6321,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6329,7 +6329,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6337,7 +6337,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6345,7 +6345,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6353,7 +6353,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6361,7 +6361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6369,7 +6369,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6377,7 +6377,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6385,7 +6385,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6393,7 +6393,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6401,7 +6401,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6409,7 +6409,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6417,7 +6417,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6425,7 +6425,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6433,7 +6433,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6441,7 +6441,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6449,7 +6449,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6457,7 +6457,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6465,7 +6465,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6473,7 +6473,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6481,7 +6481,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6489,7 +6489,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6497,7 +6497,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6505,7 +6505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6513,7 +6513,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6521,7 +6521,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6529,7 +6529,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6537,7 +6537,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6545,7 +6545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6553,7 +6553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6561,7 +6561,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6569,7 +6569,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6577,7 +6577,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6585,7 +6585,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6593,7 +6593,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6601,7 +6601,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6609,7 +6609,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6617,7 +6617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6625,7 +6625,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6633,7 +6633,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6641,7 +6641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6649,7 +6649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6657,7 +6657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6665,7 +6665,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6673,7 +6673,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6681,7 +6681,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6689,7 +6689,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6697,7 +6697,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6705,7 +6705,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6713,7 +6713,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6721,7 +6721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6729,7 +6729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6737,7 +6737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6745,7 +6745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6753,7 +6753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6761,7 +6761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6769,7 +6769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6777,7 +6777,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6785,7 +6785,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6793,7 +6793,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6801,7 +6801,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6809,7 +6809,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6817,7 +6817,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6825,7 +6825,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6833,7 +6833,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6841,7 +6841,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6849,7 +6849,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6857,7 +6857,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6865,7 +6865,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6873,7 +6873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6881,7 +6881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6889,7 +6889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6897,7 +6897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6905,7 +6905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6913,7 +6913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6921,7 +6921,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6929,7 +6929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6937,7 +6937,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6945,7 +6945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6953,7 +6953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6961,7 +6961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6969,7 +6969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6977,7 +6977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6985,7 +6985,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6993,7 +6993,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7001,7 +7001,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7009,7 +7009,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7017,7 +7017,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7025,7 +7025,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7033,7 +7033,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7041,7 +7041,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7049,7 +7049,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7057,7 +7057,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7065,7 +7065,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7073,7 +7073,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7081,7 +7081,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7089,7 +7089,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7097,7 +7097,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7105,7 +7105,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7113,7 +7113,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7121,7 +7121,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7129,7 +7129,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7137,7 +7137,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7145,7 +7145,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7153,7 +7153,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7161,7 +7161,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7169,7 +7169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7177,7 +7177,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7185,7 +7185,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7193,7 +7193,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7201,7 +7201,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7209,7 +7209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7217,7 +7217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7225,7 +7225,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7233,7 +7233,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7241,7 +7241,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7249,7 +7249,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7257,7 +7257,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7265,7 +7265,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7273,7 +7273,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7281,7 +7281,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7289,7 +7289,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7297,7 +7297,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7305,7 +7305,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7313,7 +7313,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7321,7 +7321,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7329,7 +7329,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7337,7 +7337,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7345,7 +7345,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7353,7 +7353,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7361,7 +7361,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7369,7 +7369,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7377,7 +7377,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7385,7 +7385,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7393,7 +7393,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7401,7 +7401,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7409,7 +7409,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7417,7 +7417,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7425,7 +7425,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7433,7 +7433,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7441,7 +7441,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7449,7 +7449,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7457,7 +7457,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7465,7 +7465,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7473,7 +7473,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7481,7 +7481,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7489,7 +7489,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7497,7 +7497,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7505,7 +7505,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7513,7 +7513,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7521,7 +7521,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7529,7 +7529,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7537,7 +7537,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7545,7 +7545,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7553,7 +7553,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7561,7 +7561,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7569,7 +7569,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7577,7 +7577,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7585,7 +7585,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7593,7 +7593,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7601,7 +7601,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7609,7 +7609,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7617,7 +7617,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7625,7 +7625,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7633,7 +7633,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7641,7 +7641,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7649,7 +7649,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7657,7 +7657,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7665,7 +7665,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7673,7 +7673,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7681,7 +7681,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7689,7 +7689,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7697,7 +7697,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7705,7 +7705,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7713,7 +7713,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7721,7 +7721,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7729,7 +7729,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7737,7 +7737,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7745,7 +7745,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7753,7 +7753,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7761,7 +7761,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7769,7 +7769,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7777,7 +7777,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7785,7 +7785,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7793,7 +7793,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7801,7 +7801,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7809,7 +7809,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7817,7 +7817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7825,7 +7825,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7833,7 +7833,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7841,7 +7841,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7849,7 +7849,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7857,7 +7857,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7865,7 +7865,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7873,7 +7873,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7881,7 +7881,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7889,7 +7889,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7897,7 +7897,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7905,7 +7905,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7913,7 +7913,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7921,7 +7921,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7929,7 +7929,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7937,7 +7937,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7945,7 +7945,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7953,7 +7953,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7961,7 +7961,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7969,7 +7969,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7977,7 +7977,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7985,7 +7985,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7993,7 +7993,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8001,7 +8001,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8009,7 +8009,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8017,7 +8017,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8025,7 +8025,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8033,7 +8033,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8041,7 +8041,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8049,7 +8049,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8057,7 +8057,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8065,7 +8065,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8073,7 +8073,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8081,7 +8081,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8089,7 +8089,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8097,7 +8097,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8105,7 +8105,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8113,7 +8113,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8121,7 +8121,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8129,7 +8129,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8137,7 +8137,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8145,7 +8145,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8153,7 +8153,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8161,7 +8161,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8169,7 +8169,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8177,7 +8177,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8185,7 +8185,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8193,7 +8193,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8201,7 +8201,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8209,7 +8209,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8217,7 +8217,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8225,7 +8225,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8233,7 +8233,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8241,7 +8241,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8249,7 +8249,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8257,7 +8257,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8265,7 +8265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8273,7 +8273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8281,7 +8281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8289,7 +8289,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8297,7 +8297,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8305,7 +8305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8313,7 +8313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8321,7 +8321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8329,7 +8329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8337,7 +8337,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8345,7 +8345,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8353,7 +8353,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8361,7 +8361,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8369,7 +8369,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8377,7 +8377,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8385,7 +8385,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8393,7 +8393,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8401,7 +8401,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8409,7 +8409,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8417,7 +8417,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8425,7 +8425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8433,7 +8433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8441,7 +8441,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8449,7 +8449,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8457,7 +8457,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8465,7 +8465,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8473,7 +8473,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8481,7 +8481,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8489,7 +8489,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8497,7 +8497,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8505,7 +8505,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8513,7 +8513,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8521,7 +8521,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8529,7 +8529,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8537,7 +8537,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8545,7 +8545,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: System Use Notification + capability-id: AC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8553,7 +8553,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8561,7 +8561,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8569,7 +8569,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8577,7 +8577,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8585,7 +8585,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8593,7 +8593,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8601,7 +8601,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8609,7 +8609,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8617,7 +8617,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8625,7 +8625,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8633,7 +8633,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8641,7 +8641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8649,7 +8649,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8657,7 +8657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8665,7 +8665,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8673,7 +8673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8681,7 +8681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8689,7 +8689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8697,7 +8697,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8705,7 +8705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8713,7 +8713,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8721,7 +8721,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8729,7 +8729,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8737,7 +8737,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8745,7 +8745,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8753,7 +8753,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8761,7 +8761,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8769,7 +8769,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8777,7 +8777,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8785,7 +8785,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8793,7 +8793,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8801,7 +8801,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8809,7 +8809,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8817,7 +8817,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8825,7 +8825,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8833,7 +8833,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8841,7 +8841,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8849,7 +8849,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8857,7 +8857,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8865,7 +8865,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8873,7 +8873,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8881,7 +8881,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8889,7 +8889,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8897,7 +8897,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8905,7 +8905,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8913,7 +8913,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8921,7 +8921,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8929,7 +8929,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8937,7 +8937,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8945,7 +8945,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8953,7 +8953,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8961,7 +8961,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8969,7 +8969,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8977,7 +8977,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8985,7 +8985,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8993,7 +8993,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9001,7 +9001,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9009,7 +9009,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9017,7 +9017,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9025,7 +9025,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9033,7 +9033,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9041,7 +9041,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9049,7 +9049,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9057,7 +9057,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9065,7 +9065,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9073,7 +9073,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9081,7 +9081,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9089,7 +9089,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9097,7 +9097,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9105,7 +9105,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9113,7 +9113,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9121,7 +9121,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9129,7 +9129,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9137,7 +9137,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9145,7 +9145,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9153,7 +9153,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9161,7 +9161,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9169,7 +9169,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9177,7 +9177,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9185,7 +9185,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9193,7 +9193,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9201,7 +9201,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9209,7 +9209,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9217,7 +9217,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9225,7 +9225,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9233,7 +9233,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9241,7 +9241,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9249,7 +9249,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9257,7 +9257,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9265,7 +9265,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9273,7 +9273,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9281,7 +9281,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9289,7 +9289,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9297,7 +9297,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9305,7 +9305,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9313,7 +9313,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9321,7 +9321,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9329,7 +9329,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9337,7 +9337,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9345,7 +9345,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9353,7 +9353,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9361,7 +9361,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9369,7 +9369,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9377,7 +9377,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9385,7 +9385,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9393,7 +9393,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9401,7 +9401,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9409,7 +9409,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9417,7 +9417,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9425,7 +9425,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9433,7 +9433,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9441,7 +9441,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9449,7 +9449,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9457,7 +9457,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9465,7 +9465,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9473,7 +9473,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9481,7 +9481,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9489,7 +9489,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9497,7 +9497,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9505,7 +9505,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9513,7 +9513,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9521,7 +9521,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9529,7 +9529,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9537,7 +9537,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9545,7 +9545,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9553,7 +9553,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9561,7 +9561,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9569,7 +9569,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9577,7 +9577,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9585,7 +9585,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9593,7 +9593,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9601,7 +9601,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9609,7 +9609,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9617,7 +9617,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9625,7 +9625,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9633,7 +9633,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9641,7 +9641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9649,7 +9649,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9657,7 +9657,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9665,7 +9665,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9673,7 +9673,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9681,7 +9681,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9689,7 +9689,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9697,7 +9697,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9705,7 +9705,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9713,7 +9713,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9721,7 +9721,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9729,7 +9729,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9737,7 +9737,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9745,7 +9745,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9753,7 +9753,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9761,7 +9761,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9769,7 +9769,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9777,7 +9777,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9785,7 +9785,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9793,7 +9793,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9801,7 +9801,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9809,7 +9809,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9817,7 +9817,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9825,7 +9825,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9833,7 +9833,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9841,7 +9841,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9849,7 +9849,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9857,7 +9857,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9865,7 +9865,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9873,7 +9873,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9881,7 +9881,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9889,7 +9889,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9897,7 +9897,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9905,7 +9905,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9913,7 +9913,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9921,7 +9921,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9929,7 +9929,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9937,7 +9937,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9945,7 +9945,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9953,7 +9953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9961,7 +9961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9969,7 +9969,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9977,7 +9977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9985,7 +9985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9993,7 +9993,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10001,7 +10001,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10009,7 +10009,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10017,7 +10017,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10025,7 +10025,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10033,7 +10033,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10041,7 +10041,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10049,7 +10049,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10057,7 +10057,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10065,7 +10065,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10073,7 +10073,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10081,7 +10081,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10089,7 +10089,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10097,7 +10097,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10105,7 +10105,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10113,7 +10113,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10121,7 +10121,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10129,7 +10129,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10137,7 +10137,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10145,7 +10145,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10153,7 +10153,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10161,7 +10161,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10169,7 +10169,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10177,7 +10177,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10185,7 +10185,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10193,7 +10193,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10201,7 +10201,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10209,7 +10209,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10217,7 +10217,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10225,7 +10225,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10233,7 +10233,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10241,7 +10241,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10249,7 +10249,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10257,7 +10257,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10265,7 +10265,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10273,7 +10273,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10281,7 +10281,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10289,7 +10289,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10297,7 +10297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10305,7 +10305,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10313,7 +10313,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10321,7 +10321,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10329,7 +10329,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10337,7 +10337,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10345,7 +10345,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10353,7 +10353,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10361,7 +10361,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10369,7 +10369,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10377,7 +10377,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10385,7 +10385,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10393,7 +10393,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10401,7 +10401,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10409,7 +10409,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10417,7 +10417,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10425,7 +10425,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10433,7 +10433,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10441,7 +10441,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10449,7 +10449,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10457,7 +10457,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10465,7 +10465,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10473,7 +10473,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10481,7 +10481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10489,7 +10489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10497,7 +10497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10505,7 +10505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10513,7 +10513,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10521,7 +10521,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10529,7 +10529,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10537,7 +10537,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10545,7 +10545,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10553,7 +10553,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10561,7 +10561,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10569,7 +10569,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10577,7 +10577,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10585,7 +10585,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10593,7 +10593,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10601,7 +10601,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10609,7 +10609,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10617,7 +10617,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10625,7 +10625,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10633,7 +10633,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10641,7 +10641,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10649,7 +10649,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10657,7 +10657,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10665,7 +10665,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10673,7 +10673,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10681,7 +10681,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10689,7 +10689,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10697,7 +10697,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10705,7 +10705,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10713,7 +10713,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10721,7 +10721,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10729,7 +10729,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10737,7 +10737,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10745,7 +10745,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10753,7 +10753,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10761,7 +10761,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10769,7 +10769,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10777,7 +10777,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10785,7 +10785,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10793,7 +10793,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10801,7 +10801,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10809,7 +10809,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10817,7 +10817,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10825,7 +10825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10833,7 +10833,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10841,7 +10841,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10849,7 +10849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10857,7 +10857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10865,7 +10865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10873,7 +10873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10881,7 +10881,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10889,7 +10889,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10897,7 +10897,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10905,7 +10905,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10913,7 +10913,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10921,7 +10921,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10929,7 +10929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10937,7 +10937,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10945,7 +10945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10953,7 +10953,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10961,7 +10961,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10969,7 +10969,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10977,7 +10977,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10985,7 +10985,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10993,7 +10993,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11001,7 +11001,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11009,7 +11009,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11017,7 +11017,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11025,7 +11025,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11033,7 +11033,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11041,7 +11041,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11049,7 +11049,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11057,7 +11057,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11065,7 +11065,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11073,7 +11073,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11081,7 +11081,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11089,7 +11089,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11097,7 +11097,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11105,7 +11105,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11113,7 +11113,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11121,7 +11121,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11129,7 +11129,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11137,7 +11137,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11145,7 +11145,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11153,7 +11153,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11161,7 +11161,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11169,7 +11169,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11177,7 +11177,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11185,7 +11185,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11193,7 +11193,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11201,7 +11201,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11209,7 +11209,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11217,7 +11217,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11225,7 +11225,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11233,7 +11233,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11241,7 +11241,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11249,7 +11249,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11257,7 +11257,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11265,7 +11265,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11273,7 +11273,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11281,7 +11281,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11289,7 +11289,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11297,7 +11297,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11305,7 +11305,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11313,7 +11313,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11321,7 +11321,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11329,7 +11329,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11337,7 +11337,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11345,7 +11345,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11353,7 +11353,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11361,7 +11361,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11369,7 +11369,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11377,7 +11377,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11385,7 +11385,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11393,7 +11393,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11401,7 +11401,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11409,7 +11409,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11417,7 +11417,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11425,7 +11425,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11433,7 +11433,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11441,7 +11441,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11449,7 +11449,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11457,7 +11457,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11465,7 +11465,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11473,7 +11473,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11481,7 +11481,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11489,7 +11489,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11497,7 +11497,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11505,7 +11505,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11513,7 +11513,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11521,7 +11521,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11529,7 +11529,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11537,7 +11537,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11545,7 +11545,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11553,7 +11553,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11561,7 +11561,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11569,7 +11569,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11577,7 +11577,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11585,7 +11585,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11593,7 +11593,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11601,7 +11601,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11609,7 +11609,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11617,7 +11617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11625,7 +11625,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11633,7 +11633,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11641,7 +11641,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11649,7 +11649,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11657,7 +11657,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11665,7 +11665,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11673,7 +11673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11681,7 +11681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11689,7 +11689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11697,7 +11697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11705,7 +11705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11713,7 +11713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11721,7 +11721,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11729,7 +11729,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11737,7 +11737,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11745,7 +11745,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11753,7 +11753,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11761,7 +11761,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11769,7 +11769,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11777,7 +11777,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11785,7 +11785,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11793,7 +11793,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11801,7 +11801,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11809,7 +11809,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11817,7 +11817,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11825,7 +11825,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11833,7 +11833,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11841,7 +11841,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11849,7 +11849,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11857,7 +11857,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11865,7 +11865,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11873,7 +11873,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11881,7 +11881,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11889,7 +11889,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11897,7 +11897,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11905,7 +11905,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11913,7 +11913,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11921,7 +11921,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11929,7 +11929,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11937,7 +11937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11945,7 +11945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11953,7 +11953,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11961,7 +11961,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11969,7 +11969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11977,7 +11977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11985,7 +11985,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11993,7 +11993,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12001,7 +12001,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12009,7 +12009,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12017,7 +12017,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12025,7 +12025,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12033,7 +12033,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12041,7 +12041,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12049,7 +12049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12057,7 +12057,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12065,7 +12065,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12073,7 +12073,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12081,7 +12081,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12089,7 +12089,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12097,7 +12097,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12105,7 +12105,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12113,7 +12113,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12121,7 +12121,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12129,7 +12129,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12137,7 +12137,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12145,7 +12145,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12153,7 +12153,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12161,7 +12161,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12169,7 +12169,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12177,7 +12177,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12185,7 +12185,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12193,7 +12193,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12201,7 +12201,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12209,7 +12209,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12217,7 +12217,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12225,7 +12225,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12233,7 +12233,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12241,7 +12241,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12249,7 +12249,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12257,7 +12257,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12265,7 +12265,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12273,7 +12273,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12281,7 +12281,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12289,7 +12289,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12297,7 +12297,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12305,7 +12305,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12313,7 +12313,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12321,7 +12321,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12329,7 +12329,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12337,7 +12337,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12345,7 +12345,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12353,7 +12353,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12361,7 +12361,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12369,7 +12369,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12377,7 +12377,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12385,7 +12385,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12393,7 +12393,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12401,7 +12401,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12409,7 +12409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12417,7 +12417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12425,7 +12425,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12433,7 +12433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12441,7 +12441,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12449,7 +12449,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12457,7 +12457,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12465,7 +12465,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12473,7 +12473,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12481,7 +12481,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12489,7 +12489,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12497,7 +12497,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12505,7 +12505,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12513,7 +12513,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12521,7 +12521,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12529,7 +12529,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12537,7 +12537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12545,7 +12545,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12553,7 +12553,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12561,7 +12561,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12569,7 +12569,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12577,7 +12577,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12585,7 +12585,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12593,7 +12593,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12601,7 +12601,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12609,7 +12609,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12617,7 +12617,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12625,7 +12625,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12633,7 +12633,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12641,7 +12641,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12649,7 +12649,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12657,7 +12657,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12665,7 +12665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12673,7 +12673,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12681,7 +12681,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12689,7 +12689,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12697,7 +12697,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12705,7 +12705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12713,7 +12713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12721,7 +12721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12729,7 +12729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12737,7 +12737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12745,7 +12745,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12753,7 +12753,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12761,7 +12761,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12769,7 +12769,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12777,7 +12777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12785,7 +12785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12793,7 +12793,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12801,7 +12801,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12809,7 +12809,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12817,7 +12817,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12825,7 +12825,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12833,7 +12833,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12841,7 +12841,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12849,7 +12849,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12857,7 +12857,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12865,7 +12865,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12873,7 +12873,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12881,7 +12881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12889,7 +12889,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12897,7 +12897,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12905,7 +12905,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12913,7 +12913,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12921,7 +12921,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12929,7 +12929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12937,7 +12937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12945,7 +12945,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12953,7 +12953,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12961,7 +12961,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12969,7 +12969,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12977,7 +12977,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12985,7 +12985,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12993,7 +12993,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13001,7 +13001,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13009,7 +13009,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13017,7 +13017,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13025,7 +13025,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13033,7 +13033,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13041,7 +13041,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13049,7 +13049,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13057,7 +13057,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13065,7 +13065,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13073,7 +13073,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13081,7 +13081,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13089,7 +13089,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13097,7 +13097,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13105,7 +13105,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13113,7 +13113,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13121,7 +13121,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13129,7 +13129,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13137,7 +13137,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13145,7 +13145,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13153,7 +13153,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13161,7 +13161,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13169,7 +13169,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13177,7 +13177,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13185,7 +13185,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13193,7 +13193,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13201,7 +13201,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13209,7 +13209,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13217,7 +13217,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13225,7 +13225,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13233,7 +13233,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13241,7 +13241,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13249,7 +13249,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13257,7 +13257,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13265,7 +13265,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13273,7 +13273,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13281,7 +13281,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13289,7 +13289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13297,7 +13297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13305,7 +13305,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13313,7 +13313,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13321,7 +13321,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13329,7 +13329,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13337,7 +13337,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13345,7 +13345,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13353,7 +13353,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13361,7 +13361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13369,7 +13369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13377,7 +13377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13385,7 +13385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13393,7 +13393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13401,7 +13401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13409,7 +13409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13417,7 +13417,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13425,7 +13425,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13433,7 +13433,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13441,7 +13441,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13449,7 +13449,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13457,7 +13457,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13465,7 +13465,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13473,7 +13473,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13481,7 +13481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13489,7 +13489,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13497,7 +13497,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13505,7 +13505,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13513,7 +13513,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13521,7 +13521,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13529,7 +13529,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13537,7 +13537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13545,7 +13545,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13553,7 +13553,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13561,7 +13561,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13569,7 +13569,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13577,7 +13577,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13585,7 +13585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13593,7 +13593,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13601,7 +13601,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13609,7 +13609,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13617,7 +13617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13625,7 +13625,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13633,7 +13633,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13641,7 +13641,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13649,7 +13649,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13657,7 +13657,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13665,7 +13665,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13673,7 +13673,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13681,7 +13681,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13689,7 +13689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13697,7 +13697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13705,7 +13705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13713,7 +13713,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13721,7 +13721,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13729,7 +13729,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13737,7 +13737,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13745,7 +13745,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13753,7 +13753,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13761,7 +13761,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13769,7 +13769,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13777,7 +13777,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13785,7 +13785,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13793,7 +13793,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13801,7 +13801,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13809,7 +13809,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13817,7 +13817,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13825,7 +13825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13833,7 +13833,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13841,7 +13841,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13849,7 +13849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13857,7 +13857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13865,7 +13865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13873,7 +13873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13881,7 +13881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13889,7 +13889,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13897,7 +13897,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13905,7 +13905,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13913,7 +13913,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13921,7 +13921,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13929,7 +13929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13937,7 +13937,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13945,7 +13945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13953,7 +13953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13961,7 +13961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13969,7 +13969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13977,7 +13977,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13985,7 +13985,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13993,7 +13993,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14001,7 +14001,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14009,7 +14009,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14017,7 +14017,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14025,7 +14025,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14033,7 +14033,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14041,7 +14041,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14049,7 +14049,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14057,7 +14057,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14065,7 +14065,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14073,7 +14073,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14081,7 +14081,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14089,7 +14089,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14097,7 +14097,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14105,7 +14105,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14113,7 +14113,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14121,7 +14121,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14129,7 +14129,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14137,7 +14137,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14145,7 +14145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14153,7 +14153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14161,7 +14161,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14169,7 +14169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14177,7 +14177,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14185,7 +14185,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14193,7 +14193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14201,7 +14201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14209,7 +14209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14217,7 +14217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14225,7 +14225,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14233,7 +14233,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14241,7 +14241,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14249,7 +14249,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14257,7 +14257,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14265,7 +14265,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14273,7 +14273,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14281,7 +14281,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14289,7 +14289,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14297,7 +14297,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14305,7 +14305,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14313,7 +14313,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14321,7 +14321,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14329,7 +14329,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14337,7 +14337,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14345,7 +14345,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14353,7 +14353,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14361,7 +14361,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14369,7 +14369,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14377,7 +14377,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14385,7 +14385,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14393,7 +14393,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14401,7 +14401,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14409,7 +14409,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14417,7 +14417,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14425,7 +14425,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14433,7 +14433,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14441,7 +14441,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14449,7 +14449,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14457,7 +14457,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14465,7 +14465,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14473,7 +14473,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14481,7 +14481,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14489,7 +14489,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14497,7 +14497,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14505,7 +14505,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14513,7 +14513,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14521,7 +14521,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14529,7 +14529,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14537,7 +14537,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14545,7 +14545,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14553,7 +14553,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14561,7 +14561,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14569,7 +14569,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14577,7 +14577,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14585,7 +14585,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14593,7 +14593,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14601,7 +14601,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14609,7 +14609,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14617,7 +14617,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14625,7 +14625,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14633,7 +14633,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14641,7 +14641,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14649,7 +14649,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14657,7 +14657,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14665,7 +14665,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14673,7 +14673,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14681,7 +14681,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14689,7 +14689,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14697,7 +14697,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14705,7 +14705,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14713,7 +14713,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14721,7 +14721,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14729,7 +14729,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14737,7 +14737,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14745,7 +14745,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14753,7 +14753,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14761,7 +14761,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14769,7 +14769,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14777,7 +14777,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14785,7 +14785,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14793,7 +14793,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14801,7 +14801,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14809,7 +14809,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14817,7 +14817,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14825,7 +14825,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14833,7 +14833,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14841,7 +14841,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14849,7 +14849,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14857,7 +14857,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14865,7 +14865,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14873,7 +14873,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14881,7 +14881,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14889,7 +14889,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14897,7 +14897,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14905,7 +14905,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14913,7 +14913,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14921,7 +14921,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14929,7 +14929,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14937,7 +14937,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14945,7 +14945,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14953,7 +14953,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14961,7 +14961,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14969,7 +14969,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14977,7 +14977,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14985,7 +14985,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14993,7 +14993,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15001,7 +15001,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15009,7 +15009,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15017,7 +15017,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15025,7 +15025,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15033,7 +15033,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15041,7 +15041,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15049,7 +15049,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15057,7 +15057,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15065,7 +15065,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15073,7 +15073,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15081,7 +15081,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15089,7 +15089,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15097,7 +15097,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15105,7 +15105,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15113,7 +15113,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15121,7 +15121,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15129,7 +15129,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15137,7 +15137,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15145,7 +15145,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15153,7 +15153,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15161,7 +15161,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15169,7 +15169,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15177,7 +15177,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15185,7 +15185,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15193,7 +15193,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15201,7 +15201,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15209,7 +15209,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15217,7 +15217,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15225,7 +15225,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15233,7 +15233,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15241,7 +15241,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15249,7 +15249,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15257,7 +15257,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15265,7 +15265,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15273,7 +15273,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15281,7 +15281,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15289,7 +15289,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15297,7 +15297,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15305,7 +15305,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15313,7 +15313,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15321,7 +15321,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15329,7 +15329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15337,7 +15337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15345,7 +15345,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15353,7 +15353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15361,7 +15361,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15369,7 +15369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15377,7 +15377,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15385,7 +15385,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15393,7 +15393,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15401,7 +15401,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15409,7 +15409,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15417,7 +15417,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15425,7 +15425,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15433,7 +15433,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15441,7 +15441,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15449,7 +15449,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15457,7 +15457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15465,7 +15465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15473,7 +15473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15481,7 +15481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15489,7 +15489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15497,7 +15497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15505,7 +15505,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15513,7 +15513,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15521,7 +15521,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15529,7 +15529,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15537,7 +15537,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15545,7 +15545,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15553,7 +15553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15561,7 +15561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15569,7 +15569,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15577,7 +15577,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15585,7 +15585,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15593,7 +15593,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15601,7 +15601,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15609,7 +15609,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15617,7 +15617,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15625,7 +15625,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15633,7 +15633,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15641,7 +15641,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15649,7 +15649,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15657,7 +15657,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15665,7 +15665,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15673,7 +15673,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15681,7 +15681,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15689,7 +15689,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15697,7 +15697,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15705,7 +15705,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15713,7 +15713,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15721,7 +15721,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15729,7 +15729,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15737,7 +15737,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15745,7 +15745,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15753,7 +15753,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15761,7 +15761,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15769,7 +15769,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15777,7 +15777,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15785,7 +15785,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15793,7 +15793,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15801,7 +15801,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15809,7 +15809,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15817,7 +15817,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15825,7 +15825,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15833,7 +15833,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15841,7 +15841,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15849,7 +15849,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15857,7 +15857,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15865,7 +15865,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15873,7 +15873,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15881,7 +15881,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15889,7 +15889,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15897,7 +15897,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15905,7 +15905,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15913,7 +15913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15921,7 +15921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15929,7 +15929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15937,7 +15937,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15945,7 +15945,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15953,7 +15953,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15961,7 +15961,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15969,7 +15969,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15977,7 +15977,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15985,7 +15985,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15993,7 +15993,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16001,7 +16001,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16009,7 +16009,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16017,7 +16017,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16025,7 +16025,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16033,7 +16033,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16041,7 +16041,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16049,7 +16049,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16057,7 +16057,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16065,7 +16065,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16073,7 +16073,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16081,7 +16081,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16089,7 +16089,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16097,7 +16097,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16105,7 +16105,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16113,7 +16113,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16121,7 +16121,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16129,7 +16129,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16137,7 +16137,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16145,7 +16145,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16153,7 +16153,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16161,7 +16161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16169,7 +16169,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16177,7 +16177,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16185,7 +16185,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16193,7 +16193,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16201,7 +16201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16209,7 +16209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16217,7 +16217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16225,7 +16225,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16233,7 +16233,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16241,7 +16241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16249,7 +16249,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16257,7 +16257,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16265,7 +16265,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16273,7 +16273,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16281,7 +16281,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16289,7 +16289,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16297,7 +16297,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16305,7 +16305,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16313,7 +16313,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16321,7 +16321,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16329,7 +16329,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16337,7 +16337,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16345,7 +16345,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16353,7 +16353,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16361,7 +16361,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16369,7 +16369,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16377,7 +16377,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16385,7 +16385,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16393,7 +16393,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16401,7 +16401,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16409,7 +16409,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16417,7 +16417,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16425,7 +16425,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16433,7 +16433,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16441,7 +16441,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16449,7 +16449,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16457,7 +16457,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16465,7 +16465,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16473,7 +16473,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16481,7 +16481,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16489,7 +16489,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16497,7 +16497,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16505,7 +16505,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16513,7 +16513,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16521,7 +16521,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16529,7 +16529,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16537,7 +16537,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16545,7 +16545,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16553,7 +16553,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16561,7 +16561,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16569,7 +16569,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16577,7 +16577,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16585,7 +16585,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16593,7 +16593,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16601,7 +16601,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16609,7 +16609,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16617,7 +16617,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16625,7 +16625,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16633,7 +16633,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16641,7 +16641,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16649,7 +16649,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16657,7 +16657,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16665,7 +16665,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16673,7 +16673,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16681,7 +16681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16689,7 +16689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16697,7 +16697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16705,7 +16705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16713,7 +16713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16721,7 +16721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16729,7 +16729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16737,7 +16737,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16745,7 +16745,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16753,7 +16753,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16761,7 +16761,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16769,7 +16769,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16777,7 +16777,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16785,7 +16785,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16793,7 +16793,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16801,7 +16801,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16809,7 +16809,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16817,7 +16817,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16825,7 +16825,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16833,7 +16833,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16841,7 +16841,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16849,7 +16849,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16857,7 +16857,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16865,7 +16865,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16873,7 +16873,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16881,7 +16881,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16889,7 +16889,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16897,7 +16897,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16905,7 +16905,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16913,7 +16913,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16921,7 +16921,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16929,7 +16929,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16937,7 +16937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16945,7 +16945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16953,7 +16953,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16961,7 +16961,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16969,7 +16969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16977,7 +16977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16985,7 +16985,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16993,7 +16993,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17001,7 +17001,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17009,7 +17009,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17017,7 +17017,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17025,7 +17025,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17033,7 +17033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17041,7 +17041,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17049,7 +17049,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17057,7 +17057,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17065,7 +17065,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17073,7 +17073,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17081,7 +17081,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17089,7 +17089,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17097,7 +17097,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17105,7 +17105,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17113,7 +17113,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17121,7 +17121,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17129,7 +17129,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17137,7 +17137,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17145,7 +17145,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17153,7 +17153,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17161,7 +17161,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17169,7 +17169,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17177,7 +17177,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17185,7 +17185,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17193,7 +17193,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17201,7 +17201,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17209,7 +17209,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17217,7 +17217,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17225,7 +17225,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17233,7 +17233,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17241,7 +17241,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17249,7 +17249,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17257,7 +17257,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17265,7 +17265,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17273,7 +17273,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17281,7 +17281,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17289,7 +17289,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17297,7 +17297,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17305,7 +17305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17313,7 +17313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: LD_PRELOAD - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17321,7 +17321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17329,7 +17329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17337,7 +17337,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17345,7 +17345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17353,7 +17353,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17361,7 +17361,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17369,7 +17369,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17377,7 +17377,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17385,7 +17385,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17393,7 +17393,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17401,7 +17401,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17409,7 +17409,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17417,7 +17417,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17425,7 +17425,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17433,7 +17433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17441,7 +17441,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17449,7 +17449,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17457,7 +17457,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17465,7 +17465,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17473,7 +17473,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17481,7 +17481,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17489,7 +17489,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17497,7 +17497,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17505,7 +17505,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17513,7 +17513,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17521,7 +17521,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17529,7 +17529,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17537,7 +17537,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17545,7 +17545,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17553,7 +17553,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17561,7 +17561,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17569,7 +17569,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17577,7 +17577,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17585,7 +17585,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17593,7 +17593,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17601,7 +17601,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17609,7 +17609,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17617,7 +17617,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17625,7 +17625,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17633,7 +17633,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17641,7 +17641,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17649,7 +17649,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17657,7 +17657,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17665,7 +17665,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17673,7 +17673,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17681,7 +17681,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17689,7 +17689,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17697,7 +17697,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17705,7 +17705,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17713,7 +17713,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17721,7 +17721,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17729,7 +17729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17737,7 +17737,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17745,7 +17745,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17753,7 +17753,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17761,7 +17761,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17769,7 +17769,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17777,7 +17777,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17785,7 +17785,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17793,7 +17793,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17801,7 +17801,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17809,7 +17809,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17817,7 +17817,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17825,7 +17825,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17833,7 +17833,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17841,7 +17841,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17849,7 +17849,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17857,7 +17857,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17865,7 +17865,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17873,7 +17873,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17881,7 +17881,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17889,7 +17889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17897,7 +17897,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17905,7 +17905,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17913,7 +17913,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17921,7 +17921,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17929,7 +17929,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17937,7 +17937,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17945,7 +17945,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17953,7 +17953,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17961,7 +17961,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17969,7 +17969,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17977,7 +17977,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17985,7 +17985,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17993,7 +17993,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18001,7 +18001,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18009,7 +18009,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18017,7 +18017,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18025,7 +18025,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18033,7 +18033,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18041,7 +18041,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18049,7 +18049,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18057,7 +18057,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18065,7 +18065,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18073,7 +18073,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18081,7 +18081,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18089,7 +18089,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18097,7 +18097,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18105,7 +18105,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18113,7 +18113,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18121,7 +18121,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18129,7 +18129,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18137,7 +18137,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18145,7 +18145,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18153,7 +18153,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18161,7 +18161,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18169,7 +18169,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18177,7 +18177,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18185,7 +18185,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18193,7 +18193,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18201,7 +18201,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18209,7 +18209,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18217,7 +18217,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18225,7 +18225,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18233,7 +18233,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18241,7 +18241,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18249,7 +18249,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18257,7 +18257,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18265,7 +18265,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18273,7 +18273,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18281,7 +18281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18289,7 +18289,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18297,7 +18297,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18305,7 +18305,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18313,7 +18313,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18321,7 +18321,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18329,7 +18329,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18337,7 +18337,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18345,7 +18345,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18353,7 +18353,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18361,7 +18361,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18369,7 +18369,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18377,7 +18377,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18385,7 +18385,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18393,7 +18393,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18401,7 +18401,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18409,7 +18409,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18417,7 +18417,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18425,7 +18425,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18433,7 +18433,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18441,7 +18441,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18449,7 +18449,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18457,7 +18457,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18465,7 +18465,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18473,7 +18473,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18481,7 +18481,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18489,7 +18489,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18497,7 +18497,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18505,7 +18505,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18513,7 +18513,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18521,7 +18521,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18529,7 +18529,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18537,7 +18537,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18545,7 +18545,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18553,7 +18553,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18561,7 +18561,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18569,7 +18569,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18577,7 +18577,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18585,7 +18585,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18593,7 +18593,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -18601,7 +18601,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -18609,7 +18609,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18617,7 +18617,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -18625,7 +18625,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -18633,7 +18633,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18641,7 +18641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18649,7 +18649,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18657,7 +18657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18665,7 +18665,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18673,7 +18673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18681,7 +18681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18689,7 +18689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18697,7 +18697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18705,7 +18705,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18713,7 +18713,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18721,7 +18721,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18729,7 +18729,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18737,7 +18737,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18745,7 +18745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18753,7 +18753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18761,7 +18761,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18769,7 +18769,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18777,7 +18777,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18785,7 +18785,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18793,7 +18793,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18801,7 +18801,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18809,7 +18809,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18817,7 +18817,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18825,7 +18825,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18833,7 +18833,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18841,7 +18841,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18849,7 +18849,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18857,7 +18857,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18865,7 +18865,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18873,7 +18873,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18881,7 +18881,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18889,7 +18889,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18897,7 +18897,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18905,7 +18905,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18913,7 +18913,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18921,7 +18921,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18929,7 +18929,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18937,7 +18937,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18945,7 +18945,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18953,7 +18953,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18961,7 +18961,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18969,7 +18969,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18977,7 +18977,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18985,7 +18985,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18993,7 +18993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19001,7 +19001,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19009,7 +19009,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19017,7 +19017,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19025,7 +19025,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19033,7 +19033,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19041,7 +19041,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19049,7 +19049,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19057,7 +19057,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19065,7 +19065,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19073,7 +19073,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19081,7 +19081,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19089,7 +19089,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19097,7 +19097,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19105,7 +19105,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19113,7 +19113,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19121,7 +19121,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19129,7 +19129,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19137,7 +19137,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19145,7 +19145,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19153,7 +19153,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19161,7 +19161,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19169,7 +19169,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19177,7 +19177,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19185,7 +19185,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19193,7 +19193,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19201,7 +19201,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19209,7 +19209,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19217,7 +19217,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19225,7 +19225,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19233,7 +19233,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19241,7 +19241,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19249,7 +19249,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19257,7 +19257,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19265,7 +19265,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19273,7 +19273,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19281,7 +19281,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19289,7 +19289,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19297,7 +19297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19305,7 +19305,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19313,7 +19313,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19321,7 +19321,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19329,7 +19329,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19337,7 +19337,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19345,7 +19345,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19353,7 +19353,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19361,7 +19361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19369,7 +19369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19377,7 +19377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19385,7 +19385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19393,7 +19393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19401,7 +19401,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19409,7 +19409,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19417,7 +19417,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19425,7 +19425,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19433,7 +19433,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19441,7 +19441,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19449,7 +19449,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19457,7 +19457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19465,7 +19465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19473,7 +19473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19481,7 +19481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19489,7 +19489,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19497,7 +19497,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19505,7 +19505,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19513,7 +19513,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19521,7 +19521,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19529,7 +19529,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19537,7 +19537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19545,7 +19545,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19553,7 +19553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19561,7 +19561,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19569,7 +19569,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19577,7 +19577,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19585,7 +19585,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19593,7 +19593,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19601,7 +19601,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19609,7 +19609,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19617,7 +19617,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19625,7 +19625,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19633,7 +19633,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19641,7 +19641,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19649,7 +19649,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19657,7 +19657,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19665,7 +19665,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19673,7 +19673,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19681,7 +19681,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19689,7 +19689,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19697,7 +19697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19705,7 +19705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19713,7 +19713,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19721,7 +19721,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19729,7 +19729,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19737,7 +19737,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19745,7 +19745,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19753,7 +19753,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19761,7 +19761,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19769,7 +19769,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19777,7 +19777,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19785,7 +19785,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19793,7 +19793,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19801,7 +19801,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19809,7 +19809,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19817,7 +19817,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19825,7 +19825,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19833,7 +19833,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19841,7 +19841,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19849,7 +19849,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19857,7 +19857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19865,7 +19865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19873,7 +19873,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19881,7 +19881,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19889,7 +19889,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19897,7 +19897,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19905,7 +19905,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19913,7 +19913,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19921,7 +19921,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19929,7 +19929,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19937,7 +19937,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19945,7 +19945,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19953,7 +19953,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19961,7 +19961,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19969,7 +19969,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19977,7 +19977,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19985,7 +19985,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19993,7 +19993,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20001,7 +20001,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20009,7 +20009,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20017,7 +20017,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20025,7 +20025,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20033,7 +20033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20041,7 +20041,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20049,7 +20049,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20057,7 +20057,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20065,7 +20065,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20073,7 +20073,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20081,7 +20081,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20089,7 +20089,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20097,7 +20097,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20105,7 +20105,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20113,7 +20113,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20121,7 +20121,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20129,7 +20129,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20137,7 +20137,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20145,7 +20145,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20153,7 +20153,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20161,7 +20161,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20169,7 +20169,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20177,7 +20177,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20185,7 +20185,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20193,7 +20193,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20201,7 +20201,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20209,7 +20209,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20217,7 +20217,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20225,7 +20225,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20233,7 +20233,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20241,7 +20241,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20249,7 +20249,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20257,7 +20257,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20265,7 +20265,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20273,7 +20273,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20281,7 +20281,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20289,7 +20289,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20297,7 +20297,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20305,7 +20305,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20313,7 +20313,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20321,7 +20321,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20329,7 +20329,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20337,7 +20337,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20345,7 +20345,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20353,7 +20353,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20361,7 +20361,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20369,7 +20369,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20377,7 +20377,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20385,7 +20385,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20393,7 +20393,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20401,7 +20401,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20409,7 +20409,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20417,7 +20417,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20425,7 +20425,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20433,7 +20433,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20441,7 +20441,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20449,7 +20449,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20457,7 +20457,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20465,7 +20465,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20473,7 +20473,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20481,7 +20481,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20489,7 +20489,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20497,7 +20497,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20505,7 +20505,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20513,7 +20513,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20521,7 +20521,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20529,7 +20529,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20537,7 +20537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20545,7 +20545,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20553,7 +20553,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20561,7 +20561,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20569,7 +20569,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20577,7 +20577,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20585,7 +20585,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20593,7 +20593,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20601,7 +20601,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20609,7 +20609,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20617,7 +20617,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20625,7 +20625,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20633,7 +20633,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20641,7 +20641,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20649,7 +20649,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20657,7 +20657,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20665,7 +20665,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20673,7 +20673,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20681,7 +20681,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20689,7 +20689,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20697,7 +20697,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20705,7 +20705,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20713,7 +20713,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20721,7 +20721,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20729,7 +20729,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20737,7 +20737,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20745,7 +20745,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20753,7 +20753,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20761,7 +20761,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20769,7 +20769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20777,7 +20777,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20785,7 +20785,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20793,7 +20793,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20801,7 +20801,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20809,7 +20809,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20817,7 +20817,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20825,7 +20825,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20833,7 +20833,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20841,7 +20841,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20849,7 +20849,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20857,7 +20857,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20865,7 +20865,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20873,7 +20873,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20881,7 +20881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20889,7 +20889,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20897,7 +20897,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20905,7 +20905,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20913,7 +20913,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20921,7 +20921,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20929,7 +20929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20937,7 +20937,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20945,7 +20945,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20953,7 +20953,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20961,7 +20961,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20969,7 +20969,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20977,7 +20977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20985,7 +20985,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20993,7 +20993,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21001,7 +21001,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21009,7 +21009,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21017,7 +21017,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21025,7 +21025,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21033,7 +21033,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21041,7 +21041,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21049,7 +21049,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21057,7 +21057,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Information Security Architecture + capability-id: PL-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21065,7 +21065,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Security Architecture + capability-id: PL-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21073,7 +21073,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21081,7 +21081,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21089,7 +21089,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21097,7 +21097,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21105,7 +21105,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21113,7 +21113,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21121,7 +21121,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21129,7 +21129,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21137,7 +21137,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21145,7 +21145,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21153,7 +21153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21161,7 +21161,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21169,7 +21169,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21177,7 +21177,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21185,7 +21185,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21193,7 +21193,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21201,7 +21201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21209,7 +21209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21217,7 +21217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21225,7 +21225,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21233,7 +21233,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21241,7 +21241,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21249,7 +21249,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21257,7 +21257,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21265,7 +21265,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21273,7 +21273,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21281,7 +21281,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21289,7 +21289,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21297,7 +21297,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21305,7 +21305,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21313,7 +21313,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21321,7 +21321,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21329,7 +21329,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21337,7 +21337,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21345,7 +21345,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21353,7 +21353,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21361,7 +21361,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21369,7 +21369,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21377,7 +21377,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21385,7 +21385,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21393,7 +21393,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21401,7 +21401,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21409,7 +21409,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21417,7 +21417,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21425,7 +21425,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21433,7 +21433,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21441,7 +21441,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21449,7 +21449,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21457,7 +21457,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21465,7 +21465,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21473,7 +21473,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21481,7 +21481,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21489,7 +21489,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21497,7 +21497,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21505,7 +21505,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21513,7 +21513,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21521,7 +21521,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21529,7 +21529,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21537,7 +21537,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21545,7 +21545,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21553,7 +21553,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21561,7 +21561,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21569,7 +21569,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21577,7 +21577,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21585,7 +21585,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21593,7 +21593,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21601,7 +21601,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21609,7 +21609,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21617,7 +21617,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21625,7 +21625,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21633,7 +21633,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21641,7 +21641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21649,7 +21649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21657,7 +21657,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21665,7 +21665,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21673,7 +21673,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21681,7 +21681,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21689,7 +21689,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21697,7 +21697,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21705,7 +21705,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21713,7 +21713,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21721,7 +21721,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21729,7 +21729,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21737,7 +21737,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21745,7 +21745,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21753,7 +21753,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21761,7 +21761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21769,7 +21769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21777,7 +21777,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21785,7 +21785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21793,7 +21793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21801,7 +21801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21809,7 +21809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21817,7 +21817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21825,7 +21825,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21833,7 +21833,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21841,7 +21841,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21849,7 +21849,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21857,7 +21857,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21865,7 +21865,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21873,7 +21873,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21881,7 +21881,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21889,7 +21889,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21897,7 +21897,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21905,7 +21905,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21913,7 +21913,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21921,7 +21921,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21929,7 +21929,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21937,7 +21937,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21945,7 +21945,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21953,7 +21953,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21961,7 +21961,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21969,7 +21969,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21977,7 +21977,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21985,7 +21985,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21993,7 +21993,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22001,7 +22001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22009,7 +22009,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22017,7 +22017,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22025,7 +22025,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22033,7 +22033,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22041,7 +22041,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22049,7 +22049,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22057,7 +22057,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22065,7 +22065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22073,7 +22073,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22081,7 +22081,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22089,7 +22089,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22097,7 +22097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22105,7 +22105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22113,7 +22113,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22121,7 +22121,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22129,7 +22129,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22137,7 +22137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22145,7 +22145,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22153,7 +22153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22161,7 +22161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22169,7 +22169,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22177,7 +22177,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22185,7 +22185,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22193,7 +22193,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22201,7 +22201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22209,7 +22209,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22217,7 +22217,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22225,7 +22225,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22233,7 +22233,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22241,7 +22241,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22249,7 +22249,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22257,7 +22257,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22265,7 +22265,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22273,7 +22273,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22281,7 +22281,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Trustworthiness + capability-id: SA-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -22289,7 +22289,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22297,7 +22297,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22305,7 +22305,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22313,7 +22313,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22321,7 +22321,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22329,7 +22329,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22337,7 +22337,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22345,7 +22345,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22353,7 +22353,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22361,7 +22361,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -22369,7 +22369,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22377,7 +22377,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22385,7 +22385,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22393,7 +22393,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22401,7 +22401,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22409,7 +22409,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22417,7 +22417,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22425,7 +22425,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22433,7 +22433,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22441,7 +22441,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22449,7 +22449,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22457,7 +22457,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22465,7 +22465,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22473,7 +22473,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22481,7 +22481,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22489,7 +22489,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22497,7 +22497,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22505,7 +22505,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22513,7 +22513,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22521,7 +22521,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22529,7 +22529,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22537,7 +22537,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22545,7 +22545,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Component Authenticity + capability-id: SA-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22553,7 +22553,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22561,7 +22561,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22569,7 +22569,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22577,7 +22577,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22585,7 +22585,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22593,7 +22593,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22601,7 +22601,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22609,7 +22609,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22617,7 +22617,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22625,7 +22625,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22633,7 +22633,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22641,7 +22641,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22649,7 +22649,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22657,7 +22657,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22665,7 +22665,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22673,7 +22673,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22681,7 +22681,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22689,7 +22689,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22697,7 +22697,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22705,7 +22705,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22713,7 +22713,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22721,7 +22721,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22729,7 +22729,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22737,7 +22737,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22745,7 +22745,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22753,7 +22753,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22761,7 +22761,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22769,7 +22769,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22777,7 +22777,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22785,7 +22785,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22793,7 +22793,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22801,7 +22801,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22809,7 +22809,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22817,7 +22817,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22825,7 +22825,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22833,7 +22833,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22841,7 +22841,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22849,7 +22849,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22857,7 +22857,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22865,7 +22865,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22873,7 +22873,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22881,7 +22881,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22889,7 +22889,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22897,7 +22897,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22905,7 +22905,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22913,7 +22913,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22921,7 +22921,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22929,7 +22929,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22937,7 +22937,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22945,7 +22945,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22953,7 +22953,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22961,7 +22961,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22969,7 +22969,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22977,7 +22977,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22985,7 +22985,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22993,7 +22993,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23001,7 +23001,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23009,7 +23009,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23017,7 +23017,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23025,7 +23025,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23033,7 +23033,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23041,7 +23041,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23049,7 +23049,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23057,7 +23057,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23065,7 +23065,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23073,7 +23073,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23081,7 +23081,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23089,7 +23089,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23097,7 +23097,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23105,7 +23105,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23113,7 +23113,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23121,7 +23121,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23129,7 +23129,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23137,7 +23137,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23145,7 +23145,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23153,7 +23153,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23161,7 +23161,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23169,7 +23169,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23177,7 +23177,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23185,7 +23185,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23193,7 +23193,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23201,7 +23201,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23209,7 +23209,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23217,7 +23217,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23225,7 +23225,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23233,7 +23233,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23241,7 +23241,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23249,7 +23249,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23257,7 +23257,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23265,7 +23265,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23273,7 +23273,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23281,7 +23281,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23289,7 +23289,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23297,7 +23297,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23305,7 +23305,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23313,7 +23313,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23321,7 +23321,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23329,7 +23329,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23337,7 +23337,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23345,7 +23345,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23353,7 +23353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23361,7 +23361,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23369,7 +23369,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23377,7 +23377,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23385,7 +23385,7 @@ attack-objects: tags: [] - attack-object-id: T1535 attack-object-name: Unused/Unsupported Cloud Regions - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23393,7 +23393,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23401,7 +23401,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23409,7 +23409,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23417,7 +23417,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23425,7 +23425,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23433,7 +23433,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23441,7 +23441,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23449,7 +23449,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23457,7 +23457,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -23465,7 +23465,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -23473,7 +23473,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -23481,7 +23481,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -23489,7 +23489,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23497,7 +23497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23505,7 +23505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23513,7 +23513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23521,7 +23521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23529,7 +23529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23537,7 +23537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23545,7 +23545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23553,7 +23553,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23561,7 +23561,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23569,7 +23569,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23577,7 +23577,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23585,7 +23585,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23593,7 +23593,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23601,7 +23601,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23609,7 +23609,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23617,7 +23617,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23625,7 +23625,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23633,7 +23633,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23641,7 +23641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23649,7 +23649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23657,7 +23657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23665,7 +23665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23673,7 +23673,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23681,7 +23681,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23689,7 +23689,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23697,7 +23697,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23705,7 +23705,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23713,7 +23713,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23721,7 +23721,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23729,7 +23729,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23737,7 +23737,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23745,7 +23745,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23753,7 +23753,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23761,7 +23761,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23769,7 +23769,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23777,7 +23777,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23785,7 +23785,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23793,7 +23793,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23801,7 +23801,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23809,7 +23809,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23817,7 +23817,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23825,7 +23825,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23833,7 +23833,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23841,7 +23841,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23849,7 +23849,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23857,7 +23857,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23865,7 +23865,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23873,7 +23873,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23881,7 +23881,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23889,7 +23889,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23897,7 +23897,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23905,7 +23905,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23913,7 +23913,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23921,7 +23921,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23929,7 +23929,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23937,7 +23937,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23945,7 +23945,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23953,7 +23953,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23961,7 +23961,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23969,7 +23969,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -23977,7 +23977,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -23985,7 +23985,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -23993,7 +23993,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -24001,7 +24001,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -24009,7 +24009,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24017,7 +24017,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24025,7 +24025,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24033,7 +24033,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24041,7 +24041,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24049,7 +24049,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24057,7 +24057,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24065,7 +24065,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24073,7 +24073,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24081,7 +24081,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24089,7 +24089,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24097,7 +24097,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -24105,7 +24105,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -24113,7 +24113,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -24121,7 +24121,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -24129,7 +24129,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24137,7 +24137,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24145,7 +24145,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24153,7 +24153,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24161,7 +24161,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24169,7 +24169,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24177,7 +24177,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -24185,7 +24185,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24193,7 +24193,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -24201,7 +24201,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -24209,7 +24209,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -24217,7 +24217,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24225,7 +24225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24233,7 +24233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24241,7 +24241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24249,7 +24249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24257,7 +24257,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24265,7 +24265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24273,7 +24273,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24281,7 +24281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24289,7 +24289,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24297,7 +24297,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24305,7 +24305,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24313,7 +24313,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24321,7 +24321,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24329,7 +24329,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24337,7 +24337,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24345,7 +24345,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24353,7 +24353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24361,7 +24361,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24369,7 +24369,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24377,7 +24377,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24385,7 +24385,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24393,7 +24393,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24401,7 +24401,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24409,7 +24409,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24417,7 +24417,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24425,7 +24425,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24433,7 +24433,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24441,7 +24441,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24449,7 +24449,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24457,7 +24457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24465,7 +24465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24473,7 +24473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24481,7 +24481,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24489,7 +24489,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24497,7 +24497,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24505,7 +24505,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24513,7 +24513,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24521,7 +24521,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24529,7 +24529,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24537,7 +24537,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24545,7 +24545,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24553,7 +24553,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24561,7 +24561,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24569,7 +24569,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24577,7 +24577,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24585,7 +24585,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -24593,7 +24593,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -24601,7 +24601,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24609,7 +24609,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -24617,7 +24617,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24625,7 +24625,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24633,7 +24633,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24641,7 +24641,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24649,7 +24649,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24657,7 +24657,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24665,7 +24665,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24673,7 +24673,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24681,7 +24681,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24689,7 +24689,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24697,7 +24697,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24705,7 +24705,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24713,7 +24713,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24721,7 +24721,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24729,7 +24729,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24737,7 +24737,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24745,7 +24745,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24753,7 +24753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24761,7 +24761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24769,7 +24769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24777,7 +24777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24785,7 +24785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24793,7 +24793,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24801,7 +24801,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24809,7 +24809,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24817,7 +24817,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24825,7 +24825,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24833,7 +24833,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24841,7 +24841,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24849,7 +24849,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24857,7 +24857,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24865,7 +24865,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24873,7 +24873,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24881,7 +24881,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24889,7 +24889,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24897,7 +24897,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24905,7 +24905,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24913,7 +24913,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24921,7 +24921,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24929,7 +24929,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24937,7 +24937,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24945,7 +24945,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24953,7 +24953,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24961,7 +24961,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24969,7 +24969,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24977,7 +24977,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24985,7 +24985,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24993,7 +24993,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25001,7 +25001,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25009,7 +25009,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25017,7 +25017,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25025,7 +25025,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25033,7 +25033,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25041,7 +25041,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25049,7 +25049,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25057,7 +25057,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25065,7 +25065,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25073,7 +25073,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25081,7 +25081,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25089,7 +25089,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25097,7 +25097,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25105,7 +25105,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25113,7 +25113,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25121,7 +25121,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25129,7 +25129,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25137,7 +25137,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25145,7 +25145,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25153,7 +25153,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25161,7 +25161,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25169,7 +25169,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25177,7 +25177,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25185,7 +25185,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25193,7 +25193,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25201,7 +25201,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25209,7 +25209,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25217,7 +25217,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25225,7 +25225,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25233,7 +25233,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25241,7 +25241,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25249,7 +25249,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25257,7 +25257,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25265,7 +25265,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25273,7 +25273,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25281,7 +25281,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25289,7 +25289,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25297,7 +25297,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25305,7 +25305,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25313,7 +25313,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25321,7 +25321,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25329,7 +25329,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25337,7 +25337,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25345,7 +25345,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25353,7 +25353,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25361,7 +25361,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25369,7 +25369,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25377,7 +25377,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25385,7 +25385,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25393,7 +25393,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25401,7 +25401,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25409,7 +25409,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25417,7 +25417,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25425,7 +25425,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25433,7 +25433,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25441,7 +25441,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25449,7 +25449,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25457,7 +25457,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25465,7 +25465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25473,7 +25473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25481,7 +25481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25489,7 +25489,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25497,7 +25497,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25505,7 +25505,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25513,7 +25513,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25521,7 +25521,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25529,7 +25529,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25537,7 +25537,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25545,7 +25545,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25553,7 +25553,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25561,7 +25561,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25569,7 +25569,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25577,7 +25577,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25585,7 +25585,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25593,7 +25593,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25601,7 +25601,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25609,7 +25609,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25617,7 +25617,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25625,7 +25625,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25633,7 +25633,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25641,7 +25641,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25649,7 +25649,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25657,7 +25657,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25665,7 +25665,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25673,7 +25673,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25681,7 +25681,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25689,7 +25689,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25697,7 +25697,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25705,7 +25705,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25713,7 +25713,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25721,7 +25721,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25729,7 +25729,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25737,7 +25737,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25745,7 +25745,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25753,7 +25753,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25761,7 +25761,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25769,7 +25769,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25777,7 +25777,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25785,7 +25785,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25793,7 +25793,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25801,7 +25801,7 @@ attack-objects: tags: [] - attack-object-id: T1090.004 attack-object-name: Domain Fronting - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25809,7 +25809,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25817,7 +25817,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25825,7 +25825,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25833,7 +25833,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25841,7 +25841,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25849,7 +25849,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25857,7 +25857,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25865,7 +25865,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25873,7 +25873,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -25881,7 +25881,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25889,7 +25889,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25897,7 +25897,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25905,7 +25905,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25913,7 +25913,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25921,7 +25921,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25929,7 +25929,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25937,7 +25937,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25945,7 +25945,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25953,7 +25953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25961,7 +25961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25969,7 +25969,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25977,7 +25977,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25985,7 +25985,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25993,7 +25993,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26001,7 +26001,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26009,7 +26009,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26017,7 +26017,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26025,7 +26025,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26033,7 +26033,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26041,7 +26041,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26049,7 +26049,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26057,7 +26057,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26065,7 +26065,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26073,7 +26073,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26081,7 +26081,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26089,7 +26089,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26097,7 +26097,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26105,7 +26105,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26113,7 +26113,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26121,7 +26121,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26129,7 +26129,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26137,7 +26137,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26145,7 +26145,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26153,7 +26153,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26161,7 +26161,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26169,7 +26169,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26177,7 +26177,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26185,7 +26185,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26193,7 +26193,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26201,7 +26201,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26209,7 +26209,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26217,7 +26217,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26225,7 +26225,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26233,7 +26233,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26241,7 +26241,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26249,7 +26249,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26257,7 +26257,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26265,7 +26265,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26273,7 +26273,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26281,7 +26281,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26289,7 +26289,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26297,7 +26297,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26305,7 +26305,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26313,7 +26313,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26321,7 +26321,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26329,7 +26329,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26337,7 +26337,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26345,7 +26345,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26353,7 +26353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26361,7 +26361,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26369,7 +26369,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26377,7 +26377,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26385,7 +26385,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26393,7 +26393,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26401,7 +26401,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26409,7 +26409,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26417,7 +26417,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26425,7 +26425,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26433,7 +26433,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26441,7 +26441,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26449,7 +26449,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26457,7 +26457,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26465,7 +26465,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26473,7 +26473,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: LD_PRELOAD - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26481,7 +26481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26489,7 +26489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26497,7 +26497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26505,7 +26505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26513,7 +26513,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26521,7 +26521,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26529,7 +26529,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26537,7 +26537,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26545,7 +26545,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26553,7 +26553,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26561,7 +26561,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26569,7 +26569,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26577,7 +26577,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26585,7 +26585,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26593,7 +26593,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26601,7 +26601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26609,7 +26609,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26617,7 +26617,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26625,7 +26625,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26633,7 +26633,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26641,7 +26641,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26649,7 +26649,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26657,7 +26657,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26665,7 +26665,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26673,7 +26673,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26681,7 +26681,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26689,7 +26689,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26697,7 +26697,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26705,7 +26705,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26713,7 +26713,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26721,7 +26721,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26729,7 +26729,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26737,7 +26737,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26745,7 +26745,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26753,7 +26753,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26761,7 +26761,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26769,7 +26769,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26777,7 +26777,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26785,7 +26785,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26793,7 +26793,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26801,7 +26801,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26809,7 +26809,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26817,7 +26817,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26825,7 +26825,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26833,7 +26833,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26841,7 +26841,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26849,7 +26849,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26857,7 +26857,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26865,7 +26865,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26873,7 +26873,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26881,7 +26881,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26889,7 +26889,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26897,7 +26897,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26905,7 +26905,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26913,7 +26913,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26921,7 +26921,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26929,7 +26929,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26937,7 +26937,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26945,7 +26945,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26953,7 +26953,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26961,7 +26961,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26969,7 +26969,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26977,7 +26977,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26985,7 +26985,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -26993,7 +26993,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27001,7 +27001,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27009,7 +27009,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27017,7 +27017,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27025,7 +27025,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27033,7 +27033,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27041,7 +27041,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27049,7 +27049,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27057,7 +27057,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27065,7 +27065,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27073,7 +27073,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27081,7 +27081,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27089,7 +27089,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27097,7 +27097,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27105,7 +27105,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27113,7 +27113,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27121,7 +27121,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27129,7 +27129,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27137,7 +27137,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27145,7 +27145,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27153,7 +27153,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27161,7 +27161,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27169,7 +27169,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27177,7 +27177,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27185,7 +27185,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27193,7 +27193,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27201,7 +27201,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27209,7 +27209,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27217,7 +27217,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27225,7 +27225,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27233,7 +27233,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27241,7 +27241,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27249,7 +27249,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27257,7 +27257,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27265,7 +27265,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27273,7 +27273,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27281,7 +27281,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27289,7 +27289,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27297,7 +27297,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27305,7 +27305,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27313,7 +27313,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27321,7 +27321,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27329,7 +27329,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27337,7 +27337,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27345,7 +27345,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27353,7 +27353,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27361,7 +27361,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27369,7 +27369,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27377,7 +27377,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27385,7 +27385,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27393,7 +27393,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27401,7 +27401,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27409,7 +27409,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27417,7 +27417,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27425,7 +27425,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27433,7 +27433,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27441,7 +27441,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27449,7 +27449,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27457,7 +27457,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27465,7 +27465,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27473,7 +27473,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27481,7 +27481,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27489,7 +27489,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27497,7 +27497,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27505,7 +27505,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27513,7 +27513,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27521,7 +27521,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27529,7 +27529,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27537,7 +27537,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27545,7 +27545,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27553,7 +27553,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27561,7 +27561,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27569,7 +27569,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27577,7 +27577,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27585,7 +27585,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27593,7 +27593,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27601,7 +27601,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27609,7 +27609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27617,7 +27617,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27625,7 +27625,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27633,7 +27633,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27641,7 +27641,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27649,7 +27649,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27657,7 +27657,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27665,7 +27665,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27673,7 +27673,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27681,7 +27681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27689,7 +27689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27697,7 +27697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27705,7 +27705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27713,7 +27713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27721,7 +27721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27729,7 +27729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27737,7 +27737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27745,7 +27745,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27753,7 +27753,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27761,7 +27761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27769,7 +27769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27777,7 +27777,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27785,7 +27785,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27793,7 +27793,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27801,7 +27801,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27809,7 +27809,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27817,7 +27817,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27825,7 +27825,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27833,7 +27833,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27841,7 +27841,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27849,7 +27849,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27857,7 +27857,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27865,7 +27865,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27873,7 +27873,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27881,7 +27881,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27889,7 +27889,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27897,7 +27897,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27905,7 +27905,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27913,7 +27913,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27921,7 +27921,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27929,7 +27929,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27937,7 +27937,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27945,7 +27945,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27953,7 +27953,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27961,7 +27961,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27969,7 +27969,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27977,7 +27977,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27985,7 +27985,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27993,7 +27993,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28001,7 +28001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28009,7 +28009,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28017,7 +28017,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28025,7 +28025,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28033,7 +28033,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28041,7 +28041,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28049,7 +28049,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28057,7 +28057,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28065,7 +28065,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28073,7 +28073,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28081,7 +28081,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28089,7 +28089,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28097,7 +28097,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28105,7 +28105,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28113,7 +28113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28121,7 +28121,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28129,7 +28129,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28137,7 +28137,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28145,7 +28145,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28153,7 +28153,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28161,7 +28161,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28169,7 +28169,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28177,7 +28177,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28185,7 +28185,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28193,7 +28193,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28201,7 +28201,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28209,7 +28209,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28217,7 +28217,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28225,7 +28225,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28233,7 +28233,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28241,7 +28241,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28249,7 +28249,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28257,7 +28257,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28265,7 +28265,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28273,7 +28273,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28281,7 +28281,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28289,7 +28289,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28297,7 +28297,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28305,7 +28305,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28313,7 +28313,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28321,7 +28321,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28329,7 +28329,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28337,7 +28337,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28345,7 +28345,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28353,7 +28353,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28361,7 +28361,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28369,7 +28369,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28377,7 +28377,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28385,7 +28385,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28393,7 +28393,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28401,7 +28401,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28409,7 +28409,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28417,7 +28417,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28425,7 +28425,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28433,7 +28433,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28441,7 +28441,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28449,7 +28449,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28457,7 +28457,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28465,7 +28465,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28473,7 +28473,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28481,7 +28481,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28489,7 +28489,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28497,7 +28497,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28505,7 +28505,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28513,7 +28513,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28521,7 +28521,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28529,7 +28529,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28537,7 +28537,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28545,7 +28545,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28553,7 +28553,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28561,7 +28561,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28569,7 +28569,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28577,7 +28577,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28585,7 +28585,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28593,7 +28593,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28601,7 +28601,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28609,7 +28609,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28617,7 +28617,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28625,7 +28625,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28633,7 +28633,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28641,7 +28641,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28649,7 +28649,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28657,7 +28657,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28665,7 +28665,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28673,7 +28673,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28681,7 +28681,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28689,7 +28689,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28697,7 +28697,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28705,7 +28705,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28713,7 +28713,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28721,7 +28721,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28729,7 +28729,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28737,7 +28737,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28745,7 +28745,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28753,7 +28753,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28761,7 +28761,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28769,7 +28769,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28777,7 +28777,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28785,7 +28785,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28793,7 +28793,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28801,7 +28801,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28809,7 +28809,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28817,7 +28817,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28825,7 +28825,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28833,7 +28833,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28841,7 +28841,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28849,7 +28849,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28857,7 +28857,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28865,7 +28865,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28873,7 +28873,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28881,7 +28881,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28889,7 +28889,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28897,7 +28897,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28905,7 +28905,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28913,7 +28913,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28921,7 +28921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28929,7 +28929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28937,7 +28937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28945,7 +28945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28953,7 +28953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28961,7 +28961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28969,7 +28969,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28977,7 +28977,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28985,7 +28985,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28993,7 +28993,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29001,7 +29001,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29009,7 +29009,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29017,7 +29017,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29025,7 +29025,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29033,7 +29033,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29041,7 +29041,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29049,7 +29049,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29057,7 +29057,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29065,7 +29065,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29073,7 +29073,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29081,7 +29081,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29089,7 +29089,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29097,7 +29097,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29105,7 +29105,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29113,7 +29113,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29121,7 +29121,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29129,7 +29129,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29137,7 +29137,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29145,7 +29145,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29153,7 +29153,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29161,7 +29161,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29169,7 +29169,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29177,7 +29177,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29185,7 +29185,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29193,7 +29193,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29201,7 +29201,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29209,7 +29209,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29217,7 +29217,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29225,7 +29225,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29233,7 +29233,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29241,7 +29241,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29249,7 +29249,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29257,7 +29257,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29265,7 +29265,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29273,7 +29273,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29281,7 +29281,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29289,7 +29289,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29297,7 +29297,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29305,7 +29305,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29313,7 +29313,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29321,7 +29321,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29329,7 +29329,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29337,7 +29337,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29345,7 +29345,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29353,7 +29353,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29361,7 +29361,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29369,7 +29369,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29377,7 +29377,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29385,7 +29385,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29393,7 +29393,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29401,7 +29401,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29409,7 +29409,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29417,7 +29417,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29425,7 +29425,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29433,7 +29433,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29441,7 +29441,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29449,7 +29449,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29457,7 +29457,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29465,7 +29465,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29473,7 +29473,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29481,7 +29481,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29489,7 +29489,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29497,7 +29497,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29505,7 +29505,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29513,7 +29513,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29521,7 +29521,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29529,7 +29529,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29537,7 +29537,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29545,7 +29545,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29553,7 +29553,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29561,7 +29561,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29569,7 +29569,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29577,7 +29577,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29585,7 +29585,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29593,7 +29593,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29601,7 +29601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29609,7 +29609,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29617,7 +29617,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29625,7 +29625,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29633,7 +29633,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29641,7 +29641,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29649,7 +29649,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29657,7 +29657,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29665,7 +29665,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29673,7 +29673,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29681,7 +29681,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29689,7 +29689,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29697,7 +29697,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29705,7 +29705,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29713,7 +29713,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29721,7 +29721,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29729,7 +29729,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29737,7 +29737,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29745,7 +29745,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29753,7 +29753,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29761,7 +29761,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29769,7 +29769,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29777,7 +29777,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29785,7 +29785,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29793,7 +29793,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29801,7 +29801,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29809,7 +29809,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29817,7 +29817,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29825,7 +29825,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29833,7 +29833,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29841,7 +29841,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29849,7 +29849,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29857,7 +29857,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29865,7 +29865,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29873,7 +29873,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29881,7 +29881,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29889,7 +29889,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29897,7 +29897,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29905,7 +29905,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29913,7 +29913,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29921,7 +29921,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29929,7 +29929,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29937,7 +29937,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29945,7 +29945,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29953,7 +29953,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29961,7 +29961,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29969,7 +29969,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29977,7 +29977,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29985,7 +29985,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29993,7 +29993,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30001,7 +30001,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30009,7 +30009,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30017,7 +30017,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30025,7 +30025,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30033,7 +30033,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30041,7 +30041,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30049,7 +30049,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30057,7 +30057,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30065,7 +30065,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30073,7 +30073,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30081,7 +30081,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30089,7 +30089,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30097,7 +30097,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30105,7 +30105,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30113,7 +30113,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30121,7 +30121,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30129,7 +30129,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30137,7 +30137,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30145,7 +30145,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30153,7 +30153,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30161,7 +30161,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30169,7 +30169,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30177,7 +30177,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30185,7 +30185,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30193,7 +30193,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30201,7 +30201,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30209,7 +30209,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30217,7 +30217,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30225,7 +30225,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30233,7 +30233,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30241,7 +30241,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30249,7 +30249,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30257,7 +30257,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30265,7 +30265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30273,7 +30273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30281,7 +30281,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30289,7 +30289,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30297,7 +30297,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30305,7 +30305,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30313,7 +30313,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30321,7 +30321,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30329,7 +30329,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30337,7 +30337,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30345,7 +30345,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30353,7 +30353,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30361,7 +30361,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30369,7 +30369,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30377,7 +30377,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30385,7 +30385,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30393,7 +30393,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30401,7 +30401,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30409,7 +30409,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30417,7 +30417,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30425,7 +30425,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30433,7 +30433,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30441,7 +30441,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30449,7 +30449,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30457,7 +30457,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30465,7 +30465,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30473,7 +30473,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30481,7 +30481,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30489,7 +30489,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30497,7 +30497,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30505,7 +30505,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30513,7 +30513,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30521,7 +30521,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30529,7 +30529,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30537,7 +30537,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30545,7 +30545,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30553,7 +30553,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30561,7 +30561,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30569,7 +30569,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30577,7 +30577,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30585,7 +30585,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30593,7 +30593,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30601,7 +30601,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30609,7 +30609,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30617,7 +30617,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30625,7 +30625,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30633,7 +30633,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30641,7 +30641,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30649,7 +30649,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30657,7 +30657,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30665,7 +30665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30673,7 +30673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30681,7 +30681,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30689,7 +30689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30697,7 +30697,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30705,7 +30705,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30713,7 +30713,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30721,7 +30721,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30729,7 +30729,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30737,7 +30737,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30745,7 +30745,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30753,7 +30753,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30761,7 +30761,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30769,7 +30769,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30777,7 +30777,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30785,7 +30785,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30793,7 +30793,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30801,7 +30801,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30809,7 +30809,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30817,7 +30817,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30825,7 +30825,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30833,7 +30833,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30841,7 +30841,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30849,7 +30849,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30857,7 +30857,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30865,7 +30865,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30873,7 +30873,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30881,7 +30881,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30889,7 +30889,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30897,7 +30897,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30905,7 +30905,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30913,7 +30913,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30921,7 +30921,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30929,7 +30929,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30937,7 +30937,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30945,7 +30945,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30953,7 +30953,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30961,7 +30961,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30969,7 +30969,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30977,7 +30977,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30985,7 +30985,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30993,7 +30993,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31001,7 +31001,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31009,7 +31009,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31017,7 +31017,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31025,7 +31025,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31033,7 +31033,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31041,7 +31041,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31049,7 +31049,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31057,7 +31057,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31065,7 +31065,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31073,7 +31073,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31081,7 +31081,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31089,7 +31089,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31097,7 +31097,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31105,7 +31105,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31113,7 +31113,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31121,7 +31121,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31129,7 +31129,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31137,7 +31137,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31145,7 +31145,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31153,7 +31153,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31161,7 +31161,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31169,7 +31169,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31177,7 +31177,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31185,7 +31185,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31193,7 +31193,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31201,7 +31201,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31209,7 +31209,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31217,7 +31217,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31225,7 +31225,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31233,7 +31233,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31241,7 +31241,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31249,7 +31249,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31257,7 +31257,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31265,7 +31265,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31273,7 +31273,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31281,7 +31281,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31289,7 +31289,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31297,7 +31297,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31305,7 +31305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31313,7 +31313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31321,7 +31321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31329,7 +31329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31337,7 +31337,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31345,7 +31345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31353,7 +31353,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31361,7 +31361,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31369,7 +31369,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31377,7 +31377,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31385,7 +31385,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31393,7 +31393,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31401,7 +31401,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31409,7 +31409,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31417,7 +31417,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31425,7 +31425,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31433,7 +31433,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31441,7 +31441,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31449,7 +31449,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31457,7 +31457,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31465,7 +31465,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31473,7 +31473,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31481,7 +31481,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -31489,7 +31489,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -31497,7 +31497,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -31505,7 +31505,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -31513,7 +31513,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31521,7 +31521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31529,7 +31529,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31537,7 +31537,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31545,7 +31545,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31553,7 +31553,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31561,7 +31561,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31569,7 +31569,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31577,7 +31577,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31585,7 +31585,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31593,7 +31593,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31601,7 +31601,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31609,7 +31609,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31617,7 +31617,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31625,7 +31625,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31633,7 +31633,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31641,7 +31641,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31649,7 +31649,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31657,7 +31657,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31665,7 +31665,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31673,7 +31673,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31681,7 +31681,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31689,7 +31689,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31697,7 +31697,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31705,7 +31705,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31713,7 +31713,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31721,7 +31721,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31729,7 +31729,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31737,7 +31737,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31745,7 +31745,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31753,7 +31753,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31761,7 +31761,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31769,7 +31769,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31777,7 +31777,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31785,7 +31785,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31793,7 +31793,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31801,7 +31801,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31809,7 +31809,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31817,7 +31817,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31825,7 +31825,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31833,7 +31833,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31841,7 +31841,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31849,7 +31849,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31857,7 +31857,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31865,7 +31865,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31873,7 +31873,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31881,7 +31881,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31889,7 +31889,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31897,7 +31897,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31905,7 +31905,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31913,7 +31913,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31921,7 +31921,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31929,7 +31929,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31937,7 +31937,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31945,7 +31945,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31953,7 +31953,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31961,7 +31961,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31969,7 +31969,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31977,7 +31977,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31985,7 +31985,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31993,7 +31993,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32001,7 +32001,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32009,7 +32009,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32017,7 +32017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32025,7 +32025,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32033,7 +32033,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32041,7 +32041,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32049,7 +32049,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32057,7 +32057,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32065,7 +32065,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32073,7 +32073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32081,7 +32081,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32089,7 +32089,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32097,7 +32097,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32105,7 +32105,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32113,7 +32113,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32121,7 +32121,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32129,7 +32129,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32137,7 +32137,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32145,7 +32145,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32153,7 +32153,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32161,7 +32161,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32169,7 +32169,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32177,7 +32177,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32185,7 +32185,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32193,7 +32193,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32201,7 +32201,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32209,7 +32209,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32217,7 +32217,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32225,7 +32225,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32233,7 +32233,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32241,7 +32241,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32249,7 +32249,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32257,7 +32257,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32265,7 +32265,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32273,7 +32273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32281,7 +32281,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32289,7 +32289,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32297,7 +32297,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32305,7 +32305,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32313,7 +32313,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32321,7 +32321,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32329,7 +32329,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32337,7 +32337,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32345,7 +32345,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32353,7 +32353,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32361,7 +32361,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32369,7 +32369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32377,7 +32377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32385,7 +32385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32393,7 +32393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32401,7 +32401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32409,7 +32409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32417,7 +32417,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32425,7 +32425,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32433,7 +32433,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32441,7 +32441,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32449,7 +32449,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32457,7 +32457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32465,7 +32465,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32473,7 +32473,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32481,7 +32481,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32489,7 +32489,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32497,7 +32497,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32505,7 +32505,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32513,7 +32513,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32521,7 +32521,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32529,7 +32529,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32537,7 +32537,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32545,7 +32545,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32553,7 +32553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32561,7 +32561,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32569,7 +32569,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32577,7 +32577,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32585,7 +32585,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32593,7 +32593,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32601,7 +32601,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32609,7 +32609,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32617,7 +32617,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32625,7 +32625,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32633,7 +32633,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32641,7 +32641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32649,7 +32649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32657,7 +32657,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32665,7 +32665,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32673,7 +32673,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32681,7 +32681,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32689,7 +32689,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32697,7 +32697,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32705,7 +32705,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32713,7 +32713,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32721,7 +32721,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32729,7 +32729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32737,7 +32737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32745,7 +32745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32753,7 +32753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: LD_PRELOAD - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32761,7 +32761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32769,7 +32769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32777,7 +32777,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32785,7 +32785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32793,7 +32793,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32801,7 +32801,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32809,7 +32809,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32817,7 +32817,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32825,7 +32825,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32833,7 +32833,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32841,7 +32841,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32849,7 +32849,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32857,7 +32857,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32865,7 +32865,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32873,7 +32873,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32881,7 +32881,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32889,7 +32889,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32897,7 +32897,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32905,7 +32905,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32913,7 +32913,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32921,7 +32921,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32929,7 +32929,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32937,7 +32937,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -32945,7 +32945,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_attack_objects.csv new file mode 100644 index 00000000..3f1759d1 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_attack_objects.csv 
@@ -0,0 +1,4120 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1137,Office Application Startup,[],[],,AC-10,mitigates,6 +1,,T1137.002,Office Test,[],[],,AC-10,mitigates,6 +2,,T1528,Steal Application Access Token,[],[],,AC-10,mitigates,6 +3,,T1021.001,Remote Desktop Protocol,[],[],,AC-11,mitigates,6 +4,,T1563.002,RDP Hijacking,[],[],,AC-11,mitigates,6 +5,,T1021.001,Remote Desktop Protocol,[],[],,AC-12,mitigates,6 +6,,T1072,Software Deployment Tools,[],[],,AC-12,mitigates,6 +7,,T1563.002,RDP Hijacking,[],[],,AC-12,mitigates,6 +8,,T1137.002,Office Test,[],[],,AC-14,mitigates,6 +9,,T1003,OS Credential Dumping,[],[],,AC-16,mitigates,6 +10,,T1003.003,NTDS,[],[],,AC-16,mitigates,6 +11,,T1020.001,Traffic Duplication,[],[],,AC-16,mitigates,6 +12,,T1040,Network Sniffing,[],[],,AC-16,mitigates,6 +13,,T1070,Indicator Removal on Host,[],[],,AC-16,mitigates,6 +14,,T1070.001,Clear Windows Event Logs,[],[],,AC-16,mitigates,6 +15,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-16,mitigates,6 +16,,T1114,Email Collection,[],[],,AC-16,mitigates,6 +17,,T1114.001,Local Email Collection,[],[],,AC-16,mitigates,6 +18,,T1114.002,Remote Email Collection,[],[],,AC-16,mitigates,6 +19,,T1114.003,Email Forwarding Rule,[],[],,AC-16,mitigates,6 +20,,T1119,Automated Collection,[],[],,AC-16,mitigates,6 +21,,T1213,Data from Information Repositories,[],[],,AC-16,mitigates,6 +22,,T1213.001,Confluence,[],[],,AC-16,mitigates,6 +23,,T1213.002,Sharepoint,[],[],,AC-16,mitigates,6 +24,,T1222,File and Directory Permissions Modification,[],[],,AC-16,mitigates,6 +25,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-16,mitigates,6 +26,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-16,mitigates,6 +27,,T1530,Data from Cloud Storage Object,[],[],,AC-16,mitigates,6 +28,,T1537,Transfer Data to Cloud Account,[],[],,AC-16,mitigates,6 +29,,T1547.007,Re-opened 
Applications,[],[],,AC-16,mitigates,6 +30,,T1547.011,Plist Modification,[],[],,AC-16,mitigates,6 +31,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-16,mitigates,6 +32,,T1548.003,Sudo and Sudo Caching,[],[],,AC-16,mitigates,6 +33,,T1550.001,Application Access Token,[],[],,AC-16,mitigates,6 +34,,T1552,Unsecured Credentials,[],[],,AC-16,mitigates,6 +35,,T1552.004,Private Keys,[],[],,AC-16,mitigates,6 +36,,T1552.005,Cloud Instance Metadata API,[],[],,AC-16,mitigates,6 +37,,T1557,Man-in-the-Middle,[],[],,AC-16,mitigates,6 +38,,T1557.002,ARP Cache Poisoning,[],[],,AC-16,mitigates,6 +39,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-16,mitigates,6 +40,,T1558.002,Silver Ticket,[],[],,AC-16,mitigates,6 +41,,T1558.003,Kerberoasting,[],[],,AC-16,mitigates,6 +42,,T1558.004,AS-REP Roasting,[],[],,AC-16,mitigates,6 +43,,T1564.004,NTFS File Attributes,[],[],,AC-16,mitigates,6 +44,,T1565,Data Manipulation,[],[],,AC-16,mitigates,6 +45,,T1565.001,Stored Data Manipulation,[],[],,AC-16,mitigates,6 +46,,T1565.002,Transmitted Data Manipulation,[],[],,AC-16,mitigates,6 +47,,T1602,Data from Configuration Repository,[],[],,AC-16,mitigates,6 +48,,T1602.001,SNMP (MIB Dump),[],[],,AC-16,mitigates,6 +49,,T1602.002,Network Device Configuration Dump,[],[],,AC-16,mitigates,6 +50,,T1020.001,Traffic Duplication,[],[],,AC-17,mitigates,6 +51,,T1021,Remote Services,[],[],,AC-17,mitigates,6 +52,,T1021.001,Remote Desktop Protocol,[],[],,AC-17,mitigates,6 +53,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-17,mitigates,6 +54,,T1021.003,Distributed Component Object Model,[],[],,AC-17,mitigates,6 +55,,T1021.004,SSH,[],[],,AC-17,mitigates,6 +56,,T1021.005,VNC,[],[],,AC-17,mitigates,6 +57,,T1021.006,Windows Remote Management,[],[],,AC-17,mitigates,6 +58,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-17,mitigates,6 +59,,T1037.001,Logon Script (Windows),[],[],,AC-17,mitigates,6 +60,,T1040,Network Sniffing,[],[],,AC-17,mitigates,6 +61,,T1047,Windows Management Instrumentation,[],[],,AC-17,mitigates,6 
+62,,T1070,Indicator Removal on Host,[],[],,AC-17,mitigates,6 +63,,T1070.001,Clear Windows Event Logs,[],[],,AC-17,mitigates,6 +64,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-17,mitigates,6 +65,,T1114,Email Collection,[],[],,AC-17,mitigates,6 +66,,T1114.001,Local Email Collection,[],[],,AC-17,mitigates,6 +67,,T1114.002,Remote Email Collection,[],[],,AC-17,mitigates,6 +68,,T1114.003,Email Forwarding Rule,[],[],,AC-17,mitigates,6 +69,,T1119,Automated Collection,[],[],,AC-17,mitigates,6 +70,,T1133,External Remote Services,[],[],,AC-17,mitigates,6 +71,,T1137,Office Application Startup,[],[],,AC-17,mitigates,6 +72,,T1137.002,Office Test,[],[],,AC-17,mitigates,6 +73,,T1213,Data from Information Repositories,[],[],,AC-17,mitigates,6 +74,,T1213.001,Confluence,[],[],,AC-17,mitigates,6 +75,,T1213.002,Sharepoint,[],[],,AC-17,mitigates,6 +76,,T1219,Remote Access Software,[],[],,AC-17,mitigates,6 +77,,T1530,Data from Cloud Storage Object,[],[],,AC-17,mitigates,6 +78,,T1537,Transfer Data to Cloud Account,[],[],,AC-17,mitigates,6 +79,,T1543,Create or Modify System Process,[],[],,AC-17,mitigates,6 +80,,T1543.003,Windows Service,[],[],,AC-17,mitigates,6 +81,,T1550.001,Application Access Token,[],[],,AC-17,mitigates,6 +82,,T1552,Unsecured Credentials,[],[],,AC-17,mitigates,6 +83,,T1552.004,Private Keys,[],[],,AC-17,mitigates,6 +84,,T1557,Man-in-the-Middle,[],[],,AC-17,mitigates,6 +85,,T1557.002,ARP Cache Poisoning,[],[],,AC-17,mitigates,6 +86,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-17,mitigates,6 +87,,T1558.002,Silver Ticket,[],[],,AC-17,mitigates,6 +88,,T1558.003,Kerberoasting,[],[],,AC-17,mitigates,6 +89,,T1558.004,AS-REP Roasting,[],[],,AC-17,mitigates,6 +90,,T1563,Remote Service Session Hijacking,[],[],,AC-17,mitigates,6 +91,,T1563.001,SSH Hijacking,[],[],,AC-17,mitigates,6 +92,,T1563.002,RDP Hijacking,[],[],,AC-17,mitigates,6 +93,,T1565,Data Manipulation,[],[],,AC-17,mitigates,6 +94,,T1565.001,Stored Data Manipulation,[],[],,AC-17,mitigates,6 
+95,,T1565.002,Transmitted Data Manipulation,[],[],,AC-17,mitigates,6 +96,,T1602,Data from Configuration Repository,[],[],,AC-17,mitigates,6 +97,,T1602.001,SNMP (MIB Dump),[],[],,AC-17,mitigates,6 +98,,T1602.002,Network Device Configuration Dump,[],[],,AC-17,mitigates,6 +99,,T1011,Exfiltration Over Other Network Medium,[],[],,AC-18,mitigates,6 +100,,T1011.001,Exfiltration Over Bluetooth,[],[],,AC-18,mitigates,6 +101,,T1020.001,Traffic Duplication,[],[],,AC-18,mitigates,6 +102,,T1040,Network Sniffing,[],[],,AC-18,mitigates,6 +103,,T1070,Indicator Removal on Host,[],[],,AC-18,mitigates,6 +104,,T1070.001,Clear Windows Event Logs,[],[],,AC-18,mitigates,6 +105,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-18,mitigates,6 +106,,T1119,Automated Collection,[],[],,AC-18,mitigates,6 +107,,T1530,Data from Cloud Storage Object,[],[],,AC-18,mitigates,6 +108,,T1552,Unsecured Credentials,[],[],,AC-18,mitigates,6 +109,,T1552.004,Private Keys,[],[],,AC-18,mitigates,6 +110,,T1557,Man-in-the-Middle,[],[],,AC-18,mitigates,6 +111,,T1557.002,ARP Cache Poisoning,[],[],,AC-18,mitigates,6 +112,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-18,mitigates,6 +113,,T1558.002,Silver Ticket,[],[],,AC-18,mitigates,6 +114,,T1558.003,Kerberoasting,[],[],,AC-18,mitigates,6 +115,,T1558.004,AS-REP Roasting,[],[],,AC-18,mitigates,6 +116,,T1565,Data Manipulation,[],[],,AC-18,mitigates,6 +117,,T1565.001,Stored Data Manipulation,[],[],,AC-18,mitigates,6 +118,,T1565.002,Transmitted Data Manipulation,[],[],,AC-18,mitigates,6 +119,,T1602,Data from Configuration Repository,[],[],,AC-18,mitigates,6 +120,,T1602.001,SNMP (MIB Dump),[],[],,AC-18,mitigates,6 +121,,T1602.002,Network Device Configuration Dump,[],[],,AC-18,mitigates,6 +122,,T1020.001,Traffic Duplication,[],[],,AC-19,mitigates,6 +123,,T1040,Network Sniffing,[],[],,AC-19,mitigates,6 +124,,T1070,Indicator Removal on Host,[],[],,AC-19,mitigates,6 +125,,T1070.001,Clear Windows Event Logs,[],[],,AC-19,mitigates,6 +126,,T1070.002,Clear Linux or Mac 
System Logs,[],[],,AC-19,mitigates,6 +127,,T1114,Email Collection,[],[],,AC-19,mitigates,6 +128,,T1114.001,Local Email Collection,[],[],,AC-19,mitigates,6 +129,,T1114.002,Remote Email Collection,[],[],,AC-19,mitigates,6 +130,,T1114.003,Email Forwarding Rule,[],[],,AC-19,mitigates,6 +131,,T1119,Automated Collection,[],[],,AC-19,mitigates,6 +132,,T1530,Data from Cloud Storage Object,[],[],,AC-19,mitigates,6 +133,,T1550.001,Application Access Token,[],[],,AC-19,mitigates,6 +134,,T1552,Unsecured Credentials,[],[],,AC-19,mitigates,6 +135,,T1552.004,Private Keys,[],[],,AC-19,mitigates,6 +136,,T1557,Man-in-the-Middle,[],[],,AC-19,mitigates,6 +137,,T1557.002,ARP Cache Poisoning,[],[],,AC-19,mitigates,6 +138,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-19,mitigates,6 +139,,T1558.002,Silver Ticket,[],[],,AC-19,mitigates,6 +140,,T1558.003,Kerberoasting,[],[],,AC-19,mitigates,6 +141,,T1558.004,AS-REP Roasting,[],[],,AC-19,mitigates,6 +142,,T1565,Data Manipulation,[],[],,AC-19,mitigates,6 +143,,T1565.001,Stored Data Manipulation,[],[],,AC-19,mitigates,6 +144,,T1565.002,Transmitted Data Manipulation,[],[],,AC-19,mitigates,6 +145,,T1602,Data from Configuration Repository,[],[],,AC-19,mitigates,6 +146,,T1602.001,SNMP (MIB Dump),[],[],,AC-19,mitigates,6 +147,,T1602.002,Network Device Configuration Dump,[],[],,AC-19,mitigates,6 +148,,T1003,OS Credential Dumping,[],[],,AC-2,mitigates,6 +149,,T1003.001,LSASS Memory,[],[],,AC-2,mitigates,6 +150,,T1003.002,Security Account Manager,[],[],,AC-2,mitigates,6 +151,,T1003.003,NTDS,[],[],,AC-2,mitigates,6 +152,,T1003.004,LSA Secrets,[],[],,AC-2,mitigates,6 +153,,T1003.005,Cached Domain Credentials,[],[],,AC-2,mitigates,6 +154,,T1003.006,DCSync,[],[],,AC-2,mitigates,6 +155,,T1003.007,Proc Filesystem,[],[],,AC-2,mitigates,6 +156,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-2,mitigates,6 +157,,T1021,Remote Services,[],[],,AC-2,mitigates,6 +158,,T1021.001,Remote Desktop Protocol,[],[],,AC-2,mitigates,6 +159,,T1021.002,SMB/Windows Admin 
Shares,[],[],,AC-2,mitigates,6 +160,,T1021.003,Distributed Component Object Model,[],[],,AC-2,mitigates,6 +161,,T1021.004,SSH,[],[],,AC-2,mitigates,6 +162,,T1021.005,VNC,[],[],,AC-2,mitigates,6 +163,,T1021.006,Windows Remote Management,[],[],,AC-2,mitigates,6 +164,,T1036,Masquerading,[],[],,AC-2,mitigates,6 +165,,T1036.003,Rename System Utilities,[],[],,AC-2,mitigates,6 +166,,T1036.005,Match Legitimate Name or Location,[],[],,AC-2,mitigates,6 +167,,T1047,Windows Management Instrumentation,[],[],,AC-2,mitigates,6 +168,,T1053,Scheduled Task/Job,[],[],,AC-2,mitigates,6 +169,,T1053.001,At (Linux),[],[],,AC-2,mitigates,6 +170,,T1053.002,At (Windows),[],[],,AC-2,mitigates,6 +171,,T1053.003,Cron,[],[],,AC-2,mitigates,6 +172,,T1053.004,Launchd,[],[],,AC-2,mitigates,6 +173,,T1053.005,Scheduled Task,[],[],,AC-2,mitigates,6 +174,,T1053.006,Systemd Timers,[],[],,AC-2,mitigates,6 +175,,T1055,Process Injection,[],[],,AC-2,mitigates,6 +176,,T1055.008,Ptrace System Calls,[],[],,AC-2,mitigates,6 +177,,T1056.003,Web Portal Capture,[],[],,AC-2,mitigates,6 +178,,T1059,Command and Scripting Interpreter,[],[],,AC-2,mitigates,6 +179,,T1059.001,PowerShell,[],[],,AC-2,mitigates,6 +180,,T1059.008,Network Device CLI,[],[],,AC-2,mitigates,6 +181,,T1068,Exploitation for Privilege Escalation,[],[],,AC-2,mitigates,6 +182,,T1070,Indicator Removal on Host,[],[],,AC-2,mitigates,6 +183,,T1070.001,Clear Windows Event Logs,[],[],,AC-2,mitigates,6 +184,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-2,mitigates,6 +185,,T1070.003,Clear Command History,[],[],,AC-2,mitigates,6 +186,,T1072,Software Deployment Tools,[],[],,AC-2,mitigates,6 +187,,T1078,Valid Accounts,[],[],,AC-2,mitigates,6 +188,,T1078.001,Default Accounts,[],[],,AC-2,mitigates,6 +189,,T1078.002,Domain Accounts,[],[],,AC-2,mitigates,6 +190,,T1078.003,Local Accounts,[],[],,AC-2,mitigates,6 +191,,T1078.004,Cloud Accounts,[],[],,AC-2,mitigates,6 +192,,T1087.004,Cloud Account,[],[],,AC-2,mitigates,6 +193,,T1098,Account 
Manipulation,[],[],,AC-2,mitigates,6 +194,,T1098.001,Additional Cloud Credentials,[],[],,AC-2,mitigates,6 +195,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-2,mitigates,6 +196,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-2,mitigates,6 +197,,T1110,Brute Force,[],[],,AC-2,mitigates,6 +198,,T1110.001,Password Guessing,[],[],,AC-2,mitigates,6 +199,,T1110.002,Password Cracking,[],[],,AC-2,mitigates,6 +200,,T1110.003,Password Spraying,[],[],,AC-2,mitigates,6 +201,,T1110.004,Credential Stuffing,[],[],,AC-2,mitigates,6 +202,,T1134,Access Token Manipulation,[],[],,AC-2,mitigates,6 +203,,T1134.001,Token Impersonation/Theft,[],[],,AC-2,mitigates,6 +204,,T1134.002,Create Process with Token,[],[],,AC-2,mitigates,6 +205,,T1134.003,Make and Impersonate Token,[],[],,AC-2,mitigates,6 +206,,T1136,Create Account,[],[],,AC-2,mitigates,6 +207,,T1136.001,Local Account,[],[],,AC-2,mitigates,6 +208,,T1136.002,Domain Account,[],[],,AC-2,mitigates,6 +209,,T1136.003,Cloud Account,[],[],,AC-2,mitigates,6 +210,,T1185,Man in the Browser,[],[],,AC-2,mitigates,6 +211,,T1190,Exploit Public-Facing Application,[],[],,AC-2,mitigates,6 +212,,T1197,BITS Jobs,[],[],,AC-2,mitigates,6 +213,,T1210,Exploitation of Remote Services,[],[],,AC-2,mitigates,6 +214,,T1212,Exploitation for Credential Access,[],[],,AC-2,mitigates,6 +215,,T1213,Data from Information Repositories,[],[],,AC-2,mitigates,6 +216,,T1213.001,Confluence,[],[],,AC-2,mitigates,6 +217,,T1213.002,Sharepoint,[],[],,AC-2,mitigates,6 +218,,T1218,Signed Binary Proxy Execution,[],[],,AC-2,mitigates,6 +219,,T1218.007,Msiexec,[],[],,AC-2,mitigates,6 +220,,T1222,File and Directory Permissions Modification,[],[],,AC-2,mitigates,6 +221,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-2,mitigates,6 +222,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-2,mitigates,6 +223,,T1484,Domain Policy Modification,[],[],,AC-2,mitigates,6 +224,,T1489,Service Stop,[],[],,AC-2,mitigates,6 
+225,,T1495,Firmware Corruption,[],[],,AC-2,mitigates,6 +226,,T1505,Server Software Component,[],[],,AC-2,mitigates,6 +227,,T1505.001,SQL Stored Procedures,[],[],,AC-2,mitigates,6 +228,,T1505.002,Transport Agent,[],[],,AC-2,mitigates,6 +229,,T1525,Implant Container Image,[],[],,AC-2,mitigates,6 +230,,T1528,Steal Application Access Token,[],[],,AC-2,mitigates,6 +231,,T1530,Data from Cloud Storage Object,[],[],,AC-2,mitigates,6 +232,,T1537,Transfer Data to Cloud Account,[],[],,AC-2,mitigates,6 +233,,T1538,Cloud Service Dashboard,[],[],,AC-2,mitigates,6 +234,,T1542,Pre-OS Boot,[],[],,AC-2,mitigates,6 +235,,T1542.001,System Firmware,[],[],,AC-2,mitigates,6 +236,,T1542.003,Bootkit,[],[],,AC-2,mitigates,6 +237,,T1542.005,TFTP Boot,[],[],,AC-2,mitigates,6 +238,,T1543,Create or Modify System Process,[],[],,AC-2,mitigates,6 +239,,T1543.001,Launch Agent,[],[],,AC-2,mitigates,6 +240,,T1543.002,Systemd Service,[],[],,AC-2,mitigates,6 +241,,T1543.003,Windows Service,[],[],,AC-2,mitigates,6 +242,,T1543.004,Launch Daemon,[],[],,AC-2,mitigates,6 +243,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-2,mitigates,6 +244,,T1547.004,Winlogon Helper DLL,[],[],,AC-2,mitigates,6 +245,,T1547.006,Kernel Modules and Extensions,[],[],,AC-2,mitigates,6 +246,,T1547.009,Shortcut Modification,[],[],,AC-2,mitigates,6 +247,,T1547.012,Print Processors,[],[],,AC-2,mitigates,6 +248,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-2,mitigates,6 +249,,T1548.002,Bypass User Account Control,[],[],,AC-2,mitigates,6 +250,,T1548.003,Sudo and Sudo Caching,[],[],,AC-2,mitigates,6 +251,,T1550,Use Alternate Authentication Material,[],[],,AC-2,mitigates,6 +252,,T1550.002,Pass the Hash,[],[],,AC-2,mitigates,6 +253,,T1550.003,Pass the Ticket,[],[],,AC-2,mitigates,6 +254,,T1552,Unsecured Credentials,[],[],,AC-2,mitigates,6 +255,,T1552.001,Credentials In Files,[],[],,AC-2,mitigates,6 +256,,T1552.002,Credentials in Registry,[],[],,AC-2,mitigates,6 +257,,T1552.004,Private 
Keys,[],[],,AC-2,mitigates,6 +258,,T1552.006,Group Policy Preferences,[],[],,AC-2,mitigates,6 +259,,T1556,Modify Authentication Process,[],[],,AC-2,mitigates,6 +260,,T1556.001,Domain Controller Authentication,[],[],,AC-2,mitigates,6 +261,,T1556.003,Pluggable Authentication Modules,[],[],,AC-2,mitigates,6 +262,,T1556.004,Network Device Authentication,[],[],,AC-2,mitigates,6 +263,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-2,mitigates,6 +264,,T1558.001,Golden Ticket,[],[],,AC-2,mitigates,6 +265,,T1558.002,Silver Ticket,[],[],,AC-2,mitigates,6 +266,,T1558.003,Kerberoasting,[],[],,AC-2,mitigates,6 +267,,T1558.004,AS-REP Roasting,[],[],,AC-2,mitigates,6 +268,,T1559,Inter-Process Communication,[],[],,AC-2,mitigates,6 +269,,T1559.001,Component Object Model,[],[],,AC-2,mitigates,6 +270,,T1562,Impair Defenses,[],[],,AC-2,mitigates,6 +271,,T1562.001,Disable or Modify Tools,[],[],,AC-2,mitigates,6 +272,,T1562.002,Disable Windows Event Logging,[],[],,AC-2,mitigates,6 +273,,T1562.004,Disable or Modify System Firewall,[],[],,AC-2,mitigates,6 +274,,T1562.006,Indicator Blocking,[],[],,AC-2,mitigates,6 +275,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-2,mitigates,6 +276,,T1562.008,Disable Cloud Logs,[],[],,AC-2,mitigates,6 +277,,T1563,Remote Service Session Hijacking,[],[],,AC-2,mitigates,6 +278,,T1563.001,SSH Hijacking,[],[],,AC-2,mitigates,6 +279,,T1563.002,RDP Hijacking,[],[],,AC-2,mitigates,6 +280,,T1569,System Services,[],[],,AC-2,mitigates,6 +281,,T1569.001,Launchctl,[],[],,AC-2,mitigates,6 +282,,T1569.002,Service Execution,[],[],,AC-2,mitigates,6 +283,,T1574,Hijack Execution Flow,[],[],,AC-2,mitigates,6 +284,,T1574.002,DLL Side-Loading,[],[],,AC-2,mitigates,6 +285,,T1574.004,Dylib Hijacking,[],[],,AC-2,mitigates,6 +286,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-2,mitigates,6 +287,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-2,mitigates,6 +288,,T1574.008,Path Interception by Search Order 
Hijacking,[],[],,AC-2,mitigates,6 +289,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-2,mitigates,6 +290,,T1574.010,Services File Permissions Weakness,[],[],,AC-2,mitigates,6 +291,,T1574.012,COR_PROFILER,[],[],,AC-2,mitigates,6 +292,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-2,mitigates,6 +293,,T1578.001,Create Snapshot,[],[],,AC-2,mitigates,6 +294,,T1578.002,Create Cloud Instance,[],[],,AC-2,mitigates,6 +295,,T1578.003,Delete Cloud Instance,[],[],,AC-2,mitigates,6 +296,,T1580,Cloud Infrastructure Discovery,[],[],,AC-2,mitigates,6 +297,,T1599,Network Boundary Bridging,[],[],,AC-2,mitigates,6 +298,,T1599.001,Network Address Translation Traversal,[],[],,AC-2,mitigates,6 +299,,T1601,Modify System Image,[],[],,AC-2,mitigates,6 +300,,T1601.001,Patch System Image,[],[],,AC-2,mitigates,6 +301,,T1601.002,Downgrade System Image,[],[],,AC-2,mitigates,6 +302,,T1020.001,Traffic Duplication,[],[],,AC-20,mitigates,6 +303,,T1021,Remote Services,[],[],,AC-20,mitigates,6 +304,,T1021.001,Remote Desktop Protocol,[],[],,AC-20,mitigates,6 +305,,T1021.004,SSH,[],[],,AC-20,mitigates,6 +306,,T1072,Software Deployment Tools,[],[],,AC-20,mitigates,6 +307,,T1078.002,Domain Accounts,[],[],,AC-20,mitigates,6 +308,,T1078.004,Cloud Accounts,[],[],,AC-20,mitigates,6 +309,,T1098.001,Additional Cloud Credentials,[],[],,AC-20,mitigates,6 +310,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-20,mitigates,6 +311,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-20,mitigates,6 +312,,T1110,Brute Force,[],[],,AC-20,mitigates,6 +313,,T1110.001,Password Guessing,[],[],,AC-20,mitigates,6 +314,,T1110.002,Password Cracking,[],[],,AC-20,mitigates,6 +315,,T1110.003,Password Spraying,[],[],,AC-20,mitigates,6 +316,,T1110.004,Credential Stuffing,[],[],,AC-20,mitigates,6 +317,,T1114,Email Collection,[],[],,AC-20,mitigates,6 +318,,T1114.001,Local Email Collection,[],[],,AC-20,mitigates,6 +319,,T1114.002,Remote Email Collection,[],[],,AC-20,mitigates,6 +320,,T1114.003,Email 
Forwarding Rule,[],[],,AC-20,mitigates,6 +321,,T1119,Automated Collection,[],[],,AC-20,mitigates,6 +322,,T1133,External Remote Services,[],[],,AC-20,mitigates,6 +323,,T1134.005,SID-History Injection,[],[],,AC-20,mitigates,6 +324,,T1136,Create Account,[],[],,AC-20,mitigates,6 +325,,T1136.001,Local Account,[],[],,AC-20,mitigates,6 +326,,T1136.002,Domain Account,[],[],,AC-20,mitigates,6 +327,,T1136.003,Cloud Account,[],[],,AC-20,mitigates,6 +328,,T1200,Hardware Additions,[],[],,AC-20,mitigates,6 +329,,T1530,Data from Cloud Storage Object,[],[],,AC-20,mitigates,6 +330,,T1537,Transfer Data to Cloud Account,[],[],,AC-20,mitigates,6 +331,,T1539,Steal Web Session Cookie,[],[],,AC-20,mitigates,6 +332,,T1550.001,Application Access Token,[],[],,AC-20,mitigates,6 +333,,T1552,Unsecured Credentials,[],[],,AC-20,mitigates,6 +334,,T1552.004,Private Keys,[],[],,AC-20,mitigates,6 +335,,T1552.005,Cloud Instance Metadata API,[],[],,AC-20,mitigates,6 +336,,T1556,Modify Authentication Process,[],[],,AC-20,mitigates,6 +337,,T1556.001,Domain Controller Authentication,[],[],,AC-20,mitigates,6 +338,,T1556.003,Pluggable Authentication Modules,[],[],,AC-20,mitigates,6 +339,,T1556.004,Network Device Authentication,[],[],,AC-20,mitigates,6 +340,,T1557,Man-in-the-Middle,[],[],,AC-20,mitigates,6 +341,,T1557.002,ARP Cache Poisoning,[],[],,AC-20,mitigates,6 +342,,T1565,Data Manipulation,[],[],,AC-20,mitigates,6 +343,,T1565.001,Stored Data Manipulation,[],[],,AC-20,mitigates,6 +344,,T1565.002,Transmitted Data Manipulation,[],[],,AC-20,mitigates,6 +345,,T1567,Exfiltration Over Web Service,[],[],,AC-20,mitigates,6 +346,,T1567.001,Exfiltration to Code Repository,[],[],,AC-20,mitigates,6 +347,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-20,mitigates,6 +348,,T1602,Data from Configuration Repository,[],[],,AC-20,mitigates,6 +349,,T1602.001,SNMP (MIB Dump),[],[],,AC-20,mitigates,6 +350,,T1602.002,Network Device Configuration Dump,[],[],,AC-20,mitigates,6 +351,,T1213,Data from Information 
Repositories,[],[],,AC-21,mitigates,6 +352,,T1213.001,Confluence,[],[],,AC-21,mitigates,6 +353,,T1213.002,Sharepoint,[],[],,AC-21,mitigates,6 +354,,T1133,External Remote Services,[],[],,AC-23,mitigates,6 +355,,T1213,Data from Information Repositories,[],[],,AC-23,mitigates,6 +356,,T1213.001,Confluence,[],[],,AC-23,mitigates,6 +357,,T1213.002,Sharepoint,[],[],,AC-23,mitigates,6 +358,,T1003,OS Credential Dumping,[],[],,AC-3,mitigates,6 +359,,T1003.001,LSASS Memory,[],[],,AC-3,mitigates,6 +360,,T1003.002,Security Account Manager,[],[],,AC-3,mitigates,6 +361,,T1003.003,NTDS,[],[],,AC-3,mitigates,6 +362,,T1003.004,LSA Secrets,[],[],,AC-3,mitigates,6 +363,,T1003.005,Cached Domain Credentials,[],[],,AC-3,mitigates,6 +364,,T1003.006,DCSync,[],[],,AC-3,mitigates,6 +365,,T1003.007,Proc Filesystem,[],[],,AC-3,mitigates,6 +366,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-3,mitigates,6 +367,,T1021,Remote Services,[],[],,AC-3,mitigates,6 +368,,T1021.001,Remote Desktop Protocol,[],[],,AC-3,mitigates,6 +369,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-3,mitigates,6 +370,,T1021.003,Distributed Component Object Model,[],[],,AC-3,mitigates,6 +371,,T1021.004,SSH,[],[],,AC-3,mitigates,6 +372,,T1021.005,VNC,[],[],,AC-3,mitigates,6 +373,,T1021.006,Windows Remote Management,[],[],,AC-3,mitigates,6 +374,,T1036,Masquerading,[],[],,AC-3,mitigates,6 +375,,T1036.003,Rename System Utilities,[],[],,AC-3,mitigates,6 +376,,T1036.005,Match Legitimate Name or Location,[],[],,AC-3,mitigates,6 +377,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-3,mitigates,6 +378,,T1037.002,Logon Script (Mac),[],[],,AC-3,mitigates,6 +379,,T1037.003,Network Logon Script,[],[],,AC-3,mitigates,6 +380,,T1037.004,Rc.common,[],[],,AC-3,mitigates,6 +381,,T1037.005,Startup Items,[],[],,AC-3,mitigates,6 +382,,T1047,Windows Management Instrumentation,[],[],,AC-3,mitigates,6 +383,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-3,mitigates,6 +384,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 
Protocol,[],[],,AC-3,mitigates,6 +385,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,6 +386,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-3,mitigates,6 +387,,T1052,Exfiltration Over Physical Medium,[],[],,AC-3,mitigates,6 +388,,T1052.001,Exfiltration over USB,[],[],,AC-3,mitigates,6 +389,,T1053,Scheduled Task/Job,[],[],,AC-3,mitigates,6 +390,,T1053.001,At (Linux),[],[],,AC-3,mitigates,6 +391,,T1053.002,At (Windows),[],[],,AC-3,mitigates,6 +392,,T1053.003,Cron,[],[],,AC-3,mitigates,6 +393,,T1053.004,Launchd,[],[],,AC-3,mitigates,6 +394,,T1053.005,Scheduled Task,[],[],,AC-3,mitigates,6 +395,,T1053.006,Systemd Timers,[],[],,AC-3,mitigates,6 +396,,T1055,Process Injection,[],[],,AC-3,mitigates,6 +397,,T1055.008,Ptrace System Calls,[],[],,AC-3,mitigates,6 +398,,T1055.009,Proc Memory,[],[],,AC-3,mitigates,6 +399,,T1056.003,Web Portal Capture,[],[],,AC-3,mitigates,6 +400,,T1059,Command and Scripting Interpreter,[],[],,AC-3,mitigates,6 +401,,T1059.001,PowerShell,[],[],,AC-3,mitigates,6 +402,,T1059.008,Network Device CLI,[],[],,AC-3,mitigates,6 +403,,T1070,Indicator Removal on Host,[],[],,AC-3,mitigates,6 +404,,T1070.001,Clear Windows Event Logs,[],[],,AC-3,mitigates,6 +405,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-3,mitigates,6 +406,,T1070.003,Clear Command History,[],[],,AC-3,mitigates,6 +407,,T1071.004,DNS,[],[],,AC-3,mitigates,6 +408,,T1072,Software Deployment Tools,[],[],,AC-3,mitigates,6 +409,,T1078,Valid Accounts,[],[],,AC-3,mitigates,6 +410,,T1078.002,Domain Accounts,[],[],,AC-3,mitigates,6 +411,,T1078.003,Local Accounts,[],[],,AC-3,mitigates,6 +412,,T1078.004,Cloud Accounts,[],[],,AC-3,mitigates,6 +413,,T1080,Taint Shared Content,[],[],,AC-3,mitigates,6 +414,,T1087.004,Cloud Account,[],[],,AC-3,mitigates,6 +415,,T1090,Proxy,[],[],,AC-3,mitigates,6 +416,,T1090.003,Multi-hop Proxy,[],[],,AC-3,mitigates,6 +417,,T1091,Replication Through Removable Media,[],[],,AC-3,mitigates,6 
+418,,T1095,Non-Application Layer Protocol,[],[],,AC-3,mitigates,6 +419,,T1098,Account Manipulation,[],[],,AC-3,mitigates,6 +420,,T1098.001,Additional Cloud Credentials,[],[],,AC-3,mitigates,6 +421,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-3,mitigates,6 +422,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-3,mitigates,6 +423,,T1098.004,SSH Authorized Keys,[],[],,AC-3,mitigates,6 +424,,T1110,Brute Force,[],[],,AC-3,mitigates,6 +425,,T1110.001,Password Guessing,[],[],,AC-3,mitigates,6 +426,,T1110.002,Password Cracking,[],[],,AC-3,mitigates,6 +427,,T1110.003,Password Spraying,[],[],,AC-3,mitigates,6 +428,,T1110.004,Credential Stuffing,[],[],,AC-3,mitigates,6 +429,,T1114,Email Collection,[],[],,AC-3,mitigates,6 +430,,T1114.002,Remote Email Collection,[],[],,AC-3,mitigates,6 +431,,T1133,External Remote Services,[],[],,AC-3,mitigates,6 +432,,T1134,Access Token Manipulation,[],[],,AC-3,mitigates,6 +433,,T1134.001,Token Impersonation/Theft,[],[],,AC-3,mitigates,6 +434,,T1134.002,Create Process with Token,[],[],,AC-3,mitigates,6 +435,,T1134.003,Make and Impersonate Token,[],[],,AC-3,mitigates,6 +436,,T1134.005,SID-History Injection,[],[],,AC-3,mitigates,6 +437,,T1136,Create Account,[],[],,AC-3,mitigates,6 +438,,T1136.001,Local Account,[],[],,AC-3,mitigates,6 +439,,T1136.002,Domain Account,[],[],,AC-3,mitigates,6 +440,,T1136.003,Cloud Account,[],[],,AC-3,mitigates,6 +441,,T1185,Man in the Browser,[],[],,AC-3,mitigates,6 +442,,T1187,Forced Authentication,[],[],,AC-3,mitigates,6 +443,,T1190,Exploit Public-Facing Application,[],[],,AC-3,mitigates,6 +444,,T1197,BITS Jobs,[],[],,AC-3,mitigates,6 +445,,T1199,Trusted Relationship,[],[],,AC-3,mitigates,6 +446,,T1200,Hardware Additions,[],[],,AC-3,mitigates,6 +447,,T1205,Traffic Signaling,[],[],,AC-3,mitigates,6 +448,,T1205.001,Port Knocking,[],[],,AC-3,mitigates,6 +449,,T1210,Exploitation of Remote Services,[],[],,AC-3,mitigates,6 +450,,T1213,Data from Information Repositories,[],[],,AC-3,mitigates,6 
+451,,T1213.001,Confluence,[],[],,AC-3,mitigates,6 +452,,T1213.002,Sharepoint,[],[],,AC-3,mitigates,6 +453,,T1218,Signed Binary Proxy Execution,[],[],,AC-3,mitigates,6 +454,,T1218.002,Control Panel,[],[],,AC-3,mitigates,6 +455,,T1218.007,Msiexec,[],[],,AC-3,mitigates,6 +456,,T1218.012,Verclsid,[],[],,AC-3,mitigates,6 +457,,T1219,Remote Access Software,[],[],,AC-3,mitigates,6 +458,,T1222,File and Directory Permissions Modification,[],[],,AC-3,mitigates,6 +459,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-3,mitigates,6 +460,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-3,mitigates,6 +461,,T1484,Domain Policy Modification,[],[],,AC-3,mitigates,6 +462,,T1485,Data Destruction,[],[],,AC-3,mitigates,6 +463,,T1486,Data Encrypted for Impact,[],[],,AC-3,mitigates,6 +464,,T1489,Service Stop,[],[],,AC-3,mitigates,6 +465,,T1490,Inhibit System Recovery,[],[],,AC-3,mitigates,6 +466,,T1491,Defacement,[],[],,AC-3,mitigates,6 +467,,T1491.001,Internal Defacement,[],[],,AC-3,mitigates,6 +468,,T1491.002,External Defacement,[],[],,AC-3,mitigates,6 +469,,T1495,Firmware Corruption,[],[],,AC-3,mitigates,6 +470,,T1498,Network Denial of Service,[],[],,AC-3,mitigates,6 +471,,T1498.001,Direct Network Flood,[],[],,AC-3,mitigates,6 +472,,T1498.002,Reflection Amplification,[],[],,AC-3,mitigates,6 +473,,T1499,Endpoint Denial of Service,[],[],,AC-3,mitigates,6 +474,,T1499.001,OS Exhaustion Flood,[],[],,AC-3,mitigates,6 +475,,T1499.002,Service Exhaustion Flood,[],[],,AC-3,mitigates,6 +476,,T1499.003,Application Exhaustion Flood,[],[],,AC-3,mitigates,6 +477,,T1499.004,Application or System Exploitation,[],[],,AC-3,mitigates,6 +478,,T1505,Server Software Component,[],[],,AC-3,mitigates,6 +479,,T1505.001,SQL Stored Procedures,[],[],,AC-3,mitigates,6 +480,,T1505.002,Transport Agent,[],[],,AC-3,mitigates,6 +481,,T1525,Implant Container Image,[],[],,AC-3,mitigates,6 +482,,T1528,Steal Application Access Token,[],[],,AC-3,mitigates,6 
+483,,T1530,Data from Cloud Storage Object,[],[],,AC-3,mitigates,6 +484,,T1537,Transfer Data to Cloud Account,[],[],,AC-3,mitigates,6 +485,,T1538,Cloud Service Dashboard,[],[],,AC-3,mitigates,6 +486,,T1539,Steal Web Session Cookie,[],[],,AC-3,mitigates,6 +487,,T1542,Pre-OS Boot,[],[],,AC-3,mitigates,6 +488,,T1542.001,System Firmware,[],[],,AC-3,mitigates,6 +489,,T1542.003,Bootkit,[],[],,AC-3,mitigates,6 +490,,T1542.004,ROMMONkit,[],[],,AC-3,mitigates,6 +491,,T1542.005,TFTP Boot,[],[],,AC-3,mitigates,6 +492,,T1543,Create or Modify System Process,[],[],,AC-3,mitigates,6 +493,,T1543.001,Launch Agent,[],[],,AC-3,mitigates,6 +494,,T1543.002,Systemd Service,[],[],,AC-3,mitigates,6 +495,,T1543.003,Windows Service,[],[],,AC-3,mitigates,6 +496,,T1543.004,Launch Daemon,[],[],,AC-3,mitigates,6 +497,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-3,mitigates,6 +498,,T1546.004,.bash_profile and .bashrc,[],[],,AC-3,mitigates,6 +499,,T1546.013,PowerShell Profile,[],[],,AC-3,mitigates,6 +500,,T1547.003,Time Providers,[],[],,AC-3,mitigates,6 +501,,T1547.004,Winlogon Helper DLL,[],[],,AC-3,mitigates,6 +502,,T1547.006,Kernel Modules and Extensions,[],[],,AC-3,mitigates,6 +503,,T1547.007,Re-opened Applications,[],[],,AC-3,mitigates,6 +504,,T1547.009,Shortcut Modification,[],[],,AC-3,mitigates,6 +505,,T1547.011,Plist Modification,[],[],,AC-3,mitigates,6 +506,,T1547.012,Print Processors,[],[],,AC-3,mitigates,6 +507,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-3,mitigates,6 +508,,T1548.002,Bypass User Account Control,[],[],,AC-3,mitigates,6 +509,,T1548.003,Sudo and Sudo Caching,[],[],,AC-3,mitigates,6 +510,,T1550,Use Alternate Authentication Material,[],[],,AC-3,mitigates,6 +511,,T1550.002,Pass the Hash,[],[],,AC-3,mitigates,6 +512,,T1550.003,Pass the Ticket,[],[],,AC-3,mitigates,6 +513,,T1552,Unsecured Credentials,[],[],,AC-3,mitigates,6 +514,,T1552.002,Credentials in Registry,[],[],,AC-3,mitigates,6 +515,,T1552.005,Cloud Instance Metadata 
API,[],[],,AC-3,mitigates,6 +516,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-3,mitigates,6 +517,,T1556,Modify Authentication Process,[],[],,AC-3,mitigates,6 +518,,T1556.001,Domain Controller Authentication,[],[],,AC-3,mitigates,6 +519,,T1556.003,Pluggable Authentication Modules,[],[],,AC-3,mitigates,6 +520,,T1556.004,Network Device Authentication,[],[],,AC-3,mitigates,6 +521,,T1557,Man-in-the-Middle,[],[],,AC-3,mitigates,6 +522,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-3,mitigates,6 +523,,T1557.002,ARP Cache Poisoning,[],[],,AC-3,mitigates,6 +524,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-3,mitigates,6 +525,,T1558.001,Golden Ticket,[],[],,AC-3,mitigates,6 +526,,T1558.002,Silver Ticket,[],[],,AC-3,mitigates,6 +527,,T1558.003,Kerberoasting,[],[],,AC-3,mitigates,6 +528,,T1558.004,AS-REP Roasting,[],[],,AC-3,mitigates,6 +529,,T1559,Inter-Process Communication,[],[],,AC-3,mitigates,6 +530,,T1559.001,Component Object Model,[],[],,AC-3,mitigates,6 +531,,T1561,Disk Wipe,[],[],,AC-3,mitigates,6 +532,,T1561.001,Disk Content Wipe,[],[],,AC-3,mitigates,6 +533,,T1561.002,Disk Structure Wipe,[],[],,AC-3,mitigates,6 +534,,T1562,Impair Defenses,[],[],,AC-3,mitigates,6 +535,,T1562.001,Disable or Modify Tools,[],[],,AC-3,mitigates,6 +536,,T1562.002,Disable Windows Event Logging,[],[],,AC-3,mitigates,6 +537,,T1562.004,Disable or Modify System Firewall,[],[],,AC-3,mitigates,6 +538,,T1562.006,Indicator Blocking,[],[],,AC-3,mitigates,6 +539,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-3,mitigates,6 +540,,T1562.008,Disable Cloud Logs,[],[],,AC-3,mitigates,6 +541,,T1563,Remote Service Session Hijacking,[],[],,AC-3,mitigates,6 +542,,T1563.001,SSH Hijacking,[],[],,AC-3,mitigates,6 +543,,T1563.002,RDP Hijacking,[],[],,AC-3,mitigates,6 +544,,T1564.004,NTFS File Attributes,[],[],,AC-3,mitigates,6 +545,,T1565,Data Manipulation,[],[],,AC-3,mitigates,6 +546,,T1565.001,Stored Data Manipulation,[],[],,AC-3,mitigates,6 +547,,T1565.003,Runtime Data 
Manipulation,[],[],,AC-3,mitigates,6 +548,,T1569,System Services,[],[],,AC-3,mitigates,6 +549,,T1569.001,Launchctl,[],[],,AC-3,mitigates,6 +550,,T1569.002,Service Execution,[],[],,AC-3,mitigates,6 +551,,T1570,Lateral Tool Transfer,[],[],,AC-3,mitigates,6 +552,,T1572,Protocol Tunneling,[],[],,AC-3,mitigates,6 +553,,T1574,Hijack Execution Flow,[],[],,AC-3,mitigates,6 +554,,T1574.002,DLL Side-Loading,[],[],,AC-3,mitigates,6 +555,,T1574.004,Dylib Hijacking,[],[],,AC-3,mitigates,6 +556,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-3,mitigates,6 +557,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-3,mitigates,6 +558,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-3,mitigates,6 +559,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-3,mitigates,6 +560,,T1574.010,Services File Permissions Weakness,[],[],,AC-3,mitigates,6 +561,,T1574.012,COR_PROFILER,[],[],,AC-3,mitigates,6 +562,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-3,mitigates,6 +563,,T1578.001,Create Snapshot,[],[],,AC-3,mitigates,6 +564,,T1578.002,Create Cloud Instance,[],[],,AC-3,mitigates,6 +565,,T1578.003,Delete Cloud Instance,[],[],,AC-3,mitigates,6 +566,,T1580,Cloud Infrastructure Discovery,[],[],,AC-3,mitigates,6 +567,,T1599,Network Boundary Bridging,[],[],,AC-3,mitigates,6 +568,,T1599.001,Network Address Translation Traversal,[],[],,AC-3,mitigates,6 +569,,T1601,Modify System Image,[],[],,AC-3,mitigates,6 +570,,T1601.001,Patch System Image,[],[],,AC-3,mitigates,6 +571,,T1601.002,Downgrade System Image,[],[],,AC-3,mitigates,6 +572,,T1602,Data from Configuration Repository,[],[],,AC-3,mitigates,6 +573,,T1602.001,SNMP (MIB Dump),[],[],,AC-3,mitigates,6 +574,,T1602.002,Network Device Configuration Dump,[],[],,AC-3,mitigates,6 +575,,T1001,Data Obfuscation,[],[],,AC-4,mitigates,6 +576,,T1001.001,Junk Data,[],[],,AC-4,mitigates,6 +577,,T1001.002,Steganography,[],[],,AC-4,mitigates,6 +578,,T1001.003,Protocol Impersonation,[],[],,AC-4,mitigates,6 
+579,,T1003,OS Credential Dumping,[],[],,AC-4,mitigates,6 +580,,T1003.001,LSASS Memory,[],[],,AC-4,mitigates,6 +581,,T1003.005,Cached Domain Credentials,[],[],,AC-4,mitigates,6 +582,,T1003.006,DCSync,[],[],,AC-4,mitigates,6 +583,,T1008,Fallback Channels,[],[],,AC-4,mitigates,6 +584,,T1021.001,Remote Desktop Protocol,[],[],,AC-4,mitigates,6 +585,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-4,mitigates,6 +586,,T1021.003,Distributed Component Object Model,[],[],,AC-4,mitigates,6 +587,,T1021.005,VNC,[],[],,AC-4,mitigates,6 +588,,T1021.006,Windows Remote Management,[],[],,AC-4,mitigates,6 +589,,T1029,Scheduled Transfer,[],[],,AC-4,mitigates,6 +590,,T1030,Data Transfer Size Limits,[],[],,AC-4,mitigates,6 +591,,T1041,Exfiltration Over C2 Channel,[],[],,AC-4,mitigates,6 +592,,T1046,Network Service Scanning,[],[],,AC-4,mitigates,6 +593,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-4,mitigates,6 +594,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,6 +595,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,6 +596,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-4,mitigates,6 +597,,T1068,Exploitation for Privilege Escalation,[],[],,AC-4,mitigates,6 +598,,T1071,Application Layer Protocol,[],[],,AC-4,mitigates,6 +599,,T1071.001,Web Protocols,[],[],,AC-4,mitigates,6 +600,,T1071.002,File Transfer Protocols,[],[],,AC-4,mitigates,6 +601,,T1071.003,Mail Protocols,[],[],,AC-4,mitigates,6 +602,,T1071.004,DNS,[],[],,AC-4,mitigates,6 +603,,T1072,Software Deployment Tools,[],[],,AC-4,mitigates,6 +604,,T1090,Proxy,[],[],,AC-4,mitigates,6 +605,,T1090.001,Internal Proxy,[],[],,AC-4,mitigates,6 +606,,T1090.002,External Proxy,[],[],,AC-4,mitigates,6 +607,,T1090.003,Multi-hop Proxy,[],[],,AC-4,mitigates,6 +608,,T1095,Non-Application Layer Protocol,[],[],,AC-4,mitigates,6 +609,,T1098,Account Manipulation,[],[],,AC-4,mitigates,6 +610,,T1098.001,Additional Cloud 
Credentials,[],[],,AC-4,mitigates,6 +611,,T1102,Web Service,[],[],,AC-4,mitigates,6 +612,,T1102.001,Dead Drop Resolver,[],[],,AC-4,mitigates,6 +613,,T1102.002,Bidirectional Communication,[],[],,AC-4,mitigates,6 +614,,T1102.003,One-Way Communication,[],[],,AC-4,mitigates,6 +615,,T1104,Multi-Stage Channels,[],[],,AC-4,mitigates,6 +616,,T1105,Ingress Tool Transfer,[],[],,AC-4,mitigates,6 +617,,T1114,Email Collection,[],[],,AC-4,mitigates,6 +618,,T1114.001,Local Email Collection,[],[],,AC-4,mitigates,6 +619,,T1114.002,Remote Email Collection,[],[],,AC-4,mitigates,6 +620,,T1114.003,Email Forwarding Rule,[],[],,AC-4,mitigates,6 +621,,T1132,Data Encoding,[],[],,AC-4,mitigates,6 +622,,T1132.001,Standard Encoding,[],[],,AC-4,mitigates,6 +623,,T1132.002,Non-Standard Encoding,[],[],,AC-4,mitigates,6 +624,,T1133,External Remote Services,[],[],,AC-4,mitigates,6 +625,,T1134.005,SID-History Injection,[],[],,AC-4,mitigates,6 +626,,T1136,Create Account,[],[],,AC-4,mitigates,6 +627,,T1136.002,Domain Account,[],[],,AC-4,mitigates,6 +628,,T1136.003,Cloud Account,[],[],,AC-4,mitigates,6 +629,,T1187,Forced Authentication,[],[],,AC-4,mitigates,6 +630,,T1189,Drive-by Compromise,[],[],,AC-4,mitigates,6 +631,,T1190,Exploit Public-Facing Application,[],[],,AC-4,mitigates,6 +632,,T1197,BITS Jobs,[],[],,AC-4,mitigates,6 +633,,T1199,Trusted Relationship,[],[],,AC-4,mitigates,6 +634,,T1203,Exploitation for Client Execution,[],[],,AC-4,mitigates,6 +635,,T1204,User Execution,[],[],,AC-4,mitigates,6 +636,,T1204.001,Malicious Link,[],[],,AC-4,mitigates,6 +637,,T1204.002,Malicious File,[],[],,AC-4,mitigates,6 +638,,T1205,Traffic Signaling,[],[],,AC-4,mitigates,6 +639,,T1205.001,Port Knocking,[],[],,AC-4,mitigates,6 +640,,T1210,Exploitation of Remote Services,[],[],,AC-4,mitigates,6 +641,,T1211,Exploitation for Defense Evasion,[],[],,AC-4,mitigates,6 +642,,T1212,Exploitation for Credential Access,[],[],,AC-4,mitigates,6 +643,,T1213,Data from Information Repositories,[],[],,AC-4,mitigates,6 
+644,,T1213.001,Confluence,[],[],,AC-4,mitigates,6 +645,,T1213.002,Sharepoint,[],[],,AC-4,mitigates,6 +646,,T1218.012,Verclsid,[],[],,AC-4,mitigates,6 +647,,T1219,Remote Access Software,[],[],,AC-4,mitigates,6 +648,,T1482,Domain Trust Discovery,[],[],,AC-4,mitigates,6 +649,,T1484,Domain Policy Modification,[],[],,AC-4,mitigates,6 +650,,T1489,Service Stop,[],[],,AC-4,mitigates,6 +651,,T1498,Network Denial of Service,[],[],,AC-4,mitigates,6 +652,,T1498.001,Direct Network Flood,[],[],,AC-4,mitigates,6 +653,,T1498.002,Reflection Amplification,[],[],,AC-4,mitigates,6 +654,,T1499,Endpoint Denial of Service,[],[],,AC-4,mitigates,6 +655,,T1499.001,OS Exhaustion Flood,[],[],,AC-4,mitigates,6 +656,,T1499.002,Service Exhaustion Flood,[],[],,AC-4,mitigates,6 +657,,T1499.003,Application Exhaustion Flood,[],[],,AC-4,mitigates,6 +658,,T1499.004,Application or System Exploitation,[],[],,AC-4,mitigates,6 +659,,T1528,Steal Application Access Token,[],[],,AC-4,mitigates,6 +660,,T1530,Data from Cloud Storage Object,[],[],,AC-4,mitigates,6 +661,,T1537,Transfer Data to Cloud Account,[],[],,AC-4,mitigates,6 +662,,T1547.003,Time Providers,[],[],,AC-4,mitigates,6 +663,,T1552,Unsecured Credentials,[],[],,AC-4,mitigates,6 +664,,T1552.001,Credentials In Files,[],[],,AC-4,mitigates,6 +665,,T1552.005,Cloud Instance Metadata API,[],[],,AC-4,mitigates,6 +666,,T1557,Man-in-the-Middle,[],[],,AC-4,mitigates,6 +667,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-4,mitigates,6 +668,,T1557.002,ARP Cache Poisoning,[],[],,AC-4,mitigates,6 +669,,T1559,Inter-Process Communication,[],[],,AC-4,mitigates,6 +670,,T1559.001,Component Object Model,[],[],,AC-4,mitigates,6 +671,,T1559.002,Dynamic Data Exchange,[],[],,AC-4,mitigates,6 +672,,T1563,Remote Service Session Hijacking,[],[],,AC-4,mitigates,6 +673,,T1563.002,RDP Hijacking,[],[],,AC-4,mitigates,6 +674,,T1565,Data Manipulation,[],[],,AC-4,mitigates,6 +675,,T1565.003,Runtime Data Manipulation,[],[],,AC-4,mitigates,6 
+676,,T1566,Phishing,[],[],,AC-4,mitigates,6 +677,,T1566.001,Spearphishing Attachment,[],[],,AC-4,mitigates,6 +678,,T1566.002,Spearphishing Link,[],[],,AC-4,mitigates,6 +679,,T1566.003,Spearphishing via Service,[],[],,AC-4,mitigates,6 +680,,T1567,Exfiltration Over Web Service,[],[],,AC-4,mitigates,6 +681,,T1567.001,Exfiltration to Code Repository,[],[],,AC-4,mitigates,6 +682,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-4,mitigates,6 +683,,T1568,Dynamic Resolution,[],[],,AC-4,mitigates,6 +684,,T1568.002,Domain Generation Algorithms,[],[],,AC-4,mitigates,6 +685,,T1570,Lateral Tool Transfer,[],[],,AC-4,mitigates,6 +686,,T1571,Non-Standard Port,[],[],,AC-4,mitigates,6 +687,,T1572,Protocol Tunneling,[],[],,AC-4,mitigates,6 +688,,T1573,Encrypted Channel,[],[],,AC-4,mitigates,6 +689,,T1573.001,Symmetric Cryptography,[],[],,AC-4,mitigates,6 +690,,T1573.002,Asymmetric Cryptography,[],[],,AC-4,mitigates,6 +691,,T1574,Hijack Execution Flow,[],[],,AC-4,mitigates,6 +692,,T1574.002,DLL Side-Loading,[],[],,AC-4,mitigates,6 +693,,T1574.004,Dylib Hijacking,[],[],,AC-4,mitigates,6 +694,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-4,mitigates,6 +695,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-4,mitigates,6 +696,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-4,mitigates,6 +697,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-4,mitigates,6 +698,,T1574.010,Services File Permissions Weakness,[],[],,AC-4,mitigates,6 +699,,T1598,Phishing for Information,[],[],,AC-4,mitigates,6 +700,,T1598.001,Spearphishing Service,[],[],,AC-4,mitigates,6 +701,,T1598.002,Spearphishing Attachment,[],[],,AC-4,mitigates,6 +702,,T1598.003,Spearphishing Link,[],[],,AC-4,mitigates,6 +703,,T1599,Network Boundary Bridging,[],[],,AC-4,mitigates,6 +704,,T1599.001,Network Address Translation Traversal,[],[],,AC-4,mitigates,6 +705,,T1601,Modify System Image,[],[],,AC-4,mitigates,6 +706,,T1601.001,Patch System Image,[],[],,AC-4,mitigates,6 
+707,,T1601.002,Downgrade System Image,[],[],,AC-4,mitigates,6 +708,,T1602,Data from Configuration Repository,[],[],,AC-4,mitigates,6 +709,,T1602.001,SNMP (MIB Dump),[],[],,AC-4,mitigates,6 +710,,T1602.002,Network Device Configuration Dump,[],[],,AC-4,mitigates,6 +711,,T1003,OS Credential Dumping,[],[],,AC-5,mitigates,6 +712,,T1003.001,LSASS Memory,[],[],,AC-5,mitigates,6 +713,,T1003.002,Security Account Manager,[],[],,AC-5,mitigates,6 +714,,T1003.003,NTDS,[],[],,AC-5,mitigates,6 +715,,T1003.004,LSA Secrets,[],[],,AC-5,mitigates,6 +716,,T1003.005,Cached Domain Credentials,[],[],,AC-5,mitigates,6 +717,,T1003.006,DCSync,[],[],,AC-5,mitigates,6 +718,,T1003.007,Proc Filesystem,[],[],,AC-5,mitigates,6 +719,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-5,mitigates,6 +720,,T1021,Remote Services,[],[],,AC-5,mitigates,6 +721,,T1021.001,Remote Desktop Protocol,[],[],,AC-5,mitigates,6 +722,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-5,mitigates,6 +723,,T1021.003,Distributed Component Object Model,[],[],,AC-5,mitigates,6 +724,,T1021.004,SSH,[],[],,AC-5,mitigates,6 +725,,T1021.006,Windows Remote Management,[],[],,AC-5,mitigates,6 +726,,T1047,Windows Management Instrumentation,[],[],,AC-5,mitigates,6 +727,,T1053,Scheduled Task/Job,[],[],,AC-5,mitigates,6 +728,,T1053.001,At (Linux),[],[],,AC-5,mitigates,6 +729,,T1053.002,At (Windows),[],[],,AC-5,mitigates,6 +730,,T1053.003,Cron,[],[],,AC-5,mitigates,6 +731,,T1053.004,Launchd,[],[],,AC-5,mitigates,6 +732,,T1053.005,Scheduled Task,[],[],,AC-5,mitigates,6 +733,,T1053.006,Systemd Timers,[],[],,AC-5,mitigates,6 +734,,T1055,Process Injection,[],[],,AC-5,mitigates,6 +735,,T1055.008,Ptrace System Calls,[],[],,AC-5,mitigates,6 +736,,T1056.003,Web Portal Capture,[],[],,AC-5,mitigates,6 +737,,T1059,Command and Scripting Interpreter,[],[],,AC-5,mitigates,6 +738,,T1059.001,PowerShell,[],[],,AC-5,mitigates,6 +739,,T1059.008,Network Device CLI,[],[],,AC-5,mitigates,6 +740,,T1070,Indicator Removal on Host,[],[],,AC-5,mitigates,6 
+741,,T1070.001,Clear Windows Event Logs,[],[],,AC-5,mitigates,6 +742,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-5,mitigates,6 +743,,T1070.003,Clear Command History,[],[],,AC-5,mitigates,6 +744,,T1072,Software Deployment Tools,[],[],,AC-5,mitigates,6 +745,,T1078,Valid Accounts,[],[],,AC-5,mitigates,6 +746,,T1078.001,Default Accounts,[],[],,AC-5,mitigates,6 +747,,T1078.002,Domain Accounts,[],[],,AC-5,mitigates,6 +748,,T1078.003,Local Accounts,[],[],,AC-5,mitigates,6 +749,,T1078.004,Cloud Accounts,[],[],,AC-5,mitigates,6 +750,,T1087.004,Cloud Account,[],[],,AC-5,mitigates,6 +751,,T1098,Account Manipulation,[],[],,AC-5,mitigates,6 +752,,T1098.001,Additional Cloud Credentials,[],[],,AC-5,mitigates,6 +753,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-5,mitigates,6 +754,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-5,mitigates,6 +755,,T1110,Brute Force,[],[],,AC-5,mitigates,6 +756,,T1110.001,Password Guessing,[],[],,AC-5,mitigates,6 +757,,T1110.002,Password Cracking,[],[],,AC-5,mitigates,6 +758,,T1110.003,Password Spraying,[],[],,AC-5,mitigates,6 +759,,T1110.004,Credential Stuffing,[],[],,AC-5,mitigates,6 +760,,T1134,Access Token Manipulation,[],[],,AC-5,mitigates,6 +761,,T1134.001,Token Impersonation/Theft,[],[],,AC-5,mitigates,6 +762,,T1134.002,Create Process with Token,[],[],,AC-5,mitigates,6 +763,,T1134.003,Make and Impersonate Token,[],[],,AC-5,mitigates,6 +764,,T1134.005,SID-History Injection,[],[],,AC-5,mitigates,6 +765,,T1136,Create Account,[],[],,AC-5,mitigates,6 +766,,T1136.001,Local Account,[],[],,AC-5,mitigates,6 +767,,T1136.002,Domain Account,[],[],,AC-5,mitigates,6 +768,,T1136.003,Cloud Account,[],[],,AC-5,mitigates,6 +769,,T1185,Man in the Browser,[],[],,AC-5,mitigates,6 +770,,T1190,Exploit Public-Facing Application,[],[],,AC-5,mitigates,6 +771,,T1197,BITS Jobs,[],[],,AC-5,mitigates,6 +772,,T1210,Exploitation of Remote Services,[],[],,AC-5,mitigates,6 +773,,T1213,Data from Information Repositories,[],[],,AC-5,mitigates,6 
+774,,T1213.001,Confluence,[],[],,AC-5,mitigates,6 +775,,T1213.002,Sharepoint,[],[],,AC-5,mitigates,6 +776,,T1218,Signed Binary Proxy Execution,[],[],,AC-5,mitigates,6 +777,,T1218.007,Msiexec,[],[],,AC-5,mitigates,6 +778,,T1222,File and Directory Permissions Modification,[],[],,AC-5,mitigates,6 +779,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-5,mitigates,6 +780,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-5,mitigates,6 +781,,T1484,Domain Policy Modification,[],[],,AC-5,mitigates,6 +782,,T1489,Service Stop,[],[],,AC-5,mitigates,6 +783,,T1495,Firmware Corruption,[],[],,AC-5,mitigates,6 +784,,T1505,Server Software Component,[],[],,AC-5,mitigates,6 +785,,T1505.001,SQL Stored Procedures,[],[],,AC-5,mitigates,6 +786,,T1505.002,Transport Agent,[],[],,AC-5,mitigates,6 +787,,T1525,Implant Container Image,[],[],,AC-5,mitigates,6 +788,,T1528,Steal Application Access Token,[],[],,AC-5,mitigates,6 +789,,T1530,Data from Cloud Storage Object,[],[],,AC-5,mitigates,6 +790,,T1537,Transfer Data to Cloud Account,[],[],,AC-5,mitigates,6 +791,,T1538,Cloud Service Dashboard,[],[],,AC-5,mitigates,6 +792,,T1542,Pre-OS Boot,[],[],,AC-5,mitigates,6 +793,,T1542.001,System Firmware,[],[],,AC-5,mitigates,6 +794,,T1542.003,Bootkit,[],[],,AC-5,mitigates,6 +795,,T1542.005,TFTP Boot,[],[],,AC-5,mitigates,6 +796,,T1543,Create or Modify System Process,[],[],,AC-5,mitigates,6 +797,,T1543.001,Launch Agent,[],[],,AC-5,mitigates,6 +798,,T1543.002,Systemd Service,[],[],,AC-5,mitigates,6 +799,,T1543.003,Windows Service,[],[],,AC-5,mitigates,6 +800,,T1543.004,Launch Daemon,[],[],,AC-5,mitigates,6 +801,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-5,mitigates,6 +802,,T1547.004,Winlogon Helper DLL,[],[],,AC-5,mitigates,6 +803,,T1547.006,Kernel Modules and Extensions,[],[],,AC-5,mitigates,6 +804,,T1547.009,Shortcut Modification,[],[],,AC-5,mitigates,6 +805,,T1547.012,Print Processors,[],[],,AC-5,mitigates,6 
+806,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-5,mitigates,6 +807,,T1548.002,Bypass User Account Control,[],[],,AC-5,mitigates,6 +808,,T1548.003,Sudo and Sudo Caching,[],[],,AC-5,mitigates,6 +809,,T1550,Use Alternate Authentication Material,[],[],,AC-5,mitigates,6 +810,,T1550.002,Pass the Hash,[],[],,AC-5,mitigates,6 +811,,T1550.003,Pass the Ticket,[],[],,AC-5,mitigates,6 +812,,T1552,Unsecured Credentials,[],[],,AC-5,mitigates,6 +813,,T1552.001,Credentials In Files,[],[],,AC-5,mitigates,6 +814,,T1552.002,Credentials in Registry,[],[],,AC-5,mitigates,6 +815,,T1552.006,Group Policy Preferences,[],[],,AC-5,mitigates,6 +816,,T1556,Modify Authentication Process,[],[],,AC-5,mitigates,6 +817,,T1556.001,Domain Controller Authentication,[],[],,AC-5,mitigates,6 +818,,T1556.003,Pluggable Authentication Modules,[],[],,AC-5,mitigates,6 +819,,T1556.004,Network Device Authentication,[],[],,AC-5,mitigates,6 +820,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-5,mitigates,6 +821,,T1558.001,Golden Ticket,[],[],,AC-5,mitigates,6 +822,,T1558.002,Silver Ticket,[],[],,AC-5,mitigates,6 +823,,T1558.003,Kerberoasting,[],[],,AC-5,mitigates,6 +824,,T1559,Inter-Process Communication,[],[],,AC-5,mitigates,6 +825,,T1559.001,Component Object Model,[],[],,AC-5,mitigates,6 +826,,T1562,Impair Defenses,[],[],,AC-5,mitigates,6 +827,,T1562.001,Disable or Modify Tools,[],[],,AC-5,mitigates,6 +828,,T1562.002,Disable Windows Event Logging,[],[],,AC-5,mitigates,6 +829,,T1562.004,Disable or Modify System Firewall,[],[],,AC-5,mitigates,6 +830,,T1562.006,Indicator Blocking,[],[],,AC-5,mitigates,6 +831,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-5,mitigates,6 +832,,T1562.008,Disable Cloud Logs,[],[],,AC-5,mitigates,6 +833,,T1563,Remote Service Session Hijacking,[],[],,AC-5,mitigates,6 +834,,T1563.001,SSH Hijacking,[],[],,AC-5,mitigates,6 +835,,T1563.002,RDP Hijacking,[],[],,AC-5,mitigates,6 +836,,T1569,System Services,[],[],,AC-5,mitigates,6 
+837,,T1569.001,Launchctl,[],[],,AC-5,mitigates,6 +838,,T1569.002,Service Execution,[],[],,AC-5,mitigates,6 +839,,T1574,Hijack Execution Flow,[],[],,AC-5,mitigates,6 +840,,T1574.002,DLL Side-Loading,[],[],,AC-5,mitigates,6 +841,,T1574.004,Dylib Hijacking,[],[],,AC-5,mitigates,6 +842,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-5,mitigates,6 +843,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-5,mitigates,6 +844,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-5,mitigates,6 +845,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-5,mitigates,6 +846,,T1574.010,Services File Permissions Weakness,[],[],,AC-5,mitigates,6 +847,,T1574.012,COR_PROFILER,[],[],,AC-5,mitigates,6 +848,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-5,mitigates,6 +849,,T1578.001,Create Snapshot,[],[],,AC-5,mitigates,6 +850,,T1578.002,Create Cloud Instance,[],[],,AC-5,mitigates,6 +851,,T1578.003,Delete Cloud Instance,[],[],,AC-5,mitigates,6 +852,,T1580,Cloud Infrastructure Discovery,[],[],,AC-5,mitigates,6 +853,,T1599,Network Boundary Bridging,[],[],,AC-5,mitigates,6 +854,,T1599.001,Network Address Translation Traversal,[],[],,AC-5,mitigates,6 +855,,T1601,Modify System Image,[],[],,AC-5,mitigates,6 +856,,T1601.001,Patch System Image,[],[],,AC-5,mitigates,6 +857,,T1601.002,Downgrade System Image,[],[],,AC-5,mitigates,6 +858,,T1003,OS Credential Dumping,[],[],,AC-6,mitigates,6 +859,,T1003.001,LSASS Memory,[],[],,AC-6,mitigates,6 +860,,T1003.002,Security Account Manager,[],[],,AC-6,mitigates,6 +861,,T1003.003,NTDS,[],[],,AC-6,mitigates,6 +862,,T1003.004,LSA Secrets,[],[],,AC-6,mitigates,6 +863,,T1003.005,Cached Domain Credentials,[],[],,AC-6,mitigates,6 +864,,T1003.006,DCSync,[],[],,AC-6,mitigates,6 +865,,T1003.007,Proc Filesystem,[],[],,AC-6,mitigates,6 +866,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-6,mitigates,6 +867,,T1021,Remote Services,[],[],,AC-6,mitigates,6 +868,,T1021.001,Remote Desktop 
Protocol,[],[],,AC-6,mitigates,6 +869,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-6,mitigates,6 +870,,T1021.003,Distributed Component Object Model,[],[],,AC-6,mitigates,6 +871,,T1021.004,SSH,[],[],,AC-6,mitigates,6 +872,,T1021.005,VNC,[],[],,AC-6,mitigates,6 +873,,T1021.006,Windows Remote Management,[],[],,AC-6,mitigates,6 +874,,T1036,Masquerading,[],[],,AC-6,mitigates,6 +875,,T1036.003,Rename System Utilities,[],[],,AC-6,mitigates,6 +876,,T1036.005,Match Legitimate Name or Location,[],[],,AC-6,mitigates,6 +877,,T1047,Windows Management Instrumentation,[],[],,AC-6,mitigates,6 +878,,T1052,Exfiltration Over Physical Medium,[],[],,AC-6,mitigates,6 +879,,T1052.001,Exfiltration over USB,[],[],,AC-6,mitigates,6 +880,,T1053,Scheduled Task/Job,[],[],,AC-6,mitigates,6 +881,,T1053.001,At (Linux),[],[],,AC-6,mitigates,6 +882,,T1053.002,At (Windows),[],[],,AC-6,mitigates,6 +883,,T1053.003,Cron,[],[],,AC-6,mitigates,6 +884,,T1053.004,Launchd,[],[],,AC-6,mitigates,6 +885,,T1053.005,Scheduled Task,[],[],,AC-6,mitigates,6 +886,,T1053.006,Systemd Timers,[],[],,AC-6,mitigates,6 +887,,T1055,Process Injection,[],[],,AC-6,mitigates,6 +888,,T1055.001,Dynamic-link Library Injection,[],[],,AC-6,mitigates,6 +889,,T1055.002,Portable Executable Injection,[],[],,AC-6,mitigates,6 +890,,T1055.003,Thread Execution Hijacking,[],[],,AC-6,mitigates,6 +891,,T1055.004,Asynchronous Procedure Call,[],[],,AC-6,mitigates,6 +892,,T1055.005,Thread Local Storage,[],[],,AC-6,mitigates,6 +893,,T1055.008,Ptrace System Calls,[],[],,AC-6,mitigates,6 +894,,T1055.009,Proc Memory,[],[],,AC-6,mitigates,6 +895,,T1055.011,Extra Window Memory Injection,[],[],,AC-6,mitigates,6 +896,,T1055.012,Process Hollowing,[],[],,AC-6,mitigates,6 +897,,T1055.013,Process Doppelgänging,[],[],,AC-6,mitigates,6 +898,,T1055.014,VDSO Hijacking,[],[],,AC-6,mitigates,6 +899,,T1056.003,Web Portal Capture,[],[],,AC-6,mitigates,6 +900,,T1059,Command and Scripting Interpreter,[],[],,AC-6,mitigates,6 
+901,,T1059.001,PowerShell,[],[],,AC-6,mitigates,6 +902,,T1059.006,Python,[],[],,AC-6,mitigates,6 +903,,T1059.008,Network Device CLI,[],[],,AC-6,mitigates,6 +904,,T1068,Exploitation for Privilege Escalation,[],[],,AC-6,mitigates,6 +905,,T1070,Indicator Removal on Host,[],[],,AC-6,mitigates,6 +906,,T1070.001,Clear Windows Event Logs,[],[],,AC-6,mitigates,6 +907,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-6,mitigates,6 +908,,T1070.003,Clear Command History,[],[],,AC-6,mitigates,6 +909,,T1072,Software Deployment Tools,[],[],,AC-6,mitigates,6 +910,,T1078,Valid Accounts,[],[],,AC-6,mitigates,6 +911,,T1078.001,Default Accounts,[],[],,AC-6,mitigates,6 +912,,T1078.002,Domain Accounts,[],[],,AC-6,mitigates,6 +913,,T1078.003,Local Accounts,[],[],,AC-6,mitigates,6 +914,,T1078.004,Cloud Accounts,[],[],,AC-6,mitigates,6 +915,,T1087.004,Cloud Account,[],[],,AC-6,mitigates,6 +916,,T1091,Replication Through Removable Media,[],[],,AC-6,mitigates,6 +917,,T1098,Account Manipulation,[],[],,AC-6,mitigates,6 +918,,T1098.001,Additional Cloud Credentials,[],[],,AC-6,mitigates,6 +919,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-6,mitigates,6 +920,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-6,mitigates,6 +921,,T1110,Brute Force,[],[],,AC-6,mitigates,6 +922,,T1110.001,Password Guessing,[],[],,AC-6,mitigates,6 +923,,T1110.002,Password Cracking,[],[],,AC-6,mitigates,6 +924,,T1110.003,Password Spraying,[],[],,AC-6,mitigates,6 +925,,T1110.004,Credential Stuffing,[],[],,AC-6,mitigates,6 +926,,T1112,Modify Registry,[],[],,AC-6,mitigates,6 +927,,T1133,External Remote Services,[],[],,AC-6,mitigates,6 +928,,T1134,Access Token Manipulation,[],[],,AC-6,mitigates,6 +929,,T1134.001,Token Impersonation/Theft,[],[],,AC-6,mitigates,6 +930,,T1134.002,Create Process with Token,[],[],,AC-6,mitigates,6 +931,,T1134.003,Make and Impersonate Token,[],[],,AC-6,mitigates,6 +932,,T1134.005,SID-History Injection,[],[],,AC-6,mitigates,6 +933,,T1136,Create 
Account,[],[],,AC-6,mitigates,6 +934,,T1136.001,Local Account,[],[],,AC-6,mitigates,6 +935,,T1136.002,Domain Account,[],[],,AC-6,mitigates,6 +936,,T1136.003,Cloud Account,[],[],,AC-6,mitigates,6 +937,,T1137.002,Office Test,[],[],,AC-6,mitigates,6 +938,,T1176,Browser Extensions,[],[],,AC-6,mitigates,6 +939,,T1185,Man in the Browser,[],[],,AC-6,mitigates,6 +940,,T1189,Drive-by Compromise,[],[],,AC-6,mitigates,6 +941,,T1190,Exploit Public-Facing Application,[],[],,AC-6,mitigates,6 +942,,T1197,BITS Jobs,[],[],,AC-6,mitigates,6 +943,,T1199,Trusted Relationship,[],[],,AC-6,mitigates,6 +944,,T1200,Hardware Additions,[],[],,AC-6,mitigates,6 +945,,T1203,Exploitation for Client Execution,[],[],,AC-6,mitigates,6 +946,,T1210,Exploitation of Remote Services,[],[],,AC-6,mitigates,6 +947,,T1211,Exploitation for Defense Evasion,[],[],,AC-6,mitigates,6 +948,,T1212,Exploitation for Credential Access,[],[],,AC-6,mitigates,6 +949,,T1213,Data from Information Repositories,[],[],,AC-6,mitigates,6 +950,,T1213.001,Confluence,[],[],,AC-6,mitigates,6 +951,,T1213.002,Sharepoint,[],[],,AC-6,mitigates,6 +952,,T1218,Signed Binary Proxy Execution,[],[],,AC-6,mitigates,6 +953,,T1218.007,Msiexec,[],[],,AC-6,mitigates,6 +954,,T1222,File and Directory Permissions Modification,[],[],,AC-6,mitigates,6 +955,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-6,mitigates,6 +956,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-6,mitigates,6 +957,,T1484,Domain Policy Modification,[],[],,AC-6,mitigates,6 +958,,T1485,Data Destruction,[],[],,AC-6,mitigates,6 +959,,T1486,Data Encrypted for Impact,[],[],,AC-6,mitigates,6 +960,,T1489,Service Stop,[],[],,AC-6,mitigates,6 +961,,T1490,Inhibit System Recovery,[],[],,AC-6,mitigates,6 +962,,T1491,Defacement,[],[],,AC-6,mitigates,6 +963,,T1491.001,Internal Defacement,[],[],,AC-6,mitigates,6 +964,,T1491.002,External Defacement,[],[],,AC-6,mitigates,6 +965,,T1495,Firmware Corruption,[],[],,AC-6,mitigates,6 
+966,,T1505,Server Software Component,[],[],,AC-6,mitigates,6 +967,,T1505.001,SQL Stored Procedures,[],[],,AC-6,mitigates,6 +968,,T1505.002,Transport Agent,[],[],,AC-6,mitigates,6 +969,,T1525,Implant Container Image,[],[],,AC-6,mitigates,6 +970,,T1528,Steal Application Access Token,[],[],,AC-6,mitigates,6 +971,,T1530,Data from Cloud Storage Object,[],[],,AC-6,mitigates,6 +972,,T1537,Transfer Data to Cloud Account,[],[],,AC-6,mitigates,6 +973,,T1538,Cloud Service Dashboard,[],[],,AC-6,mitigates,6 +974,,T1539,Steal Web Session Cookie,[],[],,AC-6,mitigates,6 +975,,T1542,Pre-OS Boot,[],[],,AC-6,mitigates,6 +976,,T1542.001,System Firmware,[],[],,AC-6,mitigates,6 +977,,T1542.003,Bootkit,[],[],,AC-6,mitigates,6 +978,,T1542.004,ROMMONkit,[],[],,AC-6,mitigates,6 +979,,T1542.005,TFTP Boot,[],[],,AC-6,mitigates,6 +980,,T1543,Create or Modify System Process,[],[],,AC-6,mitigates,6 +981,,T1543.001,Launch Agent,[],[],,AC-6,mitigates,6 +982,,T1543.002,Systemd Service,[],[],,AC-6,mitigates,6 +983,,T1543.003,Windows Service,[],[],,AC-6,mitigates,6 +984,,T1543.004,Launch Daemon,[],[],,AC-6,mitigates,6 +985,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-6,mitigates,6 +986,,T1546.004,.bash_profile and .bashrc,[],[],,AC-6,mitigates,6 +987,,T1546.011,Application Shimming,[],[],,AC-6,mitigates,6 +988,,T1546.013,PowerShell Profile,[],[],,AC-6,mitigates,6 +989,,T1547.004,Winlogon Helper DLL,[],[],,AC-6,mitigates,6 +990,,T1547.006,Kernel Modules and Extensions,[],[],,AC-6,mitigates,6 +991,,T1547.009,Shortcut Modification,[],[],,AC-6,mitigates,6 +992,,T1547.012,Print Processors,[],[],,AC-6,mitigates,6 +993,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-6,mitigates,6 +994,,T1548.002,Bypass User Account Control,[],[],,AC-6,mitigates,6 +995,,T1548.003,Sudo and Sudo Caching,[],[],,AC-6,mitigates,6 +996,,T1550,Use Alternate Authentication Material,[],[],,AC-6,mitigates,6 +997,,T1550.002,Pass the Hash,[],[],,AC-6,mitigates,6 +998,,T1550.003,Pass the 
Ticket,[],[],,AC-6,mitigates,6 +999,,T1552,Unsecured Credentials,[],[],,AC-6,mitigates,6 +1000,,T1552.001,Credentials In Files,[],[],,AC-6,mitigates,6 +1001,,T1552.002,Credentials in Registry,[],[],,AC-6,mitigates,6 +1002,,T1552.006,Group Policy Preferences,[],[],,AC-6,mitigates,6 +1003,,T1553,Subvert Trust Controls,[],[],,AC-6,mitigates,6 +1004,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-6,mitigates,6 +1005,,T1556,Modify Authentication Process,[],[],,AC-6,mitigates,6 +1006,,T1556.001,Domain Controller Authentication,[],[],,AC-6,mitigates,6 +1007,,T1556.003,Pluggable Authentication Modules,[],[],,AC-6,mitigates,6 +1008,,T1556.004,Network Device Authentication,[],[],,AC-6,mitigates,6 +1009,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-6,mitigates,6 +1010,,T1558.001,Golden Ticket,[],[],,AC-6,mitigates,6 +1011,,T1558.002,Silver Ticket,[],[],,AC-6,mitigates,6 +1012,,T1558.003,Kerberoasting,[],[],,AC-6,mitigates,6 +1013,,T1559,Inter-Process Communication,[],[],,AC-6,mitigates,6 +1014,,T1559.001,Component Object Model,[],[],,AC-6,mitigates,6 +1015,,T1559.002,Dynamic Data Exchange,[],[],,AC-6,mitigates,6 +1016,,T1561,Disk Wipe,[],[],,AC-6,mitigates,6 +1017,,T1561.001,Disk Content Wipe,[],[],,AC-6,mitigates,6 +1018,,T1561.002,Disk Structure Wipe,[],[],,AC-6,mitigates,6 +1019,,T1562,Impair Defenses,[],[],,AC-6,mitigates,6 +1020,,T1562.001,Disable or Modify Tools,[],[],,AC-6,mitigates,6 +1021,,T1562.002,Disable Windows Event Logging,[],[],,AC-6,mitigates,6 +1022,,T1562.004,Disable or Modify System Firewall,[],[],,AC-6,mitigates,6 +1023,,T1562.006,Indicator Blocking,[],[],,AC-6,mitigates,6 +1024,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-6,mitigates,6 +1025,,T1562.008,Disable Cloud Logs,[],[],,AC-6,mitigates,6 +1026,,T1563,Remote Service Session Hijacking,[],[],,AC-6,mitigates,6 +1027,,T1563.001,SSH Hijacking,[],[],,AC-6,mitigates,6 +1028,,T1563.002,RDP Hijacking,[],[],,AC-6,mitigates,6 +1029,,T1569,System Services,[],[],,AC-6,mitigates,6 
+1030,,T1569.001,Launchctl,[],[],,AC-6,mitigates,6 +1031,,T1569.002,Service Execution,[],[],,AC-6,mitigates,6 +1032,,T1574,Hijack Execution Flow,[],[],,AC-6,mitigates,6 +1033,,T1574.002,DLL Side-Loading,[],[],,AC-6,mitigates,6 +1034,,T1574.004,Dylib Hijacking,[],[],,AC-6,mitigates,6 +1035,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-6,mitigates,6 +1036,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-6,mitigates,6 +1037,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-6,mitigates,6 +1038,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-6,mitigates,6 +1039,,T1574.010,Services File Permissions Weakness,[],[],,AC-6,mitigates,6 +1040,,T1574.011,Services Registry Permissions Weakness,[],[],,AC-6,mitigates,6 +1041,,T1574.012,COR_PROFILER,[],[],,AC-6,mitigates,6 +1042,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-6,mitigates,6 +1043,,T1578.001,Create Snapshot,[],[],,AC-6,mitigates,6 +1044,,T1578.002,Create Cloud Instance,[],[],,AC-6,mitigates,6 +1045,,T1578.003,Delete Cloud Instance,[],[],,AC-6,mitigates,6 +1046,,T1580,Cloud Infrastructure Discovery,[],[],,AC-6,mitigates,6 +1047,,T1599,Network Boundary Bridging,[],[],,AC-6,mitigates,6 +1048,,T1599.001,Network Address Translation Traversal,[],[],,AC-6,mitigates,6 +1049,,T1601,Modify System Image,[],[],,AC-6,mitigates,6 +1050,,T1601.001,Patch System Image,[],[],,AC-6,mitigates,6 +1051,,T1601.002,Downgrade System Image,[],[],,AC-6,mitigates,6 +1052,,T1021,Remote Services,[],[],,AC-7,mitigates,6 +1053,,T1021.001,Remote Desktop Protocol,[],[],,AC-7,mitigates,6 +1054,,T1021.004,SSH,[],[],,AC-7,mitigates,6 +1055,,T1078.002,Domain Accounts,[],[],,AC-7,mitigates,6 +1056,,T1078.004,Cloud Accounts,[],[],,AC-7,mitigates,6 +1057,,T1110,Brute Force,[],[],,AC-7,mitigates,6 +1058,,T1110.001,Password Guessing,[],[],,AC-7,mitigates,6 +1059,,T1110.002,Password Cracking,[],[],,AC-7,mitigates,6 +1060,,T1110.003,Password Spraying,[],[],,AC-7,mitigates,6 
+1061,,T1110.004,Credential Stuffing,[],[],,AC-7,mitigates,6 +1062,,T1133,External Remote Services,[],[],,AC-7,mitigates,6 +1063,,T1530,Data from Cloud Storage Object,[],[],,AC-7,mitigates,6 +1064,,T1556,Modify Authentication Process,[],[],,AC-7,mitigates,6 +1065,,T1556.001,Domain Controller Authentication,[],[],,AC-7,mitigates,6 +1066,,T1556.003,Pluggable Authentication Modules,[],[],,AC-7,mitigates,6 +1067,,T1556.004,Network Device Authentication,[],[],,AC-7,mitigates,6 +1068,,T1199,Trusted Relationship,[],[],,AC-8,mitigates,6 +1069,,T1190,Exploit Public-Facing Application,[],[],,CA-2,mitigates,6 +1070,,T1195,Supply Chain Compromise,[],[],,CA-2,mitigates,6 +1071,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-2,mitigates,6 +1072,,T1195.002,Compromise Software Supply Chain,[],[],,CA-2,mitigates,6 +1073,,T1210,Exploitation of Remote Services,[],[],,CA-2,mitigates,6 +1074,,T1001,Data Obfuscation,[],[],,CA-7,mitigates,6 +1075,,T1001.001,Junk Data,[],[],,CA-7,mitigates,6 +1076,,T1001.002,Steganography,[],[],,CA-7,mitigates,6 +1077,,T1001.003,Protocol Impersonation,[],[],,CA-7,mitigates,6 +1078,,T1003,OS Credential Dumping,[],[],,CA-7,mitigates,6 +1079,,T1003.001,LSASS Memory,[],[],,CA-7,mitigates,6 +1080,,T1003.002,Security Account Manager,[],[],,CA-7,mitigates,6 +1081,,T1003.003,NTDS,[],[],,CA-7,mitigates,6 +1082,,T1003.004,LSA Secrets,[],[],,CA-7,mitigates,6 +1083,,T1003.005,Cached Domain Credentials,[],[],,CA-7,mitigates,6 +1084,,T1003.006,DCSync,[],[],,CA-7,mitigates,6 +1085,,T1003.007,Proc Filesystem,[],[],,CA-7,mitigates,6 +1086,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CA-7,mitigates,6 +1087,,T1008,Fallback Channels,[],[],,CA-7,mitigates,6 +1088,,T1021.002,SMB/Windows Admin Shares,[],[],,CA-7,mitigates,6 +1089,,T1021.005,VNC,[],[],,CA-7,mitigates,6 +1090,,T1029,Scheduled Transfer,[],[],,CA-7,mitigates,6 +1091,,T1030,Data Transfer Size Limits,[],[],,CA-7,mitigates,6 +1092,,T1036,Masquerading,[],[],,CA-7,mitigates,6 
+1093,,T1036.003,Rename System Utilities,[],[],,CA-7,mitigates,6 +1094,,T1036.005,Match Legitimate Name or Location,[],[],,CA-7,mitigates,6 +1095,,T1037,Boot or Logon Initialization Scripts,[],[],,CA-7,mitigates,6 +1096,,T1037.002,Logon Script (Mac),[],[],,CA-7,mitigates,6 +1097,,T1037.003,Network Logon Script,[],[],,CA-7,mitigates,6 +1098,,T1037.004,Rc.common,[],[],,CA-7,mitigates,6 +1099,,T1037.005,Startup Items,[],[],,CA-7,mitigates,6 +1100,,T1041,Exfiltration Over C2 Channel,[],[],,CA-7,mitigates,6 +1101,,T1046,Network Service Scanning,[],[],,CA-7,mitigates,6 +1102,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-7,mitigates,6 +1103,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,6 +1104,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,6 +1105,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-7,mitigates,6 +1106,,T1053.006,Systemd Timers,[],[],,CA-7,mitigates,6 +1107,,T1055.009,Proc Memory,[],[],,CA-7,mitigates,6 +1108,,T1056.002,GUI Input Capture,[],[],,CA-7,mitigates,6 +1109,,T1068,Exploitation for Privilege Escalation,[],[],,CA-7,mitigates,6 +1110,,T1070,Indicator Removal on Host,[],[],,CA-7,mitigates,6 +1111,,T1070.001,Clear Windows Event Logs,[],[],,CA-7,mitigates,6 +1112,,T1070.002,Clear Linux or Mac System Logs,[],[],,CA-7,mitigates,6 +1113,,T1070.003,Clear Command History,[],[],,CA-7,mitigates,6 +1114,,T1071,Application Layer Protocol,[],[],,CA-7,mitigates,6 +1115,,T1071.001,Web Protocols,[],[],,CA-7,mitigates,6 +1116,,T1071.002,File Transfer Protocols,[],[],,CA-7,mitigates,6 +1117,,T1071.003,Mail Protocols,[],[],,CA-7,mitigates,6 +1118,,T1071.004,DNS,[],[],,CA-7,mitigates,6 +1119,,T1072,Software Deployment Tools,[],[],,CA-7,mitigates,6 +1120,,T1078,Valid Accounts,[],[],,CA-7,mitigates,6 +1121,,T1078.001,Default Accounts,[],[],,CA-7,mitigates,6 +1122,,T1078.003,Local Accounts,[],[],,CA-7,mitigates,6 +1123,,T1078.004,Cloud 
Accounts,[],[],,CA-7,mitigates,6 +1124,,T1080,Taint Shared Content,[],[],,CA-7,mitigates,6 +1125,,T1090,Proxy,[],[],,CA-7,mitigates,6 +1126,,T1090.001,Internal Proxy,[],[],,CA-7,mitigates,6 +1127,,T1090.002,External Proxy,[],[],,CA-7,mitigates,6 +1128,,T1090.003,Multi-hop Proxy,[],[],,CA-7,mitigates,6 +1129,,T1095,Non-Application Layer Protocol,[],[],,CA-7,mitigates,6 +1130,,T1102,Web Service,[],[],,CA-7,mitigates,6 +1131,,T1102.001,Dead Drop Resolver,[],[],,CA-7,mitigates,6 +1132,,T1102.002,Bidirectional Communication,[],[],,CA-7,mitigates,6 +1133,,T1102.003,One-Way Communication,[],[],,CA-7,mitigates,6 +1134,,T1104,Multi-Stage Channels,[],[],,CA-7,mitigates,6 +1135,,T1105,Ingress Tool Transfer,[],[],,CA-7,mitigates,6 +1136,,T1110,Brute Force,[],[],,CA-7,mitigates,6 +1137,,T1110.001,Password Guessing,[],[],,CA-7,mitigates,6 +1138,,T1110.002,Password Cracking,[],[],,CA-7,mitigates,6 +1139,,T1110.003,Password Spraying,[],[],,CA-7,mitigates,6 +1140,,T1110.004,Credential Stuffing,[],[],,CA-7,mitigates,6 +1141,,T1111,Two-Factor Authentication Interception,[],[],,CA-7,mitigates,6 +1142,,T1132,Data Encoding,[],[],,CA-7,mitigates,6 +1143,,T1132.001,Standard Encoding,[],[],,CA-7,mitigates,6 +1144,,T1132.002,Non-Standard Encoding,[],[],,CA-7,mitigates,6 +1145,,T1176,Browser Extensions,[],[],,CA-7,mitigates,6 +1146,,T1185,Man in the Browser,[],[],,CA-7,mitigates,6 +1147,,T1187,Forced Authentication,[],[],,CA-7,mitigates,6 +1148,,T1189,Drive-by Compromise,[],[],,CA-7,mitigates,6 +1149,,T1190,Exploit Public-Facing Application,[],[],,CA-7,mitigates,6 +1150,,T1195,Supply Chain Compromise,[],[],,CA-7,mitigates,6 +1151,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-7,mitigates,6 +1152,,T1195.002,Compromise Software Supply Chain,[],[],,CA-7,mitigates,6 +1153,,T1197,BITS Jobs,[],[],,CA-7,mitigates,6 +1154,,T1201,Password Policy Discovery,[],[],,CA-7,mitigates,6 +1155,,T1203,Exploitation for Client Execution,[],[],,CA-7,mitigates,6 +1156,,T1204,User 
Execution,[],[],,CA-7,mitigates,6 +1157,,T1204.001,Malicious Link,[],[],,CA-7,mitigates,6 +1158,,T1204.002,Malicious File,[],[],,CA-7,mitigates,6 +1159,,T1205,Traffic Signaling,[],[],,CA-7,mitigates,6 +1160,,T1205.001,Port Knocking,[],[],,CA-7,mitigates,6 +1161,,T1210,Exploitation of Remote Services,[],[],,CA-7,mitigates,6 +1162,,T1211,Exploitation for Defense Evasion,[],[],,CA-7,mitigates,6 +1163,,T1212,Exploitation for Credential Access,[],[],,CA-7,mitigates,6 +1164,,T1213,Data from Information Repositories,[],[],,CA-7,mitigates,6 +1165,,T1213.001,Confluence,[],[],,CA-7,mitigates,6 +1166,,T1213.002,Sharepoint,[],[],,CA-7,mitigates,6 +1167,,T1218,Signed Binary Proxy Execution,[],[],,CA-7,mitigates,6 +1168,,T1218.002,Control Panel,[],[],,CA-7,mitigates,6 +1169,,T1218.010,Regsvr32,[],[],,CA-7,mitigates,6 +1170,,T1218.011,Rundll32,[],[],,CA-7,mitigates,6 +1171,,T1218.012,Verclsid,[],[],,CA-7,mitigates,6 +1172,,T1219,Remote Access Software,[],[],,CA-7,mitigates,6 +1173,,T1221,Template Injection,[],[],,CA-7,mitigates,6 +1174,,T1222,File and Directory Permissions Modification,[],[],,CA-7,mitigates,6 +1175,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CA-7,mitigates,6 +1176,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CA-7,mitigates,6 +1177,,T1489,Service Stop,[],[],,CA-7,mitigates,6 +1178,,T1498,Network Denial of Service,[],[],,CA-7,mitigates,6 +1179,,T1498.001,Direct Network Flood,[],[],,CA-7,mitigates,6 +1180,,T1498.002,Reflection Amplification,[],[],,CA-7,mitigates,6 +1181,,T1499,Endpoint Denial of Service,[],[],,CA-7,mitigates,6 +1182,,T1499.001,OS Exhaustion Flood,[],[],,CA-7,mitigates,6 +1183,,T1499.002,Service Exhaustion Flood,[],[],,CA-7,mitigates,6 +1184,,T1499.003,Application Exhaustion Flood,[],[],,CA-7,mitigates,6 +1185,,T1499.004,Application or System Exploitation,[],[],,CA-7,mitigates,6 +1186,,T1528,Steal Application Access Token,[],[],,CA-7,mitigates,6 +1187,,T1530,Data from Cloud Storage 
Object,[],[],,CA-7,mitigates,6 +1188,,T1537,Transfer Data to Cloud Account,[],[],,CA-7,mitigates,6 +1189,,T1539,Steal Web Session Cookie,[],[],,CA-7,mitigates,6 +1190,,T1542.004,ROMMONkit,[],[],,CA-7,mitigates,6 +1191,,T1542.005,TFTP Boot,[],[],,CA-7,mitigates,6 +1192,,T1543,Create or Modify System Process,[],[],,CA-7,mitigates,6 +1193,,T1543.002,Systemd Service,[],[],,CA-7,mitigates,6 +1194,,T1546.004,.bash_profile and .bashrc,[],[],,CA-7,mitigates,6 +1195,,T1546.013,PowerShell Profile,[],[],,CA-7,mitigates,6 +1196,,T1547.003,Time Providers,[],[],,CA-7,mitigates,6 +1197,,T1547.011,Plist Modification,[],[],,CA-7,mitigates,6 +1198,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-7,mitigates,6 +1199,,T1548.003,Sudo and Sudo Caching,[],[],,CA-7,mitigates,6 +1200,,T1550.003,Pass the Ticket,[],[],,CA-7,mitigates,6 +1201,,T1552,Unsecured Credentials,[],[],,CA-7,mitigates,6 +1202,,T1552.001,Credentials In Files,[],[],,CA-7,mitigates,6 +1203,,T1552.002,Credentials in Registry,[],[],,CA-7,mitigates,6 +1204,,T1552.004,Private Keys,[],[],,CA-7,mitigates,6 +1205,,T1552.005,Cloud Instance Metadata API,[],[],,CA-7,mitigates,6 +1206,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CA-7,mitigates,6 +1207,,T1555,Credentials from Password Stores,[],[],,CA-7,mitigates,6 +1208,,T1555.001,Keychain,[],[],,CA-7,mitigates,6 +1209,,T1555.002,Securityd Memory,[],[],,CA-7,mitigates,6 +1210,,T1556,Modify Authentication Process,[],[],,CA-7,mitigates,6 +1211,,T1556.001,Domain Controller Authentication,[],[],,CA-7,mitigates,6 +1212,,T1557,Man-in-the-Middle,[],[],,CA-7,mitigates,6 +1213,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CA-7,mitigates,6 +1214,,T1557.002,ARP Cache Poisoning,[],[],,CA-7,mitigates,6 +1215,,T1558,Steal or Forge Kerberos Tickets,[],[],,CA-7,mitigates,6 +1216,,T1558.002,Silver Ticket,[],[],,CA-7,mitigates,6 +1217,,T1558.003,Kerberoasting,[],[],,CA-7,mitigates,6 +1218,,T1558.004,AS-REP Roasting,[],[],,CA-7,mitigates,6 +1219,,T1562,Impair 
Defenses,[],[],,CA-7,mitigates,6 +1220,,T1562.001,Disable or Modify Tools,[],[],,CA-7,mitigates,6 +1221,,T1562.002,Disable Windows Event Logging,[],[],,CA-7,mitigates,6 +1222,,T1562.004,Disable or Modify System Firewall,[],[],,CA-7,mitigates,6 +1223,,T1562.006,Indicator Blocking,[],[],,CA-7,mitigates,6 +1224,,T1563.001,SSH Hijacking,[],[],,CA-7,mitigates,6 +1225,,T1564.004,NTFS File Attributes,[],[],,CA-7,mitigates,6 +1226,,T1565,Data Manipulation,[],[],,CA-7,mitigates,6 +1227,,T1565.001,Stored Data Manipulation,[],[],,CA-7,mitigates,6 +1228,,T1565.003,Runtime Data Manipulation,[],[],,CA-7,mitigates,6 +1229,,T1566,Phishing,[],[],,CA-7,mitigates,6 +1230,,T1566.001,Spearphishing Attachment,[],[],,CA-7,mitigates,6 +1231,,T1566.002,Spearphishing Link,[],[],,CA-7,mitigates,6 +1232,,T1566.003,Spearphishing via Service,[],[],,CA-7,mitigates,6 +1233,,T1568,Dynamic Resolution,[],[],,CA-7,mitigates,6 +1234,,T1568.002,Domain Generation Algorithms,[],[],,CA-7,mitigates,6 +1235,,T1569,System Services,[],[],,CA-7,mitigates,6 +1236,,T1569.002,Service Execution,[],[],,CA-7,mitigates,6 +1237,,T1570,Lateral Tool Transfer,[],[],,CA-7,mitigates,6 +1238,,T1571,Non-Standard Port,[],[],,CA-7,mitigates,6 +1239,,T1572,Protocol Tunneling,[],[],,CA-7,mitigates,6 +1240,,T1573,Encrypted Channel,[],[],,CA-7,mitigates,6 +1241,,T1573.001,Symmetric Cryptography,[],[],,CA-7,mitigates,6 +1242,,T1573.002,Asymmetric Cryptography,[],[],,CA-7,mitigates,6 +1243,,T1574,Hijack Execution Flow,[],[],,CA-7,mitigates,6 +1244,,T1574.002,DLL Side-Loading,[],[],,CA-7,mitigates,6 +1245,,T1574.004,Dylib Hijacking,[],[],,CA-7,mitigates,6 +1246,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-7,mitigates,6 +1247,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-7,mitigates,6 +1248,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-7,mitigates,6 +1249,,T1598,Phishing for Information,[],[],,CA-7,mitigates,6 +1250,,T1598.001,Spearphishing Service,[],[],,CA-7,mitigates,6 
+1251,,T1598.002,Spearphishing Attachment,[],[],,CA-7,mitigates,6 +1252,,T1598.003,Spearphishing Link,[],[],,CA-7,mitigates,6 +1253,,T1599,Network Boundary Bridging,[],[],,CA-7,mitigates,6 +1254,,T1599.001,Network Address Translation Traversal,[],[],,CA-7,mitigates,6 +1255,,T1602,Data from Configuration Repository,[],[],,CA-7,mitigates,6 +1256,,T1602.001,SNMP (MIB Dump),[],[],,CA-7,mitigates,6 +1257,,T1602.002,Network Device Configuration Dump,[],[],,CA-7,mitigates,6 +1258,,T1021.001,Remote Desktop Protocol,[],[],,CA-8,mitigates,6 +1259,,T1021.005,VNC,[],[],,CA-8,mitigates,6 +1260,,T1053,Scheduled Task/Job,[],[],,CA-8,mitigates,6 +1261,,T1053.001,At (Linux),[],[],,CA-8,mitigates,6 +1262,,T1053.002,At (Windows),[],[],,CA-8,mitigates,6 +1263,,T1053.003,Cron,[],[],,CA-8,mitigates,6 +1264,,T1053.004,Launchd,[],[],,CA-8,mitigates,6 +1265,,T1053.005,Scheduled Task,[],[],,CA-8,mitigates,6 +1266,,T1059,Command and Scripting Interpreter,[],[],,CA-8,mitigates,6 +1267,,T1068,Exploitation for Privilege Escalation,[],[],,CA-8,mitigates,6 +1268,,T1078,Valid Accounts,[],[],,CA-8,mitigates,6 +1269,,T1176,Browser Extensions,[],[],,CA-8,mitigates,6 +1270,,T1195.003,Compromise Hardware Supply Chain,[],[],,CA-8,mitigates,6 +1271,,T1210,Exploitation of Remote Services,[],[],,CA-8,mitigates,6 +1272,,T1211,Exploitation for Defense Evasion,[],[],,CA-8,mitigates,6 +1273,,T1212,Exploitation for Credential Access,[],[],,CA-8,mitigates,6 +1274,,T1213,Data from Information Repositories,[],[],,CA-8,mitigates,6 +1275,,T1213.001,Confluence,[],[],,CA-8,mitigates,6 +1276,,T1213.002,Sharepoint,[],[],,CA-8,mitigates,6 +1277,,T1482,Domain Trust Discovery,[],[],,CA-8,mitigates,6 +1278,,T1484,Domain Policy Modification,[],[],,CA-8,mitigates,6 +1279,,T1495,Firmware Corruption,[],[],,CA-8,mitigates,6 +1280,,T1505,Server Software Component,[],[],,CA-8,mitigates,6 +1281,,T1505.001,SQL Stored Procedures,[],[],,CA-8,mitigates,6 +1282,,T1505.002,Transport Agent,[],[],,CA-8,mitigates,6 +1283,,T1525,Implant 
Container Image,[],[],,CA-8,mitigates,6 +1284,,T1528,Steal Application Access Token,[],[],,CA-8,mitigates,6 +1285,,T1530,Data from Cloud Storage Object,[],[],,CA-8,mitigates,6 +1286,,T1542,Pre-OS Boot,[],[],,CA-8,mitigates,6 +1287,,T1542.001,System Firmware,[],[],,CA-8,mitigates,6 +1288,,T1542.003,Bootkit,[],[],,CA-8,mitigates,6 +1289,,T1542.004,ROMMONkit,[],[],,CA-8,mitigates,6 +1290,,T1542.005,TFTP Boot,[],[],,CA-8,mitigates,6 +1291,,T1543,Create or Modify System Process,[],[],,CA-8,mitigates,6 +1292,,T1543.003,Windows Service,[],[],,CA-8,mitigates,6 +1293,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-8,mitigates,6 +1294,,T1548.002,Bypass User Account Control,[],[],,CA-8,mitigates,6 +1295,,T1550,Use Alternate Authentication Material,[],[],,CA-8,mitigates,6 +1296,,T1552,Unsecured Credentials,[],[],,CA-8,mitigates,6 +1297,,T1552.001,Credentials In Files,[],[],,CA-8,mitigates,6 +1298,,T1552.002,Credentials in Registry,[],[],,CA-8,mitigates,6 +1299,,T1552.004,Private Keys,[],[],,CA-8,mitigates,6 +1300,,T1552.006,Group Policy Preferences,[],[],,CA-8,mitigates,6 +1301,,T1554,Compromise Client Software Binary,[],[],,CA-8,mitigates,6 +1302,,T1558.004,AS-REP Roasting,[],[],,CA-8,mitigates,6 +1303,,T1560,Archive Collected Data,[],[],,CA-8,mitigates,6 +1304,,T1560.001,Archive via Utility,[],[],,CA-8,mitigates,6 +1305,,T1562,Impair Defenses,[],[],,CA-8,mitigates,6 +1306,,T1563,Remote Service Session Hijacking,[],[],,CA-8,mitigates,6 +1307,,T1574,Hijack Execution Flow,[],[],,CA-8,mitigates,6 +1308,,T1574.001,DLL Search Order Hijacking,[],[],,CA-8,mitigates,6 +1309,,T1574.002,DLL Side-Loading,[],[],,CA-8,mitigates,6 +1310,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CA-8,mitigates,6 +1311,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-8,mitigates,6 +1312,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-8,mitigates,6 +1313,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-8,mitigates,6 +1314,,T1574.010,Services 
File Permissions Weakness,[],[],,CA-8,mitigates,6 +1315,,T1578,Modify Cloud Compute Infrastructure,[],[],,CA-8,mitigates,6 +1316,,T1578.001,Create Snapshot,[],[],,CA-8,mitigates,6 +1317,,T1578.002,Create Cloud Instance,[],[],,CA-8,mitigates,6 +1318,,T1578.003,Delete Cloud Instance,[],[],,CA-8,mitigates,6 +1319,,T1601,Modify System Image,[],[],,CA-8,mitigates,6 +1320,,T1601.001,Patch System Image,[],[],,CA-8,mitigates,6 +1321,,T1601.002,Downgrade System Image,[],[],,CA-8,mitigates,6 +1322,,T1546.008,Accessibility Features,[],[],,CM-10,mitigates,6 +1323,,T1546.013,PowerShell Profile,[],[],,CM-10,mitigates,6 +1324,,T1550.001,Application Access Token,[],[],,CM-10,mitigates,6 +1325,,T1553,Subvert Trust Controls,[],[],,CM-10,mitigates,6 +1326,,T1553.004,Install Root Certificate,[],[],,CM-10,mitigates,6 +1327,,T1559,Inter-Process Communication,[],[],,CM-10,mitigates,6 +1328,,T1559.002,Dynamic Data Exchange,[],[],,CM-10,mitigates,6 +1329,,T1021.005,VNC,[],[],,CM-11,mitigates,6 +1330,,T1059,Command and Scripting Interpreter,[],[],,CM-11,mitigates,6 +1331,,T1059.006,Python,[],[],,CM-11,mitigates,6 +1332,,T1176,Browser Extensions,[],[],,CM-11,mitigates,6 +1333,,T1195,Supply Chain Compromise,[],[],,CM-11,mitigates,6 +1334,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-11,mitigates,6 +1335,,T1195.002,Compromise Software Supply Chain,[],[],,CM-11,mitigates,6 +1336,,T1505,Server Software Component,[],[],,CM-11,mitigates,6 +1337,,T1505.001,SQL Stored Procedures,[],[],,CM-11,mitigates,6 +1338,,T1505.002,Transport Agent,[],[],,CM-11,mitigates,6 +1339,,T1543,Create or Modify System Process,[],[],,CM-11,mitigates,6 +1340,,T1543.001,Launch Agent,[],[],,CM-11,mitigates,6 +1341,,T1543.002,Systemd Service,[],[],,CM-11,mitigates,6 +1342,,T1543.003,Windows Service,[],[],,CM-11,mitigates,6 +1343,,T1543.004,Launch Daemon,[],[],,CM-11,mitigates,6 +1344,,T1550.001,Application Access Token,[],[],,CM-11,mitigates,6 +1345,,T1569,System Services,[],[],,CM-11,mitigates,6 
+1346,,T1569.001,Launchctl,[],[],,CM-11,mitigates,6 +1347,,T1001,Data Obfuscation,[],[],,CM-2,mitigates,6 +1348,,T1001.001,Junk Data,[],[],,CM-2,mitigates,6 +1349,,T1001.002,Steganography,[],[],,CM-2,mitigates,6 +1350,,T1001.003,Protocol Impersonation,[],[],,CM-2,mitigates,6 +1351,,T1003,OS Credential Dumping,[],[],,CM-2,mitigates,6 +1352,,T1003.001,LSASS Memory,[],[],,CM-2,mitigates,6 +1353,,T1003.002,Security Account Manager,[],[],,CM-2,mitigates,6 +1354,,T1003.003,NTDS,[],[],,CM-2,mitigates,6 +1355,,T1003.004,LSA Secrets,[],[],,CM-2,mitigates,6 +1356,,T1003.005,Cached Domain Credentials,[],[],,CM-2,mitigates,6 +1357,,T1003.006,DCSync,[],[],,CM-2,mitigates,6 +1358,,T1003.007,Proc Filesystem,[],[],,CM-2,mitigates,6 +1359,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-2,mitigates,6 +1360,,T1008,Fallback Channels,[],[],,CM-2,mitigates,6 +1361,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-2,mitigates,6 +1362,,T1020.001,Traffic Duplication,[],[],,CM-2,mitigates,6 +1363,,T1021.001,Remote Desktop Protocol,[],[],,CM-2,mitigates,6 +1364,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-2,mitigates,6 +1365,,T1021.003,Distributed Component Object Model,[],[],,CM-2,mitigates,6 +1366,,T1021.004,SSH,[],[],,CM-2,mitigates,6 +1367,,T1021.005,VNC,[],[],,CM-2,mitigates,6 +1368,,T1021.006,Windows Remote Management,[],[],,CM-2,mitigates,6 +1369,,T1029,Scheduled Transfer,[],[],,CM-2,mitigates,6 +1370,,T1030,Data Transfer Size Limits,[],[],,CM-2,mitigates,6 +1371,,T1036,Masquerading,[],[],,CM-2,mitigates,6 +1372,,T1036.001,Invalid Code Signature,[],[],,CM-2,mitigates,6 +1373,,T1036.003,Rename System Utilities,[],[],,CM-2,mitigates,6 +1374,,T1036.005,Match Legitimate Name or Location,[],[],,CM-2,mitigates,6 +1375,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-2,mitigates,6 +1376,,T1037.002,Logon Script (Mac),[],[],,CM-2,mitigates,6 +1377,,T1037.003,Network Logon Script,[],[],,CM-2,mitigates,6 +1378,,T1037.004,Rc.common,[],[],,CM-2,mitigates,6 +1379,,T1037.005,Startup 
Items,[],[],,CM-2,mitigates,6 +1380,,T1046,Network Service Scanning,[],[],,CM-2,mitigates,6 +1381,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-2,mitigates,6 +1382,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,6 +1383,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,6 +1384,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-2,mitigates,6 +1385,,T1052,Exfiltration Over Physical Medium,[],[],,CM-2,mitigates,6 +1386,,T1052.001,Exfiltration over USB,[],[],,CM-2,mitigates,6 +1387,,T1053,Scheduled Task/Job,[],[],,CM-2,mitigates,6 +1388,,T1053.002,At (Windows),[],[],,CM-2,mitigates,6 +1389,,T1053.005,Scheduled Task,[],[],,CM-2,mitigates,6 +1390,,T1059,Command and Scripting Interpreter,[],[],,CM-2,mitigates,6 +1391,,T1059.001,PowerShell,[],[],,CM-2,mitigates,6 +1392,,T1059.002,AppleScript,[],[],,CM-2,mitigates,6 +1393,,T1059.005,Visual Basic,[],[],,CM-2,mitigates,6 +1394,,T1059.007,JavaScript/JScript,[],[],,CM-2,mitigates,6 +1395,,T1068,Exploitation for Privilege Escalation,[],[],,CM-2,mitigates,6 +1396,,T1070,Indicator Removal on Host,[],[],,CM-2,mitigates,6 +1397,,T1070.001,Clear Windows Event Logs,[],[],,CM-2,mitigates,6 +1398,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-2,mitigates,6 +1399,,T1070.003,Clear Command History,[],[],,CM-2,mitigates,6 +1400,,T1071,Application Layer Protocol,[],[],,CM-2,mitigates,6 +1401,,T1071.001,Web Protocols,[],[],,CM-2,mitigates,6 +1402,,T1071.002,File Transfer Protocols,[],[],,CM-2,mitigates,6 +1403,,T1071.003,Mail Protocols,[],[],,CM-2,mitigates,6 +1404,,T1071.004,DNS,[],[],,CM-2,mitigates,6 +1405,,T1072,Software Deployment Tools,[],[],,CM-2,mitigates,6 +1406,,T1080,Taint Shared Content,[],[],,CM-2,mitigates,6 +1407,,T1090,Proxy,[],[],,CM-2,mitigates,6 +1408,,T1090.001,Internal Proxy,[],[],,CM-2,mitigates,6 +1409,,T1090.002,External Proxy,[],[],,CM-2,mitigates,6 +1410,,T1091,Replication Through Removable 
Media,[],[],,CM-2,mitigates,6 +1411,,T1092,Communication Through Removable Media,[],[],,CM-2,mitigates,6 +1412,,T1095,Non-Application Layer Protocol,[],[],,CM-2,mitigates,6 +1413,,T1098.004,SSH Authorized Keys,[],[],,CM-2,mitigates,6 +1414,,T1102,Web Service,[],[],,CM-2,mitigates,6 +1415,,T1102.001,Dead Drop Resolver,[],[],,CM-2,mitigates,6 +1416,,T1102.002,Bidirectional Communication,[],[],,CM-2,mitigates,6 +1417,,T1102.003,One-Way Communication,[],[],,CM-2,mitigates,6 +1418,,T1104,Multi-Stage Channels,[],[],,CM-2,mitigates,6 +1419,,T1105,Ingress Tool Transfer,[],[],,CM-2,mitigates,6 +1420,,T1110,Brute Force,[],[],,CM-2,mitigates,6 +1421,,T1110.001,Password Guessing,[],[],,CM-2,mitigates,6 +1422,,T1110.002,Password Cracking,[],[],,CM-2,mitigates,6 +1423,,T1110.003,Password Spraying,[],[],,CM-2,mitigates,6 +1424,,T1110.004,Credential Stuffing,[],[],,CM-2,mitigates,6 +1425,,T1111,Two-Factor Authentication Interception,[],[],,CM-2,mitigates,6 +1426,,T1114,Email Collection,[],[],,CM-2,mitigates,6 +1427,,T1114.002,Remote Email Collection,[],[],,CM-2,mitigates,6 +1428,,T1119,Automated Collection,[],[],,CM-2,mitigates,6 +1429,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-2,mitigates,6 +1430,,T1127.001,MSBuild,[],[],,CM-2,mitigates,6 +1431,,T1129,Shared Modules,[],[],,CM-2,mitigates,6 +1432,,T1132,Data Encoding,[],[],,CM-2,mitigates,6 +1433,,T1132.001,Standard Encoding,[],[],,CM-2,mitigates,6 +1434,,T1132.002,Non-Standard Encoding,[],[],,CM-2,mitigates,6 +1435,,T1133,External Remote Services,[],[],,CM-2,mitigates,6 +1436,,T1134.005,SID-History Injection,[],[],,CM-2,mitigates,6 +1437,,T1137,Office Application Startup,[],[],,CM-2,mitigates,6 +1438,,T1137.001,Office Template Macros,[],[],,CM-2,mitigates,6 +1439,,T1137.002,Office Test,[],[],,CM-2,mitigates,6 +1440,,T1176,Browser Extensions,[],[],,CM-2,mitigates,6 +1441,,T1185,Man in the Browser,[],[],,CM-2,mitigates,6 +1442,,T1187,Forced Authentication,[],[],,CM-2,mitigates,6 +1443,,T1189,Drive-by 
Compromise,[],[],,CM-2,mitigates,6 +1444,,T1201,Password Policy Discovery,[],[],,CM-2,mitigates,6 +1445,,T1204,User Execution,[],[],,CM-2,mitigates,6 +1446,,T1204.001,Malicious Link,[],[],,CM-2,mitigates,6 +1447,,T1204.002,Malicious File,[],[],,CM-2,mitigates,6 +1448,,T1210,Exploitation of Remote Services,[],[],,CM-2,mitigates,6 +1449,,T1211,Exploitation for Defense Evasion,[],[],,CM-2,mitigates,6 +1450,,T1212,Exploitation for Credential Access,[],[],,CM-2,mitigates,6 +1451,,T1213,Data from Information Repositories,[],[],,CM-2,mitigates,6 +1452,,T1213.001,Confluence,[],[],,CM-2,mitigates,6 +1453,,T1213.002,Sharepoint,[],[],,CM-2,mitigates,6 +1454,,T1216,Signed Script Proxy Execution,[],[],,CM-2,mitigates,6 +1455,,T1216.001,PubPrn,[],[],,CM-2,mitigates,6 +1456,,T1218,Signed Binary Proxy Execution,[],[],,CM-2,mitigates,6 +1457,,T1218.001,Compiled HTML File,[],[],,CM-2,mitigates,6 +1458,,T1218.002,Control Panel,[],[],,CM-2,mitigates,6 +1459,,T1218.003,CMSTP,[],[],,CM-2,mitigates,6 +1460,,T1218.004,InstallUtil,[],[],,CM-2,mitigates,6 +1461,,T1218.005,Mshta,[],[],,CM-2,mitigates,6 +1462,,T1218.008,Odbcconf,[],[],,CM-2,mitigates,6 +1463,,T1218.009,Regsvcs/Regasm,[],[],,CM-2,mitigates,6 +1464,,T1218.012,Verclsid,[],[],,CM-2,mitigates,6 +1465,,T1219,Remote Access Software,[],[],,CM-2,mitigates,6 +1466,,T1220,XSL Script Processing,[],[],,CM-2,mitigates,6 +1467,,T1221,Template Injection,[],[],,CM-2,mitigates,6 +1468,,T1484,Domain Policy Modification,[],[],,CM-2,mitigates,6 +1469,,T1485,Data Destruction,[],[],,CM-2,mitigates,6 +1470,,T1486,Data Encrypted for Impact,[],[],,CM-2,mitigates,6 +1471,,T1490,Inhibit System Recovery,[],[],,CM-2,mitigates,6 +1472,,T1491,Defacement,[],[],,CM-2,mitigates,6 +1473,,T1491.001,Internal Defacement,[],[],,CM-2,mitigates,6 +1474,,T1491.002,External Defacement,[],[],,CM-2,mitigates,6 +1475,,T1505,Server Software Component,[],[],,CM-2,mitigates,6 +1476,,T1505.001,SQL Stored Procedures,[],[],,CM-2,mitigates,6 +1477,,T1505.002,Transport 
Agent,[],[],,CM-2,mitigates,6 +1478,,T1525,Implant Container Image,[],[],,CM-2,mitigates,6 +1479,,T1528,Steal Application Access Token,[],[],,CM-2,mitigates,6 +1480,,T1530,Data from Cloud Storage Object,[],[],,CM-2,mitigates,6 +1481,,T1539,Steal Web Session Cookie,[],[],,CM-2,mitigates,6 +1482,,T1542.004,ROMMONkit,[],[],,CM-2,mitigates,6 +1483,,T1542.005,TFTP Boot,[],[],,CM-2,mitigates,6 +1484,,T1543,Create or Modify System Process,[],[],,CM-2,mitigates,6 +1485,,T1543.002,Systemd Service,[],[],,CM-2,mitigates,6 +1486,,T1543.003,Windows Service,[],[],,CM-2,mitigates,6 +1487,,T1546,Event Triggered Execution,[],[],,CM-2,mitigates,6 +1488,,T1546.002,Screensaver,[],[],,CM-2,mitigates,6 +1489,,T1546.004,.bash_profile and .bashrc,[],[],,CM-2,mitigates,6 +1490,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-2,mitigates,6 +1491,,T1546.010,AppInit DLLs,[],[],,CM-2,mitigates,6 +1492,,T1546.013,PowerShell Profile,[],[],,CM-2,mitigates,6 +1493,,T1546.014,Emond,[],[],,CM-2,mitigates,6 +1494,,T1547.003,Time Providers,[],[],,CM-2,mitigates,6 +1495,,T1547.007,Re-opened Applications,[],[],,CM-2,mitigates,6 +1496,,T1547.008,LSASS Driver,[],[],,CM-2,mitigates,6 +1497,,T1547.011,Plist Modification,[],[],,CM-2,mitigates,6 +1498,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-2,mitigates,6 +1499,,T1548.002,Bypass User Account Control,[],[],,CM-2,mitigates,6 +1500,,T1548.003,Sudo and Sudo Caching,[],[],,CM-2,mitigates,6 +1501,,T1548.004,Elevated Execution with Prompt,[],[],,CM-2,mitigates,6 +1502,,T1550,Use Alternate Authentication Material,[],[],,CM-2,mitigates,6 +1503,,T1550.001,Application Access Token,[],[],,CM-2,mitigates,6 +1504,,T1550.003,Pass the Ticket,[],[],,CM-2,mitigates,6 +1505,,T1552,Unsecured Credentials,[],[],,CM-2,mitigates,6 +1506,,T1552.001,Credentials In Files,[],[],,CM-2,mitigates,6 +1507,,T1552.004,Private Keys,[],[],,CM-2,mitigates,6 +1508,,T1552.006,Group Policy Preferences,[],[],,CM-2,mitigates,6 +1509,,T1553,Subvert Trust Controls,[],[],,CM-2,mitigates,6 
+1510,,T1553.001,Gatekeeper Bypass,[],[],,CM-2,mitigates,6 +1511,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-2,mitigates,6 +1512,,T1554,Compromise Client Software Binary,[],[],,CM-2,mitigates,6 +1513,,T1556.004,Network Device Authentication,[],[],,CM-2,mitigates,6 +1514,,T1557,Man-in-the-Middle,[],[],,CM-2,mitigates,6 +1515,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-2,mitigates,6 +1516,,T1557.002,ARP Cache Poisoning,[],[],,CM-2,mitigates,6 +1517,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-2,mitigates,6 +1518,,T1558.001,Golden Ticket,[],[],,CM-2,mitigates,6 +1519,,T1558.002,Silver Ticket,[],[],,CM-2,mitigates,6 +1520,,T1558.003,Kerberoasting,[],[],,CM-2,mitigates,6 +1521,,T1558.004,AS-REP Roasting,[],[],,CM-2,mitigates,6 +1522,,T1559,Inter-Process Communication,[],[],,CM-2,mitigates,6 +1523,,T1559.001,Component Object Model,[],[],,CM-2,mitigates,6 +1524,,T1559.002,Dynamic Data Exchange,[],[],,CM-2,mitigates,6 +1525,,T1561,Disk Wipe,[],[],,CM-2,mitigates,6 +1526,,T1561.001,Disk Content Wipe,[],[],,CM-2,mitigates,6 +1527,,T1561.002,Disk Structure Wipe,[],[],,CM-2,mitigates,6 +1528,,T1562,Impair Defenses,[],[],,CM-2,mitigates,6 +1529,,T1562.001,Disable or Modify Tools,[],[],,CM-2,mitigates,6 +1530,,T1562.002,Disable Windows Event Logging,[],[],,CM-2,mitigates,6 +1531,,T1562.003,Impair Command History Logging,[],[],,CM-2,mitigates,6 +1532,,T1562.004,Disable or Modify System Firewall,[],[],,CM-2,mitigates,6 +1533,,T1562.006,Indicator Blocking,[],[],,CM-2,mitigates,6 +1534,,T1563,Remote Service Session Hijacking,[],[],,CM-2,mitigates,6 +1535,,T1563.001,SSH Hijacking,[],[],,CM-2,mitigates,6 +1536,,T1563.002,RDP Hijacking,[],[],,CM-2,mitigates,6 +1537,,T1564.006,Run Virtual Instance,[],[],,CM-2,mitigates,6 +1538,,T1564.007,VBA Stomping,[],[],,CM-2,mitigates,6 +1539,,T1565,Data Manipulation,[],[],,CM-2,mitigates,6 +1540,,T1565.001,Stored Data Manipulation,[],[],,CM-2,mitigates,6 +1541,,T1565.002,Transmitted Data 
Manipulation,[],[],,CM-2,mitigates,6 +1542,,T1569,System Services,[],[],,CM-2,mitigates,6 +1543,,T1569.002,Service Execution,[],[],,CM-2,mitigates,6 +1544,,T1570,Lateral Tool Transfer,[],[],,CM-2,mitigates,6 +1545,,T1571,Non-Standard Port,[],[],,CM-2,mitigates,6 +1546,,T1572,Protocol Tunneling,[],[],,CM-2,mitigates,6 +1547,,T1573,Encrypted Channel,[],[],,CM-2,mitigates,6 +1548,,T1573.001,Symmetric Cryptography,[],[],,CM-2,mitigates,6 +1549,,T1573.002,Asymmetric Cryptography,[],[],,CM-2,mitigates,6 +1550,,T1574,Hijack Execution Flow,[],[],,CM-2,mitigates,6 +1551,,T1574.001,DLL Search Order Hijacking,[],[],,CM-2,mitigates,6 +1552,,T1574.002,DLL Side-Loading,[],[],,CM-2,mitigates,6 +1553,,T1574.004,Dylib Hijacking,[],[],,CM-2,mitigates,6 +1554,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-2,mitigates,6 +1555,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-2,mitigates,6 +1556,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-2,mitigates,6 +1557,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-2,mitigates,6 +1558,,T1574.010,Services File Permissions Weakness,[],[],,CM-2,mitigates,6 +1559,,T1599,Network Boundary Bridging,[],[],,CM-2,mitigates,6 +1560,,T1599.001,Network Address Translation Traversal,[],[],,CM-2,mitigates,6 +1561,,T1601,Modify System Image,[],[],,CM-2,mitigates,6 +1562,,T1601.001,Patch System Image,[],[],,CM-2,mitigates,6 +1563,,T1601.002,Downgrade System Image,[],[],,CM-2,mitigates,6 +1564,,T1602,Data from Configuration Repository,[],[],,CM-2,mitigates,6 +1565,,T1602.001,SNMP (MIB Dump),[],[],,CM-2,mitigates,6 +1566,,T1602.002,Network Device Configuration Dump,[],[],,CM-2,mitigates,6 +1567,,T1021.005,VNC,[],[],,CM-3,mitigates,6 +1568,,T1059.006,Python,[],[],,CM-3,mitigates,6 +1569,,T1176,Browser Extensions,[],[],,CM-3,mitigates,6 +1570,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-3,mitigates,6 +1571,,T1213,Data from Information Repositories,[],[],,CM-3,mitigates,6 
+1572,,T1213.001,Confluence,[],[],,CM-3,mitigates,6 +1573,,T1213.002,Sharepoint,[],[],,CM-3,mitigates,6 +1574,,T1495,Firmware Corruption,[],[],,CM-3,mitigates,6 +1575,,T1542,Pre-OS Boot,[],[],,CM-3,mitigates,6 +1576,,T1542.001,System Firmware,[],[],,CM-3,mitigates,6 +1577,,T1542.003,Bootkit,[],[],,CM-3,mitigates,6 +1578,,T1542.004,ROMMONkit,[],[],,CM-3,mitigates,6 +1579,,T1542.005,TFTP Boot,[],[],,CM-3,mitigates,6 +1580,,T1543,Create or Modify System Process,[],[],,CM-3,mitigates,6 +1581,,T1543.002,Systemd Service,[],[],,CM-3,mitigates,6 +1582,,T1547.007,Re-opened Applications,[],[],,CM-3,mitigates,6 +1583,,T1547.011,Plist Modification,[],[],,CM-3,mitigates,6 +1584,,T1601,Modify System Image,[],[],,CM-3,mitigates,6 +1585,,T1601.001,Patch System Image,[],[],,CM-3,mitigates,6 +1586,,T1601.002,Downgrade System Image,[],[],,CM-3,mitigates,6 +1587,,T1003,OS Credential Dumping,[],[],,CM-5,mitigates,6 +1588,,T1003.001,LSASS Memory,[],[],,CM-5,mitigates,6 +1589,,T1003.002,Security Account Manager,[],[],,CM-5,mitigates,6 +1590,,T1003.003,NTDS,[],[],,CM-5,mitigates,6 +1591,,T1003.004,LSA Secrets,[],[],,CM-5,mitigates,6 +1592,,T1003.005,Cached Domain Credentials,[],[],,CM-5,mitigates,6 +1593,,T1003.006,DCSync,[],[],,CM-5,mitigates,6 +1594,,T1003.007,Proc Filesystem,[],[],,CM-5,mitigates,6 +1595,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-5,mitigates,6 +1596,,T1021,Remote Services,[],[],,CM-5,mitigates,6 +1597,,T1021.001,Remote Desktop Protocol,[],[],,CM-5,mitigates,6 +1598,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-5,mitigates,6 +1599,,T1021.003,Distributed Component Object Model,[],[],,CM-5,mitigates,6 +1600,,T1021.004,SSH,[],[],,CM-5,mitigates,6 +1601,,T1021.005,VNC,[],[],,CM-5,mitigates,6 +1602,,T1021.006,Windows Remote Management,[],[],,CM-5,mitigates,6 +1603,,T1047,Windows Management Instrumentation,[],[],,CM-5,mitigates,6 +1604,,T1053,Scheduled Task/Job,[],[],,CM-5,mitigates,6 +1605,,T1053.001,At (Linux),[],[],,CM-5,mitigates,6 +1606,,T1053.002,At 
(Windows),[],[],,CM-5,mitigates,6 +1607,,T1053.003,Cron,[],[],,CM-5,mitigates,6 +1608,,T1053.004,Launchd,[],[],,CM-5,mitigates,6 +1609,,T1053.005,Scheduled Task,[],[],,CM-5,mitigates,6 +1610,,T1053.006,Systemd Timers,[],[],,CM-5,mitigates,6 +1611,,T1055,Process Injection,[],[],,CM-5,mitigates,6 +1612,,T1055.008,Ptrace System Calls,[],[],,CM-5,mitigates,6 +1613,,T1056.003,Web Portal Capture,[],[],,CM-5,mitigates,6 +1614,,T1059,Command and Scripting Interpreter,[],[],,CM-5,mitigates,6 +1615,,T1059.001,PowerShell,[],[],,CM-5,mitigates,6 +1616,,T1059.006,Python,[],[],,CM-5,mitigates,6 +1617,,T1059.008,Network Device CLI,[],[],,CM-5,mitigates,6 +1618,,T1072,Software Deployment Tools,[],[],,CM-5,mitigates,6 +1619,,T1078,Valid Accounts,[],[],,CM-5,mitigates,6 +1620,,T1078.002,Domain Accounts,[],[],,CM-5,mitigates,6 +1621,,T1078.003,Local Accounts,[],[],,CM-5,mitigates,6 +1622,,T1078.004,Cloud Accounts,[],[],,CM-5,mitigates,6 +1623,,T1098,Account Manipulation,[],[],,CM-5,mitigates,6 +1624,,T1098.001,Additional Cloud Credentials,[],[],,CM-5,mitigates,6 +1625,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-5,mitigates,6 +1626,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-5,mitigates,6 +1627,,T1134,Access Token Manipulation,[],[],,CM-5,mitigates,6 +1628,,T1134.001,Token Impersonation/Theft,[],[],,CM-5,mitigates,6 +1629,,T1134.002,Create Process with Token,[],[],,CM-5,mitigates,6 +1630,,T1134.003,Make and Impersonate Token,[],[],,CM-5,mitigates,6 +1631,,T1136,Create Account,[],[],,CM-5,mitigates,6 +1632,,T1136.001,Local Account,[],[],,CM-5,mitigates,6 +1633,,T1136.002,Domain Account,[],[],,CM-5,mitigates,6 +1634,,T1136.003,Cloud Account,[],[],,CM-5,mitigates,6 +1635,,T1137.002,Office Test,[],[],,CM-5,mitigates,6 +1636,,T1176,Browser Extensions,[],[],,CM-5,mitigates,6 +1637,,T1185,Man in the Browser,[],[],,CM-5,mitigates,6 +1638,,T1190,Exploit Public-Facing Application,[],[],,CM-5,mitigates,6 +1639,,T1195.003,Compromise Hardware Supply 
Chain,[],[],,CM-5,mitigates,6 +1640,,T1197,BITS Jobs,[],[],,CM-5,mitigates,6 +1641,,T1210,Exploitation of Remote Services,[],[],,CM-5,mitigates,6 +1642,,T1213,Data from Information Repositories,[],[],,CM-5,mitigates,6 +1643,,T1213.001,Confluence,[],[],,CM-5,mitigates,6 +1644,,T1213.002,Sharepoint,[],[],,CM-5,mitigates,6 +1645,,T1218,Signed Binary Proxy Execution,[],[],,CM-5,mitigates,6 +1646,,T1218.007,Msiexec,[],[],,CM-5,mitigates,6 +1647,,T1222,File and Directory Permissions Modification,[],[],,CM-5,mitigates,6 +1648,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-5,mitigates,6 +1649,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-5,mitigates,6 +1650,,T1484,Domain Policy Modification,[],[],,CM-5,mitigates,6 +1651,,T1489,Service Stop,[],[],,CM-5,mitigates,6 +1652,,T1495,Firmware Corruption,[],[],,CM-5,mitigates,6 +1653,,T1505,Server Software Component,[],[],,CM-5,mitigates,6 +1654,,T1505.001,SQL Stored Procedures,[],[],,CM-5,mitigates,6 +1655,,T1505.002,Transport Agent,[],[],,CM-5,mitigates,6 +1656,,T1525,Implant Container Image,[],[],,CM-5,mitigates,6 +1657,,T1528,Steal Application Access Token,[],[],,CM-5,mitigates,6 +1658,,T1530,Data from Cloud Storage Object,[],[],,CM-5,mitigates,6 +1659,,T1537,Transfer Data to Cloud Account,[],[],,CM-5,mitigates,6 +1660,,T1542,Pre-OS Boot,[],[],,CM-5,mitigates,6 +1661,,T1542.001,System Firmware,[],[],,CM-5,mitigates,6 +1662,,T1542.003,Bootkit,[],[],,CM-5,mitigates,6 +1663,,T1542.004,ROMMONkit,[],[],,CM-5,mitigates,6 +1664,,T1542.005,TFTP Boot,[],[],,CM-5,mitigates,6 +1665,,T1543,Create or Modify System Process,[],[],,CM-5,mitigates,6 +1666,,T1543.001,Launch Agent,[],[],,CM-5,mitigates,6 +1667,,T1543.002,Systemd Service,[],[],,CM-5,mitigates,6 +1668,,T1543.003,Windows Service,[],[],,CM-5,mitigates,6 +1669,,T1543.004,Launch Daemon,[],[],,CM-5,mitigates,6 +1670,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-5,mitigates,6 +1671,,T1547.003,Time 
Providers,[],[],,CM-5,mitigates,6 +1672,,T1547.004,Winlogon Helper DLL,[],[],,CM-5,mitigates,6 +1673,,T1547.006,Kernel Modules and Extensions,[],[],,CM-5,mitigates,6 +1674,,T1547.007,Re-opened Applications,[],[],,CM-5,mitigates,6 +1675,,T1547.009,Shortcut Modification,[],[],,CM-5,mitigates,6 +1676,,T1547.011,Plist Modification,[],[],,CM-5,mitigates,6 +1677,,T1547.012,Print Processors,[],[],,CM-5,mitigates,6 +1678,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-5,mitigates,6 +1679,,T1548.002,Bypass User Account Control,[],[],,CM-5,mitigates,6 +1680,,T1548.003,Sudo and Sudo Caching,[],[],,CM-5,mitigates,6 +1681,,T1550,Use Alternate Authentication Material,[],[],,CM-5,mitigates,6 +1682,,T1550.002,Pass the Hash,[],[],,CM-5,mitigates,6 +1683,,T1550.003,Pass the Ticket,[],[],,CM-5,mitigates,6 +1684,,T1552,Unsecured Credentials,[],[],,CM-5,mitigates,6 +1685,,T1552.002,Credentials in Registry,[],[],,CM-5,mitigates,6 +1686,,T1556,Modify Authentication Process,[],[],,CM-5,mitigates,6 +1687,,T1556.001,Domain Controller Authentication,[],[],,CM-5,mitigates,6 +1688,,T1556.003,Pluggable Authentication Modules,[],[],,CM-5,mitigates,6 +1689,,T1556.004,Network Device Authentication,[],[],,CM-5,mitigates,6 +1690,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-5,mitigates,6 +1691,,T1558.001,Golden Ticket,[],[],,CM-5,mitigates,6 +1692,,T1558.002,Silver Ticket,[],[],,CM-5,mitigates,6 +1693,,T1558.003,Kerberoasting,[],[],,CM-5,mitigates,6 +1694,,T1559,Inter-Process Communication,[],[],,CM-5,mitigates,6 +1695,,T1559.001,Component Object Model,[],[],,CM-5,mitigates,6 +1696,,T1562,Impair Defenses,[],[],,CM-5,mitigates,6 +1697,,T1562.001,Disable or Modify Tools,[],[],,CM-5,mitigates,6 +1698,,T1562.002,Disable Windows Event Logging,[],[],,CM-5,mitigates,6 +1699,,T1562.004,Disable or Modify System Firewall,[],[],,CM-5,mitigates,6 +1700,,T1562.006,Indicator Blocking,[],[],,CM-5,mitigates,6 +1701,,T1562.007,Disable or Modify Cloud Firewall,[],[],,CM-5,mitigates,6 +1702,,T1562.008,Disable 
Cloud Logs,[],[],,CM-5,mitigates,6 +1703,,T1563,Remote Service Session Hijacking,[],[],,CM-5,mitigates,6 +1704,,T1563.001,SSH Hijacking,[],[],,CM-5,mitigates,6 +1705,,T1563.002,RDP Hijacking,[],[],,CM-5,mitigates,6 +1706,,T1569,System Services,[],[],,CM-5,mitigates,6 +1707,,T1569.001,Launchctl,[],[],,CM-5,mitigates,6 +1708,,T1569.002,Service Execution,[],[],,CM-5,mitigates,6 +1709,,T1574,Hijack Execution Flow,[],[],,CM-5,mitigates,6 +1710,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-5,mitigates,6 +1711,,T1574.010,Services File Permissions Weakness,[],[],,CM-5,mitigates,6 +1712,,T1574.011,Services Registry Permissions Weakness,[],[],,CM-5,mitigates,6 +1713,,T1574.012,COR_PROFILER,[],[],,CM-5,mitigates,6 +1714,,T1578,Modify Cloud Compute Infrastructure,[],[],,CM-5,mitigates,6 +1715,,T1578.001,Create Snapshot,[],[],,CM-5,mitigates,6 +1716,,T1578.002,Create Cloud Instance,[],[],,CM-5,mitigates,6 +1717,,T1578.003,Delete Cloud Instance,[],[],,CM-5,mitigates,6 +1718,,T1599,Network Boundary Bridging,[],[],,CM-5,mitigates,6 +1719,,T1599.001,Network Address Translation Traversal,[],[],,CM-5,mitigates,6 +1720,,T1601,Modify System Image,[],[],,CM-5,mitigates,6 +1721,,T1601.001,Patch System Image,[],[],,CM-5,mitigates,6 +1722,,T1601.002,Downgrade System Image,[],[],,CM-5,mitigates,6 +1723,,T1001,Data Obfuscation,[],[],,CM-6,mitigates,6 +1724,,T1001.001,Junk Data,[],[],,CM-6,mitigates,6 +1725,,T1001.002,Steganography,[],[],,CM-6,mitigates,6 +1726,,T1001.003,Protocol Impersonation,[],[],,CM-6,mitigates,6 +1727,,T1003,OS Credential Dumping,[],[],,CM-6,mitigates,6 +1728,,T1003.001,LSASS Memory,[],[],,CM-6,mitigates,6 +1729,,T1003.002,Security Account Manager,[],[],,CM-6,mitigates,6 +1730,,T1003.003,NTDS,[],[],,CM-6,mitigates,6 +1731,,T1003.004,LSA Secrets,[],[],,CM-6,mitigates,6 +1732,,T1003.005,Cached Domain Credentials,[],[],,CM-6,mitigates,6 +1733,,T1003.006,DCSync,[],[],,CM-6,mitigates,6 +1734,,T1003.007,Proc Filesystem,[],[],,CM-6,mitigates,6 
+1735,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-6,mitigates,6 +1736,,T1008,Fallback Channels,[],[],,CM-6,mitigates,6 +1737,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-6,mitigates,6 +1738,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-6,mitigates,6 +1739,,T1020.001,Traffic Duplication,[],[],,CM-6,mitigates,6 +1740,,T1021,Remote Services,[],[],,CM-6,mitigates,6 +1741,,T1021.001,Remote Desktop Protocol,[],[],,CM-6,mitigates,6 +1742,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-6,mitigates,6 +1743,,T1021.003,Distributed Component Object Model,[],[],,CM-6,mitigates,6 +1744,,T1021.004,SSH,[],[],,CM-6,mitigates,6 +1745,,T1021.005,VNC,[],[],,CM-6,mitigates,6 +1746,,T1021.006,Windows Remote Management,[],[],,CM-6,mitigates,6 +1747,,T1029,Scheduled Transfer,[],[],,CM-6,mitigates,6 +1748,,T1030,Data Transfer Size Limits,[],[],,CM-6,mitigates,6 +1749,,T1036,Masquerading,[],[],,CM-6,mitigates,6 +1750,,T1036.001,Invalid Code Signature,[],[],,CM-6,mitigates,6 +1751,,T1036.003,Rename System Utilities,[],[],,CM-6,mitigates,6 +1752,,T1036.005,Match Legitimate Name or Location,[],[],,CM-6,mitigates,6 +1753,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-6,mitigates,6 +1754,,T1037.002,Logon Script (Mac),[],[],,CM-6,mitigates,6 +1755,,T1037.003,Network Logon Script,[],[],,CM-6,mitigates,6 +1756,,T1037.004,Rc.common,[],[],,CM-6,mitigates,6 +1757,,T1037.005,Startup Items,[],[],,CM-6,mitigates,6 +1758,,T1046,Network Service Scanning,[],[],,CM-6,mitigates,6 +1759,,T1047,Windows Management Instrumentation,[],[],,CM-6,mitigates,6 +1760,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-6,mitigates,6 +1761,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,6 +1762,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,6 +1763,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-6,mitigates,6 +1764,,T1052,Exfiltration Over Physical Medium,[],[],,CM-6,mitigates,6 
+1765,,T1052.001,Exfiltration over USB,[],[],,CM-6,mitigates,6 +1766,,T1053,Scheduled Task/Job,[],[],,CM-6,mitigates,6 +1767,,T1053.002,At (Windows),[],[],,CM-6,mitigates,6 +1768,,T1053.005,Scheduled Task,[],[],,CM-6,mitigates,6 +1769,,T1053.006,Systemd Timers,[],[],,CM-6,mitigates,6 +1770,,T1055,Process Injection,[],[],,CM-6,mitigates,6 +1771,,T1055.008,Ptrace System Calls,[],[],,CM-6,mitigates,6 +1772,,T1056.003,Web Portal Capture,[],[],,CM-6,mitigates,6 +1773,,T1059,Command and Scripting Interpreter,[],[],,CM-6,mitigates,6 +1774,,T1059.001,PowerShell,[],[],,CM-6,mitigates,6 +1775,,T1059.002,AppleScript,[],[],,CM-6,mitigates,6 +1776,,T1059.005,Visual Basic,[],[],,CM-6,mitigates,6 +1777,,T1059.007,JavaScript/JScript,[],[],,CM-6,mitigates,6 +1778,,T1059.008,Network Device CLI,[],[],,CM-6,mitigates,6 +1779,,T1068,Exploitation for Privilege Escalation,[],[],,CM-6,mitigates,6 +1780,,T1070,Indicator Removal on Host,[],[],,CM-6,mitigates,6 +1781,,T1070.001,Clear Windows Event Logs,[],[],,CM-6,mitigates,6 +1782,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-6,mitigates,6 +1783,,T1070.003,Clear Command History,[],[],,CM-6,mitigates,6 +1784,,T1071,Application Layer Protocol,[],[],,CM-6,mitigates,6 +1785,,T1071.001,Web Protocols,[],[],,CM-6,mitigates,6 +1786,,T1071.002,File Transfer Protocols,[],[],,CM-6,mitigates,6 +1787,,T1071.003,Mail Protocols,[],[],,CM-6,mitigates,6 +1788,,T1071.004,DNS,[],[],,CM-6,mitigates,6 +1789,,T1072,Software Deployment Tools,[],[],,CM-6,mitigates,6 +1790,,T1078,Valid Accounts,[],[],,CM-6,mitigates,6 +1791,,T1078.002,Domain Accounts,[],[],,CM-6,mitigates,6 +1792,,T1078.003,Local Accounts,[],[],,CM-6,mitigates,6 +1793,,T1078.004,Cloud Accounts,[],[],,CM-6,mitigates,6 +1794,,T1087,Account Discovery,[],[],,CM-6,mitigates,6 +1795,,T1087.001,Local Account,[],[],,CM-6,mitigates,6 +1796,,T1087.002,Domain Account,[],[],,CM-6,mitigates,6 +1797,,T1090,Proxy,[],[],,CM-6,mitigates,6 +1798,,T1090.001,Internal Proxy,[],[],,CM-6,mitigates,6 
+1799,,T1090.002,External Proxy,[],[],,CM-6,mitigates,6 +1800,,T1090.003,Multi-hop Proxy,[],[],,CM-6,mitigates,6 +1801,,T1091,Replication Through Removable Media,[],[],,CM-6,mitigates,6 +1802,,T1092,Communication Through Removable Media,[],[],,CM-6,mitigates,6 +1803,,T1095,Non-Application Layer Protocol,[],[],,CM-6,mitigates,6 +1804,,T1098,Account Manipulation,[],[],,CM-6,mitigates,6 +1805,,T1098.001,Additional Cloud Credentials,[],[],,CM-6,mitigates,6 +1806,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-6,mitigates,6 +1807,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-6,mitigates,6 +1808,,T1098.004,SSH Authorized Keys,[],[],,CM-6,mitigates,6 +1809,,T1102,Web Service,[],[],,CM-6,mitigates,6 +1810,,T1102.001,Dead Drop Resolver,[],[],,CM-6,mitigates,6 +1811,,T1102.002,Bidirectional Communication,[],[],,CM-6,mitigates,6 +1812,,T1102.003,One-Way Communication,[],[],,CM-6,mitigates,6 +1813,,T1104,Multi-Stage Channels,[],[],,CM-6,mitigates,6 +1814,,T1105,Ingress Tool Transfer,[],[],,CM-6,mitigates,6 +1815,,T1110,Brute Force,[],[],,CM-6,mitigates,6 +1816,,T1110.001,Password Guessing,[],[],,CM-6,mitigates,6 +1817,,T1110.002,Password Cracking,[],[],,CM-6,mitigates,6 +1818,,T1110.003,Password Spraying,[],[],,CM-6,mitigates,6 +1819,,T1110.004,Credential Stuffing,[],[],,CM-6,mitigates,6 +1820,,T1111,Two-Factor Authentication Interception,[],[],,CM-6,mitigates,6 +1821,,T1114,Email Collection,[],[],,CM-6,mitigates,6 +1822,,T1114.002,Remote Email Collection,[],[],,CM-6,mitigates,6 +1823,,T1119,Automated Collection,[],[],,CM-6,mitigates,6 +1824,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-6,mitigates,6 +1825,,T1127.001,MSBuild,[],[],,CM-6,mitigates,6 +1826,,T1132,Data Encoding,[],[],,CM-6,mitigates,6 +1827,,T1132.001,Standard Encoding,[],[],,CM-6,mitigates,6 +1828,,T1132.002,Non-Standard Encoding,[],[],,CM-6,mitigates,6 +1829,,T1133,External Remote Services,[],[],,CM-6,mitigates,6 +1830,,T1134,Access Token 
Manipulation,[],[],,CM-6,mitigates,6 +1831,,T1134.001,Token Impersonation/Theft,[],[],,CM-6,mitigates,6 +1832,,T1134.002,Create Process with Token,[],[],,CM-6,mitigates,6 +1833,,T1134.003,Make and Impersonate Token,[],[],,CM-6,mitigates,6 +1834,,T1134.005,SID-History Injection,[],[],,CM-6,mitigates,6 +1835,,T1135,Network Share Discovery,[],[],,CM-6,mitigates,6 +1836,,T1136,Create Account,[],[],,CM-6,mitigates,6 +1837,,T1136.001,Local Account,[],[],,CM-6,mitigates,6 +1838,,T1136.002,Domain Account,[],[],,CM-6,mitigates,6 +1839,,T1136.003,Cloud Account,[],[],,CM-6,mitigates,6 +1840,,T1137,Office Application Startup,[],[],,CM-6,mitigates,6 +1841,,T1137.001,Office Template Macros,[],[],,CM-6,mitigates,6 +1842,,T1176,Browser Extensions,[],[],,CM-6,mitigates,6 +1843,,T1187,Forced Authentication,[],[],,CM-6,mitigates,6 +1844,,T1189,Drive-by Compromise,[],[],,CM-6,mitigates,6 +1845,,T1190,Exploit Public-Facing Application,[],[],,CM-6,mitigates,6 +1846,,T1197,BITS Jobs,[],[],,CM-6,mitigates,6 +1847,,T1199,Trusted Relationship,[],[],,CM-6,mitigates,6 +1848,,T1201,Password Policy Discovery,[],[],,CM-6,mitigates,6 +1849,,T1204,User Execution,[],[],,CM-6,mitigates,6 +1850,,T1204.001,Malicious Link,[],[],,CM-6,mitigates,6 +1851,,T1204.002,Malicious File,[],[],,CM-6,mitigates,6 +1852,,T1205,Traffic Signaling,[],[],,CM-6,mitigates,6 +1853,,T1205.001,Port Knocking,[],[],,CM-6,mitigates,6 +1854,,T1210,Exploitation of Remote Services,[],[],,CM-6,mitigates,6 +1855,,T1211,Exploitation for Defense Evasion,[],[],,CM-6,mitigates,6 +1856,,T1212,Exploitation for Credential Access,[],[],,CM-6,mitigates,6 +1857,,T1213,Data from Information Repositories,[],[],,CM-6,mitigates,6 +1858,,T1213.001,Confluence,[],[],,CM-6,mitigates,6 +1859,,T1213.002,Sharepoint,[],[],,CM-6,mitigates,6 +1860,,T1216,Signed Script Proxy Execution,[],[],,CM-6,mitigates,6 +1861,,T1216.001,PubPrn,[],[],,CM-6,mitigates,6 +1862,,T1218,Signed Binary Proxy Execution,[],[],,CM-6,mitigates,6 +1863,,T1218.001,Compiled HTML 
File,[],[],,CM-6,mitigates,6 +1864,,T1218.002,Control Panel,[],[],,CM-6,mitigates,6 +1865,,T1218.003,CMSTP,[],[],,CM-6,mitigates,6 +1866,,T1218.004,InstallUtil,[],[],,CM-6,mitigates,6 +1867,,T1218.005,Mshta,[],[],,CM-6,mitigates,6 +1868,,T1218.007,Msiexec,[],[],,CM-6,mitigates,6 +1869,,T1218.008,Odbcconf,[],[],,CM-6,mitigates,6 +1870,,T1218.009,Regsvcs/Regasm,[],[],,CM-6,mitigates,6 +1871,,T1218.012,Verclsid,[],[],,CM-6,mitigates,6 +1872,,T1219,Remote Access Software,[],[],,CM-6,mitigates,6 +1873,,T1220,XSL Script Processing,[],[],,CM-6,mitigates,6 +1874,,T1221,Template Injection,[],[],,CM-6,mitigates,6 +1875,,T1222,File and Directory Permissions Modification,[],[],,CM-6,mitigates,6 +1876,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-6,mitigates,6 +1877,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-6,mitigates,6 +1878,,T1482,Domain Trust Discovery,[],[],,CM-6,mitigates,6 +1879,,T1484,Domain Policy Modification,[],[],,CM-6,mitigates,6 +1880,,T1489,Service Stop,[],[],,CM-6,mitigates,6 +1881,,T1490,Inhibit System Recovery,[],[],,CM-6,mitigates,6 +1882,,T1495,Firmware Corruption,[],[],,CM-6,mitigates,6 +1883,,T1498,Network Denial of Service,[],[],,CM-6,mitigates,6 +1884,,T1498.001,Direct Network Flood,[],[],,CM-6,mitigates,6 +1885,,T1498.002,Reflection Amplification,[],[],,CM-6,mitigates,6 +1886,,T1499,Endpoint Denial of Service,[],[],,CM-6,mitigates,6 +1887,,T1499.001,OS Exhaustion Flood,[],[],,CM-6,mitigates,6 +1888,,T1499.002,Service Exhaustion Flood,[],[],,CM-6,mitigates,6 +1889,,T1499.003,Application Exhaustion Flood,[],[],,CM-6,mitigates,6 +1890,,T1499.004,Application or System Exploitation,[],[],,CM-6,mitigates,6 +1891,,T1505,Server Software Component,[],[],,CM-6,mitigates,6 +1892,,T1505.001,SQL Stored Procedures,[],[],,CM-6,mitigates,6 +1893,,T1505.002,Transport Agent,[],[],,CM-6,mitigates,6 +1894,,T1525,Implant Container Image,[],[],,CM-6,mitigates,6 +1895,,T1528,Steal Application Access 
Token,[],[],,CM-6,mitigates,6 +1896,,T1530,Data from Cloud Storage Object,[],[],,CM-6,mitigates,6 +1897,,T1537,Transfer Data to Cloud Account,[],[],,CM-6,mitigates,6 +1898,,T1539,Steal Web Session Cookie,[],[],,CM-6,mitigates,6 +1899,,T1542,Pre-OS Boot,[],[],,CM-6,mitigates,6 +1900,,T1542.001,System Firmware,[],[],,CM-6,mitigates,6 +1901,,T1542.003,Bootkit,[],[],,CM-6,mitigates,6 +1902,,T1542.004,ROMMONkit,[],[],,CM-6,mitigates,6 +1903,,T1542.005,TFTP Boot,[],[],,CM-6,mitigates,6 +1904,,T1543,Create or Modify System Process,[],[],,CM-6,mitigates,6 +1905,,T1543.002,Systemd Service,[],[],,CM-6,mitigates,6 +1906,,T1543.003,Windows Service,[],[],,CM-6,mitigates,6 +1907,,T1546,Event Triggered Execution,[],[],,CM-6,mitigates,6 +1908,,T1546.002,Screensaver,[],[],,CM-6,mitigates,6 +1909,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-6,mitigates,6 +1910,,T1546.004,.bash_profile and .bashrc,[],[],,CM-6,mitigates,6 +1911,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-6,mitigates,6 +1912,,T1546.008,Accessibility Features,[],[],,CM-6,mitigates,6 +1913,,T1546.013,PowerShell Profile,[],[],,CM-6,mitigates,6 +1914,,T1546.014,Emond,[],[],,CM-6,mitigates,6 +1915,,T1547.002,Authentication Package,[],[],,CM-6,mitigates,6 +1916,,T1547.003,Time Providers,[],[],,CM-6,mitigates,6 +1917,,T1547.005,Security Support Provider,[],[],,CM-6,mitigates,6 +1918,,T1547.006,Kernel Modules and Extensions,[],[],,CM-6,mitigates,6 +1919,,T1547.007,Re-opened Applications,[],[],,CM-6,mitigates,6 +1920,,T1547.008,LSASS Driver,[],[],,CM-6,mitigates,6 +1921,,T1547.011,Plist Modification,[],[],,CM-6,mitigates,6 +1922,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-6,mitigates,6 +1923,,T1548.001,Setuid and Setgid,[],[],,CM-6,mitigates,6 +1924,,T1548.002,Bypass User Account Control,[],[],,CM-6,mitigates,6 +1925,,T1548.003,Sudo and Sudo Caching,[],[],,CM-6,mitigates,6 +1926,,T1548.004,Elevated Execution with Prompt,[],[],,CM-6,mitigates,6 +1927,,T1550,Use Alternate Authentication 
Material,[],[],,CM-6,mitigates,6 +1928,,T1550.001,Application Access Token,[],[],,CM-6,mitigates,6 +1929,,T1550.002,Pass the Hash,[],[],,CM-6,mitigates,6 +1930,,T1550.003,Pass the Ticket,[],[],,CM-6,mitigates,6 +1931,,T1552,Unsecured Credentials,[],[],,CM-6,mitigates,6 +1932,,T1552.001,Credentials In Files,[],[],,CM-6,mitigates,6 +1933,,T1552.002,Credentials in Registry,[],[],,CM-6,mitigates,6 +1934,,T1552.003,Bash History,[],[],,CM-6,mitigates,6 +1935,,T1552.004,Private Keys,[],[],,CM-6,mitigates,6 +1936,,T1552.005,Cloud Instance Metadata API,[],[],,CM-6,mitigates,6 +1937,,T1552.006,Group Policy Preferences,[],[],,CM-6,mitigates,6 +1938,,T1553,Subvert Trust Controls,[],[],,CM-6,mitigates,6 +1939,,T1553.001,Gatekeeper Bypass,[],[],,CM-6,mitigates,6 +1940,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-6,mitigates,6 +1941,,T1553.004,Install Root Certificate,[],[],,CM-6,mitigates,6 +1942,,T1554,Compromise Client Software Binary,[],[],,CM-6,mitigates,6 +1943,,T1556,Modify Authentication Process,[],[],,CM-6,mitigates,6 +1944,,T1556.001,Domain Controller Authentication,[],[],,CM-6,mitigates,6 +1945,,T1556.002,Password Filter DLL,[],[],,CM-6,mitigates,6 +1946,,T1556.003,Pluggable Authentication Modules,[],[],,CM-6,mitigates,6 +1947,,T1556.004,Network Device Authentication,[],[],,CM-6,mitigates,6 +1948,,T1557,Man-in-the-Middle,[],[],,CM-6,mitigates,6 +1949,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-6,mitigates,6 +1950,,T1557.002,ARP Cache Poisoning,[],[],,CM-6,mitigates,6 +1951,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-6,mitigates,6 +1952,,T1558.001,Golden Ticket,[],[],,CM-6,mitigates,6 +1953,,T1558.002,Silver Ticket,[],[],,CM-6,mitigates,6 +1954,,T1558.003,Kerberoasting,[],[],,CM-6,mitigates,6 +1955,,T1558.004,AS-REP Roasting,[],[],,CM-6,mitigates,6 +1956,,T1559,Inter-Process Communication,[],[],,CM-6,mitigates,6 +1957,,T1559.001,Component Object Model,[],[],,CM-6,mitigates,6 +1958,,T1559.002,Dynamic Data Exchange,[],[],,CM-6,mitigates,6 
+1959,,T1562,Impair Defenses,[],[],,CM-6,mitigates,6 +1960,,T1562.001,Disable or Modify Tools,[],[],,CM-6,mitigates,6 +1961,,T1562.002,Disable Windows Event Logging,[],[],,CM-6,mitigates,6 +1962,,T1562.003,Impair Command History Logging,[],[],,CM-6,mitigates,6 +1963,,T1562.004,Disable or Modify System Firewall,[],[],,CM-6,mitigates,6 +1964,,T1562.006,Indicator Blocking,[],[],,CM-6,mitigates,6 +1965,,T1563,Remote Service Session Hijacking,[],[],,CM-6,mitigates,6 +1966,,T1563.001,SSH Hijacking,[],[],,CM-6,mitigates,6 +1967,,T1563.002,RDP Hijacking,[],[],,CM-6,mitigates,6 +1968,,T1564.002,Hidden Users,[],[],,CM-6,mitigates,6 +1969,,T1564.006,Run Virtual Instance,[],[],,CM-6,mitigates,6 +1970,,T1564.007,VBA Stomping,[],[],,CM-6,mitigates,6 +1971,,T1565,Data Manipulation,[],[],,CM-6,mitigates,6 +1972,,T1565.001,Stored Data Manipulation,[],[],,CM-6,mitigates,6 +1973,,T1565.002,Transmitted Data Manipulation,[],[],,CM-6,mitigates,6 +1974,,T1565.003,Runtime Data Manipulation,[],[],,CM-6,mitigates,6 +1975,,T1569,System Services,[],[],,CM-6,mitigates,6 +1976,,T1569.002,Service Execution,[],[],,CM-6,mitigates,6 +1977,,T1570,Lateral Tool Transfer,[],[],,CM-6,mitigates,6 +1978,,T1571,Non-Standard Port,[],[],,CM-6,mitigates,6 +1979,,T1572,Protocol Tunneling,[],[],,CM-6,mitigates,6 +1980,,T1573,Encrypted Channel,[],[],,CM-6,mitigates,6 +1981,,T1573.001,Symmetric Cryptography,[],[],,CM-6,mitigates,6 +1982,,T1573.002,Asymmetric Cryptography,[],[],,CM-6,mitigates,6 +1983,,T1574,Hijack Execution Flow,[],[],,CM-6,mitigates,6 +1984,,T1574.001,DLL Search Order Hijacking,[],[],,CM-6,mitigates,6 +1985,,T1574.002,DLL Side-Loading,[],[],,CM-6,mitigates,6 +1986,,T1574.004,Dylib Hijacking,[],[],,CM-6,mitigates,6 +1987,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-6,mitigates,6 +1988,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-6,mitigates,6 +1989,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-6,mitigates,6 +1990,,T1574.009,Path 
Interception by Unquoted Path,[],[],,CM-6,mitigates,6 +1991,,T1574.010,Services File Permissions Weakness,[],[],,CM-6,mitigates,6 +1992,,T1599,Network Boundary Bridging,[],[],,CM-6,mitigates,6 +1993,,T1599.001,Network Address Translation Traversal,[],[],,CM-6,mitigates,6 +1994,,T1601,Modify System Image,[],[],,CM-6,mitigates,6 +1995,,T1601.001,Patch System Image,[],[],,CM-6,mitigates,6 +1996,,T1601.002,Downgrade System Image,[],[],,CM-6,mitigates,6 +1997,,T1602,Data from Configuration Repository,[],[],,CM-6,mitigates,6 +1998,,T1602.001,SNMP (MIB Dump),[],[],,CM-6,mitigates,6 +1999,,T1602.002,Network Device Configuration Dump,[],[],,CM-6,mitigates,6 +2000,,T1003,OS Credential Dumping,[],[],,CM-7,mitigates,6 +2001,,T1003.001,LSASS Memory,[],[],,CM-7,mitigates,6 +2002,,T1003.002,Security Account Manager,[],[],,CM-7,mitigates,6 +2003,,T1003.005,Cached Domain Credentials,[],[],,CM-7,mitigates,6 +2004,,T1008,Fallback Channels,[],[],,CM-7,mitigates,6 +2005,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-7,mitigates,6 +2006,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-7,mitigates,6 +2007,,T1021.001,Remote Desktop Protocol,[],[],,CM-7,mitigates,6 +2008,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-7,mitigates,6 +2009,,T1021.003,Distributed Component Object Model,[],[],,CM-7,mitigates,6 +2010,,T1021.005,VNC,[],[],,CM-7,mitigates,6 +2011,,T1021.006,Windows Remote Management,[],[],,CM-7,mitigates,6 +2012,,T1036,Masquerading,[],[],,CM-7,mitigates,6 +2013,,T1036.005,Match Legitimate Name or Location,[],[],,CM-7,mitigates,6 +2014,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-7,mitigates,6 +2015,,T1037.001,Logon Script (Windows),[],[],,CM-7,mitigates,6 +2016,,T1046,Network Service Scanning,[],[],,CM-7,mitigates,6 +2017,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-7,mitigates,6 +2018,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,6 +2019,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 
Protocol,[],[],,CM-7,mitigates,6 +2020,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-7,mitigates,6 +2021,,T1053,Scheduled Task/Job,[],[],,CM-7,mitigates,6 +2022,,T1053.002,At (Windows),[],[],,CM-7,mitigates,6 +2023,,T1053.005,Scheduled Task,[],[],,CM-7,mitigates,6 +2024,,T1059,Command and Scripting Interpreter,[],[],,CM-7,mitigates,6 +2025,,T1059.002,AppleScript,[],[],,CM-7,mitigates,6 +2026,,T1059.003,Windows Command Shell,[],[],,CM-7,mitigates,6 +2027,,T1059.004,Unix Shell,[],[],,CM-7,mitigates,6 +2028,,T1059.005,Visual Basic,[],[],,CM-7,mitigates,6 +2029,,T1059.006,Python,[],[],,CM-7,mitigates,6 +2030,,T1059.007,JavaScript/JScript,[],[],,CM-7,mitigates,6 +2031,,T1071,Application Layer Protocol,[],[],,CM-7,mitigates,6 +2032,,T1071.001,Web Protocols,[],[],,CM-7,mitigates,6 +2033,,T1071.002,File Transfer Protocols,[],[],,CM-7,mitigates,6 +2034,,T1071.003,Mail Protocols,[],[],,CM-7,mitigates,6 +2035,,T1071.004,DNS,[],[],,CM-7,mitigates,6 +2036,,T1072,Software Deployment Tools,[],[],,CM-7,mitigates,6 +2037,,T1080,Taint Shared Content,[],[],,CM-7,mitigates,6 +2038,,T1087,Account Discovery,[],[],,CM-7,mitigates,6 +2039,,T1087.001,Local Account,[],[],,CM-7,mitigates,6 +2040,,T1087.002,Domain Account,[],[],,CM-7,mitigates,6 +2041,,T1090,Proxy,[],[],,CM-7,mitigates,6 +2042,,T1090.001,Internal Proxy,[],[],,CM-7,mitigates,6 +2043,,T1090.002,External Proxy,[],[],,CM-7,mitigates,6 +2044,,T1090.003,Multi-hop Proxy,[],[],,CM-7,mitigates,6 +2045,,T1092,Communication Through Removable Media,[],[],,CM-7,mitigates,6 +2046,,T1095,Non-Application Layer Protocol,[],[],,CM-7,mitigates,6 +2047,,T1098,Account Manipulation,[],[],,CM-7,mitigates,6 +2048,,T1098.001,Additional Cloud Credentials,[],[],,CM-7,mitigates,6 +2049,,T1098.004,SSH Authorized Keys,[],[],,CM-7,mitigates,6 +2050,,T1102,Web Service,[],[],,CM-7,mitigates,6 +2051,,T1102.001,Dead Drop Resolver,[],[],,CM-7,mitigates,6 +2052,,T1102.002,Bidirectional Communication,[],[],,CM-7,mitigates,6 
+2053,,T1102.003,One-Way Communication,[],[],,CM-7,mitigates,6 +2054,,T1104,Multi-Stage Channels,[],[],,CM-7,mitigates,6 +2055,,T1105,Ingress Tool Transfer,[],[],,CM-7,mitigates,6 +2056,,T1106,Native API,[],[],,CM-7,mitigates,6 +2057,,T1112,Modify Registry,[],[],,CM-7,mitigates,6 +2058,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-7,mitigates,6 +2059,,T1129,Shared Modules,[],[],,CM-7,mitigates,6 +2060,,T1133,External Remote Services,[],[],,CM-7,mitigates,6 +2061,,T1135,Network Share Discovery,[],[],,CM-7,mitigates,6 +2062,,T1136,Create Account,[],[],,CM-7,mitigates,6 +2063,,T1136.002,Domain Account,[],[],,CM-7,mitigates,6 +2064,,T1136.003,Cloud Account,[],[],,CM-7,mitigates,6 +2065,,T1176,Browser Extensions,[],[],,CM-7,mitigates,6 +2066,,T1187,Forced Authentication,[],[],,CM-7,mitigates,6 +2067,,T1190,Exploit Public-Facing Application,[],[],,CM-7,mitigates,6 +2068,,T1195,Supply Chain Compromise,[],[],,CM-7,mitigates,6 +2069,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-7,mitigates,6 +2070,,T1195.002,Compromise Software Supply Chain,[],[],,CM-7,mitigates,6 +2071,,T1197,BITS Jobs,[],[],,CM-7,mitigates,6 +2072,,T1199,Trusted Relationship,[],[],,CM-7,mitigates,6 +2073,,T1204,User Execution,[],[],,CM-7,mitigates,6 +2074,,T1204.001,Malicious Link,[],[],,CM-7,mitigates,6 +2075,,T1204.002,Malicious File,[],[],,CM-7,mitigates,6 +2076,,T1205,Traffic Signaling,[],[],,CM-7,mitigates,6 +2077,,T1205.001,Port Knocking,[],[],,CM-7,mitigates,6 +2078,,T1210,Exploitation of Remote Services,[],[],,CM-7,mitigates,6 +2079,,T1213,Data from Information Repositories,[],[],,CM-7,mitigates,6 +2080,,T1213.001,Confluence,[],[],,CM-7,mitigates,6 +2081,,T1213.002,Sharepoint,[],[],,CM-7,mitigates,6 +2082,,T1216,Signed Script Proxy Execution,[],[],,CM-7,mitigates,6 +2083,,T1216.001,PubPrn,[],[],,CM-7,mitigates,6 +2084,,T1218,Signed Binary Proxy Execution,[],[],,CM-7,mitigates,6 +2085,,T1218.001,Compiled HTML File,[],[],,CM-7,mitigates,6 
+2086,,T1218.002,Control Panel,[],[],,CM-7,mitigates,6 +2087,,T1218.003,CMSTP,[],[],,CM-7,mitigates,6 +2088,,T1218.004,InstallUtil,[],[],,CM-7,mitigates,6 +2089,,T1218.005,Mshta,[],[],,CM-7,mitigates,6 +2090,,T1218.008,Odbcconf,[],[],,CM-7,mitigates,6 +2091,,T1218.009,Regsvcs/Regasm,[],[],,CM-7,mitigates,6 +2092,,T1218.012,Verclsid,[],[],,CM-7,mitigates,6 +2093,,T1219,Remote Access Software,[],[],,CM-7,mitigates,6 +2094,,T1220,XSL Script Processing,[],[],,CM-7,mitigates,6 +2095,,T1221,Template Injection,[],[],,CM-7,mitigates,6 +2096,,T1482,Domain Trust Discovery,[],[],,CM-7,mitigates,6 +2097,,T1484,Domain Policy Modification,[],[],,CM-7,mitigates,6 +2098,,T1489,Service Stop,[],[],,CM-7,mitigates,6 +2099,,T1490,Inhibit System Recovery,[],[],,CM-7,mitigates,6 +2100,,T1498,Network Denial of Service,[],[],,CM-7,mitigates,6 +2101,,T1498.001,Direct Network Flood,[],[],,CM-7,mitigates,6 +2102,,T1498.002,Reflection Amplification,[],[],,CM-7,mitigates,6 +2103,,T1499,Endpoint Denial of Service,[],[],,CM-7,mitigates,6 +2104,,T1499.001,OS Exhaustion Flood,[],[],,CM-7,mitigates,6 +2105,,T1499.002,Service Exhaustion Flood,[],[],,CM-7,mitigates,6 +2106,,T1499.003,Application Exhaustion Flood,[],[],,CM-7,mitigates,6 +2107,,T1499.004,Application or System Exploitation,[],[],,CM-7,mitigates,6 +2108,,T1525,Implant Container Image,[],[],,CM-7,mitigates,6 +2109,,T1530,Data from Cloud Storage Object,[],[],,CM-7,mitigates,6 +2110,,T1537,Transfer Data to Cloud Account,[],[],,CM-7,mitigates,6 +2111,,T1542.004,ROMMONkit,[],[],,CM-7,mitigates,6 +2112,,T1542.005,TFTP Boot,[],[],,CM-7,mitigates,6 +2113,,T1543,Create or Modify System Process,[],[],,CM-7,mitigates,6 +2114,,T1543.003,Windows Service,[],[],,CM-7,mitigates,6 +2115,,T1546.002,Screensaver,[],[],,CM-7,mitigates,6 +2116,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-7,mitigates,6 +2117,,T1546.008,Accessibility Features,[],[],,CM-7,mitigates,6 +2118,,T1546.009,AppCert DLLs,[],[],,CM-7,mitigates,6 +2119,,T1547.004,Winlogon Helper 
DLL,[],[],,CM-7,mitigates,6 +2120,,T1547.006,Kernel Modules and Extensions,[],[],,CM-7,mitigates,6 +2121,,T1547.007,Re-opened Applications,[],[],,CM-7,mitigates,6 +2122,,T1547.011,Plist Modification,[],[],,CM-7,mitigates,6 +2123,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-7,mitigates,6 +2124,,T1548.001,Setuid and Setgid,[],[],,CM-7,mitigates,6 +2125,,T1548.003,Sudo and Sudo Caching,[],[],,CM-7,mitigates,6 +2126,,T1548.004,Elevated Execution with Prompt,[],[],,CM-7,mitigates,6 +2127,,T1552,Unsecured Credentials,[],[],,CM-7,mitigates,6 +2128,,T1552.003,Bash History,[],[],,CM-7,mitigates,6 +2129,,T1552.005,Cloud Instance Metadata API,[],[],,CM-7,mitigates,6 +2130,,T1553,Subvert Trust Controls,[],[],,CM-7,mitigates,6 +2131,,T1553.001,Gatekeeper Bypass,[],[],,CM-7,mitigates,6 +2132,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-7,mitigates,6 +2133,,T1553.004,Install Root Certificate,[],[],,CM-7,mitigates,6 +2134,,T1556,Modify Authentication Process,[],[],,CM-7,mitigates,6 +2135,,T1556.002,Password Filter DLL,[],[],,CM-7,mitigates,6 +2136,,T1557,Man-in-the-Middle,[],[],,CM-7,mitigates,6 +2137,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-7,mitigates,6 +2138,,T1557.002,ARP Cache Poisoning,[],[],,CM-7,mitigates,6 +2139,,T1559,Inter-Process Communication,[],[],,CM-7,mitigates,6 +2140,,T1559.002,Dynamic Data Exchange,[],[],,CM-7,mitigates,6 +2141,,T1562,Impair Defenses,[],[],,CM-7,mitigates,6 +2142,,T1562.001,Disable or Modify Tools,[],[],,CM-7,mitigates,6 +2143,,T1562.002,Disable Windows Event Logging,[],[],,CM-7,mitigates,6 +2144,,T1562.003,Impair Command History Logging,[],[],,CM-7,mitigates,6 +2145,,T1562.004,Disable or Modify System Firewall,[],[],,CM-7,mitigates,6 +2146,,T1563,Remote Service Session Hijacking,[],[],,CM-7,mitigates,6 +2147,,T1563.001,SSH Hijacking,[],[],,CM-7,mitigates,6 +2148,,T1563.002,RDP Hijacking,[],[],,CM-7,mitigates,6 +2149,,T1564.002,Hidden Users,[],[],,CM-7,mitigates,6 +2150,,T1564.003,Hidden 
Window,[],[],,CM-7,mitigates,6 +2151,,T1564.006,Run Virtual Instance,[],[],,CM-7,mitigates,6 +2152,,T1565,Data Manipulation,[],[],,CM-7,mitigates,6 +2153,,T1565.003,Runtime Data Manipulation,[],[],,CM-7,mitigates,6 +2154,,T1569,System Services,[],[],,CM-7,mitigates,6 +2155,,T1569.002,Service Execution,[],[],,CM-7,mitigates,6 +2156,,T1570,Lateral Tool Transfer,[],[],,CM-7,mitigates,6 +2157,,T1571,Non-Standard Port,[],[],,CM-7,mitigates,6 +2158,,T1572,Protocol Tunneling,[],[],,CM-7,mitigates,6 +2159,,T1573,Encrypted Channel,[],[],,CM-7,mitigates,6 +2160,,T1573.001,Symmetric Cryptography,[],[],,CM-7,mitigates,6 +2161,,T1573.002,Asymmetric Cryptography,[],[],,CM-7,mitigates,6 +2162,,T1574,Hijack Execution Flow,[],[],,CM-7,mitigates,6 +2163,,T1574.001,DLL Search Order Hijacking,[],[],,CM-7,mitigates,6 +2164,,T1574.006,LD_PRELOAD,[],[],,CM-7,mitigates,6 +2165,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-7,mitigates,6 +2166,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-7,mitigates,6 +2167,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-7,mitigates,6 +2168,,T1574.012,COR_PROFILER,[],[],,CM-7,mitigates,6 +2169,,T1599,Network Boundary Bridging,[],[],,CM-7,mitigates,6 +2170,,T1599.001,Network Address Translation Traversal,[],[],,CM-7,mitigates,6 +2171,,T1601,Modify System Image,[],[],,CM-7,mitigates,6 +2172,,T1601.001,Patch System Image,[],[],,CM-7,mitigates,6 +2173,,T1601.002,Downgrade System Image,[],[],,CM-7,mitigates,6 +2174,,T1602,Data from Configuration Repository,[],[],,CM-7,mitigates,6 +2175,,T1602.001,SNMP (MIB Dump),[],[],,CM-7,mitigates,6 +2176,,T1602.002,Network Device Configuration Dump,[],[],,CM-7,mitigates,6 +2177,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-8,mitigates,6 +2178,,T1020.001,Traffic Duplication,[],[],,CM-8,mitigates,6 +2179,,T1021.001,Remote Desktop Protocol,[],[],,CM-8,mitigates,6 +2180,,T1021.003,Distributed Component Object Model,[],[],,CM-8,mitigates,6 
+2181,,T1021.004,SSH,[],[],,CM-8,mitigates,6 +2182,,T1021.005,VNC,[],[],,CM-8,mitigates,6 +2183,,T1021.006,Windows Remote Management,[],[],,CM-8,mitigates,6 +2184,,T1046,Network Service Scanning,[],[],,CM-8,mitigates,6 +2185,,T1052,Exfiltration Over Physical Medium,[],[],,CM-8,mitigates,6 +2186,,T1052.001,Exfiltration over USB,[],[],,CM-8,mitigates,6 +2187,,T1053,Scheduled Task/Job,[],[],,CM-8,mitigates,6 +2188,,T1053.002,At (Windows),[],[],,CM-8,mitigates,6 +2189,,T1053.005,Scheduled Task,[],[],,CM-8,mitigates,6 +2190,,T1059,Command and Scripting Interpreter,[],[],,CM-8,mitigates,6 +2191,,T1059.001,PowerShell,[],[],,CM-8,mitigates,6 +2192,,T1059.005,Visual Basic,[],[],,CM-8,mitigates,6 +2193,,T1059.007,JavaScript/JScript,[],[],,CM-8,mitigates,6 +2194,,T1068,Exploitation for Privilege Escalation,[],[],,CM-8,mitigates,6 +2195,,T1072,Software Deployment Tools,[],[],,CM-8,mitigates,6 +2196,,T1091,Replication Through Removable Media,[],[],,CM-8,mitigates,6 +2197,,T1092,Communication Through Removable Media,[],[],,CM-8,mitigates,6 +2198,,T1098.004,SSH Authorized Keys,[],[],,CM-8,mitigates,6 +2199,,T1119,Automated Collection,[],[],,CM-8,mitigates,6 +2200,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-8,mitigates,6 +2201,,T1127.001,MSBuild,[],[],,CM-8,mitigates,6 +2202,,T1133,External Remote Services,[],[],,CM-8,mitigates,6 +2203,,T1137,Office Application Startup,[],[],,CM-8,mitigates,6 +2204,,T1137.001,Office Template Macros,[],[],,CM-8,mitigates,6 +2205,,T1189,Drive-by Compromise,[],[],,CM-8,mitigates,6 +2206,,T1190,Exploit Public-Facing Application,[],[],,CM-8,mitigates,6 +2207,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-8,mitigates,6 +2208,,T1203,Exploitation for Client Execution,[],[],,CM-8,mitigates,6 +2209,,T1210,Exploitation of Remote Services,[],[],,CM-8,mitigates,6 +2210,,T1211,Exploitation for Defense Evasion,[],[],,CM-8,mitigates,6 +2211,,T1212,Exploitation for Credential Access,[],[],,CM-8,mitigates,6 +2212,,T1213,Data from Information 
Repositories,[],[],,CM-8,mitigates,6 +2213,,T1213.001,Confluence,[],[],,CM-8,mitigates,6 +2214,,T1213.002,Sharepoint,[],[],,CM-8,mitigates,6 +2215,,T1218,Signed Binary Proxy Execution,[],[],,CM-8,mitigates,6 +2216,,T1218.003,CMSTP,[],[],,CM-8,mitigates,6 +2217,,T1218.004,InstallUtil,[],[],,CM-8,mitigates,6 +2218,,T1218.005,Mshta,[],[],,CM-8,mitigates,6 +2219,,T1218.008,Odbcconf,[],[],,CM-8,mitigates,6 +2220,,T1218.009,Regsvcs/Regasm,[],[],,CM-8,mitigates,6 +2221,,T1218.012,Verclsid,[],[],,CM-8,mitigates,6 +2222,,T1221,Template Injection,[],[],,CM-8,mitigates,6 +2223,,T1495,Firmware Corruption,[],[],,CM-8,mitigates,6 +2224,,T1505,Server Software Component,[],[],,CM-8,mitigates,6 +2225,,T1505.001,SQL Stored Procedures,[],[],,CM-8,mitigates,6 +2226,,T1505.002,Transport Agent,[],[],,CM-8,mitigates,6 +2227,,T1530,Data from Cloud Storage Object,[],[],,CM-8,mitigates,6 +2228,,T1542,Pre-OS Boot,[],[],,CM-8,mitigates,6 +2229,,T1542.001,System Firmware,[],[],,CM-8,mitigates,6 +2230,,T1542.003,Bootkit,[],[],,CM-8,mitigates,6 +2231,,T1542.004,ROMMONkit,[],[],,CM-8,mitigates,6 +2232,,T1542.005,TFTP Boot,[],[],,CM-8,mitigates,6 +2233,,T1546.002,Screensaver,[],[],,CM-8,mitigates,6 +2234,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-8,mitigates,6 +2235,,T1546.014,Emond,[],[],,CM-8,mitigates,6 +2236,,T1547.007,Re-opened Applications,[],[],,CM-8,mitigates,6 +2237,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-8,mitigates,6 +2238,,T1548.004,Elevated Execution with Prompt,[],[],,CM-8,mitigates,6 +2239,,T1557,Man-in-the-Middle,[],[],,CM-8,mitigates,6 +2240,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-8,mitigates,6 +2241,,T1557.002,ARP Cache Poisoning,[],[],,CM-8,mitigates,6 +2242,,T1559,Inter-Process Communication,[],[],,CM-8,mitigates,6 +2243,,T1559.002,Dynamic Data Exchange,[],[],,CM-8,mitigates,6 +2244,,T1563,Remote Service Session Hijacking,[],[],,CM-8,mitigates,6 +2245,,T1563.001,SSH Hijacking,[],[],,CM-8,mitigates,6 +2246,,T1563.002,RDP 
Hijacking,[],[],,CM-8,mitigates,6 +2247,,T1564.006,Run Virtual Instance,[],[],,CM-8,mitigates,6 +2248,,T1564.007,VBA Stomping,[],[],,CM-8,mitigates,6 +2249,,T1565,Data Manipulation,[],[],,CM-8,mitigates,6 +2250,,T1565.001,Stored Data Manipulation,[],[],,CM-8,mitigates,6 +2251,,T1565.002,Transmitted Data Manipulation,[],[],,CM-8,mitigates,6 +2252,,T1574,Hijack Execution Flow,[],[],,CM-8,mitigates,6 +2253,,T1574.002,DLL Side-Loading,[],[],,CM-8,mitigates,6 +2254,,T1574.004,Dylib Hijacking,[],[],,CM-8,mitigates,6 +2255,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-8,mitigates,6 +2256,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-8,mitigates,6 +2257,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-8,mitigates,6 +2258,,T1601,Modify System Image,[],[],,CM-8,mitigates,6 +2259,,T1601.001,Patch System Image,[],[],,CM-8,mitigates,6 +2260,,T1601.002,Downgrade System Image,[],[],,CM-8,mitigates,6 +2261,,T1602,Data from Configuration Repository,[],[],,CM-8,mitigates,6 +2262,,T1602.001,SNMP (MIB Dump),[],[],,CM-8,mitigates,6 +2263,,T1602.002,Network Device Configuration Dump,[],[],,CM-8,mitigates,6 +2264,,T1485,Data Destruction,[],[],,CP-10,mitigates,6 +2265,,T1486,Data Encrypted for Impact,[],[],,CP-10,mitigates,6 +2266,,T1490,Inhibit System Recovery,[],[],,CP-10,mitigates,6 +2267,,T1491,Defacement,[],[],,CP-10,mitigates,6 +2268,,T1491.001,Internal Defacement,[],[],,CP-10,mitigates,6 +2269,,T1491.002,External Defacement,[],[],,CP-10,mitigates,6 +2270,,T1561,Disk Wipe,[],[],,CP-10,mitigates,6 +2271,,T1561.001,Disk Content Wipe,[],[],,CP-10,mitigates,6 +2272,,T1561.002,Disk Structure Wipe,[],[],,CP-10,mitigates,6 +2273,,T1565,Data Manipulation,[],[],,CP-10,mitigates,6 +2274,,T1565.001,Stored Data Manipulation,[],[],,CP-10,mitigates,6 +2275,,T1485,Data Destruction,[],[],,CP-2,mitigates,6 +2276,,T1486,Data Encrypted for Impact,[],[],,CP-2,mitigates,6 +2277,,T1490,Inhibit System Recovery,[],[],,CP-2,mitigates,6 
+2278,,T1491,Defacement,[],[],,CP-2,mitigates,6 +2279,,T1491.001,Internal Defacement,[],[],,CP-2,mitigates,6 +2280,,T1491.002,External Defacement,[],[],,CP-2,mitigates,6 +2281,,T1561,Disk Wipe,[],[],,CP-2,mitigates,6 +2282,,T1561.001,Disk Content Wipe,[],[],,CP-2,mitigates,6 +2283,,T1561.002,Disk Structure Wipe,[],[],,CP-2,mitigates,6 +2284,,T1070,Indicator Removal on Host,[],[],,CP-6,mitigates,6 +2285,,T1070.001,Clear Windows Event Logs,[],[],,CP-6,mitigates,6 +2286,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-6,mitigates,6 +2287,,T1119,Automated Collection,[],[],,CP-6,mitigates,6 +2288,,T1486,Data Encrypted for Impact,[],[],,CP-6,mitigates,6 +2289,,T1565,Data Manipulation,[],[],,CP-6,mitigates,6 +2290,,T1565.001,Stored Data Manipulation,[],[],,CP-6,mitigates,6 +2291,,T1070,Indicator Removal on Host,[],[],,CP-7,mitigates,6 +2292,,T1070.001,Clear Windows Event Logs,[],[],,CP-7,mitigates,6 +2293,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-7,mitigates,6 +2294,,T1119,Automated Collection,[],[],,CP-7,mitigates,6 +2295,,T1485,Data Destruction,[],[],,CP-7,mitigates,6 +2296,,T1486,Data Encrypted for Impact,[],[],,CP-7,mitigates,6 +2297,,T1490,Inhibit System Recovery,[],[],,CP-7,mitigates,6 +2298,,T1491,Defacement,[],[],,CP-7,mitigates,6 +2299,,T1491.001,Internal Defacement,[],[],,CP-7,mitigates,6 +2300,,T1491.002,External Defacement,[],[],,CP-7,mitigates,6 +2301,,T1561,Disk Wipe,[],[],,CP-7,mitigates,6 +2302,,T1561.001,Disk Content Wipe,[],[],,CP-7,mitigates,6 +2303,,T1561.002,Disk Structure Wipe,[],[],,CP-7,mitigates,6 +2304,,T1565,Data Manipulation,[],[],,CP-7,mitigates,6 +2305,,T1565.001,Stored Data Manipulation,[],[],,CP-7,mitigates,6 +2306,,T1003,OS Credential Dumping,[],[],,CP-9,mitigates,6 +2307,,T1003.003,NTDS,[],[],,CP-9,mitigates,6 +2308,,T1070,Indicator Removal on Host,[],[],,CP-9,mitigates,6 +2309,,T1070.001,Clear Windows Event Logs,[],[],,CP-9,mitigates,6 +2310,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-9,mitigates,6 
+2311,,T1119,Automated Collection,[],[],,CP-9,mitigates,6 +2312,,T1485,Data Destruction,[],[],,CP-9,mitigates,6 +2313,,T1486,Data Encrypted for Impact,[],[],,CP-9,mitigates,6 +2314,,T1490,Inhibit System Recovery,[],[],,CP-9,mitigates,6 +2315,,T1491,Defacement,[],[],,CP-9,mitigates,6 +2316,,T1491.001,Internal Defacement,[],[],,CP-9,mitigates,6 +2317,,T1491.002,External Defacement,[],[],,CP-9,mitigates,6 +2318,,T1561,Disk Wipe,[],[],,CP-9,mitigates,6 +2319,,T1561.001,Disk Content Wipe,[],[],,CP-9,mitigates,6 +2320,,T1561.002,Disk Structure Wipe,[],[],,CP-9,mitigates,6 +2321,,T1565,Data Manipulation,[],[],,CP-9,mitigates,6 +2322,,T1565.001,Stored Data Manipulation,[],[],,CP-9,mitigates,6 +2323,,T1565.003,Runtime Data Manipulation,[],[],,CP-9,mitigates,6 +2324,,T1110,Brute Force,[],[],,IA-11,mitigates,6 +2325,,T1110.001,Password Guessing,[],[],,IA-11,mitigates,6 +2326,,T1110.002,Password Cracking,[],[],,IA-11,mitigates,6 +2327,,T1110.003,Password Spraying,[],[],,IA-11,mitigates,6 +2328,,T1110.004,Credential Stuffing,[],[],,IA-11,mitigates,6 +2329,,T1003,OS Credential Dumping,[],[],,IA-2,mitigates,6 +2330,,T1003.001,LSASS Memory,[],[],,IA-2,mitigates,6 +2331,,T1003.002,Security Account Manager,[],[],,IA-2,mitigates,6 +2332,,T1003.003,NTDS,[],[],,IA-2,mitigates,6 +2333,,T1003.004,LSA Secrets,[],[],,IA-2,mitigates,6 +2334,,T1003.005,Cached Domain Credentials,[],[],,IA-2,mitigates,6 +2335,,T1003.006,DCSync,[],[],,IA-2,mitigates,6 +2336,,T1003.007,Proc Filesystem,[],[],,IA-2,mitigates,6 +2337,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-2,mitigates,6 +2338,,T1021,Remote Services,[],[],,IA-2,mitigates,6 +2339,,T1021.001,Remote Desktop Protocol,[],[],,IA-2,mitigates,6 +2340,,T1021.002,SMB/Windows Admin Shares,[],[],,IA-2,mitigates,6 +2341,,T1021.003,Distributed Component Object Model,[],[],,IA-2,mitigates,6 +2342,,T1021.004,SSH,[],[],,IA-2,mitigates,6 +2343,,T1021.005,VNC,[],[],,IA-2,mitigates,6 +2344,,T1021.006,Windows Remote Management,[],[],,IA-2,mitigates,6 
+2345,,T1040,Network Sniffing,[],[],,IA-2,mitigates,6 +2346,,T1047,Windows Management Instrumentation,[],[],,IA-2,mitigates,6 +2347,,T1053,Scheduled Task/Job,[],[],,IA-2,mitigates,6 +2348,,T1053.001,At (Linux),[],[],,IA-2,mitigates,6 +2349,,T1053.002,At (Windows),[],[],,IA-2,mitigates,6 +2350,,T1053.003,Cron,[],[],,IA-2,mitigates,6 +2351,,T1053.004,Launchd,[],[],,IA-2,mitigates,6 +2352,,T1053.005,Scheduled Task,[],[],,IA-2,mitigates,6 +2353,,T1053.006,Systemd Timers,[],[],,IA-2,mitigates,6 +2354,,T1055,Process Injection,[],[],,IA-2,mitigates,6 +2355,,T1055.008,Ptrace System Calls,[],[],,IA-2,mitigates,6 +2356,,T1056.003,Web Portal Capture,[],[],,IA-2,mitigates,6 +2357,,T1059,Command and Scripting Interpreter,[],[],,IA-2,mitigates,6 +2358,,T1059.001,PowerShell,[],[],,IA-2,mitigates,6 +2359,,T1059.008,Network Device CLI,[],[],,IA-2,mitigates,6 +2360,,T1072,Software Deployment Tools,[],[],,IA-2,mitigates,6 +2361,,T1078,Valid Accounts,[],[],,IA-2,mitigates,6 +2362,,T1078.002,Domain Accounts,[],[],,IA-2,mitigates,6 +2363,,T1078.003,Local Accounts,[],[],,IA-2,mitigates,6 +2364,,T1078.004,Cloud Accounts,[],[],,IA-2,mitigates,6 +2365,,T1087.004,Cloud Account,[],[],,IA-2,mitigates,6 +2366,,T1098,Account Manipulation,[],[],,IA-2,mitigates,6 +2367,,T1098.001,Additional Cloud Credentials,[],[],,IA-2,mitigates,6 +2368,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-2,mitigates,6 +2369,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-2,mitigates,6 +2370,,T1110,Brute Force,[],[],,IA-2,mitigates,6 +2371,,T1110.001,Password Guessing,[],[],,IA-2,mitigates,6 +2372,,T1110.002,Password Cracking,[],[],,IA-2,mitigates,6 +2373,,T1110.003,Password Spraying,[],[],,IA-2,mitigates,6 +2374,,T1110.004,Credential Stuffing,[],[],,IA-2,mitigates,6 +2375,,T1111,Two-Factor Authentication Interception,[],[],,IA-2,mitigates,6 +2376,,T1114,Email Collection,[],[],,IA-2,mitigates,6 +2377,,T1114.002,Remote Email Collection,[],[],,IA-2,mitigates,6 +2378,,T1133,External Remote 
Services,[],[],,IA-2,mitigates,6 +2379,,T1134,Access Token Manipulation,[],[],,IA-2,mitigates,6 +2380,,T1134.001,Token Impersonation/Theft,[],[],,IA-2,mitigates,6 +2381,,T1134.002,Create Process with Token,[],[],,IA-2,mitigates,6 +2382,,T1134.003,Make and Impersonate Token,[],[],,IA-2,mitigates,6 +2383,,T1136,Create Account,[],[],,IA-2,mitigates,6 +2384,,T1136.001,Local Account,[],[],,IA-2,mitigates,6 +2385,,T1136.002,Domain Account,[],[],,IA-2,mitigates,6 +2386,,T1136.003,Cloud Account,[],[],,IA-2,mitigates,6 +2387,,T1185,Man in the Browser,[],[],,IA-2,mitigates,6 +2388,,T1190,Exploit Public-Facing Application,[],[],,IA-2,mitigates,6 +2389,,T1197,BITS Jobs,[],[],,IA-2,mitigates,6 +2390,,T1210,Exploitation of Remote Services,[],[],,IA-2,mitigates,6 +2391,,T1213,Data from Information Repositories,[],[],,IA-2,mitigates,6 +2392,,T1213.001,Confluence,[],[],,IA-2,mitigates,6 +2393,,T1213.002,Sharepoint,[],[],,IA-2,mitigates,6 +2394,,T1218,Signed Binary Proxy Execution,[],[],,IA-2,mitigates,6 +2395,,T1218.007,Msiexec,[],[],,IA-2,mitigates,6 +2396,,T1222,File and Directory Permissions Modification,[],[],,IA-2,mitigates,6 +2397,,T1222.001,Windows File and Directory Permissions Modification,[],[],,IA-2,mitigates,6 +2398,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,IA-2,mitigates,6 +2399,,T1484,Domain Policy Modification,[],[],,IA-2,mitigates,6 +2400,,T1489,Service Stop,[],[],,IA-2,mitigates,6 +2401,,T1495,Firmware Corruption,[],[],,IA-2,mitigates,6 +2402,,T1505,Server Software Component,[],[],,IA-2,mitigates,6 +2403,,T1505.001,SQL Stored Procedures,[],[],,IA-2,mitigates,6 +2404,,T1505.002,Transport Agent,[],[],,IA-2,mitigates,6 +2405,,T1525,Implant Container Image,[],[],,IA-2,mitigates,6 +2406,,T1528,Steal Application Access Token,[],[],,IA-2,mitigates,6 +2407,,T1530,Data from Cloud Storage Object,[],[],,IA-2,mitigates,6 +2408,,T1537,Transfer Data to Cloud Account,[],[],,IA-2,mitigates,6 +2409,,T1538,Cloud Service 
Dashboard,[],[],,IA-2,mitigates,6 +2410,,T1539,Steal Web Session Cookie,[],[],,IA-2,mitigates,6 +2411,,T1542,Pre-OS Boot,[],[],,IA-2,mitigates,6 +2412,,T1542.001,System Firmware,[],[],,IA-2,mitigates,6 +2413,,T1542.003,Bootkit,[],[],,IA-2,mitigates,6 +2414,,T1542.005,TFTP Boot,[],[],,IA-2,mitigates,6 +2415,,T1543,Create or Modify System Process,[],[],,IA-2,mitigates,6 +2416,,T1543.001,Launch Agent,[],[],,IA-2,mitigates,6 +2417,,T1543.002,Systemd Service,[],[],,IA-2,mitigates,6 +2418,,T1543.003,Windows Service,[],[],,IA-2,mitigates,6 +2419,,T1543.004,Launch Daemon,[],[],,IA-2,mitigates,6 +2420,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,IA-2,mitigates,6 +2421,,T1547.004,Winlogon Helper DLL,[],[],,IA-2,mitigates,6 +2422,,T1547.006,Kernel Modules and Extensions,[],[],,IA-2,mitigates,6 +2423,,T1547.009,Shortcut Modification,[],[],,IA-2,mitigates,6 +2424,,T1547.012,Print Processors,[],[],,IA-2,mitigates,6 +2425,,T1548,Abuse Elevation Control Mechanism,[],[],,IA-2,mitigates,6 +2426,,T1548.002,Bypass User Account Control,[],[],,IA-2,mitigates,6 +2427,,T1548.003,Sudo and Sudo Caching,[],[],,IA-2,mitigates,6 +2428,,T1550,Use Alternate Authentication Material,[],[],,IA-2,mitigates,6 +2429,,T1550.002,Pass the Hash,[],[],,IA-2,mitigates,6 +2430,,T1550.003,Pass the Ticket,[],[],,IA-2,mitigates,6 +2431,,T1552,Unsecured Credentials,[],[],,IA-2,mitigates,6 +2432,,T1552.001,Credentials In Files,[],[],,IA-2,mitigates,6 +2433,,T1552.002,Credentials in Registry,[],[],,IA-2,mitigates,6 +2434,,T1552.004,Private Keys,[],[],,IA-2,mitigates,6 +2435,,T1552.006,Group Policy Preferences,[],[],,IA-2,mitigates,6 +2436,,T1556,Modify Authentication Process,[],[],,IA-2,mitigates,6 +2437,,T1556.001,Domain Controller Authentication,[],[],,IA-2,mitigates,6 +2438,,T1556.003,Pluggable Authentication Modules,[],[],,IA-2,mitigates,6 +2439,,T1556.004,Network Device Authentication,[],[],,IA-2,mitigates,6 +2440,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-2,mitigates,6 
+2441,,T1558.001,Golden Ticket,[],[],,IA-2,mitigates,6 +2442,,T1558.002,Silver Ticket,[],[],,IA-2,mitigates,6 +2443,,T1558.003,Kerberoasting,[],[],,IA-2,mitigates,6 +2444,,T1558.004,AS-REP Roasting,[],[],,IA-2,mitigates,6 +2445,,T1559,Inter-Process Communication,[],[],,IA-2,mitigates,6 +2446,,T1559.001,Component Object Model,[],[],,IA-2,mitigates,6 +2447,,T1562,Impair Defenses,[],[],,IA-2,mitigates,6 +2448,,T1562.001,Disable or Modify Tools,[],[],,IA-2,mitigates,6 +2449,,T1562.002,Disable Windows Event Logging,[],[],,IA-2,mitigates,6 +2450,,T1562.004,Disable or Modify System Firewall,[],[],,IA-2,mitigates,6 +2451,,T1562.006,Indicator Blocking,[],[],,IA-2,mitigates,6 +2452,,T1562.007,Disable or Modify Cloud Firewall,[],[],,IA-2,mitigates,6 +2453,,T1562.008,Disable Cloud Logs,[],[],,IA-2,mitigates,6 +2454,,T1563,Remote Service Session Hijacking,[],[],,IA-2,mitigates,6 +2455,,T1563.001,SSH Hijacking,[],[],,IA-2,mitigates,6 +2456,,T1563.002,RDP Hijacking,[],[],,IA-2,mitigates,6 +2457,,T1569,System Services,[],[],,IA-2,mitigates,6 +2458,,T1569.001,Launchctl,[],[],,IA-2,mitigates,6 +2459,,T1569.002,Service Execution,[],[],,IA-2,mitigates,6 +2460,,T1574,Hijack Execution Flow,[],[],,IA-2,mitigates,6 +2461,,T1574.005,Executable Installer File Permissions Weakness,[],[],,IA-2,mitigates,6 +2462,,T1574.010,Services File Permissions Weakness,[],[],,IA-2,mitigates,6 +2463,,T1574.012,COR_PROFILER,[],[],,IA-2,mitigates,6 +2464,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-2,mitigates,6 +2465,,T1578.001,Create Snapshot,[],[],,IA-2,mitigates,6 +2466,,T1578.002,Create Cloud Instance,[],[],,IA-2,mitigates,6 +2467,,T1578.003,Delete Cloud Instance,[],[],,IA-2,mitigates,6 +2468,,T1580,Cloud Infrastructure Discovery,[],[],,IA-2,mitigates,6 +2469,,T1599,Network Boundary Bridging,[],[],,IA-2,mitigates,6 +2470,,T1599.001,Network Address Translation Traversal,[],[],,IA-2,mitigates,6 +2471,,T1601,Modify System Image,[],[],,IA-2,mitigates,6 +2472,,T1601.001,Patch System 
Image,[],[],,IA-2,mitigates,6 +2473,,T1601.002,Downgrade System Image,[],[],,IA-2,mitigates,6 +2474,,T1530,Data from Cloud Storage Object,[],[],,IA-3,mitigates,6 +2475,,T1537,Transfer Data to Cloud Account,[],[],,IA-3,mitigates,6 +2476,,T1552,Unsecured Credentials,[],[],,IA-3,mitigates,6 +2477,,T1552.005,Cloud Instance Metadata API,[],[],,IA-3,mitigates,6 +2478,,T1602,Data from Configuration Repository,[],[],,IA-3,mitigates,6 +2479,,T1602.001,SNMP (MIB Dump),[],[],,IA-3,mitigates,6 +2480,,T1602.002,Network Device Configuration Dump,[],[],,IA-3,mitigates,6 +2481,,T1003,OS Credential Dumping,[],[],,IA-4,mitigates,6 +2482,,T1003.005,Cached Domain Credentials,[],[],,IA-4,mitigates,6 +2483,,T1003.006,DCSync,[],[],,IA-4,mitigates,6 +2484,,T1021.001,Remote Desktop Protocol,[],[],,IA-4,mitigates,6 +2485,,T1021.005,VNC,[],[],,IA-4,mitigates,6 +2486,,T1053,Scheduled Task/Job,[],[],,IA-4,mitigates,6 +2487,,T1053.002,At (Windows),[],[],,IA-4,mitigates,6 +2488,,T1053.005,Scheduled Task,[],[],,IA-4,mitigates,6 +2489,,T1110,Brute Force,[],[],,IA-4,mitigates,6 +2490,,T1110.001,Password Guessing,[],[],,IA-4,mitigates,6 +2491,,T1110.002,Password Cracking,[],[],,IA-4,mitigates,6 +2492,,T1110.003,Password Spraying,[],[],,IA-4,mitigates,6 +2493,,T1110.004,Credential Stuffing,[],[],,IA-4,mitigates,6 +2494,,T1213,Data from Information Repositories,[],[],,IA-4,mitigates,6 +2495,,T1213.001,Confluence,[],[],,IA-4,mitigates,6 +2496,,T1213.002,Sharepoint,[],[],,IA-4,mitigates,6 +2497,,T1528,Steal Application Access Token,[],[],,IA-4,mitigates,6 +2498,,T1530,Data from Cloud Storage Object,[],[],,IA-4,mitigates,6 +2499,,T1537,Transfer Data to Cloud Account,[],[],,IA-4,mitigates,6 +2500,,T1543,Create or Modify System Process,[],[],,IA-4,mitigates,6 +2501,,T1543.003,Windows Service,[],[],,IA-4,mitigates,6 +2502,,T1550,Use Alternate Authentication Material,[],[],,IA-4,mitigates,6 +2503,,T1552,Unsecured Credentials,[],[],,IA-4,mitigates,6 +2504,,T1552.005,Cloud Instance Metadata 
API,[],[],,IA-4,mitigates,6 +2505,,T1562,Impair Defenses,[],[],,IA-4,mitigates,6 +2506,,T1563,Remote Service Session Hijacking,[],[],,IA-4,mitigates,6 +2507,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-4,mitigates,6 +2508,,T1578.001,Create Snapshot,[],[],,IA-4,mitigates,6 +2509,,T1578.002,Create Cloud Instance,[],[],,IA-4,mitigates,6 +2510,,T1578.003,Delete Cloud Instance,[],[],,IA-4,mitigates,6 +2511,,T1602,Data from Configuration Repository,[],[],,IA-4,mitigates,6 +2512,,T1602.001,SNMP (MIB Dump),[],[],,IA-4,mitigates,6 +2513,,T1602.002,Network Device Configuration Dump,[],[],,IA-4,mitigates,6 +2514,,T1003,OS Credential Dumping,[],[],,IA-5,mitigates,6 +2515,,T1003.001,LSASS Memory,[],[],,IA-5,mitigates,6 +2516,,T1003.002,Security Account Manager,[],[],,IA-5,mitigates,6 +2517,,T1003.003,NTDS,[],[],,IA-5,mitigates,6 +2518,,T1003.004,LSA Secrets,[],[],,IA-5,mitigates,6 +2519,,T1003.005,Cached Domain Credentials,[],[],,IA-5,mitigates,6 +2520,,T1003.006,DCSync,[],[],,IA-5,mitigates,6 +2521,,T1003.007,Proc Filesystem,[],[],,IA-5,mitigates,6 +2522,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-5,mitigates,6 +2523,,T1021,Remote Services,[],[],,IA-5,mitigates,6 +2524,,T1021.001,Remote Desktop Protocol,[],[],,IA-5,mitigates,6 +2525,,T1021.004,SSH,[],[],,IA-5,mitigates,6 +2526,,T1040,Network Sniffing,[],[],,IA-5,mitigates,6 +2527,,T1072,Software Deployment Tools,[],[],,IA-5,mitigates,6 +2528,,T1078,Valid Accounts,[],[],,IA-5,mitigates,6 +2529,,T1078.002,Domain Accounts,[],[],,IA-5,mitigates,6 +2530,,T1078.004,Cloud Accounts,[],[],,IA-5,mitigates,6 +2531,,T1098.001,Additional Cloud Credentials,[],[],,IA-5,mitigates,6 +2532,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-5,mitigates,6 +2533,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-5,mitigates,6 +2534,,T1110,Brute Force,[],[],,IA-5,mitigates,6 +2535,,T1110.001,Password Guessing,[],[],,IA-5,mitigates,6 +2536,,T1110.002,Password Cracking,[],[],,IA-5,mitigates,6 +2537,,T1110.003,Password 
Spraying,[],[],,IA-5,mitigates,6 +2538,,T1110.004,Credential Stuffing,[],[],,IA-5,mitigates,6 +2539,,T1111,Two-Factor Authentication Interception,[],[],,IA-5,mitigates,6 +2540,,T1114,Email Collection,[],[],,IA-5,mitigates,6 +2541,,T1114.002,Remote Email Collection,[],[],,IA-5,mitigates,6 +2542,,T1133,External Remote Services,[],[],,IA-5,mitigates,6 +2543,,T1136,Create Account,[],[],,IA-5,mitigates,6 +2544,,T1136.001,Local Account,[],[],,IA-5,mitigates,6 +2545,,T1136.002,Domain Account,[],[],,IA-5,mitigates,6 +2546,,T1136.003,Cloud Account,[],[],,IA-5,mitigates,6 +2547,,T1528,Steal Application Access Token,[],[],,IA-5,mitigates,6 +2548,,T1530,Data from Cloud Storage Object,[],[],,IA-5,mitigates,6 +2549,,T1539,Steal Web Session Cookie,[],[],,IA-5,mitigates,6 +2550,,T1550.003,Pass the Ticket,[],[],,IA-5,mitigates,6 +2551,,T1552,Unsecured Credentials,[],[],,IA-5,mitigates,6 +2552,,T1552.001,Credentials In Files,[],[],,IA-5,mitigates,6 +2553,,T1552.002,Credentials in Registry,[],[],,IA-5,mitigates,6 +2554,,T1552.004,Private Keys,[],[],,IA-5,mitigates,6 +2555,,T1552.006,Group Policy Preferences,[],[],,IA-5,mitigates,6 +2556,,T1555,Credentials from Password Stores,[],[],,IA-5,mitigates,6 +2557,,T1555.001,Keychain,[],[],,IA-5,mitigates,6 +2558,,T1555.002,Securityd Memory,[],[],,IA-5,mitigates,6 +2559,,T1556,Modify Authentication Process,[],[],,IA-5,mitigates,6 +2560,,T1556.001,Domain Controller Authentication,[],[],,IA-5,mitigates,6 +2561,,T1556.003,Pluggable Authentication Modules,[],[],,IA-5,mitigates,6 +2562,,T1556.004,Network Device Authentication,[],[],,IA-5,mitigates,6 +2563,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-5,mitigates,6 +2564,,T1558.001,Golden Ticket,[],[],,IA-5,mitigates,6 +2565,,T1558.002,Silver Ticket,[],[],,IA-5,mitigates,6 +2566,,T1558.003,Kerberoasting,[],[],,IA-5,mitigates,6 +2567,,T1558.004,AS-REP Roasting,[],[],,IA-5,mitigates,6 +2568,,T1559,Inter-Process Communication,[],[],,IA-5,mitigates,6 +2569,,T1559.001,Component Object 
Model,[],[],,IA-5,mitigates,6 +2570,,T1563.001,SSH Hijacking,[],[],,IA-5,mitigates,6 +2571,,T1599,Network Boundary Bridging,[],[],,IA-5,mitigates,6 +2572,,T1599.001,Network Address Translation Traversal,[],[],,IA-5,mitigates,6 +2573,,T1601,Modify System Image,[],[],,IA-5,mitigates,6 +2574,,T1601.001,Patch System Image,[],[],,IA-5,mitigates,6 +2575,,T1601.002,Downgrade System Image,[],[],,IA-5,mitigates,6 +2576,,T1021.001,Remote Desktop Protocol,[],[],,IA-6,mitigates,6 +2577,,T1021.005,VNC,[],[],,IA-6,mitigates,6 +2578,,T1530,Data from Cloud Storage Object,[],[],,IA-6,mitigates,6 +2579,,T1563,Remote Service Session Hijacking,[],[],,IA-6,mitigates,6 +2580,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-6,mitigates,6 +2581,,T1578.001,Create Snapshot,[],[],,IA-6,mitigates,6 +2582,,T1578.002,Create Cloud Instance,[],[],,IA-6,mitigates,6 +2583,,T1578.003,Delete Cloud Instance,[],[],,IA-6,mitigates,6 +2584,,T1195.003,Compromise Hardware Supply Chain,[],[],,IA-7,mitigates,6 +2585,,T1495,Firmware Corruption,[],[],,IA-7,mitigates,6 +2586,,T1542,Pre-OS Boot,[],[],,IA-7,mitigates,6 +2587,,T1542.001,System Firmware,[],[],,IA-7,mitigates,6 +2588,,T1542.003,Bootkit,[],[],,IA-7,mitigates,6 +2589,,T1542.004,ROMMONkit,[],[],,IA-7,mitigates,6 +2590,,T1542.005,TFTP Boot,[],[],,IA-7,mitigates,6 +2591,,T1601,Modify System Image,[],[],,IA-7,mitigates,6 +2592,,T1601.001,Patch System Image,[],[],,IA-7,mitigates,6 +2593,,T1601.002,Downgrade System Image,[],[],,IA-7,mitigates,6 +2594,,T1059,Command and Scripting Interpreter,[],[],,IA-8,mitigates,6 +2595,,T1059.001,PowerShell,[],[],,IA-8,mitigates,6 +2596,,T1059.008,Network Device CLI,[],[],,IA-8,mitigates,6 +2597,,T1087.004,Cloud Account,[],[],,IA-8,mitigates,6 +2598,,T1190,Exploit Public-Facing Application,[],[],,IA-8,mitigates,6 +2599,,T1210,Exploitation of Remote Services,[],[],,IA-8,mitigates,6 +2600,,T1213,Data from Information Repositories,[],[],,IA-8,mitigates,6 +2601,,T1213.001,Confluence,[],[],,IA-8,mitigates,6 
+2602,,T1213.002,Sharepoint,[],[],,IA-8,mitigates,6 +2603,,T1528,Steal Application Access Token,[],[],,IA-8,mitigates,6 +2604,,T1530,Data from Cloud Storage Object,[],[],,IA-8,mitigates,6 +2605,,T1537,Transfer Data to Cloud Account,[],[],,IA-8,mitigates,6 +2606,,T1538,Cloud Service Dashboard,[],[],,IA-8,mitigates,6 +2607,,T1542,Pre-OS Boot,[],[],,IA-8,mitigates,6 +2608,,T1542.001,System Firmware,[],[],,IA-8,mitigates,6 +2609,,T1542.003,Bootkit,[],[],,IA-8,mitigates,6 +2610,,T1542.005,TFTP Boot,[],[],,IA-8,mitigates,6 +2611,,T1036,Masquerading,[],[],,IA-9,mitigates,6 +2612,,T1036.001,Invalid Code Signature,[],[],,IA-9,mitigates,6 +2613,,T1036.005,Match Legitimate Name or Location,[],[],,IA-9,mitigates,6 +2614,,T1059,Command and Scripting Interpreter,[],[],,IA-9,mitigates,6 +2615,,T1059.001,PowerShell,[],[],,IA-9,mitigates,6 +2616,,T1059.002,AppleScript,[],[],,IA-9,mitigates,6 +2617,,T1505,Server Software Component,[],[],,IA-9,mitigates,6 +2618,,T1505.001,SQL Stored Procedures,[],[],,IA-9,mitigates,6 +2619,,T1505.002,Transport Agent,[],[],,IA-9,mitigates,6 +2620,,T1525,Implant Container Image,[],[],,IA-9,mitigates,6 +2621,,T1546,Event Triggered Execution,[],[],,IA-9,mitigates,6 +2622,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,IA-9,mitigates,6 +2623,,T1546.013,PowerShell Profile,[],[],,IA-9,mitigates,6 +2624,,T1553,Subvert Trust Controls,[],[],,IA-9,mitigates,6 +2625,,T1553.004,Install Root Certificate,[],[],,IA-9,mitigates,6 +2626,,T1554,Compromise Client Software Binary,[],[],,IA-9,mitigates,6 +2627,,T1052,Exfiltration Over Physical Medium,[],[],,MP-7,mitigates,6 +2628,,T1052.001,Exfiltration over USB,[],[],,MP-7,mitigates,6 +2629,,T1091,Replication Through Removable Media,[],[],,MP-7,mitigates,6 +2630,,T1092,Communication Through Removable Media,[],[],,MP-7,mitigates,6 +2631,,T1200,Hardware Additions,[],[],,MP-7,mitigates,6 +2632,,T1078,Valid Accounts,[],[],,PL-8,mitigates,6 +2633,,T1482,Domain Trust Discovery,[],[],,PL-8,mitigates,6 +2634,,T1011.001,Exfiltration 
Over Bluetooth,[],[],,RA-5,mitigates,6 +2635,,T1021.001,Remote Desktop Protocol,[],[],,RA-5,mitigates,6 +2636,,T1021.003,Distributed Component Object Model,[],[],,RA-5,mitigates,6 +2637,,T1021.004,SSH,[],[],,RA-5,mitigates,6 +2638,,T1021.005,VNC,[],[],,RA-5,mitigates,6 +2639,,T1021.006,Windows Remote Management,[],[],,RA-5,mitigates,6 +2640,,T1046,Network Service Scanning,[],[],,RA-5,mitigates,6 +2641,,T1052,Exfiltration Over Physical Medium,[],[],,RA-5,mitigates,6 +2642,,T1052.001,Exfiltration over USB,[],[],,RA-5,mitigates,6 +2643,,T1053,Scheduled Task/Job,[],[],,RA-5,mitigates,6 +2644,,T1053.001,At (Linux),[],[],,RA-5,mitigates,6 +2645,,T1053.002,At (Windows),[],[],,RA-5,mitigates,6 +2646,,T1053.003,Cron,[],[],,RA-5,mitigates,6 +2647,,T1053.004,Launchd,[],[],,RA-5,mitigates,6 +2648,,T1053.005,Scheduled Task,[],[],,RA-5,mitigates,6 +2649,,T1059,Command and Scripting Interpreter,[],[],,RA-5,mitigates,6 +2650,,T1059.001,PowerShell,[],[],,RA-5,mitigates,6 +2651,,T1059.005,Visual Basic,[],[],,RA-5,mitigates,6 +2652,,T1059.007,JavaScript/JScript,[],[],,RA-5,mitigates,6 +2653,,T1068,Exploitation for Privilege Escalation,[],[],,RA-5,mitigates,6 +2654,,T1078,Valid Accounts,[],[],,RA-5,mitigates,6 +2655,,T1091,Replication Through Removable Media,[],[],,RA-5,mitigates,6 +2656,,T1092,Communication Through Removable Media,[],[],,RA-5,mitigates,6 +2657,,T1098.004,SSH Authorized Keys,[],[],,RA-5,mitigates,6 +2658,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,RA-5,mitigates,6 +2659,,T1127.001,MSBuild,[],[],,RA-5,mitigates,6 +2660,,T1133,External Remote Services,[],[],,RA-5,mitigates,6 +2661,,T1137,Office Application Startup,[],[],,RA-5,mitigates,6 +2662,,T1137.001,Office Template Macros,[],[],,RA-5,mitigates,6 +2663,,T1176,Browser Extensions,[],[],,RA-5,mitigates,6 +2664,,T1190,Exploit Public-Facing Application,[],[],,RA-5,mitigates,6 +2665,,T1195,Supply Chain Compromise,[],[],,RA-5,mitigates,6 +2666,,T1195.001,Compromise Software Dependencies and Development 
Tools,[],[],,RA-5,mitigates,6 +2667,,T1195.002,Compromise Software Supply Chain,[],[],,RA-5,mitigates,6 +2668,,T1210,Exploitation of Remote Services,[],[],,RA-5,mitigates,6 +2669,,T1211,Exploitation for Defense Evasion,[],[],,RA-5,mitigates,6 +2670,,T1212,Exploitation for Credential Access,[],[],,RA-5,mitigates,6 +2671,,T1213,Data from Information Repositories,[],[],,RA-5,mitigates,6 +2672,,T1213.001,Confluence,[],[],,RA-5,mitigates,6 +2673,,T1213.002,Sharepoint,[],[],,RA-5,mitigates,6 +2674,,T1218,Signed Binary Proxy Execution,[],[],,RA-5,mitigates,6 +2675,,T1218.003,CMSTP,[],[],,RA-5,mitigates,6 +2676,,T1218.004,InstallUtil,[],[],,RA-5,mitigates,6 +2677,,T1218.005,Mshta,[],[],,RA-5,mitigates,6 +2678,,T1218.008,Odbcconf,[],[],,RA-5,mitigates,6 +2679,,T1218.009,Regsvcs/Regasm,[],[],,RA-5,mitigates,6 +2680,,T1218.012,Verclsid,[],[],,RA-5,mitigates,6 +2681,,T1221,Template Injection,[],[],,RA-5,mitigates,6 +2682,,T1482,Domain Trust Discovery,[],[],,RA-5,mitigates,6 +2683,,T1484,Domain Policy Modification,[],[],,RA-5,mitigates,6 +2684,,T1505,Server Software Component,[],[],,RA-5,mitigates,6 +2685,,T1505.001,SQL Stored Procedures,[],[],,RA-5,mitigates,6 +2686,,T1505.002,Transport Agent,[],[],,RA-5,mitigates,6 +2687,,T1525,Implant Container Image,[],[],,RA-5,mitigates,6 +2688,,T1528,Steal Application Access Token,[],[],,RA-5,mitigates,6 +2689,,T1530,Data from Cloud Storage Object,[],[],,RA-5,mitigates,6 +2690,,T1542.004,ROMMONkit,[],[],,RA-5,mitigates,6 +2691,,T1542.005,TFTP Boot,[],[],,RA-5,mitigates,6 +2692,,T1543,Create or Modify System Process,[],[],,RA-5,mitigates,6 +2693,,T1543.003,Windows Service,[],[],,RA-5,mitigates,6 +2694,,T1546.002,Screensaver,[],[],,RA-5,mitigates,6 +2695,,T1546.014,Emond,[],[],,RA-5,mitigates,6 +2696,,T1547.007,Re-opened Applications,[],[],,RA-5,mitigates,6 +2697,,T1547.008,LSASS Driver,[],[],,RA-5,mitigates,6 +2698,,T1548,Abuse Elevation Control Mechanism,[],[],,RA-5,mitigates,6 +2699,,T1548.002,Bypass User Account 
Control,[],[],,RA-5,mitigates,6 +2700,,T1548.003,Sudo and Sudo Caching,[],[],,RA-5,mitigates,6 +2701,,T1550,Use Alternate Authentication Material,[],[],,RA-5,mitigates,6 +2702,,T1552,Unsecured Credentials,[],[],,RA-5,mitigates,6 +2703,,T1552.001,Credentials In Files,[],[],,RA-5,mitigates,6 +2704,,T1552.002,Credentials in Registry,[],[],,RA-5,mitigates,6 +2705,,T1552.004,Private Keys,[],[],,RA-5,mitigates,6 +2706,,T1552.006,Group Policy Preferences,[],[],,RA-5,mitigates,6 +2707,,T1557,Man-in-the-Middle,[],[],,RA-5,mitigates,6 +2708,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,RA-5,mitigates,6 +2709,,T1557.002,ARP Cache Poisoning,[],[],,RA-5,mitigates,6 +2710,,T1558.004,AS-REP Roasting,[],[],,RA-5,mitigates,6 +2711,,T1559,Inter-Process Communication,[],[],,RA-5,mitigates,6 +2712,,T1559.002,Dynamic Data Exchange,[],[],,RA-5,mitigates,6 +2713,,T1560,Archive Collected Data,[],[],,RA-5,mitigates,6 +2714,,T1560.001,Archive via Utility,[],[],,RA-5,mitigates,6 +2715,,T1562,Impair Defenses,[],[],,RA-5,mitigates,6 +2716,,T1563,Remote Service Session Hijacking,[],[],,RA-5,mitigates,6 +2717,,T1563.001,SSH Hijacking,[],[],,RA-5,mitigates,6 +2718,,T1563.002,RDP Hijacking,[],[],,RA-5,mitigates,6 +2719,,T1574,Hijack Execution Flow,[],[],,RA-5,mitigates,6 +2720,,T1574.001,DLL Search Order Hijacking,[],[],,RA-5,mitigates,6 +2721,,T1574.002,DLL Side-Loading,[],[],,RA-5,mitigates,6 +2722,,T1574.004,Dylib Hijacking,[],[],,RA-5,mitigates,6 +2723,,T1574.005,Executable Installer File Permissions Weakness,[],[],,RA-5,mitigates,6 +2724,,T1574.007,Path Interception by PATH Environment Variable,[],[],,RA-5,mitigates,6 +2725,,T1574.008,Path Interception by Search Order Hijacking,[],[],,RA-5,mitigates,6 +2726,,T1574.009,Path Interception by Unquoted Path,[],[],,RA-5,mitigates,6 +2727,,T1574.010,Services File Permissions Weakness,[],[],,RA-5,mitigates,6 +2728,,T1578,Modify Cloud Compute Infrastructure,[],[],,RA-5,mitigates,6 +2729,,T1578.001,Create Snapshot,[],[],,RA-5,mitigates,6 
+2730,,T1578.002,Create Cloud Instance,[],[],,RA-5,mitigates,6 +2731,,T1578.003,Delete Cloud Instance,[],[],,RA-5,mitigates,6 +2732,,T1078,Valid Accounts,[],[],,SA-10,mitigates,6 +2733,,T1078.001,Default Accounts,[],[],,SA-10,mitigates,6 +2734,,T1078.003,Local Accounts,[],[],,SA-10,mitigates,6 +2735,,T1078.004,Cloud Accounts,[],[],,SA-10,mitigates,6 +2736,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-10,mitigates,6 +2737,,T1495,Firmware Corruption,[],[],,SA-10,mitigates,6 +2738,,T1505,Server Software Component,[],[],,SA-10,mitigates,6 +2739,,T1505.001,SQL Stored Procedures,[],[],,SA-10,mitigates,6 +2740,,T1505.002,Transport Agent,[],[],,SA-10,mitigates,6 +2741,,T1542,Pre-OS Boot,[],[],,SA-10,mitigates,6 +2742,,T1542.001,System Firmware,[],[],,SA-10,mitigates,6 +2743,,T1542.003,Bootkit,[],[],,SA-10,mitigates,6 +2744,,T1542.004,ROMMONkit,[],[],,SA-10,mitigates,6 +2745,,T1542.005,TFTP Boot,[],[],,SA-10,mitigates,6 +2746,,T1601,Modify System Image,[],[],,SA-10,mitigates,6 +2747,,T1601.001,Patch System Image,[],[],,SA-10,mitigates,6 +2748,,T1601.002,Downgrade System Image,[],[],,SA-10,mitigates,6 +2749,,T1078,Valid Accounts,[],[],,SA-11,mitigates,6 +2750,,T1078.001,Default Accounts,[],[],,SA-11,mitigates,6 +2751,,T1078.003,Local Accounts,[],[],,SA-11,mitigates,6 +2752,,T1078.004,Cloud Accounts,[],[],,SA-11,mitigates,6 +2753,,T1134.005,SID-History Injection,[],[],,SA-11,mitigates,6 +2754,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-11,mitigates,6 +2755,,T1495,Firmware Corruption,[],[],,SA-11,mitigates,6 +2756,,T1505,Server Software Component,[],[],,SA-11,mitigates,6 +2757,,T1505.001,SQL Stored Procedures,[],[],,SA-11,mitigates,6 +2758,,T1505.002,Transport Agent,[],[],,SA-11,mitigates,6 +2759,,T1528,Steal Application Access Token,[],[],,SA-11,mitigates,6 +2760,,T1542,Pre-OS Boot,[],[],,SA-11,mitigates,6 +2761,,T1542.001,System Firmware,[],[],,SA-11,mitigates,6 +2762,,T1542.003,Bootkit,[],[],,SA-11,mitigates,6 
+2763,,T1542.004,ROMMONkit,[],[],,SA-11,mitigates,6 +2764,,T1542.005,TFTP Boot,[],[],,SA-11,mitigates,6 +2765,,T1550,Use Alternate Authentication Material,[],[],,SA-11,mitigates,6 +2766,,T1552,Unsecured Credentials,[],[],,SA-11,mitigates,6 +2767,,T1552.001,Credentials In Files,[],[],,SA-11,mitigates,6 +2768,,T1552.002,Credentials in Registry,[],[],,SA-11,mitigates,6 +2769,,T1552.004,Private Keys,[],[],,SA-11,mitigates,6 +2770,,T1552.006,Group Policy Preferences,[],[],,SA-11,mitigates,6 +2771,,T1558.004,AS-REP Roasting,[],[],,SA-11,mitigates,6 +2772,,T1601,Modify System Image,[],[],,SA-11,mitigates,6 +2773,,T1601.001,Patch System Image,[],[],,SA-11,mitigates,6 +2774,,T1601.002,Downgrade System Image,[],[],,SA-11,mitigates,6 +2775,,T1059.002,AppleScript,[],[],,SA-12,mitigates,6 +2776,,T1078,Valid Accounts,[],[],,SA-12,mitigates,6 +2777,,T1505,Server Software Component,[],[],,SA-12,mitigates,6 +2778,,T1505.001,SQL Stored Procedures,[],[],,SA-12,mitigates,6 +2779,,T1505.002,Transport Agent,[],[],,SA-12,mitigates,6 +2780,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SA-12,mitigates,6 +2781,,T1554,Compromise Client Software Binary,[],[],,SA-12,mitigates,6 +2782,,T1601,Modify System Image,[],[],,SA-12,mitigates,6 +2783,,T1601.001,Patch System Image,[],[],,SA-12,mitigates,6 +2784,,T1601.002,Downgrade System Image,[],[],,SA-12,mitigates,6 +2785,,T1482,Domain Trust Discovery,[],[],,SA-13,mitigates,6 +2786,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-14,mitigates,6 +2787,,T1495,Firmware Corruption,[],[],,SA-14,mitigates,6 +2788,,T1542,Pre-OS Boot,[],[],,SA-14,mitigates,6 +2789,,T1542.001,System Firmware,[],[],,SA-14,mitigates,6 +2790,,T1542.003,Bootkit,[],[],,SA-14,mitigates,6 +2791,,T1542.004,ROMMONkit,[],[],,SA-14,mitigates,6 +2792,,T1542.005,TFTP Boot,[],[],,SA-14,mitigates,6 +2793,,T1601,Modify System Image,[],[],,SA-14,mitigates,6 +2794,,T1601.001,Patch System Image,[],[],,SA-14,mitigates,6 +2795,,T1601.002,Downgrade System Image,[],[],,SA-14,mitigates,6 
+2796,,T1078,Valid Accounts,[],[],,SA-15,mitigates,6 +2797,,T1078.001,Default Accounts,[],[],,SA-15,mitigates,6 +2798,,T1078.003,Local Accounts,[],[],,SA-15,mitigates,6 +2799,,T1078.004,Cloud Accounts,[],[],,SA-15,mitigates,6 +2800,,T1528,Steal Application Access Token,[],[],,SA-15,mitigates,6 +2801,,T1550,Use Alternate Authentication Material,[],[],,SA-15,mitigates,6 +2802,,T1552,Unsecured Credentials,[],[],,SA-15,mitigates,6 +2803,,T1552.001,Credentials In Files,[],[],,SA-15,mitigates,6 +2804,,T1552.002,Credentials in Registry,[],[],,SA-15,mitigates,6 +2805,,T1552.004,Private Keys,[],[],,SA-15,mitigates,6 +2806,,T1552.006,Group Policy Preferences,[],[],,SA-15,mitigates,6 +2807,,T1558.004,AS-REP Roasting,[],[],,SA-15,mitigates,6 +2808,,T1078,Valid Accounts,[],[],,SA-16,mitigates,6 +2809,,T1078.001,Default Accounts,[],[],,SA-16,mitigates,6 +2810,,T1078.003,Local Accounts,[],[],,SA-16,mitigates,6 +2811,,T1078.004,Cloud Accounts,[],[],,SA-16,mitigates,6 +2812,,T1078,Valid Accounts,[],[],,SA-17,mitigates,6 +2813,,T1078.001,Default Accounts,[],[],,SA-17,mitigates,6 +2814,,T1078.003,Local Accounts,[],[],,SA-17,mitigates,6 +2815,,T1078.004,Cloud Accounts,[],[],,SA-17,mitigates,6 +2816,,T1134.005,SID-History Injection,[],[],,SA-17,mitigates,6 +2817,,T1482,Domain Trust Discovery,[],[],,SA-17,mitigates,6 +2818,,T1554,Compromise Client Software Binary,[],[],,SA-19,mitigates,6 +2819,,T1189,Drive-by Compromise,[],[],,SA-22,mitigates,6 +2820,,T1195,Supply Chain Compromise,[],[],,SA-22,mitigates,6 +2821,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SA-22,mitigates,6 +2822,,T1195.002,Compromise Software Supply Chain,[],[],,SA-22,mitigates,6 +2823,,T1543,Create or Modify System Process,[],[],,SA-22,mitigates,6 +2824,,T1543.002,Systemd Service,[],[],,SA-22,mitigates,6 +2825,,T1078,Valid Accounts,[],[],,SA-3,mitigates,6 +2826,,T1078.001,Default Accounts,[],[],,SA-3,mitigates,6 +2827,,T1078.003,Local Accounts,[],[],,SA-3,mitigates,6 +2828,,T1078.004,Cloud 
Accounts,[],[],,SA-3,mitigates,6 +2829,,T1078,Valid Accounts,[],[],,SA-4,mitigates,6 +2830,,T1078.001,Default Accounts,[],[],,SA-4,mitigates,6 +2831,,T1078.003,Local Accounts,[],[],,SA-4,mitigates,6 +2832,,T1078.004,Cloud Accounts,[],[],,SA-4,mitigates,6 +2833,,T1134.005,SID-History Injection,[],[],,SA-4,mitigates,6 +2834,,T1078,Valid Accounts,[],[],,SA-8,mitigates,6 +2835,,T1078.001,Default Accounts,[],[],,SA-8,mitigates,6 +2836,,T1078.003,Local Accounts,[],[],,SA-8,mitigates,6 +2837,,T1078.004,Cloud Accounts,[],[],,SA-8,mitigates,6 +2838,,T1134.005,SID-History Injection,[],[],,SA-8,mitigates,6 +2839,,T1190,Exploit Public-Facing Application,[],[],,SA-8,mitigates,6 +2840,,T1482,Domain Trust Discovery,[],[],,SA-8,mitigates,6 +2841,,T1071,Application Layer Protocol,[],[],,SC-10,mitigates,6 +2842,,T1071.001,Web Protocols,[],[],,SC-10,mitigates,6 +2843,,T1071.002,File Transfer Protocols,[],[],,SC-10,mitigates,6 +2844,,T1071.003,Mail Protocols,[],[],,SC-10,mitigates,6 +2845,,T1071.004,DNS,[],[],,SC-10,mitigates,6 +2846,,T1072,Software Deployment Tools,[],[],,SC-12,mitigates,6 +2847,,T1098.004,SSH Authorized Keys,[],[],,SC-12,mitigates,6 +2848,,T1552,Unsecured Credentials,[],[],,SC-12,mitigates,6 +2849,,T1552.001,Credentials In Files,[],[],,SC-12,mitigates,6 +2850,,T1552.002,Credentials in Registry,[],[],,SC-12,mitigates,6 +2851,,T1552.004,Private Keys,[],[],,SC-12,mitigates,6 +2852,,T1563.001,SSH Hijacking,[],[],,SC-12,mitigates,6 +2853,,T1573,Encrypted Channel,[],[],,SC-12,mitigates,6 +2854,,T1573.001,Symmetric Cryptography,[],[],,SC-12,mitigates,6 +2855,,T1573.002,Asymmetric Cryptography,[],[],,SC-12,mitigates,6 +2856,,T1573,Encrypted Channel,[],[],,SC-16,mitigates,6 +2857,,T1573.001,Symmetric Cryptography,[],[],,SC-16,mitigates,6 +2858,,T1573.002,Asymmetric Cryptography,[],[],,SC-16,mitigates,6 +2859,,T1072,Software Deployment Tools,[],[],,SC-17,mitigates,6 +2860,,T1021.003,Distributed Component Object Model,[],[],,SC-18,mitigates,6 +2861,,T1055,Process 
Injection,[],[],,SC-18,mitigates,6 +2862,,T1055.001,Dynamic-link Library Injection,[],[],,SC-18,mitigates,6 +2863,,T1055.002,Portable Executable Injection,[],[],,SC-18,mitigates,6 +2864,,T1055.003,Thread Execution Hijacking,[],[],,SC-18,mitigates,6 +2865,,T1055.004,Asynchronous Procedure Call,[],[],,SC-18,mitigates,6 +2866,,T1055.005,Thread Local Storage,[],[],,SC-18,mitigates,6 +2867,,T1055.008,Ptrace System Calls,[],[],,SC-18,mitigates,6 +2868,,T1055.009,Proc Memory,[],[],,SC-18,mitigates,6 +2869,,T1055.011,Extra Window Memory Injection,[],[],,SC-18,mitigates,6 +2870,,T1055.012,Process Hollowing,[],[],,SC-18,mitigates,6 +2871,,T1055.013,Process Doppelgänging,[],[],,SC-18,mitigates,6 +2872,,T1055.014,VDSO Hijacking,[],[],,SC-18,mitigates,6 +2873,,T1059,Command and Scripting Interpreter,[],[],,SC-18,mitigates,6 +2874,,T1059.005,Visual Basic,[],[],,SC-18,mitigates,6 +2875,,T1059.007,JavaScript/JScript,[],[],,SC-18,mitigates,6 +2876,,T1068,Exploitation for Privilege Escalation,[],[],,SC-18,mitigates,6 +2877,,T1189,Drive-by Compromise,[],[],,SC-18,mitigates,6 +2878,,T1190,Exploit Public-Facing Application,[],[],,SC-18,mitigates,6 +2879,,T1203,Exploitation for Client Execution,[],[],,SC-18,mitigates,6 +2880,,T1210,Exploitation of Remote Services,[],[],,SC-18,mitigates,6 +2881,,T1211,Exploitation for Defense Evasion,[],[],,SC-18,mitigates,6 +2882,,T1212,Exploitation for Credential Access,[],[],,SC-18,mitigates,6 +2883,,T1218.001,Compiled HTML File,[],[],,SC-18,mitigates,6 +2884,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-18,mitigates,6 +2885,,T1548.004,Elevated Execution with Prompt,[],[],,SC-18,mitigates,6 +2886,,T1559,Inter-Process Communication,[],[],,SC-18,mitigates,6 +2887,,T1559.001,Component Object Model,[],[],,SC-18,mitigates,6 +2888,,T1559.002,Dynamic Data Exchange,[],[],,SC-18,mitigates,6 +2889,,T1068,Exploitation for Privilege Escalation,[],[],,SC-2,mitigates,6 +2890,,T1189,Drive-by Compromise,[],[],,SC-2,mitigates,6 +2891,,T1190,Exploit Public-Facing 
Application,[],[],,SC-2,mitigates,6 +2892,,T1203,Exploitation for Client Execution,[],[],,SC-2,mitigates,6 +2893,,T1210,Exploitation of Remote Services,[],[],,SC-2,mitigates,6 +2894,,T1211,Exploitation for Defense Evasion,[],[],,SC-2,mitigates,6 +2895,,T1212,Exploitation for Credential Access,[],[],,SC-2,mitigates,6 +2896,,T1071,Application Layer Protocol,[],[],,SC-20,mitigates,6 +2897,,T1071.001,Web Protocols,[],[],,SC-20,mitigates,6 +2898,,T1071.002,File Transfer Protocols,[],[],,SC-20,mitigates,6 +2899,,T1071.003,Mail Protocols,[],[],,SC-20,mitigates,6 +2900,,T1071.004,DNS,[],[],,SC-20,mitigates,6 +2901,,T1553.004,Install Root Certificate,[],[],,SC-20,mitigates,6 +2902,,T1568,Dynamic Resolution,[],[],,SC-20,mitigates,6 +2903,,T1568.002,Domain Generation Algorithms,[],[],,SC-20,mitigates,6 +2904,,T1071,Application Layer Protocol,[],[],,SC-21,mitigates,6 +2905,,T1071.001,Web Protocols,[],[],,SC-21,mitigates,6 +2906,,T1071.002,File Transfer Protocols,[],[],,SC-21,mitigates,6 +2907,,T1071.003,Mail Protocols,[],[],,SC-21,mitigates,6 +2908,,T1071.004,DNS,[],[],,SC-21,mitigates,6 +2909,,T1568,Dynamic Resolution,[],[],,SC-21,mitigates,6 +2910,,T1568.002,Domain Generation Algorithms,[],[],,SC-21,mitigates,6 +2911,,T1071,Application Layer Protocol,[],[],,SC-22,mitigates,6 +2912,,T1071.001,Web Protocols,[],[],,SC-22,mitigates,6 +2913,,T1071.002,File Transfer Protocols,[],[],,SC-22,mitigates,6 +2914,,T1071.003,Mail Protocols,[],[],,SC-22,mitigates,6 +2915,,T1071.004,DNS,[],[],,SC-22,mitigates,6 +2916,,T1568,Dynamic Resolution,[],[],,SC-22,mitigates,6 +2917,,T1568.002,Domain Generation Algorithms,[],[],,SC-22,mitigates,6 +2918,,T1071,Application Layer Protocol,[],[],,SC-23,mitigates,6 +2919,,T1071.001,Web Protocols,[],[],,SC-23,mitigates,6 +2920,,T1071.002,File Transfer Protocols,[],[],,SC-23,mitigates,6 +2921,,T1071.003,Mail Protocols,[],[],,SC-23,mitigates,6 +2922,,T1071.004,DNS,[],[],,SC-23,mitigates,6 +2923,,T1535,Unused/Unsupported Cloud Regions,[],[],,SC-23,mitigates,6 
+2924,,T1550.004,Web Session Cookie,[],[],,SC-23,mitigates,6 +2925,,T1557,Man-in-the-Middle,[],[],,SC-23,mitigates,6 +2926,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-23,mitigates,6 +2927,,T1557.002,ARP Cache Poisoning,[],[],,SC-23,mitigates,6 +2928,,T1563.001,SSH Hijacking,[],[],,SC-23,mitigates,6 +2929,,T1573,Encrypted Channel,[],[],,SC-23,mitigates,6 +2930,,T1573.001,Symmetric Cryptography,[],[],,SC-23,mitigates,6 +2931,,T1573.002,Asymmetric Cryptography,[],[],,SC-23,mitigates,6 +2932,,T1068,Exploitation for Privilege Escalation,[],[],,SC-26,mitigates,6 +2933,,T1210,Exploitation of Remote Services,[],[],,SC-26,mitigates,6 +2934,,T1211,Exploitation for Defense Evasion,[],[],,SC-26,mitigates,6 +2935,,T1212,Exploitation for Credential Access,[],[],,SC-26,mitigates,6 +2936,,T1003,OS Credential Dumping,[],[],,SC-28,mitigates,6 +2937,,T1003.001,LSASS Memory,[],[],,SC-28,mitigates,6 +2938,,T1003.002,Security Account Manager,[],[],,SC-28,mitigates,6 +2939,,T1003.003,NTDS,[],[],,SC-28,mitigates,6 +2940,,T1003.004,LSA Secrets,[],[],,SC-28,mitigates,6 +2941,,T1003.005,Cached Domain Credentials,[],[],,SC-28,mitigates,6 +2942,,T1003.006,DCSync,[],[],,SC-28,mitigates,6 +2943,,T1003.007,Proc Filesystem,[],[],,SC-28,mitigates,6 +2944,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-28,mitigates,6 +2945,,T1078,Valid Accounts,[],[],,SC-28,mitigates,6 +2946,,T1078.001,Default Accounts,[],[],,SC-28,mitigates,6 +2947,,T1078.003,Local Accounts,[],[],,SC-28,mitigates,6 +2948,,T1078.004,Cloud Accounts,[],[],,SC-28,mitigates,6 +2949,,T1213,Data from Information Repositories,[],[],,SC-28,mitigates,6 +2950,,T1213.001,Confluence,[],[],,SC-28,mitigates,6 +2951,,T1213.002,Sharepoint,[],[],,SC-28,mitigates,6 +2952,,T1530,Data from Cloud Storage Object,[],[],,SC-28,mitigates,6 +2953,,T1550.001,Application Access Token,[],[],,SC-28,mitigates,6 +2954,,T1552,Unsecured Credentials,[],[],,SC-28,mitigates,6 +2955,,T1552.001,Credentials In Files,[],[],,SC-28,mitigates,6 
+2956,,T1552.002,Credentials in Registry,[],[],,SC-28,mitigates,6 +2957,,T1552.003,Bash History,[],[],,SC-28,mitigates,6 +2958,,T1552.004,Private Keys,[],[],,SC-28,mitigates,6 +2959,,T1565,Data Manipulation,[],[],,SC-28,mitigates,6 +2960,,T1565.001,Stored Data Manipulation,[],[],,SC-28,mitigates,6 +2961,,T1565.003,Runtime Data Manipulation,[],[],,SC-28,mitigates,6 +2962,,T1599,Network Boundary Bridging,[],[],,SC-28,mitigates,6 +2963,,T1599.001,Network Address Translation Traversal,[],[],,SC-28,mitigates,6 +2964,,T1602,Data from Configuration Repository,[],[],,SC-28,mitigates,6 +2965,,T1602.001,SNMP (MIB Dump),[],[],,SC-28,mitigates,6 +2966,,T1602.002,Network Device Configuration Dump,[],[],,SC-28,mitigates,6 +2967,,T1068,Exploitation for Privilege Escalation,[],[],,SC-29,mitigates,6 +2968,,T1189,Drive-by Compromise,[],[],,SC-29,mitigates,6 +2969,,T1190,Exploit Public-Facing Application,[],[],,SC-29,mitigates,6 +2970,,T1203,Exploitation for Client Execution,[],[],,SC-29,mitigates,6 +2971,,T1210,Exploitation of Remote Services,[],[],,SC-29,mitigates,6 +2972,,T1211,Exploitation for Defense Evasion,[],[],,SC-29,mitigates,6 +2973,,T1212,Exploitation for Credential Access,[],[],,SC-29,mitigates,6 +2974,,T1021.003,Distributed Component Object Model,[],[],,SC-3,mitigates,6 +2975,,T1068,Exploitation for Privilege Escalation,[],[],,SC-3,mitigates,6 +2976,,T1134.005,SID-History Injection,[],[],,SC-3,mitigates,6 +2977,,T1189,Drive-by Compromise,[],[],,SC-3,mitigates,6 +2978,,T1190,Exploit Public-Facing Application,[],[],,SC-3,mitigates,6 +2979,,T1203,Exploitation for Client Execution,[],[],,SC-3,mitigates,6 +2980,,T1210,Exploitation of Remote Services,[],[],,SC-3,mitigates,6 +2981,,T1211,Exploitation for Defense Evasion,[],[],,SC-3,mitigates,6 +2982,,T1212,Exploitation for Credential Access,[],[],,SC-3,mitigates,6 +2983,,T1559,Inter-Process Communication,[],[],,SC-3,mitigates,6 +2984,,T1559.001,Component Object Model,[],[],,SC-3,mitigates,6 +2985,,T1559.002,Dynamic Data 
Exchange,[],[],,SC-3,mitigates,6 +2986,,T1602,Data from Configuration Repository,[],[],,SC-3,mitigates,6 +2987,,T1602.001,SNMP (MIB Dump),[],[],,SC-3,mitigates,6 +2988,,T1602.002,Network Device Configuration Dump,[],[],,SC-3,mitigates,6 +2989,,T1068,Exploitation for Privilege Escalation,[],[],,SC-30,mitigates,6 +2990,,T1189,Drive-by Compromise,[],[],,SC-30,mitigates,6 +2991,,T1190,Exploit Public-Facing Application,[],[],,SC-30,mitigates,6 +2992,,T1203,Exploitation for Client Execution,[],[],,SC-30,mitigates,6 +2993,,T1210,Exploitation of Remote Services,[],[],,SC-30,mitigates,6 +2994,,T1211,Exploitation for Defense Evasion,[],[],,SC-30,mitigates,6 +2995,,T1212,Exploitation for Credential Access,[],[],,SC-30,mitigates,6 +2996,,T1071,Application Layer Protocol,[],[],,SC-31,mitigates,6 +2997,,T1071.001,Web Protocols,[],[],,SC-31,mitigates,6 +2998,,T1071.002,File Transfer Protocols,[],[],,SC-31,mitigates,6 +2999,,T1071.003,Mail Protocols,[],[],,SC-31,mitigates,6 +3000,,T1071.004,DNS,[],[],,SC-31,mitigates,6 +3001,,T1195.003,Compromise Hardware Supply Chain,[],[],,SC-34,mitigates,6 +3002,,T1542,Pre-OS Boot,[],[],,SC-34,mitigates,6 +3003,,T1542.001,System Firmware,[],[],,SC-34,mitigates,6 +3004,,T1542.003,Bootkit,[],[],,SC-34,mitigates,6 +3005,,T1542.004,ROMMONkit,[],[],,SC-34,mitigates,6 +3006,,T1542.005,TFTP Boot,[],[],,SC-34,mitigates,6 +3007,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-34,mitigates,6 +3008,,T1548.004,Elevated Execution with Prompt,[],[],,SC-34,mitigates,6 +3009,,T1601,Modify System Image,[],[],,SC-34,mitigates,6 +3010,,T1601.001,Patch System Image,[],[],,SC-34,mitigates,6 +3011,,T1601.002,Downgrade System Image,[],[],,SC-34,mitigates,6 +3012,,T1068,Exploitation for Privilege Escalation,[],[],,SC-35,mitigates,6 +3013,,T1210,Exploitation of Remote Services,[],[],,SC-35,mitigates,6 +3014,,T1211,Exploitation for Defense Evasion,[],[],,SC-35,mitigates,6 +3015,,T1212,Exploitation for Credential Access,[],[],,SC-35,mitigates,6 +3016,,T1070,Indicator 
Removal on Host,[],[],,SC-36,mitigates,6 +3017,,T1070.001,Clear Windows Event Logs,[],[],,SC-36,mitigates,6 +3018,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-36,mitigates,6 +3019,,T1119,Automated Collection,[],[],,SC-36,mitigates,6 +3020,,T1565,Data Manipulation,[],[],,SC-36,mitigates,6 +3021,,T1565.001,Stored Data Manipulation,[],[],,SC-36,mitigates,6 +3022,,T1071,Application Layer Protocol,[],[],,SC-37,mitigates,6 +3023,,T1071.001,Web Protocols,[],[],,SC-37,mitigates,6 +3024,,T1071.002,File Transfer Protocols,[],[],,SC-37,mitigates,6 +3025,,T1071.003,Mail Protocols,[],[],,SC-37,mitigates,6 +3026,,T1071.004,DNS,[],[],,SC-37,mitigates,6 +3027,,T1003,OS Credential Dumping,[],[],,SC-39,mitigates,6 +3028,,T1003.001,LSASS Memory,[],[],,SC-39,mitigates,6 +3029,,T1003.002,Security Account Manager,[],[],,SC-39,mitigates,6 +3030,,T1003.003,NTDS,[],[],,SC-39,mitigates,6 +3031,,T1003.004,LSA Secrets,[],[],,SC-39,mitigates,6 +3032,,T1003.005,Cached Domain Credentials,[],[],,SC-39,mitigates,6 +3033,,T1003.006,DCSync,[],[],,SC-39,mitigates,6 +3034,,T1003.007,Proc Filesystem,[],[],,SC-39,mitigates,6 +3035,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-39,mitigates,6 +3036,,T1068,Exploitation for Privilege Escalation,[],[],,SC-39,mitigates,6 +3037,,T1189,Drive-by Compromise,[],[],,SC-39,mitigates,6 +3038,,T1190,Exploit Public-Facing Application,[],[],,SC-39,mitigates,6 +3039,,T1203,Exploitation for Client Execution,[],[],,SC-39,mitigates,6 +3040,,T1210,Exploitation of Remote Services,[],[],,SC-39,mitigates,6 +3041,,T1211,Exploitation for Defense Evasion,[],[],,SC-39,mitigates,6 +3042,,T1212,Exploitation for Credential Access,[],[],,SC-39,mitigates,6 +3043,,T1547.002,Authentication Package,[],[],,SC-39,mitigates,6 +3044,,T1547.005,Security Support Provider,[],[],,SC-39,mitigates,6 +3045,,T1547.008,LSASS Driver,[],[],,SC-39,mitigates,6 +3046,,T1556,Modify Authentication Process,[],[],,SC-39,mitigates,6 +3047,,T1556.001,Domain Controller 
Authentication,[],[],,SC-39,mitigates,6 +3048,,T1020.001,Traffic Duplication,[],[],,SC-4,mitigates,6 +3049,,T1040,Network Sniffing,[],[],,SC-4,mitigates,6 +3050,,T1070,Indicator Removal on Host,[],[],,SC-4,mitigates,6 +3051,,T1070.001,Clear Windows Event Logs,[],[],,SC-4,mitigates,6 +3052,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-4,mitigates,6 +3053,,T1080,Taint Shared Content,[],[],,SC-4,mitigates,6 +3054,,T1119,Automated Collection,[],[],,SC-4,mitigates,6 +3055,,T1530,Data from Cloud Storage Object,[],[],,SC-4,mitigates,6 +3056,,T1552,Unsecured Credentials,[],[],,SC-4,mitigates,6 +3057,,T1552.001,Credentials In Files,[],[],,SC-4,mitigates,6 +3058,,T1552.002,Credentials in Registry,[],[],,SC-4,mitigates,6 +3059,,T1552.004,Private Keys,[],[],,SC-4,mitigates,6 +3060,,T1557,Man-in-the-Middle,[],[],,SC-4,mitigates,6 +3061,,T1557.002,ARP Cache Poisoning,[],[],,SC-4,mitigates,6 +3062,,T1558,Steal or Forge Kerberos Tickets,[],[],,SC-4,mitigates,6 +3063,,T1558.002,Silver Ticket,[],[],,SC-4,mitigates,6 +3064,,T1558.003,Kerberoasting,[],[],,SC-4,mitigates,6 +3065,,T1558.004,AS-REP Roasting,[],[],,SC-4,mitigates,6 +3066,,T1565,Data Manipulation,[],[],,SC-4,mitigates,6 +3067,,T1565.001,Stored Data Manipulation,[],[],,SC-4,mitigates,6 +3068,,T1565.002,Transmitted Data Manipulation,[],[],,SC-4,mitigates,6 +3069,,T1565.003,Runtime Data Manipulation,[],[],,SC-4,mitigates,6 +3070,,T1602,Data from Configuration Repository,[],[],,SC-4,mitigates,6 +3071,,T1602.001,SNMP (MIB Dump),[],[],,SC-4,mitigates,6 +3072,,T1602.002,Network Device Configuration Dump,[],[],,SC-4,mitigates,6 +3073,,T1052,Exfiltration Over Physical Medium,[],[],,SC-41,mitigates,6 +3074,,T1052.001,Exfiltration over USB,[],[],,SC-41,mitigates,6 +3075,,T1091,Replication Through Removable Media,[],[],,SC-41,mitigates,6 +3076,,T1200,Hardware Additions,[],[],,SC-41,mitigates,6 +3077,,T1204,User Execution,[],[],,SC-44,mitigates,6 +3078,,T1204.001,Malicious Link,[],[],,SC-44,mitigates,6 +3079,,T1204.002,Malicious 
File,[],[],,SC-44,mitigates,6 +3080,,T1221,Template Injection,[],[],,SC-44,mitigates,6 +3081,,T1566,Phishing,[],[],,SC-44,mitigates,6 +3082,,T1566.001,Spearphishing Attachment,[],[],,SC-44,mitigates,6 +3083,,T1566.002,Spearphishing Link,[],[],,SC-44,mitigates,6 +3084,,T1566.003,Spearphishing via Service,[],[],,SC-44,mitigates,6 +3085,,T1598,Phishing for Information,[],[],,SC-44,mitigates,6 +3086,,T1598.001,Spearphishing Service,[],[],,SC-44,mitigates,6 +3087,,T1598.002,Spearphishing Attachment,[],[],,SC-44,mitigates,6 +3088,,T1598.003,Spearphishing Link,[],[],,SC-44,mitigates,6 +3089,,T1001,Data Obfuscation,[],[],,SC-7,mitigates,6 +3090,,T1001.001,Junk Data,[],[],,SC-7,mitigates,6 +3091,,T1001.002,Steganography,[],[],,SC-7,mitigates,6 +3092,,T1001.003,Protocol Impersonation,[],[],,SC-7,mitigates,6 +3093,,T1008,Fallback Channels,[],[],,SC-7,mitigates,6 +3094,,T1021.001,Remote Desktop Protocol,[],[],,SC-7,mitigates,6 +3095,,T1021.002,SMB/Windows Admin Shares,[],[],,SC-7,mitigates,6 +3096,,T1021.003,Distributed Component Object Model,[],[],,SC-7,mitigates,6 +3097,,T1021.005,VNC,[],[],,SC-7,mitigates,6 +3098,,T1021.006,Windows Remote Management,[],[],,SC-7,mitigates,6 +3099,,T1029,Scheduled Transfer,[],[],,SC-7,mitigates,6 +3100,,T1030,Data Transfer Size Limits,[],[],,SC-7,mitigates,6 +3101,,T1041,Exfiltration Over C2 Channel,[],[],,SC-7,mitigates,6 +3102,,T1046,Network Service Scanning,[],[],,SC-7,mitigates,6 +3103,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-7,mitigates,6 +3104,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,6 +3105,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,6 +3106,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-7,mitigates,6 +3107,,T1055,Process Injection,[],[],,SC-7,mitigates,6 +3108,,T1055.001,Dynamic-link Library Injection,[],[],,SC-7,mitigates,6 +3109,,T1055.002,Portable Executable Injection,[],[],,SC-7,mitigates,6 
+3110,,T1055.003,Thread Execution Hijacking,[],[],,SC-7,mitigates,6 +3111,,T1055.004,Asynchronous Procedure Call,[],[],,SC-7,mitigates,6 +3112,,T1055.005,Thread Local Storage,[],[],,SC-7,mitigates,6 +3113,,T1055.008,Ptrace System Calls,[],[],,SC-7,mitigates,6 +3114,,T1055.009,Proc Memory,[],[],,SC-7,mitigates,6 +3115,,T1055.011,Extra Window Memory Injection,[],[],,SC-7,mitigates,6 +3116,,T1055.012,Process Hollowing,[],[],,SC-7,mitigates,6 +3117,,T1055.013,Process Doppelgänging,[],[],,SC-7,mitigates,6 +3118,,T1055.014,VDSO Hijacking,[],[],,SC-7,mitigates,6 +3119,,T1068,Exploitation for Privilege Escalation,[],[],,SC-7,mitigates,6 +3120,,T1071,Application Layer Protocol,[],[],,SC-7,mitigates,6 +3121,,T1071.001,Web Protocols,[],[],,SC-7,mitigates,6 +3122,,T1071.002,File Transfer Protocols,[],[],,SC-7,mitigates,6 +3123,,T1071.003,Mail Protocols,[],[],,SC-7,mitigates,6 +3124,,T1071.004,DNS,[],[],,SC-7,mitigates,6 +3125,,T1072,Software Deployment Tools,[],[],,SC-7,mitigates,6 +3126,,T1080,Taint Shared Content,[],[],,SC-7,mitigates,6 +3127,,T1090,Proxy,[],[],,SC-7,mitigates,6 +3128,,T1090.001,Internal Proxy,[],[],,SC-7,mitigates,6 +3129,,T1090.002,External Proxy,[],[],,SC-7,mitigates,6 +3130,,T1090.003,Multi-hop Proxy,[],[],,SC-7,mitigates,6 +3131,,T1095,Non-Application Layer Protocol,[],[],,SC-7,mitigates,6 +3132,,T1098,Account Manipulation,[],[],,SC-7,mitigates,6 +3133,,T1098.001,Additional Cloud Credentials,[],[],,SC-7,mitigates,6 +3134,,T1102,Web Service,[],[],,SC-7,mitigates,6 +3135,,T1102.001,Dead Drop Resolver,[],[],,SC-7,mitigates,6 +3136,,T1102.002,Bidirectional Communication,[],[],,SC-7,mitigates,6 +3137,,T1102.003,One-Way Communication,[],[],,SC-7,mitigates,6 +3138,,T1104,Multi-Stage Channels,[],[],,SC-7,mitigates,6 +3139,,T1105,Ingress Tool Transfer,[],[],,SC-7,mitigates,6 +3140,,T1114,Email Collection,[],[],,SC-7,mitigates,6 +3141,,T1114.003,Email Forwarding Rule,[],[],,SC-7,mitigates,6 +3142,,T1132,Data Encoding,[],[],,SC-7,mitigates,6 
+3143,,T1132.001,Standard Encoding,[],[],,SC-7,mitigates,6 +3144,,T1132.002,Non-Standard Encoding,[],[],,SC-7,mitigates,6 +3145,,T1133,External Remote Services,[],[],,SC-7,mitigates,6 +3146,,T1136,Create Account,[],[],,SC-7,mitigates,6 +3147,,T1136.002,Domain Account,[],[],,SC-7,mitigates,6 +3148,,T1136.003,Cloud Account,[],[],,SC-7,mitigates,6 +3149,,T1176,Browser Extensions,[],[],,SC-7,mitigates,6 +3150,,T1187,Forced Authentication,[],[],,SC-7,mitigates,6 +3151,,T1189,Drive-by Compromise,[],[],,SC-7,mitigates,6 +3152,,T1190,Exploit Public-Facing Application,[],[],,SC-7,mitigates,6 +3153,,T1197,BITS Jobs,[],[],,SC-7,mitigates,6 +3154,,T1199,Trusted Relationship,[],[],,SC-7,mitigates,6 +3155,,T1203,Exploitation for Client Execution,[],[],,SC-7,mitigates,6 +3156,,T1204,User Execution,[],[],,SC-7,mitigates,6 +3157,,T1204.001,Malicious Link,[],[],,SC-7,mitigates,6 +3158,,T1204.002,Malicious File,[],[],,SC-7,mitigates,6 +3159,,T1205,Traffic Signaling,[],[],,SC-7,mitigates,6 +3160,,T1205.001,Port Knocking,[],[],,SC-7,mitigates,6 +3161,,T1210,Exploitation of Remote Services,[],[],,SC-7,mitigates,6 +3162,,T1211,Exploitation for Defense Evasion,[],[],,SC-7,mitigates,6 +3163,,T1212,Exploitation for Credential Access,[],[],,SC-7,mitigates,6 +3164,,T1218.012,Verclsid,[],[],,SC-7,mitigates,6 +3165,,T1219,Remote Access Software,[],[],,SC-7,mitigates,6 +3166,,T1221,Template Injection,[],[],,SC-7,mitigates,6 +3167,,T1482,Domain Trust Discovery,[],[],,SC-7,mitigates,6 +3168,,T1489,Service Stop,[],[],,SC-7,mitigates,6 +3169,,T1498,Network Denial of Service,[],[],,SC-7,mitigates,6 +3170,,T1498.001,Direct Network Flood,[],[],,SC-7,mitigates,6 +3171,,T1498.002,Reflection Amplification,[],[],,SC-7,mitigates,6 +3172,,T1499,Endpoint Denial of Service,[],[],,SC-7,mitigates,6 +3173,,T1499.001,OS Exhaustion Flood,[],[],,SC-7,mitigates,6 +3174,,T1499.002,Service Exhaustion Flood,[],[],,SC-7,mitigates,6 +3175,,T1499.003,Application Exhaustion Flood,[],[],,SC-7,mitigates,6 
+3176,,T1499.004,Application or System Exploitation,[],[],,SC-7,mitigates,6 +3177,,T1530,Data from Cloud Storage Object,[],[],,SC-7,mitigates,6 +3178,,T1537,Transfer Data to Cloud Account,[],[],,SC-7,mitigates,6 +3179,,T1542,Pre-OS Boot,[],[],,SC-7,mitigates,6 +3180,,T1542.004,ROMMONkit,[],[],,SC-7,mitigates,6 +3181,,T1542.005,TFTP Boot,[],[],,SC-7,mitigates,6 +3182,,T1552,Unsecured Credentials,[],[],,SC-7,mitigates,6 +3183,,T1552.001,Credentials In Files,[],[],,SC-7,mitigates,6 +3184,,T1552.004,Private Keys,[],[],,SC-7,mitigates,6 +3185,,T1552.005,Cloud Instance Metadata API,[],[],,SC-7,mitigates,6 +3186,,T1557,Man-in-the-Middle,[],[],,SC-7,mitigates,6 +3187,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-7,mitigates,6 +3188,,T1557.002,ARP Cache Poisoning,[],[],,SC-7,mitigates,6 +3189,,T1559,Inter-Process Communication,[],[],,SC-7,mitigates,6 +3190,,T1559.001,Component Object Model,[],[],,SC-7,mitigates,6 +3191,,T1559.002,Dynamic Data Exchange,[],[],,SC-7,mitigates,6 +3192,,T1560,Archive Collected Data,[],[],,SC-7,mitigates,6 +3193,,T1560.001,Archive via Utility,[],[],,SC-7,mitigates,6 +3194,,T1563,Remote Service Session Hijacking,[],[],,SC-7,mitigates,6 +3195,,T1563.002,RDP Hijacking,[],[],,SC-7,mitigates,6 +3196,,T1565,Data Manipulation,[],[],,SC-7,mitigates,6 +3197,,T1565.001,Stored Data Manipulation,[],[],,SC-7,mitigates,6 +3198,,T1565.003,Runtime Data Manipulation,[],[],,SC-7,mitigates,6 +3199,,T1566,Phishing,[],[],,SC-7,mitigates,6 +3200,,T1566.001,Spearphishing Attachment,[],[],,SC-7,mitigates,6 +3201,,T1566.002,Spearphishing Link,[],[],,SC-7,mitigates,6 +3202,,T1566.003,Spearphishing via Service,[],[],,SC-7,mitigates,6 +3203,,T1567,Exfiltration Over Web Service,[],[],,SC-7,mitigates,6 +3204,,T1567.001,Exfiltration to Code Repository,[],[],,SC-7,mitigates,6 +3205,,T1567.002,Exfiltration to Cloud Storage,[],[],,SC-7,mitigates,6 +3206,,T1568,Dynamic Resolution,[],[],,SC-7,mitigates,6 +3207,,T1568.002,Domain Generation 
Algorithms,[],[],,SC-7,mitigates,6 +3208,,T1570,Lateral Tool Transfer,[],[],,SC-7,mitigates,6 +3209,,T1571,Non-Standard Port,[],[],,SC-7,mitigates,6 +3210,,T1572,Protocol Tunneling,[],[],,SC-7,mitigates,6 +3211,,T1573,Encrypted Channel,[],[],,SC-7,mitigates,6 +3212,,T1573.001,Symmetric Cryptography,[],[],,SC-7,mitigates,6 +3213,,T1573.002,Asymmetric Cryptography,[],[],,SC-7,mitigates,6 +3214,,T1598,Phishing for Information,[],[],,SC-7,mitigates,6 +3215,,T1598.001,Spearphishing Service,[],[],,SC-7,mitigates,6 +3216,,T1598.002,Spearphishing Attachment,[],[],,SC-7,mitigates,6 +3217,,T1598.003,Spearphishing Link,[],[],,SC-7,mitigates,6 +3218,,T1599,Network Boundary Bridging,[],[],,SC-7,mitigates,6 +3219,,T1599.001,Network Address Translation Traversal,[],[],,SC-7,mitigates,6 +3220,,T1602,Data from Configuration Repository,[],[],,SC-7,mitigates,6 +3221,,T1602.001,SNMP (MIB Dump),[],[],,SC-7,mitigates,6 +3222,,T1602.002,Network Device Configuration Dump,[],[],,SC-7,mitigates,6 +3223,,T1040,Network Sniffing,[],[],,SC-8,mitigates,6 +3224,,T1090,Proxy,[],[],,SC-8,mitigates,6 +3225,,T1090.004,Domain Fronting,[],[],,SC-8,mitigates,6 +3226,,T1550.001,Application Access Token,[],[],,SC-8,mitigates,6 +3227,,T1550.004,Web Session Cookie,[],[],,SC-8,mitigates,6 +3228,,T1557,Man-in-the-Middle,[],[],,SC-8,mitigates,6 +3229,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-8,mitigates,6 +3230,,T1557.002,ARP Cache Poisoning,[],[],,SC-8,mitigates,6 +3231,,T1562.006,Indicator Blocking,[],[],,SC-8,mitigates,6 +3232,,T1602,Data from Configuration Repository,[],[],,SC-8,mitigates,6 +3233,,T1602.001,SNMP (MIB Dump),[],[],,SC-8,mitigates,6 +3234,,T1602.002,Network Device Configuration Dump,[],[],,SC-8,mitigates,6 +3235,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-10,mitigates,6 +3236,,T1021.005,VNC,[],[],,SI-10,mitigates,6 +3237,,T1036,Masquerading,[],[],,SI-10,mitigates,6 +3238,,T1036.005,Match Legitimate Name or Location,[],[],,SI-10,mitigates,6 +3239,,T1048,Exfiltration Over 
Alternative Protocol,[],[],,SI-10,mitigates,6 +3240,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,6 +3241,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,6 +3242,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-10,mitigates,6 +3243,,T1059,Command and Scripting Interpreter,[],[],,SI-10,mitigates,6 +3244,,T1059.002,AppleScript,[],[],,SI-10,mitigates,6 +3245,,T1059.003,Windows Command Shell,[],[],,SI-10,mitigates,6 +3246,,T1059.004,Unix Shell,[],[],,SI-10,mitigates,6 +3247,,T1059.005,Visual Basic,[],[],,SI-10,mitigates,6 +3248,,T1059.006,Python,[],[],,SI-10,mitigates,6 +3249,,T1059.007,JavaScript/JScript,[],[],,SI-10,mitigates,6 +3250,,T1071.004,DNS,[],[],,SI-10,mitigates,6 +3251,,T1080,Taint Shared Content,[],[],,SI-10,mitigates,6 +3252,,T1090,Proxy,[],[],,SI-10,mitigates,6 +3253,,T1090.003,Multi-hop Proxy,[],[],,SI-10,mitigates,6 +3254,,T1095,Non-Application Layer Protocol,[],[],,SI-10,mitigates,6 +3255,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-10,mitigates,6 +3256,,T1129,Shared Modules,[],[],,SI-10,mitigates,6 +3257,,T1176,Browser Extensions,[],[],,SI-10,mitigates,6 +3258,,T1187,Forced Authentication,[],[],,SI-10,mitigates,6 +3259,,T1190,Exploit Public-Facing Application,[],[],,SI-10,mitigates,6 +3260,,T1197,BITS Jobs,[],[],,SI-10,mitigates,6 +3261,,T1204,User Execution,[],[],,SI-10,mitigates,6 +3262,,T1204.002,Malicious File,[],[],,SI-10,mitigates,6 +3263,,T1216,Signed Script Proxy Execution,[],[],,SI-10,mitigates,6 +3264,,T1216.001,PubPrn,[],[],,SI-10,mitigates,6 +3265,,T1218,Signed Binary Proxy Execution,[],[],,SI-10,mitigates,6 +3266,,T1218.001,Compiled HTML File,[],[],,SI-10,mitigates,6 +3267,,T1218.002,Control Panel,[],[],,SI-10,mitigates,6 +3268,,T1218.003,CMSTP,[],[],,SI-10,mitigates,6 +3269,,T1218.004,InstallUtil,[],[],,SI-10,mitigates,6 +3270,,T1218.005,Mshta,[],[],,SI-10,mitigates,6 
+3271,,T1218.008,Odbcconf,[],[],,SI-10,mitigates,6 +3272,,T1218.009,Regsvcs/Regasm,[],[],,SI-10,mitigates,6 +3273,,T1218.010,Regsvr32,[],[],,SI-10,mitigates,6 +3274,,T1218.011,Rundll32,[],[],,SI-10,mitigates,6 +3275,,T1218.012,Verclsid,[],[],,SI-10,mitigates,6 +3276,,T1219,Remote Access Software,[],[],,SI-10,mitigates,6 +3277,,T1220,XSL Script Processing,[],[],,SI-10,mitigates,6 +3278,,T1221,Template Injection,[],[],,SI-10,mitigates,6 +3279,,T1498,Network Denial of Service,[],[],,SI-10,mitigates,6 +3280,,T1498.001,Direct Network Flood,[],[],,SI-10,mitigates,6 +3281,,T1498.002,Reflection Amplification,[],[],,SI-10,mitigates,6 +3282,,T1499,Endpoint Denial of Service,[],[],,SI-10,mitigates,6 +3283,,T1499.001,OS Exhaustion Flood,[],[],,SI-10,mitigates,6 +3284,,T1499.002,Service Exhaustion Flood,[],[],,SI-10,mitigates,6 +3285,,T1499.003,Application Exhaustion Flood,[],[],,SI-10,mitigates,6 +3286,,T1499.004,Application or System Exploitation,[],[],,SI-10,mitigates,6 +3287,,T1530,Data from Cloud Storage Object,[],[],,SI-10,mitigates,6 +3288,,T1537,Transfer Data to Cloud Account,[],[],,SI-10,mitigates,6 +3289,,T1546.002,Screensaver,[],[],,SI-10,mitigates,6 +3290,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-10,mitigates,6 +3291,,T1546.008,Accessibility Features,[],[],,SI-10,mitigates,6 +3292,,T1546.009,AppCert DLLs,[],[],,SI-10,mitigates,6 +3293,,T1547.004,Winlogon Helper DLL,[],[],,SI-10,mitigates,6 +3294,,T1547.006,Kernel Modules and Extensions,[],[],,SI-10,mitigates,6 +3295,,T1552,Unsecured Credentials,[],[],,SI-10,mitigates,6 +3296,,T1552.005,Cloud Instance Metadata API,[],[],,SI-10,mitigates,6 +3297,,T1553,Subvert Trust Controls,[],[],,SI-10,mitigates,6 +3298,,T1553.001,Gatekeeper Bypass,[],[],,SI-10,mitigates,6 +3299,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-10,mitigates,6 +3300,,T1557,Man-in-the-Middle,[],[],,SI-10,mitigates,6 +3301,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-10,mitigates,6 +3302,,T1557.002,ARP Cache 
Poisoning,[],[],,SI-10,mitigates,6 +3303,,T1564.003,Hidden Window,[],[],,SI-10,mitigates,6 +3304,,T1564.006,Run Virtual Instance,[],[],,SI-10,mitigates,6 +3305,,T1570,Lateral Tool Transfer,[],[],,SI-10,mitigates,6 +3306,,T1572,Protocol Tunneling,[],[],,SI-10,mitigates,6 +3307,,T1574,Hijack Execution Flow,[],[],,SI-10,mitigates,6 +3308,,T1574.001,DLL Search Order Hijacking,[],[],,SI-10,mitigates,6 +3309,,T1574.006,LD_PRELOAD,[],[],,SI-10,mitigates,6 +3310,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-10,mitigates,6 +3311,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-10,mitigates,6 +3312,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-10,mitigates,6 +3313,,T1574.012,COR_PROFILER,[],[],,SI-10,mitigates,6 +3314,,T1599,Network Boundary Bridging,[],[],,SI-10,mitigates,6 +3315,,T1599.001,Network Address Translation Traversal,[],[],,SI-10,mitigates,6 +3316,,T1602,Data from Configuration Repository,[],[],,SI-10,mitigates,6 +3317,,T1602.001,SNMP (MIB Dump),[],[],,SI-10,mitigates,6 +3318,,T1602.002,Network Device Configuration Dump,[],[],,SI-10,mitigates,6 +3319,,T1003,OS Credential Dumping,[],[],,SI-12,mitigates,6 +3320,,T1003.003,NTDS,[],[],,SI-12,mitigates,6 +3321,,T1020.001,Traffic Duplication,[],[],,SI-12,mitigates,6 +3322,,T1040,Network Sniffing,[],[],,SI-12,mitigates,6 +3323,,T1070,Indicator Removal on Host,[],[],,SI-12,mitigates,6 +3324,,T1070.001,Clear Windows Event Logs,[],[],,SI-12,mitigates,6 +3325,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-12,mitigates,6 +3326,,T1114,Email Collection,[],[],,SI-12,mitigates,6 +3327,,T1114.001,Local Email Collection,[],[],,SI-12,mitigates,6 +3328,,T1114.002,Remote Email Collection,[],[],,SI-12,mitigates,6 +3329,,T1114.003,Email Forwarding Rule,[],[],,SI-12,mitigates,6 +3330,,T1119,Automated Collection,[],[],,SI-12,mitigates,6 +3331,,T1530,Data from Cloud Storage Object,[],[],,SI-12,mitigates,6 +3332,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-12,mitigates,6 
+3333,,T1548.004,Elevated Execution with Prompt,[],[],,SI-12,mitigates,6 +3334,,T1550.001,Application Access Token,[],[],,SI-12,mitigates,6 +3335,,T1552,Unsecured Credentials,[],[],,SI-12,mitigates,6 +3336,,T1552.004,Private Keys,[],[],,SI-12,mitigates,6 +3337,,T1557,Man-in-the-Middle,[],[],,SI-12,mitigates,6 +3338,,T1557.002,ARP Cache Poisoning,[],[],,SI-12,mitigates,6 +3339,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-12,mitigates,6 +3340,,T1558.002,Silver Ticket,[],[],,SI-12,mitigates,6 +3341,,T1558.003,Kerberoasting,[],[],,SI-12,mitigates,6 +3342,,T1558.004,AS-REP Roasting,[],[],,SI-12,mitigates,6 +3343,,T1565,Data Manipulation,[],[],,SI-12,mitigates,6 +3344,,T1565.001,Stored Data Manipulation,[],[],,SI-12,mitigates,6 +3345,,T1565.002,Transmitted Data Manipulation,[],[],,SI-12,mitigates,6 +3346,,T1602,Data from Configuration Repository,[],[],,SI-12,mitigates,6 +3347,,T1602.001,SNMP (MIB Dump),[],[],,SI-12,mitigates,6 +3348,,T1602.002,Network Device Configuration Dump,[],[],,SI-12,mitigates,6 +3349,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-15,mitigates,6 +3350,,T1021.005,VNC,[],[],,SI-15,mitigates,6 +3351,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-15,mitigates,6 +3352,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,6 +3353,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,6 +3354,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-15,mitigates,6 +3355,,T1071.004,DNS,[],[],,SI-15,mitigates,6 +3356,,T1090,Proxy,[],[],,SI-15,mitigates,6 +3357,,T1090.003,Multi-hop Proxy,[],[],,SI-15,mitigates,6 +3358,,T1095,Non-Application Layer Protocol,[],[],,SI-15,mitigates,6 +3359,,T1187,Forced Authentication,[],[],,SI-15,mitigates,6 +3360,,T1197,BITS Jobs,[],[],,SI-15,mitigates,6 +3361,,T1205,Traffic Signaling,[],[],,SI-15,mitigates,6 +3362,,T1205.001,Port Knocking,[],[],,SI-15,mitigates,6 +3363,,T1218.012,Verclsid,[],[],,SI-15,mitigates,6 
+3364,,T1219,Remote Access Software,[],[],,SI-15,mitigates,6 +3365,,T1498,Network Denial of Service,[],[],,SI-15,mitigates,6 +3366,,T1498.001,Direct Network Flood,[],[],,SI-15,mitigates,6 +3367,,T1498.002,Reflection Amplification,[],[],,SI-15,mitigates,6 +3368,,T1499,Endpoint Denial of Service,[],[],,SI-15,mitigates,6 +3369,,T1499.001,OS Exhaustion Flood,[],[],,SI-15,mitigates,6 +3370,,T1499.002,Service Exhaustion Flood,[],[],,SI-15,mitigates,6 +3371,,T1499.003,Application Exhaustion Flood,[],[],,SI-15,mitigates,6 +3372,,T1499.004,Application or System Exploitation,[],[],,SI-15,mitigates,6 +3373,,T1530,Data from Cloud Storage Object,[],[],,SI-15,mitigates,6 +3374,,T1537,Transfer Data to Cloud Account,[],[],,SI-15,mitigates,6 +3375,,T1552,Unsecured Credentials,[],[],,SI-15,mitigates,6 +3376,,T1552.005,Cloud Instance Metadata API,[],[],,SI-15,mitigates,6 +3377,,T1557,Man-in-the-Middle,[],[],,SI-15,mitigates,6 +3378,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-15,mitigates,6 +3379,,T1557.002,ARP Cache Poisoning,[],[],,SI-15,mitigates,6 +3380,,T1570,Lateral Tool Transfer,[],[],,SI-15,mitigates,6 +3381,,T1572,Protocol Tunneling,[],[],,SI-15,mitigates,6 +3382,,T1599,Network Boundary Bridging,[],[],,SI-15,mitigates,6 +3383,,T1599.001,Network Address Translation Traversal,[],[],,SI-15,mitigates,6 +3384,,T1602,Data from Configuration Repository,[],[],,SI-15,mitigates,6 +3385,,T1602.001,SNMP (MIB Dump),[],[],,SI-15,mitigates,6 +3386,,T1602.002,Network Device Configuration Dump,[],[],,SI-15,mitigates,6 +3387,,T1055.009,Proc Memory,[],[],,SI-16,mitigates,6 +3388,,T1543,Create or Modify System Process,[],[],,SI-16,mitigates,6 +3389,,T1543.002,Systemd Service,[],[],,SI-16,mitigates,6 +3390,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-16,mitigates,6 +3391,,T1548.004,Elevated Execution with Prompt,[],[],,SI-16,mitigates,6 +3392,,T1565,Data Manipulation,[],[],,SI-16,mitigates,6 +3393,,T1565.001,Stored Data Manipulation,[],[],,SI-16,mitigates,6 
+3394,,T1565.003,Runtime Data Manipulation,[],[],,SI-16,mitigates,6 +3395,,T1027,Obfuscated Files or Information,[],[],,SI-2,mitigates,6 +3396,,T1027.002,Software Packing,[],[],,SI-2,mitigates,6 +3397,,T1055,Process Injection,[],[],,SI-2,mitigates,6 +3398,,T1055.001,Dynamic-link Library Injection,[],[],,SI-2,mitigates,6 +3399,,T1055.002,Portable Executable Injection,[],[],,SI-2,mitigates,6 +3400,,T1055.003,Thread Execution Hijacking,[],[],,SI-2,mitigates,6 +3401,,T1055.004,Asynchronous Procedure Call,[],[],,SI-2,mitigates,6 +3402,,T1055.005,Thread Local Storage,[],[],,SI-2,mitigates,6 +3403,,T1055.008,Ptrace System Calls,[],[],,SI-2,mitigates,6 +3404,,T1055.009,Proc Memory,[],[],,SI-2,mitigates,6 +3405,,T1055.011,Extra Window Memory Injection,[],[],,SI-2,mitigates,6 +3406,,T1055.012,Process Hollowing,[],[],,SI-2,mitigates,6 +3407,,T1055.013,Process Doppelgänging,[],[],,SI-2,mitigates,6 +3408,,T1055.014,VDSO Hijacking,[],[],,SI-2,mitigates,6 +3409,,T1059,Command and Scripting Interpreter,[],[],,SI-2,mitigates,6 +3410,,T1059.001,PowerShell,[],[],,SI-2,mitigates,6 +3411,,T1059.005,Visual Basic,[],[],,SI-2,mitigates,6 +3412,,T1059.006,Python,[],[],,SI-2,mitigates,6 +3413,,T1068,Exploitation for Privilege Escalation,[],[],,SI-2,mitigates,6 +3414,,T1072,Software Deployment Tools,[],[],,SI-2,mitigates,6 +3415,,T1137,Office Application Startup,[],[],,SI-2,mitigates,6 +3416,,T1137.003,Outlook Forms,[],[],,SI-2,mitigates,6 +3417,,T1137.004,Outlook Home Page,[],[],,SI-2,mitigates,6 +3418,,T1137.005,Outlook Rules,[],[],,SI-2,mitigates,6 +3419,,T1189,Drive-by Compromise,[],[],,SI-2,mitigates,6 +3420,,T1190,Exploit Public-Facing Application,[],[],,SI-2,mitigates,6 +3421,,T1195,Supply Chain Compromise,[],[],,SI-2,mitigates,6 +3422,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SI-2,mitigates,6 +3423,,T1195.002,Compromise Software Supply Chain,[],[],,SI-2,mitigates,6 +3424,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-2,mitigates,6 
+3425,,T1204,User Execution,[],[],,SI-2,mitigates,6 +3426,,T1204.001,Malicious Link,[],[],,SI-2,mitigates,6 +3427,,T1210,Exploitation of Remote Services,[],[],,SI-2,mitigates,6 +3428,,T1211,Exploitation for Defense Evasion,[],[],,SI-2,mitigates,6 +3429,,T1212,Exploitation for Credential Access,[],[],,SI-2,mitigates,6 +3430,,T1221,Template Injection,[],[],,SI-2,mitigates,6 +3431,,T1495,Firmware Corruption,[],[],,SI-2,mitigates,6 +3432,,T1525,Implant Container Image,[],[],,SI-2,mitigates,6 +3433,,T1542,Pre-OS Boot,[],[],,SI-2,mitigates,6 +3434,,T1542.001,System Firmware,[],[],,SI-2,mitigates,6 +3435,,T1542.003,Bootkit,[],[],,SI-2,mitigates,6 +3436,,T1542.004,ROMMONkit,[],[],,SI-2,mitigates,6 +3437,,T1542.005,TFTP Boot,[],[],,SI-2,mitigates,6 +3438,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-2,mitigates,6 +3439,,T1546.010,AppInit DLLs,[],[],,SI-2,mitigates,6 +3440,,T1546.011,Application Shimming,[],[],,SI-2,mitigates,6 +3441,,T1547.006,Kernel Modules and Extensions,[],[],,SI-2,mitigates,6 +3442,,T1548.002,Bypass User Account Control,[],[],,SI-2,mitigates,6 +3443,,T1550.002,Pass the Hash,[],[],,SI-2,mitigates,6 +3444,,T1552,Unsecured Credentials,[],[],,SI-2,mitigates,6 +3445,,T1552.006,Group Policy Preferences,[],[],,SI-2,mitigates,6 +3446,,T1559,Inter-Process Communication,[],[],,SI-2,mitigates,6 +3447,,T1559.002,Dynamic Data Exchange,[],[],,SI-2,mitigates,6 +3448,,T1566,Phishing,[],[],,SI-2,mitigates,6 +3449,,T1566.003,Spearphishing via Service,[],[],,SI-2,mitigates,6 +3450,,T1574,Hijack Execution Flow,[],[],,SI-2,mitigates,6 +3451,,T1574.002,DLL Side-Loading,[],[],,SI-2,mitigates,6 +3452,,T1601,Modify System Image,[],[],,SI-2,mitigates,6 +3453,,T1601.001,Patch System Image,[],[],,SI-2,mitigates,6 +3454,,T1601.002,Downgrade System Image,[],[],,SI-2,mitigates,6 +3455,,T1001,Data Obfuscation,[],[],,SI-3,mitigates,6 +3456,,T1001.001,Junk Data,[],[],,SI-3,mitigates,6 +3457,,T1001.002,Steganography,[],[],,SI-3,mitigates,6 +3458,,T1001.003,Protocol 
Impersonation,[],[],,SI-3,mitigates,6 +3459,,T1003,OS Credential Dumping,[],[],,SI-3,mitigates,6 +3460,,T1003.001,LSASS Memory,[],[],,SI-3,mitigates,6 +3461,,T1003.002,Security Account Manager,[],[],,SI-3,mitigates,6 +3462,,T1003.003,NTDS,[],[],,SI-3,mitigates,6 +3463,,T1003.004,LSA Secrets,[],[],,SI-3,mitigates,6 +3464,,T1003.005,Cached Domain Credentials,[],[],,SI-3,mitigates,6 +3465,,T1003.006,DCSync,[],[],,SI-3,mitigates,6 +3466,,T1003.007,Proc Filesystem,[],[],,SI-3,mitigates,6 +3467,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-3,mitigates,6 +3468,,T1008,Fallback Channels,[],[],,SI-3,mitigates,6 +3469,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-3,mitigates,6 +3470,,T1021.003,Distributed Component Object Model,[],[],,SI-3,mitigates,6 +3471,,T1021.005,VNC,[],[],,SI-3,mitigates,6 +3472,,T1027,Obfuscated Files or Information,[],[],,SI-3,mitigates,6 +3473,,T1027.002,Software Packing,[],[],,SI-3,mitigates,6 +3474,,T1029,Scheduled Transfer,[],[],,SI-3,mitigates,6 +3475,,T1030,Data Transfer Size Limits,[],[],,SI-3,mitigates,6 +3476,,T1036,Masquerading,[],[],,SI-3,mitigates,6 +3477,,T1036.003,Rename System Utilities,[],[],,SI-3,mitigates,6 +3478,,T1036.005,Match Legitimate Name or Location,[],[],,SI-3,mitigates,6 +3479,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-3,mitigates,6 +3480,,T1037.002,Logon Script (Mac),[],[],,SI-3,mitigates,6 +3481,,T1037.003,Network Logon Script,[],[],,SI-3,mitigates,6 +3482,,T1037.004,Rc.common,[],[],,SI-3,mitigates,6 +3483,,T1037.005,Startup Items,[],[],,SI-3,mitigates,6 +3484,,T1041,Exfiltration Over C2 Channel,[],[],,SI-3,mitigates,6 +3485,,T1046,Network Service Scanning,[],[],,SI-3,mitigates,6 +3486,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-3,mitigates,6 +3487,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,6 +3488,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,6 +3489,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 
Protocol,[],[],,SI-3,mitigates,6 +3490,,T1052,Exfiltration Over Physical Medium,[],[],,SI-3,mitigates,6 +3491,,T1052.001,Exfiltration over USB,[],[],,SI-3,mitigates,6 +3492,,T1055,Process Injection,[],[],,SI-3,mitigates,6 +3493,,T1055.001,Dynamic-link Library Injection,[],[],,SI-3,mitigates,6 +3494,,T1055.002,Portable Executable Injection,[],[],,SI-3,mitigates,6 +3495,,T1055.003,Thread Execution Hijacking,[],[],,SI-3,mitigates,6 +3496,,T1055.004,Asynchronous Procedure Call,[],[],,SI-3,mitigates,6 +3497,,T1055.005,Thread Local Storage,[],[],,SI-3,mitigates,6 +3498,,T1055.008,Ptrace System Calls,[],[],,SI-3,mitigates,6 +3499,,T1055.009,Proc Memory,[],[],,SI-3,mitigates,6 +3500,,T1055.011,Extra Window Memory Injection,[],[],,SI-3,mitigates,6 +3501,,T1055.012,Process Hollowing,[],[],,SI-3,mitigates,6 +3502,,T1055.013,Process Doppelgänging,[],[],,SI-3,mitigates,6 +3503,,T1055.014,VDSO Hijacking,[],[],,SI-3,mitigates,6 +3504,,T1056.002,GUI Input Capture,[],[],,SI-3,mitigates,6 +3505,,T1059,Command and Scripting Interpreter,[],[],,SI-3,mitigates,6 +3506,,T1059.001,PowerShell,[],[],,SI-3,mitigates,6 +3507,,T1059.005,Visual Basic,[],[],,SI-3,mitigates,6 +3508,,T1059.006,Python,[],[],,SI-3,mitigates,6 +3509,,T1059.007,JavaScript/JScript,[],[],,SI-3,mitigates,6 +3510,,T1068,Exploitation for Privilege Escalation,[],[],,SI-3,mitigates,6 +3511,,T1070,Indicator Removal on Host,[],[],,SI-3,mitigates,6 +3512,,T1070.001,Clear Windows Event Logs,[],[],,SI-3,mitigates,6 +3513,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-3,mitigates,6 +3514,,T1070.003,Clear Command History,[],[],,SI-3,mitigates,6 +3515,,T1071,Application Layer Protocol,[],[],,SI-3,mitigates,6 +3516,,T1071.001,Web Protocols,[],[],,SI-3,mitigates,6 +3517,,T1071.002,File Transfer Protocols,[],[],,SI-3,mitigates,6 +3518,,T1071.003,Mail Protocols,[],[],,SI-3,mitigates,6 +3519,,T1071.004,DNS,[],[],,SI-3,mitigates,6 +3520,,T1072,Software Deployment Tools,[],[],,SI-3,mitigates,6 +3521,,T1080,Taint Shared 
Content,[],[],,SI-3,mitigates,6 +3522,,T1090,Proxy,[],[],,SI-3,mitigates,6 +3523,,T1090.001,Internal Proxy,[],[],,SI-3,mitigates,6 +3524,,T1090.002,External Proxy,[],[],,SI-3,mitigates,6 +3525,,T1091,Replication Through Removable Media,[],[],,SI-3,mitigates,6 +3526,,T1092,Communication Through Removable Media,[],[],,SI-3,mitigates,6 +3527,,T1095,Non-Application Layer Protocol,[],[],,SI-3,mitigates,6 +3528,,T1098.004,SSH Authorized Keys,[],[],,SI-3,mitigates,6 +3529,,T1102,Web Service,[],[],,SI-3,mitigates,6 +3530,,T1102.001,Dead Drop Resolver,[],[],,SI-3,mitigates,6 +3531,,T1102.002,Bidirectional Communication,[],[],,SI-3,mitigates,6 +3532,,T1102.003,One-Way Communication,[],[],,SI-3,mitigates,6 +3533,,T1104,Multi-Stage Channels,[],[],,SI-3,mitigates,6 +3534,,T1105,Ingress Tool Transfer,[],[],,SI-3,mitigates,6 +3535,,T1111,Two-Factor Authentication Interception,[],[],,SI-3,mitigates,6 +3536,,T1132,Data Encoding,[],[],,SI-3,mitigates,6 +3537,,T1132.001,Standard Encoding,[],[],,SI-3,mitigates,6 +3538,,T1132.002,Non-Standard Encoding,[],[],,SI-3,mitigates,6 +3539,,T1137,Office Application Startup,[],[],,SI-3,mitigates,6 +3540,,T1137.001,Office Template Macros,[],[],,SI-3,mitigates,6 +3541,,T1176,Browser Extensions,[],[],,SI-3,mitigates,6 +3542,,T1185,Man in the Browser,[],[],,SI-3,mitigates,6 +3543,,T1189,Drive-by Compromise,[],[],,SI-3,mitigates,6 +3544,,T1190,Exploit Public-Facing Application,[],[],,SI-3,mitigates,6 +3545,,T1201,Password Policy Discovery,[],[],,SI-3,mitigates,6 +3546,,T1203,Exploitation for Client Execution,[],[],,SI-3,mitigates,6 +3547,,T1204,User Execution,[],[],,SI-3,mitigates,6 +3548,,T1204.001,Malicious Link,[],[],,SI-3,mitigates,6 +3549,,T1204.002,Malicious File,[],[],,SI-3,mitigates,6 +3550,,T1210,Exploitation of Remote Services,[],[],,SI-3,mitigates,6 +3551,,T1211,Exploitation for Defense Evasion,[],[],,SI-3,mitigates,6 +3552,,T1212,Exploitation for Credential Access,[],[],,SI-3,mitigates,6 +3553,,T1218.002,Control 
Panel,[],[],,SI-3,mitigates,6 +3554,,T1219,Remote Access Software,[],[],,SI-3,mitigates,6 +3555,,T1221,Template Injection,[],[],,SI-3,mitigates,6 +3556,,T1485,Data Destruction,[],[],,SI-3,mitigates,6 +3557,,T1486,Data Encrypted for Impact,[],[],,SI-3,mitigates,6 +3558,,T1490,Inhibit System Recovery,[],[],,SI-3,mitigates,6 +3559,,T1491,Defacement,[],[],,SI-3,mitigates,6 +3560,,T1491.001,Internal Defacement,[],[],,SI-3,mitigates,6 +3561,,T1491.002,External Defacement,[],[],,SI-3,mitigates,6 +3562,,T1525,Implant Container Image,[],[],,SI-3,mitigates,6 +3563,,T1539,Steal Web Session Cookie,[],[],,SI-3,mitigates,6 +3564,,T1543,Create or Modify System Process,[],[],,SI-3,mitigates,6 +3565,,T1543.002,Systemd Service,[],[],,SI-3,mitigates,6 +3566,,T1546.002,Screensaver,[],[],,SI-3,mitigates,6 +3567,,T1546.004,.bash_profile and .bashrc,[],[],,SI-3,mitigates,6 +3568,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-3,mitigates,6 +3569,,T1546.013,PowerShell Profile,[],[],,SI-3,mitigates,6 +3570,,T1546.014,Emond,[],[],,SI-3,mitigates,6 +3571,,T1547.002,Authentication Package,[],[],,SI-3,mitigates,6 +3572,,T1547.005,Security Support Provider,[],[],,SI-3,mitigates,6 +3573,,T1547.006,Kernel Modules and Extensions,[],[],,SI-3,mitigates,6 +3574,,T1547.007,Re-opened Applications,[],[],,SI-3,mitigates,6 +3575,,T1547.008,LSASS Driver,[],[],,SI-3,mitigates,6 +3576,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-3,mitigates,6 +3577,,T1548.004,Elevated Execution with Prompt,[],[],,SI-3,mitigates,6 +3578,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-3,mitigates,6 +3579,,T1557,Man-in-the-Middle,[],[],,SI-3,mitigates,6 +3580,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-3,mitigates,6 +3581,,T1557.002,ARP Cache Poisoning,[],[],,SI-3,mitigates,6 +3582,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-3,mitigates,6 +3583,,T1558.002,Silver Ticket,[],[],,SI-3,mitigates,6 +3584,,T1558.003,Kerberoasting,[],[],,SI-3,mitigates,6 +3585,,T1558.004,AS-REP 
Roasting,[],[],,SI-3,mitigates,6 +3586,,T1559,Inter-Process Communication,[],[],,SI-3,mitigates,6 +3587,,T1559.001,Component Object Model,[],[],,SI-3,mitigates,6 +3588,,T1559.002,Dynamic Data Exchange,[],[],,SI-3,mitigates,6 +3589,,T1560,Archive Collected Data,[],[],,SI-3,mitigates,6 +3590,,T1560.001,Archive via Utility,[],[],,SI-3,mitigates,6 +3591,,T1561,Disk Wipe,[],[],,SI-3,mitigates,6 +3592,,T1561.001,Disk Content Wipe,[],[],,SI-3,mitigates,6 +3593,,T1561.002,Disk Structure Wipe,[],[],,SI-3,mitigates,6 +3594,,T1562,Impair Defenses,[],[],,SI-3,mitigates,6 +3595,,T1562.001,Disable or Modify Tools,[],[],,SI-3,mitigates,6 +3596,,T1562.002,Disable Windows Event Logging,[],[],,SI-3,mitigates,6 +3597,,T1562.004,Disable or Modify System Firewall,[],[],,SI-3,mitigates,6 +3598,,T1562.006,Indicator Blocking,[],[],,SI-3,mitigates,6 +3599,,T1564.004,NTFS File Attributes,[],[],,SI-3,mitigates,6 +3600,,T1566,Phishing,[],[],,SI-3,mitigates,6 +3601,,T1566.001,Spearphishing Attachment,[],[],,SI-3,mitigates,6 +3602,,T1566.002,Spearphishing Link,[],[],,SI-3,mitigates,6 +3603,,T1566.003,Spearphishing via Service,[],[],,SI-3,mitigates,6 +3604,,T1568,Dynamic Resolution,[],[],,SI-3,mitigates,6 +3605,,T1568.002,Domain Generation Algorithms,[],[],,SI-3,mitigates,6 +3606,,T1569,System Services,[],[],,SI-3,mitigates,6 +3607,,T1569.002,Service Execution,[],[],,SI-3,mitigates,6 +3608,,T1570,Lateral Tool Transfer,[],[],,SI-3,mitigates,6 +3609,,T1571,Non-Standard Port,[],[],,SI-3,mitigates,6 +3610,,T1572,Protocol Tunneling,[],[],,SI-3,mitigates,6 +3611,,T1573,Encrypted Channel,[],[],,SI-3,mitigates,6 +3612,,T1573.001,Symmetric Cryptography,[],[],,SI-3,mitigates,6 +3613,,T1573.002,Asymmetric Cryptography,[],[],,SI-3,mitigates,6 +3614,,T1574,Hijack Execution Flow,[],[],,SI-3,mitigates,6 +3615,,T1574.001,DLL Search Order Hijacking,[],[],,SI-3,mitigates,6 +3616,,T1574.002,DLL Side-Loading,[],[],,SI-3,mitigates,6 +3617,,T1574.004,Dylib Hijacking,[],[],,SI-3,mitigates,6 +3618,,T1574.007,Path 
Interception by PATH Environment Variable,[],[],,SI-3,mitigates,6 +3619,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-3,mitigates,6 +3620,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-3,mitigates,6 +3621,,T1598,Phishing for Information,[],[],,SI-3,mitigates,6 +3622,,T1598.001,Spearphishing Service,[],[],,SI-3,mitigates,6 +3623,,T1598.002,Spearphishing Attachment,[],[],,SI-3,mitigates,6 +3624,,T1598.003,Spearphishing Link,[],[],,SI-3,mitigates,6 +3625,,T1602,Data from Configuration Repository,[],[],,SI-3,mitigates,6 +3626,,T1602.001,SNMP (MIB Dump),[],[],,SI-3,mitigates,6 +3627,,T1602.002,Network Device Configuration Dump,[],[],,SI-3,mitigates,6 +3628,,T1001,Data Obfuscation,[],[],,SI-4,mitigates,6 +3629,,T1001.001,Junk Data,[],[],,SI-4,mitigates,6 +3630,,T1001.002,Steganography,[],[],,SI-4,mitigates,6 +3631,,T1001.003,Protocol Impersonation,[],[],,SI-4,mitigates,6 +3632,,T1003,OS Credential Dumping,[],[],,SI-4,mitigates,6 +3633,,T1003.001,LSASS Memory,[],[],,SI-4,mitigates,6 +3634,,T1003.002,Security Account Manager,[],[],,SI-4,mitigates,6 +3635,,T1003.003,NTDS,[],[],,SI-4,mitigates,6 +3636,,T1003.004,LSA Secrets,[],[],,SI-4,mitigates,6 +3637,,T1003.005,Cached Domain Credentials,[],[],,SI-4,mitigates,6 +3638,,T1003.006,DCSync,[],[],,SI-4,mitigates,6 +3639,,T1003.007,Proc Filesystem,[],[],,SI-4,mitigates,6 +3640,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-4,mitigates,6 +3641,,T1008,Fallback Channels,[],[],,SI-4,mitigates,6 +3642,,T1011,Exfiltration Over Other Network Medium,[],[],,SI-4,mitigates,6 +3643,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-4,mitigates,6 +3644,,T1020.001,Traffic Duplication,[],[],,SI-4,mitigates,6 +3645,,T1021,Remote Services,[],[],,SI-4,mitigates,6 +3646,,T1021.001,Remote Desktop Protocol,[],[],,SI-4,mitigates,6 +3647,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-4,mitigates,6 +3648,,T1021.003,Distributed Component Object Model,[],[],,SI-4,mitigates,6 +3649,,T1021.004,SSH,[],[],,SI-4,mitigates,6 
+3650,,T1021.005,VNC,[],[],,SI-4,mitigates,6 +3651,,T1021.006,Windows Remote Management,[],[],,SI-4,mitigates,6 +3652,,T1027,Obfuscated Files or Information,[],[],,SI-4,mitigates,6 +3653,,T1027.002,Software Packing,[],[],,SI-4,mitigates,6 +3654,,T1029,Scheduled Transfer,[],[],,SI-4,mitigates,6 +3655,,T1030,Data Transfer Size Limits,[],[],,SI-4,mitigates,6 +3656,,T1036,Masquerading,[],[],,SI-4,mitigates,6 +3657,,T1036.003,Rename System Utilities,[],[],,SI-4,mitigates,6 +3658,,T1036.005,Match Legitimate Name or Location,[],[],,SI-4,mitigates,6 +3659,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-4,mitigates,6 +3660,,T1037.002,Logon Script (Mac),[],[],,SI-4,mitigates,6 +3661,,T1037.003,Network Logon Script,[],[],,SI-4,mitigates,6 +3662,,T1037.004,Rc.common,[],[],,SI-4,mitigates,6 +3663,,T1037.005,Startup Items,[],[],,SI-4,mitigates,6 +3664,,T1040,Network Sniffing,[],[],,SI-4,mitigates,6 +3665,,T1041,Exfiltration Over C2 Channel,[],[],,SI-4,mitigates,6 +3666,,T1046,Network Service Scanning,[],[],,SI-4,mitigates,6 +3667,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-4,mitigates,6 +3668,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,6 +3669,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,6 +3670,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-4,mitigates,6 +3671,,T1052,Exfiltration Over Physical Medium,[],[],,SI-4,mitigates,6 +3672,,T1052.001,Exfiltration over USB,[],[],,SI-4,mitigates,6 +3673,,T1053,Scheduled Task/Job,[],[],,SI-4,mitigates,6 +3674,,T1053.001,At (Linux),[],[],,SI-4,mitigates,6 +3675,,T1053.002,At (Windows),[],[],,SI-4,mitigates,6 +3676,,T1053.003,Cron,[],[],,SI-4,mitigates,6 +3677,,T1053.004,Launchd,[],[],,SI-4,mitigates,6 +3678,,T1053.005,Scheduled Task,[],[],,SI-4,mitigates,6 +3679,,T1053.006,Systemd Timers,[],[],,SI-4,mitigates,6 +3680,,T1055,Process Injection,[],[],,SI-4,mitigates,6 +3681,,T1055.001,Dynamic-link Library 
Injection,[],[],,SI-4,mitigates,6 +3682,,T1055.002,Portable Executable Injection,[],[],,SI-4,mitigates,6 +3683,,T1055.003,Thread Execution Hijacking,[],[],,SI-4,mitigates,6 +3684,,T1055.004,Asynchronous Procedure Call,[],[],,SI-4,mitigates,6 +3685,,T1055.005,Thread Local Storage,[],[],,SI-4,mitigates,6 +3686,,T1055.008,Ptrace System Calls,[],[],,SI-4,mitigates,6 +3687,,T1055.009,Proc Memory,[],[],,SI-4,mitigates,6 +3688,,T1055.011,Extra Window Memory Injection,[],[],,SI-4,mitigates,6 +3689,,T1055.012,Process Hollowing,[],[],,SI-4,mitigates,6 +3690,,T1055.013,Process Doppelgänging,[],[],,SI-4,mitigates,6 +3691,,T1055.014,VDSO Hijacking,[],[],,SI-4,mitigates,6 +3692,,T1056.002,GUI Input Capture,[],[],,SI-4,mitigates,6 +3693,,T1059,Command and Scripting Interpreter,[],[],,SI-4,mitigates,6 +3694,,T1059.001,PowerShell,[],[],,SI-4,mitigates,6 +3695,,T1059.005,Visual Basic,[],[],,SI-4,mitigates,6 +3696,,T1059.006,Python,[],[],,SI-4,mitigates,6 +3697,,T1059.007,JavaScript/JScript,[],[],,SI-4,mitigates,6 +3698,,T1068,Exploitation for Privilege Escalation,[],[],,SI-4,mitigates,6 +3699,,T1070,Indicator Removal on Host,[],[],,SI-4,mitigates,6 +3700,,T1070.001,Clear Windows Event Logs,[],[],,SI-4,mitigates,6 +3701,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-4,mitigates,6 +3702,,T1070.003,Clear Command History,[],[],,SI-4,mitigates,6 +3703,,T1071,Application Layer Protocol,[],[],,SI-4,mitigates,6 +3704,,T1071.001,Web Protocols,[],[],,SI-4,mitigates,6 +3705,,T1071.002,File Transfer Protocols,[],[],,SI-4,mitigates,6 +3706,,T1071.003,Mail Protocols,[],[],,SI-4,mitigates,6 +3707,,T1071.004,DNS,[],[],,SI-4,mitigates,6 +3708,,T1072,Software Deployment Tools,[],[],,SI-4,mitigates,6 +3709,,T1078,Valid Accounts,[],[],,SI-4,mitigates,6 +3710,,T1078.001,Default Accounts,[],[],,SI-4,mitigates,6 +3711,,T1078.002,Domain Accounts,[],[],,SI-4,mitigates,6 +3712,,T1078.003,Local Accounts,[],[],,SI-4,mitigates,6 +3713,,T1078.004,Cloud Accounts,[],[],,SI-4,mitigates,6 +3714,,T1080,Taint 
Shared Content,[],[],,SI-4,mitigates,6 +3715,,T1087,Account Discovery,[],[],,SI-4,mitigates,6 +3716,,T1087.001,Local Account,[],[],,SI-4,mitigates,6 +3717,,T1087.002,Domain Account,[],[],,SI-4,mitigates,6 +3718,,T1090,Proxy,[],[],,SI-4,mitigates,6 +3719,,T1090.001,Internal Proxy,[],[],,SI-4,mitigates,6 +3720,,T1090.002,External Proxy,[],[],,SI-4,mitigates,6 +3721,,T1091,Replication Through Removable Media,[],[],,SI-4,mitigates,6 +3722,,T1092,Communication Through Removable Media,[],[],,SI-4,mitigates,6 +3723,,T1095,Non-Application Layer Protocol,[],[],,SI-4,mitigates,6 +3724,,T1098,Account Manipulation,[],[],,SI-4,mitigates,6 +3725,,T1098.001,Additional Cloud Credentials,[],[],,SI-4,mitigates,6 +3726,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-4,mitigates,6 +3727,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-4,mitigates,6 +3728,,T1098.004,SSH Authorized Keys,[],[],,SI-4,mitigates,6 +3729,,T1102,Web Service,[],[],,SI-4,mitigates,6 +3730,,T1102.001,Dead Drop Resolver,[],[],,SI-4,mitigates,6 +3731,,T1102.002,Bidirectional Communication,[],[],,SI-4,mitigates,6 +3732,,T1102.003,One-Way Communication,[],[],,SI-4,mitigates,6 +3733,,T1104,Multi-Stage Channels,[],[],,SI-4,mitigates,6 +3734,,T1105,Ingress Tool Transfer,[],[],,SI-4,mitigates,6 +3735,,T1110,Brute Force,[],[],,SI-4,mitigates,6 +3736,,T1110.001,Password Guessing,[],[],,SI-4,mitigates,6 +3737,,T1110.002,Password Cracking,[],[],,SI-4,mitigates,6 +3738,,T1110.003,Password Spraying,[],[],,SI-4,mitigates,6 +3739,,T1110.004,Credential Stuffing,[],[],,SI-4,mitigates,6 +3740,,T1111,Two-Factor Authentication Interception,[],[],,SI-4,mitigates,6 +3741,,T1114,Email Collection,[],[],,SI-4,mitigates,6 +3742,,T1114.001,Local Email Collection,[],[],,SI-4,mitigates,6 +3743,,T1114.002,Remote Email Collection,[],[],,SI-4,mitigates,6 +3744,,T1114.003,Email Forwarding Rule,[],[],,SI-4,mitigates,6 +3745,,T1119,Automated Collection,[],[],,SI-4,mitigates,6 +3746,,T1127,Trusted Developer Utilities Proxy 
Execution,[],[],,SI-4,mitigates,6 +3747,,T1127.001,MSBuild,[],[],,SI-4,mitigates,6 +3748,,T1129,Shared Modules,[],[],,SI-4,mitigates,6 +3749,,T1132,Data Encoding,[],[],,SI-4,mitigates,6 +3750,,T1132.001,Standard Encoding,[],[],,SI-4,mitigates,6 +3751,,T1132.002,Non-Standard Encoding,[],[],,SI-4,mitigates,6 +3752,,T1133,External Remote Services,[],[],,SI-4,mitigates,6 +3753,,T1135,Network Share Discovery,[],[],,SI-4,mitigates,6 +3754,,T1136,Create Account,[],[],,SI-4,mitigates,6 +3755,,T1136.001,Local Account,[],[],,SI-4,mitigates,6 +3756,,T1136.002,Domain Account,[],[],,SI-4,mitigates,6 +3757,,T1136.003,Cloud Account,[],[],,SI-4,mitigates,6 +3758,,T1137,Office Application Startup,[],[],,SI-4,mitigates,6 +3759,,T1137.001,Office Template Macros,[],[],,SI-4,mitigates,6 +3760,,T1176,Browser Extensions,[],[],,SI-4,mitigates,6 +3761,,T1185,Man in the Browser,[],[],,SI-4,mitigates,6 +3762,,T1187,Forced Authentication,[],[],,SI-4,mitigates,6 +3763,,T1189,Drive-by Compromise,[],[],,SI-4,mitigates,6 +3764,,T1190,Exploit Public-Facing Application,[],[],,SI-4,mitigates,6 +3765,,T1197,BITS Jobs,[],[],,SI-4,mitigates,6 +3766,,T1201,Password Policy Discovery,[],[],,SI-4,mitigates,6 +3767,,T1203,Exploitation for Client Execution,[],[],,SI-4,mitigates,6 +3768,,T1204,User Execution,[],[],,SI-4,mitigates,6 +3769,,T1204.001,Malicious Link,[],[],,SI-4,mitigates,6 +3770,,T1204.002,Malicious File,[],[],,SI-4,mitigates,6 +3771,,T1205,Traffic Signaling,[],[],,SI-4,mitigates,6 +3772,,T1205.001,Port Knocking,[],[],,SI-4,mitigates,6 +3773,,T1210,Exploitation of Remote Services,[],[],,SI-4,mitigates,6 +3774,,T1211,Exploitation for Defense Evasion,[],[],,SI-4,mitigates,6 +3775,,T1212,Exploitation for Credential Access,[],[],,SI-4,mitigates,6 +3776,,T1213,Data from Information Repositories,[],[],,SI-4,mitigates,6 +3777,,T1213.001,Confluence,[],[],,SI-4,mitigates,6 +3778,,T1213.002,Sharepoint,[],[],,SI-4,mitigates,6 +3779,,T1216,Signed Script Proxy Execution,[],[],,SI-4,mitigates,6 
+3780,,T1216.001,PubPrn,[],[],,SI-4,mitigates,6 +3781,,T1218,Signed Binary Proxy Execution,[],[],,SI-4,mitigates,6 +3782,,T1218.001,Compiled HTML File,[],[],,SI-4,mitigates,6 +3783,,T1218.002,Control Panel,[],[],,SI-4,mitigates,6 +3784,,T1218.003,CMSTP,[],[],,SI-4,mitigates,6 +3785,,T1218.004,InstallUtil,[],[],,SI-4,mitigates,6 +3786,,T1218.005,Mshta,[],[],,SI-4,mitigates,6 +3787,,T1218.008,Odbcconf,[],[],,SI-4,mitigates,6 +3788,,T1218.009,Regsvcs/Regasm,[],[],,SI-4,mitigates,6 +3789,,T1218.010,Regsvr32,[],[],,SI-4,mitigates,6 +3790,,T1218.011,Rundll32,[],[],,SI-4,mitigates,6 +3791,,T1218.012,Verclsid,[],[],,SI-4,mitigates,6 +3792,,T1219,Remote Access Software,[],[],,SI-4,mitigates,6 +3793,,T1220,XSL Script Processing,[],[],,SI-4,mitigates,6 +3794,,T1221,Template Injection,[],[],,SI-4,mitigates,6 +3795,,T1222,File and Directory Permissions Modification,[],[],,SI-4,mitigates,6 +3796,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-4,mitigates,6 +3797,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-4,mitigates,6 +3798,,T1484,Domain Policy Modification,[],[],,SI-4,mitigates,6 +3799,,T1485,Data Destruction,[],[],,SI-4,mitigates,6 +3800,,T1486,Data Encrypted for Impact,[],[],,SI-4,mitigates,6 +3801,,T1489,Service Stop,[],[],,SI-4,mitigates,6 +3802,,T1490,Inhibit System Recovery,[],[],,SI-4,mitigates,6 +3803,,T1491,Defacement,[],[],,SI-4,mitigates,6 +3804,,T1491.001,Internal Defacement,[],[],,SI-4,mitigates,6 +3805,,T1491.002,External Defacement,[],[],,SI-4,mitigates,6 +3806,,T1499,Endpoint Denial of Service,[],[],,SI-4,mitigates,6 +3807,,T1499.001,OS Exhaustion Flood,[],[],,SI-4,mitigates,6 +3808,,T1499.002,Service Exhaustion Flood,[],[],,SI-4,mitigates,6 +3809,,T1499.003,Application Exhaustion Flood,[],[],,SI-4,mitigates,6 +3810,,T1499.004,Application or System Exploitation,[],[],,SI-4,mitigates,6 +3811,,T1505,Server Software Component,[],[],,SI-4,mitigates,6 +3812,,T1505.001,SQL Stored 
Procedures,[],[],,SI-4,mitigates,6 +3813,,T1505.002,Transport Agent,[],[],,SI-4,mitigates,6 +3814,,T1525,Implant Container Image,[],[],,SI-4,mitigates,6 +3815,,T1528,Steal Application Access Token,[],[],,SI-4,mitigates,6 +3816,,T1530,Data from Cloud Storage Object,[],[],,SI-4,mitigates,6 +3817,,T1537,Transfer Data to Cloud Account,[],[],,SI-4,mitigates,6 +3818,,T1539,Steal Web Session Cookie,[],[],,SI-4,mitigates,6 +3819,,T1542.004,ROMMONkit,[],[],,SI-4,mitigates,6 +3820,,T1542.005,TFTP Boot,[],[],,SI-4,mitigates,6 +3821,,T1543,Create or Modify System Process,[],[],,SI-4,mitigates,6 +3822,,T1543.002,Systemd Service,[],[],,SI-4,mitigates,6 +3823,,T1543.003,Windows Service,[],[],,SI-4,mitigates,6 +3824,,T1546.002,Screensaver,[],[],,SI-4,mitigates,6 +3825,,T1546.004,.bash_profile and .bashrc,[],[],,SI-4,mitigates,6 +3826,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-4,mitigates,6 +3827,,T1546.008,Accessibility Features,[],[],,SI-4,mitigates,6 +3828,,T1546.013,PowerShell Profile,[],[],,SI-4,mitigates,6 +3829,,T1546.014,Emond,[],[],,SI-4,mitigates,6 +3830,,T1547.002,Authentication Package,[],[],,SI-4,mitigates,6 +3831,,T1547.003,Time Providers,[],[],,SI-4,mitigates,6 +3832,,T1547.005,Security Support Provider,[],[],,SI-4,mitigates,6 +3833,,T1547.006,Kernel Modules and Extensions,[],[],,SI-4,mitigates,6 +3834,,T1547.007,Re-opened Applications,[],[],,SI-4,mitigates,6 +3835,,T1547.008,LSASS Driver,[],[],,SI-4,mitigates,6 +3836,,T1547.011,Plist Modification,[],[],,SI-4,mitigates,6 +3837,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-4,mitigates,6 +3838,,T1548.001,Setuid and Setgid,[],[],,SI-4,mitigates,6 +3839,,T1548.002,Bypass User Account Control,[],[],,SI-4,mitigates,6 +3840,,T1548.003,Sudo and Sudo Caching,[],[],,SI-4,mitigates,6 +3841,,T1548.004,Elevated Execution with Prompt,[],[],,SI-4,mitigates,6 +3842,,T1550,Use Alternate Authentication Material,[],[],,SI-4,mitigates,6 +3843,,T1550.001,Application Access Token,[],[],,SI-4,mitigates,6 +3844,,T1550.003,Pass the 
Ticket,[],[],,SI-4,mitigates,6 +3845,,T1552,Unsecured Credentials,[],[],,SI-4,mitigates,6 +3846,,T1552.001,Credentials In Files,[],[],,SI-4,mitigates,6 +3847,,T1552.002,Credentials in Registry,[],[],,SI-4,mitigates,6 +3848,,T1552.003,Bash History,[],[],,SI-4,mitigates,6 +3849,,T1552.004,Private Keys,[],[],,SI-4,mitigates,6 +3850,,T1552.005,Cloud Instance Metadata API,[],[],,SI-4,mitigates,6 +3851,,T1552.006,Group Policy Preferences,[],[],,SI-4,mitigates,6 +3852,,T1553,Subvert Trust Controls,[],[],,SI-4,mitigates,6 +3853,,T1553.001,Gatekeeper Bypass,[],[],,SI-4,mitigates,6 +3854,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-4,mitigates,6 +3855,,T1553.004,Install Root Certificate,[],[],,SI-4,mitigates,6 +3856,,T1555,Credentials from Password Stores,[],[],,SI-4,mitigates,6 +3857,,T1555.001,Keychain,[],[],,SI-4,mitigates,6 +3858,,T1555.002,Securityd Memory,[],[],,SI-4,mitigates,6 +3859,,T1556,Modify Authentication Process,[],[],,SI-4,mitigates,6 +3860,,T1556.001,Domain Controller Authentication,[],[],,SI-4,mitigates,6 +3861,,T1556.002,Password Filter DLL,[],[],,SI-4,mitigates,6 +3862,,T1556.003,Pluggable Authentication Modules,[],[],,SI-4,mitigates,6 +3863,,T1556.004,Network Device Authentication,[],[],,SI-4,mitigates,6 +3864,,T1557,Man-in-the-Middle,[],[],,SI-4,mitigates,6 +3865,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-4,mitigates,6 +3866,,T1557.002,ARP Cache Poisoning,[],[],,SI-4,mitigates,6 +3867,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-4,mitigates,6 +3868,,T1558.002,Silver Ticket,[],[],,SI-4,mitigates,6 +3869,,T1558.003,Kerberoasting,[],[],,SI-4,mitigates,6 +3870,,T1558.004,AS-REP Roasting,[],[],,SI-4,mitigates,6 +3871,,T1559,Inter-Process Communication,[],[],,SI-4,mitigates,6 +3872,,T1559.001,Component Object Model,[],[],,SI-4,mitigates,6 +3873,,T1559.002,Dynamic Data Exchange,[],[],,SI-4,mitigates,6 +3874,,T1560,Archive Collected Data,[],[],,SI-4,mitigates,6 +3875,,T1560.001,Archive via Utility,[],[],,SI-4,mitigates,6 
+3876,,T1561,Disk Wipe,[],[],,SI-4,mitigates,6 +3877,,T1561.001,Disk Content Wipe,[],[],,SI-4,mitigates,6 +3878,,T1561.002,Disk Structure Wipe,[],[],,SI-4,mitigates,6 +3879,,T1562,Impair Defenses,[],[],,SI-4,mitigates,6 +3880,,T1562.001,Disable or Modify Tools,[],[],,SI-4,mitigates,6 +3881,,T1562.002,Disable Windows Event Logging,[],[],,SI-4,mitigates,6 +3882,,T1562.003,Impair Command History Logging,[],[],,SI-4,mitigates,6 +3883,,T1562.004,Disable or Modify System Firewall,[],[],,SI-4,mitigates,6 +3884,,T1562.006,Indicator Blocking,[],[],,SI-4,mitigates,6 +3885,,T1563,Remote Service Session Hijacking,[],[],,SI-4,mitigates,6 +3886,,T1563.001,SSH Hijacking,[],[],,SI-4,mitigates,6 +3887,,T1563.002,RDP Hijacking,[],[],,SI-4,mitigates,6 +3888,,T1564.002,Hidden Users,[],[],,SI-4,mitigates,6 +3889,,T1564.004,NTFS File Attributes,[],[],,SI-4,mitigates,6 +3890,,T1564.006,Run Virtual Instance,[],[],,SI-4,mitigates,6 +3891,,T1564.007,VBA Stomping,[],[],,SI-4,mitigates,6 +3892,,T1565,Data Manipulation,[],[],,SI-4,mitigates,6 +3893,,T1565.001,Stored Data Manipulation,[],[],,SI-4,mitigates,6 +3894,,T1565.002,Transmitted Data Manipulation,[],[],,SI-4,mitigates,6 +3895,,T1565.003,Runtime Data Manipulation,[],[],,SI-4,mitigates,6 +3896,,T1566,Phishing,[],[],,SI-4,mitigates,6 +3897,,T1566.001,Spearphishing Attachment,[],[],,SI-4,mitigates,6 +3898,,T1566.002,Spearphishing Link,[],[],,SI-4,mitigates,6 +3899,,T1566.003,Spearphishing via Service,[],[],,SI-4,mitigates,6 +3900,,T1568,Dynamic Resolution,[],[],,SI-4,mitigates,6 +3901,,T1568.002,Domain Generation Algorithms,[],[],,SI-4,mitigates,6 +3902,,T1569,System Services,[],[],,SI-4,mitigates,6 +3903,,T1569.002,Service Execution,[],[],,SI-4,mitigates,6 +3904,,T1570,Lateral Tool Transfer,[],[],,SI-4,mitigates,6 +3905,,T1571,Non-Standard Port,[],[],,SI-4,mitigates,6 +3906,,T1572,Protocol Tunneling,[],[],,SI-4,mitigates,6 +3907,,T1573,Encrypted Channel,[],[],,SI-4,mitigates,6 +3908,,T1573.001,Symmetric Cryptography,[],[],,SI-4,mitigates,6 
+3909,,T1573.002,Asymmetric Cryptography,[],[],,SI-4,mitigates,6 +3910,,T1574,Hijack Execution Flow,[],[],,SI-4,mitigates,6 +3911,,T1574.001,DLL Search Order Hijacking,[],[],,SI-4,mitigates,6 +3912,,T1574.002,DLL Side-Loading,[],[],,SI-4,mitigates,6 +3913,,T1574.004,Dylib Hijacking,[],[],,SI-4,mitigates,6 +3914,,T1574.005,Executable Installer File Permissions Weakness,[],[],,SI-4,mitigates,6 +3915,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-4,mitigates,6 +3916,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-4,mitigates,6 +3917,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-4,mitigates,6 +3918,,T1574.010,Services File Permissions Weakness,[],[],,SI-4,mitigates,6 +3919,,T1578,Modify Cloud Compute Infrastructure,[],[],,SI-4,mitigates,6 +3920,,T1578.001,Create Snapshot,[],[],,SI-4,mitigates,6 +3921,,T1578.002,Create Cloud Instance,[],[],,SI-4,mitigates,6 +3922,,T1578.003,Delete Cloud Instance,[],[],,SI-4,mitigates,6 +3923,,T1598,Phishing for Information,[],[],,SI-4,mitigates,6 +3924,,T1598.001,Spearphishing Service,[],[],,SI-4,mitigates,6 +3925,,T1598.002,Spearphishing Attachment,[],[],,SI-4,mitigates,6 +3926,,T1598.003,Spearphishing Link,[],[],,SI-4,mitigates,6 +3927,,T1599,Network Boundary Bridging,[],[],,SI-4,mitigates,6 +3928,,T1599.001,Network Address Translation Traversal,[],[],,SI-4,mitigates,6 +3929,,T1601,Modify System Image,[],[],,SI-4,mitigates,6 +3930,,T1601.001,Patch System Image,[],[],,SI-4,mitigates,6 +3931,,T1601.002,Downgrade System Image,[],[],,SI-4,mitigates,6 +3932,,T1602,Data from Configuration Repository,[],[],,SI-4,mitigates,6 +3933,,T1602.001,SNMP (MIB Dump),[],[],,SI-4,mitigates,6 +3934,,T1602.002,Network Device Configuration Dump,[],[],,SI-4,mitigates,6 +3935,,T1068,Exploitation for Privilege Escalation,[],[],,SI-5,mitigates,6 +3936,,T1210,Exploitation of Remote Services,[],[],,SI-5,mitigates,6 +3937,,T1211,Exploitation for Defense Evasion,[],[],,SI-5,mitigates,6 +3938,,T1212,Exploitation for 
Credential Access,[],[],,SI-5,mitigates,6 +3939,,T1003,OS Credential Dumping,[],[],,SI-7,mitigates,6 +3940,,T1003.003,NTDS,[],[],,SI-7,mitigates,6 +3941,,T1020.001,Traffic Duplication,[],[],,SI-7,mitigates,6 +3942,,T1027,Obfuscated Files or Information,[],[],,SI-7,mitigates,6 +3943,,T1027.002,Software Packing,[],[],,SI-7,mitigates,6 +3944,,T1036,Masquerading,[],[],,SI-7,mitigates,6 +3945,,T1036.001,Invalid Code Signature,[],[],,SI-7,mitigates,6 +3946,,T1036.005,Match Legitimate Name or Location,[],[],,SI-7,mitigates,6 +3947,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-7,mitigates,6 +3948,,T1037.002,Logon Script (Mac),[],[],,SI-7,mitigates,6 +3949,,T1037.003,Network Logon Script,[],[],,SI-7,mitigates,6 +3950,,T1037.004,Rc.common,[],[],,SI-7,mitigates,6 +3951,,T1037.005,Startup Items,[],[],,SI-7,mitigates,6 +3952,,T1040,Network Sniffing,[],[],,SI-7,mitigates,6 +3953,,T1053.006,Systemd Timers,[],[],,SI-7,mitigates,6 +3954,,T1056.002,GUI Input Capture,[],[],,SI-7,mitigates,6 +3955,,T1059,Command and Scripting Interpreter,[],[],,SI-7,mitigates,6 +3956,,T1059.001,PowerShell,[],[],,SI-7,mitigates,6 +3957,,T1059.002,AppleScript,[],[],,SI-7,mitigates,6 +3958,,T1059.003,Windows Command Shell,[],[],,SI-7,mitigates,6 +3959,,T1059.004,Unix Shell,[],[],,SI-7,mitigates,6 +3960,,T1059.005,Visual Basic,[],[],,SI-7,mitigates,6 +3961,,T1059.006,Python,[],[],,SI-7,mitigates,6 +3962,,T1059.007,JavaScript/JScript,[],[],,SI-7,mitigates,6 +3963,,T1068,Exploitation for Privilege Escalation,[],[],,SI-7,mitigates,6 +3964,,T1070,Indicator Removal on Host,[],[],,SI-7,mitigates,6 +3965,,T1070.001,Clear Windows Event Logs,[],[],,SI-7,mitigates,6 +3966,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-7,mitigates,6 +3967,,T1070.003,Clear Command History,[],[],,SI-7,mitigates,6 +3968,,T1072,Software Deployment Tools,[],[],,SI-7,mitigates,6 +3969,,T1080,Taint Shared Content,[],[],,SI-7,mitigates,6 +3970,,T1098.001,Additional Cloud Credentials,[],[],,SI-7,mitigates,6 
+3971,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-7,mitigates,6 +3972,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-7,mitigates,6 +3973,,T1114,Email Collection,[],[],,SI-7,mitigates,6 +3974,,T1114.001,Local Email Collection,[],[],,SI-7,mitigates,6 +3975,,T1114.002,Remote Email Collection,[],[],,SI-7,mitigates,6 +3976,,T1114.003,Email Forwarding Rule,[],[],,SI-7,mitigates,6 +3977,,T1119,Automated Collection,[],[],,SI-7,mitigates,6 +3978,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-7,mitigates,6 +3979,,T1129,Shared Modules,[],[],,SI-7,mitigates,6 +3980,,T1133,External Remote Services,[],[],,SI-7,mitigates,6 +3981,,T1136,Create Account,[],[],,SI-7,mitigates,6 +3982,,T1136.001,Local Account,[],[],,SI-7,mitigates,6 +3983,,T1136.002,Domain Account,[],[],,SI-7,mitigates,6 +3984,,T1136.003,Cloud Account,[],[],,SI-7,mitigates,6 +3985,,T1176,Browser Extensions,[],[],,SI-7,mitigates,6 +3986,,T1185,Man in the Browser,[],[],,SI-7,mitigates,6 +3987,,T1189,Drive-by Compromise,[],[],,SI-7,mitigates,6 +3988,,T1190,Exploit Public-Facing Application,[],[],,SI-7,mitigates,6 +3989,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-7,mitigates,6 +3990,,T1203,Exploitation for Client Execution,[],[],,SI-7,mitigates,6 +3991,,T1204,User Execution,[],[],,SI-7,mitigates,6 +3992,,T1204.002,Malicious File,[],[],,SI-7,mitigates,6 +3993,,T1210,Exploitation of Remote Services,[],[],,SI-7,mitigates,6 +3994,,T1211,Exploitation for Defense Evasion,[],[],,SI-7,mitigates,6 +3995,,T1212,Exploitation for Credential Access,[],[],,SI-7,mitigates,6 +3996,,T1213,Data from Information Repositories,[],[],,SI-7,mitigates,6 +3997,,T1213.001,Confluence,[],[],,SI-7,mitigates,6 +3998,,T1213.002,Sharepoint,[],[],,SI-7,mitigates,6 +3999,,T1216,Signed Script Proxy Execution,[],[],,SI-7,mitigates,6 +4000,,T1216.001,PubPrn,[],[],,SI-7,mitigates,6 +4001,,T1218,Signed Binary Proxy Execution,[],[],,SI-7,mitigates,6 +4002,,T1218.001,Compiled HTML File,[],[],,SI-7,mitigates,6 
+4003,,T1218.002,Control Panel,[],[],,SI-7,mitigates,6 +4004,,T1218.003,CMSTP,[],[],,SI-7,mitigates,6 +4005,,T1218.004,InstallUtil,[],[],,SI-7,mitigates,6 +4006,,T1218.005,Mshta,[],[],,SI-7,mitigates,6 +4007,,T1218.008,Odbcconf,[],[],,SI-7,mitigates,6 +4008,,T1218.009,Regsvcs/Regasm,[],[],,SI-7,mitigates,6 +4009,,T1218.010,Regsvr32,[],[],,SI-7,mitigates,6 +4010,,T1218.011,Rundll32,[],[],,SI-7,mitigates,6 +4011,,T1218.012,Verclsid,[],[],,SI-7,mitigates,6 +4012,,T1219,Remote Access Software,[],[],,SI-7,mitigates,6 +4013,,T1220,XSL Script Processing,[],[],,SI-7,mitigates,6 +4014,,T1221,Template Injection,[],[],,SI-7,mitigates,6 +4015,,T1222,File and Directory Permissions Modification,[],[],,SI-7,mitigates,6 +4016,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-7,mitigates,6 +4017,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-7,mitigates,6 +4018,,T1485,Data Destruction,[],[],,SI-7,mitigates,6 +4019,,T1486,Data Encrypted for Impact,[],[],,SI-7,mitigates,6 +4020,,T1490,Inhibit System Recovery,[],[],,SI-7,mitigates,6 +4021,,T1491,Defacement,[],[],,SI-7,mitigates,6 +4022,,T1491.001,Internal Defacement,[],[],,SI-7,mitigates,6 +4023,,T1491.002,External Defacement,[],[],,SI-7,mitigates,6 +4024,,T1495,Firmware Corruption,[],[],,SI-7,mitigates,6 +4025,,T1505,Server Software Component,[],[],,SI-7,mitigates,6 +4026,,T1505.001,SQL Stored Procedures,[],[],,SI-7,mitigates,6 +4027,,T1505.002,Transport Agent,[],[],,SI-7,mitigates,6 +4028,,T1525,Implant Container Image,[],[],,SI-7,mitigates,6 +4029,,T1530,Data from Cloud Storage Object,[],[],,SI-7,mitigates,6 +4030,,T1542,Pre-OS Boot,[],[],,SI-7,mitigates,6 +4031,,T1542.001,System Firmware,[],[],,SI-7,mitigates,6 +4032,,T1542.003,Bootkit,[],[],,SI-7,mitigates,6 +4033,,T1542.004,ROMMONkit,[],[],,SI-7,mitigates,6 +4034,,T1542.005,TFTP Boot,[],[],,SI-7,mitigates,6 +4035,,T1543,Create or Modify System Process,[],[],,SI-7,mitigates,6 +4036,,T1543.002,Systemd 
Service,[],[],,SI-7,mitigates,6 +4037,,T1546,Event Triggered Execution,[],[],,SI-7,mitigates,6 +4038,,T1546.002,Screensaver,[],[],,SI-7,mitigates,6 +4039,,T1546.004,.bash_profile and .bashrc,[],[],,SI-7,mitigates,6 +4040,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-7,mitigates,6 +4041,,T1546.008,Accessibility Features,[],[],,SI-7,mitigates,6 +4042,,T1546.009,AppCert DLLs,[],[],,SI-7,mitigates,6 +4043,,T1546.010,AppInit DLLs,[],[],,SI-7,mitigates,6 +4044,,T1546.013,PowerShell Profile,[],[],,SI-7,mitigates,6 +4045,,T1547.002,Authentication Package,[],[],,SI-7,mitigates,6 +4046,,T1547.003,Time Providers,[],[],,SI-7,mitigates,6 +4047,,T1547.004,Winlogon Helper DLL,[],[],,SI-7,mitigates,6 +4048,,T1547.005,Security Support Provider,[],[],,SI-7,mitigates,6 +4049,,T1547.006,Kernel Modules and Extensions,[],[],,SI-7,mitigates,6 +4050,,T1547.008,LSASS Driver,[],[],,SI-7,mitigates,6 +4051,,T1547.011,Plist Modification,[],[],,SI-7,mitigates,6 +4052,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-7,mitigates,6 +4053,,T1548.004,Elevated Execution with Prompt,[],[],,SI-7,mitigates,6 +4054,,T1550.001,Application Access Token,[],[],,SI-7,mitigates,6 +4055,,T1550.004,Web Session Cookie,[],[],,SI-7,mitigates,6 +4056,,T1552,Unsecured Credentials,[],[],,SI-7,mitigates,6 +4057,,T1552.004,Private Keys,[],[],,SI-7,mitigates,6 +4058,,T1553,Subvert Trust Controls,[],[],,SI-7,mitigates,6 +4059,,T1553.001,Gatekeeper Bypass,[],[],,SI-7,mitigates,6 +4060,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-7,mitigates,6 +4061,,T1554,Compromise Client Software Binary,[],[],,SI-7,mitigates,6 +4062,,T1556,Modify Authentication Process,[],[],,SI-7,mitigates,6 +4063,,T1556.001,Domain Controller Authentication,[],[],,SI-7,mitigates,6 +4064,,T1556.003,Pluggable Authentication Modules,[],[],,SI-7,mitigates,6 +4065,,T1556.004,Network Device Authentication,[],[],,SI-7,mitigates,6 +4066,,T1557,Man-in-the-Middle,[],[],,SI-7,mitigates,6 +4067,,T1557.002,ARP Cache Poisoning,[],[],,SI-7,mitigates,6 
+4068,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-7,mitigates,6 +4069,,T1558.002,Silver Ticket,[],[],,SI-7,mitigates,6 +4070,,T1558.003,Kerberoasting,[],[],,SI-7,mitigates,6 +4071,,T1558.004,AS-REP Roasting,[],[],,SI-7,mitigates,6 +4072,,T1559,Inter-Process Communication,[],[],,SI-7,mitigates,6 +4073,,T1559.001,Component Object Model,[],[],,SI-7,mitigates,6 +4074,,T1561,Disk Wipe,[],[],,SI-7,mitigates,6 +4075,,T1561.001,Disk Content Wipe,[],[],,SI-7,mitigates,6 +4076,,T1561.002,Disk Structure Wipe,[],[],,SI-7,mitigates,6 +4077,,T1562,Impair Defenses,[],[],,SI-7,mitigates,6 +4078,,T1562.001,Disable or Modify Tools,[],[],,SI-7,mitigates,6 +4079,,T1562.002,Disable Windows Event Logging,[],[],,SI-7,mitigates,6 +4080,,T1562.004,Disable or Modify System Firewall,[],[],,SI-7,mitigates,6 +4081,,T1562.006,Indicator Blocking,[],[],,SI-7,mitigates,6 +4082,,T1564.003,Hidden Window,[],[],,SI-7,mitigates,6 +4083,,T1564.004,NTFS File Attributes,[],[],,SI-7,mitigates,6 +4084,,T1564.006,Run Virtual Instance,[],[],,SI-7,mitigates,6 +4085,,T1565,Data Manipulation,[],[],,SI-7,mitigates,6 +4086,,T1565.001,Stored Data Manipulation,[],[],,SI-7,mitigates,6 +4087,,T1565.002,Transmitted Data Manipulation,[],[],,SI-7,mitigates,6 +4088,,T1569,System Services,[],[],,SI-7,mitigates,6 +4089,,T1569.002,Service Execution,[],[],,SI-7,mitigates,6 +4090,,T1574,Hijack Execution Flow,[],[],,SI-7,mitigates,6 +4091,,T1574.001,DLL Search Order Hijacking,[],[],,SI-7,mitigates,6 +4092,,T1574.002,DLL Side-Loading,[],[],,SI-7,mitigates,6 +4093,,T1574.004,Dylib Hijacking,[],[],,SI-7,mitigates,6 +4094,,T1574.006,LD_PRELOAD,[],[],,SI-7,mitigates,6 +4095,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-7,mitigates,6 +4096,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-7,mitigates,6 +4097,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-7,mitigates,6 +4098,,T1574.012,COR_PROFILER,[],[],,SI-7,mitigates,6 +4099,,T1599,Network Boundary Bridging,[],[],,SI-7,mitigates,6 
+4100,,T1599.001,Network Address Translation Traversal,[],[],,SI-7,mitigates,6 +4101,,T1601,Modify System Image,[],[],,SI-7,mitigates,6 +4102,,T1601.001,Patch System Image,[],[],,SI-7,mitigates,6 +4103,,T1601.002,Downgrade System Image,[],[],,SI-7,mitigates,6 +4104,,T1602,Data from Configuration Repository,[],[],,SI-7,mitigates,6 +4105,,T1602.001,SNMP (MIB Dump),[],[],,SI-7,mitigates,6 +4106,,T1602.002,Network Device Configuration Dump,[],[],,SI-7,mitigates,6 +4107,,T1204,User Execution,[],[],,SI-8,mitigates,6 +4108,,T1204.001,Malicious Link,[],[],,SI-8,mitigates,6 +4109,,T1204.002,Malicious File,[],[],,SI-8,mitigates,6 +4110,,T1221,Template Injection,[],[],,SI-8,mitigates,6 +4111,,T1566,Phishing,[],[],,SI-8,mitigates,6 +4112,,T1566.001,Spearphishing Attachment,[],[],,SI-8,mitigates,6 +4113,,T1566.002,Spearphishing Link,[],[],,SI-8,mitigates,6 +4114,,T1566.003,Spearphishing via Service,[],[],,SI-8,mitigates,6 +4115,,T1598,Phishing for Information,[],[],,SI-8,mitigates,6 +4116,,T1598.001,Spearphishing Service,[],[],,SI-8,mitigates,6 +4117,,T1598.002,Spearphishing Attachment,[],[],,SI-8,mitigates,6 +4118,,T1598.003,Spearphishing Link,[],[],,SI-8,mitigates,6 diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_metadata.csv new file mode 100644 index 00000000..2f7c5f1a --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r4,8.2,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,6 
diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_metadata_object.csv b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_metadata_object.csv new file mode 100644 index 00000000..2f7c5f1a --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_metadata_object.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r4,8.2,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,6 diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_navigator_layer.json index 63f40ceb..2df950ff 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_navigator_layer.json +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r4/parsed_nist800-53-r4-8.2_mappings_navigator_layer.json 
@@ -1 +1 @@ -{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "8.2"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 9, "comment": "Related to Concurrent Session Control, Remote Access, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1137.002", "score": 6, "comment": "Related to Concurrent Session Control, Permitted Actions Without Identification Or Authentication, Remote Access, Least Privilege, Baseline Configuration, Access Restrictions For Change"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to Concurrent Session Control, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information System Monitoring"}, {"techniqueID": "T1021.001", "score": 23, "comment": "Related to Session Lock, Session Termination, Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, 
Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1563.002", "score": 17, "comment": "Related to Session Lock, Session Termination, Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1072", "score": 22, "comment": "Related to Session Termination, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Key Establishment And Management, Public Key Infrastructure Certificates, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1003", "score": 21, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Backup, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1003.003", "score": 
18, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Backup, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1020.001", "score": 12, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": 
"T1070.001", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.002", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": 
"T1114.002", "score": 13, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.003", "score": 9, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1119", "score": 16, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, 
Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222.001", "score": 
11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Authenticator Management, Authenticator Feedback, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Input Validation, Information Handling And Retention, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to Security Attributes, Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least 
Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Identification And Authentication (Non-Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to Security Attributes, Access Enforcement, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1547.011", "score": 10, "comment": "Related to Security Attributes, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Mobile Code, Non-Modifiable Executable Programs, Information Handling And Retention, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, 
Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1550.001", "score": 13, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Software Usage Restrictions, User-Installed Software, Baseline Configuration, Configuration Settings, Protection Of Information At Rest, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Input Validation, Information Handling And Retention, Information Output Filtering, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication 
(Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to Security Attributes, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Device Identification And Authentication, Identifier Management, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1557", "score": 23, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1557.002", "score": 23, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Information In Shared Resources, 
Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, 
Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to Security Attributes, Access Enforcement, Continuous Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565", "score": 24, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Information System Recovery And Reconstitution, Alternate Storage Site, Alternate Processing Site, Information System Backup, Protection Of Information At Rest, Distributed Processing And Storage, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Memory Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.001", "score": 22, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System 
Component Inventory, Information System Recovery And Reconstitution, Alternate Storage Site, Alternate Processing Site, Information System Backup, Protection Of Information At Rest, Distributed Processing And Storage, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Memory Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component 
Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational 
Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1021.003", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1021.006", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least 
Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to Remote Access, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to Remote Access, Least Functionality"}, {"techniqueID": "T1047", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1133", "score": 17, "comment": "Related to Remote Access, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to Remote Access, Account 
Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Unsupported System Components, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1563", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Cryptographic Key Establishment And Management, Session 
Authenticity, Information System Monitoring"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to Wireless Access, Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to Wireless Access, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to Account Management, Access Enforcement, Information 
Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, 
Service Identification And Authentication, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1053", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information 
System Monitoring"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.004", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, 
Configuration Settings, Identification And Authentication (Organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1059", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.008", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identification And 
Authentication (Non-Organizational Users)"}, {"techniqueID": "T1068", "score": 23, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1078", "score": 23, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information Security Architecture, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to Account Management, Separation Of Duties, Least Privilege, Continuous Monitoring, Developer Configuration Management, Developer Security Testing And Evaluation, Development 
Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.002", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1078.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.004", "score": 21, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, 
{"techniqueID": "T1087.004", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1098", "score": 11, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1098.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to Account Management, Use Of External 
Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication 
(Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1136", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information 
Integrity"}, {"techniqueID": "T1136.002", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.003", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1185", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1190", "score": 27, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Security Assessments, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Security Engineering Principles, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary 
Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1210", "score": 30, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Security Assessments, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1212", "score": 23, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information 
System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.007", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1489", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational 
Users), Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.002", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Information 
System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, 
Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of 
Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Unsupported System Components, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.004", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1546.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1547.004", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.006", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.009", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1547.012", "score": 6, "comment": "Related to Account 
Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1550", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information System Monitoring"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Flaw Remediation"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to Account Management, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability 
Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1552.002", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Information System Monitoring"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to Account Management, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1556", "score": 15, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Process Isolation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, 
Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Process Isolation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management"}, {"techniqueID": "T1559", "score": 21, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Software Usage Restrictions, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code 
Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1559.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.004", 
"score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.006", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Transmission Confidentiality And Integrity, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Access Restrictions For Change, Identification 
And Authentication (Organizational Users)"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.005", "score": 12, "comment": 
"Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, 
Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1580", "score": 5, 
"comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System 
Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601.001", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601.002", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Developer Security Testing And Evaluation, Developer Security Architecture And Design, Acquisition Process, Security Engineering Principles, Security Function Isolation"}, {"techniqueID": "T1200", "score": 
5, "comment": "Related to Use Of External Information Systems, Access Enforcement, Least Privilege, Media Use, Port And I/O Device Access"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to Use Of External Information Systems, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, 
{"techniqueID": "T1048", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.001", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.002", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.003", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1052", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Media Use, Vulnerability Scanning, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1052.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Media Use, Vulnerability Scanning, Port And I/O Device Access, Malicious Code Protection, Information System 
Monitoring"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Mobile Code, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Least Functionality, Information In Shared Resources, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to Access Enforcement, Least 
Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Media Use, Vulnerability Scanning, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to Access Enforcement, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Cryptographic Key Establishment And Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1199", "score": 7, "comment": "Related to Access Enforcement, Information Flow Enforcement, Least Privilege, System Use Notification, Configuration Settings, Least Functionality, Boundary Protection"}, {"techniqueID": "T1205", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1218.002", "score": 9, 
"comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.012", "score": 13, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Storage Site, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, 
Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.001", 
"score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Cryptographic Module Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information 
System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline 
Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.003", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Information System Backup, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Memory Protection, Information System Monitoring"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, 
Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1041", "score": 5, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1046", "score": 10, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous 
Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution 
Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information 
System Monitoring"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Unsupported System Components, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Information System Component Inventory, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": 
"T1204", "score": 13, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1211", "score": 22, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1482", "score": 10, "comment": "Related to Information Flow Enforcement, Penetration Testing, Configuration Settings, Least Functionality, Information Security Architecture, Vulnerability Scanning, Trustworthiness, Developer Security Architecture And Design, Security Engineering 
Principles, Boundary Protection"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1566", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name / Address Resolution Service 
(Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1598", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation 
Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to 
Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1059.006", "score": 10, "comment": "Related to Least Privilege, User-Installed Software, Configuration Change Control, Access Restrictions For Change, Least Functionality, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Least Privilege, Least Functionality"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Vulnerability Scanning, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to Least Privilege, Flaw Remediation"}, {"techniqueID": "T1553", "score": 9, "comment": "Related to Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to Least Privilege, Access Restrictions For Change"}, {"techniqueID": "T1195", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, 
{"techniqueID": "T1195.001", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.002", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to Continuous Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1555", "score": 3, "comment": 
"Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to Penetration Testing, Configuration Change Control, Access Restrictions For Change, Information System Component Inventory, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1554", "score": 7, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Supply Chain Protection, Component Authenticity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And 
Information Integrity"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Information System Monitoring"}, {"techniqueID": "T1036.001", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification And Authentication, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.002", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Supply Chain Protection, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.005", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.007", "score": 10, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Media Use, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, 
Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1137.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.001", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Mobile Code, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.003", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.004", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input 
Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.005", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.008", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.009", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification And Authentication, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.006", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Service Identification And 
Authentication, Supply Chain Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.010", "score": 3, "comment": "Related to Baseline Configuration, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Scanning, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Mobile Code, Non-Modifiable Executable Programs, Information Handling And Retention, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to Baseline 
Configuration, Configuration Settings, Information System Component Inventory, Information System Monitoring"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1059.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.004", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, 
Firmware, And Information Integrity"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to Least Functionality"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.006", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to Session Authenticity"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to Session Authenticity, Transmission Confidentiality And Integrity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to Transmission Confidentiality And Integrity"}, {"techniqueID": "T1027", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1137.003", "score": 1, "comment": "Related to Flaw Remediation"}, {"techniqueID": "T1137.004", "score": 1, "comment": "Related to Flaw Remediation"}, {"techniqueID": "T1137.005", "score": 1, "comment": "Related to Flaw Remediation"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file +{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "8.2"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": 
"T1137", "score": 9, "comment": "Related to AC-10, AC-17, CM-2, CM-6, CM-8, RA-5, SI-2, SI-3, SI-4"}, {"techniqueID": "T1137.002", "score": 6, "comment": "Related to AC-10, AC-14, AC-17, AC-6, CM-2, CM-5"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to AC-10, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1021.001", "score": 23, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-5, IA-6, RA-5, SC-7, SI-4"}, {"techniqueID": "T1563.002", "score": 17, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-7, SI-4"}, {"techniqueID": "T1072", "score": 22, "comment": "Related to AC-12, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, SC-12, SC-17, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CP-9, IA-2, IA-4, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CP-9, IA-2, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1020.001", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to AC-16, AC-17, AC-18, AC-19, IA-2, IA-5, SC-4, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1070", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.001", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, 
{"techniqueID": "T1070.002", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.003", "score": 9, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1119", "score": 16, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1530", "score": 33, "comment": 
"Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8, RA-5, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-4, SI-7"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to AC-16, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-8, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to AC-16, AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.011", "score": 10, "comment": "Related to AC-16, AC-3, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, SI-4, SI-7"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1550.001", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, CM-10, CM-11, CM-2, CM-6, SC-28, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-2, SI-4, SI-7"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to AC-16, AC-20, AC-3, AC-4, CA-7, CM-6, CM-7, IA-3, IA-4, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1557", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, 
SI-7"}, {"techniqueID": "T1557.002", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to AC-16, AC-3, CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565", "score": 24, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-4, SI-7"}, {"techniqueID": "T1565.001", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, CA-7, CM-2, CM-6, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-4, SI-7"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, 
CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1021.003", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-7, SI-3, SI-4"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, CM-8, IA-2, IA-5, RA-5, SI-4"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1021.006", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-7, SI-4"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to AC-17, AC-3, CA-7, CM-2, CM-6, CM-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to AC-17, CM-7"}, {"techniqueID": "T1047", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1133", "score": 17, "comment": "Related to AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to AC-17, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543", "score": 21, "comment": 
"Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1563", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-4"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SC-23, SI-4"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to AC-18, CM-6, CM-7, SI-4"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to AC-18, CM-2, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1003.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1036", 
"score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1053", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.004", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1059", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-8, IA-2, 
IA-8, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.008", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-8"}, {"techniqueID": "T1068", "score": 23, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1078", "score": 23, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, PL-8, RA-5, SA-10, SA-11, SA-12, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to AC-2, AC-5, AC-6, CA-7, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1078.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.004", "score": 21, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1098", "score": 11, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1098.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, 
IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1136", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1136.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1185", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1190", "score": 27, "comment": "Related to AC-2, 
AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-5, SA-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1210", "score": 30, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1212", "score": 23, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1218", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.007", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1489", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, SA-10, SA-11, SA-14, SI-2, SI-7"}, {"techniqueID": "T1505", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SI-4, SI-7"}, {"techniqueID": "T1505.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SI-4, SI-7"}, {"techniqueID": "T1505.002", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SI-4, 
SI-7"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-7"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-8, RA-5, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1543.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.004", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1546.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1547.004", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1547.006", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.009", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1547.012", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": 
"T1548.002", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-2, SI-4"}, {"techniqueID": "T1550", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SI-2"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to AC-2, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-4"}, {"techniqueID": "T1552.002", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SI-4"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to AC-2, AC-5, AC-6, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SI-2, SI-4"}, {"techniqueID": "T1556", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, CM-7, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5"}, {"techniqueID": "T1559", "score": 21, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-10, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1559.001", "score": 16, "comment": "Related to AC-2, AC-3, 
AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5, SC-18, SC-3, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.006", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, SC-8, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-6, CM-8, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, 
AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1601", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, 
{"techniqueID": "T1601.001", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1601.002", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to AC-20, AC-3, AC-4, AC-5, AC-6, CM-2, CM-6, SA-11, SA-17, SA-4, SA-8, SC-3"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to AC-20, AC-3, AC-6, MP-7, SC-41"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to AC-20, AC-3, AC-6, CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1048", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.001", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.002", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.003", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, 
{"techniqueID": "T1052", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1052.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to AC-3, AC-6, CA-7, SC-18, SC-7, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to AC-3, CA-7, CM-2, CM-7, SC-4, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to AC-3, CM-2, CM-6, CM-7, CM-8, RA-5, SC-12, SI-3, SI-4"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1199", "score": 7, "comment": "Related to AC-3, AC-4, AC-6, AC-8, CM-6, CM-7, SC-7"}, {"techniqueID": "T1205", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1218.002", "score": 9, "comment": "Related to AC-3, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.012", "score": 13, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, 
SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-6, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-7, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to AC-3, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, RA-5, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1546.004", "score": 8, "comment": 
"Related to AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-10, CM-2, CM-6, IA-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-5, CM-6, SI-4, SI-7"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565.003", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, CP-9, SC-28, SC-4, SC-7, SI-16, SI-4"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, 
SI-3, SI-4"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1041", "score": 5, "comment": "Related to AC-4, CA-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1046", "score": 10, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, 
{"techniqueID": "T1132.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to AC-4, AC-6, CA-7, CM-2, CM-6, CM-8, SA-22, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to AC-4, AC-6, CA-7, CM-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1211", "score": 22, "comment": "Related to AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1482", "score": 10, "comment": "Related to AC-4, CA-8, CM-6, CM-7, PL-8, RA-5, SA-13, SA-17, SA-8, SC-7"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to AC-4, AC-6, CM-10, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1566", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.002", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, 
{"techniqueID": "T1568.002", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1598", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.002", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.003", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, 
{"techniqueID": "T1059.006", "score": 10, "comment": "Related to AC-6, CM-11, CM-3, CM-5, CM-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to AC-6, CM-7"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, RA-5, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to AC-6, SI-2"}, {"techniqueID": "T1553", "score": 9, "comment": "Related to AC-6, CM-10, CM-2, CM-6, CM-7, IA-9, SI-10, SI-4, SI-7"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to AC-6, CM-5"}, {"techniqueID": "T1195", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.001", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.002", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to CA-8, CM-3, CM-5, CM-8, IA-7, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1554", "score": 7, 
"comment": "Related to CA-8, CM-2, CM-6, IA-9, SA-12, SA-19, SI-7"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, CM-7, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, IA-9, SC-20, SI-4"}, {"techniqueID": "T1036.001", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1059.002", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, IA-9, SA-12, SI-10, SI-7"}, {"techniqueID": "T1059.005", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.007", "score": 10, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SI-3, SI-4"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-4"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1137.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.001", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, SC-18, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.003", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, 
{"techniqueID": "T1218.004", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.005", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.008", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.009", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.006", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, IA-9, SA-12, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.010", "score": 3, "comment": "Related to CM-2, SI-2, SI-7"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to CM-2, CM-6, RA-5, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to CM-2, CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to CM-2, CM-6, CM-8, SI-4"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1135", 
"score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to CM-6, CM-7, SC-28, SI-4"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1059.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1059.004", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to CM-7"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1574.006", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to SC-23"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to SC-23, SC-8, SI-7"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to SC-8"}, {"techniqueID": "T1027", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1137.003", "score": 1, "comment": "Related to SI-2"}, {"techniqueID": "T1137.004", "score": 1, "comment": "Related to SI-2"}, {"techniqueID": "T1137.005", "score": 1, "comment": "Related to SI-2"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file 
diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings.yaml b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings.yaml index abb82646..62559a05 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings.yaml @@ -1,7 +1,7 @@ attack-objects: - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -9,7 +9,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -17,7 +17,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25,7 +25,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Device Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33,7 +33,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Device Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -41,7 +41,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -49,7 +49,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -57,7 +57,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -65,7 +65,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Permitted Actions Without Identification or Authentication + capability-id: AC-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -73,7 +73,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -81,7 +81,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -89,7 +89,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -97,7 +97,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -105,7 +105,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -113,7 +113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -121,7 +121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -129,7 +129,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -137,7 +137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -145,7 +145,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -153,7 +153,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -161,7 +161,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -169,7 +169,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -177,7 +177,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -185,7 +185,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -193,7 +193,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -201,7 +201,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -209,7 +209,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -217,7 +217,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -225,7 +225,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -233,7 +233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -241,7 +241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -249,7 +249,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -257,7 +257,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -265,7 +265,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -273,7 +273,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -281,7 +281,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -289,7 +289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -297,7 +297,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -305,7 +305,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -313,7 +313,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -321,7 +321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -329,7 +329,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -337,7 +337,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -345,7 +345,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -353,7 +353,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -361,7 +361,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -369,7 +369,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -377,7 +377,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -385,7 +385,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -393,7 +393,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -401,7 +401,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -409,7 +409,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -417,7 +417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -425,7 +425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -433,7 +433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -441,7 +441,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -449,7 +449,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -457,7 +457,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -465,7 +465,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -473,7 +473,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -481,7 +481,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -489,7 +489,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -497,7 +497,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -505,7 +505,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -513,7 +513,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -521,7 +521,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -529,7 +529,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -537,7 +537,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -545,7 +545,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -553,7 +553,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -561,7 +561,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -569,7 +569,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -577,7 +577,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -585,7 +585,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -593,7 +593,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -601,7 +601,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -609,7 +609,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -617,7 +617,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -625,7 +625,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -633,7 +633,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -641,7 +641,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -649,7 +649,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -657,7 +657,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -665,7 +665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -673,7 +673,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -681,7 +681,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -689,7 +689,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -697,7 +697,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -705,7 +705,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -713,7 +713,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -721,7 +721,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -729,7 +729,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -737,7 +737,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -745,7 +745,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -753,7 +753,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -761,7 +761,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -769,7 +769,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -777,7 +777,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -785,7 +785,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -793,7 +793,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -801,7 +801,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -809,7 +809,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -817,7 +817,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -825,7 +825,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -833,7 +833,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -841,7 +841,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -849,7 +849,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -857,7 +857,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -865,7 +865,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -873,7 +873,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -881,7 +881,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -889,7 +889,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -897,7 +897,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -905,7 +905,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -913,7 +913,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -921,7 +921,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -929,7 +929,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -937,7 +937,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -945,7 +945,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -953,7 +953,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -961,7 +961,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -969,7 +969,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -977,7 +977,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -985,7 +985,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -993,7 +993,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1001,7 +1001,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1009,7 +1009,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1017,7 +1017,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1025,7 +1025,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1033,7 +1033,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1041,7 +1041,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1049,7 +1049,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1057,7 +1057,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1065,7 +1065,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1073,7 +1073,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1081,7 +1081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1089,7 +1089,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1097,7 +1097,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1105,7 +1105,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1113,7 +1113,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1121,7 +1121,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1129,7 +1129,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1137,7 +1137,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1145,7 +1145,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1153,7 +1153,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1161,7 +1161,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1169,7 +1169,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1177,7 +1177,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1185,7 +1185,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1193,7 +1193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1201,7 +1201,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1209,7 +1209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1217,7 +1217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1225,7 +1225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1233,7 +1233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1241,7 +1241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1249,7 +1249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1257,7 +1257,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1265,7 +1265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1273,7 +1273,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1281,7 +1281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1289,7 +1289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1297,7 +1297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1305,7 +1305,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1313,7 +1313,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1321,7 +1321,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1329,7 +1329,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1337,7 +1337,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1345,7 +1345,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1353,7 +1353,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1361,7 +1361,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1369,7 +1369,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1377,7 +1377,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1385,7 +1385,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1393,7 +1393,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1401,7 +1401,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1409,7 +1409,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1417,7 +1417,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1425,7 +1425,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1433,7 +1433,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1441,7 +1441,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1449,7 +1449,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1457,7 +1457,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1465,7 +1465,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1473,7 +1473,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1481,7 +1481,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1489,7 +1489,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1497,7 +1497,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1505,7 +1505,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1513,7 +1513,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1521,7 +1521,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1529,7 +1529,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1537,7 +1537,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1545,7 +1545,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1553,7 +1553,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1561,7 +1561,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1569,7 +1569,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1577,7 +1577,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1585,7 +1585,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1593,7 +1593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1601,7 +1601,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1609,7 +1609,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1617,7 +1617,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1625,7 +1625,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1633,7 +1633,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1641,7 +1641,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1649,7 +1649,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1657,7 +1657,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1665,7 +1665,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1673,7 +1673,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1681,7 +1681,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1689,7 +1689,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1697,7 +1697,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1705,7 +1705,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1713,7 +1713,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1721,7 +1721,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1729,7 +1729,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1737,7 +1737,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1745,7 +1745,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1753,7 +1753,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1761,7 +1761,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1769,7 +1769,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1777,7 +1777,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1785,7 +1785,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1793,7 +1793,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1801,7 +1801,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1809,7 +1809,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1817,7 +1817,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1825,7 +1825,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1833,7 +1833,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1841,7 +1841,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1849,7 +1849,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1857,7 +1857,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1865,7 +1865,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1873,7 +1873,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1881,7 +1881,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1889,7 +1889,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1897,7 +1897,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1905,7 +1905,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1913,7 +1913,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1921,7 +1921,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1929,7 +1929,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1937,7 +1937,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1945,7 +1945,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1953,7 +1953,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1961,7 +1961,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1969,7 +1969,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1977,7 +1977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1985,7 +1985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1993,7 +1993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2001,7 +2001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2009,7 +2009,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2017,7 +2017,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2025,7 +2025,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2033,7 +2033,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2041,7 +2041,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2049,7 +2049,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2057,7 +2057,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2065,7 +2065,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2073,7 +2073,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2081,7 +2081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2089,7 +2089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2097,7 +2097,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2105,7 +2105,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2113,7 +2113,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2121,7 +2121,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2129,7 +2129,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2137,7 +2137,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2145,7 +2145,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2153,7 +2153,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2161,7 +2161,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2169,7 +2169,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2177,7 +2177,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2185,7 +2185,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2193,7 +2193,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2201,7 +2201,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2209,7 +2209,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2217,7 +2217,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2225,7 +2225,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2233,7 +2233,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2241,7 +2241,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2249,7 +2249,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2257,7 +2257,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2265,7 +2265,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2273,7 +2273,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2281,7 +2281,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2289,7 +2289,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2297,7 +2297,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2305,7 +2305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2313,7 +2313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2321,7 +2321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2329,7 +2329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2337,7 +2337,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2345,7 +2345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2353,7 +2353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2361,7 +2361,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2369,7 +2369,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2377,7 +2377,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2385,7 +2385,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2393,7 +2393,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2401,7 +2401,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2409,7 +2409,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2417,7 +2417,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2425,7 +2425,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2433,7 +2433,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2441,7 +2441,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2449,7 +2449,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2457,7 +2457,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2465,7 +2465,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2473,7 +2473,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2481,7 +2481,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2489,7 +2489,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2497,7 +2497,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2505,7 +2505,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2513,7 +2513,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2521,7 +2521,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2529,7 +2529,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2537,7 +2537,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2545,7 +2545,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2553,7 +2553,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2561,7 +2561,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2569,7 +2569,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2577,7 +2577,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2585,7 +2585,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2593,7 +2593,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2601,7 +2601,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2609,7 +2609,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2617,7 +2617,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2625,7 +2625,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2633,7 +2633,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2641,7 +2641,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2649,7 +2649,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2657,7 +2657,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2665,7 +2665,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2673,7 +2673,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2681,7 +2681,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2689,7 +2689,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2697,7 +2697,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2705,7 +2705,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2713,7 +2713,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2721,7 +2721,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2729,7 +2729,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2737,7 +2737,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2745,7 +2745,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2753,7 +2753,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2761,7 +2761,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2769,7 +2769,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2777,7 +2777,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2785,7 +2785,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2793,7 +2793,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2801,7 +2801,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2809,7 +2809,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2817,7 +2817,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2825,7 +2825,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2833,7 +2833,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2841,7 +2841,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2849,7 +2849,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2857,7 +2857,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -2865,7 +2865,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -2873,7 +2873,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -2881,7 +2881,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2889,7 +2889,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2897,7 +2897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2905,7 +2905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2913,7 +2913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2921,7 +2921,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2929,7 +2929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2937,7 +2937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2945,7 +2945,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2953,7 +2953,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2961,7 +2961,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2969,7 +2969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2977,7 +2977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2985,7 +2985,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -2993,7 +2993,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3001,7 +3001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3009,7 +3009,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3017,7 +3017,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3025,7 +3025,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3033,7 +3033,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3041,7 +3041,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3049,7 +3049,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3057,7 +3057,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3065,7 +3065,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3073,7 +3073,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3081,7 +3081,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3089,7 +3089,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3097,7 +3097,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3105,7 +3105,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3113,7 +3113,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3121,7 +3121,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3129,7 +3129,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3137,7 +3137,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3145,7 +3145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3153,7 +3153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3161,7 +3161,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3169,7 +3169,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3177,7 +3177,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3185,7 +3185,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3193,7 +3193,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3201,7 +3201,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3209,7 +3209,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3217,7 +3217,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3225,7 +3225,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3233,7 +3233,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3241,7 +3241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3249,7 +3249,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3257,7 +3257,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3265,7 +3265,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3273,7 +3273,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3281,7 +3281,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3289,7 +3289,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3297,7 +3297,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3305,7 +3305,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3313,7 +3313,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3321,7 +3321,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3329,7 +3329,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3337,7 +3337,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3345,7 +3345,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3353,7 +3353,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3361,7 +3361,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3369,7 +3369,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3377,7 +3377,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3385,7 +3385,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3393,7 +3393,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3401,7 +3401,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3409,7 +3409,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3417,7 +3417,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3425,7 +3425,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3433,7 +3433,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3441,7 +3441,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3449,7 +3449,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3457,7 +3457,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3465,7 +3465,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3473,7 +3473,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3481,7 +3481,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3489,7 +3489,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3497,7 +3497,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3505,7 +3505,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3513,7 +3513,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3521,7 +3521,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3529,7 +3529,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3537,7 +3537,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3545,7 +3545,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3553,7 +3553,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3561,7 +3561,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3569,7 +3569,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3577,7 +3577,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3585,7 +3585,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3593,7 +3593,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3601,7 +3601,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3609,7 +3609,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3617,7 +3617,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3625,7 +3625,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3633,7 +3633,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3641,7 +3641,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3649,7 +3649,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3657,7 +3657,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3665,7 +3665,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3673,7 +3673,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3681,7 +3681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3689,7 +3689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3697,7 +3697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3705,7 +3705,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3713,7 +3713,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3721,7 +3721,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3729,7 +3729,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3737,7 +3737,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3745,7 +3745,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3753,7 +3753,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3761,7 +3761,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3769,7 +3769,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3777,7 +3777,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3785,7 +3785,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3793,7 +3793,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3801,7 +3801,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3809,7 +3809,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3817,7 +3817,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3825,7 +3825,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3833,7 +3833,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3841,7 +3841,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3849,7 +3849,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3857,7 +3857,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3865,7 +3865,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3873,7 +3873,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3881,7 +3881,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3889,7 +3889,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3897,7 +3897,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3905,7 +3905,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3913,7 +3913,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3921,7 +3921,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3929,7 +3929,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3937,7 +3937,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3945,7 +3945,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3953,7 +3953,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3961,7 +3961,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3969,7 +3969,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3977,7 +3977,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3985,7 +3985,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3993,7 +3993,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4001,7 +4001,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4009,7 +4009,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4017,7 +4017,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4025,7 +4025,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4033,7 +4033,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4041,7 +4041,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4049,7 +4049,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4057,7 +4057,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4065,7 +4065,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4073,7 +4073,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4081,7 +4081,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4089,7 +4089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4097,7 +4097,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4105,7 +4105,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4113,7 +4113,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4121,7 +4121,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4129,7 +4129,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4137,7 +4137,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4145,7 +4145,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4153,7 +4153,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4161,7 +4161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4169,7 +4169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4177,7 +4177,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4185,7 +4185,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4193,7 +4193,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4201,7 +4201,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4209,7 +4209,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4217,7 +4217,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4225,7 +4225,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4233,7 +4233,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4241,7 +4241,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4249,7 +4249,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4257,7 +4257,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4265,7 +4265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4273,7 +4273,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4281,7 +4281,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4289,7 +4289,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4297,7 +4297,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4305,7 +4305,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4313,7 +4313,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4321,7 +4321,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4329,7 +4329,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4337,7 +4337,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4345,7 +4345,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4353,7 +4353,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4361,7 +4361,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4369,7 +4369,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4377,7 +4377,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4385,7 +4385,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4393,7 +4393,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4401,7 +4401,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4409,7 +4409,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4417,7 +4417,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4425,7 +4425,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4433,7 +4433,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4441,7 +4441,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4449,7 +4449,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4457,7 +4457,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4465,7 +4465,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4473,7 +4473,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4481,7 +4481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4489,7 +4489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4497,7 +4497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4505,7 +4505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4513,7 +4513,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4521,7 +4521,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4529,7 +4529,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4537,7 +4537,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4545,7 +4545,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4553,7 +4553,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4561,7 +4561,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4569,7 +4569,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4577,7 +4577,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4585,7 +4585,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4593,7 +4593,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4601,7 +4601,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4609,7 +4609,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4617,7 +4617,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4625,7 +4625,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4633,7 +4633,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4641,7 +4641,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4649,7 +4649,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4657,7 +4657,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4665,7 +4665,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4673,7 +4673,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4681,7 +4681,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4689,7 +4689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4697,7 +4697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4705,7 +4705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4713,7 +4713,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4721,7 +4721,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4729,7 +4729,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4737,7 +4737,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4745,7 +4745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4753,7 +4753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4761,7 +4761,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4769,7 +4769,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4777,7 +4777,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4785,7 +4785,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4793,7 +4793,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4801,7 +4801,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4809,7 +4809,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4817,7 +4817,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4825,7 +4825,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4833,7 +4833,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4841,7 +4841,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4849,7 +4849,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4857,7 +4857,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4865,7 +4865,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4873,7 +4873,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4881,7 +4881,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4889,7 +4889,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4897,7 +4897,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4905,7 +4905,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4913,7 +4913,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4921,7 +4921,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4929,7 +4929,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4937,7 +4937,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4945,7 +4945,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4953,7 +4953,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4961,7 +4961,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4969,7 +4969,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4977,7 +4977,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4985,7 +4985,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4993,7 +4993,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5001,7 +5001,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5009,7 +5009,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5017,7 +5017,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5025,7 +5025,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5033,7 +5033,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5041,7 +5041,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5049,7 +5049,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5057,7 +5057,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5065,7 +5065,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5073,7 +5073,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5081,7 +5081,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5089,7 +5089,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5097,7 +5097,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5105,7 +5105,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5113,7 +5113,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5121,7 +5121,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5129,7 +5129,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5137,7 +5137,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5145,7 +5145,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5153,7 +5153,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5161,7 +5161,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5169,7 +5169,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5177,7 +5177,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5185,7 +5185,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5193,7 +5193,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5201,7 +5201,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5209,7 +5209,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5217,7 +5217,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5225,7 +5225,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5233,7 +5233,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5241,7 +5241,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5249,7 +5249,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5257,7 +5257,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5265,7 +5265,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5273,7 +5273,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5281,7 +5281,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5289,7 +5289,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5297,7 +5297,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5305,7 +5305,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5313,7 +5313,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5321,7 +5321,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5329,7 +5329,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5337,7 +5337,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5345,7 +5345,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5353,7 +5353,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5361,7 +5361,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5369,7 +5369,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5377,7 +5377,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5385,7 +5385,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5393,7 +5393,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5401,7 +5401,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5409,7 +5409,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5417,7 +5417,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5425,7 +5425,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5433,7 +5433,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5441,7 +5441,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5449,7 +5449,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5457,7 +5457,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5465,7 +5465,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5473,7 +5473,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5481,7 +5481,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5489,7 +5489,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5497,7 +5497,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5505,7 +5505,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5513,7 +5513,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5521,7 +5521,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5529,7 +5529,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5537,7 +5537,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5545,7 +5545,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5553,7 +5553,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5561,7 +5561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5569,7 +5569,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5577,7 +5577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5585,7 +5585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5593,7 +5593,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5601,7 +5601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5609,7 +5609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5617,7 +5617,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5625,7 +5625,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5633,7 +5633,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5641,7 +5641,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5649,7 +5649,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5657,7 +5657,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5665,7 +5665,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5673,7 +5673,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5681,7 +5681,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5689,7 +5689,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5697,7 +5697,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5705,7 +5705,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5713,7 +5713,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5721,7 +5721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5729,7 +5729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5737,7 +5737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5745,7 +5745,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5753,7 +5753,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5761,7 +5761,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5769,7 +5769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5777,7 +5777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5785,7 +5785,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5793,7 +5793,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5801,7 +5801,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5809,7 +5809,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5817,7 +5817,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5825,7 +5825,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5833,7 +5833,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5841,7 +5841,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5849,7 +5849,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5857,7 +5857,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5865,7 +5865,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5873,7 +5873,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5881,7 +5881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5889,7 +5889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5897,7 +5897,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5905,7 +5905,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5913,7 +5913,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5921,7 +5921,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5929,7 +5929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5937,7 +5937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5945,7 +5945,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5953,7 +5953,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5961,7 +5961,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5969,7 +5969,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5977,7 +5977,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5985,7 +5985,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5993,7 +5993,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6001,7 +6001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6009,7 +6009,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6017,7 +6017,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6025,7 +6025,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6033,7 +6033,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6041,7 +6041,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6049,7 +6049,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6057,7 +6057,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6065,7 +6065,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6073,7 +6073,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6081,7 +6081,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6089,7 +6089,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6097,7 +6097,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6105,7 +6105,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6113,7 +6113,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6121,7 +6121,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6129,7 +6129,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6137,7 +6137,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6145,7 +6145,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6153,7 +6153,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6161,7 +6161,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6169,7 +6169,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6177,7 +6177,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6185,7 +6185,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6193,7 +6193,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6201,7 +6201,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6209,7 +6209,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6217,7 +6217,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6225,7 +6225,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6233,7 +6233,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6241,7 +6241,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6249,7 +6249,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6257,7 +6257,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6265,7 +6265,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6273,7 +6273,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6281,7 +6281,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6289,7 +6289,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6297,7 +6297,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6305,7 +6305,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6313,7 +6313,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6321,7 +6321,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6329,7 +6329,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6337,7 +6337,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6345,7 +6345,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6353,7 +6353,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6361,7 +6361,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6369,7 +6369,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6377,7 +6377,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6385,7 +6385,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6393,7 +6393,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6401,7 +6401,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6409,7 +6409,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6417,7 +6417,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6425,7 +6425,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6433,7 +6433,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6441,7 +6441,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6449,7 +6449,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6457,7 +6457,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6465,7 +6465,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6473,7 +6473,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6481,7 +6481,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6489,7 +6489,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6497,7 +6497,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6505,7 +6505,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6513,7 +6513,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6521,7 +6521,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6529,7 +6529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6537,7 +6537,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6545,7 +6545,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6553,7 +6553,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6561,7 +6561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6569,7 +6569,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6577,7 +6577,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6585,7 +6585,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6593,7 +6593,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6601,7 +6601,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6609,7 +6609,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6617,7 +6617,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6625,7 +6625,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6633,7 +6633,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6641,7 +6641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6649,7 +6649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6657,7 +6657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6665,7 +6665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6673,7 +6673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6681,7 +6681,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6689,7 +6689,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6697,7 +6697,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6705,7 +6705,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6713,7 +6713,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6721,7 +6721,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6729,7 +6729,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6737,7 +6737,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6745,7 +6745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6753,7 +6753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6761,7 +6761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6769,7 +6769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6777,7 +6777,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6785,7 +6785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6793,7 +6793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6801,7 +6801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6809,7 +6809,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6817,7 +6817,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6825,7 +6825,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6833,7 +6833,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6841,7 +6841,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6849,7 +6849,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6857,7 +6857,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6865,7 +6865,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6873,7 +6873,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6881,7 +6881,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6889,7 +6889,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6897,7 +6897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6905,7 +6905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6913,7 +6913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6921,7 +6921,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6929,7 +6929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6937,7 +6937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6945,7 +6945,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6953,7 +6953,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6961,7 +6961,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6969,7 +6969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6977,7 +6977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6985,7 +6985,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -6993,7 +6993,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7001,7 +7001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7009,7 +7009,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7017,7 +7017,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7025,7 +7025,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7033,7 +7033,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7041,7 +7041,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7049,7 +7049,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7057,7 +7057,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7065,7 +7065,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7073,7 +7073,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7081,7 +7081,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7089,7 +7089,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7097,7 +7097,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7105,7 +7105,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7113,7 +7113,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7121,7 +7121,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7129,7 +7129,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7137,7 +7137,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7145,7 +7145,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7153,7 +7153,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7161,7 +7161,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7169,7 +7169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7177,7 +7177,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7185,7 +7185,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7193,7 +7193,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7201,7 +7201,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7209,7 +7209,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7217,7 +7217,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7225,7 +7225,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7233,7 +7233,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7241,7 +7241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7249,7 +7249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7257,7 +7257,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7265,7 +7265,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7273,7 +7273,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7281,7 +7281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7289,7 +7289,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7297,7 +7297,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7305,7 +7305,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7313,7 +7313,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7321,7 +7321,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7329,7 +7329,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7337,7 +7337,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7345,7 +7345,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7353,7 +7353,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7361,7 +7361,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7369,7 +7369,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7377,7 +7377,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7385,7 +7385,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7393,7 +7393,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7401,7 +7401,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7409,7 +7409,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7417,7 +7417,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7425,7 +7425,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7433,7 +7433,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7441,7 +7441,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7449,7 +7449,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7457,7 +7457,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7465,7 +7465,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7473,7 +7473,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7481,7 +7481,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7489,7 +7489,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7497,7 +7497,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7505,7 +7505,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7513,7 +7513,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7521,7 +7521,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7529,7 +7529,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7537,7 +7537,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7545,7 +7545,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7553,7 +7553,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7561,7 +7561,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7569,7 +7569,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7577,7 +7577,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7585,7 +7585,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7593,7 +7593,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7601,7 +7601,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7609,7 +7609,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7617,7 +7617,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7625,7 +7625,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7633,7 +7633,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7641,7 +7641,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7649,7 +7649,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7657,7 +7657,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7665,7 +7665,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7673,7 +7673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7681,7 +7681,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7689,7 +7689,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7697,7 +7697,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7705,7 +7705,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7713,7 +7713,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7721,7 +7721,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7729,7 +7729,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7737,7 +7737,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7745,7 +7745,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7753,7 +7753,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7761,7 +7761,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7769,7 +7769,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7777,7 +7777,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7785,7 +7785,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7793,7 +7793,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7801,7 +7801,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7809,7 +7809,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7817,7 +7817,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7825,7 +7825,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7833,7 +7833,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7841,7 +7841,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7849,7 +7849,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7857,7 +7857,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7865,7 +7865,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7873,7 +7873,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7881,7 +7881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7889,7 +7889,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7897,7 +7897,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7905,7 +7905,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7913,7 +7913,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7921,7 +7921,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7929,7 +7929,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7937,7 +7937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7945,7 +7945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7953,7 +7953,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7961,7 +7961,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7969,7 +7969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7977,7 +7977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7985,7 +7985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7993,7 +7993,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8001,7 +8001,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8009,7 +8009,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8017,7 +8017,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8025,7 +8025,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8033,7 +8033,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8041,7 +8041,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8049,7 +8049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8057,7 +8057,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8065,7 +8065,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8073,7 +8073,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8081,7 +8081,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8089,7 +8089,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8097,7 +8097,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8105,7 +8105,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8113,7 +8113,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8121,7 +8121,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8129,7 +8129,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8137,7 +8137,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8145,7 +8145,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8153,7 +8153,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8161,7 +8161,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8169,7 +8169,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8177,7 +8177,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8185,7 +8185,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8193,7 +8193,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8201,7 +8201,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8209,7 +8209,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8217,7 +8217,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8225,7 +8225,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8233,7 +8233,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8241,7 +8241,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8249,7 +8249,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8257,7 +8257,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8265,7 +8265,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8273,7 +8273,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8281,7 +8281,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8289,7 +8289,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8297,7 +8297,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8305,7 +8305,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8313,7 +8313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8321,7 +8321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8329,7 +8329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8337,7 +8337,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8345,7 +8345,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8353,7 +8353,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8361,7 +8361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8369,7 +8369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8377,7 +8377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8385,7 +8385,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8393,7 +8393,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8401,7 +8401,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8409,7 +8409,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8417,7 +8417,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8425,7 +8425,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8433,7 +8433,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8441,7 +8441,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8449,7 +8449,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8457,7 +8457,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8465,7 +8465,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8473,7 +8473,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8481,7 +8481,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8489,7 +8489,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8497,7 +8497,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8505,7 +8505,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8513,7 +8513,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8521,7 +8521,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8529,7 +8529,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8537,7 +8537,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8545,7 +8545,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8553,7 +8553,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8561,7 +8561,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8569,7 +8569,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8577,7 +8577,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8585,7 +8585,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8593,7 +8593,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: System Use Notification + capability-id: AC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -8601,7 +8601,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8609,7 +8609,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8617,7 +8617,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8625,7 +8625,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8633,7 +8633,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8641,7 +8641,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8649,7 +8649,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8657,7 +8657,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8665,7 +8665,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8673,7 +8673,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8681,7 +8681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8689,7 +8689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8697,7 +8697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8705,7 +8705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8713,7 +8713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8721,7 +8721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8729,7 +8729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8737,7 +8737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8745,7 +8745,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8753,7 +8753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8761,7 +8761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8769,7 +8769,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8777,7 +8777,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8785,7 +8785,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8793,7 +8793,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8801,7 +8801,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8809,7 +8809,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8817,7 +8817,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8825,7 +8825,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8833,7 +8833,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8841,7 +8841,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8849,7 +8849,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8857,7 +8857,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8865,7 +8865,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8873,7 +8873,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8881,7 +8881,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8889,7 +8889,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8897,7 +8897,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8905,7 +8905,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8913,7 +8913,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8921,7 +8921,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8929,7 +8929,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8937,7 +8937,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8945,7 +8945,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8953,7 +8953,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8961,7 +8961,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8969,7 +8969,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8977,7 +8977,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8985,7 +8985,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8993,7 +8993,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9001,7 +9001,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9009,7 +9009,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9017,7 +9017,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9025,7 +9025,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9033,7 +9033,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9041,7 +9041,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9049,7 +9049,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9057,7 +9057,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9065,7 +9065,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9073,7 +9073,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9081,7 +9081,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9089,7 +9089,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9097,7 +9097,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9105,7 +9105,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9113,7 +9113,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9121,7 +9121,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9129,7 +9129,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9137,7 +9137,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9145,7 +9145,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9153,7 +9153,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9161,7 +9161,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9169,7 +9169,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9177,7 +9177,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9185,7 +9185,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9193,7 +9193,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9201,7 +9201,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9209,7 +9209,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9217,7 +9217,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9225,7 +9225,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9233,7 +9233,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9241,7 +9241,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9249,7 +9249,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9257,7 +9257,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9265,7 +9265,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9273,7 +9273,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9281,7 +9281,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9289,7 +9289,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9297,7 +9297,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9305,7 +9305,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9313,7 +9313,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9321,7 +9321,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9329,7 +9329,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9337,7 +9337,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9345,7 +9345,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9353,7 +9353,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9361,7 +9361,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9369,7 +9369,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9377,7 +9377,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9385,7 +9385,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9393,7 +9393,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9401,7 +9401,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9409,7 +9409,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9417,7 +9417,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9425,7 +9425,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9433,7 +9433,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9441,7 +9441,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9449,7 +9449,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9457,7 +9457,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9465,7 +9465,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9473,7 +9473,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9481,7 +9481,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9489,7 +9489,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9497,7 +9497,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9505,7 +9505,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9513,7 +9513,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9521,7 +9521,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9529,7 +9529,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9537,7 +9537,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9545,7 +9545,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9553,7 +9553,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9561,7 +9561,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9569,7 +9569,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9577,7 +9577,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9585,7 +9585,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9593,7 +9593,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9601,7 +9601,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9609,7 +9609,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9617,7 +9617,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9625,7 +9625,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9633,7 +9633,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9641,7 +9641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9649,7 +9649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9657,7 +9657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9665,7 +9665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9673,7 +9673,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9681,7 +9681,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9689,7 +9689,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9697,7 +9697,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9705,7 +9705,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9713,7 +9713,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9721,7 +9721,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9729,7 +9729,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9737,7 +9737,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9745,7 +9745,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9753,7 +9753,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9761,7 +9761,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9769,7 +9769,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9777,7 +9777,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9785,7 +9785,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9793,7 +9793,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9801,7 +9801,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9809,7 +9809,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9817,7 +9817,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9825,7 +9825,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9833,7 +9833,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9841,7 +9841,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9849,7 +9849,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9857,7 +9857,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9865,7 +9865,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9873,7 +9873,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9881,7 +9881,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9889,7 +9889,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9897,7 +9897,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9905,7 +9905,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9913,7 +9913,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9921,7 +9921,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9929,7 +9929,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9937,7 +9937,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9945,7 +9945,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9953,7 +9953,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9961,7 +9961,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9969,7 +9969,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9977,7 +9977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9985,7 +9985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9993,7 +9993,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10001,7 +10001,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10009,7 +10009,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10017,7 +10017,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10025,7 +10025,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10033,7 +10033,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10041,7 +10041,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10049,7 +10049,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10057,7 +10057,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10065,7 +10065,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10073,7 +10073,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10081,7 +10081,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10089,7 +10089,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10097,7 +10097,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10105,7 +10105,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10113,7 +10113,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10121,7 +10121,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10129,7 +10129,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10137,7 +10137,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10145,7 +10145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10153,7 +10153,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10161,7 +10161,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10169,7 +10169,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10177,7 +10177,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10185,7 +10185,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10193,7 +10193,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10201,7 +10201,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10209,7 +10209,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10217,7 +10217,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10225,7 +10225,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10233,7 +10233,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10241,7 +10241,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10249,7 +10249,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10257,7 +10257,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10265,7 +10265,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10273,7 +10273,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10281,7 +10281,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10289,7 +10289,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10297,7 +10297,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10305,7 +10305,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10313,7 +10313,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10321,7 +10321,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10329,7 +10329,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10337,7 +10337,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10345,7 +10345,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10353,7 +10353,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10361,7 +10361,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10369,7 +10369,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10377,7 +10377,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10385,7 +10385,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10393,7 +10393,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10401,7 +10401,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10409,7 +10409,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10417,7 +10417,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10425,7 +10425,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10433,7 +10433,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10441,7 +10441,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10449,7 +10449,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10457,7 +10457,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10465,7 +10465,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10473,7 +10473,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10481,7 +10481,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10489,7 +10489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10497,7 +10497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10505,7 +10505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10513,7 +10513,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10521,7 +10521,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10529,7 +10529,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10537,7 +10537,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10545,7 +10545,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10553,7 +10553,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10561,7 +10561,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10569,7 +10569,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10577,7 +10577,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10585,7 +10585,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10593,7 +10593,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10601,7 +10601,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10609,7 +10609,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10617,7 +10617,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10625,7 +10625,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10633,7 +10633,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10641,7 +10641,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10649,7 +10649,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10657,7 +10657,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10665,7 +10665,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10673,7 +10673,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10681,7 +10681,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10689,7 +10689,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10697,7 +10697,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10705,7 +10705,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10713,7 +10713,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10721,7 +10721,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10729,7 +10729,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10737,7 +10737,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10745,7 +10745,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10753,7 +10753,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10761,7 +10761,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10769,7 +10769,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10777,7 +10777,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10785,7 +10785,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -10793,7 +10793,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10801,7 +10801,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10809,7 +10809,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10817,7 +10817,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10825,7 +10825,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10833,7 +10833,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10841,7 +10841,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10849,7 +10849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10857,7 +10857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10865,7 +10865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10873,7 +10873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10881,7 +10881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10889,7 +10889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10897,7 +10897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10905,7 +10905,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10913,7 +10913,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10921,7 +10921,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10929,7 +10929,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10937,7 +10937,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10945,7 +10945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10953,7 +10953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10961,7 +10961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10969,7 +10969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10977,7 +10977,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -10985,7 +10985,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10993,7 +10993,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11001,7 +11001,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11009,7 +11009,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11017,7 +11017,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11025,7 +11025,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11033,7 +11033,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11041,7 +11041,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11049,7 +11049,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11057,7 +11057,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11065,7 +11065,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11073,7 +11073,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11081,7 +11081,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11089,7 +11089,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11097,7 +11097,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11105,7 +11105,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11113,7 +11113,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11121,7 +11121,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11129,7 +11129,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11137,7 +11137,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11145,7 +11145,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11153,7 +11153,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11161,7 +11161,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11169,7 +11169,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11177,7 +11177,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11185,7 +11185,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11193,7 +11193,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11201,7 +11201,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11209,7 +11209,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11217,7 +11217,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11225,7 +11225,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11233,7 +11233,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11241,7 +11241,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11249,7 +11249,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11257,7 +11257,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11265,7 +11265,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11273,7 +11273,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11281,7 +11281,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11289,7 +11289,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11297,7 +11297,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11305,7 +11305,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11313,7 +11313,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11321,7 +11321,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11329,7 +11329,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11337,7 +11337,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11345,7 +11345,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11353,7 +11353,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11361,7 +11361,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11369,7 +11369,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11377,7 +11377,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11385,7 +11385,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11393,7 +11393,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11401,7 +11401,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11409,7 +11409,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11417,7 +11417,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11425,7 +11425,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11433,7 +11433,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11441,7 +11441,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11449,7 +11449,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11457,7 +11457,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11465,7 +11465,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11473,7 +11473,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11481,7 +11481,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11489,7 +11489,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11497,7 +11497,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11505,7 +11505,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11513,7 +11513,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11521,7 +11521,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11529,7 +11529,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11537,7 +11537,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11545,7 +11545,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11553,7 +11553,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11561,7 +11561,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11569,7 +11569,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11577,7 +11577,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11585,7 +11585,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11593,7 +11593,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11601,7 +11601,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11609,7 +11609,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11617,7 +11617,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11625,7 +11625,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11633,7 +11633,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11641,7 +11641,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11649,7 +11649,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11657,7 +11657,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11665,7 +11665,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11673,7 +11673,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11681,7 +11681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11689,7 +11689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11697,7 +11697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11705,7 +11705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11713,7 +11713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11721,7 +11721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11729,7 +11729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11737,7 +11737,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11745,7 +11745,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11753,7 +11753,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11761,7 +11761,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11769,7 +11769,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11777,7 +11777,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11785,7 +11785,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11793,7 +11793,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11801,7 +11801,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11809,7 +11809,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11817,7 +11817,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11825,7 +11825,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11833,7 +11833,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11841,7 +11841,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11849,7 +11849,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11857,7 +11857,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11865,7 +11865,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11873,7 +11873,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11881,7 +11881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11889,7 +11889,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11897,7 +11897,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11905,7 +11905,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11913,7 +11913,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11921,7 +11921,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11929,7 +11929,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11937,7 +11937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11945,7 +11945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11953,7 +11953,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11961,7 +11961,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11969,7 +11969,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11977,7 +11977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11985,7 +11985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11993,7 +11993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12001,7 +12001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12009,7 +12009,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12017,7 +12017,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12025,7 +12025,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12033,7 +12033,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12041,7 +12041,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12049,7 +12049,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12057,7 +12057,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12065,7 +12065,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12073,7 +12073,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12081,7 +12081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12089,7 +12089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12097,7 +12097,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12105,7 +12105,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12113,7 +12113,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12121,7 +12121,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12129,7 +12129,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12137,7 +12137,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12145,7 +12145,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12153,7 +12153,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12161,7 +12161,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12169,7 +12169,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12177,7 +12177,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12185,7 +12185,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12193,7 +12193,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12201,7 +12201,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12209,7 +12209,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12217,7 +12217,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12225,7 +12225,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12233,7 +12233,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12241,7 +12241,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12249,7 +12249,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12257,7 +12257,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12265,7 +12265,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12273,7 +12273,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12281,7 +12281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12289,7 +12289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12297,7 +12297,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12305,7 +12305,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12313,7 +12313,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12321,7 +12321,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12329,7 +12329,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12337,7 +12337,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12345,7 +12345,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12353,7 +12353,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12361,7 +12361,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12369,7 +12369,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12377,7 +12377,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12385,7 +12385,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12393,7 +12393,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12401,7 +12401,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12409,7 +12409,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12417,7 +12417,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12425,7 +12425,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12433,7 +12433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12441,7 +12441,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12449,7 +12449,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12457,7 +12457,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12465,7 +12465,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12473,7 +12473,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12481,7 +12481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12489,7 +12489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12497,7 +12497,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12505,7 +12505,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12513,7 +12513,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12521,7 +12521,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12529,7 +12529,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12537,7 +12537,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12545,7 +12545,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12553,7 +12553,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12561,7 +12561,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12569,7 +12569,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12577,7 +12577,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12585,7 +12585,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12593,7 +12593,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12601,7 +12601,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12609,7 +12609,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12617,7 +12617,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12625,7 +12625,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12633,7 +12633,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12641,7 +12641,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12649,7 +12649,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12657,7 +12657,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12665,7 +12665,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12673,7 +12673,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12681,7 +12681,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12689,7 +12689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12697,7 +12697,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12705,7 +12705,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12713,7 +12713,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -12721,7 +12721,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12729,7 +12729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12737,7 +12737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12745,7 +12745,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12753,7 +12753,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12761,7 +12761,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12769,7 +12769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12777,7 +12777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12785,7 +12785,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12793,7 +12793,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12801,7 +12801,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12809,7 +12809,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12817,7 +12817,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12825,7 +12825,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12833,7 +12833,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12841,7 +12841,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12849,7 +12849,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12857,7 +12857,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12865,7 +12865,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12873,7 +12873,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12881,7 +12881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12889,7 +12889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12897,7 +12897,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12905,7 +12905,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12913,7 +12913,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12921,7 +12921,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12929,7 +12929,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12937,7 +12937,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12945,7 +12945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12953,7 +12953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12961,7 +12961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12969,7 +12969,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12977,7 +12977,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12985,7 +12985,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -12993,7 +12993,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13001,7 +13001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13009,7 +13009,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13017,7 +13017,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13025,7 +13025,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13033,7 +13033,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13041,7 +13041,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13049,7 +13049,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13057,7 +13057,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13065,7 +13065,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13073,7 +13073,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13081,7 +13081,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13089,7 +13089,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13097,7 +13097,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13105,7 +13105,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13113,7 +13113,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13121,7 +13121,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13129,7 +13129,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13137,7 +13137,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13145,7 +13145,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13153,7 +13153,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13161,7 +13161,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13169,7 +13169,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13177,7 +13177,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13185,7 +13185,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13193,7 +13193,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13201,7 +13201,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13209,7 +13209,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13217,7 +13217,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13225,7 +13225,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13233,7 +13233,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13241,7 +13241,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13249,7 +13249,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13257,7 +13257,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13265,7 +13265,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13273,7 +13273,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13281,7 +13281,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13289,7 +13289,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13297,7 +13297,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13305,7 +13305,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13313,7 +13313,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13321,7 +13321,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13329,7 +13329,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13337,7 +13337,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13345,7 +13345,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13353,7 +13353,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13361,7 +13361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13369,7 +13369,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13377,7 +13377,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13385,7 +13385,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13393,7 +13393,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13401,7 +13401,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13409,7 +13409,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13417,7 +13417,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13425,7 +13425,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13433,7 +13433,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13441,7 +13441,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13449,7 +13449,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13457,7 +13457,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13465,7 +13465,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13473,7 +13473,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13481,7 +13481,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13489,7 +13489,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13497,7 +13497,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13505,7 +13505,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13513,7 +13513,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13521,7 +13521,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13529,7 +13529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13537,7 +13537,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13545,7 +13545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13553,7 +13553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13561,7 +13561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13569,7 +13569,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13577,7 +13577,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13585,7 +13585,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13593,7 +13593,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13601,7 +13601,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13609,7 +13609,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13617,7 +13617,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13625,7 +13625,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13633,7 +13633,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13641,7 +13641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13649,7 +13649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13657,7 +13657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13665,7 +13665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13673,7 +13673,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13681,7 +13681,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13689,7 +13689,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13697,7 +13697,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13705,7 +13705,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13713,7 +13713,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13721,7 +13721,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13729,7 +13729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13737,7 +13737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13745,7 +13745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13753,7 +13753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13761,7 +13761,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13769,7 +13769,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13777,7 +13777,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13785,7 +13785,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13793,7 +13793,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13801,7 +13801,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13809,7 +13809,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13817,7 +13817,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13825,7 +13825,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13833,7 +13833,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13841,7 +13841,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13849,7 +13849,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13857,7 +13857,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13865,7 +13865,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13873,7 +13873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13881,7 +13881,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13889,7 +13889,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13897,7 +13897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13905,7 +13905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13913,7 +13913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13921,7 +13921,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13929,7 +13929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13937,7 +13937,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13945,7 +13945,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13953,7 +13953,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13961,7 +13961,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13969,7 +13969,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13977,7 +13977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13985,7 +13985,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -13993,7 +13993,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14001,7 +14001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14009,7 +14009,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14017,7 +14017,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14025,7 +14025,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14033,7 +14033,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14041,7 +14041,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14049,7 +14049,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14057,7 +14057,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14065,7 +14065,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14073,7 +14073,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14081,7 +14081,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14089,7 +14089,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14097,7 +14097,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14105,7 +14105,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14113,7 +14113,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14121,7 +14121,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14129,7 +14129,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14137,7 +14137,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14145,7 +14145,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14153,7 +14153,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14161,7 +14161,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14169,7 +14169,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14177,7 +14177,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14185,7 +14185,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14193,7 +14193,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14201,7 +14201,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14209,7 +14209,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14217,7 +14217,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14225,7 +14225,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14233,7 +14233,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14241,7 +14241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14249,7 +14249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14257,7 +14257,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14265,7 +14265,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14273,7 +14273,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14281,7 +14281,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14289,7 +14289,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14297,7 +14297,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14305,7 +14305,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14313,7 +14313,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14321,7 +14321,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14329,7 +14329,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14337,7 +14337,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14345,7 +14345,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14353,7 +14353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14361,7 +14361,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14369,7 +14369,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14377,7 +14377,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14385,7 +14385,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14393,7 +14393,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14401,7 +14401,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14409,7 +14409,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14417,7 +14417,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14425,7 +14425,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14433,7 +14433,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14441,7 +14441,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14449,7 +14449,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14457,7 +14457,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14465,7 +14465,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14473,7 +14473,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14481,7 +14481,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14489,7 +14489,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14497,7 +14497,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14505,7 +14505,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14513,7 +14513,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14521,7 +14521,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14529,7 +14529,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14537,7 +14537,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14545,7 +14545,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14553,7 +14553,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14561,7 +14561,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14569,7 +14569,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14577,7 +14577,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14585,7 +14585,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14593,7 +14593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14601,7 +14601,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14609,7 +14609,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14617,7 +14617,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14625,7 +14625,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14633,7 +14633,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14641,7 +14641,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14649,7 +14649,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14657,7 +14657,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14665,7 +14665,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14673,7 +14673,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14681,7 +14681,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14689,7 +14689,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14697,7 +14697,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14705,7 +14705,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14713,7 +14713,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14721,7 +14721,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14729,7 +14729,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14737,7 +14737,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14745,7 +14745,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14753,7 +14753,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14761,7 +14761,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14769,7 +14769,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14777,7 +14777,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14785,7 +14785,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14793,7 +14793,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14801,7 +14801,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14809,7 +14809,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14817,7 +14817,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14825,7 +14825,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14833,7 +14833,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14841,7 +14841,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14849,7 +14849,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14857,7 +14857,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14865,7 +14865,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14873,7 +14873,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14881,7 +14881,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14889,7 +14889,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14897,7 +14897,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14905,7 +14905,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14913,7 +14913,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14921,7 +14921,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14929,7 +14929,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14937,7 +14937,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14945,7 +14945,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14953,7 +14953,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14961,7 +14961,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14969,7 +14969,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14977,7 +14977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14985,7 +14985,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14993,7 +14993,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15001,7 +15001,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15009,7 +15009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15017,7 +15017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15025,7 +15025,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15033,7 +15033,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15041,7 +15041,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15049,7 +15049,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15057,7 +15057,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15065,7 +15065,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15073,7 +15073,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15081,7 +15081,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15089,7 +15089,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15097,7 +15097,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15105,7 +15105,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15113,7 +15113,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15121,7 +15121,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15129,7 +15129,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15137,7 +15137,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15145,7 +15145,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15153,7 +15153,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15161,7 +15161,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15169,7 +15169,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15177,7 +15177,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15185,7 +15185,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15193,7 +15193,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15201,7 +15201,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15209,7 +15209,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15217,7 +15217,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15225,7 +15225,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15233,7 +15233,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15241,7 +15241,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15249,7 +15249,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15257,7 +15257,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15265,7 +15265,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15273,7 +15273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15281,7 +15281,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15289,7 +15289,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15297,7 +15297,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15305,7 +15305,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15313,7 +15313,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15321,7 +15321,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15329,7 +15329,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15337,7 +15337,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15345,7 +15345,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15353,7 +15353,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15361,7 +15361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15369,7 +15369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15377,7 +15377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15385,7 +15385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15393,7 +15393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15401,7 +15401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15409,7 +15409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15417,7 +15417,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15425,7 +15425,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15433,7 +15433,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15441,7 +15441,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15449,7 +15449,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15457,7 +15457,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15465,7 +15465,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15473,7 +15473,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15481,7 +15481,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15489,7 +15489,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15497,7 +15497,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15505,7 +15505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15513,7 +15513,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15521,7 +15521,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15529,7 +15529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15537,7 +15537,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15545,7 +15545,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15553,7 +15553,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15561,7 +15561,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15569,7 +15569,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15577,7 +15577,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15585,7 +15585,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15593,7 +15593,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15601,7 +15601,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15609,7 +15609,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15617,7 +15617,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15625,7 +15625,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15633,7 +15633,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15641,7 +15641,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15649,7 +15649,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15657,7 +15657,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15665,7 +15665,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15673,7 +15673,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15681,7 +15681,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15689,7 +15689,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15697,7 +15697,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15705,7 +15705,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15713,7 +15713,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15721,7 +15721,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15729,7 +15729,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15737,7 +15737,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15745,7 +15745,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15753,7 +15753,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15761,7 +15761,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15769,7 +15769,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15777,7 +15777,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15785,7 +15785,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15793,7 +15793,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15801,7 +15801,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15809,7 +15809,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15817,7 +15817,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15825,7 +15825,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15833,7 +15833,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15841,7 +15841,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15849,7 +15849,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15857,7 +15857,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15865,7 +15865,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15873,7 +15873,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15881,7 +15881,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15889,7 +15889,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15897,7 +15897,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15905,7 +15905,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15913,7 +15913,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15921,7 +15921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15929,7 +15929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15937,7 +15937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15945,7 +15945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15953,7 +15953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15961,7 +15961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15969,7 +15969,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15977,7 +15977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15985,7 +15985,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15993,7 +15993,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16001,7 +16001,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16009,7 +16009,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16017,7 +16017,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16025,7 +16025,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16033,7 +16033,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16041,7 +16041,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16049,7 +16049,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16057,7 +16057,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16065,7 +16065,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16073,7 +16073,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16081,7 +16081,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16089,7 +16089,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16097,7 +16097,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16105,7 +16105,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16113,7 +16113,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16121,7 +16121,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16129,7 +16129,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16137,7 +16137,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16145,7 +16145,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16153,7 +16153,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16161,7 +16161,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16169,7 +16169,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16177,7 +16177,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16185,7 +16185,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16193,7 +16193,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16201,7 +16201,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16209,7 +16209,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16217,7 +16217,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16225,7 +16225,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16233,7 +16233,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16241,7 +16241,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16249,7 +16249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16257,7 +16257,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16265,7 +16265,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16273,7 +16273,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16281,7 +16281,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16289,7 +16289,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16297,7 +16297,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16305,7 +16305,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16313,7 +16313,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16321,7 +16321,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16329,7 +16329,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16337,7 +16337,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16345,7 +16345,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16353,7 +16353,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16361,7 +16361,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16369,7 +16369,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16377,7 +16377,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16385,7 +16385,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16393,7 +16393,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16401,7 +16401,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16409,7 +16409,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16417,7 +16417,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16425,7 +16425,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16433,7 +16433,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16441,7 +16441,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16449,7 +16449,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16457,7 +16457,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16465,7 +16465,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16473,7 +16473,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16481,7 +16481,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16489,7 +16489,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16497,7 +16497,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16505,7 +16505,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16513,7 +16513,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16521,7 +16521,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16529,7 +16529,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16537,7 +16537,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16545,7 +16545,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16553,7 +16553,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16561,7 +16561,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16569,7 +16569,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16577,7 +16577,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16585,7 +16585,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16593,7 +16593,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16601,7 +16601,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16609,7 +16609,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16617,7 +16617,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16625,7 +16625,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16633,7 +16633,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16641,7 +16641,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16649,7 +16649,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16657,7 +16657,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16665,7 +16665,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16673,7 +16673,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16681,7 +16681,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16689,7 +16689,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16697,7 +16697,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16705,7 +16705,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16713,7 +16713,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16721,7 +16721,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16729,7 +16729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16737,7 +16737,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16745,7 +16745,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16753,7 +16753,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16761,7 +16761,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16769,7 +16769,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16777,7 +16777,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16785,7 +16785,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16793,7 +16793,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16801,7 +16801,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16809,7 +16809,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16817,7 +16817,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16825,7 +16825,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16833,7 +16833,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16841,7 +16841,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16849,7 +16849,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16857,7 +16857,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16865,7 +16865,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16873,7 +16873,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16881,7 +16881,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16889,7 +16889,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16897,7 +16897,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16905,7 +16905,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16913,7 +16913,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16921,7 +16921,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16929,7 +16929,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16937,7 +16937,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16945,7 +16945,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16953,7 +16953,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16961,7 +16961,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16969,7 +16969,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16977,7 +16977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16985,7 +16985,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16993,7 +16993,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17001,7 +17001,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17009,7 +17009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17017,7 +17017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17025,7 +17025,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17033,7 +17033,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17041,7 +17041,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17049,7 +17049,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17057,7 +17057,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17065,7 +17065,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17073,7 +17073,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17081,7 +17081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17089,7 +17089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17097,7 +17097,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17105,7 +17105,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17113,7 +17113,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17121,7 +17121,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17129,7 +17129,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17137,7 +17137,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17145,7 +17145,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17153,7 +17153,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17161,7 +17161,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17169,7 +17169,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17177,7 +17177,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17185,7 +17185,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17193,7 +17193,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17201,7 +17201,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17209,7 +17209,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17217,7 +17217,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17225,7 +17225,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17233,7 +17233,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17241,7 +17241,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17249,7 +17249,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17257,7 +17257,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17265,7 +17265,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17273,7 +17273,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17281,7 +17281,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17289,7 +17289,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17297,7 +17297,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17305,7 +17305,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17313,7 +17313,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17321,7 +17321,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17329,7 +17329,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17337,7 +17337,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17345,7 +17345,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17353,7 +17353,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17361,7 +17361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17369,7 +17369,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: LD_PRELOAD - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17377,7 +17377,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17385,7 +17385,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17393,7 +17393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17401,7 +17401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17409,7 +17409,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17417,7 +17417,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17425,7 +17425,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17433,7 +17433,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17441,7 +17441,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17449,7 +17449,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17457,7 +17457,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17465,7 +17465,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17473,7 +17473,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17481,7 +17481,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17489,7 +17489,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17497,7 +17497,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17505,7 +17505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17513,7 +17513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17521,7 +17521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17529,7 +17529,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17537,7 +17537,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17545,7 +17545,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17553,7 +17553,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17561,7 +17561,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17569,7 +17569,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17577,7 +17577,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17585,7 +17585,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17593,7 +17593,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17601,7 +17601,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17609,7 +17609,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17617,7 +17617,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17625,7 +17625,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17633,7 +17633,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17641,7 +17641,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17649,7 +17649,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17657,7 +17657,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17665,7 +17665,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17673,7 +17673,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17681,7 +17681,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17689,7 +17689,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17697,7 +17697,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17705,7 +17705,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17713,7 +17713,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17721,7 +17721,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17729,7 +17729,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17737,7 +17737,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17745,7 +17745,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17753,7 +17753,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17761,7 +17761,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17769,7 +17769,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17777,7 +17777,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17785,7 +17785,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17793,7 +17793,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17801,7 +17801,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17809,7 +17809,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17817,7 +17817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17825,7 +17825,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17833,7 +17833,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17841,7 +17841,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17849,7 +17849,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17857,7 +17857,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17865,7 +17865,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17873,7 +17873,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17881,7 +17881,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17889,7 +17889,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17897,7 +17897,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17905,7 +17905,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17913,7 +17913,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17921,7 +17921,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17929,7 +17929,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17937,7 +17937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17945,7 +17945,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17953,7 +17953,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17961,7 +17961,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17969,7 +17969,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17977,7 +17977,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17985,7 +17985,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -17993,7 +17993,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18001,7 +18001,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18009,7 +18009,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18017,7 +18017,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18025,7 +18025,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18033,7 +18033,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18041,7 +18041,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18049,7 +18049,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18057,7 +18057,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18065,7 +18065,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18073,7 +18073,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18081,7 +18081,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18089,7 +18089,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18097,7 +18097,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18105,7 +18105,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18113,7 +18113,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18121,7 +18121,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18129,7 +18129,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18137,7 +18137,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18145,7 +18145,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18153,7 +18153,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18161,7 +18161,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18169,7 +18169,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18177,7 +18177,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18185,7 +18185,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18193,7 +18193,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18201,7 +18201,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18209,7 +18209,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18217,7 +18217,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18225,7 +18225,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18233,7 +18233,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18241,7 +18241,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18249,7 +18249,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18257,7 +18257,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18265,7 +18265,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18273,7 +18273,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18281,7 +18281,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18289,7 +18289,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18297,7 +18297,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18305,7 +18305,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18313,7 +18313,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18321,7 +18321,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18329,7 +18329,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18337,7 +18337,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18345,7 +18345,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18353,7 +18353,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18361,7 +18361,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18369,7 +18369,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18377,7 +18377,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -18385,7 +18385,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18393,7 +18393,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18401,7 +18401,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18409,7 +18409,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18417,7 +18417,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18425,7 +18425,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18433,7 +18433,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18441,7 +18441,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18449,7 +18449,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18457,7 +18457,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18465,7 +18465,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18473,7 +18473,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18481,7 +18481,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18489,7 +18489,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18497,7 +18497,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18505,7 +18505,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18513,7 +18513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18521,7 +18521,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18529,7 +18529,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18537,7 +18537,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18545,7 +18545,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18553,7 +18553,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18561,7 +18561,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18569,7 +18569,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18577,7 +18577,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18585,7 +18585,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18593,7 +18593,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18601,7 +18601,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18609,7 +18609,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18617,7 +18617,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18625,7 +18625,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18633,7 +18633,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18641,7 +18641,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -18649,7 +18649,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18657,7 +18657,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -18665,7 +18665,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -18673,7 +18673,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -18681,7 +18681,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -18689,7 +18689,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -18697,7 +18697,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -18705,7 +18705,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -18713,7 +18713,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18721,7 +18721,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18729,7 +18729,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18737,7 +18737,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18745,7 +18745,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18753,7 +18753,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18761,7 +18761,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18769,7 +18769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18777,7 +18777,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18785,7 +18785,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18793,7 +18793,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18801,7 +18801,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18809,7 +18809,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18817,7 +18817,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18825,7 +18825,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18833,7 +18833,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18841,7 +18841,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18849,7 +18849,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18857,7 +18857,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18865,7 +18865,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18873,7 +18873,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18881,7 +18881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18889,7 +18889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18897,7 +18897,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18905,7 +18905,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18913,7 +18913,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18921,7 +18921,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18929,7 +18929,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18937,7 +18937,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18945,7 +18945,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18953,7 +18953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18961,7 +18961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18969,7 +18969,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18977,7 +18977,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18985,7 +18985,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -18993,7 +18993,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19001,7 +19001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19009,7 +19009,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19017,7 +19017,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19025,7 +19025,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19033,7 +19033,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19041,7 +19041,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19049,7 +19049,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19057,7 +19057,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19065,7 +19065,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19073,7 +19073,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19081,7 +19081,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19089,7 +19089,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19097,7 +19097,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19105,7 +19105,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19113,7 +19113,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19121,7 +19121,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19129,7 +19129,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19137,7 +19137,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19145,7 +19145,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19153,7 +19153,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19161,7 +19161,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19169,7 +19169,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19177,7 +19177,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19185,7 +19185,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19193,7 +19193,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19201,7 +19201,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19209,7 +19209,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19217,7 +19217,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19225,7 +19225,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19233,7 +19233,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19241,7 +19241,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19249,7 +19249,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19257,7 +19257,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19265,7 +19265,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19273,7 +19273,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19281,7 +19281,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19289,7 +19289,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19297,7 +19297,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19305,7 +19305,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19313,7 +19313,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19321,7 +19321,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19329,7 +19329,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19337,7 +19337,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19345,7 +19345,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19353,7 +19353,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19361,7 +19361,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19369,7 +19369,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19377,7 +19377,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19385,7 +19385,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19393,7 +19393,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19401,7 +19401,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19409,7 +19409,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19417,7 +19417,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19425,7 +19425,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19433,7 +19433,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19441,7 +19441,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19449,7 +19449,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19457,7 +19457,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19465,7 +19465,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19473,7 +19473,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19481,7 +19481,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19489,7 +19489,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19497,7 +19497,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19505,7 +19505,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19513,7 +19513,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19521,7 +19521,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19529,7 +19529,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19537,7 +19537,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19545,7 +19545,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19553,7 +19553,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19561,7 +19561,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19569,7 +19569,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19577,7 +19577,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19585,7 +19585,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19593,7 +19593,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19601,7 +19601,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19609,7 +19609,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19617,7 +19617,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19625,7 +19625,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19633,7 +19633,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19641,7 +19641,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19649,7 +19649,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19657,7 +19657,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19665,7 +19665,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19673,7 +19673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19681,7 +19681,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19689,7 +19689,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19697,7 +19697,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19705,7 +19705,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19713,7 +19713,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19721,7 +19721,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19729,7 +19729,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19737,7 +19737,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19745,7 +19745,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19753,7 +19753,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19761,7 +19761,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19769,7 +19769,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19777,7 +19777,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19785,7 +19785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19793,7 +19793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19801,7 +19801,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19809,7 +19809,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19817,7 +19817,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19825,7 +19825,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19833,7 +19833,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19841,7 +19841,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19849,7 +19849,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19857,7 +19857,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19865,7 +19865,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19873,7 +19873,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19881,7 +19881,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19889,7 +19889,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19897,7 +19897,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19905,7 +19905,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19913,7 +19913,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19921,7 +19921,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19929,7 +19929,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -19937,7 +19937,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19945,7 +19945,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19953,7 +19953,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19961,7 +19961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19969,7 +19969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19977,7 +19977,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19985,7 +19985,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -19993,7 +19993,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20001,7 +20001,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20009,7 +20009,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20017,7 +20017,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20025,7 +20025,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20033,7 +20033,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20041,7 +20041,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20049,7 +20049,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20057,7 +20057,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20065,7 +20065,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20073,7 +20073,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20081,7 +20081,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20089,7 +20089,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20097,7 +20097,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20105,7 +20105,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20113,7 +20113,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20121,7 +20121,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20129,7 +20129,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20137,7 +20137,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20145,7 +20145,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20153,7 +20153,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20161,7 +20161,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20169,7 +20169,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20177,7 +20177,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20185,7 +20185,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20193,7 +20193,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20201,7 +20201,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20209,7 +20209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20217,7 +20217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20225,7 +20225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20233,7 +20233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20241,7 +20241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20249,7 +20249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20257,7 +20257,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20265,7 +20265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20273,7 +20273,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20281,7 +20281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20289,7 +20289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20297,7 +20297,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20305,7 +20305,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20313,7 +20313,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20321,7 +20321,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20329,7 +20329,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20337,7 +20337,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20345,7 +20345,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20353,7 +20353,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20361,7 +20361,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20369,7 +20369,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20377,7 +20377,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20385,7 +20385,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20393,7 +20393,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20401,7 +20401,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20409,7 +20409,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20417,7 +20417,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20425,7 +20425,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20433,7 +20433,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20441,7 +20441,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20449,7 +20449,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20457,7 +20457,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20465,7 +20465,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20473,7 +20473,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20481,7 +20481,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20489,7 +20489,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20497,7 +20497,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20505,7 +20505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20513,7 +20513,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20521,7 +20521,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20529,7 +20529,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20537,7 +20537,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20545,7 +20545,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20553,7 +20553,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20561,7 +20561,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20569,7 +20569,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20577,7 +20577,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20585,7 +20585,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20593,7 +20593,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20601,7 +20601,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20609,7 +20609,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20617,7 +20617,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20625,7 +20625,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20633,7 +20633,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20641,7 +20641,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20649,7 +20649,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20657,7 +20657,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20665,7 +20665,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20673,7 +20673,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -20681,7 +20681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20689,7 +20689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20697,7 +20697,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20705,7 +20705,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20713,7 +20713,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20721,7 +20721,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20729,7 +20729,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20737,7 +20737,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -20745,7 +20745,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20753,7 +20753,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20761,7 +20761,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20769,7 +20769,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20777,7 +20777,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20785,7 +20785,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20793,7 +20793,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20801,7 +20801,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20809,7 +20809,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20817,7 +20817,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -20825,7 +20825,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20833,7 +20833,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20841,7 +20841,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20849,7 +20849,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20857,7 +20857,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20865,7 +20865,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20873,7 +20873,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20881,7 +20881,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20889,7 +20889,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20897,7 +20897,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20905,7 +20905,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20913,7 +20913,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20921,7 +20921,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20929,7 +20929,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20937,7 +20937,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20945,7 +20945,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20953,7 +20953,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -20961,7 +20961,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20969,7 +20969,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20977,7 +20977,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20985,7 +20985,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -20993,7 +20993,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21001,7 +21001,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21009,7 +21009,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21017,7 +21017,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21025,7 +21025,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21033,7 +21033,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21041,7 +21041,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21049,7 +21049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21057,7 +21057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21065,7 +21065,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21073,7 +21073,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21081,7 +21081,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21089,7 +21089,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21097,7 +21097,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21105,7 +21105,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21113,7 +21113,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21121,7 +21121,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21129,7 +21129,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security and Privacy Architectures + capability-id: PL-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21137,7 +21137,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security and Privacy Architectures + capability-id: PL-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21145,7 +21145,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21153,7 +21153,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21161,7 +21161,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21169,7 +21169,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21177,7 +21177,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21185,7 +21185,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21193,7 +21193,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21201,7 +21201,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -21209,7 +21209,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21217,7 +21217,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21225,7 +21225,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21233,7 +21233,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21241,7 +21241,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21249,7 +21249,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21257,7 +21257,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21265,7 +21265,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21273,7 +21273,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21281,7 +21281,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21289,7 +21289,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21297,7 +21297,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21305,7 +21305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21313,7 +21313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21321,7 +21321,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21329,7 +21329,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21337,7 +21337,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21345,7 +21345,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21353,7 +21353,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21361,7 +21361,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21369,7 +21369,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21377,7 +21377,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21385,7 +21385,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21393,7 +21393,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21401,7 +21401,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21409,7 +21409,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21417,7 +21417,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21425,7 +21425,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21433,7 +21433,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21441,7 +21441,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21449,7 +21449,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21457,7 +21457,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21465,7 +21465,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21473,7 +21473,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21481,7 +21481,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21489,7 +21489,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21497,7 +21497,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21505,7 +21505,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21513,7 +21513,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21521,7 +21521,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21529,7 +21529,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21537,7 +21537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21545,7 +21545,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21553,7 +21553,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21561,7 +21561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21569,7 +21569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21577,7 +21577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21585,7 +21585,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21593,7 +21593,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21601,7 +21601,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21609,7 +21609,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21617,7 +21617,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21625,7 +21625,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21633,7 +21633,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21641,7 +21641,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21649,7 +21649,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21657,7 +21657,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21665,7 +21665,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21673,7 +21673,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21681,7 +21681,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21689,7 +21689,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21697,7 +21697,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21705,7 +21705,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21713,7 +21713,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21721,7 +21721,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21729,7 +21729,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21737,7 +21737,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21745,7 +21745,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21753,7 +21753,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21761,7 +21761,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21769,7 +21769,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21777,7 +21777,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21785,7 +21785,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21793,7 +21793,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21801,7 +21801,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21809,7 +21809,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21817,7 +21817,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21825,7 +21825,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21833,7 +21833,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21841,7 +21841,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21849,7 +21849,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21857,7 +21857,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21865,7 +21865,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21873,7 +21873,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21881,7 +21881,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21889,7 +21889,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21897,7 +21897,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21905,7 +21905,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21913,7 +21913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21921,7 +21921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21929,7 +21929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21937,7 +21937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21945,7 +21945,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21953,7 +21953,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21961,7 +21961,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21969,7 +21969,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21977,7 +21977,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21985,7 +21985,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21993,7 +21993,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22001,7 +22001,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22009,7 +22009,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22017,7 +22017,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22025,7 +22025,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22033,7 +22033,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22041,7 +22041,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22049,7 +22049,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22057,7 +22057,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22065,7 +22065,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22073,7 +22073,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22081,7 +22081,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22089,7 +22089,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22097,7 +22097,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22105,7 +22105,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22113,7 +22113,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22121,7 +22121,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22129,7 +22129,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22137,7 +22137,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22145,7 +22145,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22153,7 +22153,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22161,7 +22161,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22169,7 +22169,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22177,7 +22177,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22185,7 +22185,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22193,7 +22193,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22201,7 +22201,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22209,7 +22209,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22217,7 +22217,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22225,7 +22225,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22233,7 +22233,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22241,7 +22241,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22249,7 +22249,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22257,7 +22257,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22265,7 +22265,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22273,7 +22273,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22281,7 +22281,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22289,7 +22289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22297,7 +22297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22305,7 +22305,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22313,7 +22313,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22321,7 +22321,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22329,7 +22329,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22337,7 +22337,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22345,7 +22345,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22353,7 +22353,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22361,7 +22361,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22369,7 +22369,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22377,7 +22377,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22385,7 +22385,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -22393,7 +22393,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22401,7 +22401,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22409,7 +22409,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22417,7 +22417,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22425,7 +22425,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22433,7 +22433,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22441,7 +22441,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22449,7 +22449,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22457,7 +22457,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22465,7 +22465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22473,7 +22473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22481,7 +22481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22489,7 +22489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22497,7 +22497,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -22505,7 +22505,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22513,7 +22513,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22521,7 +22521,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22529,7 +22529,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22537,7 +22537,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22545,7 +22545,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22553,7 +22553,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22561,7 +22561,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22569,7 +22569,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22577,7 +22577,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22585,7 +22585,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22593,7 +22593,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22601,7 +22601,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22609,7 +22609,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22617,7 +22617,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22625,7 +22625,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -22633,7 +22633,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22641,7 +22641,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22649,7 +22649,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22657,7 +22657,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -22665,7 +22665,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22673,7 +22673,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22681,7 +22681,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22689,7 +22689,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22697,7 +22697,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -22705,7 +22705,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22713,7 +22713,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22721,7 +22721,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22729,7 +22729,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22737,7 +22737,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22745,7 +22745,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22753,7 +22753,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22761,7 +22761,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22769,7 +22769,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22777,7 +22777,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22785,7 +22785,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22793,7 +22793,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22801,7 +22801,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22809,7 +22809,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22817,7 +22817,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22825,7 +22825,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22833,7 +22833,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22841,7 +22841,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22849,7 +22849,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22857,7 +22857,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22865,7 +22865,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22873,7 +22873,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -22881,7 +22881,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22889,7 +22889,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22897,7 +22897,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -22905,7 +22905,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -22913,7 +22913,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22921,7 +22921,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22929,7 +22929,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22937,7 +22937,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22945,7 +22945,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22953,7 +22953,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22961,7 +22961,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22969,7 +22969,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22977,7 +22977,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22985,7 +22985,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -22993,7 +22993,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23001,7 +23001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23009,7 +23009,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23017,7 +23017,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23025,7 +23025,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23033,7 +23033,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23041,7 +23041,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23049,7 +23049,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23057,7 +23057,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23065,7 +23065,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23073,7 +23073,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23081,7 +23081,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23089,7 +23089,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23097,7 +23097,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23105,7 +23105,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23113,7 +23113,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23121,7 +23121,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23129,7 +23129,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23137,7 +23137,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23145,7 +23145,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23153,7 +23153,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23161,7 +23161,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23169,7 +23169,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23177,7 +23177,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23185,7 +23185,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23193,7 +23193,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -23201,7 +23201,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23209,7 +23209,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23217,7 +23217,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23225,7 +23225,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23233,7 +23233,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23241,7 +23241,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23249,7 +23249,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23257,7 +23257,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -23265,7 +23265,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23273,7 +23273,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23281,7 +23281,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23289,7 +23289,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23297,7 +23297,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23305,7 +23305,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23313,7 +23313,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -23321,7 +23321,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23329,7 +23329,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23337,7 +23337,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23345,7 +23345,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23353,7 +23353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23361,7 +23361,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23369,7 +23369,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23377,7 +23377,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23385,7 +23385,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23393,7 +23393,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23401,7 +23401,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23409,7 +23409,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23417,7 +23417,7 @@ attack-objects: tags: [] - attack-object-id: T1535 attack-object-name: Unused/Unsupported Cloud Regions - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23425,7 +23425,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23433,7 +23433,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23441,7 +23441,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23449,7 +23449,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23457,7 +23457,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23465,7 +23465,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23473,7 +23473,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23481,7 +23481,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -23489,7 +23489,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -23497,7 +23497,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -23505,7 +23505,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23513,7 +23513,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -23521,7 +23521,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23529,7 +23529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23537,7 +23537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23545,7 +23545,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23553,7 +23553,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23561,7 +23561,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23569,7 +23569,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23577,7 +23577,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23585,7 +23585,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23593,7 +23593,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23601,7 +23601,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23609,7 +23609,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23617,7 +23617,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23625,7 +23625,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23633,7 +23633,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23641,7 +23641,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23649,7 +23649,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23657,7 +23657,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23665,7 +23665,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23673,7 +23673,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23681,7 +23681,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23689,7 +23689,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23697,7 +23697,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23705,7 +23705,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23713,7 +23713,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23721,7 +23721,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23729,7 +23729,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23737,7 +23737,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23745,7 +23745,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23753,7 +23753,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23761,7 +23761,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -23769,7 +23769,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23777,7 +23777,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23785,7 +23785,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23793,7 +23793,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23801,7 +23801,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23809,7 +23809,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23817,7 +23817,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -23825,7 +23825,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23833,7 +23833,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23841,7 +23841,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23849,7 +23849,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23857,7 +23857,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23865,7 +23865,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23873,7 +23873,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23881,7 +23881,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23889,7 +23889,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23897,7 +23897,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23905,7 +23905,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23913,7 +23913,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23921,7 +23921,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23929,7 +23929,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23937,7 +23937,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23945,7 +23945,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23953,7 +23953,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23961,7 +23961,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23969,7 +23969,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23977,7 +23977,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23985,7 +23985,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -23993,7 +23993,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -24001,7 +24001,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -24009,7 +24009,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -24017,7 +24017,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -24025,7 +24025,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -24033,7 +24033,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -24041,7 +24041,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24049,7 +24049,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24057,7 +24057,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24065,7 +24065,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24073,7 +24073,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24081,7 +24081,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24089,7 +24089,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24097,7 +24097,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24105,7 +24105,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24113,7 +24113,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24121,7 +24121,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -24129,7 +24129,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -24137,7 +24137,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -24145,7 +24145,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -24153,7 +24153,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24161,7 +24161,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24169,7 +24169,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24177,7 +24177,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24185,7 +24185,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24193,7 +24193,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24201,7 +24201,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -24209,7 +24209,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24217,7 +24217,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -24225,7 +24225,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -24233,7 +24233,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -24241,7 +24241,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -24249,7 +24249,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24257,7 +24257,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24265,7 +24265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24273,7 +24273,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24281,7 +24281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24289,7 +24289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24297,7 +24297,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24305,7 +24305,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24313,7 +24313,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24321,7 +24321,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24329,7 +24329,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24337,7 +24337,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24345,7 +24345,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24353,7 +24353,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24361,7 +24361,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24369,7 +24369,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24377,7 +24377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24385,7 +24385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24393,7 +24393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24401,7 +24401,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24409,7 +24409,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -24417,7 +24417,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24425,7 +24425,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24433,7 +24433,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24441,7 +24441,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24449,7 +24449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24457,7 +24457,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24465,7 +24465,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24473,7 +24473,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24481,7 +24481,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24489,7 +24489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24497,7 +24497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24505,7 +24505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24513,7 +24513,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24521,7 +24521,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24529,7 +24529,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24537,7 +24537,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24545,7 +24545,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24553,7 +24553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24561,7 +24561,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24569,7 +24569,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24577,7 +24577,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24585,7 +24585,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24593,7 +24593,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24601,7 +24601,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24609,7 +24609,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -24617,7 +24617,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -24625,7 +24625,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24633,7 +24633,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -24641,7 +24641,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -24649,7 +24649,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24657,7 +24657,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24665,7 +24665,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24673,7 +24673,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24681,7 +24681,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24689,7 +24689,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24697,7 +24697,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24705,7 +24705,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24713,7 +24713,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24721,7 +24721,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24729,7 +24729,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24737,7 +24737,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -24745,7 +24745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24753,7 +24753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24761,7 +24761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24769,7 +24769,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24777,7 +24777,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24785,7 +24785,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24793,7 +24793,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24801,7 +24801,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24809,7 +24809,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24817,7 +24817,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24825,7 +24825,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24833,7 +24833,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24841,7 +24841,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24849,7 +24849,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24857,7 +24857,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24865,7 +24865,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24873,7 +24873,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24881,7 +24881,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24889,7 +24889,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24897,7 +24897,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24905,7 +24905,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24913,7 +24913,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24921,7 +24921,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24929,7 +24929,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24937,7 +24937,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24945,7 +24945,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -24953,7 +24953,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24961,7 +24961,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24969,7 +24969,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24977,7 +24977,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -24985,7 +24985,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24993,7 +24993,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25001,7 +25001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25009,7 +25009,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25017,7 +25017,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25025,7 +25025,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25033,7 +25033,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25041,7 +25041,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25049,7 +25049,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25057,7 +25057,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25065,7 +25065,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25073,7 +25073,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25081,7 +25081,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25089,7 +25089,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25097,7 +25097,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25105,7 +25105,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25113,7 +25113,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25121,7 +25121,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25129,7 +25129,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25137,7 +25137,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25145,7 +25145,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25153,7 +25153,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25161,7 +25161,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25169,7 +25169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25177,7 +25177,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25185,7 +25185,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25193,7 +25193,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25201,7 +25201,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25209,7 +25209,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25217,7 +25217,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25225,7 +25225,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25233,7 +25233,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25241,7 +25241,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25249,7 +25249,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25257,7 +25257,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25265,7 +25265,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25273,7 +25273,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25281,7 +25281,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25289,7 +25289,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25297,7 +25297,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25305,7 +25305,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25313,7 +25313,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25321,7 +25321,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25329,7 +25329,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25337,7 +25337,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25345,7 +25345,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25353,7 +25353,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25361,7 +25361,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25369,7 +25369,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25377,7 +25377,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25385,7 +25385,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25393,7 +25393,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25401,7 +25401,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25409,7 +25409,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25417,7 +25417,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25425,7 +25425,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25433,7 +25433,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25441,7 +25441,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25449,7 +25449,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25457,7 +25457,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25465,7 +25465,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25473,7 +25473,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25481,7 +25481,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25489,7 +25489,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25497,7 +25497,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25505,7 +25505,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25513,7 +25513,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25521,7 +25521,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25529,7 +25529,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25537,7 +25537,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25545,7 +25545,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25553,7 +25553,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25561,7 +25561,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25569,7 +25569,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25577,7 +25577,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25585,7 +25585,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25593,7 +25593,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25601,7 +25601,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25609,7 +25609,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25617,7 +25617,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25625,7 +25625,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25633,7 +25633,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25641,7 +25641,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25649,7 +25649,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25657,7 +25657,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25665,7 +25665,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25673,7 +25673,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25681,7 +25681,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25689,7 +25689,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25697,7 +25697,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25705,7 +25705,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25713,7 +25713,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25721,7 +25721,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25729,7 +25729,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25737,7 +25737,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25745,7 +25745,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25753,7 +25753,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25761,7 +25761,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25769,7 +25769,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25777,7 +25777,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25785,7 +25785,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25793,7 +25793,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25801,7 +25801,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25809,7 +25809,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25817,7 +25817,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25825,7 +25825,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25833,7 +25833,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25841,7 +25841,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25849,7 +25849,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25857,7 +25857,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25865,7 +25865,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25873,7 +25873,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25881,7 +25881,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25889,7 +25889,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25897,7 +25897,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25905,7 +25905,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25913,7 +25913,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25921,7 +25921,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25929,7 +25929,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25937,7 +25937,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25945,7 +25945,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25953,7 +25953,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25961,7 +25961,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25969,7 +25969,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25977,7 +25977,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25985,7 +25985,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -25993,7 +25993,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26001,7 +26001,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26009,7 +26009,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26017,7 +26017,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26025,7 +26025,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26033,7 +26033,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26041,7 +26041,7 @@ attack-objects: tags: [] - attack-object-id: T1090.004 attack-object-name: Domain Fronting - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26049,7 +26049,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26057,7 +26057,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26065,7 +26065,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26073,7 +26073,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26081,7 +26081,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26089,7 +26089,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26097,7 +26097,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26105,7 +26105,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -26113,7 +26113,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26121,7 +26121,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26129,7 +26129,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26137,7 +26137,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26145,7 +26145,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26153,7 +26153,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26161,7 +26161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26169,7 +26169,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26177,7 +26177,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26185,7 +26185,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26193,7 +26193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26201,7 +26201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26209,7 +26209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26217,7 +26217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26225,7 +26225,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26233,7 +26233,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26241,7 +26241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26249,7 +26249,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26257,7 +26257,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26265,7 +26265,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26273,7 +26273,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26281,7 +26281,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26289,7 +26289,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26297,7 +26297,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26305,7 +26305,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26313,7 +26313,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26321,7 +26321,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26329,7 +26329,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26337,7 +26337,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26345,7 +26345,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26353,7 +26353,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26361,7 +26361,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26369,7 +26369,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26377,7 +26377,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26385,7 +26385,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26393,7 +26393,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26401,7 +26401,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26409,7 +26409,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26417,7 +26417,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26425,7 +26425,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26433,7 +26433,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26441,7 +26441,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26449,7 +26449,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26457,7 +26457,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26465,7 +26465,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26473,7 +26473,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26481,7 +26481,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26489,7 +26489,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26497,7 +26497,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26505,7 +26505,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26513,7 +26513,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26521,7 +26521,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26529,7 +26529,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26537,7 +26537,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26545,7 +26545,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26553,7 +26553,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26561,7 +26561,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26569,7 +26569,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26577,7 +26577,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26585,7 +26585,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26593,7 +26593,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26601,7 +26601,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26609,7 +26609,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26617,7 +26617,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26625,7 +26625,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26633,7 +26633,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26641,7 +26641,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26649,7 +26649,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26657,7 +26657,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26665,7 +26665,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26673,7 +26673,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26681,7 +26681,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26689,7 +26689,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26697,7 +26697,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26705,7 +26705,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26713,7 +26713,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26721,7 +26721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26729,7 +26729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: LD_PRELOAD - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26737,7 +26737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26745,7 +26745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26753,7 +26753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26761,7 +26761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26769,7 +26769,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26777,7 +26777,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26785,7 +26785,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26793,7 +26793,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26801,7 +26801,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -26809,7 +26809,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26817,7 +26817,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26825,7 +26825,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26833,7 +26833,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26841,7 +26841,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26849,7 +26849,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26857,7 +26857,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26865,7 +26865,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26873,7 +26873,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26881,7 +26881,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26889,7 +26889,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26897,7 +26897,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26905,7 +26905,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26913,7 +26913,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26921,7 +26921,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26929,7 +26929,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26937,7 +26937,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26945,7 +26945,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26953,7 +26953,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26961,7 +26961,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26969,7 +26969,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26977,7 +26977,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26985,7 +26985,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -26993,7 +26993,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27001,7 +27001,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -27009,7 +27009,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -27017,7 +27017,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -27025,7 +27025,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -27033,7 +27033,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -27041,7 +27041,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -27049,7 +27049,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27057,7 +27057,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27065,7 +27065,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27073,7 +27073,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27081,7 +27081,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27089,7 +27089,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27097,7 +27097,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27105,7 +27105,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27113,7 +27113,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27121,7 +27121,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27129,7 +27129,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27137,7 +27137,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27145,7 +27145,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27153,7 +27153,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27161,7 +27161,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27169,7 +27169,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27177,7 +27177,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27185,7 +27185,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27193,7 +27193,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27201,7 +27201,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27209,7 +27209,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27217,7 +27217,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27225,7 +27225,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27233,7 +27233,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27241,7 +27241,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27249,7 +27249,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27257,7 +27257,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27265,7 +27265,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27273,7 +27273,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27281,7 +27281,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27289,7 +27289,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27297,7 +27297,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27305,7 +27305,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27313,7 +27313,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27321,7 +27321,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27329,7 +27329,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27337,7 +27337,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27345,7 +27345,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -27353,7 +27353,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27361,7 +27361,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27369,7 +27369,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27377,7 +27377,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27385,7 +27385,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27393,7 +27393,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27401,7 +27401,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27409,7 +27409,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -27417,7 +27417,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27425,7 +27425,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27433,7 +27433,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27441,7 +27441,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27449,7 +27449,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27457,7 +27457,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27465,7 +27465,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27473,7 +27473,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27481,7 +27481,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27489,7 +27489,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27497,7 +27497,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27505,7 +27505,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27513,7 +27513,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27521,7 +27521,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27529,7 +27529,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27537,7 +27537,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27545,7 +27545,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27553,7 +27553,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27561,7 +27561,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27569,7 +27569,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27577,7 +27577,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27585,7 +27585,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27593,7 +27593,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27601,7 +27601,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27609,7 +27609,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27617,7 +27617,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27625,7 +27625,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27633,7 +27633,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27641,7 +27641,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27649,7 +27649,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27657,7 +27657,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27665,7 +27665,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27673,7 +27673,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27681,7 +27681,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27689,7 +27689,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27697,7 +27697,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27705,7 +27705,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27713,7 +27713,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27721,7 +27721,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27729,7 +27729,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27737,7 +27737,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27745,7 +27745,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27753,7 +27753,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27761,7 +27761,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27769,7 +27769,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27777,7 +27777,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27785,7 +27785,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27793,7 +27793,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27801,7 +27801,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27809,7 +27809,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27817,7 +27817,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27825,7 +27825,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27833,7 +27833,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27841,7 +27841,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27849,7 +27849,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27857,7 +27857,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27865,7 +27865,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27873,7 +27873,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27881,7 +27881,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27889,7 +27889,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27897,7 +27897,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -27905,7 +27905,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27913,7 +27913,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27921,7 +27921,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27929,7 +27929,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27937,7 +27937,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27945,7 +27945,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27953,7 +27953,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -27961,7 +27961,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27969,7 +27969,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27977,7 +27977,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27985,7 +27985,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -27993,7 +27993,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28001,7 +28001,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28009,7 +28009,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28017,7 +28017,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28025,7 +28025,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28033,7 +28033,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28041,7 +28041,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28049,7 +28049,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28057,7 +28057,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28065,7 +28065,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28073,7 +28073,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28081,7 +28081,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28089,7 +28089,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28097,7 +28097,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28105,7 +28105,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28113,7 +28113,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28121,7 +28121,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28129,7 +28129,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28137,7 +28137,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28145,7 +28145,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28153,7 +28153,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28161,7 +28161,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28169,7 +28169,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28177,7 +28177,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28185,7 +28185,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28193,7 +28193,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28201,7 +28201,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28209,7 +28209,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28217,7 +28217,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28225,7 +28225,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28233,7 +28233,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28241,7 +28241,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28249,7 +28249,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28257,7 +28257,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28265,7 +28265,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28273,7 +28273,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28281,7 +28281,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28289,7 +28289,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28297,7 +28297,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28305,7 +28305,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28313,7 +28313,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28321,7 +28321,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28329,7 +28329,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28337,7 +28337,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28345,7 +28345,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28353,7 +28353,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28361,7 +28361,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28369,7 +28369,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28377,7 +28377,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28385,7 +28385,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28393,7 +28393,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28401,7 +28401,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28409,7 +28409,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28417,7 +28417,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28425,7 +28425,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28433,7 +28433,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28441,7 +28441,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28449,7 +28449,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28457,7 +28457,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28465,7 +28465,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28473,7 +28473,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28481,7 +28481,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28489,7 +28489,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28497,7 +28497,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28505,7 +28505,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28513,7 +28513,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28521,7 +28521,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28529,7 +28529,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28537,7 +28537,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28545,7 +28545,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28553,7 +28553,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28561,7 +28561,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28569,7 +28569,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28577,7 +28577,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28585,7 +28585,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28593,7 +28593,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28601,7 +28601,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28609,7 +28609,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28617,7 +28617,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28625,7 +28625,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28633,7 +28633,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28641,7 +28641,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28649,7 +28649,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28657,7 +28657,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28665,7 +28665,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28673,7 +28673,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28681,7 +28681,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28689,7 +28689,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28697,7 +28697,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28705,7 +28705,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28713,7 +28713,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28721,7 +28721,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28729,7 +28729,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28737,7 +28737,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28745,7 +28745,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28753,7 +28753,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28761,7 +28761,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28769,7 +28769,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28777,7 +28777,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28785,7 +28785,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28793,7 +28793,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28801,7 +28801,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28809,7 +28809,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28817,7 +28817,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28825,7 +28825,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28833,7 +28833,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28841,7 +28841,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28849,7 +28849,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28857,7 +28857,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28865,7 +28865,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28873,7 +28873,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28881,7 +28881,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28889,7 +28889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28897,7 +28897,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28905,7 +28905,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28913,7 +28913,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28921,7 +28921,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28929,7 +28929,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28937,7 +28937,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28945,7 +28945,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28953,7 +28953,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28961,7 +28961,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28969,7 +28969,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28977,7 +28977,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28985,7 +28985,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -28993,7 +28993,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29001,7 +29001,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29009,7 +29009,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29017,7 +29017,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29025,7 +29025,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29033,7 +29033,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29041,7 +29041,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29049,7 +29049,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29057,7 +29057,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29065,7 +29065,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29073,7 +29073,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29081,7 +29081,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29089,7 +29089,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29097,7 +29097,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29105,7 +29105,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29113,7 +29113,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29121,7 +29121,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29129,7 +29129,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29137,7 +29137,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29145,7 +29145,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29153,7 +29153,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29161,7 +29161,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29169,7 +29169,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29177,7 +29177,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29185,7 +29185,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29193,7 +29193,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29201,7 +29201,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29209,7 +29209,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29217,7 +29217,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29225,7 +29225,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29233,7 +29233,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29241,7 +29241,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29249,7 +29249,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29257,7 +29257,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29265,7 +29265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29273,7 +29273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29281,7 +29281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29289,7 +29289,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29297,7 +29297,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29305,7 +29305,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29313,7 +29313,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29321,7 +29321,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29329,7 +29329,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29337,7 +29337,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29345,7 +29345,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29353,7 +29353,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29361,7 +29361,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29369,7 +29369,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29377,7 +29377,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29385,7 +29385,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29393,7 +29393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29401,7 +29401,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29409,7 +29409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29417,7 +29417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29425,7 +29425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29433,7 +29433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29441,7 +29441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29449,7 +29449,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29457,7 +29457,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29465,7 +29465,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29473,7 +29473,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29481,7 +29481,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29489,7 +29489,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29497,7 +29497,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29505,7 +29505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29513,7 +29513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29521,7 +29521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29529,7 +29529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29537,7 +29537,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29545,7 +29545,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29553,7 +29553,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29561,7 +29561,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29569,7 +29569,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29577,7 +29577,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29585,7 +29585,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29593,7 +29593,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29601,7 +29601,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29609,7 +29609,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29617,7 +29617,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29625,7 +29625,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29633,7 +29633,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29641,7 +29641,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29649,7 +29649,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29657,7 +29657,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29665,7 +29665,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29673,7 +29673,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29681,7 +29681,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29689,7 +29689,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29697,7 +29697,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29705,7 +29705,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29713,7 +29713,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29721,7 +29721,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29729,7 +29729,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29737,7 +29737,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29745,7 +29745,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29753,7 +29753,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29761,7 +29761,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29769,7 +29769,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29777,7 +29777,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29785,7 +29785,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29793,7 +29793,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29801,7 +29801,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29809,7 +29809,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29817,7 +29817,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29825,7 +29825,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29833,7 +29833,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29841,7 +29841,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29849,7 +29849,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29857,7 +29857,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29865,7 +29865,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29873,7 +29873,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29881,7 +29881,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29889,7 +29889,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29897,7 +29897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29905,7 +29905,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29913,7 +29913,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29921,7 +29921,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29929,7 +29929,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29937,7 +29937,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29945,7 +29945,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29953,7 +29953,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29961,7 +29961,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29969,7 +29969,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29977,7 +29977,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29985,7 +29985,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -29993,7 +29993,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30001,7 +30001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30009,7 +30009,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30017,7 +30017,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30025,7 +30025,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30033,7 +30033,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30041,7 +30041,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30049,7 +30049,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30057,7 +30057,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30065,7 +30065,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30073,7 +30073,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30081,7 +30081,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30089,7 +30089,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30097,7 +30097,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30105,7 +30105,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30113,7 +30113,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30121,7 +30121,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30129,7 +30129,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30137,7 +30137,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30145,7 +30145,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30153,7 +30153,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30161,7 +30161,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30169,7 +30169,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30177,7 +30177,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30185,7 +30185,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30193,7 +30193,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30201,7 +30201,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30209,7 +30209,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30217,7 +30217,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30225,7 +30225,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30233,7 +30233,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30241,7 +30241,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30249,7 +30249,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30257,7 +30257,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30265,7 +30265,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30273,7 +30273,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30281,7 +30281,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30289,7 +30289,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30297,7 +30297,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30305,7 +30305,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30313,7 +30313,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30321,7 +30321,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30329,7 +30329,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30337,7 +30337,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30345,7 +30345,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30353,7 +30353,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30361,7 +30361,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30369,7 +30369,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30377,7 +30377,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30385,7 +30385,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30393,7 +30393,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30401,7 +30401,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30409,7 +30409,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30417,7 +30417,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30425,7 +30425,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30433,7 +30433,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30441,7 +30441,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30449,7 +30449,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30457,7 +30457,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30465,7 +30465,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30473,7 +30473,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30481,7 +30481,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30489,7 +30489,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30497,7 +30497,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30505,7 +30505,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30513,7 +30513,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30521,7 +30521,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30529,7 +30529,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30537,7 +30537,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30545,7 +30545,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30553,7 +30553,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30561,7 +30561,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30569,7 +30569,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30577,7 +30577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30585,7 +30585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30593,7 +30593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30601,7 +30601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30609,7 +30609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30617,7 +30617,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30625,7 +30625,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30633,7 +30633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30641,7 +30641,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30649,7 +30649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30657,7 +30657,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30665,7 +30665,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30673,7 +30673,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30681,7 +30681,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30689,7 +30689,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30697,7 +30697,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30705,7 +30705,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30713,7 +30713,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30721,7 +30721,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30729,7 +30729,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30737,7 +30737,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30745,7 +30745,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30753,7 +30753,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30761,7 +30761,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30769,7 +30769,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30777,7 +30777,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30785,7 +30785,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30793,7 +30793,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30801,7 +30801,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30809,7 +30809,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30817,7 +30817,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30825,7 +30825,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30833,7 +30833,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30841,7 +30841,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30849,7 +30849,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30857,7 +30857,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30865,7 +30865,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30873,7 +30873,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30881,7 +30881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30889,7 +30889,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30897,7 +30897,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30905,7 +30905,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30913,7 +30913,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30921,7 +30921,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30929,7 +30929,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30937,7 +30937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30945,7 +30945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30953,7 +30953,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30961,7 +30961,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30969,7 +30969,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30977,7 +30977,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30985,7 +30985,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30993,7 +30993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31001,7 +31001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31009,7 +31009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31017,7 +31017,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31025,7 +31025,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31033,7 +31033,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31041,7 +31041,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31049,7 +31049,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31057,7 +31057,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31065,7 +31065,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31073,7 +31073,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31081,7 +31081,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31089,7 +31089,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31097,7 +31097,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31105,7 +31105,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31113,7 +31113,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31121,7 +31121,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31129,7 +31129,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31137,7 +31137,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31145,7 +31145,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31153,7 +31153,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31161,7 +31161,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31169,7 +31169,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31177,7 +31177,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31185,7 +31185,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31193,7 +31193,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31201,7 +31201,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31209,7 +31209,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31217,7 +31217,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31225,7 +31225,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31233,7 +31233,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31241,7 +31241,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31249,7 +31249,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31257,7 +31257,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31265,7 +31265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31273,7 +31273,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31281,7 +31281,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31289,7 +31289,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31297,7 +31297,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31305,7 +31305,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31313,7 +31313,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31321,7 +31321,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31329,7 +31329,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31337,7 +31337,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31345,7 +31345,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31353,7 +31353,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31361,7 +31361,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31369,7 +31369,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31377,7 +31377,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31385,7 +31385,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31393,7 +31393,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31401,7 +31401,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31409,7 +31409,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31417,7 +31417,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31425,7 +31425,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31433,7 +31433,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31441,7 +31441,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31449,7 +31449,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31457,7 +31457,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31465,7 +31465,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31473,7 +31473,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31481,7 +31481,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31489,7 +31489,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31497,7 +31497,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31505,7 +31505,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31513,7 +31513,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31521,7 +31521,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31529,7 +31529,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31537,7 +31537,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31545,7 +31545,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31553,7 +31553,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31561,7 +31561,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31569,7 +31569,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31577,7 +31577,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31585,7 +31585,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31593,7 +31593,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31601,7 +31601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31609,7 +31609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31617,7 +31617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31625,7 +31625,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31633,7 +31633,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31641,7 +31641,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31649,7 +31649,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31657,7 +31657,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31665,7 +31665,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31673,7 +31673,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31681,7 +31681,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31689,7 +31689,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31697,7 +31697,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31705,7 +31705,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31713,7 +31713,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31721,7 +31721,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31729,7 +31729,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31737,7 +31737,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31745,7 +31745,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31753,7 +31753,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31761,7 +31761,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31769,7 +31769,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31777,7 +31777,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31785,7 +31785,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31793,7 +31793,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -31801,7 +31801,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -31809,7 +31809,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -31817,7 +31817,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -31825,7 +31825,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31833,7 +31833,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31841,7 +31841,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31849,7 +31849,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31857,7 +31857,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31865,7 +31865,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31873,7 +31873,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31881,7 +31881,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31889,7 +31889,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31897,7 +31897,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31905,7 +31905,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31913,7 +31913,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: Rc.common - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31921,7 +31921,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31929,7 +31929,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31937,7 +31937,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31945,7 +31945,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31953,7 +31953,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31961,7 +31961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31969,7 +31969,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31977,7 +31977,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31985,7 +31985,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -31993,7 +31993,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32001,7 +32001,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32009,7 +32009,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript/JScript - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32017,7 +32017,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32025,7 +32025,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32033,7 +32033,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32041,7 +32041,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32049,7 +32049,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32057,7 +32057,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32065,7 +32065,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32073,7 +32073,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32081,7 +32081,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32089,7 +32089,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32097,7 +32097,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32105,7 +32105,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32113,7 +32113,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32121,7 +32121,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32129,7 +32129,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32137,7 +32137,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32145,7 +32145,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32153,7 +32153,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32161,7 +32161,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32169,7 +32169,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32177,7 +32177,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32185,7 +32185,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32193,7 +32193,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32201,7 +32201,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32209,7 +32209,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32217,7 +32217,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32225,7 +32225,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32233,7 +32233,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32241,7 +32241,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32249,7 +32249,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32257,7 +32257,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32265,7 +32265,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32273,7 +32273,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32281,7 +32281,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32289,7 +32289,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32297,7 +32297,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32305,7 +32305,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32313,7 +32313,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32321,7 +32321,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32329,7 +32329,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32337,7 +32337,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32345,7 +32345,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32353,7 +32353,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32361,7 +32361,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32369,7 +32369,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32377,7 +32377,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32385,7 +32385,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32393,7 +32393,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32401,7 +32401,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32409,7 +32409,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32417,7 +32417,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32425,7 +32425,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32433,7 +32433,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32441,7 +32441,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32449,7 +32449,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32457,7 +32457,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32465,7 +32465,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32473,7 +32473,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32481,7 +32481,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32489,7 +32489,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32497,7 +32497,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32505,7 +32505,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32513,7 +32513,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32521,7 +32521,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32529,7 +32529,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32537,7 +32537,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32545,7 +32545,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32553,7 +32553,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32561,7 +32561,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32569,7 +32569,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32577,7 +32577,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32585,7 +32585,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32593,7 +32593,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32601,7 +32601,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32609,7 +32609,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32617,7 +32617,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: .bash_profile and .bashrc - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32625,7 +32625,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32633,7 +32633,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32641,7 +32641,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32649,7 +32649,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32657,7 +32657,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32665,7 +32665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32673,7 +32673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32681,7 +32681,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32689,7 +32689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32697,7 +32697,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32705,7 +32705,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32713,7 +32713,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32721,7 +32721,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32729,7 +32729,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32737,7 +32737,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32745,7 +32745,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32753,7 +32753,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32761,7 +32761,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32769,7 +32769,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32777,7 +32777,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32785,7 +32785,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32793,7 +32793,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32801,7 +32801,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32809,7 +32809,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32817,7 +32817,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32825,7 +32825,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32833,7 +32833,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32841,7 +32841,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32849,7 +32849,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32857,7 +32857,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32865,7 +32865,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32873,7 +32873,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32881,7 +32881,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32889,7 +32889,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32897,7 +32897,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32905,7 +32905,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32913,7 +32913,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32921,7 +32921,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32929,7 +32929,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32937,7 +32937,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32945,7 +32945,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32953,7 +32953,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32961,7 +32961,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32969,7 +32969,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32977,7 +32977,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32985,7 +32985,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -32993,7 +32993,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33001,7 +33001,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33009,7 +33009,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33017,7 +33017,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33025,7 +33025,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33033,7 +33033,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33041,7 +33041,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: LD_PRELOAD - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33049,7 +33049,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33057,7 +33057,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33065,7 +33065,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33073,7 +33073,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33081,7 +33081,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33089,7 +33089,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33097,7 +33097,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33105,7 +33105,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33113,7 +33113,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33121,7 +33121,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33129,7 +33129,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33137,7 +33137,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33145,7 +33145,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33153,7 +33153,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33161,7 +33161,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33169,7 +33169,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33177,7 +33177,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33185,7 +33185,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33193,7 +33193,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33201,7 +33201,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33209,7 +33209,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33217,7 +33217,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33225,7 +33225,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33233,7 +33233,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -33241,7 +33241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33249,7 +33249,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33257,7 +33257,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33265,7 +33265,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33273,7 +33273,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33281,7 +33281,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33289,7 +33289,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33297,7 +33297,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33305,7 +33305,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33313,7 +33313,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33321,7 +33321,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33329,7 +33329,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33337,7 +33337,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33345,7 +33345,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33353,7 +33353,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33361,7 +33361,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33369,7 +33369,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33377,7 +33377,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33385,7 +33385,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33393,7 +33393,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33401,7 +33401,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33409,7 +33409,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33417,7 +33417,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33425,7 +33425,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33433,7 +33433,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33441,7 +33441,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33449,7 +33449,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33457,7 +33457,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -33465,7 +33465,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -33473,7 +33473,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -33481,7 +33481,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -33489,7 +33489,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33497,7 +33497,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -33505,7 +33505,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -33513,7 +33513,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -33521,7 +33521,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_attack_objects.csv new file mode 100644 index 00000000..acab244b --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_attack_objects.csv 
@@ -0,0 +1,4192 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1137,Office Application Startup,[],[],,AC-10,mitigates,7 +1,,T1137.002,Office Test,[],[],,AC-10,mitigates,7 +2,,T1528,Steal Application Access Token,[],[],,AC-10,mitigates,7 +3,,T1021.001,Remote Desktop Protocol,[],[],,AC-11,mitigates,7 +4,,T1563.002,RDP Hijacking,[],[],,AC-11,mitigates,7 +5,,T1021.001,Remote Desktop Protocol,[],[],,AC-12,mitigates,7 +6,,T1072,Software Deployment Tools,[],[],,AC-12,mitigates,7 +7,,T1563.002,RDP Hijacking,[],[],,AC-12,mitigates,7 +8,,T1137.002,Office Test,[],[],,AC-14,mitigates,7 +9,,T1003,OS Credential Dumping,[],[],,AC-16,mitigates,7 +10,,T1003.003,NTDS,[],[],,AC-16,mitigates,7 +11,,T1020.001,Traffic Duplication,[],[],,AC-16,mitigates,7 +12,,T1040,Network Sniffing,[],[],,AC-16,mitigates,7 +13,,T1070,Indicator Removal on Host,[],[],,AC-16,mitigates,7 +14,,T1070.001,Clear Windows Event Logs,[],[],,AC-16,mitigates,7 +15,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-16,mitigates,7 +16,,T1114,Email Collection,[],[],,AC-16,mitigates,7 +17,,T1114.001,Local Email Collection,[],[],,AC-16,mitigates,7 +18,,T1114.002,Remote Email Collection,[],[],,AC-16,mitigates,7 +19,,T1114.003,Email Forwarding Rule,[],[],,AC-16,mitigates,7 +20,,T1119,Automated Collection,[],[],,AC-16,mitigates,7 +21,,T1204,User Execution,[],[],,AC-16,mitigates,7 +22,,T1204.001,Malicious Link,[],[],,AC-16,mitigates,7 +23,,T1204.002,Malicious File,[],[],,AC-16,mitigates,7 +24,,T1222,File and Directory Permissions Modification,[],[],,AC-16,mitigates,7 +25,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-16,mitigates,7 +26,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-16,mitigates,7 +27,,T1530,Data from Cloud Storage Object,[],[],,AC-16,mitigates,7 +28,,T1537,Transfer Data to Cloud Account,[],[],,AC-16,mitigates,7 +29,,T1547.007,Re-opened 
Applications,[],[],,AC-16,mitigates,7 +30,,T1547.011,Plist Modification,[],[],,AC-16,mitigates,7 +31,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-16,mitigates,7 +32,,T1548.003,Sudo and Sudo Caching,[],[],,AC-16,mitigates,7 +33,,T1550.001,Application Access Token,[],[],,AC-16,mitigates,7 +34,,T1552,Unsecured Credentials,[],[],,AC-16,mitigates,7 +35,,T1552.004,Private Keys,[],[],,AC-16,mitigates,7 +36,,T1552.005,Cloud Instance Metadata API,[],[],,AC-16,mitigates,7 +37,,T1557,Man-in-the-Middle,[],[],,AC-16,mitigates,7 +38,,T1557.002,ARP Cache Poisoning,[],[],,AC-16,mitigates,7 +39,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-16,mitigates,7 +40,,T1558.002,Silver Ticket,[],[],,AC-16,mitigates,7 +41,,T1558.003,Kerberoasting,[],[],,AC-16,mitigates,7 +42,,T1558.004,AS-REP Roasting,[],[],,AC-16,mitigates,7 +43,,T1564.004,NTFS File Attributes,[],[],,AC-16,mitigates,7 +44,,T1565,Data Manipulation,[],[],,AC-16,mitigates,7 +45,,T1565.001,Stored Data Manipulation,[],[],,AC-16,mitigates,7 +46,,T1565.002,Transmitted Data Manipulation,[],[],,AC-16,mitigates,7 +47,,T1602,Data from Configuration Repository,[],[],,AC-16,mitigates,7 +48,,T1602.001,SNMP (MIB Dump),[],[],,AC-16,mitigates,7 +49,,T1602.002,Network Device Configuration Dump,[],[],,AC-16,mitigates,7 +50,,T1020.001,Traffic Duplication,[],[],,AC-17,mitigates,7 +51,,T1021,Remote Services,[],[],,AC-17,mitigates,7 +52,,T1021.001,Remote Desktop Protocol,[],[],,AC-17,mitigates,7 +53,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-17,mitigates,7 +54,,T1021.003,Distributed Component Object Model,[],[],,AC-17,mitigates,7 +55,,T1021.004,SSH,[],[],,AC-17,mitigates,7 +56,,T1021.005,VNC,[],[],,AC-17,mitigates,7 +57,,T1021.006,Windows Remote Management,[],[],,AC-17,mitigates,7 +58,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-17,mitigates,7 +59,,T1037.001,Logon Script (Windows),[],[],,AC-17,mitigates,7 +60,,T1040,Network Sniffing,[],[],,AC-17,mitigates,7 +61,,T1047,Windows Management Instrumentation,[],[],,AC-17,mitigates,7 
+62,,T1070,Indicator Removal on Host,[],[],,AC-17,mitigates,7 +63,,T1070.001,Clear Windows Event Logs,[],[],,AC-17,mitigates,7 +64,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-17,mitigates,7 +65,,T1114,Email Collection,[],[],,AC-17,mitigates,7 +66,,T1114.001,Local Email Collection,[],[],,AC-17,mitigates,7 +67,,T1114.002,Remote Email Collection,[],[],,AC-17,mitigates,7 +68,,T1114.003,Email Forwarding Rule,[],[],,AC-17,mitigates,7 +69,,T1119,Automated Collection,[],[],,AC-17,mitigates,7 +70,,T1133,External Remote Services,[],[],,AC-17,mitigates,7 +71,,T1137,Office Application Startup,[],[],,AC-17,mitigates,7 +72,,T1137.002,Office Test,[],[],,AC-17,mitigates,7 +73,,T1204,User Execution,[],[],,AC-17,mitigates,7 +74,,T1204.001,Malicious Link,[],[],,AC-17,mitigates,7 +75,,T1204.002,Malicious File,[],[],,AC-17,mitigates,7 +76,,T1219,Remote Access Software,[],[],,AC-17,mitigates,7 +77,,T1530,Data from Cloud Storage Object,[],[],,AC-17,mitigates,7 +78,,T1537,Transfer Data to Cloud Account,[],[],,AC-17,mitigates,7 +79,,T1543,Create or Modify System Process,[],[],,AC-17,mitigates,7 +80,,T1543.003,Windows Service,[],[],,AC-17,mitigates,7 +81,,T1550.001,Application Access Token,[],[],,AC-17,mitigates,7 +82,,T1552,Unsecured Credentials,[],[],,AC-17,mitigates,7 +83,,T1552.004,Private Keys,[],[],,AC-17,mitigates,7 +84,,T1557,Man-in-the-Middle,[],[],,AC-17,mitigates,7 +85,,T1557.002,ARP Cache Poisoning,[],[],,AC-17,mitigates,7 +86,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-17,mitigates,7 +87,,T1558.002,Silver Ticket,[],[],,AC-17,mitigates,7 +88,,T1558.003,Kerberoasting,[],[],,AC-17,mitigates,7 +89,,T1558.004,AS-REP Roasting,[],[],,AC-17,mitigates,7 +90,,T1563,Remote Service Session Hijacking,[],[],,AC-17,mitigates,7 +91,,T1563.001,SSH Hijacking,[],[],,AC-17,mitigates,7 +92,,T1563.002,RDP Hijacking,[],[],,AC-17,mitigates,7 +93,,T1565,Data Manipulation,[],[],,AC-17,mitigates,7 +94,,T1565.001,Stored Data Manipulation,[],[],,AC-17,mitigates,7 +95,,T1565.002,Transmitted 
Data Manipulation,[],[],,AC-17,mitigates,7 +96,,T1602,Data from Configuration Repository,[],[],,AC-17,mitigates,7 +97,,T1602.001,SNMP (MIB Dump),[],[],,AC-17,mitigates,7 +98,,T1602.002,Network Device Configuration Dump,[],[],,AC-17,mitigates,7 +99,,T1011,Exfiltration Over Other Network Medium,[],[],,AC-18,mitigates,7 +100,,T1011.001,Exfiltration Over Bluetooth,[],[],,AC-18,mitigates,7 +101,,T1020.001,Traffic Duplication,[],[],,AC-18,mitigates,7 +102,,T1040,Network Sniffing,[],[],,AC-18,mitigates,7 +103,,T1070,Indicator Removal on Host,[],[],,AC-18,mitigates,7 +104,,T1070.001,Clear Windows Event Logs,[],[],,AC-18,mitigates,7 +105,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-18,mitigates,7 +106,,T1119,Automated Collection,[],[],,AC-18,mitigates,7 +107,,T1530,Data from Cloud Storage Object,[],[],,AC-18,mitigates,7 +108,,T1552,Unsecured Credentials,[],[],,AC-18,mitigates,7 +109,,T1552.004,Private Keys,[],[],,AC-18,mitigates,7 +110,,T1557,Man-in-the-Middle,[],[],,AC-18,mitigates,7 +111,,T1557.002,ARP Cache Poisoning,[],[],,AC-18,mitigates,7 +112,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-18,mitigates,7 +113,,T1558.002,Silver Ticket,[],[],,AC-18,mitigates,7 +114,,T1558.003,Kerberoasting,[],[],,AC-18,mitigates,7 +115,,T1558.004,AS-REP Roasting,[],[],,AC-18,mitigates,7 +116,,T1565,Data Manipulation,[],[],,AC-18,mitigates,7 +117,,T1565.001,Stored Data Manipulation,[],[],,AC-18,mitigates,7 +118,,T1565.002,Transmitted Data Manipulation,[],[],,AC-18,mitigates,7 +119,,T1602,Data from Configuration Repository,[],[],,AC-18,mitigates,7 +120,,T1602.001,SNMP (MIB Dump),[],[],,AC-18,mitigates,7 +121,,T1602.002,Network Device Configuration Dump,[],[],,AC-18,mitigates,7 +122,,T1020.001,Traffic Duplication,[],[],,AC-19,mitigates,7 +123,,T1040,Network Sniffing,[],[],,AC-19,mitigates,7 +124,,T1070,Indicator Removal on Host,[],[],,AC-19,mitigates,7 +125,,T1070.001,Clear Windows Event Logs,[],[],,AC-19,mitigates,7 +126,,T1070.002,Clear Linux or Mac System 
Logs,[],[],,AC-19,mitigates,7 +127,,T1114,Email Collection,[],[],,AC-19,mitigates,7 +128,,T1114.001,Local Email Collection,[],[],,AC-19,mitigates,7 +129,,T1114.002,Remote Email Collection,[],[],,AC-19,mitigates,7 +130,,T1114.003,Email Forwarding Rule,[],[],,AC-19,mitigates,7 +131,,T1119,Automated Collection,[],[],,AC-19,mitigates,7 +132,,T1530,Data from Cloud Storage Object,[],[],,AC-19,mitigates,7 +133,,T1550.001,Application Access Token,[],[],,AC-19,mitigates,7 +134,,T1552,Unsecured Credentials,[],[],,AC-19,mitigates,7 +135,,T1552.004,Private Keys,[],[],,AC-19,mitigates,7 +136,,T1557,Man-in-the-Middle,[],[],,AC-19,mitigates,7 +137,,T1557.002,ARP Cache Poisoning,[],[],,AC-19,mitigates,7 +138,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-19,mitigates,7 +139,,T1558.002,Silver Ticket,[],[],,AC-19,mitigates,7 +140,,T1558.003,Kerberoasting,[],[],,AC-19,mitigates,7 +141,,T1558.004,AS-REP Roasting,[],[],,AC-19,mitigates,7 +142,,T1565,Data Manipulation,[],[],,AC-19,mitigates,7 +143,,T1565.001,Stored Data Manipulation,[],[],,AC-19,mitigates,7 +144,,T1565.002,Transmitted Data Manipulation,[],[],,AC-19,mitigates,7 +145,,T1602,Data from Configuration Repository,[],[],,AC-19,mitigates,7 +146,,T1602.001,SNMP (MIB Dump),[],[],,AC-19,mitigates,7 +147,,T1602.002,Network Device Configuration Dump,[],[],,AC-19,mitigates,7 +148,,T1003,OS Credential Dumping,[],[],,AC-2,mitigates,7 +149,,T1003.001,LSASS Memory,[],[],,AC-2,mitigates,7 +150,,T1003.002,Security Account Manager,[],[],,AC-2,mitigates,7 +151,,T1003.003,NTDS,[],[],,AC-2,mitigates,7 +152,,T1003.004,LSA Secrets,[],[],,AC-2,mitigates,7 +153,,T1003.005,Cached Domain Credentials,[],[],,AC-2,mitigates,7 +154,,T1003.006,DCSync,[],[],,AC-2,mitigates,7 +155,,T1003.007,Proc Filesystem,[],[],,AC-2,mitigates,7 +156,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-2,mitigates,7 +157,,T1021,Remote Services,[],[],,AC-2,mitigates,7 +158,,T1021.001,Remote Desktop Protocol,[],[],,AC-2,mitigates,7 +159,,T1021.002,SMB/Windows Admin 
Shares,[],[],,AC-2,mitigates,7 +160,,T1021.003,Distributed Component Object Model,[],[],,AC-2,mitigates,7 +161,,T1021.004,SSH,[],[],,AC-2,mitigates,7 +162,,T1021.005,VNC,[],[],,AC-2,mitigates,7 +163,,T1021.006,Windows Remote Management,[],[],,AC-2,mitigates,7 +164,,T1036,Masquerading,[],[],,AC-2,mitigates,7 +165,,T1036.003,Rename System Utilities,[],[],,AC-2,mitigates,7 +166,,T1036.005,Match Legitimate Name or Location,[],[],,AC-2,mitigates,7 +167,,T1047,Windows Management Instrumentation,[],[],,AC-2,mitigates,7 +168,,T1053,Scheduled Task/Job,[],[],,AC-2,mitigates,7 +169,,T1053.001,At (Linux),[],[],,AC-2,mitigates,7 +170,,T1053.002,At (Windows),[],[],,AC-2,mitigates,7 +171,,T1053.003,Cron,[],[],,AC-2,mitigates,7 +172,,T1053.004,Launchd,[],[],,AC-2,mitigates,7 +173,,T1053.005,Scheduled Task,[],[],,AC-2,mitigates,7 +174,,T1053.006,Systemd Timers,[],[],,AC-2,mitigates,7 +175,,T1055,Process Injection,[],[],,AC-2,mitigates,7 +176,,T1055.008,Ptrace System Calls,[],[],,AC-2,mitigates,7 +177,,T1056.003,Web Portal Capture,[],[],,AC-2,mitigates,7 +178,,T1059,Command and Scripting Interpreter,[],[],,AC-2,mitigates,7 +179,,T1059.001,PowerShell,[],[],,AC-2,mitigates,7 +180,,T1059.008,Network Device CLI,[],[],,AC-2,mitigates,7 +181,,T1068,Exploitation for Privilege Escalation,[],[],,AC-2,mitigates,7 +182,,T1070,Indicator Removal on Host,[],[],,AC-2,mitigates,7 +183,,T1070.001,Clear Windows Event Logs,[],[],,AC-2,mitigates,7 +184,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-2,mitigates,7 +185,,T1070.003,Clear Command History,[],[],,AC-2,mitigates,7 +186,,T1072,Software Deployment Tools,[],[],,AC-2,mitigates,7 +187,,T1078,Valid Accounts,[],[],,AC-2,mitigates,7 +188,,T1078.001,Default Accounts,[],[],,AC-2,mitigates,7 +189,,T1078.002,Domain Accounts,[],[],,AC-2,mitigates,7 +190,,T1078.003,Local Accounts,[],[],,AC-2,mitigates,7 +191,,T1078.004,Cloud Accounts,[],[],,AC-2,mitigates,7 +192,,T1087.004,Cloud Account,[],[],,AC-2,mitigates,7 +193,,T1098,Account 
Manipulation,[],[],,AC-2,mitigates,7 +194,,T1098.001,Additional Cloud Credentials,[],[],,AC-2,mitigates,7 +195,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-2,mitigates,7 +196,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-2,mitigates,7 +197,,T1110,Brute Force,[],[],,AC-2,mitigates,7 +198,,T1110.001,Password Guessing,[],[],,AC-2,mitigates,7 +199,,T1110.002,Password Cracking,[],[],,AC-2,mitigates,7 +200,,T1110.003,Password Spraying,[],[],,AC-2,mitigates,7 +201,,T1110.004,Credential Stuffing,[],[],,AC-2,mitigates,7 +202,,T1134,Access Token Manipulation,[],[],,AC-2,mitigates,7 +203,,T1134.001,Token Impersonation/Theft,[],[],,AC-2,mitigates,7 +204,,T1134.002,Create Process with Token,[],[],,AC-2,mitigates,7 +205,,T1134.003,Make and Impersonate Token,[],[],,AC-2,mitigates,7 +206,,T1136,Create Account,[],[],,AC-2,mitigates,7 +207,,T1136.001,Local Account,[],[],,AC-2,mitigates,7 +208,,T1136.002,Domain Account,[],[],,AC-2,mitigates,7 +209,,T1136.003,Cloud Account,[],[],,AC-2,mitigates,7 +210,,T1185,Man in the Browser,[],[],,AC-2,mitigates,7 +211,,T1190,Exploit Public-Facing Application,[],[],,AC-2,mitigates,7 +212,,T1197,BITS Jobs,[],[],,AC-2,mitigates,7 +213,,T1204,User Execution,[],[],,AC-2,mitigates,7 +214,,T1204.001,Malicious Link,[],[],,AC-2,mitigates,7 +215,,T1204.002,Malicious File,[],[],,AC-2,mitigates,7 +216,,T1210,Exploitation of Remote Services,[],[],,AC-2,mitigates,7 +217,,T1212,Exploitation for Credential Access,[],[],,AC-2,mitigates,7 +218,,T1213,Data from Information Repositories,[],[],,AC-2,mitigates,7 +219,,T1213.001,Confluence,[],[],,AC-2,mitigates,7 +220,,T1213.002,Sharepoint,[],[],,AC-2,mitigates,7 +221,,T1218,Signed Binary Proxy Execution,[],[],,AC-2,mitigates,7 +222,,T1218.007,Msiexec,[],[],,AC-2,mitigates,7 +223,,T1222,File and Directory Permissions Modification,[],[],,AC-2,mitigates,7 +224,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-2,mitigates,7 +225,,T1222.002,Linux and Mac File and Directory 
Permissions Modification,[],[],,AC-2,mitigates,7 +226,,T1484,Domain Policy Modification,[],[],,AC-2,mitigates,7 +227,,T1489,Service Stop,[],[],,AC-2,mitigates,7 +228,,T1495,Firmware Corruption,[],[],,AC-2,mitigates,7 +229,,T1505,Server Software Component,[],[],,AC-2,mitigates,7 +230,,T1505.001,SQL Stored Procedures,[],[],,AC-2,mitigates,7 +231,,T1505.002,Transport Agent,[],[],,AC-2,mitigates,7 +232,,T1525,Implant Container Image,[],[],,AC-2,mitigates,7 +233,,T1528,Steal Application Access Token,[],[],,AC-2,mitigates,7 +234,,T1530,Data from Cloud Storage Object,[],[],,AC-2,mitigates,7 +235,,T1537,Transfer Data to Cloud Account,[],[],,AC-2,mitigates,7 +236,,T1538,Cloud Service Dashboard,[],[],,AC-2,mitigates,7 +237,,T1542,Pre-OS Boot,[],[],,AC-2,mitigates,7 +238,,T1542.001,System Firmware,[],[],,AC-2,mitigates,7 +239,,T1542.003,Bootkit,[],[],,AC-2,mitigates,7 +240,,T1542.005,TFTP Boot,[],[],,AC-2,mitigates,7 +241,,T1543,Create or Modify System Process,[],[],,AC-2,mitigates,7 +242,,T1543.001,Launch Agent,[],[],,AC-2,mitigates,7 +243,,T1543.002,Systemd Service,[],[],,AC-2,mitigates,7 +244,,T1543.003,Windows Service,[],[],,AC-2,mitigates,7 +245,,T1543.004,Launch Daemon,[],[],,AC-2,mitigates,7 +246,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-2,mitigates,7 +247,,T1547.004,Winlogon Helper DLL,[],[],,AC-2,mitigates,7 +248,,T1547.006,Kernel Modules and Extensions,[],[],,AC-2,mitigates,7 +249,,T1547.009,Shortcut Modification,[],[],,AC-2,mitigates,7 +250,,T1547.012,Print Processors,[],[],,AC-2,mitigates,7 +251,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-2,mitigates,7 +252,,T1548.002,Bypass User Account Control,[],[],,AC-2,mitigates,7 +253,,T1548.003,Sudo and Sudo Caching,[],[],,AC-2,mitigates,7 +254,,T1550,Use Alternate Authentication Material,[],[],,AC-2,mitigates,7 +255,,T1550.002,Pass the Hash,[],[],,AC-2,mitigates,7 +256,,T1550.003,Pass the Ticket,[],[],,AC-2,mitigates,7 +257,,T1552,Unsecured Credentials,[],[],,AC-2,mitigates,7 
+258,,T1552.001,Credentials In Files,[],[],,AC-2,mitigates,7 +259,,T1552.002,Credentials in Registry,[],[],,AC-2,mitigates,7 +260,,T1552.004,Private Keys,[],[],,AC-2,mitigates,7 +261,,T1552.006,Group Policy Preferences,[],[],,AC-2,mitigates,7 +262,,T1556,Modify Authentication Process,[],[],,AC-2,mitigates,7 +263,,T1556.001,Domain Controller Authentication,[],[],,AC-2,mitigates,7 +264,,T1556.003,Pluggable Authentication Modules,[],[],,AC-2,mitigates,7 +265,,T1556.004,Network Device Authentication,[],[],,AC-2,mitigates,7 +266,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-2,mitigates,7 +267,,T1558.001,Golden Ticket,[],[],,AC-2,mitigates,7 +268,,T1558.002,Silver Ticket,[],[],,AC-2,mitigates,7 +269,,T1558.003,Kerberoasting,[],[],,AC-2,mitigates,7 +270,,T1558.004,AS-REP Roasting,[],[],,AC-2,mitigates,7 +271,,T1559,Inter-Process Communication,[],[],,AC-2,mitigates,7 +272,,T1559.001,Component Object Model,[],[],,AC-2,mitigates,7 +273,,T1562,Impair Defenses,[],[],,AC-2,mitigates,7 +274,,T1562.001,Disable or Modify Tools,[],[],,AC-2,mitigates,7 +275,,T1562.002,Disable Windows Event Logging,[],[],,AC-2,mitigates,7 +276,,T1562.004,Disable or Modify System Firewall,[],[],,AC-2,mitigates,7 +277,,T1562.006,Indicator Blocking,[],[],,AC-2,mitigates,7 +278,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-2,mitigates,7 +279,,T1562.008,Disable Cloud Logs,[],[],,AC-2,mitigates,7 +280,,T1563,Remote Service Session Hijacking,[],[],,AC-2,mitigates,7 +281,,T1563.001,SSH Hijacking,[],[],,AC-2,mitigates,7 +282,,T1563.002,RDP Hijacking,[],[],,AC-2,mitigates,7 +283,,T1569,System Services,[],[],,AC-2,mitigates,7 +284,,T1569.001,Launchctl,[],[],,AC-2,mitigates,7 +285,,T1569.002,Service Execution,[],[],,AC-2,mitigates,7 +286,,T1574,Hijack Execution Flow,[],[],,AC-2,mitigates,7 +287,,T1574.002,DLL Side-Loading,[],[],,AC-2,mitigates,7 +288,,T1574.004,Dylib Hijacking,[],[],,AC-2,mitigates,7 +289,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-2,mitigates,7 
+290,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-2,mitigates,7 +291,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-2,mitigates,7 +292,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-2,mitigates,7 +293,,T1574.010,Services File Permissions Weakness,[],[],,AC-2,mitigates,7 +294,,T1574.012,COR_PROFILER,[],[],,AC-2,mitigates,7 +295,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-2,mitigates,7 +296,,T1578.001,Create Snapshot,[],[],,AC-2,mitigates,7 +297,,T1578.002,Create Cloud Instance,[],[],,AC-2,mitigates,7 +298,,T1578.003,Delete Cloud Instance,[],[],,AC-2,mitigates,7 +299,,T1580,Cloud Infrastructure Discovery,[],[],,AC-2,mitigates,7 +300,,T1599,Network Boundary Bridging,[],[],,AC-2,mitigates,7 +301,,T1599.001,Network Address Translation Traversal,[],[],,AC-2,mitigates,7 +302,,T1601,Modify System Image,[],[],,AC-2,mitigates,7 +303,,T1601.001,Patch System Image,[],[],,AC-2,mitigates,7 +304,,T1601.002,Downgrade System Image,[],[],,AC-2,mitigates,7 +305,,T1020.001,Traffic Duplication,[],[],,AC-20,mitigates,7 +306,,T1021,Remote Services,[],[],,AC-20,mitigates,7 +307,,T1021.001,Remote Desktop Protocol,[],[],,AC-20,mitigates,7 +308,,T1021.004,SSH,[],[],,AC-20,mitigates,7 +309,,T1072,Software Deployment Tools,[],[],,AC-20,mitigates,7 +310,,T1078.002,Domain Accounts,[],[],,AC-20,mitigates,7 +311,,T1078.004,Cloud Accounts,[],[],,AC-20,mitigates,7 +312,,T1098.001,Additional Cloud Credentials,[],[],,AC-20,mitigates,7 +313,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-20,mitigates,7 +314,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-20,mitigates,7 +315,,T1110,Brute Force,[],[],,AC-20,mitigates,7 +316,,T1110.001,Password Guessing,[],[],,AC-20,mitigates,7 +317,,T1110.002,Password Cracking,[],[],,AC-20,mitigates,7 +318,,T1110.003,Password Spraying,[],[],,AC-20,mitigates,7 +319,,T1110.004,Credential Stuffing,[],[],,AC-20,mitigates,7 +320,,T1114,Email Collection,[],[],,AC-20,mitigates,7 
+321,,T1114.001,Local Email Collection,[],[],,AC-20,mitigates,7 +322,,T1114.002,Remote Email Collection,[],[],,AC-20,mitigates,7 +323,,T1114.003,Email Forwarding Rule,[],[],,AC-20,mitigates,7 +324,,T1119,Automated Collection,[],[],,AC-20,mitigates,7 +325,,T1133,External Remote Services,[],[],,AC-20,mitigates,7 +326,,T1134.005,SID-History Injection,[],[],,AC-20,mitigates,7 +327,,T1136,Create Account,[],[],,AC-20,mitigates,7 +328,,T1136.001,Local Account,[],[],,AC-20,mitigates,7 +329,,T1136.002,Domain Account,[],[],,AC-20,mitigates,7 +330,,T1136.003,Cloud Account,[],[],,AC-20,mitigates,7 +331,,T1200,Hardware Additions,[],[],,AC-20,mitigates,7 +332,,T1530,Data from Cloud Storage Object,[],[],,AC-20,mitigates,7 +333,,T1537,Transfer Data to Cloud Account,[],[],,AC-20,mitigates,7 +334,,T1539,Steal Web Session Cookie,[],[],,AC-20,mitigates,7 +335,,T1550.001,Application Access Token,[],[],,AC-20,mitigates,7 +336,,T1552,Unsecured Credentials,[],[],,AC-20,mitigates,7 +337,,T1552.004,Private Keys,[],[],,AC-20,mitigates,7 +338,,T1552.005,Cloud Instance Metadata API,[],[],,AC-20,mitigates,7 +339,,T1556,Modify Authentication Process,[],[],,AC-20,mitigates,7 +340,,T1556.001,Domain Controller Authentication,[],[],,AC-20,mitigates,7 +341,,T1556.003,Pluggable Authentication Modules,[],[],,AC-20,mitigates,7 +342,,T1556.004,Network Device Authentication,[],[],,AC-20,mitigates,7 +343,,T1557,Man-in-the-Middle,[],[],,AC-20,mitigates,7 +344,,T1557.002,ARP Cache Poisoning,[],[],,AC-20,mitigates,7 +345,,T1565,Data Manipulation,[],[],,AC-20,mitigates,7 +346,,T1565.001,Stored Data Manipulation,[],[],,AC-20,mitigates,7 +347,,T1565.002,Transmitted Data Manipulation,[],[],,AC-20,mitigates,7 +348,,T1567,Exfiltration Over Web Service,[],[],,AC-20,mitigates,7 +349,,T1567.001,Exfiltration to Code Repository,[],[],,AC-20,mitigates,7 +350,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-20,mitigates,7 +351,,T1602,Data from Configuration Repository,[],[],,AC-20,mitigates,7 +352,,T1602.001,SNMP (MIB 
Dump),[],[],,AC-20,mitigates,7 +353,,T1602.002,Network Device Configuration Dump,[],[],,AC-20,mitigates,7 +354,,T1204,User Execution,[],[],,AC-21,mitigates,7 +355,,T1204.001,Malicious Link,[],[],,AC-21,mitigates,7 +356,,T1204.002,Malicious File,[],[],,AC-21,mitigates,7 +357,,T1133,External Remote Services,[],[],,AC-23,mitigates,7 +358,,T1204,User Execution,[],[],,AC-23,mitigates,7 +359,,T1204.001,Malicious Link,[],[],,AC-23,mitigates,7 +360,,T1204.002,Malicious File,[],[],,AC-23,mitigates,7 +361,,T1003,OS Credential Dumping,[],[],,AC-3,mitigates,7 +362,,T1003.001,LSASS Memory,[],[],,AC-3,mitigates,7 +363,,T1003.002,Security Account Manager,[],[],,AC-3,mitigates,7 +364,,T1003.003,NTDS,[],[],,AC-3,mitigates,7 +365,,T1003.004,LSA Secrets,[],[],,AC-3,mitigates,7 +366,,T1003.005,Cached Domain Credentials,[],[],,AC-3,mitigates,7 +367,,T1003.006,DCSync,[],[],,AC-3,mitigates,7 +368,,T1003.007,Proc Filesystem,[],[],,AC-3,mitigates,7 +369,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-3,mitigates,7 +370,,T1021,Remote Services,[],[],,AC-3,mitigates,7 +371,,T1021.001,Remote Desktop Protocol,[],[],,AC-3,mitigates,7 +372,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-3,mitigates,7 +373,,T1021.003,Distributed Component Object Model,[],[],,AC-3,mitigates,7 +374,,T1021.004,SSH,[],[],,AC-3,mitigates,7 +375,,T1021.005,VNC,[],[],,AC-3,mitigates,7 +376,,T1021.006,Windows Remote Management,[],[],,AC-3,mitigates,7 +377,,T1036,Masquerading,[],[],,AC-3,mitigates,7 +378,,T1036.003,Rename System Utilities,[],[],,AC-3,mitigates,7 +379,,T1036.005,Match Legitimate Name or Location,[],[],,AC-3,mitigates,7 +380,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-3,mitigates,7 +381,,T1037.002,Logon Script (Mac),[],[],,AC-3,mitigates,7 +382,,T1037.003,Network Logon Script,[],[],,AC-3,mitigates,7 +383,,T1037.004,Rc.common,[],[],,AC-3,mitigates,7 +384,,T1037.005,Startup Items,[],[],,AC-3,mitigates,7 +385,,T1047,Windows Management Instrumentation,[],[],,AC-3,mitigates,7 +386,,T1048,Exfiltration 
Over Alternative Protocol,[],[],,AC-3,mitigates,7 +387,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,7 +388,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,7 +389,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-3,mitigates,7 +390,,T1052,Exfiltration Over Physical Medium,[],[],,AC-3,mitigates,7 +391,,T1052.001,Exfiltration over USB,[],[],,AC-3,mitigates,7 +392,,T1053,Scheduled Task/Job,[],[],,AC-3,mitigates,7 +393,,T1053.001,At (Linux),[],[],,AC-3,mitigates,7 +394,,T1053.002,At (Windows),[],[],,AC-3,mitigates,7 +395,,T1053.003,Cron,[],[],,AC-3,mitigates,7 +396,,T1053.004,Launchd,[],[],,AC-3,mitigates,7 +397,,T1053.005,Scheduled Task,[],[],,AC-3,mitigates,7 +398,,T1053.006,Systemd Timers,[],[],,AC-3,mitigates,7 +399,,T1055,Process Injection,[],[],,AC-3,mitigates,7 +400,,T1055.008,Ptrace System Calls,[],[],,AC-3,mitigates,7 +401,,T1055.009,Proc Memory,[],[],,AC-3,mitigates,7 +402,,T1056.003,Web Portal Capture,[],[],,AC-3,mitigates,7 +403,,T1059,Command and Scripting Interpreter,[],[],,AC-3,mitigates,7 +404,,T1059.001,PowerShell,[],[],,AC-3,mitigates,7 +405,,T1059.008,Network Device CLI,[],[],,AC-3,mitigates,7 +406,,T1070,Indicator Removal on Host,[],[],,AC-3,mitigates,7 +407,,T1070.001,Clear Windows Event Logs,[],[],,AC-3,mitigates,7 +408,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-3,mitigates,7 +409,,T1070.003,Clear Command History,[],[],,AC-3,mitigates,7 +410,,T1071.004,DNS,[],[],,AC-3,mitigates,7 +411,,T1072,Software Deployment Tools,[],[],,AC-3,mitigates,7 +412,,T1078,Valid Accounts,[],[],,AC-3,mitigates,7 +413,,T1078.002,Domain Accounts,[],[],,AC-3,mitigates,7 +414,,T1078.003,Local Accounts,[],[],,AC-3,mitigates,7 +415,,T1078.004,Cloud Accounts,[],[],,AC-3,mitigates,7 +416,,T1080,Taint Shared Content,[],[],,AC-3,mitigates,7 +417,,T1087.004,Cloud Account,[],[],,AC-3,mitigates,7 +418,,T1090,Proxy,[],[],,AC-3,mitigates,7 +419,,T1090.003,Multi-hop 
Proxy,[],[],,AC-3,mitigates,7 +420,,T1091,Replication Through Removable Media,[],[],,AC-3,mitigates,7 +421,,T1095,Non-Application Layer Protocol,[],[],,AC-3,mitigates,7 +422,,T1098,Account Manipulation,[],[],,AC-3,mitigates,7 +423,,T1098.001,Additional Cloud Credentials,[],[],,AC-3,mitigates,7 +424,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-3,mitigates,7 +425,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-3,mitigates,7 +426,,T1098.004,SSH Authorized Keys,[],[],,AC-3,mitigates,7 +427,,T1110,Brute Force,[],[],,AC-3,mitigates,7 +428,,T1110.001,Password Guessing,[],[],,AC-3,mitigates,7 +429,,T1110.002,Password Cracking,[],[],,AC-3,mitigates,7 +430,,T1110.003,Password Spraying,[],[],,AC-3,mitigates,7 +431,,T1110.004,Credential Stuffing,[],[],,AC-3,mitigates,7 +432,,T1114,Email Collection,[],[],,AC-3,mitigates,7 +433,,T1114.002,Remote Email Collection,[],[],,AC-3,mitigates,7 +434,,T1133,External Remote Services,[],[],,AC-3,mitigates,7 +435,,T1134,Access Token Manipulation,[],[],,AC-3,mitigates,7 +436,,T1134.001,Token Impersonation/Theft,[],[],,AC-3,mitigates,7 +437,,T1134.002,Create Process with Token,[],[],,AC-3,mitigates,7 +438,,T1134.003,Make and Impersonate Token,[],[],,AC-3,mitigates,7 +439,,T1134.005,SID-History Injection,[],[],,AC-3,mitigates,7 +440,,T1136,Create Account,[],[],,AC-3,mitigates,7 +441,,T1136.001,Local Account,[],[],,AC-3,mitigates,7 +442,,T1136.002,Domain Account,[],[],,AC-3,mitigates,7 +443,,T1136.003,Cloud Account,[],[],,AC-3,mitigates,7 +444,,T1185,Man in the Browser,[],[],,AC-3,mitigates,7 +445,,T1187,Forced Authentication,[],[],,AC-3,mitigates,7 +446,,T1190,Exploit Public-Facing Application,[],[],,AC-3,mitigates,7 +447,,T1197,BITS Jobs,[],[],,AC-3,mitigates,7 +448,,T1199,Trusted Relationship,[],[],,AC-3,mitigates,7 +449,,T1200,Hardware Additions,[],[],,AC-3,mitigates,7 +450,,T1204,User Execution,[],[],,AC-3,mitigates,7 +451,,T1204.001,Malicious Link,[],[],,AC-3,mitigates,7 +452,,T1204.002,Malicious 
File,[],[],,AC-3,mitigates,7 +453,,T1205,Traffic Signaling,[],[],,AC-3,mitigates,7 +454,,T1205.001,Port Knocking,[],[],,AC-3,mitigates,7 +455,,T1210,Exploitation of Remote Services,[],[],,AC-3,mitigates,7 +456,,T1213,Data from Information Repositories,[],[],,AC-3,mitigates,7 +457,,T1213.001,Confluence,[],[],,AC-3,mitigates,7 +458,,T1213.002,Sharepoint,[],[],,AC-3,mitigates,7 +459,,T1218,Signed Binary Proxy Execution,[],[],,AC-3,mitigates,7 +460,,T1218.002,Control Panel,[],[],,AC-3,mitigates,7 +461,,T1218.007,Msiexec,[],[],,AC-3,mitigates,7 +462,,T1218.012,Verclsid,[],[],,AC-3,mitigates,7 +463,,T1219,Remote Access Software,[],[],,AC-3,mitigates,7 +464,,T1222,File and Directory Permissions Modification,[],[],,AC-3,mitigates,7 +465,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-3,mitigates,7 +466,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-3,mitigates,7 +467,,T1484,Domain Policy Modification,[],[],,AC-3,mitigates,7 +468,,T1485,Data Destruction,[],[],,AC-3,mitigates,7 +469,,T1486,Data Encrypted for Impact,[],[],,AC-3,mitigates,7 +470,,T1489,Service Stop,[],[],,AC-3,mitigates,7 +471,,T1490,Inhibit System Recovery,[],[],,AC-3,mitigates,7 +472,,T1491,Defacement,[],[],,AC-3,mitigates,7 +473,,T1491.001,Internal Defacement,[],[],,AC-3,mitigates,7 +474,,T1491.002,External Defacement,[],[],,AC-3,mitigates,7 +475,,T1495,Firmware Corruption,[],[],,AC-3,mitigates,7 +476,,T1498,Network Denial of Service,[],[],,AC-3,mitigates,7 +477,,T1498.001,Direct Network Flood,[],[],,AC-3,mitigates,7 +478,,T1498.002,Reflection Amplification,[],[],,AC-3,mitigates,7 +479,,T1499,Endpoint Denial of Service,[],[],,AC-3,mitigates,7 +480,,T1499.001,OS Exhaustion Flood,[],[],,AC-3,mitigates,7 +481,,T1499.002,Service Exhaustion Flood,[],[],,AC-3,mitigates,7 +482,,T1499.003,Application Exhaustion Flood,[],[],,AC-3,mitigates,7 +483,,T1499.004,Application or System Exploitation,[],[],,AC-3,mitigates,7 +484,,T1505,Server Software 
Component,[],[],,AC-3,mitigates,7 +485,,T1505.001,SQL Stored Procedures,[],[],,AC-3,mitigates,7 +486,,T1505.002,Transport Agent,[],[],,AC-3,mitigates,7 +487,,T1525,Implant Container Image,[],[],,AC-3,mitigates,7 +488,,T1528,Steal Application Access Token,[],[],,AC-3,mitigates,7 +489,,T1530,Data from Cloud Storage Object,[],[],,AC-3,mitigates,7 +490,,T1537,Transfer Data to Cloud Account,[],[],,AC-3,mitigates,7 +491,,T1538,Cloud Service Dashboard,[],[],,AC-3,mitigates,7 +492,,T1539,Steal Web Session Cookie,[],[],,AC-3,mitigates,7 +493,,T1542,Pre-OS Boot,[],[],,AC-3,mitigates,7 +494,,T1542.001,System Firmware,[],[],,AC-3,mitigates,7 +495,,T1542.003,Bootkit,[],[],,AC-3,mitigates,7 +496,,T1542.004,ROMMONkit,[],[],,AC-3,mitigates,7 +497,,T1542.005,TFTP Boot,[],[],,AC-3,mitigates,7 +498,,T1543,Create or Modify System Process,[],[],,AC-3,mitigates,7 +499,,T1543.001,Launch Agent,[],[],,AC-3,mitigates,7 +500,,T1543.002,Systemd Service,[],[],,AC-3,mitigates,7 +501,,T1543.003,Windows Service,[],[],,AC-3,mitigates,7 +502,,T1543.004,Launch Daemon,[],[],,AC-3,mitigates,7 +503,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-3,mitigates,7 +504,,T1546.004,.bash_profile and .bashrc,[],[],,AC-3,mitigates,7 +505,,T1546.013,PowerShell Profile,[],[],,AC-3,mitigates,7 +506,,T1547.003,Time Providers,[],[],,AC-3,mitigates,7 +507,,T1547.004,Winlogon Helper DLL,[],[],,AC-3,mitigates,7 +508,,T1547.006,Kernel Modules and Extensions,[],[],,AC-3,mitigates,7 +509,,T1547.007,Re-opened Applications,[],[],,AC-3,mitigates,7 +510,,T1547.009,Shortcut Modification,[],[],,AC-3,mitigates,7 +511,,T1547.011,Plist Modification,[],[],,AC-3,mitigates,7 +512,,T1547.012,Print Processors,[],[],,AC-3,mitigates,7 +513,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-3,mitigates,7 +514,,T1548.002,Bypass User Account Control,[],[],,AC-3,mitigates,7 +515,,T1548.003,Sudo and Sudo Caching,[],[],,AC-3,mitigates,7 +516,,T1550,Use Alternate Authentication Material,[],[],,AC-3,mitigates,7 
+517,,T1550.002,Pass the Hash,[],[],,AC-3,mitigates,7 +518,,T1550.003,Pass the Ticket,[],[],,AC-3,mitigates,7 +519,,T1552,Unsecured Credentials,[],[],,AC-3,mitigates,7 +520,,T1552.002,Credentials in Registry,[],[],,AC-3,mitigates,7 +521,,T1552.005,Cloud Instance Metadata API,[],[],,AC-3,mitigates,7 +522,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-3,mitigates,7 +523,,T1556,Modify Authentication Process,[],[],,AC-3,mitigates,7 +524,,T1556.001,Domain Controller Authentication,[],[],,AC-3,mitigates,7 +525,,T1556.003,Pluggable Authentication Modules,[],[],,AC-3,mitigates,7 +526,,T1556.004,Network Device Authentication,[],[],,AC-3,mitigates,7 +527,,T1557,Man-in-the-Middle,[],[],,AC-3,mitigates,7 +528,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-3,mitigates,7 +529,,T1557.002,ARP Cache Poisoning,[],[],,AC-3,mitigates,7 +530,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-3,mitigates,7 +531,,T1558.001,Golden Ticket,[],[],,AC-3,mitigates,7 +532,,T1558.002,Silver Ticket,[],[],,AC-3,mitigates,7 +533,,T1558.003,Kerberoasting,[],[],,AC-3,mitigates,7 +534,,T1558.004,AS-REP Roasting,[],[],,AC-3,mitigates,7 +535,,T1559,Inter-Process Communication,[],[],,AC-3,mitigates,7 +536,,T1559.001,Component Object Model,[],[],,AC-3,mitigates,7 +537,,T1561,Disk Wipe,[],[],,AC-3,mitigates,7 +538,,T1561.001,Disk Content Wipe,[],[],,AC-3,mitigates,7 +539,,T1561.002,Disk Structure Wipe,[],[],,AC-3,mitigates,7 +540,,T1562,Impair Defenses,[],[],,AC-3,mitigates,7 +541,,T1562.001,Disable or Modify Tools,[],[],,AC-3,mitigates,7 +542,,T1562.002,Disable Windows Event Logging,[],[],,AC-3,mitigates,7 +543,,T1562.004,Disable or Modify System Firewall,[],[],,AC-3,mitigates,7 +544,,T1562.006,Indicator Blocking,[],[],,AC-3,mitigates,7 +545,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-3,mitigates,7 +546,,T1562.008,Disable Cloud Logs,[],[],,AC-3,mitigates,7 +547,,T1563,Remote Service Session Hijacking,[],[],,AC-3,mitigates,7 +548,,T1563.001,SSH Hijacking,[],[],,AC-3,mitigates,7 
+549,,T1563.002,RDP Hijacking,[],[],,AC-3,mitigates,7 +550,,T1564.004,NTFS File Attributes,[],[],,AC-3,mitigates,7 +551,,T1565,Data Manipulation,[],[],,AC-3,mitigates,7 +552,,T1565.001,Stored Data Manipulation,[],[],,AC-3,mitigates,7 +553,,T1565.003,Runtime Data Manipulation,[],[],,AC-3,mitigates,7 +554,,T1569,System Services,[],[],,AC-3,mitigates,7 +555,,T1569.001,Launchctl,[],[],,AC-3,mitigates,7 +556,,T1569.002,Service Execution,[],[],,AC-3,mitigates,7 +557,,T1570,Lateral Tool Transfer,[],[],,AC-3,mitigates,7 +558,,T1572,Protocol Tunneling,[],[],,AC-3,mitigates,7 +559,,T1574,Hijack Execution Flow,[],[],,AC-3,mitigates,7 +560,,T1574.002,DLL Side-Loading,[],[],,AC-3,mitigates,7 +561,,T1574.004,Dylib Hijacking,[],[],,AC-3,mitigates,7 +562,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-3,mitigates,7 +563,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-3,mitigates,7 +564,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-3,mitigates,7 +565,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-3,mitigates,7 +566,,T1574.010,Services File Permissions Weakness,[],[],,AC-3,mitigates,7 +567,,T1574.012,COR_PROFILER,[],[],,AC-3,mitigates,7 +568,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-3,mitigates,7 +569,,T1578.001,Create Snapshot,[],[],,AC-3,mitigates,7 +570,,T1578.002,Create Cloud Instance,[],[],,AC-3,mitigates,7 +571,,T1578.003,Delete Cloud Instance,[],[],,AC-3,mitigates,7 +572,,T1580,Cloud Infrastructure Discovery,[],[],,AC-3,mitigates,7 +573,,T1599,Network Boundary Bridging,[],[],,AC-3,mitigates,7 +574,,T1599.001,Network Address Translation Traversal,[],[],,AC-3,mitigates,7 +575,,T1601,Modify System Image,[],[],,AC-3,mitigates,7 +576,,T1601.001,Patch System Image,[],[],,AC-3,mitigates,7 +577,,T1601.002,Downgrade System Image,[],[],,AC-3,mitigates,7 +578,,T1602,Data from Configuration Repository,[],[],,AC-3,mitigates,7 +579,,T1602.001,SNMP (MIB Dump),[],[],,AC-3,mitigates,7 +580,,T1602.002,Network Device 
Configuration Dump,[],[],,AC-3,mitigates,7 +581,,T1001,Data Obfuscation,[],[],,AC-4,mitigates,7 +582,,T1001.001,Junk Data,[],[],,AC-4,mitigates,7 +583,,T1001.002,Steganography,[],[],,AC-4,mitigates,7 +584,,T1001.003,Protocol Impersonation,[],[],,AC-4,mitigates,7 +585,,T1003,OS Credential Dumping,[],[],,AC-4,mitigates,7 +586,,T1003.001,LSASS Memory,[],[],,AC-4,mitigates,7 +587,,T1003.005,Cached Domain Credentials,[],[],,AC-4,mitigates,7 +588,,T1003.006,DCSync,[],[],,AC-4,mitigates,7 +589,,T1008,Fallback Channels,[],[],,AC-4,mitigates,7 +590,,T1021.001,Remote Desktop Protocol,[],[],,AC-4,mitigates,7 +591,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-4,mitigates,7 +592,,T1021.003,Distributed Component Object Model,[],[],,AC-4,mitigates,7 +593,,T1021.005,VNC,[],[],,AC-4,mitigates,7 +594,,T1021.006,Windows Remote Management,[],[],,AC-4,mitigates,7 +595,,T1029,Scheduled Transfer,[],[],,AC-4,mitigates,7 +596,,T1030,Data Transfer Size Limits,[],[],,AC-4,mitigates,7 +597,,T1041,Exfiltration Over C2 Channel,[],[],,AC-4,mitigates,7 +598,,T1046,Network Service Scanning,[],[],,AC-4,mitigates,7 +599,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-4,mitigates,7 +600,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,7 +601,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,7 +602,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-4,mitigates,7 +603,,T1068,Exploitation for Privilege Escalation,[],[],,AC-4,mitigates,7 +604,,T1071,Application Layer Protocol,[],[],,AC-4,mitigates,7 +605,,T1071.001,Web Protocols,[],[],,AC-4,mitigates,7 +606,,T1071.002,File Transfer Protocols,[],[],,AC-4,mitigates,7 +607,,T1071.003,Mail Protocols,[],[],,AC-4,mitigates,7 +608,,T1071.004,DNS,[],[],,AC-4,mitigates,7 +609,,T1072,Software Deployment Tools,[],[],,AC-4,mitigates,7 +610,,T1090,Proxy,[],[],,AC-4,mitigates,7 +611,,T1090.001,Internal Proxy,[],[],,AC-4,mitigates,7 +612,,T1090.002,External 
Proxy,[],[],,AC-4,mitigates,7 +613,,T1090.003,Multi-hop Proxy,[],[],,AC-4,mitigates,7 +614,,T1095,Non-Application Layer Protocol,[],[],,AC-4,mitigates,7 +615,,T1098,Account Manipulation,[],[],,AC-4,mitigates,7 +616,,T1098.001,Additional Cloud Credentials,[],[],,AC-4,mitigates,7 +617,,T1102,Web Service,[],[],,AC-4,mitigates,7 +618,,T1102.001,Dead Drop Resolver,[],[],,AC-4,mitigates,7 +619,,T1102.002,Bidirectional Communication,[],[],,AC-4,mitigates,7 +620,,T1102.003,One-Way Communication,[],[],,AC-4,mitigates,7 +621,,T1104,Multi-Stage Channels,[],[],,AC-4,mitigates,7 +622,,T1105,Ingress Tool Transfer,[],[],,AC-4,mitigates,7 +623,,T1114,Email Collection,[],[],,AC-4,mitigates,7 +624,,T1114.001,Local Email Collection,[],[],,AC-4,mitigates,7 +625,,T1114.002,Remote Email Collection,[],[],,AC-4,mitigates,7 +626,,T1114.003,Email Forwarding Rule,[],[],,AC-4,mitigates,7 +627,,T1132,Data Encoding,[],[],,AC-4,mitigates,7 +628,,T1132.001,Standard Encoding,[],[],,AC-4,mitigates,7 +629,,T1132.002,Non-Standard Encoding,[],[],,AC-4,mitigates,7 +630,,T1133,External Remote Services,[],[],,AC-4,mitigates,7 +631,,T1134.005,SID-History Injection,[],[],,AC-4,mitigates,7 +632,,T1136,Create Account,[],[],,AC-4,mitigates,7 +633,,T1136.002,Domain Account,[],[],,AC-4,mitigates,7 +634,,T1136.003,Cloud Account,[],[],,AC-4,mitigates,7 +635,,T1187,Forced Authentication,[],[],,AC-4,mitigates,7 +636,,T1189,Drive-by Compromise,[],[],,AC-4,mitigates,7 +637,,T1190,Exploit Public-Facing Application,[],[],,AC-4,mitigates,7 +638,,T1197,BITS Jobs,[],[],,AC-4,mitigates,7 +639,,T1199,Trusted Relationship,[],[],,AC-4,mitigates,7 +640,,T1203,Exploitation for Client Execution,[],[],,AC-4,mitigates,7 +641,,T1204,User Execution,[],[],,AC-4,mitigates,7 +642,,T1204.001,Malicious Link,[],[],,AC-4,mitigates,7 +643,,T1204.002,Malicious File,[],[],,AC-4,mitigates,7 +644,,T1205,Traffic Signaling,[],[],,AC-4,mitigates,7 +645,,T1205.001,Port Knocking,[],[],,AC-4,mitigates,7 +646,,T1210,Exploitation of Remote 
Services,[],[],,AC-4,mitigates,7 +647,,T1211,Exploitation for Defense Evasion,[],[],,AC-4,mitigates,7 +648,,T1212,Exploitation for Credential Access,[],[],,AC-4,mitigates,7 +649,,T1218.012,Verclsid,[],[],,AC-4,mitigates,7 +650,,T1219,Remote Access Software,[],[],,AC-4,mitigates,7 +651,,T1482,Domain Trust Discovery,[],[],,AC-4,mitigates,7 +652,,T1484,Domain Policy Modification,[],[],,AC-4,mitigates,7 +653,,T1489,Service Stop,[],[],,AC-4,mitigates,7 +654,,T1498,Network Denial of Service,[],[],,AC-4,mitigates,7 +655,,T1498.001,Direct Network Flood,[],[],,AC-4,mitigates,7 +656,,T1498.002,Reflection Amplification,[],[],,AC-4,mitigates,7 +657,,T1499,Endpoint Denial of Service,[],[],,AC-4,mitigates,7 +658,,T1499.001,OS Exhaustion Flood,[],[],,AC-4,mitigates,7 +659,,T1499.002,Service Exhaustion Flood,[],[],,AC-4,mitigates,7 +660,,T1499.003,Application Exhaustion Flood,[],[],,AC-4,mitigates,7 +661,,T1499.004,Application or System Exploitation,[],[],,AC-4,mitigates,7 +662,,T1528,Steal Application Access Token,[],[],,AC-4,mitigates,7 +663,,T1530,Data from Cloud Storage Object,[],[],,AC-4,mitigates,7 +664,,T1537,Transfer Data to Cloud Account,[],[],,AC-4,mitigates,7 +665,,T1547.003,Time Providers,[],[],,AC-4,mitigates,7 +666,,T1552,Unsecured Credentials,[],[],,AC-4,mitigates,7 +667,,T1552.001,Credentials In Files,[],[],,AC-4,mitigates,7 +668,,T1552.005,Cloud Instance Metadata API,[],[],,AC-4,mitigates,7 +669,,T1557,Man-in-the-Middle,[],[],,AC-4,mitigates,7 +670,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-4,mitigates,7 +671,,T1557.002,ARP Cache Poisoning,[],[],,AC-4,mitigates,7 +672,,T1559,Inter-Process Communication,[],[],,AC-4,mitigates,7 +673,,T1559.001,Component Object Model,[],[],,AC-4,mitigates,7 +674,,T1559.002,Dynamic Data Exchange,[],[],,AC-4,mitigates,7 +675,,T1563,Remote Service Session Hijacking,[],[],,AC-4,mitigates,7 +676,,T1563.002,RDP Hijacking,[],[],,AC-4,mitigates,7 +677,,T1565,Data Manipulation,[],[],,AC-4,mitigates,7 +678,,T1565.003,Runtime 
Data Manipulation,[],[],,AC-4,mitigates,7 +679,,T1566,Phishing,[],[],,AC-4,mitigates,7 +680,,T1566.001,Spearphishing Attachment,[],[],,AC-4,mitigates,7 +681,,T1566.002,Spearphishing Link,[],[],,AC-4,mitigates,7 +682,,T1566.003,Spearphishing via Service,[],[],,AC-4,mitigates,7 +683,,T1567,Exfiltration Over Web Service,[],[],,AC-4,mitigates,7 +684,,T1567.001,Exfiltration to Code Repository,[],[],,AC-4,mitigates,7 +685,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-4,mitigates,7 +686,,T1568,Dynamic Resolution,[],[],,AC-4,mitigates,7 +687,,T1568.002,Domain Generation Algorithms,[],[],,AC-4,mitigates,7 +688,,T1570,Lateral Tool Transfer,[],[],,AC-4,mitigates,7 +689,,T1571,Non-Standard Port,[],[],,AC-4,mitigates,7 +690,,T1572,Protocol Tunneling,[],[],,AC-4,mitigates,7 +691,,T1573,Encrypted Channel,[],[],,AC-4,mitigates,7 +692,,T1573.001,Symmetric Cryptography,[],[],,AC-4,mitigates,7 +693,,T1573.002,Asymmetric Cryptography,[],[],,AC-4,mitigates,7 +694,,T1574,Hijack Execution Flow,[],[],,AC-4,mitigates,7 +695,,T1574.002,DLL Side-Loading,[],[],,AC-4,mitigates,7 +696,,T1574.004,Dylib Hijacking,[],[],,AC-4,mitigates,7 +697,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-4,mitigates,7 +698,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-4,mitigates,7 +699,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-4,mitigates,7 +700,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-4,mitigates,7 +701,,T1574.010,Services File Permissions Weakness,[],[],,AC-4,mitigates,7 +702,,T1598,Phishing for Information,[],[],,AC-4,mitigates,7 +703,,T1598.001,Spearphishing Service,[],[],,AC-4,mitigates,7 +704,,T1598.002,Spearphishing Attachment,[],[],,AC-4,mitigates,7 +705,,T1598.003,Spearphishing Link,[],[],,AC-4,mitigates,7 +706,,T1599,Network Boundary Bridging,[],[],,AC-4,mitigates,7 +707,,T1599.001,Network Address Translation Traversal,[],[],,AC-4,mitigates,7 +708,,T1601,Modify System Image,[],[],,AC-4,mitigates,7 
+709,,T1601.001,Patch System Image,[],[],,AC-4,mitigates,7 +710,,T1601.002,Downgrade System Image,[],[],,AC-4,mitigates,7 +711,,T1602,Data from Configuration Repository,[],[],,AC-4,mitigates,7 +712,,T1602.001,SNMP (MIB Dump),[],[],,AC-4,mitigates,7 +713,,T1602.002,Network Device Configuration Dump,[],[],,AC-4,mitigates,7 +714,,T1003,OS Credential Dumping,[],[],,AC-5,mitigates,7 +715,,T1003.001,LSASS Memory,[],[],,AC-5,mitigates,7 +716,,T1003.002,Security Account Manager,[],[],,AC-5,mitigates,7 +717,,T1003.003,NTDS,[],[],,AC-5,mitigates,7 +718,,T1003.004,LSA Secrets,[],[],,AC-5,mitigates,7 +719,,T1003.005,Cached Domain Credentials,[],[],,AC-5,mitigates,7 +720,,T1003.006,DCSync,[],[],,AC-5,mitigates,7 +721,,T1003.007,Proc Filesystem,[],[],,AC-5,mitigates,7 +722,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-5,mitigates,7 +723,,T1021,Remote Services,[],[],,AC-5,mitigates,7 +724,,T1021.001,Remote Desktop Protocol,[],[],,AC-5,mitigates,7 +725,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-5,mitigates,7 +726,,T1021.003,Distributed Component Object Model,[],[],,AC-5,mitigates,7 +727,,T1021.004,SSH,[],[],,AC-5,mitigates,7 +728,,T1021.006,Windows Remote Management,[],[],,AC-5,mitigates,7 +729,,T1047,Windows Management Instrumentation,[],[],,AC-5,mitigates,7 +730,,T1053,Scheduled Task/Job,[],[],,AC-5,mitigates,7 +731,,T1053.001,At (Linux),[],[],,AC-5,mitigates,7 +732,,T1053.002,At (Windows),[],[],,AC-5,mitigates,7 +733,,T1053.003,Cron,[],[],,AC-5,mitigates,7 +734,,T1053.004,Launchd,[],[],,AC-5,mitigates,7 +735,,T1053.005,Scheduled Task,[],[],,AC-5,mitigates,7 +736,,T1053.006,Systemd Timers,[],[],,AC-5,mitigates,7 +737,,T1055,Process Injection,[],[],,AC-5,mitigates,7 +738,,T1055.008,Ptrace System Calls,[],[],,AC-5,mitigates,7 +739,,T1056.003,Web Portal Capture,[],[],,AC-5,mitigates,7 +740,,T1059,Command and Scripting Interpreter,[],[],,AC-5,mitigates,7 +741,,T1059.001,PowerShell,[],[],,AC-5,mitigates,7 +742,,T1059.008,Network Device CLI,[],[],,AC-5,mitigates,7 
+743,,T1070,Indicator Removal on Host,[],[],,AC-5,mitigates,7 +744,,T1070.001,Clear Windows Event Logs,[],[],,AC-5,mitigates,7 +745,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-5,mitigates,7 +746,,T1070.003,Clear Command History,[],[],,AC-5,mitigates,7 +747,,T1072,Software Deployment Tools,[],[],,AC-5,mitigates,7 +748,,T1078,Valid Accounts,[],[],,AC-5,mitigates,7 +749,,T1078.001,Default Accounts,[],[],,AC-5,mitigates,7 +750,,T1078.002,Domain Accounts,[],[],,AC-5,mitigates,7 +751,,T1078.003,Local Accounts,[],[],,AC-5,mitigates,7 +752,,T1078.004,Cloud Accounts,[],[],,AC-5,mitigates,7 +753,,T1087.004,Cloud Account,[],[],,AC-5,mitigates,7 +754,,T1098,Account Manipulation,[],[],,AC-5,mitigates,7 +755,,T1098.001,Additional Cloud Credentials,[],[],,AC-5,mitigates,7 +756,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-5,mitigates,7 +757,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-5,mitigates,7 +758,,T1110,Brute Force,[],[],,AC-5,mitigates,7 +759,,T1110.001,Password Guessing,[],[],,AC-5,mitigates,7 +760,,T1110.002,Password Cracking,[],[],,AC-5,mitigates,7 +761,,T1110.003,Password Spraying,[],[],,AC-5,mitigates,7 +762,,T1110.004,Credential Stuffing,[],[],,AC-5,mitigates,7 +763,,T1134,Access Token Manipulation,[],[],,AC-5,mitigates,7 +764,,T1134.001,Token Impersonation/Theft,[],[],,AC-5,mitigates,7 +765,,T1134.002,Create Process with Token,[],[],,AC-5,mitigates,7 +766,,T1134.003,Make and Impersonate Token,[],[],,AC-5,mitigates,7 +767,,T1134.005,SID-History Injection,[],[],,AC-5,mitigates,7 +768,,T1136,Create Account,[],[],,AC-5,mitigates,7 +769,,T1136.001,Local Account,[],[],,AC-5,mitigates,7 +770,,T1136.002,Domain Account,[],[],,AC-5,mitigates,7 +771,,T1136.003,Cloud Account,[],[],,AC-5,mitigates,7 +772,,T1185,Man in the Browser,[],[],,AC-5,mitigates,7 +773,,T1190,Exploit Public-Facing Application,[],[],,AC-5,mitigates,7 +774,,T1197,BITS Jobs,[],[],,AC-5,mitigates,7 +775,,T1210,Exploitation of Remote Services,[],[],,AC-5,mitigates,7 
+776,,T1213,Data from Information Repositories,[],[],,AC-5,mitigates,7 +777,,T1213.001,Confluence,[],[],,AC-5,mitigates,7 +778,,T1213.002,Sharepoint,[],[],,AC-5,mitigates,7 +779,,T1218,Signed Binary Proxy Execution,[],[],,AC-5,mitigates,7 +780,,T1218.007,Msiexec,[],[],,AC-5,mitigates,7 +781,,T1222,File and Directory Permissions Modification,[],[],,AC-5,mitigates,7 +782,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-5,mitigates,7 +783,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-5,mitigates,7 +784,,T1484,Domain Policy Modification,[],[],,AC-5,mitigates,7 +785,,T1489,Service Stop,[],[],,AC-5,mitigates,7 +786,,T1495,Firmware Corruption,[],[],,AC-5,mitigates,7 +787,,T1505,Server Software Component,[],[],,AC-5,mitigates,7 +788,,T1505.001,SQL Stored Procedures,[],[],,AC-5,mitigates,7 +789,,T1505.002,Transport Agent,[],[],,AC-5,mitigates,7 +790,,T1525,Implant Container Image,[],[],,AC-5,mitigates,7 +791,,T1528,Steal Application Access Token,[],[],,AC-5,mitigates,7 +792,,T1530,Data from Cloud Storage Object,[],[],,AC-5,mitigates,7 +793,,T1537,Transfer Data to Cloud Account,[],[],,AC-5,mitigates,7 +794,,T1538,Cloud Service Dashboard,[],[],,AC-5,mitigates,7 +795,,T1542,Pre-OS Boot,[],[],,AC-5,mitigates,7 +796,,T1542.001,System Firmware,[],[],,AC-5,mitigates,7 +797,,T1542.003,Bootkit,[],[],,AC-5,mitigates,7 +798,,T1542.005,TFTP Boot,[],[],,AC-5,mitigates,7 +799,,T1543,Create or Modify System Process,[],[],,AC-5,mitigates,7 +800,,T1543.001,Launch Agent,[],[],,AC-5,mitigates,7 +801,,T1543.002,Systemd Service,[],[],,AC-5,mitigates,7 +802,,T1543.003,Windows Service,[],[],,AC-5,mitigates,7 +803,,T1543.004,Launch Daemon,[],[],,AC-5,mitigates,7 +804,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-5,mitigates,7 +805,,T1547.004,Winlogon Helper DLL,[],[],,AC-5,mitigates,7 +806,,T1547.006,Kernel Modules and Extensions,[],[],,AC-5,mitigates,7 +807,,T1547.009,Shortcut 
Modification,[],[],,AC-5,mitigates,7 +808,,T1547.012,Print Processors,[],[],,AC-5,mitigates,7 +809,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-5,mitigates,7 +810,,T1548.002,Bypass User Account Control,[],[],,AC-5,mitigates,7 +811,,T1548.003,Sudo and Sudo Caching,[],[],,AC-5,mitigates,7 +812,,T1550,Use Alternate Authentication Material,[],[],,AC-5,mitigates,7 +813,,T1550.002,Pass the Hash,[],[],,AC-5,mitigates,7 +814,,T1550.003,Pass the Ticket,[],[],,AC-5,mitigates,7 +815,,T1552,Unsecured Credentials,[],[],,AC-5,mitigates,7 +816,,T1552.001,Credentials In Files,[],[],,AC-5,mitigates,7 +817,,T1552.002,Credentials in Registry,[],[],,AC-5,mitigates,7 +818,,T1552.006,Group Policy Preferences,[],[],,AC-5,mitigates,7 +819,,T1556,Modify Authentication Process,[],[],,AC-5,mitigates,7 +820,,T1556.001,Domain Controller Authentication,[],[],,AC-5,mitigates,7 +821,,T1556.003,Pluggable Authentication Modules,[],[],,AC-5,mitigates,7 +822,,T1556.004,Network Device Authentication,[],[],,AC-5,mitigates,7 +823,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-5,mitigates,7 +824,,T1558.001,Golden Ticket,[],[],,AC-5,mitigates,7 +825,,T1558.002,Silver Ticket,[],[],,AC-5,mitigates,7 +826,,T1558.003,Kerberoasting,[],[],,AC-5,mitigates,7 +827,,T1559,Inter-Process Communication,[],[],,AC-5,mitigates,7 +828,,T1559.001,Component Object Model,[],[],,AC-5,mitigates,7 +829,,T1562,Impair Defenses,[],[],,AC-5,mitigates,7 +830,,T1562.001,Disable or Modify Tools,[],[],,AC-5,mitigates,7 +831,,T1562.002,Disable Windows Event Logging,[],[],,AC-5,mitigates,7 +832,,T1562.004,Disable or Modify System Firewall,[],[],,AC-5,mitigates,7 +833,,T1562.006,Indicator Blocking,[],[],,AC-5,mitigates,7 +834,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-5,mitigates,7 +835,,T1562.008,Disable Cloud Logs,[],[],,AC-5,mitigates,7 +836,,T1563,Remote Service Session Hijacking,[],[],,AC-5,mitigates,7 +837,,T1563.001,SSH Hijacking,[],[],,AC-5,mitigates,7 +838,,T1563.002,RDP Hijacking,[],[],,AC-5,mitigates,7 
+839,,T1569,System Services,[],[],,AC-5,mitigates,7 +840,,T1569.001,Launchctl,[],[],,AC-5,mitigates,7 +841,,T1569.002,Service Execution,[],[],,AC-5,mitigates,7 +842,,T1574,Hijack Execution Flow,[],[],,AC-5,mitigates,7 +843,,T1574.002,DLL Side-Loading,[],[],,AC-5,mitigates,7 +844,,T1574.004,Dylib Hijacking,[],[],,AC-5,mitigates,7 +845,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-5,mitigates,7 +846,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-5,mitigates,7 +847,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-5,mitigates,7 +848,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-5,mitigates,7 +849,,T1574.010,Services File Permissions Weakness,[],[],,AC-5,mitigates,7 +850,,T1574.012,COR_PROFILER,[],[],,AC-5,mitigates,7 +851,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-5,mitigates,7 +852,,T1578.001,Create Snapshot,[],[],,AC-5,mitigates,7 +853,,T1578.002,Create Cloud Instance,[],[],,AC-5,mitigates,7 +854,,T1578.003,Delete Cloud Instance,[],[],,AC-5,mitigates,7 +855,,T1580,Cloud Infrastructure Discovery,[],[],,AC-5,mitigates,7 +856,,T1599,Network Boundary Bridging,[],[],,AC-5,mitigates,7 +857,,T1599.001,Network Address Translation Traversal,[],[],,AC-5,mitigates,7 +858,,T1601,Modify System Image,[],[],,AC-5,mitigates,7 +859,,T1601.001,Patch System Image,[],[],,AC-5,mitigates,7 +860,,T1601.002,Downgrade System Image,[],[],,AC-5,mitigates,7 +861,,T1003,OS Credential Dumping,[],[],,AC-6,mitigates,7 +862,,T1003.001,LSASS Memory,[],[],,AC-6,mitigates,7 +863,,T1003.002,Security Account Manager,[],[],,AC-6,mitigates,7 +864,,T1003.003,NTDS,[],[],,AC-6,mitigates,7 +865,,T1003.004,LSA Secrets,[],[],,AC-6,mitigates,7 +866,,T1003.005,Cached Domain Credentials,[],[],,AC-6,mitigates,7 +867,,T1003.006,DCSync,[],[],,AC-6,mitigates,7 +868,,T1003.007,Proc Filesystem,[],[],,AC-6,mitigates,7 +869,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-6,mitigates,7 +870,,T1021,Remote Services,[],[],,AC-6,mitigates,7 
+871,,T1021.001,Remote Desktop Protocol,[],[],,AC-6,mitigates,7 +872,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-6,mitigates,7 +873,,T1021.003,Distributed Component Object Model,[],[],,AC-6,mitigates,7 +874,,T1021.004,SSH,[],[],,AC-6,mitigates,7 +875,,T1021.005,VNC,[],[],,AC-6,mitigates,7 +876,,T1021.006,Windows Remote Management,[],[],,AC-6,mitigates,7 +877,,T1036,Masquerading,[],[],,AC-6,mitigates,7 +878,,T1036.003,Rename System Utilities,[],[],,AC-6,mitigates,7 +879,,T1036.005,Match Legitimate Name or Location,[],[],,AC-6,mitigates,7 +880,,T1047,Windows Management Instrumentation,[],[],,AC-6,mitigates,7 +881,,T1052,Exfiltration Over Physical Medium,[],[],,AC-6,mitigates,7 +882,,T1052.001,Exfiltration over USB,[],[],,AC-6,mitigates,7 +883,,T1053,Scheduled Task/Job,[],[],,AC-6,mitigates,7 +884,,T1053.001,At (Linux),[],[],,AC-6,mitigates,7 +885,,T1053.002,At (Windows),[],[],,AC-6,mitigates,7 +886,,T1053.003,Cron,[],[],,AC-6,mitigates,7 +887,,T1053.004,Launchd,[],[],,AC-6,mitigates,7 +888,,T1053.005,Scheduled Task,[],[],,AC-6,mitigates,7 +889,,T1053.006,Systemd Timers,[],[],,AC-6,mitigates,7 +890,,T1055,Process Injection,[],[],,AC-6,mitigates,7 +891,,T1055.001,Dynamic-link Library Injection,[],[],,AC-6,mitigates,7 +892,,T1055.002,Portable Executable Injection,[],[],,AC-6,mitigates,7 +893,,T1055.003,Thread Execution Hijacking,[],[],,AC-6,mitigates,7 +894,,T1055.004,Asynchronous Procedure Call,[],[],,AC-6,mitigates,7 +895,,T1055.005,Thread Local Storage,[],[],,AC-6,mitigates,7 +896,,T1055.008,Ptrace System Calls,[],[],,AC-6,mitigates,7 +897,,T1055.009,Proc Memory,[],[],,AC-6,mitigates,7 +898,,T1055.011,Extra Window Memory Injection,[],[],,AC-6,mitigates,7 +899,,T1055.012,Process Hollowing,[],[],,AC-6,mitigates,7 +900,,T1055.013,Process Doppelgänging,[],[],,AC-6,mitigates,7 +901,,T1055.014,VDSO Hijacking,[],[],,AC-6,mitigates,7 +902,,T1056.003,Web Portal Capture,[],[],,AC-6,mitigates,7 +903,,T1059,Command and Scripting Interpreter,[],[],,AC-6,mitigates,7 
+904,,T1059.001,PowerShell,[],[],,AC-6,mitigates,7 +905,,T1059.006,Python,[],[],,AC-6,mitigates,7 +906,,T1059.008,Network Device CLI,[],[],,AC-6,mitigates,7 +907,,T1068,Exploitation for Privilege Escalation,[],[],,AC-6,mitigates,7 +908,,T1070,Indicator Removal on Host,[],[],,AC-6,mitigates,7 +909,,T1070.001,Clear Windows Event Logs,[],[],,AC-6,mitigates,7 +910,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-6,mitigates,7 +911,,T1070.003,Clear Command History,[],[],,AC-6,mitigates,7 +912,,T1072,Software Deployment Tools,[],[],,AC-6,mitigates,7 +913,,T1078,Valid Accounts,[],[],,AC-6,mitigates,7 +914,,T1078.001,Default Accounts,[],[],,AC-6,mitigates,7 +915,,T1078.002,Domain Accounts,[],[],,AC-6,mitigates,7 +916,,T1078.003,Local Accounts,[],[],,AC-6,mitigates,7 +917,,T1078.004,Cloud Accounts,[],[],,AC-6,mitigates,7 +918,,T1087.004,Cloud Account,[],[],,AC-6,mitigates,7 +919,,T1091,Replication Through Removable Media,[],[],,AC-6,mitigates,7 +920,,T1098,Account Manipulation,[],[],,AC-6,mitigates,7 +921,,T1098.001,Additional Cloud Credentials,[],[],,AC-6,mitigates,7 +922,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-6,mitigates,7 +923,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-6,mitigates,7 +924,,T1110,Brute Force,[],[],,AC-6,mitigates,7 +925,,T1110.001,Password Guessing,[],[],,AC-6,mitigates,7 +926,,T1110.002,Password Cracking,[],[],,AC-6,mitigates,7 +927,,T1110.003,Password Spraying,[],[],,AC-6,mitigates,7 +928,,T1110.004,Credential Stuffing,[],[],,AC-6,mitigates,7 +929,,T1112,Modify Registry,[],[],,AC-6,mitigates,7 +930,,T1133,External Remote Services,[],[],,AC-6,mitigates,7 +931,,T1134,Access Token Manipulation,[],[],,AC-6,mitigates,7 +932,,T1134.001,Token Impersonation/Theft,[],[],,AC-6,mitigates,7 +933,,T1134.002,Create Process with Token,[],[],,AC-6,mitigates,7 +934,,T1134.003,Make and Impersonate Token,[],[],,AC-6,mitigates,7 +935,,T1134.005,SID-History Injection,[],[],,AC-6,mitigates,7 +936,,T1136,Create 
Account,[],[],,AC-6,mitigates,7 +937,,T1136.001,Local Account,[],[],,AC-6,mitigates,7 +938,,T1136.002,Domain Account,[],[],,AC-6,mitigates,7 +939,,T1136.003,Cloud Account,[],[],,AC-6,mitigates,7 +940,,T1137.002,Office Test,[],[],,AC-6,mitigates,7 +941,,T1176,Browser Extensions,[],[],,AC-6,mitigates,7 +942,,T1185,Man in the Browser,[],[],,AC-6,mitigates,7 +943,,T1189,Drive-by Compromise,[],[],,AC-6,mitigates,7 +944,,T1190,Exploit Public-Facing Application,[],[],,AC-6,mitigates,7 +945,,T1197,BITS Jobs,[],[],,AC-6,mitigates,7 +946,,T1199,Trusted Relationship,[],[],,AC-6,mitigates,7 +947,,T1200,Hardware Additions,[],[],,AC-6,mitigates,7 +948,,T1203,Exploitation for Client Execution,[],[],,AC-6,mitigates,7 +949,,T1204,User Execution,[],[],,AC-6,mitigates,7 +950,,T1204.001,Malicious Link,[],[],,AC-6,mitigates,7 +951,,T1204.002,Malicious File,[],[],,AC-6,mitigates,7 +952,,T1210,Exploitation of Remote Services,[],[],,AC-6,mitigates,7 +953,,T1211,Exploitation for Defense Evasion,[],[],,AC-6,mitigates,7 +954,,T1212,Exploitation for Credential Access,[],[],,AC-6,mitigates,7 +955,,T1213,Data from Information Repositories,[],[],,AC-6,mitigates,7 +956,,T1213.001,Confluence,[],[],,AC-6,mitigates,7 +957,,T1213.002,Sharepoint,[],[],,AC-6,mitigates,7 +958,,T1218,Signed Binary Proxy Execution,[],[],,AC-6,mitigates,7 +959,,T1218.007,Msiexec,[],[],,AC-6,mitigates,7 +960,,T1222,File and Directory Permissions Modification,[],[],,AC-6,mitigates,7 +961,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-6,mitigates,7 +962,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-6,mitigates,7 +963,,T1484,Domain Policy Modification,[],[],,AC-6,mitigates,7 +964,,T1485,Data Destruction,[],[],,AC-6,mitigates,7 +965,,T1486,Data Encrypted for Impact,[],[],,AC-6,mitigates,7 +966,,T1489,Service Stop,[],[],,AC-6,mitigates,7 +967,,T1490,Inhibit System Recovery,[],[],,AC-6,mitigates,7 +968,,T1491,Defacement,[],[],,AC-6,mitigates,7 +969,,T1491.001,Internal 
Defacement,[],[],,AC-6,mitigates,7 +970,,T1491.002,External Defacement,[],[],,AC-6,mitigates,7 +971,,T1495,Firmware Corruption,[],[],,AC-6,mitigates,7 +972,,T1505,Server Software Component,[],[],,AC-6,mitigates,7 +973,,T1505.001,SQL Stored Procedures,[],[],,AC-6,mitigates,7 +974,,T1505.002,Transport Agent,[],[],,AC-6,mitigates,7 +975,,T1525,Implant Container Image,[],[],,AC-6,mitigates,7 +976,,T1528,Steal Application Access Token,[],[],,AC-6,mitigates,7 +977,,T1530,Data from Cloud Storage Object,[],[],,AC-6,mitigates,7 +978,,T1537,Transfer Data to Cloud Account,[],[],,AC-6,mitigates,7 +979,,T1538,Cloud Service Dashboard,[],[],,AC-6,mitigates,7 +980,,T1539,Steal Web Session Cookie,[],[],,AC-6,mitigates,7 +981,,T1542,Pre-OS Boot,[],[],,AC-6,mitigates,7 +982,,T1542.001,System Firmware,[],[],,AC-6,mitigates,7 +983,,T1542.003,Bootkit,[],[],,AC-6,mitigates,7 +984,,T1542.004,ROMMONkit,[],[],,AC-6,mitigates,7 +985,,T1542.005,TFTP Boot,[],[],,AC-6,mitigates,7 +986,,T1543,Create or Modify System Process,[],[],,AC-6,mitigates,7 +987,,T1543.001,Launch Agent,[],[],,AC-6,mitigates,7 +988,,T1543.002,Systemd Service,[],[],,AC-6,mitigates,7 +989,,T1543.003,Windows Service,[],[],,AC-6,mitigates,7 +990,,T1543.004,Launch Daemon,[],[],,AC-6,mitigates,7 +991,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-6,mitigates,7 +992,,T1546.004,.bash_profile and .bashrc,[],[],,AC-6,mitigates,7 +993,,T1546.011,Application Shimming,[],[],,AC-6,mitigates,7 +994,,T1546.013,PowerShell Profile,[],[],,AC-6,mitigates,7 +995,,T1547.004,Winlogon Helper DLL,[],[],,AC-6,mitigates,7 +996,,T1547.006,Kernel Modules and Extensions,[],[],,AC-6,mitigates,7 +997,,T1547.009,Shortcut Modification,[],[],,AC-6,mitigates,7 +998,,T1547.012,Print Processors,[],[],,AC-6,mitigates,7 +999,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-6,mitigates,7 +1000,,T1548.002,Bypass User Account Control,[],[],,AC-6,mitigates,7 +1001,,T1548.003,Sudo and Sudo Caching,[],[],,AC-6,mitigates,7 +1002,,T1550,Use 
Alternate Authentication Material,[],[],,AC-6,mitigates,7 +1003,,T1550.002,Pass the Hash,[],[],,AC-6,mitigates,7 +1004,,T1550.003,Pass the Ticket,[],[],,AC-6,mitigates,7 +1005,,T1552,Unsecured Credentials,[],[],,AC-6,mitigates,7 +1006,,T1552.001,Credentials In Files,[],[],,AC-6,mitigates,7 +1007,,T1552.002,Credentials in Registry,[],[],,AC-6,mitigates,7 +1008,,T1552.006,Group Policy Preferences,[],[],,AC-6,mitigates,7 +1009,,T1553,Subvert Trust Controls,[],[],,AC-6,mitigates,7 +1010,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-6,mitigates,7 +1011,,T1556,Modify Authentication Process,[],[],,AC-6,mitigates,7 +1012,,T1556.001,Domain Controller Authentication,[],[],,AC-6,mitigates,7 +1013,,T1556.003,Pluggable Authentication Modules,[],[],,AC-6,mitigates,7 +1014,,T1556.004,Network Device Authentication,[],[],,AC-6,mitigates,7 +1015,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-6,mitigates,7 +1016,,T1558.001,Golden Ticket,[],[],,AC-6,mitigates,7 +1017,,T1558.002,Silver Ticket,[],[],,AC-6,mitigates,7 +1018,,T1558.003,Kerberoasting,[],[],,AC-6,mitigates,7 +1019,,T1559,Inter-Process Communication,[],[],,AC-6,mitigates,7 +1020,,T1559.001,Component Object Model,[],[],,AC-6,mitigates,7 +1021,,T1559.002,Dynamic Data Exchange,[],[],,AC-6,mitigates,7 +1022,,T1561,Disk Wipe,[],[],,AC-6,mitigates,7 +1023,,T1561.001,Disk Content Wipe,[],[],,AC-6,mitigates,7 +1024,,T1561.002,Disk Structure Wipe,[],[],,AC-6,mitigates,7 +1025,,T1562,Impair Defenses,[],[],,AC-6,mitigates,7 +1026,,T1562.001,Disable or Modify Tools,[],[],,AC-6,mitigates,7 +1027,,T1562.002,Disable Windows Event Logging,[],[],,AC-6,mitigates,7 +1028,,T1562.004,Disable or Modify System Firewall,[],[],,AC-6,mitigates,7 +1029,,T1562.006,Indicator Blocking,[],[],,AC-6,mitigates,7 +1030,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-6,mitigates,7 +1031,,T1562.008,Disable Cloud Logs,[],[],,AC-6,mitigates,7 +1032,,T1563,Remote Service Session Hijacking,[],[],,AC-6,mitigates,7 +1033,,T1563.001,SSH 
Hijacking,[],[],,AC-6,mitigates,7 +1034,,T1563.002,RDP Hijacking,[],[],,AC-6,mitigates,7 +1035,,T1569,System Services,[],[],,AC-6,mitigates,7 +1036,,T1569.001,Launchctl,[],[],,AC-6,mitigates,7 +1037,,T1569.002,Service Execution,[],[],,AC-6,mitigates,7 +1038,,T1574,Hijack Execution Flow,[],[],,AC-6,mitigates,7 +1039,,T1574.002,DLL Side-Loading,[],[],,AC-6,mitigates,7 +1040,,T1574.004,Dylib Hijacking,[],[],,AC-6,mitigates,7 +1041,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-6,mitigates,7 +1042,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-6,mitigates,7 +1043,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-6,mitigates,7 +1044,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-6,mitigates,7 +1045,,T1574.010,Services File Permissions Weakness,[],[],,AC-6,mitigates,7 +1046,,T1574.011,Services Registry Permissions Weakness,[],[],,AC-6,mitigates,7 +1047,,T1574.012,COR_PROFILER,[],[],,AC-6,mitigates,7 +1048,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-6,mitigates,7 +1049,,T1578.001,Create Snapshot,[],[],,AC-6,mitigates,7 +1050,,T1578.002,Create Cloud Instance,[],[],,AC-6,mitigates,7 +1051,,T1578.003,Delete Cloud Instance,[],[],,AC-6,mitigates,7 +1052,,T1580,Cloud Infrastructure Discovery,[],[],,AC-6,mitigates,7 +1053,,T1599,Network Boundary Bridging,[],[],,AC-6,mitigates,7 +1054,,T1599.001,Network Address Translation Traversal,[],[],,AC-6,mitigates,7 +1055,,T1601,Modify System Image,[],[],,AC-6,mitigates,7 +1056,,T1601.001,Patch System Image,[],[],,AC-6,mitigates,7 +1057,,T1601.002,Downgrade System Image,[],[],,AC-6,mitigates,7 +1058,,T1021,Remote Services,[],[],,AC-7,mitigates,7 +1059,,T1021.001,Remote Desktop Protocol,[],[],,AC-7,mitigates,7 +1060,,T1021.004,SSH,[],[],,AC-7,mitigates,7 +1061,,T1078.002,Domain Accounts,[],[],,AC-7,mitigates,7 +1062,,T1078.004,Cloud Accounts,[],[],,AC-7,mitigates,7 +1063,,T1110,Brute Force,[],[],,AC-7,mitigates,7 +1064,,T1110.001,Password 
Guessing,[],[],,AC-7,mitigates,7 +1065,,T1110.002,Password Cracking,[],[],,AC-7,mitigates,7 +1066,,T1110.003,Password Spraying,[],[],,AC-7,mitigates,7 +1067,,T1110.004,Credential Stuffing,[],[],,AC-7,mitigates,7 +1068,,T1133,External Remote Services,[],[],,AC-7,mitigates,7 +1069,,T1530,Data from Cloud Storage Object,[],[],,AC-7,mitigates,7 +1070,,T1556,Modify Authentication Process,[],[],,AC-7,mitigates,7 +1071,,T1556.001,Domain Controller Authentication,[],[],,AC-7,mitigates,7 +1072,,T1556.003,Pluggable Authentication Modules,[],[],,AC-7,mitigates,7 +1073,,T1556.004,Network Device Authentication,[],[],,AC-7,mitigates,7 +1074,,T1199,Trusted Relationship,[],[],,AC-8,mitigates,7 +1075,,T1190,Exploit Public-Facing Application,[],[],,CA-2,mitigates,7 +1076,,T1195,Supply Chain Compromise,[],[],,CA-2,mitigates,7 +1077,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-2,mitigates,7 +1078,,T1195.002,Compromise Software Supply Chain,[],[],,CA-2,mitigates,7 +1079,,T1210,Exploitation of Remote Services,[],[],,CA-2,mitigates,7 +1080,,T1001,Data Obfuscation,[],[],,CA-7,mitigates,7 +1081,,T1001.001,Junk Data,[],[],,CA-7,mitigates,7 +1082,,T1001.002,Steganography,[],[],,CA-7,mitigates,7 +1083,,T1001.003,Protocol Impersonation,[],[],,CA-7,mitigates,7 +1084,,T1003,OS Credential Dumping,[],[],,CA-7,mitigates,7 +1085,,T1003.001,LSASS Memory,[],[],,CA-7,mitigates,7 +1086,,T1003.002,Security Account Manager,[],[],,CA-7,mitigates,7 +1087,,T1003.003,NTDS,[],[],,CA-7,mitigates,7 +1088,,T1003.004,LSA Secrets,[],[],,CA-7,mitigates,7 +1089,,T1003.005,Cached Domain Credentials,[],[],,CA-7,mitigates,7 +1090,,T1003.006,DCSync,[],[],,CA-7,mitigates,7 +1091,,T1003.007,Proc Filesystem,[],[],,CA-7,mitigates,7 +1092,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CA-7,mitigates,7 +1093,,T1008,Fallback Channels,[],[],,CA-7,mitigates,7 +1094,,T1021.002,SMB/Windows Admin Shares,[],[],,CA-7,mitigates,7 +1095,,T1021.005,VNC,[],[],,CA-7,mitigates,7 +1096,,T1029,Scheduled 
Transfer,[],[],,CA-7,mitigates,7 +1097,,T1030,Data Transfer Size Limits,[],[],,CA-7,mitigates,7 +1098,,T1036,Masquerading,[],[],,CA-7,mitigates,7 +1099,,T1036.003,Rename System Utilities,[],[],,CA-7,mitigates,7 +1100,,T1036.005,Match Legitimate Name or Location,[],[],,CA-7,mitigates,7 +1101,,T1037,Boot or Logon Initialization Scripts,[],[],,CA-7,mitigates,7 +1102,,T1037.002,Logon Script (Mac),[],[],,CA-7,mitigates,7 +1103,,T1037.003,Network Logon Script,[],[],,CA-7,mitigates,7 +1104,,T1037.004,Rc.common,[],[],,CA-7,mitigates,7 +1105,,T1037.005,Startup Items,[],[],,CA-7,mitigates,7 +1106,,T1041,Exfiltration Over C2 Channel,[],[],,CA-7,mitigates,7 +1107,,T1046,Network Service Scanning,[],[],,CA-7,mitigates,7 +1108,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-7,mitigates,7 +1109,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,7 +1110,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,7 +1111,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-7,mitigates,7 +1112,,T1053.006,Systemd Timers,[],[],,CA-7,mitigates,7 +1113,,T1055.009,Proc Memory,[],[],,CA-7,mitigates,7 +1114,,T1056.002,GUI Input Capture,[],[],,CA-7,mitigates,7 +1115,,T1068,Exploitation for Privilege Escalation,[],[],,CA-7,mitigates,7 +1116,,T1070,Indicator Removal on Host,[],[],,CA-7,mitigates,7 +1117,,T1070.001,Clear Windows Event Logs,[],[],,CA-7,mitigates,7 +1118,,T1070.002,Clear Linux or Mac System Logs,[],[],,CA-7,mitigates,7 +1119,,T1070.003,Clear Command History,[],[],,CA-7,mitigates,7 +1120,,T1071,Application Layer Protocol,[],[],,CA-7,mitigates,7 +1121,,T1071.001,Web Protocols,[],[],,CA-7,mitigates,7 +1122,,T1071.002,File Transfer Protocols,[],[],,CA-7,mitigates,7 +1123,,T1071.003,Mail Protocols,[],[],,CA-7,mitigates,7 +1124,,T1071.004,DNS,[],[],,CA-7,mitigates,7 +1125,,T1072,Software Deployment Tools,[],[],,CA-7,mitigates,7 +1126,,T1078,Valid Accounts,[],[],,CA-7,mitigates,7 
+1127,,T1078.001,Default Accounts,[],[],,CA-7,mitigates,7 +1128,,T1078.003,Local Accounts,[],[],,CA-7,mitigates,7 +1129,,T1078.004,Cloud Accounts,[],[],,CA-7,mitigates,7 +1130,,T1080,Taint Shared Content,[],[],,CA-7,mitigates,7 +1131,,T1090,Proxy,[],[],,CA-7,mitigates,7 +1132,,T1090.001,Internal Proxy,[],[],,CA-7,mitigates,7 +1133,,T1090.002,External Proxy,[],[],,CA-7,mitigates,7 +1134,,T1090.003,Multi-hop Proxy,[],[],,CA-7,mitigates,7 +1135,,T1095,Non-Application Layer Protocol,[],[],,CA-7,mitigates,7 +1136,,T1102,Web Service,[],[],,CA-7,mitigates,7 +1137,,T1102.001,Dead Drop Resolver,[],[],,CA-7,mitigates,7 +1138,,T1102.002,Bidirectional Communication,[],[],,CA-7,mitigates,7 +1139,,T1102.003,One-Way Communication,[],[],,CA-7,mitigates,7 +1140,,T1104,Multi-Stage Channels,[],[],,CA-7,mitigates,7 +1141,,T1105,Ingress Tool Transfer,[],[],,CA-7,mitigates,7 +1142,,T1110,Brute Force,[],[],,CA-7,mitigates,7 +1143,,T1110.001,Password Guessing,[],[],,CA-7,mitigates,7 +1144,,T1110.002,Password Cracking,[],[],,CA-7,mitigates,7 +1145,,T1110.003,Password Spraying,[],[],,CA-7,mitigates,7 +1146,,T1110.004,Credential Stuffing,[],[],,CA-7,mitigates,7 +1147,,T1111,Two-Factor Authentication Interception,[],[],,CA-7,mitigates,7 +1148,,T1132,Data Encoding,[],[],,CA-7,mitigates,7 +1149,,T1132.001,Standard Encoding,[],[],,CA-7,mitigates,7 +1150,,T1132.002,Non-Standard Encoding,[],[],,CA-7,mitigates,7 +1151,,T1176,Browser Extensions,[],[],,CA-7,mitigates,7 +1152,,T1185,Man in the Browser,[],[],,CA-7,mitigates,7 +1153,,T1187,Forced Authentication,[],[],,CA-7,mitigates,7 +1154,,T1189,Drive-by Compromise,[],[],,CA-7,mitigates,7 +1155,,T1190,Exploit Public-Facing Application,[],[],,CA-7,mitigates,7 +1156,,T1195,Supply Chain Compromise,[],[],,CA-7,mitigates,7 +1157,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-7,mitigates,7 +1158,,T1195.002,Compromise Software Supply Chain,[],[],,CA-7,mitigates,7 +1159,,T1197,BITS Jobs,[],[],,CA-7,mitigates,7 
+1160,,T1201,Password Policy Discovery,[],[],,CA-7,mitigates,7 +1161,,T1203,Exploitation for Client Execution,[],[],,CA-7,mitigates,7 +1162,,T1204,User Execution,[],[],,CA-7,mitigates,7 +1163,,T1204.001,Malicious Link,[],[],,CA-7,mitigates,7 +1164,,T1204.002,Malicious File,[],[],,CA-7,mitigates,7 +1165,,T1205,Traffic Signaling,[],[],,CA-7,mitigates,7 +1166,,T1205.001,Port Knocking,[],[],,CA-7,mitigates,7 +1167,,T1210,Exploitation of Remote Services,[],[],,CA-7,mitigates,7 +1168,,T1211,Exploitation for Defense Evasion,[],[],,CA-7,mitigates,7 +1169,,T1212,Exploitation for Credential Access,[],[],,CA-7,mitigates,7 +1170,,T1218,Signed Binary Proxy Execution,[],[],,CA-7,mitigates,7 +1171,,T1218.002,Control Panel,[],[],,CA-7,mitigates,7 +1172,,T1218.010,Regsvr32,[],[],,CA-7,mitigates,7 +1173,,T1218.011,Rundll32,[],[],,CA-7,mitigates,7 +1174,,T1218.012,Verclsid,[],[],,CA-7,mitigates,7 +1175,,T1219,Remote Access Software,[],[],,CA-7,mitigates,7 +1176,,T1221,Template Injection,[],[],,CA-7,mitigates,7 +1177,,T1222,File and Directory Permissions Modification,[],[],,CA-7,mitigates,7 +1178,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CA-7,mitigates,7 +1179,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CA-7,mitigates,7 +1180,,T1489,Service Stop,[],[],,CA-7,mitigates,7 +1181,,T1498,Network Denial of Service,[],[],,CA-7,mitigates,7 +1182,,T1498.001,Direct Network Flood,[],[],,CA-7,mitigates,7 +1183,,T1498.002,Reflection Amplification,[],[],,CA-7,mitigates,7 +1184,,T1499,Endpoint Denial of Service,[],[],,CA-7,mitigates,7 +1185,,T1499.001,OS Exhaustion Flood,[],[],,CA-7,mitigates,7 +1186,,T1499.002,Service Exhaustion Flood,[],[],,CA-7,mitigates,7 +1187,,T1499.003,Application Exhaustion Flood,[],[],,CA-7,mitigates,7 +1188,,T1499.004,Application or System Exploitation,[],[],,CA-7,mitigates,7 +1189,,T1528,Steal Application Access Token,[],[],,CA-7,mitigates,7 +1190,,T1530,Data from Cloud Storage Object,[],[],,CA-7,mitigates,7 
+1191,,T1537,Transfer Data to Cloud Account,[],[],,CA-7,mitigates,7 +1192,,T1539,Steal Web Session Cookie,[],[],,CA-7,mitigates,7 +1193,,T1542.004,ROMMONkit,[],[],,CA-7,mitigates,7 +1194,,T1542.005,TFTP Boot,[],[],,CA-7,mitigates,7 +1195,,T1543,Create or Modify System Process,[],[],,CA-7,mitigates,7 +1196,,T1543.002,Systemd Service,[],[],,CA-7,mitigates,7 +1197,,T1546.004,.bash_profile and .bashrc,[],[],,CA-7,mitigates,7 +1198,,T1546.013,PowerShell Profile,[],[],,CA-7,mitigates,7 +1199,,T1547.003,Time Providers,[],[],,CA-7,mitigates,7 +1200,,T1547.011,Plist Modification,[],[],,CA-7,mitigates,7 +1201,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-7,mitigates,7 +1202,,T1548.003,Sudo and Sudo Caching,[],[],,CA-7,mitigates,7 +1203,,T1550.003,Pass the Ticket,[],[],,CA-7,mitigates,7 +1204,,T1552,Unsecured Credentials,[],[],,CA-7,mitigates,7 +1205,,T1552.001,Credentials In Files,[],[],,CA-7,mitigates,7 +1206,,T1552.002,Credentials in Registry,[],[],,CA-7,mitigates,7 +1207,,T1552.004,Private Keys,[],[],,CA-7,mitigates,7 +1208,,T1552.005,Cloud Instance Metadata API,[],[],,CA-7,mitigates,7 +1209,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CA-7,mitigates,7 +1210,,T1555,Credentials from Password Stores,[],[],,CA-7,mitigates,7 +1211,,T1555.001,Keychain,[],[],,CA-7,mitigates,7 +1212,,T1555.002,Securityd Memory,[],[],,CA-7,mitigates,7 +1213,,T1556,Modify Authentication Process,[],[],,CA-7,mitigates,7 +1214,,T1556.001,Domain Controller Authentication,[],[],,CA-7,mitigates,7 +1215,,T1557,Man-in-the-Middle,[],[],,CA-7,mitigates,7 +1216,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CA-7,mitigates,7 +1217,,T1557.002,ARP Cache Poisoning,[],[],,CA-7,mitigates,7 +1218,,T1558,Steal or Forge Kerberos Tickets,[],[],,CA-7,mitigates,7 +1219,,T1558.002,Silver Ticket,[],[],,CA-7,mitigates,7 +1220,,T1558.003,Kerberoasting,[],[],,CA-7,mitigates,7 +1221,,T1558.004,AS-REP Roasting,[],[],,CA-7,mitigates,7 +1222,,T1562,Impair Defenses,[],[],,CA-7,mitigates,7 
+1223,,T1562.001,Disable or Modify Tools,[],[],,CA-7,mitigates,7 +1224,,T1562.002,Disable Windows Event Logging,[],[],,CA-7,mitigates,7 +1225,,T1562.004,Disable or Modify System Firewall,[],[],,CA-7,mitigates,7 +1226,,T1562.006,Indicator Blocking,[],[],,CA-7,mitigates,7 +1227,,T1563.001,SSH Hijacking,[],[],,CA-7,mitigates,7 +1228,,T1564.004,NTFS File Attributes,[],[],,CA-7,mitigates,7 +1229,,T1565,Data Manipulation,[],[],,CA-7,mitigates,7 +1230,,T1565.001,Stored Data Manipulation,[],[],,CA-7,mitigates,7 +1231,,T1565.003,Runtime Data Manipulation,[],[],,CA-7,mitigates,7 +1232,,T1566,Phishing,[],[],,CA-7,mitigates,7 +1233,,T1566.001,Spearphishing Attachment,[],[],,CA-7,mitigates,7 +1234,,T1566.002,Spearphishing Link,[],[],,CA-7,mitigates,7 +1235,,T1566.003,Spearphishing via Service,[],[],,CA-7,mitigates,7 +1236,,T1568,Dynamic Resolution,[],[],,CA-7,mitigates,7 +1237,,T1568.002,Domain Generation Algorithms,[],[],,CA-7,mitigates,7 +1238,,T1569,System Services,[],[],,CA-7,mitigates,7 +1239,,T1569.002,Service Execution,[],[],,CA-7,mitigates,7 +1240,,T1570,Lateral Tool Transfer,[],[],,CA-7,mitigates,7 +1241,,T1571,Non-Standard Port,[],[],,CA-7,mitigates,7 +1242,,T1572,Protocol Tunneling,[],[],,CA-7,mitigates,7 +1243,,T1573,Encrypted Channel,[],[],,CA-7,mitigates,7 +1244,,T1573.001,Symmetric Cryptography,[],[],,CA-7,mitigates,7 +1245,,T1573.002,Asymmetric Cryptography,[],[],,CA-7,mitigates,7 +1246,,T1574,Hijack Execution Flow,[],[],,CA-7,mitigates,7 +1247,,T1574.002,DLL Side-Loading,[],[],,CA-7,mitigates,7 +1248,,T1574.004,Dylib Hijacking,[],[],,CA-7,mitigates,7 +1249,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-7,mitigates,7 +1250,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-7,mitigates,7 +1251,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-7,mitigates,7 +1252,,T1598,Phishing for Information,[],[],,CA-7,mitigates,7 +1253,,T1598.001,Spearphishing Service,[],[],,CA-7,mitigates,7 +1254,,T1598.002,Spearphishing 
Attachment,[],[],,CA-7,mitigates,7 +1255,,T1598.003,Spearphishing Link,[],[],,CA-7,mitigates,7 +1256,,T1599,Network Boundary Bridging,[],[],,CA-7,mitigates,7 +1257,,T1599.001,Network Address Translation Traversal,[],[],,CA-7,mitigates,7 +1258,,T1602,Data from Configuration Repository,[],[],,CA-7,mitigates,7 +1259,,T1602.001,SNMP (MIB Dump),[],[],,CA-7,mitigates,7 +1260,,T1602.002,Network Device Configuration Dump,[],[],,CA-7,mitigates,7 +1261,,T1021.001,Remote Desktop Protocol,[],[],,CA-8,mitigates,7 +1262,,T1021.005,VNC,[],[],,CA-8,mitigates,7 +1263,,T1053,Scheduled Task/Job,[],[],,CA-8,mitigates,7 +1264,,T1053.001,At (Linux),[],[],,CA-8,mitigates,7 +1265,,T1053.002,At (Windows),[],[],,CA-8,mitigates,7 +1266,,T1053.003,Cron,[],[],,CA-8,mitigates,7 +1267,,T1053.004,Launchd,[],[],,CA-8,mitigates,7 +1268,,T1053.005,Scheduled Task,[],[],,CA-8,mitigates,7 +1269,,T1059,Command and Scripting Interpreter,[],[],,CA-8,mitigates,7 +1270,,T1068,Exploitation for Privilege Escalation,[],[],,CA-8,mitigates,7 +1271,,T1078,Valid Accounts,[],[],,CA-8,mitigates,7 +1272,,T1176,Browser Extensions,[],[],,CA-8,mitigates,7 +1273,,T1195.003,Compromise Hardware Supply Chain,[],[],,CA-8,mitigates,7 +1274,,T1210,Exploitation of Remote Services,[],[],,CA-8,mitigates,7 +1275,,T1211,Exploitation for Defense Evasion,[],[],,CA-8,mitigates,7 +1276,,T1212,Exploitation for Credential Access,[],[],,CA-8,mitigates,7 +1277,,T1213,Data from Information Repositories,[],[],,CA-8,mitigates,7 +1278,,T1213.001,Confluence,[],[],,CA-8,mitigates,7 +1279,,T1213.002,Sharepoint,[],[],,CA-8,mitigates,7 +1280,,T1482,Domain Trust Discovery,[],[],,CA-8,mitigates,7 +1281,,T1484,Domain Policy Modification,[],[],,CA-8,mitigates,7 +1282,,T1495,Firmware Corruption,[],[],,CA-8,mitigates,7 +1283,,T1505,Server Software Component,[],[],,CA-8,mitigates,7 +1284,,T1505.001,SQL Stored Procedures,[],[],,CA-8,mitigates,7 +1285,,T1505.002,Transport Agent,[],[],,CA-8,mitigates,7 +1286,,T1525,Implant Container 
Image,[],[],,CA-8,mitigates,7 +1287,,T1528,Steal Application Access Token,[],[],,CA-8,mitigates,7 +1288,,T1530,Data from Cloud Storage Object,[],[],,CA-8,mitigates,7 +1289,,T1542,Pre-OS Boot,[],[],,CA-8,mitigates,7 +1290,,T1542.001,System Firmware,[],[],,CA-8,mitigates,7 +1291,,T1542.003,Bootkit,[],[],,CA-8,mitigates,7 +1292,,T1542.004,ROMMONkit,[],[],,CA-8,mitigates,7 +1293,,T1542.005,TFTP Boot,[],[],,CA-8,mitigates,7 +1294,,T1543,Create or Modify System Process,[],[],,CA-8,mitigates,7 +1295,,T1543.003,Windows Service,[],[],,CA-8,mitigates,7 +1296,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-8,mitigates,7 +1297,,T1548.002,Bypass User Account Control,[],[],,CA-8,mitigates,7 +1298,,T1550,Use Alternate Authentication Material,[],[],,CA-8,mitigates,7 +1299,,T1552,Unsecured Credentials,[],[],,CA-8,mitigates,7 +1300,,T1552.001,Credentials In Files,[],[],,CA-8,mitigates,7 +1301,,T1552.002,Credentials in Registry,[],[],,CA-8,mitigates,7 +1302,,T1552.004,Private Keys,[],[],,CA-8,mitigates,7 +1303,,T1552.006,Group Policy Preferences,[],[],,CA-8,mitigates,7 +1304,,T1554,Compromise Client Software Binary,[],[],,CA-8,mitigates,7 +1305,,T1558.004,AS-REP Roasting,[],[],,CA-8,mitigates,7 +1306,,T1560,Archive Collected Data,[],[],,CA-8,mitigates,7 +1307,,T1560.001,Archive via Utility,[],[],,CA-8,mitigates,7 +1308,,T1562,Impair Defenses,[],[],,CA-8,mitigates,7 +1309,,T1563,Remote Service Session Hijacking,[],[],,CA-8,mitigates,7 +1310,,T1574,Hijack Execution Flow,[],[],,CA-8,mitigates,7 +1311,,T1574.001,DLL Search Order Hijacking,[],[],,CA-8,mitigates,7 +1312,,T1574.002,DLL Side-Loading,[],[],,CA-8,mitigates,7 +1313,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CA-8,mitigates,7 +1314,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-8,mitigates,7 +1315,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-8,mitigates,7 +1316,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-8,mitigates,7 +1317,,T1574.010,Services File 
Permissions Weakness,[],[],,CA-8,mitigates,7 +1318,,T1578,Modify Cloud Compute Infrastructure,[],[],,CA-8,mitigates,7 +1319,,T1578.001,Create Snapshot,[],[],,CA-8,mitigates,7 +1320,,T1578.002,Create Cloud Instance,[],[],,CA-8,mitigates,7 +1321,,T1578.003,Delete Cloud Instance,[],[],,CA-8,mitigates,7 +1322,,T1601,Modify System Image,[],[],,CA-8,mitigates,7 +1323,,T1601.001,Patch System Image,[],[],,CA-8,mitigates,7 +1324,,T1601.002,Downgrade System Image,[],[],,CA-8,mitigates,7 +1325,,T1546.008,Accessibility Features,[],[],,CM-10,mitigates,7 +1326,,T1546.013,PowerShell Profile,[],[],,CM-10,mitigates,7 +1327,,T1550.001,Application Access Token,[],[],,CM-10,mitigates,7 +1328,,T1553,Subvert Trust Controls,[],[],,CM-10,mitigates,7 +1329,,T1553.004,Install Root Certificate,[],[],,CM-10,mitigates,7 +1330,,T1559,Inter-Process Communication,[],[],,CM-10,mitigates,7 +1331,,T1559.002,Dynamic Data Exchange,[],[],,CM-10,mitigates,7 +1332,,T1021.005,VNC,[],[],,CM-11,mitigates,7 +1333,,T1059,Command and Scripting Interpreter,[],[],,CM-11,mitigates,7 +1334,,T1059.006,Python,[],[],,CM-11,mitigates,7 +1335,,T1176,Browser Extensions,[],[],,CM-11,mitigates,7 +1336,,T1195,Supply Chain Compromise,[],[],,CM-11,mitigates,7 +1337,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-11,mitigates,7 +1338,,T1195.002,Compromise Software Supply Chain,[],[],,CM-11,mitigates,7 +1339,,T1505,Server Software Component,[],[],,CM-11,mitigates,7 +1340,,T1505.001,SQL Stored Procedures,[],[],,CM-11,mitigates,7 +1341,,T1505.002,Transport Agent,[],[],,CM-11,mitigates,7 +1342,,T1543,Create or Modify System Process,[],[],,CM-11,mitigates,7 +1343,,T1543.001,Launch Agent,[],[],,CM-11,mitigates,7 +1344,,T1543.002,Systemd Service,[],[],,CM-11,mitigates,7 +1345,,T1543.003,Windows Service,[],[],,CM-11,mitigates,7 +1346,,T1543.004,Launch Daemon,[],[],,CM-11,mitigates,7 +1347,,T1550.001,Application Access Token,[],[],,CM-11,mitigates,7 +1348,,T1569,System Services,[],[],,CM-11,mitigates,7 
+1349,,T1569.001,Launchctl,[],[],,CM-11,mitigates,7 +1350,,T1001,Data Obfuscation,[],[],,CM-2,mitigates,7 +1351,,T1001.001,Junk Data,[],[],,CM-2,mitigates,7 +1352,,T1001.002,Steganography,[],[],,CM-2,mitigates,7 +1353,,T1001.003,Protocol Impersonation,[],[],,CM-2,mitigates,7 +1354,,T1003,OS Credential Dumping,[],[],,CM-2,mitigates,7 +1355,,T1003.001,LSASS Memory,[],[],,CM-2,mitigates,7 +1356,,T1003.002,Security Account Manager,[],[],,CM-2,mitigates,7 +1357,,T1003.003,NTDS,[],[],,CM-2,mitigates,7 +1358,,T1003.004,LSA Secrets,[],[],,CM-2,mitigates,7 +1359,,T1003.005,Cached Domain Credentials,[],[],,CM-2,mitigates,7 +1360,,T1003.006,DCSync,[],[],,CM-2,mitigates,7 +1361,,T1003.007,Proc Filesystem,[],[],,CM-2,mitigates,7 +1362,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-2,mitigates,7 +1363,,T1008,Fallback Channels,[],[],,CM-2,mitigates,7 +1364,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-2,mitigates,7 +1365,,T1020.001,Traffic Duplication,[],[],,CM-2,mitigates,7 +1366,,T1021.001,Remote Desktop Protocol,[],[],,CM-2,mitigates,7 +1367,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-2,mitigates,7 +1368,,T1021.003,Distributed Component Object Model,[],[],,CM-2,mitigates,7 +1369,,T1021.004,SSH,[],[],,CM-2,mitigates,7 +1370,,T1021.005,VNC,[],[],,CM-2,mitigates,7 +1371,,T1021.006,Windows Remote Management,[],[],,CM-2,mitigates,7 +1372,,T1029,Scheduled Transfer,[],[],,CM-2,mitigates,7 +1373,,T1030,Data Transfer Size Limits,[],[],,CM-2,mitigates,7 +1374,,T1036,Masquerading,[],[],,CM-2,mitigates,7 +1375,,T1036.001,Invalid Code Signature,[],[],,CM-2,mitigates,7 +1376,,T1036.003,Rename System Utilities,[],[],,CM-2,mitigates,7 +1377,,T1036.005,Match Legitimate Name or Location,[],[],,CM-2,mitigates,7 +1378,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-2,mitigates,7 +1379,,T1037.002,Logon Script (Mac),[],[],,CM-2,mitigates,7 +1380,,T1037.003,Network Logon Script,[],[],,CM-2,mitigates,7 +1381,,T1037.004,Rc.common,[],[],,CM-2,mitigates,7 +1382,,T1037.005,Startup 
Items,[],[],,CM-2,mitigates,7 +1383,,T1046,Network Service Scanning,[],[],,CM-2,mitigates,7 +1384,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-2,mitigates,7 +1385,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,7 +1386,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,7 +1387,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-2,mitigates,7 +1388,,T1052,Exfiltration Over Physical Medium,[],[],,CM-2,mitigates,7 +1389,,T1052.001,Exfiltration over USB,[],[],,CM-2,mitigates,7 +1390,,T1053,Scheduled Task/Job,[],[],,CM-2,mitigates,7 +1391,,T1053.002,At (Windows),[],[],,CM-2,mitigates,7 +1392,,T1053.005,Scheduled Task,[],[],,CM-2,mitigates,7 +1393,,T1059,Command and Scripting Interpreter,[],[],,CM-2,mitigates,7 +1394,,T1059.001,PowerShell,[],[],,CM-2,mitigates,7 +1395,,T1059.002,AppleScript,[],[],,CM-2,mitigates,7 +1396,,T1059.005,Visual Basic,[],[],,CM-2,mitigates,7 +1397,,T1059.007,JavaScript/JScript,[],[],,CM-2,mitigates,7 +1398,,T1068,Exploitation for Privilege Escalation,[],[],,CM-2,mitigates,7 +1399,,T1070,Indicator Removal on Host,[],[],,CM-2,mitigates,7 +1400,,T1070.001,Clear Windows Event Logs,[],[],,CM-2,mitigates,7 +1401,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-2,mitigates,7 +1402,,T1070.003,Clear Command History,[],[],,CM-2,mitigates,7 +1403,,T1071,Application Layer Protocol,[],[],,CM-2,mitigates,7 +1404,,T1071.001,Web Protocols,[],[],,CM-2,mitigates,7 +1405,,T1071.002,File Transfer Protocols,[],[],,CM-2,mitigates,7 +1406,,T1071.003,Mail Protocols,[],[],,CM-2,mitigates,7 +1407,,T1071.004,DNS,[],[],,CM-2,mitigates,7 +1408,,T1072,Software Deployment Tools,[],[],,CM-2,mitigates,7 +1409,,T1080,Taint Shared Content,[],[],,CM-2,mitigates,7 +1410,,T1090,Proxy,[],[],,CM-2,mitigates,7 +1411,,T1090.001,Internal Proxy,[],[],,CM-2,mitigates,7 +1412,,T1090.002,External Proxy,[],[],,CM-2,mitigates,7 +1413,,T1091,Replication Through Removable 
Media,[],[],,CM-2,mitigates,7 +1414,,T1092,Communication Through Removable Media,[],[],,CM-2,mitigates,7 +1415,,T1095,Non-Application Layer Protocol,[],[],,CM-2,mitigates,7 +1416,,T1098.004,SSH Authorized Keys,[],[],,CM-2,mitigates,7 +1417,,T1102,Web Service,[],[],,CM-2,mitigates,7 +1418,,T1102.001,Dead Drop Resolver,[],[],,CM-2,mitigates,7 +1419,,T1102.002,Bidirectional Communication,[],[],,CM-2,mitigates,7 +1420,,T1102.003,One-Way Communication,[],[],,CM-2,mitigates,7 +1421,,T1104,Multi-Stage Channels,[],[],,CM-2,mitigates,7 +1422,,T1105,Ingress Tool Transfer,[],[],,CM-2,mitigates,7 +1423,,T1110,Brute Force,[],[],,CM-2,mitigates,7 +1424,,T1110.001,Password Guessing,[],[],,CM-2,mitigates,7 +1425,,T1110.002,Password Cracking,[],[],,CM-2,mitigates,7 +1426,,T1110.003,Password Spraying,[],[],,CM-2,mitigates,7 +1427,,T1110.004,Credential Stuffing,[],[],,CM-2,mitigates,7 +1428,,T1111,Two-Factor Authentication Interception,[],[],,CM-2,mitigates,7 +1429,,T1114,Email Collection,[],[],,CM-2,mitigates,7 +1430,,T1114.002,Remote Email Collection,[],[],,CM-2,mitigates,7 +1431,,T1119,Automated Collection,[],[],,CM-2,mitigates,7 +1432,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-2,mitigates,7 +1433,,T1127.001,MSBuild,[],[],,CM-2,mitigates,7 +1434,,T1129,Shared Modules,[],[],,CM-2,mitigates,7 +1435,,T1132,Data Encoding,[],[],,CM-2,mitigates,7 +1436,,T1132.001,Standard Encoding,[],[],,CM-2,mitigates,7 +1437,,T1132.002,Non-Standard Encoding,[],[],,CM-2,mitigates,7 +1438,,T1133,External Remote Services,[],[],,CM-2,mitigates,7 +1439,,T1134.005,SID-History Injection,[],[],,CM-2,mitigates,7 +1440,,T1137,Office Application Startup,[],[],,CM-2,mitigates,7 +1441,,T1137.001,Office Template Macros,[],[],,CM-2,mitigates,7 +1442,,T1137.002,Office Test,[],[],,CM-2,mitigates,7 +1443,,T1137.003,Outlook Forms,[],[],,CM-2,mitigates,7 +1444,,T1137.004,Outlook Home Page,[],[],,CM-2,mitigates,7 +1445,,T1137.005,Outlook Rules,[],[],,CM-2,mitigates,7 +1446,,T1176,Browser 
Extensions,[],[],,CM-2,mitigates,7 +1447,,T1185,Man in the Browser,[],[],,CM-2,mitigates,7 +1448,,T1187,Forced Authentication,[],[],,CM-2,mitigates,7 +1449,,T1189,Drive-by Compromise,[],[],,CM-2,mitigates,7 +1450,,T1201,Password Policy Discovery,[],[],,CM-2,mitigates,7 +1451,,T1204,User Execution,[],[],,CM-2,mitigates,7 +1452,,T1204.001,Malicious Link,[],[],,CM-2,mitigates,7 +1453,,T1204.002,Malicious File,[],[],,CM-2,mitigates,7 +1454,,T1210,Exploitation of Remote Services,[],[],,CM-2,mitigates,7 +1455,,T1211,Exploitation for Defense Evasion,[],[],,CM-2,mitigates,7 +1456,,T1212,Exploitation for Credential Access,[],[],,CM-2,mitigates,7 +1457,,T1216,Signed Script Proxy Execution,[],[],,CM-2,mitigates,7 +1458,,T1216.001,PubPrn,[],[],,CM-2,mitigates,7 +1459,,T1218,Signed Binary Proxy Execution,[],[],,CM-2,mitigates,7 +1460,,T1218.001,Compiled HTML File,[],[],,CM-2,mitigates,7 +1461,,T1218.002,Control Panel,[],[],,CM-2,mitigates,7 +1462,,T1218.003,CMSTP,[],[],,CM-2,mitigates,7 +1463,,T1218.004,InstallUtil,[],[],,CM-2,mitigates,7 +1464,,T1218.005,Mshta,[],[],,CM-2,mitigates,7 +1465,,T1218.008,Odbcconf,[],[],,CM-2,mitigates,7 +1466,,T1218.009,Regsvcs/Regasm,[],[],,CM-2,mitigates,7 +1467,,T1218.012,Verclsid,[],[],,CM-2,mitigates,7 +1468,,T1219,Remote Access Software,[],[],,CM-2,mitigates,7 +1469,,T1220,XSL Script Processing,[],[],,CM-2,mitigates,7 +1470,,T1221,Template Injection,[],[],,CM-2,mitigates,7 +1471,,T1484,Domain Policy Modification,[],[],,CM-2,mitigates,7 +1472,,T1485,Data Destruction,[],[],,CM-2,mitigates,7 +1473,,T1486,Data Encrypted for Impact,[],[],,CM-2,mitigates,7 +1474,,T1490,Inhibit System Recovery,[],[],,CM-2,mitigates,7 +1475,,T1491,Defacement,[],[],,CM-2,mitigates,7 +1476,,T1491.001,Internal Defacement,[],[],,CM-2,mitigates,7 +1477,,T1491.002,External Defacement,[],[],,CM-2,mitigates,7 +1478,,T1505,Server Software Component,[],[],,CM-2,mitigates,7 +1479,,T1505.001,SQL Stored Procedures,[],[],,CM-2,mitigates,7 +1480,,T1505.002,Transport 
Agent,[],[],,CM-2,mitigates,7 +1481,,T1525,Implant Container Image,[],[],,CM-2,mitigates,7 +1482,,T1528,Steal Application Access Token,[],[],,CM-2,mitigates,7 +1483,,T1530,Data from Cloud Storage Object,[],[],,CM-2,mitigates,7 +1484,,T1539,Steal Web Session Cookie,[],[],,CM-2,mitigates,7 +1485,,T1542.004,ROMMONkit,[],[],,CM-2,mitigates,7 +1486,,T1542.005,TFTP Boot,[],[],,CM-2,mitigates,7 +1487,,T1543,Create or Modify System Process,[],[],,CM-2,mitigates,7 +1488,,T1543.002,Systemd Service,[],[],,CM-2,mitigates,7 +1489,,T1543.003,Windows Service,[],[],,CM-2,mitigates,7 +1490,,T1546,Event Triggered Execution,[],[],,CM-2,mitigates,7 +1491,,T1546.002,Screensaver,[],[],,CM-2,mitigates,7 +1492,,T1546.004,.bash_profile and .bashrc,[],[],,CM-2,mitigates,7 +1493,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-2,mitigates,7 +1494,,T1546.010,AppInit DLLs,[],[],,CM-2,mitigates,7 +1495,,T1546.013,PowerShell Profile,[],[],,CM-2,mitigates,7 +1496,,T1546.014,Emond,[],[],,CM-2,mitigates,7 +1497,,T1547.003,Time Providers,[],[],,CM-2,mitigates,7 +1498,,T1547.007,Re-opened Applications,[],[],,CM-2,mitigates,7 +1499,,T1547.008,LSASS Driver,[],[],,CM-2,mitigates,7 +1500,,T1547.011,Plist Modification,[],[],,CM-2,mitigates,7 +1501,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-2,mitigates,7 +1502,,T1548.002,Bypass User Account Control,[],[],,CM-2,mitigates,7 +1503,,T1548.003,Sudo and Sudo Caching,[],[],,CM-2,mitigates,7 +1504,,T1548.004,Elevated Execution with Prompt,[],[],,CM-2,mitigates,7 +1505,,T1550,Use Alternate Authentication Material,[],[],,CM-2,mitigates,7 +1506,,T1550.001,Application Access Token,[],[],,CM-2,mitigates,7 +1507,,T1550.003,Pass the Ticket,[],[],,CM-2,mitigates,7 +1508,,T1552,Unsecured Credentials,[],[],,CM-2,mitigates,7 +1509,,T1552.001,Credentials In Files,[],[],,CM-2,mitigates,7 +1510,,T1552.004,Private Keys,[],[],,CM-2,mitigates,7 +1511,,T1552.006,Group Policy Preferences,[],[],,CM-2,mitigates,7 +1512,,T1553,Subvert Trust Controls,[],[],,CM-2,mitigates,7 
+1513,,T1553.001,Gatekeeper Bypass,[],[],,CM-2,mitigates,7 +1514,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-2,mitigates,7 +1515,,T1554,Compromise Client Software Binary,[],[],,CM-2,mitigates,7 +1516,,T1556.004,Network Device Authentication,[],[],,CM-2,mitigates,7 +1517,,T1557,Man-in-the-Middle,[],[],,CM-2,mitigates,7 +1518,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-2,mitigates,7 +1519,,T1557.002,ARP Cache Poisoning,[],[],,CM-2,mitigates,7 +1520,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-2,mitigates,7 +1521,,T1558.001,Golden Ticket,[],[],,CM-2,mitigates,7 +1522,,T1558.002,Silver Ticket,[],[],,CM-2,mitigates,7 +1523,,T1558.003,Kerberoasting,[],[],,CM-2,mitigates,7 +1524,,T1558.004,AS-REP Roasting,[],[],,CM-2,mitigates,7 +1525,,T1559,Inter-Process Communication,[],[],,CM-2,mitigates,7 +1526,,T1559.001,Component Object Model,[],[],,CM-2,mitigates,7 +1527,,T1559.002,Dynamic Data Exchange,[],[],,CM-2,mitigates,7 +1528,,T1561,Disk Wipe,[],[],,CM-2,mitigates,7 +1529,,T1561.001,Disk Content Wipe,[],[],,CM-2,mitigates,7 +1530,,T1561.002,Disk Structure Wipe,[],[],,CM-2,mitigates,7 +1531,,T1562,Impair Defenses,[],[],,CM-2,mitigates,7 +1532,,T1562.001,Disable or Modify Tools,[],[],,CM-2,mitigates,7 +1533,,T1562.002,Disable Windows Event Logging,[],[],,CM-2,mitigates,7 +1534,,T1562.003,Impair Command History Logging,[],[],,CM-2,mitigates,7 +1535,,T1562.004,Disable or Modify System Firewall,[],[],,CM-2,mitigates,7 +1536,,T1562.006,Indicator Blocking,[],[],,CM-2,mitigates,7 +1537,,T1563,Remote Service Session Hijacking,[],[],,CM-2,mitigates,7 +1538,,T1563.001,SSH Hijacking,[],[],,CM-2,mitigates,7 +1539,,T1563.002,RDP Hijacking,[],[],,CM-2,mitigates,7 +1540,,T1564.006,Run Virtual Instance,[],[],,CM-2,mitigates,7 +1541,,T1564.007,VBA Stomping,[],[],,CM-2,mitigates,7 +1542,,T1565,Data Manipulation,[],[],,CM-2,mitigates,7 +1543,,T1565.001,Stored Data Manipulation,[],[],,CM-2,mitigates,7 +1544,,T1565.002,Transmitted Data 
Manipulation,[],[],,CM-2,mitigates,7 +1545,,T1569,System Services,[],[],,CM-2,mitigates,7 +1546,,T1569.002,Service Execution,[],[],,CM-2,mitigates,7 +1547,,T1570,Lateral Tool Transfer,[],[],,CM-2,mitigates,7 +1548,,T1571,Non-Standard Port,[],[],,CM-2,mitigates,7 +1549,,T1572,Protocol Tunneling,[],[],,CM-2,mitigates,7 +1550,,T1573,Encrypted Channel,[],[],,CM-2,mitigates,7 +1551,,T1573.001,Symmetric Cryptography,[],[],,CM-2,mitigates,7 +1552,,T1573.002,Asymmetric Cryptography,[],[],,CM-2,mitigates,7 +1553,,T1574,Hijack Execution Flow,[],[],,CM-2,mitigates,7 +1554,,T1574.001,DLL Search Order Hijacking,[],[],,CM-2,mitigates,7 +1555,,T1574.002,DLL Side-Loading,[],[],,CM-2,mitigates,7 +1556,,T1574.004,Dylib Hijacking,[],[],,CM-2,mitigates,7 +1557,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-2,mitigates,7 +1558,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-2,mitigates,7 +1559,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-2,mitigates,7 +1560,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-2,mitigates,7 +1561,,T1574.010,Services File Permissions Weakness,[],[],,CM-2,mitigates,7 +1562,,T1599,Network Boundary Bridging,[],[],,CM-2,mitigates,7 +1563,,T1599.001,Network Address Translation Traversal,[],[],,CM-2,mitigates,7 +1564,,T1601,Modify System Image,[],[],,CM-2,mitigates,7 +1565,,T1601.001,Patch System Image,[],[],,CM-2,mitigates,7 +1566,,T1601.002,Downgrade System Image,[],[],,CM-2,mitigates,7 +1567,,T1602,Data from Configuration Repository,[],[],,CM-2,mitigates,7 +1568,,T1602.001,SNMP (MIB Dump),[],[],,CM-2,mitigates,7 +1569,,T1602.002,Network Device Configuration Dump,[],[],,CM-2,mitigates,7 +1570,,T1021.005,VNC,[],[],,CM-3,mitigates,7 +1571,,T1059.006,Python,[],[],,CM-3,mitigates,7 +1572,,T1176,Browser Extensions,[],[],,CM-3,mitigates,7 +1573,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-3,mitigates,7 +1574,,T1204,User Execution,[],[],,CM-3,mitigates,7 +1575,,T1204.001,Malicious 
Link,[],[],,CM-3,mitigates,7 +1576,,T1204.002,Malicious File,[],[],,CM-3,mitigates,7 +1577,,T1495,Firmware Corruption,[],[],,CM-3,mitigates,7 +1578,,T1542,Pre-OS Boot,[],[],,CM-3,mitigates,7 +1579,,T1542.001,System Firmware,[],[],,CM-3,mitigates,7 +1580,,T1542.003,Bootkit,[],[],,CM-3,mitigates,7 +1581,,T1542.004,ROMMONkit,[],[],,CM-3,mitigates,7 +1582,,T1542.005,TFTP Boot,[],[],,CM-3,mitigates,7 +1583,,T1543,Create or Modify System Process,[],[],,CM-3,mitigates,7 +1584,,T1543.002,Systemd Service,[],[],,CM-3,mitigates,7 +1585,,T1547.007,Re-opened Applications,[],[],,CM-3,mitigates,7 +1586,,T1547.011,Plist Modification,[],[],,CM-3,mitigates,7 +1587,,T1601,Modify System Image,[],[],,CM-3,mitigates,7 +1588,,T1601.001,Patch System Image,[],[],,CM-3,mitigates,7 +1589,,T1601.002,Downgrade System Image,[],[],,CM-3,mitigates,7 +1590,,T1003,OS Credential Dumping,[],[],,CM-5,mitigates,7 +1591,,T1003.001,LSASS Memory,[],[],,CM-5,mitigates,7 +1592,,T1003.002,Security Account Manager,[],[],,CM-5,mitigates,7 +1593,,T1003.003,NTDS,[],[],,CM-5,mitigates,7 +1594,,T1003.004,LSA Secrets,[],[],,CM-5,mitigates,7 +1595,,T1003.005,Cached Domain Credentials,[],[],,CM-5,mitigates,7 +1596,,T1003.006,DCSync,[],[],,CM-5,mitigates,7 +1597,,T1003.007,Proc Filesystem,[],[],,CM-5,mitigates,7 +1598,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-5,mitigates,7 +1599,,T1021,Remote Services,[],[],,CM-5,mitigates,7 +1600,,T1021.001,Remote Desktop Protocol,[],[],,CM-5,mitigates,7 +1601,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-5,mitigates,7 +1602,,T1021.003,Distributed Component Object Model,[],[],,CM-5,mitigates,7 +1603,,T1021.004,SSH,[],[],,CM-5,mitigates,7 +1604,,T1021.005,VNC,[],[],,CM-5,mitigates,7 +1605,,T1021.006,Windows Remote Management,[],[],,CM-5,mitigates,7 +1606,,T1047,Windows Management Instrumentation,[],[],,CM-5,mitigates,7 +1607,,T1053,Scheduled Task/Job,[],[],,CM-5,mitigates,7 +1608,,T1053.001,At (Linux),[],[],,CM-5,mitigates,7 +1609,,T1053.002,At (Windows),[],[],,CM-5,mitigates,7 
+1610,,T1053.003,Cron,[],[],,CM-5,mitigates,7 +1611,,T1053.004,Launchd,[],[],,CM-5,mitigates,7 +1612,,T1053.005,Scheduled Task,[],[],,CM-5,mitigates,7 +1613,,T1053.006,Systemd Timers,[],[],,CM-5,mitigates,7 +1614,,T1055,Process Injection,[],[],,CM-5,mitigates,7 +1615,,T1055.008,Ptrace System Calls,[],[],,CM-5,mitigates,7 +1616,,T1056.003,Web Portal Capture,[],[],,CM-5,mitigates,7 +1617,,T1059,Command and Scripting Interpreter,[],[],,CM-5,mitigates,7 +1618,,T1059.001,PowerShell,[],[],,CM-5,mitigates,7 +1619,,T1059.006,Python,[],[],,CM-5,mitigates,7 +1620,,T1059.008,Network Device CLI,[],[],,CM-5,mitigates,7 +1621,,T1072,Software Deployment Tools,[],[],,CM-5,mitigates,7 +1622,,T1078,Valid Accounts,[],[],,CM-5,mitigates,7 +1623,,T1078.002,Domain Accounts,[],[],,CM-5,mitigates,7 +1624,,T1078.003,Local Accounts,[],[],,CM-5,mitigates,7 +1625,,T1078.004,Cloud Accounts,[],[],,CM-5,mitigates,7 +1626,,T1098,Account Manipulation,[],[],,CM-5,mitigates,7 +1627,,T1098.001,Additional Cloud Credentials,[],[],,CM-5,mitigates,7 +1628,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-5,mitigates,7 +1629,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-5,mitigates,7 +1630,,T1134,Access Token Manipulation,[],[],,CM-5,mitigates,7 +1631,,T1134.001,Token Impersonation/Theft,[],[],,CM-5,mitigates,7 +1632,,T1134.002,Create Process with Token,[],[],,CM-5,mitigates,7 +1633,,T1134.003,Make and Impersonate Token,[],[],,CM-5,mitigates,7 +1634,,T1136,Create Account,[],[],,CM-5,mitigates,7 +1635,,T1136.001,Local Account,[],[],,CM-5,mitigates,7 +1636,,T1136.002,Domain Account,[],[],,CM-5,mitigates,7 +1637,,T1136.003,Cloud Account,[],[],,CM-5,mitigates,7 +1638,,T1137.002,Office Test,[],[],,CM-5,mitigates,7 +1639,,T1176,Browser Extensions,[],[],,CM-5,mitigates,7 +1640,,T1185,Man in the Browser,[],[],,CM-5,mitigates,7 +1641,,T1190,Exploit Public-Facing Application,[],[],,CM-5,mitigates,7 +1642,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-5,mitigates,7 +1643,,T1197,BITS 
Jobs,[],[],,CM-5,mitigates,7 +1644,,T1204,User Execution,[],[],,CM-5,mitigates,7 +1645,,T1204.001,Malicious Link,[],[],,CM-5,mitigates,7 +1646,,T1204.002,Malicious File,[],[],,CM-5,mitigates,7 +1647,,T1210,Exploitation of Remote Services,[],[],,CM-5,mitigates,7 +1648,,T1213,Data from Information Repositories,[],[],,CM-5,mitigates,7 +1649,,T1213.001,Confluence,[],[],,CM-5,mitigates,7 +1650,,T1213.002,Sharepoint,[],[],,CM-5,mitigates,7 +1651,,T1218,Signed Binary Proxy Execution,[],[],,CM-5,mitigates,7 +1652,,T1218.007,Msiexec,[],[],,CM-5,mitigates,7 +1653,,T1222,File and Directory Permissions Modification,[],[],,CM-5,mitigates,7 +1654,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-5,mitigates,7 +1655,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-5,mitigates,7 +1656,,T1484,Domain Policy Modification,[],[],,CM-5,mitigates,7 +1657,,T1489,Service Stop,[],[],,CM-5,mitigates,7 +1658,,T1495,Firmware Corruption,[],[],,CM-5,mitigates,7 +1659,,T1505,Server Software Component,[],[],,CM-5,mitigates,7 +1660,,T1505.001,SQL Stored Procedures,[],[],,CM-5,mitigates,7 +1661,,T1505.002,Transport Agent,[],[],,CM-5,mitigates,7 +1662,,T1525,Implant Container Image,[],[],,CM-5,mitigates,7 +1663,,T1528,Steal Application Access Token,[],[],,CM-5,mitigates,7 +1664,,T1530,Data from Cloud Storage Object,[],[],,CM-5,mitigates,7 +1665,,T1537,Transfer Data to Cloud Account,[],[],,CM-5,mitigates,7 +1666,,T1542,Pre-OS Boot,[],[],,CM-5,mitigates,7 +1667,,T1542.001,System Firmware,[],[],,CM-5,mitigates,7 +1668,,T1542.003,Bootkit,[],[],,CM-5,mitigates,7 +1669,,T1542.004,ROMMONkit,[],[],,CM-5,mitigates,7 +1670,,T1542.005,TFTP Boot,[],[],,CM-5,mitigates,7 +1671,,T1543,Create or Modify System Process,[],[],,CM-5,mitigates,7 +1672,,T1543.001,Launch Agent,[],[],,CM-5,mitigates,7 +1673,,T1543.002,Systemd Service,[],[],,CM-5,mitigates,7 +1674,,T1543.003,Windows Service,[],[],,CM-5,mitigates,7 +1675,,T1543.004,Launch Daemon,[],[],,CM-5,mitigates,7 
+1676,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-5,mitigates,7 +1677,,T1547.003,Time Providers,[],[],,CM-5,mitigates,7 +1678,,T1547.004,Winlogon Helper DLL,[],[],,CM-5,mitigates,7 +1679,,T1547.006,Kernel Modules and Extensions,[],[],,CM-5,mitigates,7 +1680,,T1547.007,Re-opened Applications,[],[],,CM-5,mitigates,7 +1681,,T1547.009,Shortcut Modification,[],[],,CM-5,mitigates,7 +1682,,T1547.011,Plist Modification,[],[],,CM-5,mitigates,7 +1683,,T1547.012,Print Processors,[],[],,CM-5,mitigates,7 +1684,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-5,mitigates,7 +1685,,T1548.002,Bypass User Account Control,[],[],,CM-5,mitigates,7 +1686,,T1548.003,Sudo and Sudo Caching,[],[],,CM-5,mitigates,7 +1687,,T1550,Use Alternate Authentication Material,[],[],,CM-5,mitigates,7 +1688,,T1550.002,Pass the Hash,[],[],,CM-5,mitigates,7 +1689,,T1550.003,Pass the Ticket,[],[],,CM-5,mitigates,7 +1690,,T1552,Unsecured Credentials,[],[],,CM-5,mitigates,7 +1691,,T1552.002,Credentials in Registry,[],[],,CM-5,mitigates,7 +1692,,T1556,Modify Authentication Process,[],[],,CM-5,mitigates,7 +1693,,T1556.001,Domain Controller Authentication,[],[],,CM-5,mitigates,7 +1694,,T1556.003,Pluggable Authentication Modules,[],[],,CM-5,mitigates,7 +1695,,T1556.004,Network Device Authentication,[],[],,CM-5,mitigates,7 +1696,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-5,mitigates,7 +1697,,T1558.001,Golden Ticket,[],[],,CM-5,mitigates,7 +1698,,T1558.002,Silver Ticket,[],[],,CM-5,mitigates,7 +1699,,T1558.003,Kerberoasting,[],[],,CM-5,mitigates,7 +1700,,T1559,Inter-Process Communication,[],[],,CM-5,mitigates,7 +1701,,T1559.001,Component Object Model,[],[],,CM-5,mitigates,7 +1702,,T1562,Impair Defenses,[],[],,CM-5,mitigates,7 +1703,,T1562.001,Disable or Modify Tools,[],[],,CM-5,mitigates,7 +1704,,T1562.002,Disable Windows Event Logging,[],[],,CM-5,mitigates,7 +1705,,T1562.004,Disable or Modify System Firewall,[],[],,CM-5,mitigates,7 +1706,,T1562.006,Indicator 
Blocking,[],[],,CM-5,mitigates,7 +1707,,T1562.007,Disable or Modify Cloud Firewall,[],[],,CM-5,mitigates,7 +1708,,T1562.008,Disable Cloud Logs,[],[],,CM-5,mitigates,7 +1709,,T1563,Remote Service Session Hijacking,[],[],,CM-5,mitigates,7 +1710,,T1563.001,SSH Hijacking,[],[],,CM-5,mitigates,7 +1711,,T1563.002,RDP Hijacking,[],[],,CM-5,mitigates,7 +1712,,T1569,System Services,[],[],,CM-5,mitigates,7 +1713,,T1569.001,Launchctl,[],[],,CM-5,mitigates,7 +1714,,T1569.002,Service Execution,[],[],,CM-5,mitigates,7 +1715,,T1574,Hijack Execution Flow,[],[],,CM-5,mitigates,7 +1716,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-5,mitigates,7 +1717,,T1574.010,Services File Permissions Weakness,[],[],,CM-5,mitigates,7 +1718,,T1574.011,Services Registry Permissions Weakness,[],[],,CM-5,mitigates,7 +1719,,T1574.012,COR_PROFILER,[],[],,CM-5,mitigates,7 +1720,,T1578,Modify Cloud Compute Infrastructure,[],[],,CM-5,mitigates,7 +1721,,T1578.001,Create Snapshot,[],[],,CM-5,mitigates,7 +1722,,T1578.002,Create Cloud Instance,[],[],,CM-5,mitigates,7 +1723,,T1578.003,Delete Cloud Instance,[],[],,CM-5,mitigates,7 +1724,,T1599,Network Boundary Bridging,[],[],,CM-5,mitigates,7 +1725,,T1599.001,Network Address Translation Traversal,[],[],,CM-5,mitigates,7 +1726,,T1601,Modify System Image,[],[],,CM-5,mitigates,7 +1727,,T1601.001,Patch System Image,[],[],,CM-5,mitigates,7 +1728,,T1601.002,Downgrade System Image,[],[],,CM-5,mitigates,7 +1729,,T1001,Data Obfuscation,[],[],,CM-6,mitigates,7 +1730,,T1001.001,Junk Data,[],[],,CM-6,mitigates,7 +1731,,T1001.002,Steganography,[],[],,CM-6,mitigates,7 +1732,,T1001.003,Protocol Impersonation,[],[],,CM-6,mitigates,7 +1733,,T1003,OS Credential Dumping,[],[],,CM-6,mitigates,7 +1734,,T1003.001,LSASS Memory,[],[],,CM-6,mitigates,7 +1735,,T1003.002,Security Account Manager,[],[],,CM-6,mitigates,7 +1736,,T1003.003,NTDS,[],[],,CM-6,mitigates,7 +1737,,T1003.004,LSA Secrets,[],[],,CM-6,mitigates,7 +1738,,T1003.005,Cached Domain 
Credentials,[],[],,CM-6,mitigates,7 +1739,,T1003.006,DCSync,[],[],,CM-6,mitigates,7 +1740,,T1003.007,Proc Filesystem,[],[],,CM-6,mitigates,7 +1741,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-6,mitigates,7 +1742,,T1008,Fallback Channels,[],[],,CM-6,mitigates,7 +1743,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-6,mitigates,7 +1744,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-6,mitigates,7 +1745,,T1020.001,Traffic Duplication,[],[],,CM-6,mitigates,7 +1746,,T1021,Remote Services,[],[],,CM-6,mitigates,7 +1747,,T1021.001,Remote Desktop Protocol,[],[],,CM-6,mitigates,7 +1748,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-6,mitigates,7 +1749,,T1021.003,Distributed Component Object Model,[],[],,CM-6,mitigates,7 +1750,,T1021.004,SSH,[],[],,CM-6,mitigates,7 +1751,,T1021.005,VNC,[],[],,CM-6,mitigates,7 +1752,,T1021.006,Windows Remote Management,[],[],,CM-6,mitigates,7 +1753,,T1029,Scheduled Transfer,[],[],,CM-6,mitigates,7 +1754,,T1030,Data Transfer Size Limits,[],[],,CM-6,mitigates,7 +1755,,T1036,Masquerading,[],[],,CM-6,mitigates,7 +1756,,T1036.001,Invalid Code Signature,[],[],,CM-6,mitigates,7 +1757,,T1036.003,Rename System Utilities,[],[],,CM-6,mitigates,7 +1758,,T1036.005,Match Legitimate Name or Location,[],[],,CM-6,mitigates,7 +1759,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-6,mitigates,7 +1760,,T1037.002,Logon Script (Mac),[],[],,CM-6,mitigates,7 +1761,,T1037.003,Network Logon Script,[],[],,CM-6,mitigates,7 +1762,,T1037.004,Rc.common,[],[],,CM-6,mitigates,7 +1763,,T1037.005,Startup Items,[],[],,CM-6,mitigates,7 +1764,,T1046,Network Service Scanning,[],[],,CM-6,mitigates,7 +1765,,T1047,Windows Management Instrumentation,[],[],,CM-6,mitigates,7 +1766,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-6,mitigates,7 +1767,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,7 +1768,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,7 +1769,,T1048.003,Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-6,mitigates,7 +1770,,T1052,Exfiltration Over Physical Medium,[],[],,CM-6,mitigates,7 +1771,,T1052.001,Exfiltration over USB,[],[],,CM-6,mitigates,7 +1772,,T1053,Scheduled Task/Job,[],[],,CM-6,mitigates,7 +1773,,T1053.002,At (Windows),[],[],,CM-6,mitigates,7 +1774,,T1053.005,Scheduled Task,[],[],,CM-6,mitigates,7 +1775,,T1053.006,Systemd Timers,[],[],,CM-6,mitigates,7 +1776,,T1055,Process Injection,[],[],,CM-6,mitigates,7 +1777,,T1055.008,Ptrace System Calls,[],[],,CM-6,mitigates,7 +1778,,T1056.003,Web Portal Capture,[],[],,CM-6,mitigates,7 +1779,,T1059,Command and Scripting Interpreter,[],[],,CM-6,mitigates,7 +1780,,T1059.001,PowerShell,[],[],,CM-6,mitigates,7 +1781,,T1059.002,AppleScript,[],[],,CM-6,mitigates,7 +1782,,T1059.005,Visual Basic,[],[],,CM-6,mitigates,7 +1783,,T1059.007,JavaScript/JScript,[],[],,CM-6,mitigates,7 +1784,,T1059.008,Network Device CLI,[],[],,CM-6,mitigates,7 +1785,,T1068,Exploitation for Privilege Escalation,[],[],,CM-6,mitigates,7 +1786,,T1070,Indicator Removal on Host,[],[],,CM-6,mitigates,7 +1787,,T1070.001,Clear Windows Event Logs,[],[],,CM-6,mitigates,7 +1788,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-6,mitigates,7 +1789,,T1070.003,Clear Command History,[],[],,CM-6,mitigates,7 +1790,,T1071,Application Layer Protocol,[],[],,CM-6,mitigates,7 +1791,,T1071.001,Web Protocols,[],[],,CM-6,mitigates,7 +1792,,T1071.002,File Transfer Protocols,[],[],,CM-6,mitigates,7 +1793,,T1071.003,Mail Protocols,[],[],,CM-6,mitigates,7 +1794,,T1071.004,DNS,[],[],,CM-6,mitigates,7 +1795,,T1072,Software Deployment Tools,[],[],,CM-6,mitigates,7 +1796,,T1078,Valid Accounts,[],[],,CM-6,mitigates,7 +1797,,T1078.002,Domain Accounts,[],[],,CM-6,mitigates,7 +1798,,T1078.003,Local Accounts,[],[],,CM-6,mitigates,7 +1799,,T1078.004,Cloud Accounts,[],[],,CM-6,mitigates,7 +1800,,T1087,Account Discovery,[],[],,CM-6,mitigates,7 +1801,,T1087.001,Local Account,[],[],,CM-6,mitigates,7 +1802,,T1087.002,Domain 
Account,[],[],,CM-6,mitigates,7 +1803,,T1090,Proxy,[],[],,CM-6,mitigates,7 +1804,,T1090.001,Internal Proxy,[],[],,CM-6,mitigates,7 +1805,,T1090.002,External Proxy,[],[],,CM-6,mitigates,7 +1806,,T1090.003,Multi-hop Proxy,[],[],,CM-6,mitigates,7 +1807,,T1091,Replication Through Removable Media,[],[],,CM-6,mitigates,7 +1808,,T1092,Communication Through Removable Media,[],[],,CM-6,mitigates,7 +1809,,T1095,Non-Application Layer Protocol,[],[],,CM-6,mitigates,7 +1810,,T1098,Account Manipulation,[],[],,CM-6,mitigates,7 +1811,,T1098.001,Additional Cloud Credentials,[],[],,CM-6,mitigates,7 +1812,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-6,mitigates,7 +1813,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-6,mitigates,7 +1814,,T1098.004,SSH Authorized Keys,[],[],,CM-6,mitigates,7 +1815,,T1102,Web Service,[],[],,CM-6,mitigates,7 +1816,,T1102.001,Dead Drop Resolver,[],[],,CM-6,mitigates,7 +1817,,T1102.002,Bidirectional Communication,[],[],,CM-6,mitigates,7 +1818,,T1102.003,One-Way Communication,[],[],,CM-6,mitigates,7 +1819,,T1104,Multi-Stage Channels,[],[],,CM-6,mitigates,7 +1820,,T1105,Ingress Tool Transfer,[],[],,CM-6,mitigates,7 +1821,,T1110,Brute Force,[],[],,CM-6,mitigates,7 +1822,,T1110.001,Password Guessing,[],[],,CM-6,mitigates,7 +1823,,T1110.002,Password Cracking,[],[],,CM-6,mitigates,7 +1824,,T1110.003,Password Spraying,[],[],,CM-6,mitigates,7 +1825,,T1110.004,Credential Stuffing,[],[],,CM-6,mitigates,7 +1826,,T1111,Two-Factor Authentication Interception,[],[],,CM-6,mitigates,7 +1827,,T1114,Email Collection,[],[],,CM-6,mitigates,7 +1828,,T1114.002,Remote Email Collection,[],[],,CM-6,mitigates,7 +1829,,T1119,Automated Collection,[],[],,CM-6,mitigates,7 +1830,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-6,mitigates,7 +1831,,T1127.001,MSBuild,[],[],,CM-6,mitigates,7 +1832,,T1132,Data Encoding,[],[],,CM-6,mitigates,7 +1833,,T1132.001,Standard Encoding,[],[],,CM-6,mitigates,7 +1834,,T1132.002,Non-Standard 
Encoding,[],[],,CM-6,mitigates,7 +1835,,T1133,External Remote Services,[],[],,CM-6,mitigates,7 +1836,,T1134,Access Token Manipulation,[],[],,CM-6,mitigates,7 +1837,,T1134.001,Token Impersonation/Theft,[],[],,CM-6,mitigates,7 +1838,,T1134.002,Create Process with Token,[],[],,CM-6,mitigates,7 +1839,,T1134.003,Make and Impersonate Token,[],[],,CM-6,mitigates,7 +1840,,T1134.005,SID-History Injection,[],[],,CM-6,mitigates,7 +1841,,T1135,Network Share Discovery,[],[],,CM-6,mitigates,7 +1842,,T1136,Create Account,[],[],,CM-6,mitigates,7 +1843,,T1136.001,Local Account,[],[],,CM-6,mitigates,7 +1844,,T1136.002,Domain Account,[],[],,CM-6,mitigates,7 +1845,,T1136.003,Cloud Account,[],[],,CM-6,mitigates,7 +1846,,T1137,Office Application Startup,[],[],,CM-6,mitigates,7 +1847,,T1137.001,Office Template Macros,[],[],,CM-6,mitigates,7 +1848,,T1176,Browser Extensions,[],[],,CM-6,mitigates,7 +1849,,T1187,Forced Authentication,[],[],,CM-6,mitigates,7 +1850,,T1189,Drive-by Compromise,[],[],,CM-6,mitigates,7 +1851,,T1190,Exploit Public-Facing Application,[],[],,CM-6,mitigates,7 +1852,,T1197,BITS Jobs,[],[],,CM-6,mitigates,7 +1853,,T1199,Trusted Relationship,[],[],,CM-6,mitigates,7 +1854,,T1201,Password Policy Discovery,[],[],,CM-6,mitigates,7 +1855,,T1204,User Execution,[],[],,CM-6,mitigates,7 +1856,,T1204.001,Malicious Link,[],[],,CM-6,mitigates,7 +1857,,T1204.002,Malicious File,[],[],,CM-6,mitigates,7 +1858,,T1205,Traffic Signaling,[],[],,CM-6,mitigates,7 +1859,,T1205.001,Port Knocking,[],[],,CM-6,mitigates,7 +1860,,T1210,Exploitation of Remote Services,[],[],,CM-6,mitigates,7 +1861,,T1211,Exploitation for Defense Evasion,[],[],,CM-6,mitigates,7 +1862,,T1212,Exploitation for Credential Access,[],[],,CM-6,mitigates,7 +1863,,T1213,Data from Information Repositories,[],[],,CM-6,mitigates,7 +1864,,T1213.001,Confluence,[],[],,CM-6,mitigates,7 +1865,,T1213.002,Sharepoint,[],[],,CM-6,mitigates,7 +1866,,T1216,Signed Script Proxy Execution,[],[],,CM-6,mitigates,7 
+1867,,T1216.001,PubPrn,[],[],,CM-6,mitigates,7 +1868,,T1218,Signed Binary Proxy Execution,[],[],,CM-6,mitigates,7 +1869,,T1218.001,Compiled HTML File,[],[],,CM-6,mitigates,7 +1870,,T1218.002,Control Panel,[],[],,CM-6,mitigates,7 +1871,,T1218.003,CMSTP,[],[],,CM-6,mitigates,7 +1872,,T1218.004,InstallUtil,[],[],,CM-6,mitigates,7 +1873,,T1218.005,Mshta,[],[],,CM-6,mitigates,7 +1874,,T1218.007,Msiexec,[],[],,CM-6,mitigates,7 +1875,,T1218.008,Odbcconf,[],[],,CM-6,mitigates,7 +1876,,T1218.009,Regsvcs/Regasm,[],[],,CM-6,mitigates,7 +1877,,T1218.012,Verclsid,[],[],,CM-6,mitigates,7 +1878,,T1219,Remote Access Software,[],[],,CM-6,mitigates,7 +1879,,T1220,XSL Script Processing,[],[],,CM-6,mitigates,7 +1880,,T1221,Template Injection,[],[],,CM-6,mitigates,7 +1881,,T1222,File and Directory Permissions Modification,[],[],,CM-6,mitigates,7 +1882,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-6,mitigates,7 +1883,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-6,mitigates,7 +1884,,T1482,Domain Trust Discovery,[],[],,CM-6,mitigates,7 +1885,,T1484,Domain Policy Modification,[],[],,CM-6,mitigates,7 +1886,,T1489,Service Stop,[],[],,CM-6,mitigates,7 +1887,,T1490,Inhibit System Recovery,[],[],,CM-6,mitigates,7 +1888,,T1495,Firmware Corruption,[],[],,CM-6,mitigates,7 +1889,,T1498,Network Denial of Service,[],[],,CM-6,mitigates,7 +1890,,T1498.001,Direct Network Flood,[],[],,CM-6,mitigates,7 +1891,,T1498.002,Reflection Amplification,[],[],,CM-6,mitigates,7 +1892,,T1499,Endpoint Denial of Service,[],[],,CM-6,mitigates,7 +1893,,T1499.001,OS Exhaustion Flood,[],[],,CM-6,mitigates,7 +1894,,T1499.002,Service Exhaustion Flood,[],[],,CM-6,mitigates,7 +1895,,T1499.003,Application Exhaustion Flood,[],[],,CM-6,mitigates,7 +1896,,T1499.004,Application or System Exploitation,[],[],,CM-6,mitigates,7 +1897,,T1505,Server Software Component,[],[],,CM-6,mitigates,7 +1898,,T1505.001,SQL Stored Procedures,[],[],,CM-6,mitigates,7 
+1899,,T1505.002,Transport Agent,[],[],,CM-6,mitigates,7 +1900,,T1525,Implant Container Image,[],[],,CM-6,mitigates,7 +1901,,T1528,Steal Application Access Token,[],[],,CM-6,mitigates,7 +1902,,T1530,Data from Cloud Storage Object,[],[],,CM-6,mitigates,7 +1903,,T1537,Transfer Data to Cloud Account,[],[],,CM-6,mitigates,7 +1904,,T1539,Steal Web Session Cookie,[],[],,CM-6,mitigates,7 +1905,,T1542,Pre-OS Boot,[],[],,CM-6,mitigates,7 +1906,,T1542.001,System Firmware,[],[],,CM-6,mitigates,7 +1907,,T1542.003,Bootkit,[],[],,CM-6,mitigates,7 +1908,,T1542.004,ROMMONkit,[],[],,CM-6,mitigates,7 +1909,,T1542.005,TFTP Boot,[],[],,CM-6,mitigates,7 +1910,,T1543,Create or Modify System Process,[],[],,CM-6,mitigates,7 +1911,,T1543.002,Systemd Service,[],[],,CM-6,mitigates,7 +1912,,T1543.003,Windows Service,[],[],,CM-6,mitigates,7 +1913,,T1546,Event Triggered Execution,[],[],,CM-6,mitigates,7 +1914,,T1546.002,Screensaver,[],[],,CM-6,mitigates,7 +1915,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-6,mitigates,7 +1916,,T1546.004,.bash_profile and .bashrc,[],[],,CM-6,mitigates,7 +1917,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-6,mitigates,7 +1918,,T1546.008,Accessibility Features,[],[],,CM-6,mitigates,7 +1919,,T1546.013,PowerShell Profile,[],[],,CM-6,mitigates,7 +1920,,T1546.014,Emond,[],[],,CM-6,mitigates,7 +1921,,T1547.002,Authentication Package,[],[],,CM-6,mitigates,7 +1922,,T1547.003,Time Providers,[],[],,CM-6,mitigates,7 +1923,,T1547.005,Security Support Provider,[],[],,CM-6,mitigates,7 +1924,,T1547.006,Kernel Modules and Extensions,[],[],,CM-6,mitigates,7 +1925,,T1547.007,Re-opened Applications,[],[],,CM-6,mitigates,7 +1926,,T1547.008,LSASS Driver,[],[],,CM-6,mitigates,7 +1927,,T1547.011,Plist Modification,[],[],,CM-6,mitigates,7 +1928,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-6,mitigates,7 +1929,,T1548.001,Setuid and Setgid,[],[],,CM-6,mitigates,7 +1930,,T1548.002,Bypass User Account Control,[],[],,CM-6,mitigates,7 +1931,,T1548.003,Sudo and 
Sudo Caching,[],[],,CM-6,mitigates,7 +1932,,T1548.004,Elevated Execution with Prompt,[],[],,CM-6,mitigates,7 +1933,,T1550,Use Alternate Authentication Material,[],[],,CM-6,mitigates,7 +1934,,T1550.001,Application Access Token,[],[],,CM-6,mitigates,7 +1935,,T1550.002,Pass the Hash,[],[],,CM-6,mitigates,7 +1936,,T1550.003,Pass the Ticket,[],[],,CM-6,mitigates,7 +1937,,T1552,Unsecured Credentials,[],[],,CM-6,mitigates,7 +1938,,T1552.001,Credentials In Files,[],[],,CM-6,mitigates,7 +1939,,T1552.002,Credentials in Registry,[],[],,CM-6,mitigates,7 +1940,,T1552.003,Bash History,[],[],,CM-6,mitigates,7 +1941,,T1552.004,Private Keys,[],[],,CM-6,mitigates,7 +1942,,T1552.005,Cloud Instance Metadata API,[],[],,CM-6,mitigates,7 +1943,,T1552.006,Group Policy Preferences,[],[],,CM-6,mitigates,7 +1944,,T1553,Subvert Trust Controls,[],[],,CM-6,mitigates,7 +1945,,T1553.001,Gatekeeper Bypass,[],[],,CM-6,mitigates,7 +1946,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-6,mitigates,7 +1947,,T1553.004,Install Root Certificate,[],[],,CM-6,mitigates,7 +1948,,T1554,Compromise Client Software Binary,[],[],,CM-6,mitigates,7 +1949,,T1556,Modify Authentication Process,[],[],,CM-6,mitigates,7 +1950,,T1556.001,Domain Controller Authentication,[],[],,CM-6,mitigates,7 +1951,,T1556.002,Password Filter DLL,[],[],,CM-6,mitigates,7 +1952,,T1556.003,Pluggable Authentication Modules,[],[],,CM-6,mitigates,7 +1953,,T1556.004,Network Device Authentication,[],[],,CM-6,mitigates,7 +1954,,T1557,Man-in-the-Middle,[],[],,CM-6,mitigates,7 +1955,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-6,mitigates,7 +1956,,T1557.002,ARP Cache Poisoning,[],[],,CM-6,mitigates,7 +1957,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-6,mitigates,7 +1958,,T1558.001,Golden Ticket,[],[],,CM-6,mitigates,7 +1959,,T1558.002,Silver Ticket,[],[],,CM-6,mitigates,7 +1960,,T1558.003,Kerberoasting,[],[],,CM-6,mitigates,7 +1961,,T1558.004,AS-REP Roasting,[],[],,CM-6,mitigates,7 +1962,,T1559,Inter-Process 
Communication,[],[],,CM-6,mitigates,7 +1963,,T1559.001,Component Object Model,[],[],,CM-6,mitigates,7 +1964,,T1559.002,Dynamic Data Exchange,[],[],,CM-6,mitigates,7 +1965,,T1562,Impair Defenses,[],[],,CM-6,mitigates,7 +1966,,T1562.001,Disable or Modify Tools,[],[],,CM-6,mitigates,7 +1967,,T1562.002,Disable Windows Event Logging,[],[],,CM-6,mitigates,7 +1968,,T1562.003,Impair Command History Logging,[],[],,CM-6,mitigates,7 +1969,,T1562.004,Disable or Modify System Firewall,[],[],,CM-6,mitigates,7 +1970,,T1562.006,Indicator Blocking,[],[],,CM-6,mitigates,7 +1971,,T1563,Remote Service Session Hijacking,[],[],,CM-6,mitigates,7 +1972,,T1563.001,SSH Hijacking,[],[],,CM-6,mitigates,7 +1973,,T1563.002,RDP Hijacking,[],[],,CM-6,mitigates,7 +1974,,T1564.002,Hidden Users,[],[],,CM-6,mitigates,7 +1975,,T1564.006,Run Virtual Instance,[],[],,CM-6,mitigates,7 +1976,,T1564.007,VBA Stomping,[],[],,CM-6,mitigates,7 +1977,,T1565,Data Manipulation,[],[],,CM-6,mitigates,7 +1978,,T1565.001,Stored Data Manipulation,[],[],,CM-6,mitigates,7 +1979,,T1565.002,Transmitted Data Manipulation,[],[],,CM-6,mitigates,7 +1980,,T1565.003,Runtime Data Manipulation,[],[],,CM-6,mitigates,7 +1981,,T1569,System Services,[],[],,CM-6,mitigates,7 +1982,,T1569.002,Service Execution,[],[],,CM-6,mitigates,7 +1983,,T1570,Lateral Tool Transfer,[],[],,CM-6,mitigates,7 +1984,,T1571,Non-Standard Port,[],[],,CM-6,mitigates,7 +1985,,T1572,Protocol Tunneling,[],[],,CM-6,mitigates,7 +1986,,T1573,Encrypted Channel,[],[],,CM-6,mitigates,7 +1987,,T1573.001,Symmetric Cryptography,[],[],,CM-6,mitigates,7 +1988,,T1573.002,Asymmetric Cryptography,[],[],,CM-6,mitigates,7 +1989,,T1574,Hijack Execution Flow,[],[],,CM-6,mitigates,7 +1990,,T1574.001,DLL Search Order Hijacking,[],[],,CM-6,mitigates,7 +1991,,T1574.002,DLL Side-Loading,[],[],,CM-6,mitigates,7 +1992,,T1574.004,Dylib Hijacking,[],[],,CM-6,mitigates,7 +1993,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-6,mitigates,7 +1994,,T1574.007,Path 
Interception by PATH Environment Variable,[],[],,CM-6,mitigates,7 +1995,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-6,mitigates,7 +1996,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-6,mitigates,7 +1997,,T1574.010,Services File Permissions Weakness,[],[],,CM-6,mitigates,7 +1998,,T1599,Network Boundary Bridging,[],[],,CM-6,mitigates,7 +1999,,T1599.001,Network Address Translation Traversal,[],[],,CM-6,mitigates,7 +2000,,T1601,Modify System Image,[],[],,CM-6,mitigates,7 +2001,,T1601.001,Patch System Image,[],[],,CM-6,mitigates,7 +2002,,T1601.002,Downgrade System Image,[],[],,CM-6,mitigates,7 +2003,,T1602,Data from Configuration Repository,[],[],,CM-6,mitigates,7 +2004,,T1602.001,SNMP (MIB Dump),[],[],,CM-6,mitigates,7 +2005,,T1602.002,Network Device Configuration Dump,[],[],,CM-6,mitigates,7 +2006,,T1003,OS Credential Dumping,[],[],,CM-7,mitigates,7 +2007,,T1003.001,LSASS Memory,[],[],,CM-7,mitigates,7 +2008,,T1003.002,Security Account Manager,[],[],,CM-7,mitigates,7 +2009,,T1003.005,Cached Domain Credentials,[],[],,CM-7,mitigates,7 +2010,,T1008,Fallback Channels,[],[],,CM-7,mitigates,7 +2011,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-7,mitigates,7 +2012,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-7,mitigates,7 +2013,,T1021.001,Remote Desktop Protocol,[],[],,CM-7,mitigates,7 +2014,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-7,mitigates,7 +2015,,T1021.003,Distributed Component Object Model,[],[],,CM-7,mitigates,7 +2016,,T1021.005,VNC,[],[],,CM-7,mitigates,7 +2017,,T1021.006,Windows Remote Management,[],[],,CM-7,mitigates,7 +2018,,T1036,Masquerading,[],[],,CM-7,mitigates,7 +2019,,T1036.005,Match Legitimate Name or Location,[],[],,CM-7,mitigates,7 +2020,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-7,mitigates,7 +2021,,T1037.001,Logon Script (Windows),[],[],,CM-7,mitigates,7 +2022,,T1046,Network Service Scanning,[],[],,CM-7,mitigates,7 +2023,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-7,mitigates,7 
+2024,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,7 +2025,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,7 +2026,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-7,mitigates,7 +2027,,T1053,Scheduled Task/Job,[],[],,CM-7,mitigates,7 +2028,,T1053.002,At (Windows),[],[],,CM-7,mitigates,7 +2029,,T1053.005,Scheduled Task,[],[],,CM-7,mitigates,7 +2030,,T1059,Command and Scripting Interpreter,[],[],,CM-7,mitigates,7 +2031,,T1059.002,AppleScript,[],[],,CM-7,mitigates,7 +2032,,T1059.003,Windows Command Shell,[],[],,CM-7,mitigates,7 +2033,,T1059.004,Unix Shell,[],[],,CM-7,mitigates,7 +2034,,T1059.005,Visual Basic,[],[],,CM-7,mitigates,7 +2035,,T1059.006,Python,[],[],,CM-7,mitigates,7 +2036,,T1059.007,JavaScript/JScript,[],[],,CM-7,mitigates,7 +2037,,T1071,Application Layer Protocol,[],[],,CM-7,mitigates,7 +2038,,T1071.001,Web Protocols,[],[],,CM-7,mitigates,7 +2039,,T1071.002,File Transfer Protocols,[],[],,CM-7,mitigates,7 +2040,,T1071.003,Mail Protocols,[],[],,CM-7,mitigates,7 +2041,,T1071.004,DNS,[],[],,CM-7,mitigates,7 +2042,,T1072,Software Deployment Tools,[],[],,CM-7,mitigates,7 +2043,,T1080,Taint Shared Content,[],[],,CM-7,mitigates,7 +2044,,T1087,Account Discovery,[],[],,CM-7,mitigates,7 +2045,,T1087.001,Local Account,[],[],,CM-7,mitigates,7 +2046,,T1087.002,Domain Account,[],[],,CM-7,mitigates,7 +2047,,T1090,Proxy,[],[],,CM-7,mitigates,7 +2048,,T1090.001,Internal Proxy,[],[],,CM-7,mitigates,7 +2049,,T1090.002,External Proxy,[],[],,CM-7,mitigates,7 +2050,,T1090.003,Multi-hop Proxy,[],[],,CM-7,mitigates,7 +2051,,T1092,Communication Through Removable Media,[],[],,CM-7,mitigates,7 +2052,,T1095,Non-Application Layer Protocol,[],[],,CM-7,mitigates,7 +2053,,T1098,Account Manipulation,[],[],,CM-7,mitigates,7 +2054,,T1098.001,Additional Cloud Credentials,[],[],,CM-7,mitigates,7 +2055,,T1098.004,SSH Authorized Keys,[],[],,CM-7,mitigates,7 +2056,,T1102,Web 
Service,[],[],,CM-7,mitigates,7 +2057,,T1102.001,Dead Drop Resolver,[],[],,CM-7,mitigates,7 +2058,,T1102.002,Bidirectional Communication,[],[],,CM-7,mitigates,7 +2059,,T1102.003,One-Way Communication,[],[],,CM-7,mitigates,7 +2060,,T1104,Multi-Stage Channels,[],[],,CM-7,mitigates,7 +2061,,T1105,Ingress Tool Transfer,[],[],,CM-7,mitigates,7 +2062,,T1106,Native API,[],[],,CM-7,mitigates,7 +2063,,T1112,Modify Registry,[],[],,CM-7,mitigates,7 +2064,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-7,mitigates,7 +2065,,T1129,Shared Modules,[],[],,CM-7,mitigates,7 +2066,,T1133,External Remote Services,[],[],,CM-7,mitigates,7 +2067,,T1135,Network Share Discovery,[],[],,CM-7,mitigates,7 +2068,,T1136,Create Account,[],[],,CM-7,mitigates,7 +2069,,T1136.002,Domain Account,[],[],,CM-7,mitigates,7 +2070,,T1136.003,Cloud Account,[],[],,CM-7,mitigates,7 +2071,,T1176,Browser Extensions,[],[],,CM-7,mitigates,7 +2072,,T1187,Forced Authentication,[],[],,CM-7,mitigates,7 +2073,,T1190,Exploit Public-Facing Application,[],[],,CM-7,mitigates,7 +2074,,T1195,Supply Chain Compromise,[],[],,CM-7,mitigates,7 +2075,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-7,mitigates,7 +2076,,T1195.002,Compromise Software Supply Chain,[],[],,CM-7,mitigates,7 +2077,,T1197,BITS Jobs,[],[],,CM-7,mitigates,7 +2078,,T1199,Trusted Relationship,[],[],,CM-7,mitigates,7 +2079,,T1204,User Execution,[],[],,CM-7,mitigates,7 +2080,,T1204.001,Malicious Link,[],[],,CM-7,mitigates,7 +2081,,T1204.002,Malicious File,[],[],,CM-7,mitigates,7 +2082,,T1205,Traffic Signaling,[],[],,CM-7,mitigates,7 +2083,,T1205.001,Port Knocking,[],[],,CM-7,mitigates,7 +2084,,T1210,Exploitation of Remote Services,[],[],,CM-7,mitigates,7 +2085,,T1213,Data from Information Repositories,[],[],,CM-7,mitigates,7 +2086,,T1213.001,Confluence,[],[],,CM-7,mitigates,7 +2087,,T1213.002,Sharepoint,[],[],,CM-7,mitigates,7 +2088,,T1216,Signed Script Proxy Execution,[],[],,CM-7,mitigates,7 
+2089,,T1216.001,PubPrn,[],[],,CM-7,mitigates,7 +2090,,T1218,Signed Binary Proxy Execution,[],[],,CM-7,mitigates,7 +2091,,T1218.001,Compiled HTML File,[],[],,CM-7,mitigates,7 +2092,,T1218.002,Control Panel,[],[],,CM-7,mitigates,7 +2093,,T1218.003,CMSTP,[],[],,CM-7,mitigates,7 +2094,,T1218.004,InstallUtil,[],[],,CM-7,mitigates,7 +2095,,T1218.005,Mshta,[],[],,CM-7,mitigates,7 +2096,,T1218.008,Odbcconf,[],[],,CM-7,mitigates,7 +2097,,T1218.009,Regsvcs/Regasm,[],[],,CM-7,mitigates,7 +2098,,T1218.012,Verclsid,[],[],,CM-7,mitigates,7 +2099,,T1219,Remote Access Software,[],[],,CM-7,mitigates,7 +2100,,T1220,XSL Script Processing,[],[],,CM-7,mitigates,7 +2101,,T1221,Template Injection,[],[],,CM-7,mitigates,7 +2102,,T1482,Domain Trust Discovery,[],[],,CM-7,mitigates,7 +2103,,T1484,Domain Policy Modification,[],[],,CM-7,mitigates,7 +2104,,T1489,Service Stop,[],[],,CM-7,mitigates,7 +2105,,T1490,Inhibit System Recovery,[],[],,CM-7,mitigates,7 +2106,,T1498,Network Denial of Service,[],[],,CM-7,mitigates,7 +2107,,T1498.001,Direct Network Flood,[],[],,CM-7,mitigates,7 +2108,,T1498.002,Reflection Amplification,[],[],,CM-7,mitigates,7 +2109,,T1499,Endpoint Denial of Service,[],[],,CM-7,mitigates,7 +2110,,T1499.001,OS Exhaustion Flood,[],[],,CM-7,mitigates,7 +2111,,T1499.002,Service Exhaustion Flood,[],[],,CM-7,mitigates,7 +2112,,T1499.003,Application Exhaustion Flood,[],[],,CM-7,mitigates,7 +2113,,T1499.004,Application or System Exploitation,[],[],,CM-7,mitigates,7 +2114,,T1525,Implant Container Image,[],[],,CM-7,mitigates,7 +2115,,T1530,Data from Cloud Storage Object,[],[],,CM-7,mitigates,7 +2116,,T1537,Transfer Data to Cloud Account,[],[],,CM-7,mitigates,7 +2117,,T1542.004,ROMMONkit,[],[],,CM-7,mitigates,7 +2118,,T1542.005,TFTP Boot,[],[],,CM-7,mitigates,7 +2119,,T1543,Create or Modify System Process,[],[],,CM-7,mitigates,7 +2120,,T1543.003,Windows Service,[],[],,CM-7,mitigates,7 +2121,,T1546.002,Screensaver,[],[],,CM-7,mitigates,7 +2122,,T1546.006,LC_LOAD_DYLIB 
Addition,[],[],,CM-7,mitigates,7 +2123,,T1546.008,Accessibility Features,[],[],,CM-7,mitigates,7 +2124,,T1546.009,AppCert DLLs,[],[],,CM-7,mitigates,7 +2125,,T1546.010,AppInit DLLs,[],[],,CM-7,mitigates,7 +2126,,T1547.004,Winlogon Helper DLL,[],[],,CM-7,mitigates,7 +2127,,T1547.006,Kernel Modules and Extensions,[],[],,CM-7,mitigates,7 +2128,,T1547.007,Re-opened Applications,[],[],,CM-7,mitigates,7 +2129,,T1547.011,Plist Modification,[],[],,CM-7,mitigates,7 +2130,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-7,mitigates,7 +2131,,T1548.001,Setuid and Setgid,[],[],,CM-7,mitigates,7 +2132,,T1548.003,Sudo and Sudo Caching,[],[],,CM-7,mitigates,7 +2133,,T1548.004,Elevated Execution with Prompt,[],[],,CM-7,mitigates,7 +2134,,T1552,Unsecured Credentials,[],[],,CM-7,mitigates,7 +2135,,T1552.003,Bash History,[],[],,CM-7,mitigates,7 +2136,,T1552.005,Cloud Instance Metadata API,[],[],,CM-7,mitigates,7 +2137,,T1553,Subvert Trust Controls,[],[],,CM-7,mitigates,7 +2138,,T1553.001,Gatekeeper Bypass,[],[],,CM-7,mitigates,7 +2139,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-7,mitigates,7 +2140,,T1553.004,Install Root Certificate,[],[],,CM-7,mitigates,7 +2141,,T1556,Modify Authentication Process,[],[],,CM-7,mitigates,7 +2142,,T1556.002,Password Filter DLL,[],[],,CM-7,mitigates,7 +2143,,T1557,Man-in-the-Middle,[],[],,CM-7,mitigates,7 +2144,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-7,mitigates,7 +2145,,T1557.002,ARP Cache Poisoning,[],[],,CM-7,mitigates,7 +2146,,T1559,Inter-Process Communication,[],[],,CM-7,mitigates,7 +2147,,T1559.002,Dynamic Data Exchange,[],[],,CM-7,mitigates,7 +2148,,T1562,Impair Defenses,[],[],,CM-7,mitigates,7 +2149,,T1562.001,Disable or Modify Tools,[],[],,CM-7,mitigates,7 +2150,,T1562.002,Disable Windows Event Logging,[],[],,CM-7,mitigates,7 +2151,,T1562.003,Impair Command History Logging,[],[],,CM-7,mitigates,7 +2152,,T1562.004,Disable or Modify System Firewall,[],[],,CM-7,mitigates,7 +2153,,T1563,Remote Service Session 
Hijacking,[],[],,CM-7,mitigates,7 +2154,,T1563.001,SSH Hijacking,[],[],,CM-7,mitigates,7 +2155,,T1563.002,RDP Hijacking,[],[],,CM-7,mitigates,7 +2156,,T1564.002,Hidden Users,[],[],,CM-7,mitigates,7 +2157,,T1564.003,Hidden Window,[],[],,CM-7,mitigates,7 +2158,,T1564.006,Run Virtual Instance,[],[],,CM-7,mitigates,7 +2159,,T1565,Data Manipulation,[],[],,CM-7,mitigates,7 +2160,,T1565.003,Runtime Data Manipulation,[],[],,CM-7,mitigates,7 +2161,,T1569,System Services,[],[],,CM-7,mitigates,7 +2162,,T1569.002,Service Execution,[],[],,CM-7,mitigates,7 +2163,,T1570,Lateral Tool Transfer,[],[],,CM-7,mitigates,7 +2164,,T1571,Non-Standard Port,[],[],,CM-7,mitigates,7 +2165,,T1572,Protocol Tunneling,[],[],,CM-7,mitigates,7 +2166,,T1573,Encrypted Channel,[],[],,CM-7,mitigates,7 +2167,,T1573.001,Symmetric Cryptography,[],[],,CM-7,mitigates,7 +2168,,T1573.002,Asymmetric Cryptography,[],[],,CM-7,mitigates,7 +2169,,T1574,Hijack Execution Flow,[],[],,CM-7,mitigates,7 +2170,,T1574.001,DLL Search Order Hijacking,[],[],,CM-7,mitigates,7 +2171,,T1574.006,LD_PRELOAD,[],[],,CM-7,mitigates,7 +2172,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-7,mitigates,7 +2173,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-7,mitigates,7 +2174,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-7,mitigates,7 +2175,,T1574.012,COR_PROFILER,[],[],,CM-7,mitigates,7 +2176,,T1599,Network Boundary Bridging,[],[],,CM-7,mitigates,7 +2177,,T1599.001,Network Address Translation Traversal,[],[],,CM-7,mitigates,7 +2178,,T1601,Modify System Image,[],[],,CM-7,mitigates,7 +2179,,T1601.001,Patch System Image,[],[],,CM-7,mitigates,7 +2180,,T1601.002,Downgrade System Image,[],[],,CM-7,mitigates,7 +2181,,T1602,Data from Configuration Repository,[],[],,CM-7,mitigates,7 +2182,,T1602.001,SNMP (MIB Dump),[],[],,CM-7,mitigates,7 +2183,,T1602.002,Network Device Configuration Dump,[],[],,CM-7,mitigates,7 +2184,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-8,mitigates,7 
+2185,,T1020.001,Traffic Duplication,[],[],,CM-8,mitigates,7 +2186,,T1021.001,Remote Desktop Protocol,[],[],,CM-8,mitigates,7 +2187,,T1021.003,Distributed Component Object Model,[],[],,CM-8,mitigates,7 +2188,,T1021.004,SSH,[],[],,CM-8,mitigates,7 +2189,,T1021.005,VNC,[],[],,CM-8,mitigates,7 +2190,,T1021.006,Windows Remote Management,[],[],,CM-8,mitigates,7 +2191,,T1046,Network Service Scanning,[],[],,CM-8,mitigates,7 +2192,,T1052,Exfiltration Over Physical Medium,[],[],,CM-8,mitigates,7 +2193,,T1052.001,Exfiltration over USB,[],[],,CM-8,mitigates,7 +2194,,T1053,Scheduled Task/Job,[],[],,CM-8,mitigates,7 +2195,,T1053.002,At (Windows),[],[],,CM-8,mitigates,7 +2196,,T1053.005,Scheduled Task,[],[],,CM-8,mitigates,7 +2197,,T1059,Command and Scripting Interpreter,[],[],,CM-8,mitigates,7 +2198,,T1059.001,PowerShell,[],[],,CM-8,mitigates,7 +2199,,T1059.005,Visual Basic,[],[],,CM-8,mitigates,7 +2200,,T1059.007,JavaScript/JScript,[],[],,CM-8,mitigates,7 +2201,,T1068,Exploitation for Privilege Escalation,[],[],,CM-8,mitigates,7 +2202,,T1072,Software Deployment Tools,[],[],,CM-8,mitigates,7 +2203,,T1091,Replication Through Removable Media,[],[],,CM-8,mitigates,7 +2204,,T1092,Communication Through Removable Media,[],[],,CM-8,mitigates,7 +2205,,T1098.004,SSH Authorized Keys,[],[],,CM-8,mitigates,7 +2206,,T1119,Automated Collection,[],[],,CM-8,mitigates,7 +2207,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-8,mitigates,7 +2208,,T1127.001,MSBuild,[],[],,CM-8,mitigates,7 +2209,,T1133,External Remote Services,[],[],,CM-8,mitigates,7 +2210,,T1137,Office Application Startup,[],[],,CM-8,mitigates,7 +2211,,T1137.001,Office Template Macros,[],[],,CM-8,mitigates,7 +2212,,T1189,Drive-by Compromise,[],[],,CM-8,mitigates,7 +2213,,T1190,Exploit Public-Facing Application,[],[],,CM-8,mitigates,7 +2214,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-8,mitigates,7 +2215,,T1203,Exploitation for Client Execution,[],[],,CM-8,mitigates,7 +2216,,T1204,User 
Execution,[],[],,CM-8,mitigates,7 +2217,,T1204.001,Malicious Link,[],[],,CM-8,mitigates,7 +2218,,T1204.002,Malicious File,[],[],,CM-8,mitigates,7 +2219,,T1210,Exploitation of Remote Services,[],[],,CM-8,mitigates,7 +2220,,T1211,Exploitation for Defense Evasion,[],[],,CM-8,mitigates,7 +2221,,T1212,Exploitation for Credential Access,[],[],,CM-8,mitigates,7 +2222,,T1218,Signed Binary Proxy Execution,[],[],,CM-8,mitigates,7 +2223,,T1218.003,CMSTP,[],[],,CM-8,mitigates,7 +2224,,T1218.004,InstallUtil,[],[],,CM-8,mitigates,7 +2225,,T1218.005,Mshta,[],[],,CM-8,mitigates,7 +2226,,T1218.008,Odbcconf,[],[],,CM-8,mitigates,7 +2227,,T1218.009,Regsvcs/Regasm,[],[],,CM-8,mitigates,7 +2228,,T1218.012,Verclsid,[],[],,CM-8,mitigates,7 +2229,,T1221,Template Injection,[],[],,CM-8,mitigates,7 +2230,,T1495,Firmware Corruption,[],[],,CM-8,mitigates,7 +2231,,T1505,Server Software Component,[],[],,CM-8,mitigates,7 +2232,,T1505.001,SQL Stored Procedures,[],[],,CM-8,mitigates,7 +2233,,T1505.002,Transport Agent,[],[],,CM-8,mitigates,7 +2234,,T1530,Data from Cloud Storage Object,[],[],,CM-8,mitigates,7 +2235,,T1542,Pre-OS Boot,[],[],,CM-8,mitigates,7 +2236,,T1542.001,System Firmware,[],[],,CM-8,mitigates,7 +2237,,T1542.003,Bootkit,[],[],,CM-8,mitigates,7 +2238,,T1542.004,ROMMONkit,[],[],,CM-8,mitigates,7 +2239,,T1542.005,TFTP Boot,[],[],,CM-8,mitigates,7 +2240,,T1546.002,Screensaver,[],[],,CM-8,mitigates,7 +2241,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-8,mitigates,7 +2242,,T1546.014,Emond,[],[],,CM-8,mitigates,7 +2243,,T1547.007,Re-opened Applications,[],[],,CM-8,mitigates,7 +2244,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-8,mitigates,7 +2245,,T1548.004,Elevated Execution with Prompt,[],[],,CM-8,mitigates,7 +2246,,T1557,Man-in-the-Middle,[],[],,CM-8,mitigates,7 +2247,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-8,mitigates,7 +2248,,T1557.002,ARP Cache Poisoning,[],[],,CM-8,mitigates,7 +2249,,T1559,Inter-Process Communication,[],[],,CM-8,mitigates,7 
+2250,,T1559.002,Dynamic Data Exchange,[],[],,CM-8,mitigates,7 +2251,,T1563,Remote Service Session Hijacking,[],[],,CM-8,mitigates,7 +2252,,T1563.001,SSH Hijacking,[],[],,CM-8,mitigates,7 +2253,,T1563.002,RDP Hijacking,[],[],,CM-8,mitigates,7 +2254,,T1564.006,Run Virtual Instance,[],[],,CM-8,mitigates,7 +2255,,T1564.007,VBA Stomping,[],[],,CM-8,mitigates,7 +2256,,T1565,Data Manipulation,[],[],,CM-8,mitigates,7 +2257,,T1565.001,Stored Data Manipulation,[],[],,CM-8,mitigates,7 +2258,,T1565.002,Transmitted Data Manipulation,[],[],,CM-8,mitigates,7 +2259,,T1574,Hijack Execution Flow,[],[],,CM-8,mitigates,7 +2260,,T1574.002,DLL Side-Loading,[],[],,CM-8,mitigates,7 +2261,,T1574.004,Dylib Hijacking,[],[],,CM-8,mitigates,7 +2262,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-8,mitigates,7 +2263,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-8,mitigates,7 +2264,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-8,mitigates,7 +2265,,T1601,Modify System Image,[],[],,CM-8,mitigates,7 +2266,,T1601.001,Patch System Image,[],[],,CM-8,mitigates,7 +2267,,T1601.002,Downgrade System Image,[],[],,CM-8,mitigates,7 +2268,,T1602,Data from Configuration Repository,[],[],,CM-8,mitigates,7 +2269,,T1602.001,SNMP (MIB Dump),[],[],,CM-8,mitigates,7 +2270,,T1602.002,Network Device Configuration Dump,[],[],,CM-8,mitigates,7 +2271,,T1485,Data Destruction,[],[],,CP-10,mitigates,7 +2272,,T1486,Data Encrypted for Impact,[],[],,CP-10,mitigates,7 +2273,,T1490,Inhibit System Recovery,[],[],,CP-10,mitigates,7 +2274,,T1491,Defacement,[],[],,CP-10,mitigates,7 +2275,,T1491.001,Internal Defacement,[],[],,CP-10,mitigates,7 +2276,,T1491.002,External Defacement,[],[],,CP-10,mitigates,7 +2277,,T1561,Disk Wipe,[],[],,CP-10,mitigates,7 +2278,,T1561.001,Disk Content Wipe,[],[],,CP-10,mitigates,7 +2279,,T1561.002,Disk Structure Wipe,[],[],,CP-10,mitigates,7 +2280,,T1565,Data Manipulation,[],[],,CP-10,mitigates,7 +2281,,T1565.001,Stored Data 
Manipulation,[],[],,CP-10,mitigates,7 +2282,,T1485,Data Destruction,[],[],,CP-2,mitigates,7 +2283,,T1486,Data Encrypted for Impact,[],[],,CP-2,mitigates,7 +2284,,T1490,Inhibit System Recovery,[],[],,CP-2,mitigates,7 +2285,,T1491,Defacement,[],[],,CP-2,mitigates,7 +2286,,T1491.001,Internal Defacement,[],[],,CP-2,mitigates,7 +2287,,T1491.002,External Defacement,[],[],,CP-2,mitigates,7 +2288,,T1561,Disk Wipe,[],[],,CP-2,mitigates,7 +2289,,T1561.001,Disk Content Wipe,[],[],,CP-2,mitigates,7 +2290,,T1561.002,Disk Structure Wipe,[],[],,CP-2,mitigates,7 +2291,,T1070,Indicator Removal on Host,[],[],,CP-6,mitigates,7 +2292,,T1070.001,Clear Windows Event Logs,[],[],,CP-6,mitigates,7 +2293,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-6,mitigates,7 +2294,,T1119,Automated Collection,[],[],,CP-6,mitigates,7 +2295,,T1486,Data Encrypted for Impact,[],[],,CP-6,mitigates,7 +2296,,T1565,Data Manipulation,[],[],,CP-6,mitigates,7 +2297,,T1565.001,Stored Data Manipulation,[],[],,CP-6,mitigates,7 +2298,,T1070,Indicator Removal on Host,[],[],,CP-7,mitigates,7 +2299,,T1070.001,Clear Windows Event Logs,[],[],,CP-7,mitigates,7 +2300,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-7,mitigates,7 +2301,,T1119,Automated Collection,[],[],,CP-7,mitigates,7 +2302,,T1485,Data Destruction,[],[],,CP-7,mitigates,7 +2303,,T1486,Data Encrypted for Impact,[],[],,CP-7,mitigates,7 +2304,,T1490,Inhibit System Recovery,[],[],,CP-7,mitigates,7 +2305,,T1491,Defacement,[],[],,CP-7,mitigates,7 +2306,,T1491.001,Internal Defacement,[],[],,CP-7,mitigates,7 +2307,,T1491.002,External Defacement,[],[],,CP-7,mitigates,7 +2308,,T1561,Disk Wipe,[],[],,CP-7,mitigates,7 +2309,,T1561.001,Disk Content Wipe,[],[],,CP-7,mitigates,7 +2310,,T1561.002,Disk Structure Wipe,[],[],,CP-7,mitigates,7 +2311,,T1565,Data Manipulation,[],[],,CP-7,mitigates,7 +2312,,T1565.001,Stored Data Manipulation,[],[],,CP-7,mitigates,7 +2313,,T1003,OS Credential Dumping,[],[],,CP-9,mitigates,7 +2314,,T1003.003,NTDS,[],[],,CP-9,mitigates,7 
+2315,,T1070,Indicator Removal on Host,[],[],,CP-9,mitigates,7 +2316,,T1070.001,Clear Windows Event Logs,[],[],,CP-9,mitigates,7 +2317,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-9,mitigates,7 +2318,,T1119,Automated Collection,[],[],,CP-9,mitigates,7 +2319,,T1485,Data Destruction,[],[],,CP-9,mitigates,7 +2320,,T1486,Data Encrypted for Impact,[],[],,CP-9,mitigates,7 +2321,,T1490,Inhibit System Recovery,[],[],,CP-9,mitigates,7 +2322,,T1491,Defacement,[],[],,CP-9,mitigates,7 +2323,,T1491.001,Internal Defacement,[],[],,CP-9,mitigates,7 +2324,,T1491.002,External Defacement,[],[],,CP-9,mitigates,7 +2325,,T1561,Disk Wipe,[],[],,CP-9,mitigates,7 +2326,,T1561.001,Disk Content Wipe,[],[],,CP-9,mitigates,7 +2327,,T1561.002,Disk Structure Wipe,[],[],,CP-9,mitigates,7 +2328,,T1565,Data Manipulation,[],[],,CP-9,mitigates,7 +2329,,T1565.001,Stored Data Manipulation,[],[],,CP-9,mitigates,7 +2330,,T1565.003,Runtime Data Manipulation,[],[],,CP-9,mitigates,7 +2331,,T1110,Brute Force,[],[],,IA-11,mitigates,7 +2332,,T1110.001,Password Guessing,[],[],,IA-11,mitigates,7 +2333,,T1110.002,Password Cracking,[],[],,IA-11,mitigates,7 +2334,,T1110.003,Password Spraying,[],[],,IA-11,mitigates,7 +2335,,T1110.004,Credential Stuffing,[],[],,IA-11,mitigates,7 +2336,,T1078,Valid Accounts,[],[],,IA-12,mitigates,7 +2337,,T1078.002,Domain Accounts,[],[],,IA-12,mitigates,7 +2338,,T1078.003,Local Accounts,[],[],,IA-12,mitigates,7 +2339,,T1078.004,Cloud Accounts,[],[],,IA-12,mitigates,7 +2340,,T1003,OS Credential Dumping,[],[],,IA-2,mitigates,7 +2341,,T1003.001,LSASS Memory,[],[],,IA-2,mitigates,7 +2342,,T1003.002,Security Account Manager,[],[],,IA-2,mitigates,7 +2343,,T1003.003,NTDS,[],[],,IA-2,mitigates,7 +2344,,T1003.004,LSA Secrets,[],[],,IA-2,mitigates,7 +2345,,T1003.005,Cached Domain Credentials,[],[],,IA-2,mitigates,7 +2346,,T1003.006,DCSync,[],[],,IA-2,mitigates,7 +2347,,T1003.007,Proc Filesystem,[],[],,IA-2,mitigates,7 +2348,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-2,mitigates,7 
+2349,,T1021,Remote Services,[],[],,IA-2,mitigates,7 +2350,,T1021.001,Remote Desktop Protocol,[],[],,IA-2,mitigates,7 +2351,,T1021.002,SMB/Windows Admin Shares,[],[],,IA-2,mitigates,7 +2352,,T1021.003,Distributed Component Object Model,[],[],,IA-2,mitigates,7 +2353,,T1021.004,SSH,[],[],,IA-2,mitigates,7 +2354,,T1021.005,VNC,[],[],,IA-2,mitigates,7 +2355,,T1021.006,Windows Remote Management,[],[],,IA-2,mitigates,7 +2356,,T1040,Network Sniffing,[],[],,IA-2,mitigates,7 +2357,,T1047,Windows Management Instrumentation,[],[],,IA-2,mitigates,7 +2358,,T1053,Scheduled Task/Job,[],[],,IA-2,mitigates,7 +2359,,T1053.001,At (Linux),[],[],,IA-2,mitigates,7 +2360,,T1053.002,At (Windows),[],[],,IA-2,mitigates,7 +2361,,T1053.003,Cron,[],[],,IA-2,mitigates,7 +2362,,T1053.004,Launchd,[],[],,IA-2,mitigates,7 +2363,,T1053.005,Scheduled Task,[],[],,IA-2,mitigates,7 +2364,,T1053.006,Systemd Timers,[],[],,IA-2,mitigates,7 +2365,,T1055,Process Injection,[],[],,IA-2,mitigates,7 +2366,,T1055.008,Ptrace System Calls,[],[],,IA-2,mitigates,7 +2367,,T1056.003,Web Portal Capture,[],[],,IA-2,mitigates,7 +2368,,T1059,Command and Scripting Interpreter,[],[],,IA-2,mitigates,7 +2369,,T1059.001,PowerShell,[],[],,IA-2,mitigates,7 +2370,,T1059.008,Network Device CLI,[],[],,IA-2,mitigates,7 +2371,,T1072,Software Deployment Tools,[],[],,IA-2,mitigates,7 +2372,,T1078,Valid Accounts,[],[],,IA-2,mitigates,7 +2373,,T1078.002,Domain Accounts,[],[],,IA-2,mitigates,7 +2374,,T1078.003,Local Accounts,[],[],,IA-2,mitigates,7 +2375,,T1078.004,Cloud Accounts,[],[],,IA-2,mitigates,7 +2376,,T1087.004,Cloud Account,[],[],,IA-2,mitigates,7 +2377,,T1098,Account Manipulation,[],[],,IA-2,mitigates,7 +2378,,T1098.001,Additional Cloud Credentials,[],[],,IA-2,mitigates,7 +2379,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-2,mitigates,7 +2380,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-2,mitigates,7 +2381,,T1110,Brute Force,[],[],,IA-2,mitigates,7 +2382,,T1110.001,Password 
Guessing,[],[],,IA-2,mitigates,7 +2383,,T1110.002,Password Cracking,[],[],,IA-2,mitigates,7 +2384,,T1110.003,Password Spraying,[],[],,IA-2,mitigates,7 +2385,,T1110.004,Credential Stuffing,[],[],,IA-2,mitigates,7 +2386,,T1111,Two-Factor Authentication Interception,[],[],,IA-2,mitigates,7 +2387,,T1114,Email Collection,[],[],,IA-2,mitigates,7 +2388,,T1114.002,Remote Email Collection,[],[],,IA-2,mitigates,7 +2389,,T1133,External Remote Services,[],[],,IA-2,mitigates,7 +2390,,T1134,Access Token Manipulation,[],[],,IA-2,mitigates,7 +2391,,T1134.001,Token Impersonation/Theft,[],[],,IA-2,mitigates,7 +2392,,T1134.002,Create Process with Token,[],[],,IA-2,mitigates,7 +2393,,T1134.003,Make and Impersonate Token,[],[],,IA-2,mitigates,7 +2394,,T1136,Create Account,[],[],,IA-2,mitigates,7 +2395,,T1136.001,Local Account,[],[],,IA-2,mitigates,7 +2396,,T1136.002,Domain Account,[],[],,IA-2,mitigates,7 +2397,,T1136.003,Cloud Account,[],[],,IA-2,mitigates,7 +2398,,T1185,Man in the Browser,[],[],,IA-2,mitigates,7 +2399,,T1190,Exploit Public-Facing Application,[],[],,IA-2,mitigates,7 +2400,,T1197,BITS Jobs,[],[],,IA-2,mitigates,7 +2401,,T1210,Exploitation of Remote Services,[],[],,IA-2,mitigates,7 +2402,,T1213,Data from Information Repositories,[],[],,IA-2,mitigates,7 +2403,,T1213.001,Confluence,[],[],,IA-2,mitigates,7 +2404,,T1213.002,Sharepoint,[],[],,IA-2,mitigates,7 +2405,,T1218,Signed Binary Proxy Execution,[],[],,IA-2,mitigates,7 +2406,,T1218.007,Msiexec,[],[],,IA-2,mitigates,7 +2407,,T1222,File and Directory Permissions Modification,[],[],,IA-2,mitigates,7 +2408,,T1222.001,Windows File and Directory Permissions Modification,[],[],,IA-2,mitigates,7 +2409,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,IA-2,mitigates,7 +2410,,T1484,Domain Policy Modification,[],[],,IA-2,mitigates,7 +2411,,T1489,Service Stop,[],[],,IA-2,mitigates,7 +2412,,T1495,Firmware Corruption,[],[],,IA-2,mitigates,7 +2413,,T1505,Server Software Component,[],[],,IA-2,mitigates,7 
+2414,,T1505.001,SQL Stored Procedures,[],[],,IA-2,mitigates,7 +2415,,T1505.002,Transport Agent,[],[],,IA-2,mitigates,7 +2416,,T1525,Implant Container Image,[],[],,IA-2,mitigates,7 +2417,,T1528,Steal Application Access Token,[],[],,IA-2,mitigates,7 +2418,,T1530,Data from Cloud Storage Object,[],[],,IA-2,mitigates,7 +2419,,T1537,Transfer Data to Cloud Account,[],[],,IA-2,mitigates,7 +2420,,T1538,Cloud Service Dashboard,[],[],,IA-2,mitigates,7 +2421,,T1539,Steal Web Session Cookie,[],[],,IA-2,mitigates,7 +2422,,T1542,Pre-OS Boot,[],[],,IA-2,mitigates,7 +2423,,T1542.001,System Firmware,[],[],,IA-2,mitigates,7 +2424,,T1542.003,Bootkit,[],[],,IA-2,mitigates,7 +2425,,T1542.005,TFTP Boot,[],[],,IA-2,mitigates,7 +2426,,T1543,Create or Modify System Process,[],[],,IA-2,mitigates,7 +2427,,T1543.001,Launch Agent,[],[],,IA-2,mitigates,7 +2428,,T1543.002,Systemd Service,[],[],,IA-2,mitigates,7 +2429,,T1543.003,Windows Service,[],[],,IA-2,mitigates,7 +2430,,T1543.004,Launch Daemon,[],[],,IA-2,mitigates,7 +2431,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,IA-2,mitigates,7 +2432,,T1547.004,Winlogon Helper DLL,[],[],,IA-2,mitigates,7 +2433,,T1547.006,Kernel Modules and Extensions,[],[],,IA-2,mitigates,7 +2434,,T1547.009,Shortcut Modification,[],[],,IA-2,mitigates,7 +2435,,T1547.012,Print Processors,[],[],,IA-2,mitigates,7 +2436,,T1548,Abuse Elevation Control Mechanism,[],[],,IA-2,mitigates,7 +2437,,T1548.002,Bypass User Account Control,[],[],,IA-2,mitigates,7 +2438,,T1548.003,Sudo and Sudo Caching,[],[],,IA-2,mitigates,7 +2439,,T1550,Use Alternate Authentication Material,[],[],,IA-2,mitigates,7 +2440,,T1550.002,Pass the Hash,[],[],,IA-2,mitigates,7 +2441,,T1550.003,Pass the Ticket,[],[],,IA-2,mitigates,7 +2442,,T1552,Unsecured Credentials,[],[],,IA-2,mitigates,7 +2443,,T1552.001,Credentials In Files,[],[],,IA-2,mitigates,7 +2444,,T1552.002,Credentials in Registry,[],[],,IA-2,mitigates,7 +2445,,T1552.004,Private Keys,[],[],,IA-2,mitigates,7 
+2446,,T1552.006,Group Policy Preferences,[],[],,IA-2,mitigates,7 +2447,,T1556,Modify Authentication Process,[],[],,IA-2,mitigates,7 +2448,,T1556.001,Domain Controller Authentication,[],[],,IA-2,mitigates,7 +2449,,T1556.003,Pluggable Authentication Modules,[],[],,IA-2,mitigates,7 +2450,,T1556.004,Network Device Authentication,[],[],,IA-2,mitigates,7 +2451,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-2,mitigates,7 +2452,,T1558.001,Golden Ticket,[],[],,IA-2,mitigates,7 +2453,,T1558.002,Silver Ticket,[],[],,IA-2,mitigates,7 +2454,,T1558.003,Kerberoasting,[],[],,IA-2,mitigates,7 +2455,,T1558.004,AS-REP Roasting,[],[],,IA-2,mitigates,7 +2456,,T1559,Inter-Process Communication,[],[],,IA-2,mitigates,7 +2457,,T1559.001,Component Object Model,[],[],,IA-2,mitigates,7 +2458,,T1562,Impair Defenses,[],[],,IA-2,mitigates,7 +2459,,T1562.001,Disable or Modify Tools,[],[],,IA-2,mitigates,7 +2460,,T1562.002,Disable Windows Event Logging,[],[],,IA-2,mitigates,7 +2461,,T1562.004,Disable or Modify System Firewall,[],[],,IA-2,mitigates,7 +2462,,T1562.006,Indicator Blocking,[],[],,IA-2,mitigates,7 +2463,,T1562.007,Disable or Modify Cloud Firewall,[],[],,IA-2,mitigates,7 +2464,,T1562.008,Disable Cloud Logs,[],[],,IA-2,mitigates,7 +2465,,T1563,Remote Service Session Hijacking,[],[],,IA-2,mitigates,7 +2466,,T1563.001,SSH Hijacking,[],[],,IA-2,mitigates,7 +2467,,T1563.002,RDP Hijacking,[],[],,IA-2,mitigates,7 +2468,,T1569,System Services,[],[],,IA-2,mitigates,7 +2469,,T1569.001,Launchctl,[],[],,IA-2,mitigates,7 +2470,,T1569.002,Service Execution,[],[],,IA-2,mitigates,7 +2471,,T1574,Hijack Execution Flow,[],[],,IA-2,mitigates,7 +2472,,T1574.005,Executable Installer File Permissions Weakness,[],[],,IA-2,mitigates,7 +2473,,T1574.010,Services File Permissions Weakness,[],[],,IA-2,mitigates,7 +2474,,T1574.012,COR_PROFILER,[],[],,IA-2,mitigates,7 +2475,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-2,mitigates,7 +2476,,T1578.001,Create Snapshot,[],[],,IA-2,mitigates,7 
+2477,,T1578.002,Create Cloud Instance,[],[],,IA-2,mitigates,7 +2478,,T1578.003,Delete Cloud Instance,[],[],,IA-2,mitigates,7 +2479,,T1580,Cloud Infrastructure Discovery,[],[],,IA-2,mitigates,7 +2480,,T1599,Network Boundary Bridging,[],[],,IA-2,mitigates,7 +2481,,T1599.001,Network Address Translation Traversal,[],[],,IA-2,mitigates,7 +2482,,T1601,Modify System Image,[],[],,IA-2,mitigates,7 +2483,,T1601.001,Patch System Image,[],[],,IA-2,mitigates,7 +2484,,T1601.002,Downgrade System Image,[],[],,IA-2,mitigates,7 +2485,,T1530,Data from Cloud Storage Object,[],[],,IA-3,mitigates,7 +2486,,T1537,Transfer Data to Cloud Account,[],[],,IA-3,mitigates,7 +2487,,T1552,Unsecured Credentials,[],[],,IA-3,mitigates,7 +2488,,T1552.005,Cloud Instance Metadata API,[],[],,IA-3,mitigates,7 +2489,,T1602,Data from Configuration Repository,[],[],,IA-3,mitigates,7 +2490,,T1602.001,SNMP (MIB Dump),[],[],,IA-3,mitigates,7 +2491,,T1602.002,Network Device Configuration Dump,[],[],,IA-3,mitigates,7 +2492,,T1003,OS Credential Dumping,[],[],,IA-4,mitigates,7 +2493,,T1003.005,Cached Domain Credentials,[],[],,IA-4,mitigates,7 +2494,,T1003.006,DCSync,[],[],,IA-4,mitigates,7 +2495,,T1021.001,Remote Desktop Protocol,[],[],,IA-4,mitigates,7 +2496,,T1021.005,VNC,[],[],,IA-4,mitigates,7 +2497,,T1053,Scheduled Task/Job,[],[],,IA-4,mitigates,7 +2498,,T1053.002,At (Windows),[],[],,IA-4,mitigates,7 +2499,,T1053.005,Scheduled Task,[],[],,IA-4,mitigates,7 +2500,,T1110,Brute Force,[],[],,IA-4,mitigates,7 +2501,,T1110.001,Password Guessing,[],[],,IA-4,mitigates,7 +2502,,T1110.002,Password Cracking,[],[],,IA-4,mitigates,7 +2503,,T1110.003,Password Spraying,[],[],,IA-4,mitigates,7 +2504,,T1110.004,Credential Stuffing,[],[],,IA-4,mitigates,7 +2505,,T1213,Data from Information Repositories,[],[],,IA-4,mitigates,7 +2506,,T1213.001,Confluence,[],[],,IA-4,mitigates,7 +2507,,T1213.002,Sharepoint,[],[],,IA-4,mitigates,7 +2508,,T1528,Steal Application Access Token,[],[],,IA-4,mitigates,7 +2509,,T1530,Data from Cloud 
Storage Object,[],[],,IA-4,mitigates,7 +2510,,T1537,Transfer Data to Cloud Account,[],[],,IA-4,mitigates,7 +2511,,T1543,Create or Modify System Process,[],[],,IA-4,mitigates,7 +2512,,T1543.003,Windows Service,[],[],,IA-4,mitigates,7 +2513,,T1550,Use Alternate Authentication Material,[],[],,IA-4,mitigates,7 +2514,,T1552,Unsecured Credentials,[],[],,IA-4,mitigates,7 +2515,,T1552.005,Cloud Instance Metadata API,[],[],,IA-4,mitigates,7 +2516,,T1562,Impair Defenses,[],[],,IA-4,mitigates,7 +2517,,T1563,Remote Service Session Hijacking,[],[],,IA-4,mitigates,7 +2518,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-4,mitigates,7 +2519,,T1578.001,Create Snapshot,[],[],,IA-4,mitigates,7 +2520,,T1578.002,Create Cloud Instance,[],[],,IA-4,mitigates,7 +2521,,T1578.003,Delete Cloud Instance,[],[],,IA-4,mitigates,7 +2522,,T1602,Data from Configuration Repository,[],[],,IA-4,mitigates,7 +2523,,T1602.001,SNMP (MIB Dump),[],[],,IA-4,mitigates,7 +2524,,T1602.002,Network Device Configuration Dump,[],[],,IA-4,mitigates,7 +2525,,T1003,OS Credential Dumping,[],[],,IA-5,mitigates,7 +2526,,T1003.001,LSASS Memory,[],[],,IA-5,mitigates,7 +2527,,T1003.002,Security Account Manager,[],[],,IA-5,mitigates,7 +2528,,T1003.003,NTDS,[],[],,IA-5,mitigates,7 +2529,,T1003.004,LSA Secrets,[],[],,IA-5,mitigates,7 +2530,,T1003.005,Cached Domain Credentials,[],[],,IA-5,mitigates,7 +2531,,T1003.006,DCSync,[],[],,IA-5,mitigates,7 +2532,,T1003.007,Proc Filesystem,[],[],,IA-5,mitigates,7 +2533,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-5,mitigates,7 +2534,,T1021,Remote Services,[],[],,IA-5,mitigates,7 +2535,,T1021.001,Remote Desktop Protocol,[],[],,IA-5,mitigates,7 +2536,,T1021.004,SSH,[],[],,IA-5,mitigates,7 +2537,,T1040,Network Sniffing,[],[],,IA-5,mitigates,7 +2538,,T1072,Software Deployment Tools,[],[],,IA-5,mitigates,7 +2539,,T1078,Valid Accounts,[],[],,IA-5,mitigates,7 +2540,,T1078.002,Domain Accounts,[],[],,IA-5,mitigates,7 +2541,,T1078.004,Cloud Accounts,[],[],,IA-5,mitigates,7 
+2542,,T1098.001,Additional Cloud Credentials,[],[],,IA-5,mitigates,7 +2543,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-5,mitigates,7 +2544,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-5,mitigates,7 +2545,,T1110,Brute Force,[],[],,IA-5,mitigates,7 +2546,,T1110.001,Password Guessing,[],[],,IA-5,mitigates,7 +2547,,T1110.002,Password Cracking,[],[],,IA-5,mitigates,7 +2548,,T1110.003,Password Spraying,[],[],,IA-5,mitigates,7 +2549,,T1110.004,Credential Stuffing,[],[],,IA-5,mitigates,7 +2550,,T1111,Two-Factor Authentication Interception,[],[],,IA-5,mitigates,7 +2551,,T1114,Email Collection,[],[],,IA-5,mitigates,7 +2552,,T1114.002,Remote Email Collection,[],[],,IA-5,mitigates,7 +2553,,T1133,External Remote Services,[],[],,IA-5,mitigates,7 +2554,,T1136,Create Account,[],[],,IA-5,mitigates,7 +2555,,T1136.001,Local Account,[],[],,IA-5,mitigates,7 +2556,,T1136.002,Domain Account,[],[],,IA-5,mitigates,7 +2557,,T1136.003,Cloud Account,[],[],,IA-5,mitigates,7 +2558,,T1528,Steal Application Access Token,[],[],,IA-5,mitigates,7 +2559,,T1530,Data from Cloud Storage Object,[],[],,IA-5,mitigates,7 +2560,,T1539,Steal Web Session Cookie,[],[],,IA-5,mitigates,7 +2561,,T1550.003,Pass the Ticket,[],[],,IA-5,mitigates,7 +2562,,T1552,Unsecured Credentials,[],[],,IA-5,mitigates,7 +2563,,T1552.001,Credentials In Files,[],[],,IA-5,mitigates,7 +2564,,T1552.002,Credentials in Registry,[],[],,IA-5,mitigates,7 +2565,,T1552.004,Private Keys,[],[],,IA-5,mitigates,7 +2566,,T1552.006,Group Policy Preferences,[],[],,IA-5,mitigates,7 +2567,,T1555,Credentials from Password Stores,[],[],,IA-5,mitigates,7 +2568,,T1555.001,Keychain,[],[],,IA-5,mitigates,7 +2569,,T1555.002,Securityd Memory,[],[],,IA-5,mitigates,7 +2570,,T1556,Modify Authentication Process,[],[],,IA-5,mitigates,7 +2571,,T1556.001,Domain Controller Authentication,[],[],,IA-5,mitigates,7 +2572,,T1556.003,Pluggable Authentication Modules,[],[],,IA-5,mitigates,7 +2573,,T1556.004,Network Device 
Authentication,[],[],,IA-5,mitigates,7 +2574,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-5,mitigates,7 +2575,,T1558.001,Golden Ticket,[],[],,IA-5,mitigates,7 +2576,,T1558.002,Silver Ticket,[],[],,IA-5,mitigates,7 +2577,,T1558.003,Kerberoasting,[],[],,IA-5,mitigates,7 +2578,,T1558.004,AS-REP Roasting,[],[],,IA-5,mitigates,7 +2579,,T1563.001,SSH Hijacking,[],[],,IA-5,mitigates,7 +2580,,T1599,Network Boundary Bridging,[],[],,IA-5,mitigates,7 +2581,,T1599.001,Network Address Translation Traversal,[],[],,IA-5,mitigates,7 +2582,,T1601,Modify System Image,[],[],,IA-5,mitigates,7 +2583,,T1601.001,Patch System Image,[],[],,IA-5,mitigates,7 +2584,,T1601.002,Downgrade System Image,[],[],,IA-5,mitigates,7 +2585,,T1021.001,Remote Desktop Protocol,[],[],,IA-6,mitigates,7 +2586,,T1021.005,VNC,[],[],,IA-6,mitigates,7 +2587,,T1530,Data from Cloud Storage Object,[],[],,IA-6,mitigates,7 +2588,,T1563,Remote Service Session Hijacking,[],[],,IA-6,mitigates,7 +2589,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-6,mitigates,7 +2590,,T1578.001,Create Snapshot,[],[],,IA-6,mitigates,7 +2591,,T1578.002,Create Cloud Instance,[],[],,IA-6,mitigates,7 +2592,,T1578.003,Delete Cloud Instance,[],[],,IA-6,mitigates,7 +2593,,T1195.003,Compromise Hardware Supply Chain,[],[],,IA-7,mitigates,7 +2594,,T1495,Firmware Corruption,[],[],,IA-7,mitigates,7 +2595,,T1542,Pre-OS Boot,[],[],,IA-7,mitigates,7 +2596,,T1542.001,System Firmware,[],[],,IA-7,mitigates,7 +2597,,T1542.003,Bootkit,[],[],,IA-7,mitigates,7 +2598,,T1542.004,ROMMONkit,[],[],,IA-7,mitigates,7 +2599,,T1542.005,TFTP Boot,[],[],,IA-7,mitigates,7 +2600,,T1601,Modify System Image,[],[],,IA-7,mitigates,7 +2601,,T1601.001,Patch System Image,[],[],,IA-7,mitigates,7 +2602,,T1601.002,Downgrade System Image,[],[],,IA-7,mitigates,7 +2603,,T1059,Command and Scripting Interpreter,[],[],,IA-8,mitigates,7 +2604,,T1059.001,PowerShell,[],[],,IA-8,mitigates,7 +2605,,T1059.008,Network Device CLI,[],[],,IA-8,mitigates,7 +2606,,T1087.004,Cloud 
Account,[],[],,IA-8,mitigates,7 +2607,,T1190,Exploit Public-Facing Application,[],[],,IA-8,mitigates,7 +2608,,T1210,Exploitation of Remote Services,[],[],,IA-8,mitigates,7 +2609,,T1213,Data from Information Repositories,[],[],,IA-8,mitigates,7 +2610,,T1213.001,Confluence,[],[],,IA-8,mitigates,7 +2611,,T1213.002,Sharepoint,[],[],,IA-8,mitigates,7 +2612,,T1528,Steal Application Access Token,[],[],,IA-8,mitigates,7 +2613,,T1530,Data from Cloud Storage Object,[],[],,IA-8,mitigates,7 +2614,,T1537,Transfer Data to Cloud Account,[],[],,IA-8,mitigates,7 +2615,,T1538,Cloud Service Dashboard,[],[],,IA-8,mitigates,7 +2616,,T1542,Pre-OS Boot,[],[],,IA-8,mitigates,7 +2617,,T1542.001,System Firmware,[],[],,IA-8,mitigates,7 +2618,,T1542.003,Bootkit,[],[],,IA-8,mitigates,7 +2619,,T1542.005,TFTP Boot,[],[],,IA-8,mitigates,7 +2620,,T1036,Masquerading,[],[],,IA-9,mitigates,7 +2621,,T1036.001,Invalid Code Signature,[],[],,IA-9,mitigates,7 +2622,,T1036.005,Match Legitimate Name or Location,[],[],,IA-9,mitigates,7 +2623,,T1059,Command and Scripting Interpreter,[],[],,IA-9,mitigates,7 +2624,,T1059.001,PowerShell,[],[],,IA-9,mitigates,7 +2625,,T1059.002,AppleScript,[],[],,IA-9,mitigates,7 +2626,,T1505,Server Software Component,[],[],,IA-9,mitigates,7 +2627,,T1505.001,SQL Stored Procedures,[],[],,IA-9,mitigates,7 +2628,,T1505.002,Transport Agent,[],[],,IA-9,mitigates,7 +2629,,T1525,Implant Container Image,[],[],,IA-9,mitigates,7 +2630,,T1546,Event Triggered Execution,[],[],,IA-9,mitigates,7 +2631,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,IA-9,mitigates,7 +2632,,T1546.013,PowerShell Profile,[],[],,IA-9,mitigates,7 +2633,,T1553,Subvert Trust Controls,[],[],,IA-9,mitigates,7 +2634,,T1553.004,Install Root Certificate,[],[],,IA-9,mitigates,7 +2635,,T1554,Compromise Client Software Binary,[],[],,IA-9,mitigates,7 +2636,,T1052,Exfiltration Over Physical Medium,[],[],,MP-7,mitigates,7 +2637,,T1052.001,Exfiltration over USB,[],[],,MP-7,mitigates,7 +2638,,T1091,Replication Through Removable 
Media,[],[],,MP-7,mitigates,7 +2639,,T1092,Communication Through Removable Media,[],[],,MP-7,mitigates,7 +2640,,T1200,Hardware Additions,[],[],,MP-7,mitigates,7 +2641,,T1078,Valid Accounts,[],[],,PL-8,mitigates,7 +2642,,T1482,Domain Trust Discovery,[],[],,PL-8,mitigates,7 +2643,,T1068,Exploitation for Privilege Escalation,[],[],,RA-10,mitigates,7 +2644,,T1190,Exploit Public-Facing Application,[],[],,RA-10,mitigates,7 +2645,,T1195,Supply Chain Compromise,[],[],,RA-10,mitigates,7 +2646,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-10,mitigates,7 +2647,,T1195.002,Compromise Software Supply Chain,[],[],,RA-10,mitigates,7 +2648,,T1210,Exploitation of Remote Services,[],[],,RA-10,mitigates,7 +2649,,T1211,Exploitation for Defense Evasion,[],[],,RA-10,mitigates,7 +2650,,T1212,Exploitation for Credential Access,[],[],,RA-10,mitigates,7 +2651,,T1011.001,Exfiltration Over Bluetooth,[],[],,RA-5,mitigates,7 +2652,,T1021.001,Remote Desktop Protocol,[],[],,RA-5,mitigates,7 +2653,,T1021.003,Distributed Component Object Model,[],[],,RA-5,mitigates,7 +2654,,T1021.004,SSH,[],[],,RA-5,mitigates,7 +2655,,T1021.005,VNC,[],[],,RA-5,mitigates,7 +2656,,T1021.006,Windows Remote Management,[],[],,RA-5,mitigates,7 +2657,,T1046,Network Service Scanning,[],[],,RA-5,mitigates,7 +2658,,T1052,Exfiltration Over Physical Medium,[],[],,RA-5,mitigates,7 +2659,,T1052.001,Exfiltration over USB,[],[],,RA-5,mitigates,7 +2660,,T1053,Scheduled Task/Job,[],[],,RA-5,mitigates,7 +2661,,T1053.001,At (Linux),[],[],,RA-5,mitigates,7 +2662,,T1053.002,At (Windows),[],[],,RA-5,mitigates,7 +2663,,T1053.003,Cron,[],[],,RA-5,mitigates,7 +2664,,T1053.004,Launchd,[],[],,RA-5,mitigates,7 +2665,,T1053.005,Scheduled Task,[],[],,RA-5,mitigates,7 +2666,,T1059,Command and Scripting Interpreter,[],[],,RA-5,mitigates,7 +2667,,T1059.001,PowerShell,[],[],,RA-5,mitigates,7 +2668,,T1059.005,Visual Basic,[],[],,RA-5,mitigates,7 +2669,,T1059.007,JavaScript/JScript,[],[],,RA-5,mitigates,7 
+2670,,T1068,Exploitation for Privilege Escalation,[],[],,RA-5,mitigates,7 +2671,,T1078,Valid Accounts,[],[],,RA-5,mitigates,7 +2672,,T1091,Replication Through Removable Media,[],[],,RA-5,mitigates,7 +2673,,T1092,Communication Through Removable Media,[],[],,RA-5,mitigates,7 +2674,,T1098.004,SSH Authorized Keys,[],[],,RA-5,mitigates,7 +2675,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,RA-5,mitigates,7 +2676,,T1127.001,MSBuild,[],[],,RA-5,mitigates,7 +2677,,T1133,External Remote Services,[],[],,RA-5,mitigates,7 +2678,,T1137,Office Application Startup,[],[],,RA-5,mitigates,7 +2679,,T1137.001,Office Template Macros,[],[],,RA-5,mitigates,7 +2680,,T1176,Browser Extensions,[],[],,RA-5,mitigates,7 +2681,,T1190,Exploit Public-Facing Application,[],[],,RA-5,mitigates,7 +2682,,T1195,Supply Chain Compromise,[],[],,RA-5,mitigates,7 +2683,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-5,mitigates,7 +2684,,T1195.002,Compromise Software Supply Chain,[],[],,RA-5,mitigates,7 +2685,,T1210,Exploitation of Remote Services,[],[],,RA-5,mitigates,7 +2686,,T1211,Exploitation for Defense Evasion,[],[],,RA-5,mitigates,7 +2687,,T1212,Exploitation for Credential Access,[],[],,RA-5,mitigates,7 +2688,,T1213,Data from Information Repositories,[],[],,RA-5,mitigates,7 +2689,,T1213.001,Confluence,[],[],,RA-5,mitigates,7 +2690,,T1213.002,Sharepoint,[],[],,RA-5,mitigates,7 +2691,,T1218,Signed Binary Proxy Execution,[],[],,RA-5,mitigates,7 +2692,,T1218.003,CMSTP,[],[],,RA-5,mitigates,7 +2693,,T1218.004,InstallUtil,[],[],,RA-5,mitigates,7 +2694,,T1218.005,Mshta,[],[],,RA-5,mitigates,7 +2695,,T1218.008,Odbcconf,[],[],,RA-5,mitigates,7 +2696,,T1218.009,Regsvcs/Regasm,[],[],,RA-5,mitigates,7 +2697,,T1218.012,Verclsid,[],[],,RA-5,mitigates,7 +2698,,T1221,Template Injection,[],[],,RA-5,mitigates,7 +2699,,T1482,Domain Trust Discovery,[],[],,RA-5,mitigates,7 +2700,,T1484,Domain Policy Modification,[],[],,RA-5,mitigates,7 +2701,,T1505,Server Software 
Component,[],[],,RA-5,mitigates,7 +2702,,T1505.001,SQL Stored Procedures,[],[],,RA-5,mitigates,7 +2703,,T1505.002,Transport Agent,[],[],,RA-5,mitigates,7 +2704,,T1525,Implant Container Image,[],[],,RA-5,mitigates,7 +2705,,T1528,Steal Application Access Token,[],[],,RA-5,mitigates,7 +2706,,T1530,Data from Cloud Storage Object,[],[],,RA-5,mitigates,7 +2707,,T1542.004,ROMMONkit,[],[],,RA-5,mitigates,7 +2708,,T1542.005,TFTP Boot,[],[],,RA-5,mitigates,7 +2709,,T1543,Create or Modify System Process,[],[],,RA-5,mitigates,7 +2710,,T1543.003,Windows Service,[],[],,RA-5,mitigates,7 +2711,,T1546.002,Screensaver,[],[],,RA-5,mitigates,7 +2712,,T1546.014,Emond,[],[],,RA-5,mitigates,7 +2713,,T1547.007,Re-opened Applications,[],[],,RA-5,mitigates,7 +2714,,T1547.008,LSASS Driver,[],[],,RA-5,mitigates,7 +2715,,T1548,Abuse Elevation Control Mechanism,[],[],,RA-5,mitigates,7 +2716,,T1548.002,Bypass User Account Control,[],[],,RA-5,mitigates,7 +2717,,T1548.003,Sudo and Sudo Caching,[],[],,RA-5,mitigates,7 +2718,,T1550,Use Alternate Authentication Material,[],[],,RA-5,mitigates,7 +2719,,T1552,Unsecured Credentials,[],[],,RA-5,mitigates,7 +2720,,T1552.001,Credentials In Files,[],[],,RA-5,mitigates,7 +2721,,T1552.002,Credentials in Registry,[],[],,RA-5,mitigates,7 +2722,,T1552.004,Private Keys,[],[],,RA-5,mitigates,7 +2723,,T1552.006,Group Policy Preferences,[],[],,RA-5,mitigates,7 +2724,,T1557,Man-in-the-Middle,[],[],,RA-5,mitigates,7 +2725,,T1558.004,AS-REP Roasting,[],[],,RA-5,mitigates,7 +2726,,T1559,Inter-Process Communication,[],[],,RA-5,mitigates,7 +2727,,T1559.002,Dynamic Data Exchange,[],[],,RA-5,mitigates,7 +2728,,T1560,Archive Collected Data,[],[],,RA-5,mitigates,7 +2729,,T1560.001,Archive via Utility,[],[],,RA-5,mitigates,7 +2730,,T1562,Impair Defenses,[],[],,RA-5,mitigates,7 +2731,,T1563,Remote Service Session Hijacking,[],[],,RA-5,mitigates,7 +2732,,T1563.001,SSH Hijacking,[],[],,RA-5,mitigates,7 +2733,,T1563.002,RDP Hijacking,[],[],,RA-5,mitigates,7 +2734,,T1574,Hijack 
Execution Flow,[],[],,RA-5,mitigates,7 +2735,,T1574.001,DLL Search Order Hijacking,[],[],,RA-5,mitigates,7 +2736,,T1574.002,DLL Side-Loading,[],[],,RA-5,mitigates,7 +2737,,T1574.004,Dylib Hijacking,[],[],,RA-5,mitigates,7 +2738,,T1574.005,Executable Installer File Permissions Weakness,[],[],,RA-5,mitigates,7 +2739,,T1574.007,Path Interception by PATH Environment Variable,[],[],,RA-5,mitigates,7 +2740,,T1574.008,Path Interception by Search Order Hijacking,[],[],,RA-5,mitigates,7 +2741,,T1574.009,Path Interception by Unquoted Path,[],[],,RA-5,mitigates,7 +2742,,T1574.010,Services File Permissions Weakness,[],[],,RA-5,mitigates,7 +2743,,T1578,Modify Cloud Compute Infrastructure,[],[],,RA-5,mitigates,7 +2744,,T1578.001,Create Snapshot,[],[],,RA-5,mitigates,7 +2745,,T1578.002,Create Cloud Instance,[],[],,RA-5,mitigates,7 +2746,,T1578.003,Delete Cloud Instance,[],[],,RA-5,mitigates,7 +2747,,T1195.003,Compromise Hardware Supply Chain,[],[],,RA-9,mitigates,7 +2748,,T1495,Firmware Corruption,[],[],,RA-9,mitigates,7 +2749,,T1542,Pre-OS Boot,[],[],,RA-9,mitigates,7 +2750,,T1542.001,System Firmware,[],[],,RA-9,mitigates,7 +2751,,T1542.003,Bootkit,[],[],,RA-9,mitigates,7 +2752,,T1542.004,ROMMONkit,[],[],,RA-9,mitigates,7 +2753,,T1542.005,TFTP Boot,[],[],,RA-9,mitigates,7 +2754,,T1601,Modify System Image,[],[],,RA-9,mitigates,7 +2755,,T1601.001,Patch System Image,[],[],,RA-9,mitigates,7 +2756,,T1601.002,Downgrade System Image,[],[],,RA-9,mitigates,7 +2757,,T1078,Valid Accounts,[],[],,SA-10,mitigates,7 +2758,,T1078.001,Default Accounts,[],[],,SA-10,mitigates,7 +2759,,T1078.003,Local Accounts,[],[],,SA-10,mitigates,7 +2760,,T1078.004,Cloud Accounts,[],[],,SA-10,mitigates,7 +2761,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-10,mitigates,7 +2762,,T1495,Firmware Corruption,[],[],,SA-10,mitigates,7 +2763,,T1505,Server Software Component,[],[],,SA-10,mitigates,7 +2764,,T1505.001,SQL Stored Procedures,[],[],,SA-10,mitigates,7 +2765,,T1505.002,Transport 
Agent,[],[],,SA-10,mitigates,7 +2766,,T1542,Pre-OS Boot,[],[],,SA-10,mitigates,7 +2767,,T1542.001,System Firmware,[],[],,SA-10,mitigates,7 +2768,,T1542.003,Bootkit,[],[],,SA-10,mitigates,7 +2769,,T1542.004,ROMMONkit,[],[],,SA-10,mitigates,7 +2770,,T1542.005,TFTP Boot,[],[],,SA-10,mitigates,7 +2771,,T1601,Modify System Image,[],[],,SA-10,mitigates,7 +2772,,T1601.001,Patch System Image,[],[],,SA-10,mitigates,7 +2773,,T1601.002,Downgrade System Image,[],[],,SA-10,mitigates,7 +2774,,T1078,Valid Accounts,[],[],,SA-11,mitigates,7 +2775,,T1078.001,Default Accounts,[],[],,SA-11,mitigates,7 +2776,,T1078.003,Local Accounts,[],[],,SA-11,mitigates,7 +2777,,T1078.004,Cloud Accounts,[],[],,SA-11,mitigates,7 +2778,,T1134.005,SID-History Injection,[],[],,SA-11,mitigates,7 +2779,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-11,mitigates,7 +2780,,T1495,Firmware Corruption,[],[],,SA-11,mitigates,7 +2781,,T1505,Server Software Component,[],[],,SA-11,mitigates,7 +2782,,T1505.001,SQL Stored Procedures,[],[],,SA-11,mitigates,7 +2783,,T1505.002,Transport Agent,[],[],,SA-11,mitigates,7 +2784,,T1528,Steal Application Access Token,[],[],,SA-11,mitigates,7 +2785,,T1542,Pre-OS Boot,[],[],,SA-11,mitigates,7 +2786,,T1542.001,System Firmware,[],[],,SA-11,mitigates,7 +2787,,T1542.003,Bootkit,[],[],,SA-11,mitigates,7 +2788,,T1542.004,ROMMONkit,[],[],,SA-11,mitigates,7 +2789,,T1542.005,TFTP Boot,[],[],,SA-11,mitigates,7 +2790,,T1550,Use Alternate Authentication Material,[],[],,SA-11,mitigates,7 +2791,,T1552,Unsecured Credentials,[],[],,SA-11,mitigates,7 +2792,,T1552.001,Credentials In Files,[],[],,SA-11,mitigates,7 +2793,,T1552.002,Credentials in Registry,[],[],,SA-11,mitigates,7 +2794,,T1552.004,Private Keys,[],[],,SA-11,mitigates,7 +2795,,T1552.006,Group Policy Preferences,[],[],,SA-11,mitigates,7 +2796,,T1558.004,AS-REP Roasting,[],[],,SA-11,mitigates,7 +2797,,T1601,Modify System Image,[],[],,SA-11,mitigates,7 +2798,,T1601.001,Patch System Image,[],[],,SA-11,mitigates,7 
+2799,,T1601.002,Downgrade System Image,[],[],,SA-11,mitigates,7 +2800,,T1078,Valid Accounts,[],[],,SA-12,mitigates,7 +2801,,T1078,Valid Accounts,[],[],,SA-15,mitigates,7 +2802,,T1078.001,Default Accounts,[],[],,SA-15,mitigates,7 +2803,,T1078.003,Local Accounts,[],[],,SA-15,mitigates,7 +2804,,T1078.004,Cloud Accounts,[],[],,SA-15,mitigates,7 +2805,,T1528,Steal Application Access Token,[],[],,SA-15,mitigates,7 +2806,,T1550,Use Alternate Authentication Material,[],[],,SA-15,mitigates,7 +2807,,T1552,Unsecured Credentials,[],[],,SA-15,mitigates,7 +2808,,T1552.001,Credentials In Files,[],[],,SA-15,mitigates,7 +2809,,T1552.002,Credentials in Registry,[],[],,SA-15,mitigates,7 +2810,,T1552.004,Private Keys,[],[],,SA-15,mitigates,7 +2811,,T1552.006,Group Policy Preferences,[],[],,SA-15,mitigates,7 +2812,,T1558.004,AS-REP Roasting,[],[],,SA-15,mitigates,7 +2813,,T1078,Valid Accounts,[],[],,SA-16,mitigates,7 +2814,,T1078.001,Default Accounts,[],[],,SA-16,mitigates,7 +2815,,T1078.003,Local Accounts,[],[],,SA-16,mitigates,7 +2816,,T1078.004,Cloud Accounts,[],[],,SA-16,mitigates,7 +2817,,T1078,Valid Accounts,[],[],,SA-17,mitigates,7 +2818,,T1078.001,Default Accounts,[],[],,SA-17,mitigates,7 +2819,,T1078.003,Local Accounts,[],[],,SA-17,mitigates,7 +2820,,T1078.004,Cloud Accounts,[],[],,SA-17,mitigates,7 +2821,,T1134.005,SID-History Injection,[],[],,SA-17,mitigates,7 +2822,,T1482,Domain Trust Discovery,[],[],,SA-17,mitigates,7 +2823,,T1189,Drive-by Compromise,[],[],,SA-22,mitigates,7 +2824,,T1195,Supply Chain Compromise,[],[],,SA-22,mitigates,7 +2825,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SA-22,mitigates,7 +2826,,T1195.002,Compromise Software Supply Chain,[],[],,SA-22,mitigates,7 +2827,,T1543,Create or Modify System Process,[],[],,SA-22,mitigates,7 +2828,,T1543.002,Systemd Service,[],[],,SA-22,mitigates,7 +2829,,T1078,Valid Accounts,[],[],,SA-3,mitigates,7 +2830,,T1078.001,Default Accounts,[],[],,SA-3,mitigates,7 +2831,,T1078.003,Local 
Accounts,[],[],,SA-3,mitigates,7 +2832,,T1078.004,Cloud Accounts,[],[],,SA-3,mitigates,7 +2833,,T1078,Valid Accounts,[],[],,SA-4,mitigates,7 +2834,,T1078.001,Default Accounts,[],[],,SA-4,mitigates,7 +2835,,T1078.003,Local Accounts,[],[],,SA-4,mitigates,7 +2836,,T1078.004,Cloud Accounts,[],[],,SA-4,mitigates,7 +2837,,T1134.005,SID-History Injection,[],[],,SA-4,mitigates,7 +2838,,T1078,Valid Accounts,[],[],,SA-8,mitigates,7 +2839,,T1078.001,Default Accounts,[],[],,SA-8,mitigates,7 +2840,,T1078.003,Local Accounts,[],[],,SA-8,mitigates,7 +2841,,T1078.004,Cloud Accounts,[],[],,SA-8,mitigates,7 +2842,,T1134.005,SID-History Injection,[],[],,SA-8,mitigates,7 +2843,,T1190,Exploit Public-Facing Application,[],[],,SA-8,mitigates,7 +2844,,T1482,Domain Trust Discovery,[],[],,SA-8,mitigates,7 +2845,,T1071,Application Layer Protocol,[],[],,SC-10,mitigates,7 +2846,,T1071.001,Web Protocols,[],[],,SC-10,mitigates,7 +2847,,T1071.002,File Transfer Protocols,[],[],,SC-10,mitigates,7 +2848,,T1071.003,Mail Protocols,[],[],,SC-10,mitigates,7 +2849,,T1071.004,DNS,[],[],,SC-10,mitigates,7 +2850,,T1072,Software Deployment Tools,[],[],,SC-12,mitigates,7 +2851,,T1098.004,SSH Authorized Keys,[],[],,SC-12,mitigates,7 +2852,,T1552,Unsecured Credentials,[],[],,SC-12,mitigates,7 +2853,,T1552.001,Credentials In Files,[],[],,SC-12,mitigates,7 +2854,,T1552.002,Credentials in Registry,[],[],,SC-12,mitigates,7 +2855,,T1552.004,Private Keys,[],[],,SC-12,mitigates,7 +2856,,T1563.001,SSH Hijacking,[],[],,SC-12,mitigates,7 +2857,,T1573,Encrypted Channel,[],[],,SC-12,mitigates,7 +2858,,T1573.001,Symmetric Cryptography,[],[],,SC-12,mitigates,7 +2859,,T1573.002,Asymmetric Cryptography,[],[],,SC-12,mitigates,7 +2860,,T1573,Encrypted Channel,[],[],,SC-16,mitigates,7 +2861,,T1573.001,Symmetric Cryptography,[],[],,SC-16,mitigates,7 +2862,,T1573.002,Asymmetric Cryptography,[],[],,SC-16,mitigates,7 +2863,,T1072,Software Deployment Tools,[],[],,SC-17,mitigates,7 +2864,,T1021.003,Distributed Component Object 
Model,[],[],,SC-18,mitigates,7 +2865,,T1055,Process Injection,[],[],,SC-18,mitigates,7 +2866,,T1055.001,Dynamic-link Library Injection,[],[],,SC-18,mitigates,7 +2867,,T1055.002,Portable Executable Injection,[],[],,SC-18,mitigates,7 +2868,,T1055.003,Thread Execution Hijacking,[],[],,SC-18,mitigates,7 +2869,,T1055.004,Asynchronous Procedure Call,[],[],,SC-18,mitigates,7 +2870,,T1055.005,Thread Local Storage,[],[],,SC-18,mitigates,7 +2871,,T1055.008,Ptrace System Calls,[],[],,SC-18,mitigates,7 +2872,,T1055.009,Proc Memory,[],[],,SC-18,mitigates,7 +2873,,T1055.011,Extra Window Memory Injection,[],[],,SC-18,mitigates,7 +2874,,T1055.012,Process Hollowing,[],[],,SC-18,mitigates,7 +2875,,T1055.013,Process Doppelgänging,[],[],,SC-18,mitigates,7 +2876,,T1055.014,VDSO Hijacking,[],[],,SC-18,mitigates,7 +2877,,T1059,Command and Scripting Interpreter,[],[],,SC-18,mitigates,7 +2878,,T1059.005,Visual Basic,[],[],,SC-18,mitigates,7 +2879,,T1059.007,JavaScript/JScript,[],[],,SC-18,mitigates,7 +2880,,T1068,Exploitation for Privilege Escalation,[],[],,SC-18,mitigates,7 +2881,,T1189,Drive-by Compromise,[],[],,SC-18,mitigates,7 +2882,,T1190,Exploit Public-Facing Application,[],[],,SC-18,mitigates,7 +2883,,T1203,Exploitation for Client Execution,[],[],,SC-18,mitigates,7 +2884,,T1210,Exploitation of Remote Services,[],[],,SC-18,mitigates,7 +2885,,T1211,Exploitation for Defense Evasion,[],[],,SC-18,mitigates,7 +2886,,T1212,Exploitation for Credential Access,[],[],,SC-18,mitigates,7 +2887,,T1218.001,Compiled HTML File,[],[],,SC-18,mitigates,7 +2888,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-18,mitigates,7 +2889,,T1548.004,Elevated Execution with Prompt,[],[],,SC-18,mitigates,7 +2890,,T1559,Inter-Process Communication,[],[],,SC-18,mitigates,7 +2891,,T1559.001,Component Object Model,[],[],,SC-18,mitigates,7 +2892,,T1559.002,Dynamic Data Exchange,[],[],,SC-18,mitigates,7 +2893,,T1068,Exploitation for Privilege Escalation,[],[],,SC-2,mitigates,7 +2894,,T1189,Drive-by 
Compromise,[],[],,SC-2,mitigates,7 +2895,,T1190,Exploit Public-Facing Application,[],[],,SC-2,mitigates,7 +2896,,T1203,Exploitation for Client Execution,[],[],,SC-2,mitigates,7 +2897,,T1210,Exploitation of Remote Services,[],[],,SC-2,mitigates,7 +2898,,T1211,Exploitation for Defense Evasion,[],[],,SC-2,mitigates,7 +2899,,T1212,Exploitation for Credential Access,[],[],,SC-2,mitigates,7 +2900,,T1071,Application Layer Protocol,[],[],,SC-20,mitigates,7 +2901,,T1071.001,Web Protocols,[],[],,SC-20,mitigates,7 +2902,,T1071.002,File Transfer Protocols,[],[],,SC-20,mitigates,7 +2903,,T1071.003,Mail Protocols,[],[],,SC-20,mitigates,7 +2904,,T1071.004,DNS,[],[],,SC-20,mitigates,7 +2905,,T1553.004,Install Root Certificate,[],[],,SC-20,mitigates,7 +2906,,T1568,Dynamic Resolution,[],[],,SC-20,mitigates,7 +2907,,T1568.002,Domain Generation Algorithms,[],[],,SC-20,mitigates,7 +2908,,T1071,Application Layer Protocol,[],[],,SC-21,mitigates,7 +2909,,T1071.001,Web Protocols,[],[],,SC-21,mitigates,7 +2910,,T1071.002,File Transfer Protocols,[],[],,SC-21,mitigates,7 +2911,,T1071.003,Mail Protocols,[],[],,SC-21,mitigates,7 +2912,,T1071.004,DNS,[],[],,SC-21,mitigates,7 +2913,,T1568,Dynamic Resolution,[],[],,SC-21,mitigates,7 +2914,,T1568.002,Domain Generation Algorithms,[],[],,SC-21,mitigates,7 +2915,,T1071,Application Layer Protocol,[],[],,SC-22,mitigates,7 +2916,,T1071.001,Web Protocols,[],[],,SC-22,mitigates,7 +2917,,T1071.002,File Transfer Protocols,[],[],,SC-22,mitigates,7 +2918,,T1071.003,Mail Protocols,[],[],,SC-22,mitigates,7 +2919,,T1071.004,DNS,[],[],,SC-22,mitigates,7 +2920,,T1568,Dynamic Resolution,[],[],,SC-22,mitigates,7 +2921,,T1568.002,Domain Generation Algorithms,[],[],,SC-22,mitigates,7 +2922,,T1071,Application Layer Protocol,[],[],,SC-23,mitigates,7 +2923,,T1071.001,Web Protocols,[],[],,SC-23,mitigates,7 +2924,,T1071.002,File Transfer Protocols,[],[],,SC-23,mitigates,7 +2925,,T1071.003,Mail Protocols,[],[],,SC-23,mitigates,7 +2926,,T1071.004,DNS,[],[],,SC-23,mitigates,7 
+2927,,T1535,Unused/Unsupported Cloud Regions,[],[],,SC-23,mitigates,7 +2928,,T1550.004,Web Session Cookie,[],[],,SC-23,mitigates,7 +2929,,T1557,Man-in-the-Middle,[],[],,SC-23,mitigates,7 +2930,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-23,mitigates,7 +2931,,T1557.002,ARP Cache Poisoning,[],[],,SC-23,mitigates,7 +2932,,T1563.001,SSH Hijacking,[],[],,SC-23,mitigates,7 +2933,,T1573,Encrypted Channel,[],[],,SC-23,mitigates,7 +2934,,T1573.001,Symmetric Cryptography,[],[],,SC-23,mitigates,7 +2935,,T1573.002,Asymmetric Cryptography,[],[],,SC-23,mitigates,7 +2936,,T1068,Exploitation for Privilege Escalation,[],[],,SC-26,mitigates,7 +2937,,T1210,Exploitation of Remote Services,[],[],,SC-26,mitigates,7 +2938,,T1211,Exploitation for Defense Evasion,[],[],,SC-26,mitigates,7 +2939,,T1212,Exploitation for Credential Access,[],[],,SC-26,mitigates,7 +2940,,T1003,OS Credential Dumping,[],[],,SC-28,mitigates,7 +2941,,T1003.001,LSASS Memory,[],[],,SC-28,mitigates,7 +2942,,T1003.002,Security Account Manager,[],[],,SC-28,mitigates,7 +2943,,T1003.003,NTDS,[],[],,SC-28,mitigates,7 +2944,,T1003.004,LSA Secrets,[],[],,SC-28,mitigates,7 +2945,,T1003.005,Cached Domain Credentials,[],[],,SC-28,mitigates,7 +2946,,T1003.006,DCSync,[],[],,SC-28,mitigates,7 +2947,,T1003.007,Proc Filesystem,[],[],,SC-28,mitigates,7 +2948,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-28,mitigates,7 +2949,,T1078,Valid Accounts,[],[],,SC-28,mitigates,7 +2950,,T1078.001,Default Accounts,[],[],,SC-28,mitigates,7 +2951,,T1078.003,Local Accounts,[],[],,SC-28,mitigates,7 +2952,,T1078.004,Cloud Accounts,[],[],,SC-28,mitigates,7 +2953,,T1204,User Execution,[],[],,SC-28,mitigates,7 +2954,,T1204.001,Malicious Link,[],[],,SC-28,mitigates,7 +2955,,T1204.002,Malicious File,[],[],,SC-28,mitigates,7 +2956,,T1530,Data from Cloud Storage Object,[],[],,SC-28,mitigates,7 +2957,,T1550.001,Application Access Token,[],[],,SC-28,mitigates,7 +2958,,T1552,Unsecured Credentials,[],[],,SC-28,mitigates,7 
+2959,,T1552.001,Credentials In Files,[],[],,SC-28,mitigates,7 +2960,,T1552.002,Credentials in Registry,[],[],,SC-28,mitigates,7 +2961,,T1552.003,Bash History,[],[],,SC-28,mitigates,7 +2962,,T1552.004,Private Keys,[],[],,SC-28,mitigates,7 +2963,,T1565,Data Manipulation,[],[],,SC-28,mitigates,7 +2964,,T1565.001,Stored Data Manipulation,[],[],,SC-28,mitigates,7 +2965,,T1565.003,Runtime Data Manipulation,[],[],,SC-28,mitigates,7 +2966,,T1599,Network Boundary Bridging,[],[],,SC-28,mitigates,7 +2967,,T1599.001,Network Address Translation Traversal,[],[],,SC-28,mitigates,7 +2968,,T1602,Data from Configuration Repository,[],[],,SC-28,mitigates,7 +2969,,T1602.001,SNMP (MIB Dump),[],[],,SC-28,mitigates,7 +2970,,T1602.002,Network Device Configuration Dump,[],[],,SC-28,mitigates,7 +2971,,T1068,Exploitation for Privilege Escalation,[],[],,SC-29,mitigates,7 +2972,,T1189,Drive-by Compromise,[],[],,SC-29,mitigates,7 +2973,,T1190,Exploit Public-Facing Application,[],[],,SC-29,mitigates,7 +2974,,T1203,Exploitation for Client Execution,[],[],,SC-29,mitigates,7 +2975,,T1210,Exploitation of Remote Services,[],[],,SC-29,mitigates,7 +2976,,T1211,Exploitation for Defense Evasion,[],[],,SC-29,mitigates,7 +2977,,T1212,Exploitation for Credential Access,[],[],,SC-29,mitigates,7 +2978,,T1021.003,Distributed Component Object Model,[],[],,SC-3,mitigates,7 +2979,,T1068,Exploitation for Privilege Escalation,[],[],,SC-3,mitigates,7 +2980,,T1134.005,SID-History Injection,[],[],,SC-3,mitigates,7 +2981,,T1189,Drive-by Compromise,[],[],,SC-3,mitigates,7 +2982,,T1190,Exploit Public-Facing Application,[],[],,SC-3,mitigates,7 +2983,,T1203,Exploitation for Client Execution,[],[],,SC-3,mitigates,7 +2984,,T1210,Exploitation of Remote Services,[],[],,SC-3,mitigates,7 +2985,,T1211,Exploitation for Defense Evasion,[],[],,SC-3,mitigates,7 +2986,,T1212,Exploitation for Credential Access,[],[],,SC-3,mitigates,7 +2987,,T1559,Inter-Process Communication,[],[],,SC-3,mitigates,7 +2988,,T1559.001,Component Object 
Model,[],[],,SC-3,mitigates,7 +2989,,T1559.002,Dynamic Data Exchange,[],[],,SC-3,mitigates,7 +2990,,T1602,Data from Configuration Repository,[],[],,SC-3,mitigates,7 +2991,,T1602.001,SNMP (MIB Dump),[],[],,SC-3,mitigates,7 +2992,,T1602.002,Network Device Configuration Dump,[],[],,SC-3,mitigates,7 +2993,,T1068,Exploitation for Privilege Escalation,[],[],,SC-30,mitigates,7 +2994,,T1189,Drive-by Compromise,[],[],,SC-30,mitigates,7 +2995,,T1190,Exploit Public-Facing Application,[],[],,SC-30,mitigates,7 +2996,,T1203,Exploitation for Client Execution,[],[],,SC-30,mitigates,7 +2997,,T1210,Exploitation of Remote Services,[],[],,SC-30,mitigates,7 +2998,,T1211,Exploitation for Defense Evasion,[],[],,SC-30,mitigates,7 +2999,,T1212,Exploitation for Credential Access,[],[],,SC-30,mitigates,7 +3000,,T1071,Application Layer Protocol,[],[],,SC-31,mitigates,7 +3001,,T1071.001,Web Protocols,[],[],,SC-31,mitigates,7 +3002,,T1071.002,File Transfer Protocols,[],[],,SC-31,mitigates,7 +3003,,T1071.003,Mail Protocols,[],[],,SC-31,mitigates,7 +3004,,T1071.004,DNS,[],[],,SC-31,mitigates,7 +3005,,T1195.003,Compromise Hardware Supply Chain,[],[],,SC-34,mitigates,7 +3006,,T1542,Pre-OS Boot,[],[],,SC-34,mitigates,7 +3007,,T1542.001,System Firmware,[],[],,SC-34,mitigates,7 +3008,,T1542.003,Bootkit,[],[],,SC-34,mitigates,7 +3009,,T1542.004,ROMMONkit,[],[],,SC-34,mitigates,7 +3010,,T1542.005,TFTP Boot,[],[],,SC-34,mitigates,7 +3011,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-34,mitigates,7 +3012,,T1548.004,Elevated Execution with Prompt,[],[],,SC-34,mitigates,7 +3013,,T1601,Modify System Image,[],[],,SC-34,mitigates,7 +3014,,T1601.001,Patch System Image,[],[],,SC-34,mitigates,7 +3015,,T1601.002,Downgrade System Image,[],[],,SC-34,mitigates,7 +3016,,T1068,Exploitation for Privilege Escalation,[],[],,SC-35,mitigates,7 +3017,,T1210,Exploitation of Remote Services,[],[],,SC-35,mitigates,7 +3018,,T1211,Exploitation for Defense Evasion,[],[],,SC-35,mitigates,7 +3019,,T1212,Exploitation for 
Credential Access,[],[],,SC-35,mitigates,7 +3020,,T1070,Indicator Removal on Host,[],[],,SC-36,mitigates,7 +3021,,T1070.001,Clear Windows Event Logs,[],[],,SC-36,mitigates,7 +3022,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-36,mitigates,7 +3023,,T1119,Automated Collection,[],[],,SC-36,mitigates,7 +3024,,T1565,Data Manipulation,[],[],,SC-36,mitigates,7 +3025,,T1565.001,Stored Data Manipulation,[],[],,SC-36,mitigates,7 +3026,,T1071,Application Layer Protocol,[],[],,SC-37,mitigates,7 +3027,,T1071.001,Web Protocols,[],[],,SC-37,mitigates,7 +3028,,T1071.002,File Transfer Protocols,[],[],,SC-37,mitigates,7 +3029,,T1071.003,Mail Protocols,[],[],,SC-37,mitigates,7 +3030,,T1071.004,DNS,[],[],,SC-37,mitigates,7 +3031,,T1003,OS Credential Dumping,[],[],,SC-39,mitigates,7 +3032,,T1003.001,LSASS Memory,[],[],,SC-39,mitigates,7 +3033,,T1003.002,Security Account Manager,[],[],,SC-39,mitigates,7 +3034,,T1003.003,NTDS,[],[],,SC-39,mitigates,7 +3035,,T1003.004,LSA Secrets,[],[],,SC-39,mitigates,7 +3036,,T1003.005,Cached Domain Credentials,[],[],,SC-39,mitigates,7 +3037,,T1003.006,DCSync,[],[],,SC-39,mitigates,7 +3038,,T1003.007,Proc Filesystem,[],[],,SC-39,mitigates,7 +3039,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-39,mitigates,7 +3040,,T1068,Exploitation for Privilege Escalation,[],[],,SC-39,mitigates,7 +3041,,T1189,Drive-by Compromise,[],[],,SC-39,mitigates,7 +3042,,T1190,Exploit Public-Facing Application,[],[],,SC-39,mitigates,7 +3043,,T1203,Exploitation for Client Execution,[],[],,SC-39,mitigates,7 +3044,,T1210,Exploitation of Remote Services,[],[],,SC-39,mitigates,7 +3045,,T1211,Exploitation for Defense Evasion,[],[],,SC-39,mitigates,7 +3046,,T1212,Exploitation for Credential Access,[],[],,SC-39,mitigates,7 +3047,,T1547.002,Authentication Package,[],[],,SC-39,mitigates,7 +3048,,T1547.005,Security Support Provider,[],[],,SC-39,mitigates,7 +3049,,T1547.008,LSASS Driver,[],[],,SC-39,mitigates,7 +3050,,T1556,Modify Authentication Process,[],[],,SC-39,mitigates,7 
+3051,,T1556.001,Domain Controller Authentication,[],[],,SC-39,mitigates,7 +3052,,T1020.001,Traffic Duplication,[],[],,SC-4,mitigates,7 +3053,,T1040,Network Sniffing,[],[],,SC-4,mitigates,7 +3054,,T1070,Indicator Removal on Host,[],[],,SC-4,mitigates,7 +3055,,T1070.001,Clear Windows Event Logs,[],[],,SC-4,mitigates,7 +3056,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-4,mitigates,7 +3057,,T1080,Taint Shared Content,[],[],,SC-4,mitigates,7 +3058,,T1119,Automated Collection,[],[],,SC-4,mitigates,7 +3059,,T1530,Data from Cloud Storage Object,[],[],,SC-4,mitigates,7 +3060,,T1552,Unsecured Credentials,[],[],,SC-4,mitigates,7 +3061,,T1552.001,Credentials In Files,[],[],,SC-4,mitigates,7 +3062,,T1552.002,Credentials in Registry,[],[],,SC-4,mitigates,7 +3063,,T1552.004,Private Keys,[],[],,SC-4,mitigates,7 +3064,,T1557,Man-in-the-Middle,[],[],,SC-4,mitigates,7 +3065,,T1557.002,ARP Cache Poisoning,[],[],,SC-4,mitigates,7 +3066,,T1558,Steal or Forge Kerberos Tickets,[],[],,SC-4,mitigates,7 +3067,,T1558.002,Silver Ticket,[],[],,SC-4,mitigates,7 +3068,,T1558.003,Kerberoasting,[],[],,SC-4,mitigates,7 +3069,,T1558.004,AS-REP Roasting,[],[],,SC-4,mitigates,7 +3070,,T1565,Data Manipulation,[],[],,SC-4,mitigates,7 +3071,,T1565.001,Stored Data Manipulation,[],[],,SC-4,mitigates,7 +3072,,T1565.002,Transmitted Data Manipulation,[],[],,SC-4,mitigates,7 +3073,,T1565.003,Runtime Data Manipulation,[],[],,SC-4,mitigates,7 +3074,,T1602,Data from Configuration Repository,[],[],,SC-4,mitigates,7 +3075,,T1602.001,SNMP (MIB Dump),[],[],,SC-4,mitigates,7 +3076,,T1602.002,Network Device Configuration Dump,[],[],,SC-4,mitigates,7 +3077,,T1052,Exfiltration Over Physical Medium,[],[],,SC-41,mitigates,7 +3078,,T1052.001,Exfiltration over USB,[],[],,SC-41,mitigates,7 +3079,,T1091,Replication Through Removable Media,[],[],,SC-41,mitigates,7 +3080,,T1200,Hardware Additions,[],[],,SC-41,mitigates,7 +3081,,T1204,User Execution,[],[],,SC-44,mitigates,7 +3082,,T1204.001,Malicious 
Link,[],[],,SC-44,mitigates,7 +3083,,T1204.002,Malicious File,[],[],,SC-44,mitigates,7 +3084,,T1221,Template Injection,[],[],,SC-44,mitigates,7 +3085,,T1566,Phishing,[],[],,SC-44,mitigates,7 +3086,,T1566.001,Spearphishing Attachment,[],[],,SC-44,mitigates,7 +3087,,T1566.002,Spearphishing Link,[],[],,SC-44,mitigates,7 +3088,,T1566.003,Spearphishing via Service,[],[],,SC-44,mitigates,7 +3089,,T1598,Phishing for Information,[],[],,SC-44,mitigates,7 +3090,,T1598.001,Spearphishing Service,[],[],,SC-44,mitigates,7 +3091,,T1598.002,Spearphishing Attachment,[],[],,SC-44,mitigates,7 +3092,,T1598.003,Spearphishing Link,[],[],,SC-44,mitigates,7 +3093,,T1021.001,Remote Desktop Protocol,[],[],,SC-46,mitigates,7 +3094,,T1021.003,Distributed Component Object Model,[],[],,SC-46,mitigates,7 +3095,,T1021.006,Windows Remote Management,[],[],,SC-46,mitigates,7 +3096,,T1046,Network Service Scanning,[],[],,SC-46,mitigates,7 +3097,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-46,mitigates,7 +3098,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-46,mitigates,7 +3099,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-46,mitigates,7 +3100,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-46,mitigates,7 +3101,,T1072,Software Deployment Tools,[],[],,SC-46,mitigates,7 +3102,,T1098,Account Manipulation,[],[],,SC-46,mitigates,7 +3103,,T1098.001,Additional Cloud Credentials,[],[],,SC-46,mitigates,7 +3104,,T1133,External Remote Services,[],[],,SC-46,mitigates,7 +3105,,T1136,Create Account,[],[],,SC-46,mitigates,7 +3106,,T1136.002,Domain Account,[],[],,SC-46,mitigates,7 +3107,,T1136.003,Cloud Account,[],[],,SC-46,mitigates,7 +3108,,T1190,Exploit Public-Facing Application,[],[],,SC-46,mitigates,7 +3109,,T1199,Trusted Relationship,[],[],,SC-46,mitigates,7 +3110,,T1210,Exploitation of Remote Services,[],[],,SC-46,mitigates,7 +3111,,T1482,Domain Trust Discovery,[],[],,SC-46,mitigates,7 +3112,,T1489,Service 
Stop,[],[],,SC-46,mitigates,7 +3113,,T1557,Man-in-the-Middle,[],[],,SC-46,mitigates,7 +3114,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-46,mitigates,7 +3115,,T1563,Remote Service Session Hijacking,[],[],,SC-46,mitigates,7 +3116,,T1563.002,RDP Hijacking,[],[],,SC-46,mitigates,7 +3117,,T1565,Data Manipulation,[],[],,SC-46,mitigates,7 +3118,,T1565.003,Runtime Data Manipulation,[],[],,SC-46,mitigates,7 +3119,,T1001,Data Obfuscation,[],[],,SC-7,mitigates,7 +3120,,T1001.001,Junk Data,[],[],,SC-7,mitigates,7 +3121,,T1001.002,Steganography,[],[],,SC-7,mitigates,7 +3122,,T1001.003,Protocol Impersonation,[],[],,SC-7,mitigates,7 +3123,,T1008,Fallback Channels,[],[],,SC-7,mitigates,7 +3124,,T1021.001,Remote Desktop Protocol,[],[],,SC-7,mitigates,7 +3125,,T1021.002,SMB/Windows Admin Shares,[],[],,SC-7,mitigates,7 +3126,,T1021.003,Distributed Component Object Model,[],[],,SC-7,mitigates,7 +3127,,T1021.005,VNC,[],[],,SC-7,mitigates,7 +3128,,T1021.006,Windows Remote Management,[],[],,SC-7,mitigates,7 +3129,,T1029,Scheduled Transfer,[],[],,SC-7,mitigates,7 +3130,,T1030,Data Transfer Size Limits,[],[],,SC-7,mitigates,7 +3131,,T1041,Exfiltration Over C2 Channel,[],[],,SC-7,mitigates,7 +3132,,T1046,Network Service Scanning,[],[],,SC-7,mitigates,7 +3133,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-7,mitigates,7 +3134,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,7 +3135,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,7 +3136,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-7,mitigates,7 +3137,,T1055,Process Injection,[],[],,SC-7,mitigates,7 +3138,,T1055.001,Dynamic-link Library Injection,[],[],,SC-7,mitigates,7 +3139,,T1055.002,Portable Executable Injection,[],[],,SC-7,mitigates,7 +3140,,T1055.003,Thread Execution Hijacking,[],[],,SC-7,mitigates,7 +3141,,T1055.004,Asynchronous Procedure Call,[],[],,SC-7,mitigates,7 +3142,,T1055.005,Thread Local 
Storage,[],[],,SC-7,mitigates,7 +3143,,T1055.008,Ptrace System Calls,[],[],,SC-7,mitigates,7 +3144,,T1055.009,Proc Memory,[],[],,SC-7,mitigates,7 +3145,,T1055.011,Extra Window Memory Injection,[],[],,SC-7,mitigates,7 +3146,,T1055.012,Process Hollowing,[],[],,SC-7,mitigates,7 +3147,,T1055.013,Process Doppelgänging,[],[],,SC-7,mitigates,7 +3148,,T1055.014,VDSO Hijacking,[],[],,SC-7,mitigates,7 +3149,,T1068,Exploitation for Privilege Escalation,[],[],,SC-7,mitigates,7 +3150,,T1071,Application Layer Protocol,[],[],,SC-7,mitigates,7 +3151,,T1071.001,Web Protocols,[],[],,SC-7,mitigates,7 +3152,,T1071.002,File Transfer Protocols,[],[],,SC-7,mitigates,7 +3153,,T1071.003,Mail Protocols,[],[],,SC-7,mitigates,7 +3154,,T1071.004,DNS,[],[],,SC-7,mitigates,7 +3155,,T1072,Software Deployment Tools,[],[],,SC-7,mitigates,7 +3156,,T1080,Taint Shared Content,[],[],,SC-7,mitigates,7 +3157,,T1090,Proxy,[],[],,SC-7,mitigates,7 +3158,,T1090.001,Internal Proxy,[],[],,SC-7,mitigates,7 +3159,,T1090.002,External Proxy,[],[],,SC-7,mitigates,7 +3160,,T1090.003,Multi-hop Proxy,[],[],,SC-7,mitigates,7 +3161,,T1095,Non-Application Layer Protocol,[],[],,SC-7,mitigates,7 +3162,,T1098,Account Manipulation,[],[],,SC-7,mitigates,7 +3163,,T1098.001,Additional Cloud Credentials,[],[],,SC-7,mitigates,7 +3164,,T1102,Web Service,[],[],,SC-7,mitigates,7 +3165,,T1102.001,Dead Drop Resolver,[],[],,SC-7,mitigates,7 +3166,,T1102.002,Bidirectional Communication,[],[],,SC-7,mitigates,7 +3167,,T1102.003,One-Way Communication,[],[],,SC-7,mitigates,7 +3168,,T1104,Multi-Stage Channels,[],[],,SC-7,mitigates,7 +3169,,T1105,Ingress Tool Transfer,[],[],,SC-7,mitigates,7 +3170,,T1114,Email Collection,[],[],,SC-7,mitigates,7 +3171,,T1114.003,Email Forwarding Rule,[],[],,SC-7,mitigates,7 +3172,,T1132,Data Encoding,[],[],,SC-7,mitigates,7 +3173,,T1132.001,Standard Encoding,[],[],,SC-7,mitigates,7 +3174,,T1132.002,Non-Standard Encoding,[],[],,SC-7,mitigates,7 +3175,,T1133,External Remote Services,[],[],,SC-7,mitigates,7 
+3176,,T1136,Create Account,[],[],,SC-7,mitigates,7 +3177,,T1136.002,Domain Account,[],[],,SC-7,mitigates,7 +3178,,T1136.003,Cloud Account,[],[],,SC-7,mitigates,7 +3179,,T1176,Browser Extensions,[],[],,SC-7,mitigates,7 +3180,,T1187,Forced Authentication,[],[],,SC-7,mitigates,7 +3181,,T1189,Drive-by Compromise,[],[],,SC-7,mitigates,7 +3182,,T1190,Exploit Public-Facing Application,[],[],,SC-7,mitigates,7 +3183,,T1197,BITS Jobs,[],[],,SC-7,mitigates,7 +3184,,T1199,Trusted Relationship,[],[],,SC-7,mitigates,7 +3185,,T1203,Exploitation for Client Execution,[],[],,SC-7,mitigates,7 +3186,,T1204,User Execution,[],[],,SC-7,mitigates,7 +3187,,T1204.001,Malicious Link,[],[],,SC-7,mitigates,7 +3188,,T1204.002,Malicious File,[],[],,SC-7,mitigates,7 +3189,,T1205,Traffic Signaling,[],[],,SC-7,mitigates,7 +3190,,T1205.001,Port Knocking,[],[],,SC-7,mitigates,7 +3191,,T1210,Exploitation of Remote Services,[],[],,SC-7,mitigates,7 +3192,,T1211,Exploitation for Defense Evasion,[],[],,SC-7,mitigates,7 +3193,,T1212,Exploitation for Credential Access,[],[],,SC-7,mitigates,7 +3194,,T1218.012,Verclsid,[],[],,SC-7,mitigates,7 +3195,,T1219,Remote Access Software,[],[],,SC-7,mitigates,7 +3196,,T1221,Template Injection,[],[],,SC-7,mitigates,7 +3197,,T1482,Domain Trust Discovery,[],[],,SC-7,mitigates,7 +3198,,T1489,Service Stop,[],[],,SC-7,mitigates,7 +3199,,T1498,Network Denial of Service,[],[],,SC-7,mitigates,7 +3200,,T1498.001,Direct Network Flood,[],[],,SC-7,mitigates,7 +3201,,T1498.002,Reflection Amplification,[],[],,SC-7,mitigates,7 +3202,,T1499,Endpoint Denial of Service,[],[],,SC-7,mitigates,7 +3203,,T1499.001,OS Exhaustion Flood,[],[],,SC-7,mitigates,7 +3204,,T1499.002,Service Exhaustion Flood,[],[],,SC-7,mitigates,7 +3205,,T1499.003,Application Exhaustion Flood,[],[],,SC-7,mitigates,7 +3206,,T1499.004,Application or System Exploitation,[],[],,SC-7,mitigates,7 +3207,,T1530,Data from Cloud Storage Object,[],[],,SC-7,mitigates,7 +3208,,T1537,Transfer Data to Cloud 
Account,[],[],,SC-7,mitigates,7 +3209,,T1542,Pre-OS Boot,[],[],,SC-7,mitigates,7 +3210,,T1542.004,ROMMONkit,[],[],,SC-7,mitigates,7 +3211,,T1542.005,TFTP Boot,[],[],,SC-7,mitigates,7 +3212,,T1552,Unsecured Credentials,[],[],,SC-7,mitigates,7 +3213,,T1552.001,Credentials In Files,[],[],,SC-7,mitigates,7 +3214,,T1552.004,Private Keys,[],[],,SC-7,mitigates,7 +3215,,T1552.005,Cloud Instance Metadata API,[],[],,SC-7,mitigates,7 +3216,,T1557,Man-in-the-Middle,[],[],,SC-7,mitigates,7 +3217,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-7,mitigates,7 +3218,,T1557.002,ARP Cache Poisoning,[],[],,SC-7,mitigates,7 +3219,,T1559,Inter-Process Communication,[],[],,SC-7,mitigates,7 +3220,,T1559.001,Component Object Model,[],[],,SC-7,mitigates,7 +3221,,T1559.002,Dynamic Data Exchange,[],[],,SC-7,mitigates,7 +3222,,T1560,Archive Collected Data,[],[],,SC-7,mitigates,7 +3223,,T1560.001,Archive via Utility,[],[],,SC-7,mitigates,7 +3224,,T1563,Remote Service Session Hijacking,[],[],,SC-7,mitigates,7 +3225,,T1563.002,RDP Hijacking,[],[],,SC-7,mitigates,7 +3226,,T1565,Data Manipulation,[],[],,SC-7,mitigates,7 +3227,,T1565.001,Stored Data Manipulation,[],[],,SC-7,mitigates,7 +3228,,T1565.003,Runtime Data Manipulation,[],[],,SC-7,mitigates,7 +3229,,T1566,Phishing,[],[],,SC-7,mitigates,7 +3230,,T1566.001,Spearphishing Attachment,[],[],,SC-7,mitigates,7 +3231,,T1566.002,Spearphishing Link,[],[],,SC-7,mitigates,7 +3232,,T1566.003,Spearphishing via Service,[],[],,SC-7,mitigates,7 +3233,,T1567,Exfiltration Over Web Service,[],[],,SC-7,mitigates,7 +3234,,T1567.001,Exfiltration to Code Repository,[],[],,SC-7,mitigates,7 +3235,,T1567.002,Exfiltration to Cloud Storage,[],[],,SC-7,mitigates,7 +3236,,T1568,Dynamic Resolution,[],[],,SC-7,mitigates,7 +3237,,T1568.002,Domain Generation Algorithms,[],[],,SC-7,mitigates,7 +3238,,T1570,Lateral Tool Transfer,[],[],,SC-7,mitigates,7 +3239,,T1571,Non-Standard Port,[],[],,SC-7,mitigates,7 +3240,,T1572,Protocol Tunneling,[],[],,SC-7,mitigates,7 
+3241,,T1573,Encrypted Channel,[],[],,SC-7,mitigates,7 +3242,,T1573.001,Symmetric Cryptography,[],[],,SC-7,mitigates,7 +3243,,T1573.002,Asymmetric Cryptography,[],[],,SC-7,mitigates,7 +3244,,T1598,Phishing for Information,[],[],,SC-7,mitigates,7 +3245,,T1598.001,Spearphishing Service,[],[],,SC-7,mitigates,7 +3246,,T1598.002,Spearphishing Attachment,[],[],,SC-7,mitigates,7 +3247,,T1598.003,Spearphishing Link,[],[],,SC-7,mitigates,7 +3248,,T1599,Network Boundary Bridging,[],[],,SC-7,mitigates,7 +3249,,T1599.001,Network Address Translation Traversal,[],[],,SC-7,mitigates,7 +3250,,T1602,Data from Configuration Repository,[],[],,SC-7,mitigates,7 +3251,,T1602.001,SNMP (MIB Dump),[],[],,SC-7,mitigates,7 +3252,,T1602.002,Network Device Configuration Dump,[],[],,SC-7,mitigates,7 +3253,,T1040,Network Sniffing,[],[],,SC-8,mitigates,7 +3254,,T1090,Proxy,[],[],,SC-8,mitigates,7 +3255,,T1090.004,Domain Fronting,[],[],,SC-8,mitigates,7 +3256,,T1550.001,Application Access Token,[],[],,SC-8,mitigates,7 +3257,,T1550.004,Web Session Cookie,[],[],,SC-8,mitigates,7 +3258,,T1557,Man-in-the-Middle,[],[],,SC-8,mitigates,7 +3259,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-8,mitigates,7 +3260,,T1557.002,ARP Cache Poisoning,[],[],,SC-8,mitigates,7 +3261,,T1562.006,Indicator Blocking,[],[],,SC-8,mitigates,7 +3262,,T1602,Data from Configuration Repository,[],[],,SC-8,mitigates,7 +3263,,T1602.001,SNMP (MIB Dump),[],[],,SC-8,mitigates,7 +3264,,T1602.002,Network Device Configuration Dump,[],[],,SC-8,mitigates,7 +3265,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-10,mitigates,7 +3266,,T1021.005,VNC,[],[],,SI-10,mitigates,7 +3267,,T1036,Masquerading,[],[],,SI-10,mitigates,7 +3268,,T1036.005,Match Legitimate Name or Location,[],[],,SI-10,mitigates,7 +3269,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-10,mitigates,7 +3270,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,7 +3271,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 
Protocol,[],[],,SI-10,mitigates,7 +3272,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-10,mitigates,7 +3273,,T1059,Command and Scripting Interpreter,[],[],,SI-10,mitigates,7 +3274,,T1059.002,AppleScript,[],[],,SI-10,mitigates,7 +3275,,T1059.003,Windows Command Shell,[],[],,SI-10,mitigates,7 +3276,,T1059.004,Unix Shell,[],[],,SI-10,mitigates,7 +3277,,T1059.005,Visual Basic,[],[],,SI-10,mitigates,7 +3278,,T1059.006,Python,[],[],,SI-10,mitigates,7 +3279,,T1059.007,JavaScript/JScript,[],[],,SI-10,mitigates,7 +3280,,T1059.008,Network Device CLI,[],[],,SI-10,mitigates,7 +3281,,T1071.004,DNS,[],[],,SI-10,mitigates,7 +3282,,T1080,Taint Shared Content,[],[],,SI-10,mitigates,7 +3283,,T1090,Proxy,[],[],,SI-10,mitigates,7 +3284,,T1090.003,Multi-hop Proxy,[],[],,SI-10,mitigates,7 +3285,,T1095,Non-Application Layer Protocol,[],[],,SI-10,mitigates,7 +3286,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-10,mitigates,7 +3287,,T1129,Shared Modules,[],[],,SI-10,mitigates,7 +3288,,T1176,Browser Extensions,[],[],,SI-10,mitigates,7 +3289,,T1187,Forced Authentication,[],[],,SI-10,mitigates,7 +3290,,T1190,Exploit Public-Facing Application,[],[],,SI-10,mitigates,7 +3291,,T1197,BITS Jobs,[],[],,SI-10,mitigates,7 +3292,,T1204,User Execution,[],[],,SI-10,mitigates,7 +3293,,T1204.002,Malicious File,[],[],,SI-10,mitigates,7 +3294,,T1216,Signed Script Proxy Execution,[],[],,SI-10,mitigates,7 +3295,,T1216.001,PubPrn,[],[],,SI-10,mitigates,7 +3296,,T1218,Signed Binary Proxy Execution,[],[],,SI-10,mitigates,7 +3297,,T1218.001,Compiled HTML File,[],[],,SI-10,mitigates,7 +3298,,T1218.002,Control Panel,[],[],,SI-10,mitigates,7 +3299,,T1218.003,CMSTP,[],[],,SI-10,mitigates,7 +3300,,T1218.004,InstallUtil,[],[],,SI-10,mitigates,7 +3301,,T1218.005,Mshta,[],[],,SI-10,mitigates,7 +3302,,T1218.008,Odbcconf,[],[],,SI-10,mitigates,7 +3303,,T1218.009,Regsvcs/Regasm,[],[],,SI-10,mitigates,7 +3304,,T1218.010,Regsvr32,[],[],,SI-10,mitigates,7 
+3305,,T1218.011,Rundll32,[],[],,SI-10,mitigates,7 +3306,,T1218.012,Verclsid,[],[],,SI-10,mitigates,7 +3307,,T1219,Remote Access Software,[],[],,SI-10,mitigates,7 +3308,,T1220,XSL Script Processing,[],[],,SI-10,mitigates,7 +3309,,T1221,Template Injection,[],[],,SI-10,mitigates,7 +3310,,T1498,Network Denial of Service,[],[],,SI-10,mitigates,7 +3311,,T1498.001,Direct Network Flood,[],[],,SI-10,mitigates,7 +3312,,T1498.002,Reflection Amplification,[],[],,SI-10,mitigates,7 +3313,,T1499,Endpoint Denial of Service,[],[],,SI-10,mitigates,7 +3314,,T1499.001,OS Exhaustion Flood,[],[],,SI-10,mitigates,7 +3315,,T1499.002,Service Exhaustion Flood,[],[],,SI-10,mitigates,7 +3316,,T1499.003,Application Exhaustion Flood,[],[],,SI-10,mitigates,7 +3317,,T1499.004,Application or System Exploitation,[],[],,SI-10,mitigates,7 +3318,,T1530,Data from Cloud Storage Object,[],[],,SI-10,mitigates,7 +3319,,T1537,Transfer Data to Cloud Account,[],[],,SI-10,mitigates,7 +3320,,T1546.002,Screensaver,[],[],,SI-10,mitigates,7 +3321,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-10,mitigates,7 +3322,,T1546.008,Accessibility Features,[],[],,SI-10,mitigates,7 +3323,,T1546.009,AppCert DLLs,[],[],,SI-10,mitigates,7 +3324,,T1546.010,AppInit DLLs,[],[],,SI-10,mitigates,7 +3325,,T1547.004,Winlogon Helper DLL,[],[],,SI-10,mitigates,7 +3326,,T1547.006,Kernel Modules and Extensions,[],[],,SI-10,mitigates,7 +3327,,T1552,Unsecured Credentials,[],[],,SI-10,mitigates,7 +3328,,T1552.005,Cloud Instance Metadata API,[],[],,SI-10,mitigates,7 +3329,,T1553,Subvert Trust Controls,[],[],,SI-10,mitigates,7 +3330,,T1553.001,Gatekeeper Bypass,[],[],,SI-10,mitigates,7 +3331,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-10,mitigates,7 +3332,,T1557,Man-in-the-Middle,[],[],,SI-10,mitigates,7 +3333,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-10,mitigates,7 +3334,,T1557.002,ARP Cache Poisoning,[],[],,SI-10,mitigates,7 +3335,,T1564.003,Hidden Window,[],[],,SI-10,mitigates,7 +3336,,T1564.006,Run Virtual 
Instance,[],[],,SI-10,mitigates,7 +3337,,T1570,Lateral Tool Transfer,[],[],,SI-10,mitigates,7 +3338,,T1572,Protocol Tunneling,[],[],,SI-10,mitigates,7 +3339,,T1574,Hijack Execution Flow,[],[],,SI-10,mitigates,7 +3340,,T1574.001,DLL Search Order Hijacking,[],[],,SI-10,mitigates,7 +3341,,T1574.006,LD_PRELOAD,[],[],,SI-10,mitigates,7 +3342,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-10,mitigates,7 +3343,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-10,mitigates,7 +3344,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-10,mitigates,7 +3345,,T1574.012,COR_PROFILER,[],[],,SI-10,mitigates,7 +3346,,T1599,Network Boundary Bridging,[],[],,SI-10,mitigates,7 +3347,,T1599.001,Network Address Translation Traversal,[],[],,SI-10,mitigates,7 +3348,,T1602,Data from Configuration Repository,[],[],,SI-10,mitigates,7 +3349,,T1602.001,SNMP (MIB Dump),[],[],,SI-10,mitigates,7 +3350,,T1602.002,Network Device Configuration Dump,[],[],,SI-10,mitigates,7 +3351,,T1003,OS Credential Dumping,[],[],,SI-12,mitigates,7 +3352,,T1003.003,NTDS,[],[],,SI-12,mitigates,7 +3353,,T1020.001,Traffic Duplication,[],[],,SI-12,mitigates,7 +3354,,T1040,Network Sniffing,[],[],,SI-12,mitigates,7 +3355,,T1070,Indicator Removal on Host,[],[],,SI-12,mitigates,7 +3356,,T1070.001,Clear Windows Event Logs,[],[],,SI-12,mitigates,7 +3357,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-12,mitigates,7 +3358,,T1114,Email Collection,[],[],,SI-12,mitigates,7 +3359,,T1114.001,Local Email Collection,[],[],,SI-12,mitigates,7 +3360,,T1114.002,Remote Email Collection,[],[],,SI-12,mitigates,7 +3361,,T1114.003,Email Forwarding Rule,[],[],,SI-12,mitigates,7 +3362,,T1119,Automated Collection,[],[],,SI-12,mitigates,7 +3363,,T1530,Data from Cloud Storage Object,[],[],,SI-12,mitigates,7 +3364,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-12,mitigates,7 +3365,,T1548.004,Elevated Execution with Prompt,[],[],,SI-12,mitigates,7 +3366,,T1550.001,Application Access 
Token,[],[],,SI-12,mitigates,7 +3367,,T1552,Unsecured Credentials,[],[],,SI-12,mitigates,7 +3368,,T1552.004,Private Keys,[],[],,SI-12,mitigates,7 +3369,,T1557,Man-in-the-Middle,[],[],,SI-12,mitigates,7 +3370,,T1557.002,ARP Cache Poisoning,[],[],,SI-12,mitigates,7 +3371,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-12,mitigates,7 +3372,,T1558.002,Silver Ticket,[],[],,SI-12,mitigates,7 +3373,,T1558.003,Kerberoasting,[],[],,SI-12,mitigates,7 +3374,,T1558.004,AS-REP Roasting,[],[],,SI-12,mitigates,7 +3375,,T1565,Data Manipulation,[],[],,SI-12,mitigates,7 +3376,,T1565.001,Stored Data Manipulation,[],[],,SI-12,mitigates,7 +3377,,T1565.002,Transmitted Data Manipulation,[],[],,SI-12,mitigates,7 +3378,,T1602,Data from Configuration Repository,[],[],,SI-12,mitigates,7 +3379,,T1602.001,SNMP (MIB Dump),[],[],,SI-12,mitigates,7 +3380,,T1602.002,Network Device Configuration Dump,[],[],,SI-12,mitigates,7 +3381,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-15,mitigates,7 +3382,,T1021.005,VNC,[],[],,SI-15,mitigates,7 +3383,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-15,mitigates,7 +3384,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,7 +3385,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,7 +3386,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-15,mitigates,7 +3387,,T1071.004,DNS,[],[],,SI-15,mitigates,7 +3388,,T1090,Proxy,[],[],,SI-15,mitigates,7 +3389,,T1090.003,Multi-hop Proxy,[],[],,SI-15,mitigates,7 +3390,,T1095,Non-Application Layer Protocol,[],[],,SI-15,mitigates,7 +3391,,T1187,Forced Authentication,[],[],,SI-15,mitigates,7 +3392,,T1197,BITS Jobs,[],[],,SI-15,mitigates,7 +3393,,T1205,Traffic Signaling,[],[],,SI-15,mitigates,7 +3394,,T1205.001,Port Knocking,[],[],,SI-15,mitigates,7 +3395,,T1218.012,Verclsid,[],[],,SI-15,mitigates,7 +3396,,T1219,Remote Access Software,[],[],,SI-15,mitigates,7 +3397,,T1498,Network Denial of 
Service,[],[],,SI-15,mitigates,7 +3398,,T1498.001,Direct Network Flood,[],[],,SI-15,mitigates,7 +3399,,T1498.002,Reflection Amplification,[],[],,SI-15,mitigates,7 +3400,,T1499,Endpoint Denial of Service,[],[],,SI-15,mitigates,7 +3401,,T1499.001,OS Exhaustion Flood,[],[],,SI-15,mitigates,7 +3402,,T1499.002,Service Exhaustion Flood,[],[],,SI-15,mitigates,7 +3403,,T1499.003,Application Exhaustion Flood,[],[],,SI-15,mitigates,7 +3404,,T1499.004,Application or System Exploitation,[],[],,SI-15,mitigates,7 +3405,,T1530,Data from Cloud Storage Object,[],[],,SI-15,mitigates,7 +3406,,T1537,Transfer Data to Cloud Account,[],[],,SI-15,mitigates,7 +3407,,T1552,Unsecured Credentials,[],[],,SI-15,mitigates,7 +3408,,T1552.005,Cloud Instance Metadata API,[],[],,SI-15,mitigates,7 +3409,,T1557,Man-in-the-Middle,[],[],,SI-15,mitigates,7 +3410,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-15,mitigates,7 +3411,,T1557.002,ARP Cache Poisoning,[],[],,SI-15,mitigates,7 +3412,,T1570,Lateral Tool Transfer,[],[],,SI-15,mitigates,7 +3413,,T1572,Protocol Tunneling,[],[],,SI-15,mitigates,7 +3414,,T1599,Network Boundary Bridging,[],[],,SI-15,mitigates,7 +3415,,T1599.001,Network Address Translation Traversal,[],[],,SI-15,mitigates,7 +3416,,T1602,Data from Configuration Repository,[],[],,SI-15,mitigates,7 +3417,,T1602.001,SNMP (MIB Dump),[],[],,SI-15,mitigates,7 +3418,,T1602.002,Network Device Configuration Dump,[],[],,SI-15,mitigates,7 +3419,,T1055.009,Proc Memory,[],[],,SI-16,mitigates,7 +3420,,T1543,Create or Modify System Process,[],[],,SI-16,mitigates,7 +3421,,T1543.002,Systemd Service,[],[],,SI-16,mitigates,7 +3422,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-16,mitigates,7 +3423,,T1548.004,Elevated Execution with Prompt,[],[],,SI-16,mitigates,7 +3424,,T1565,Data Manipulation,[],[],,SI-16,mitigates,7 +3425,,T1565.001,Stored Data Manipulation,[],[],,SI-16,mitigates,7 +3426,,T1565.003,Runtime Data Manipulation,[],[],,SI-16,mitigates,7 +3427,,T1027,Obfuscated Files or 
Information,[],[],,SI-2,mitigates,7 +3428,,T1027.002,Software Packing,[],[],,SI-2,mitigates,7 +3429,,T1055,Process Injection,[],[],,SI-2,mitigates,7 +3430,,T1055.001,Dynamic-link Library Injection,[],[],,SI-2,mitigates,7 +3431,,T1055.002,Portable Executable Injection,[],[],,SI-2,mitigates,7 +3432,,T1055.003,Thread Execution Hijacking,[],[],,SI-2,mitigates,7 +3433,,T1055.004,Asynchronous Procedure Call,[],[],,SI-2,mitigates,7 +3434,,T1055.005,Thread Local Storage,[],[],,SI-2,mitigates,7 +3435,,T1055.008,Ptrace System Calls,[],[],,SI-2,mitigates,7 +3436,,T1055.009,Proc Memory,[],[],,SI-2,mitigates,7 +3437,,T1055.011,Extra Window Memory Injection,[],[],,SI-2,mitigates,7 +3438,,T1055.012,Process Hollowing,[],[],,SI-2,mitigates,7 +3439,,T1055.013,Process Doppelgänging,[],[],,SI-2,mitigates,7 +3440,,T1055.014,VDSO Hijacking,[],[],,SI-2,mitigates,7 +3441,,T1059,Command and Scripting Interpreter,[],[],,SI-2,mitigates,7 +3442,,T1059.001,PowerShell,[],[],,SI-2,mitigates,7 +3443,,T1059.005,Visual Basic,[],[],,SI-2,mitigates,7 +3444,,T1059.006,Python,[],[],,SI-2,mitigates,7 +3445,,T1068,Exploitation for Privilege Escalation,[],[],,SI-2,mitigates,7 +3446,,T1072,Software Deployment Tools,[],[],,SI-2,mitigates,7 +3447,,T1137,Office Application Startup,[],[],,SI-2,mitigates,7 +3448,,T1137.003,Outlook Forms,[],[],,SI-2,mitigates,7 +3449,,T1137.004,Outlook Home Page,[],[],,SI-2,mitigates,7 +3450,,T1137.005,Outlook Rules,[],[],,SI-2,mitigates,7 +3451,,T1189,Drive-by Compromise,[],[],,SI-2,mitigates,7 +3452,,T1190,Exploit Public-Facing Application,[],[],,SI-2,mitigates,7 +3453,,T1195,Supply Chain Compromise,[],[],,SI-2,mitigates,7 +3454,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SI-2,mitigates,7 +3455,,T1195.002,Compromise Software Supply Chain,[],[],,SI-2,mitigates,7 +3456,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-2,mitigates,7 +3457,,T1204,User Execution,[],[],,SI-2,mitigates,7 +3458,,T1204.001,Malicious Link,[],[],,SI-2,mitigates,7 
+3459,,T1210,Exploitation of Remote Services,[],[],,SI-2,mitigates,7 +3460,,T1211,Exploitation for Defense Evasion,[],[],,SI-2,mitigates,7 +3461,,T1212,Exploitation for Credential Access,[],[],,SI-2,mitigates,7 +3462,,T1221,Template Injection,[],[],,SI-2,mitigates,7 +3463,,T1495,Firmware Corruption,[],[],,SI-2,mitigates,7 +3464,,T1525,Implant Container Image,[],[],,SI-2,mitigates,7 +3465,,T1542,Pre-OS Boot,[],[],,SI-2,mitigates,7 +3466,,T1542.001,System Firmware,[],[],,SI-2,mitigates,7 +3467,,T1542.003,Bootkit,[],[],,SI-2,mitigates,7 +3468,,T1542.004,ROMMONkit,[],[],,SI-2,mitigates,7 +3469,,T1542.005,TFTP Boot,[],[],,SI-2,mitigates,7 +3470,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-2,mitigates,7 +3471,,T1546.010,AppInit DLLs,[],[],,SI-2,mitigates,7 +3472,,T1546.011,Application Shimming,[],[],,SI-2,mitigates,7 +3473,,T1547.006,Kernel Modules and Extensions,[],[],,SI-2,mitigates,7 +3474,,T1548.002,Bypass User Account Control,[],[],,SI-2,mitigates,7 +3475,,T1550.002,Pass the Hash,[],[],,SI-2,mitigates,7 +3476,,T1552,Unsecured Credentials,[],[],,SI-2,mitigates,7 +3477,,T1552.006,Group Policy Preferences,[],[],,SI-2,mitigates,7 +3478,,T1559,Inter-Process Communication,[],[],,SI-2,mitigates,7 +3479,,T1559.002,Dynamic Data Exchange,[],[],,SI-2,mitigates,7 +3480,,T1566,Phishing,[],[],,SI-2,mitigates,7 +3481,,T1566.001,Spearphishing Attachment,[],[],,SI-2,mitigates,7 +3482,,T1566.003,Spearphishing via Service,[],[],,SI-2,mitigates,7 +3483,,T1574,Hijack Execution Flow,[],[],,SI-2,mitigates,7 +3484,,T1574.002,DLL Side-Loading,[],[],,SI-2,mitigates,7 +3485,,T1601,Modify System Image,[],[],,SI-2,mitigates,7 +3486,,T1601.001,Patch System Image,[],[],,SI-2,mitigates,7 +3487,,T1601.002,Downgrade System Image,[],[],,SI-2,mitigates,7 +3488,,T1070,Indicator Removal on Host,[],[],,SI-23,mitigates,7 +3489,,T1070.001,Clear Windows Event Logs,[],[],,SI-23,mitigates,7 +3490,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-23,mitigates,7 +3491,,T1072,Software Deployment 
Tools,[],[],,SI-23,mitigates,7 +3492,,T1119,Automated Collection,[],[],,SI-23,mitigates,7 +3493,,T1565,Data Manipulation,[],[],,SI-23,mitigates,7 +3494,,T1565.001,Stored Data Manipulation,[],[],,SI-23,mitigates,7 +3495,,T1001,Data Obfuscation,[],[],,SI-3,mitigates,7 +3496,,T1001.001,Junk Data,[],[],,SI-3,mitigates,7 +3497,,T1001.002,Steganography,[],[],,SI-3,mitigates,7 +3498,,T1001.003,Protocol Impersonation,[],[],,SI-3,mitigates,7 +3499,,T1003,OS Credential Dumping,[],[],,SI-3,mitigates,7 +3500,,T1003.001,LSASS Memory,[],[],,SI-3,mitigates,7 +3501,,T1003.002,Security Account Manager,[],[],,SI-3,mitigates,7 +3502,,T1003.003,NTDS,[],[],,SI-3,mitigates,7 +3503,,T1003.004,LSA Secrets,[],[],,SI-3,mitigates,7 +3504,,T1003.005,Cached Domain Credentials,[],[],,SI-3,mitigates,7 +3505,,T1003.006,DCSync,[],[],,SI-3,mitigates,7 +3506,,T1003.007,Proc Filesystem,[],[],,SI-3,mitigates,7 +3507,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-3,mitigates,7 +3508,,T1008,Fallback Channels,[],[],,SI-3,mitigates,7 +3509,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-3,mitigates,7 +3510,,T1021.003,Distributed Component Object Model,[],[],,SI-3,mitigates,7 +3511,,T1021.005,VNC,[],[],,SI-3,mitigates,7 +3512,,T1027,Obfuscated Files or Information,[],[],,SI-3,mitigates,7 +3513,,T1027.002,Software Packing,[],[],,SI-3,mitigates,7 +3514,,T1029,Scheduled Transfer,[],[],,SI-3,mitigates,7 +3515,,T1030,Data Transfer Size Limits,[],[],,SI-3,mitigates,7 +3516,,T1036,Masquerading,[],[],,SI-3,mitigates,7 +3517,,T1036.003,Rename System Utilities,[],[],,SI-3,mitigates,7 +3518,,T1036.005,Match Legitimate Name or Location,[],[],,SI-3,mitigates,7 +3519,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-3,mitigates,7 +3520,,T1037.002,Logon Script (Mac),[],[],,SI-3,mitigates,7 +3521,,T1037.003,Network Logon Script,[],[],,SI-3,mitigates,7 +3522,,T1037.004,Rc.common,[],[],,SI-3,mitigates,7 +3523,,T1037.005,Startup Items,[],[],,SI-3,mitigates,7 +3524,,T1041,Exfiltration Over C2 
Channel,[],[],,SI-3,mitigates,7 +3525,,T1046,Network Service Scanning,[],[],,SI-3,mitigates,7 +3526,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-3,mitigates,7 +3527,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,7 +3528,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,7 +3529,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-3,mitigates,7 +3530,,T1052,Exfiltration Over Physical Medium,[],[],,SI-3,mitigates,7 +3531,,T1052.001,Exfiltration over USB,[],[],,SI-3,mitigates,7 +3532,,T1055,Process Injection,[],[],,SI-3,mitigates,7 +3533,,T1055.001,Dynamic-link Library Injection,[],[],,SI-3,mitigates,7 +3534,,T1055.002,Portable Executable Injection,[],[],,SI-3,mitigates,7 +3535,,T1055.003,Thread Execution Hijacking,[],[],,SI-3,mitigates,7 +3536,,T1055.004,Asynchronous Procedure Call,[],[],,SI-3,mitigates,7 +3537,,T1055.005,Thread Local Storage,[],[],,SI-3,mitigates,7 +3538,,T1055.008,Ptrace System Calls,[],[],,SI-3,mitigates,7 +3539,,T1055.009,Proc Memory,[],[],,SI-3,mitigates,7 +3540,,T1055.011,Extra Window Memory Injection,[],[],,SI-3,mitigates,7 +3541,,T1055.012,Process Hollowing,[],[],,SI-3,mitigates,7 +3542,,T1055.013,Process Doppelgänging,[],[],,SI-3,mitigates,7 +3543,,T1055.014,VDSO Hijacking,[],[],,SI-3,mitigates,7 +3544,,T1056.002,GUI Input Capture,[],[],,SI-3,mitigates,7 +3545,,T1059,Command and Scripting Interpreter,[],[],,SI-3,mitigates,7 +3546,,T1059.001,PowerShell,[],[],,SI-3,mitigates,7 +3547,,T1059.005,Visual Basic,[],[],,SI-3,mitigates,7 +3548,,T1059.006,Python,[],[],,SI-3,mitigates,7 +3549,,T1059.007,JavaScript/JScript,[],[],,SI-3,mitigates,7 +3550,,T1068,Exploitation for Privilege Escalation,[],[],,SI-3,mitigates,7 +3551,,T1070,Indicator Removal on Host,[],[],,SI-3,mitigates,7 +3552,,T1070.001,Clear Windows Event Logs,[],[],,SI-3,mitigates,7 +3553,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-3,mitigates,7 +3554,,T1070.003,Clear 
Command History,[],[],,SI-3,mitigates,7 +3555,,T1071,Application Layer Protocol,[],[],,SI-3,mitigates,7 +3556,,T1071.001,Web Protocols,[],[],,SI-3,mitigates,7 +3557,,T1071.002,File Transfer Protocols,[],[],,SI-3,mitigates,7 +3558,,T1071.003,Mail Protocols,[],[],,SI-3,mitigates,7 +3559,,T1071.004,DNS,[],[],,SI-3,mitigates,7 +3560,,T1072,Software Deployment Tools,[],[],,SI-3,mitigates,7 +3561,,T1080,Taint Shared Content,[],[],,SI-3,mitigates,7 +3562,,T1090,Proxy,[],[],,SI-3,mitigates,7 +3563,,T1090.001,Internal Proxy,[],[],,SI-3,mitigates,7 +3564,,T1090.002,External Proxy,[],[],,SI-3,mitigates,7 +3565,,T1091,Replication Through Removable Media,[],[],,SI-3,mitigates,7 +3566,,T1092,Communication Through Removable Media,[],[],,SI-3,mitigates,7 +3567,,T1095,Non-Application Layer Protocol,[],[],,SI-3,mitigates,7 +3568,,T1098.004,SSH Authorized Keys,[],[],,SI-3,mitigates,7 +3569,,T1102,Web Service,[],[],,SI-3,mitigates,7 +3570,,T1102.001,Dead Drop Resolver,[],[],,SI-3,mitigates,7 +3571,,T1102.002,Bidirectional Communication,[],[],,SI-3,mitigates,7 +3572,,T1102.003,One-Way Communication,[],[],,SI-3,mitigates,7 +3573,,T1104,Multi-Stage Channels,[],[],,SI-3,mitigates,7 +3574,,T1105,Ingress Tool Transfer,[],[],,SI-3,mitigates,7 +3575,,T1111,Two-Factor Authentication Interception,[],[],,SI-3,mitigates,7 +3576,,T1132,Data Encoding,[],[],,SI-3,mitigates,7 +3577,,T1132.001,Standard Encoding,[],[],,SI-3,mitigates,7 +3578,,T1132.002,Non-Standard Encoding,[],[],,SI-3,mitigates,7 +3579,,T1137,Office Application Startup,[],[],,SI-3,mitigates,7 +3580,,T1137.001,Office Template Macros,[],[],,SI-3,mitigates,7 +3581,,T1176,Browser Extensions,[],[],,SI-3,mitigates,7 +3582,,T1185,Man in the Browser,[],[],,SI-3,mitigates,7 +3583,,T1189,Drive-by Compromise,[],[],,SI-3,mitigates,7 +3584,,T1190,Exploit Public-Facing Application,[],[],,SI-3,mitigates,7 +3585,,T1201,Password Policy Discovery,[],[],,SI-3,mitigates,7 +3586,,T1203,Exploitation for Client Execution,[],[],,SI-3,mitigates,7 
+3587,,T1204,User Execution,[],[],,SI-3,mitigates,7 +3588,,T1204.001,Malicious Link,[],[],,SI-3,mitigates,7 +3589,,T1204.002,Malicious File,[],[],,SI-3,mitigates,7 +3590,,T1210,Exploitation of Remote Services,[],[],,SI-3,mitigates,7 +3591,,T1211,Exploitation for Defense Evasion,[],[],,SI-3,mitigates,7 +3592,,T1212,Exploitation for Credential Access,[],[],,SI-3,mitigates,7 +3593,,T1218.002,Control Panel,[],[],,SI-3,mitigates,7 +3594,,T1219,Remote Access Software,[],[],,SI-3,mitigates,7 +3595,,T1221,Template Injection,[],[],,SI-3,mitigates,7 +3596,,T1485,Data Destruction,[],[],,SI-3,mitigates,7 +3597,,T1486,Data Encrypted for Impact,[],[],,SI-3,mitigates,7 +3598,,T1490,Inhibit System Recovery,[],[],,SI-3,mitigates,7 +3599,,T1491,Defacement,[],[],,SI-3,mitigates,7 +3600,,T1491.001,Internal Defacement,[],[],,SI-3,mitigates,7 +3601,,T1491.002,External Defacement,[],[],,SI-3,mitigates,7 +3602,,T1525,Implant Container Image,[],[],,SI-3,mitigates,7 +3603,,T1539,Steal Web Session Cookie,[],[],,SI-3,mitigates,7 +3604,,T1543,Create or Modify System Process,[],[],,SI-3,mitigates,7 +3605,,T1543.002,Systemd Service,[],[],,SI-3,mitigates,7 +3606,,T1546.002,Screensaver,[],[],,SI-3,mitigates,7 +3607,,T1546.004,.bash_profile and .bashrc,[],[],,SI-3,mitigates,7 +3608,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-3,mitigates,7 +3609,,T1546.013,PowerShell Profile,[],[],,SI-3,mitigates,7 +3610,,T1546.014,Emond,[],[],,SI-3,mitigates,7 +3611,,T1547.002,Authentication Package,[],[],,SI-3,mitigates,7 +3612,,T1547.005,Security Support Provider,[],[],,SI-3,mitigates,7 +3613,,T1547.006,Kernel Modules and Extensions,[],[],,SI-3,mitigates,7 +3614,,T1547.007,Re-opened Applications,[],[],,SI-3,mitigates,7 +3615,,T1547.008,LSASS Driver,[],[],,SI-3,mitigates,7 +3616,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-3,mitigates,7 +3617,,T1548.004,Elevated Execution with Prompt,[],[],,SI-3,mitigates,7 +3618,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-3,mitigates,7 
+3619,,T1557,Man-in-the-Middle,[],[],,SI-3,mitigates,7 +3620,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-3,mitigates,7 +3621,,T1557.002,ARP Cache Poisoning,[],[],,SI-3,mitigates,7 +3622,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-3,mitigates,7 +3623,,T1558.002,Silver Ticket,[],[],,SI-3,mitigates,7 +3624,,T1558.003,Kerberoasting,[],[],,SI-3,mitigates,7 +3625,,T1558.004,AS-REP Roasting,[],[],,SI-3,mitigates,7 +3626,,T1559,Inter-Process Communication,[],[],,SI-3,mitigates,7 +3627,,T1559.001,Component Object Model,[],[],,SI-3,mitigates,7 +3628,,T1559.002,Dynamic Data Exchange,[],[],,SI-3,mitigates,7 +3629,,T1560,Archive Collected Data,[],[],,SI-3,mitigates,7 +3630,,T1560.001,Archive via Utility,[],[],,SI-3,mitigates,7 +3631,,T1561,Disk Wipe,[],[],,SI-3,mitigates,7 +3632,,T1561.001,Disk Content Wipe,[],[],,SI-3,mitigates,7 +3633,,T1561.002,Disk Structure Wipe,[],[],,SI-3,mitigates,7 +3634,,T1562,Impair Defenses,[],[],,SI-3,mitigates,7 +3635,,T1562.001,Disable or Modify Tools,[],[],,SI-3,mitigates,7 +3636,,T1562.002,Disable Windows Event Logging,[],[],,SI-3,mitigates,7 +3637,,T1562.004,Disable or Modify System Firewall,[],[],,SI-3,mitigates,7 +3638,,T1562.006,Indicator Blocking,[],[],,SI-3,mitigates,7 +3639,,T1564.004,NTFS File Attributes,[],[],,SI-3,mitigates,7 +3640,,T1566,Phishing,[],[],,SI-3,mitigates,7 +3641,,T1566.001,Spearphishing Attachment,[],[],,SI-3,mitigates,7 +3642,,T1566.002,Spearphishing Link,[],[],,SI-3,mitigates,7 +3643,,T1566.003,Spearphishing via Service,[],[],,SI-3,mitigates,7 +3644,,T1568,Dynamic Resolution,[],[],,SI-3,mitigates,7 +3645,,T1568.002,Domain Generation Algorithms,[],[],,SI-3,mitigates,7 +3646,,T1569,System Services,[],[],,SI-3,mitigates,7 +3647,,T1569.002,Service Execution,[],[],,SI-3,mitigates,7 +3648,,T1570,Lateral Tool Transfer,[],[],,SI-3,mitigates,7 +3649,,T1571,Non-Standard Port,[],[],,SI-3,mitigates,7 +3650,,T1572,Protocol Tunneling,[],[],,SI-3,mitigates,7 +3651,,T1573,Encrypted Channel,[],[],,SI-3,mitigates,7 
+3652,,T1573.001,Symmetric Cryptography,[],[],,SI-3,mitigates,7 +3653,,T1573.002,Asymmetric Cryptography,[],[],,SI-3,mitigates,7 +3654,,T1574,Hijack Execution Flow,[],[],,SI-3,mitigates,7 +3655,,T1574.001,DLL Search Order Hijacking,[],[],,SI-3,mitigates,7 +3656,,T1574.002,DLL Side-Loading,[],[],,SI-3,mitigates,7 +3657,,T1574.004,Dylib Hijacking,[],[],,SI-3,mitigates,7 +3658,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-3,mitigates,7 +3659,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-3,mitigates,7 +3660,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-3,mitigates,7 +3661,,T1598,Phishing for Information,[],[],,SI-3,mitigates,7 +3662,,T1598.001,Spearphishing Service,[],[],,SI-3,mitigates,7 +3663,,T1598.002,Spearphishing Attachment,[],[],,SI-3,mitigates,7 +3664,,T1598.003,Spearphishing Link,[],[],,SI-3,mitigates,7 +3665,,T1602,Data from Configuration Repository,[],[],,SI-3,mitigates,7 +3666,,T1602.001,SNMP (MIB Dump),[],[],,SI-3,mitigates,7 +3667,,T1602.002,Network Device Configuration Dump,[],[],,SI-3,mitigates,7 +3668,,T1001,Data Obfuscation,[],[],,SI-4,mitigates,7 +3669,,T1001.001,Junk Data,[],[],,SI-4,mitigates,7 +3670,,T1001.002,Steganography,[],[],,SI-4,mitigates,7 +3671,,T1001.003,Protocol Impersonation,[],[],,SI-4,mitigates,7 +3672,,T1003,OS Credential Dumping,[],[],,SI-4,mitigates,7 +3673,,T1003.001,LSASS Memory,[],[],,SI-4,mitigates,7 +3674,,T1003.002,Security Account Manager,[],[],,SI-4,mitigates,7 +3675,,T1003.003,NTDS,[],[],,SI-4,mitigates,7 +3676,,T1003.004,LSA Secrets,[],[],,SI-4,mitigates,7 +3677,,T1003.005,Cached Domain Credentials,[],[],,SI-4,mitigates,7 +3678,,T1003.006,DCSync,[],[],,SI-4,mitigates,7 +3679,,T1003.007,Proc Filesystem,[],[],,SI-4,mitigates,7 +3680,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-4,mitigates,7 +3681,,T1008,Fallback Channels,[],[],,SI-4,mitigates,7 +3682,,T1011,Exfiltration Over Other Network Medium,[],[],,SI-4,mitigates,7 +3683,,T1011.001,Exfiltration Over 
Bluetooth,[],[],,SI-4,mitigates,7 +3684,,T1020.001,Traffic Duplication,[],[],,SI-4,mitigates,7 +3685,,T1021,Remote Services,[],[],,SI-4,mitigates,7 +3686,,T1021.001,Remote Desktop Protocol,[],[],,SI-4,mitigates,7 +3687,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-4,mitigates,7 +3688,,T1021.003,Distributed Component Object Model,[],[],,SI-4,mitigates,7 +3689,,T1021.004,SSH,[],[],,SI-4,mitigates,7 +3690,,T1021.005,VNC,[],[],,SI-4,mitigates,7 +3691,,T1021.006,Windows Remote Management,[],[],,SI-4,mitigates,7 +3692,,T1027,Obfuscated Files or Information,[],[],,SI-4,mitigates,7 +3693,,T1027.002,Software Packing,[],[],,SI-4,mitigates,7 +3694,,T1029,Scheduled Transfer,[],[],,SI-4,mitigates,7 +3695,,T1030,Data Transfer Size Limits,[],[],,SI-4,mitigates,7 +3696,,T1036,Masquerading,[],[],,SI-4,mitigates,7 +3697,,T1036.003,Rename System Utilities,[],[],,SI-4,mitigates,7 +3698,,T1036.005,Match Legitimate Name or Location,[],[],,SI-4,mitigates,7 +3699,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-4,mitigates,7 +3700,,T1037.002,Logon Script (Mac),[],[],,SI-4,mitigates,7 +3701,,T1037.003,Network Logon Script,[],[],,SI-4,mitigates,7 +3702,,T1037.004,Rc.common,[],[],,SI-4,mitigates,7 +3703,,T1037.005,Startup Items,[],[],,SI-4,mitigates,7 +3704,,T1040,Network Sniffing,[],[],,SI-4,mitigates,7 +3705,,T1041,Exfiltration Over C2 Channel,[],[],,SI-4,mitigates,7 +3706,,T1046,Network Service Scanning,[],[],,SI-4,mitigates,7 +3707,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-4,mitigates,7 +3708,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,7 +3709,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,7 +3710,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-4,mitigates,7 +3711,,T1052,Exfiltration Over Physical Medium,[],[],,SI-4,mitigates,7 +3712,,T1052.001,Exfiltration over USB,[],[],,SI-4,mitigates,7 +3713,,T1053,Scheduled Task/Job,[],[],,SI-4,mitigates,7 
+3714,,T1053.001,At (Linux),[],[],,SI-4,mitigates,7 +3715,,T1053.002,At (Windows),[],[],,SI-4,mitigates,7 +3716,,T1053.003,Cron,[],[],,SI-4,mitigates,7 +3717,,T1053.004,Launchd,[],[],,SI-4,mitigates,7 +3718,,T1053.005,Scheduled Task,[],[],,SI-4,mitigates,7 +3719,,T1053.006,Systemd Timers,[],[],,SI-4,mitigates,7 +3720,,T1055,Process Injection,[],[],,SI-4,mitigates,7 +3721,,T1055.001,Dynamic-link Library Injection,[],[],,SI-4,mitigates,7 +3722,,T1055.002,Portable Executable Injection,[],[],,SI-4,mitigates,7 +3723,,T1055.003,Thread Execution Hijacking,[],[],,SI-4,mitigates,7 +3724,,T1055.004,Asynchronous Procedure Call,[],[],,SI-4,mitigates,7 +3725,,T1055.005,Thread Local Storage,[],[],,SI-4,mitigates,7 +3726,,T1055.008,Ptrace System Calls,[],[],,SI-4,mitigates,7 +3727,,T1055.009,Proc Memory,[],[],,SI-4,mitigates,7 +3728,,T1055.011,Extra Window Memory Injection,[],[],,SI-4,mitigates,7 +3729,,T1055.012,Process Hollowing,[],[],,SI-4,mitigates,7 +3730,,T1055.013,Process Doppelgänging,[],[],,SI-4,mitigates,7 +3731,,T1055.014,VDSO Hijacking,[],[],,SI-4,mitigates,7 +3732,,T1056.002,GUI Input Capture,[],[],,SI-4,mitigates,7 +3733,,T1059,Command and Scripting Interpreter,[],[],,SI-4,mitigates,7 +3734,,T1059.001,PowerShell,[],[],,SI-4,mitigates,7 +3735,,T1059.005,Visual Basic,[],[],,SI-4,mitigates,7 +3736,,T1059.006,Python,[],[],,SI-4,mitigates,7 +3737,,T1059.007,JavaScript/JScript,[],[],,SI-4,mitigates,7 +3738,,T1068,Exploitation for Privilege Escalation,[],[],,SI-4,mitigates,7 +3739,,T1070,Indicator Removal on Host,[],[],,SI-4,mitigates,7 +3740,,T1070.001,Clear Windows Event Logs,[],[],,SI-4,mitigates,7 +3741,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-4,mitigates,7 +3742,,T1070.003,Clear Command History,[],[],,SI-4,mitigates,7 +3743,,T1071,Application Layer Protocol,[],[],,SI-4,mitigates,7 +3744,,T1071.001,Web Protocols,[],[],,SI-4,mitigates,7 +3745,,T1071.002,File Transfer Protocols,[],[],,SI-4,mitigates,7 +3746,,T1071.003,Mail Protocols,[],[],,SI-4,mitigates,7 
+3747,,T1071.004,DNS,[],[],,SI-4,mitigates,7 +3748,,T1072,Software Deployment Tools,[],[],,SI-4,mitigates,7 +3749,,T1078,Valid Accounts,[],[],,SI-4,mitigates,7 +3750,,T1078.001,Default Accounts,[],[],,SI-4,mitigates,7 +3751,,T1078.002,Domain Accounts,[],[],,SI-4,mitigates,7 +3752,,T1078.003,Local Accounts,[],[],,SI-4,mitigates,7 +3753,,T1078.004,Cloud Accounts,[],[],,SI-4,mitigates,7 +3754,,T1080,Taint Shared Content,[],[],,SI-4,mitigates,7 +3755,,T1087,Account Discovery,[],[],,SI-4,mitigates,7 +3756,,T1087.001,Local Account,[],[],,SI-4,mitigates,7 +3757,,T1087.002,Domain Account,[],[],,SI-4,mitigates,7 +3758,,T1090,Proxy,[],[],,SI-4,mitigates,7 +3759,,T1090.001,Internal Proxy,[],[],,SI-4,mitigates,7 +3760,,T1090.002,External Proxy,[],[],,SI-4,mitigates,7 +3761,,T1091,Replication Through Removable Media,[],[],,SI-4,mitigates,7 +3762,,T1092,Communication Through Removable Media,[],[],,SI-4,mitigates,7 +3763,,T1095,Non-Application Layer Protocol,[],[],,SI-4,mitigates,7 +3764,,T1098,Account Manipulation,[],[],,SI-4,mitigates,7 +3765,,T1098.001,Additional Cloud Credentials,[],[],,SI-4,mitigates,7 +3766,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-4,mitigates,7 +3767,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-4,mitigates,7 +3768,,T1098.004,SSH Authorized Keys,[],[],,SI-4,mitigates,7 +3769,,T1102,Web Service,[],[],,SI-4,mitigates,7 +3770,,T1102.001,Dead Drop Resolver,[],[],,SI-4,mitigates,7 +3771,,T1102.002,Bidirectional Communication,[],[],,SI-4,mitigates,7 +3772,,T1102.003,One-Way Communication,[],[],,SI-4,mitigates,7 +3773,,T1104,Multi-Stage Channels,[],[],,SI-4,mitigates,7 +3774,,T1105,Ingress Tool Transfer,[],[],,SI-4,mitigates,7 +3775,,T1110,Brute Force,[],[],,SI-4,mitigates,7 +3776,,T1110.001,Password Guessing,[],[],,SI-4,mitigates,7 +3777,,T1110.002,Password Cracking,[],[],,SI-4,mitigates,7 +3778,,T1110.003,Password Spraying,[],[],,SI-4,mitigates,7 +3779,,T1110.004,Credential Stuffing,[],[],,SI-4,mitigates,7 +3780,,T1111,Two-Factor 
Authentication Interception,[],[],,SI-4,mitigates,7 +3781,,T1114,Email Collection,[],[],,SI-4,mitigates,7 +3782,,T1114.001,Local Email Collection,[],[],,SI-4,mitigates,7 +3783,,T1114.002,Remote Email Collection,[],[],,SI-4,mitigates,7 +3784,,T1114.003,Email Forwarding Rule,[],[],,SI-4,mitigates,7 +3785,,T1119,Automated Collection,[],[],,SI-4,mitigates,7 +3786,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-4,mitigates,7 +3787,,T1127.001,MSBuild,[],[],,SI-4,mitigates,7 +3788,,T1129,Shared Modules,[],[],,SI-4,mitigates,7 +3789,,T1132,Data Encoding,[],[],,SI-4,mitigates,7 +3790,,T1132.001,Standard Encoding,[],[],,SI-4,mitigates,7 +3791,,T1132.002,Non-Standard Encoding,[],[],,SI-4,mitigates,7 +3792,,T1133,External Remote Services,[],[],,SI-4,mitigates,7 +3793,,T1135,Network Share Discovery,[],[],,SI-4,mitigates,7 +3794,,T1136,Create Account,[],[],,SI-4,mitigates,7 +3795,,T1136.001,Local Account,[],[],,SI-4,mitigates,7 +3796,,T1136.002,Domain Account,[],[],,SI-4,mitigates,7 +3797,,T1136.003,Cloud Account,[],[],,SI-4,mitigates,7 +3798,,T1137,Office Application Startup,[],[],,SI-4,mitigates,7 +3799,,T1137.001,Office Template Macros,[],[],,SI-4,mitigates,7 +3800,,T1176,Browser Extensions,[],[],,SI-4,mitigates,7 +3801,,T1185,Man in the Browser,[],[],,SI-4,mitigates,7 +3802,,T1187,Forced Authentication,[],[],,SI-4,mitigates,7 +3803,,T1189,Drive-by Compromise,[],[],,SI-4,mitigates,7 +3804,,T1190,Exploit Public-Facing Application,[],[],,SI-4,mitigates,7 +3805,,T1197,BITS Jobs,[],[],,SI-4,mitigates,7 +3806,,T1201,Password Policy Discovery,[],[],,SI-4,mitigates,7 +3807,,T1203,Exploitation for Client Execution,[],[],,SI-4,mitigates,7 +3808,,T1204,User Execution,[],[],,SI-4,mitigates,7 +3809,,T1204.001,Malicious Link,[],[],,SI-4,mitigates,7 +3810,,T1204.002,Malicious File,[],[],,SI-4,mitigates,7 +3811,,T1205,Traffic Signaling,[],[],,SI-4,mitigates,7 +3812,,T1205.001,Port Knocking,[],[],,SI-4,mitigates,7 +3813,,T1210,Exploitation of Remote 
Services,[],[],,SI-4,mitigates,7 +3814,,T1211,Exploitation for Defense Evasion,[],[],,SI-4,mitigates,7 +3815,,T1212,Exploitation for Credential Access,[],[],,SI-4,mitigates,7 +3816,,T1213,Data from Information Repositories,[],[],,SI-4,mitigates,7 +3817,,T1213.001,Confluence,[],[],,SI-4,mitigates,7 +3818,,T1213.002,Sharepoint,[],[],,SI-4,mitigates,7 +3819,,T1216,Signed Script Proxy Execution,[],[],,SI-4,mitigates,7 +3820,,T1216.001,PubPrn,[],[],,SI-4,mitigates,7 +3821,,T1218,Signed Binary Proxy Execution,[],[],,SI-4,mitigates,7 +3822,,T1218.001,Compiled HTML File,[],[],,SI-4,mitigates,7 +3823,,T1218.002,Control Panel,[],[],,SI-4,mitigates,7 +3824,,T1218.003,CMSTP,[],[],,SI-4,mitigates,7 +3825,,T1218.004,InstallUtil,[],[],,SI-4,mitigates,7 +3826,,T1218.005,Mshta,[],[],,SI-4,mitigates,7 +3827,,T1218.008,Odbcconf,[],[],,SI-4,mitigates,7 +3828,,T1218.009,Regsvcs/Regasm,[],[],,SI-4,mitigates,7 +3829,,T1218.010,Regsvr32,[],[],,SI-4,mitigates,7 +3830,,T1218.011,Rundll32,[],[],,SI-4,mitigates,7 +3831,,T1218.012,Verclsid,[],[],,SI-4,mitigates,7 +3832,,T1219,Remote Access Software,[],[],,SI-4,mitigates,7 +3833,,T1220,XSL Script Processing,[],[],,SI-4,mitigates,7 +3834,,T1221,Template Injection,[],[],,SI-4,mitigates,7 +3835,,T1222,File and Directory Permissions Modification,[],[],,SI-4,mitigates,7 +3836,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-4,mitigates,7 +3837,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-4,mitigates,7 +3838,,T1484,Domain Policy Modification,[],[],,SI-4,mitigates,7 +3839,,T1485,Data Destruction,[],[],,SI-4,mitigates,7 +3840,,T1486,Data Encrypted for Impact,[],[],,SI-4,mitigates,7 +3841,,T1489,Service Stop,[],[],,SI-4,mitigates,7 +3842,,T1490,Inhibit System Recovery,[],[],,SI-4,mitigates,7 +3843,,T1491,Defacement,[],[],,SI-4,mitigates,7 +3844,,T1491.001,Internal Defacement,[],[],,SI-4,mitigates,7 +3845,,T1491.002,External Defacement,[],[],,SI-4,mitigates,7 +3846,,T1499,Endpoint Denial of 
Service,[],[],,SI-4,mitigates,7 +3847,,T1499.001,OS Exhaustion Flood,[],[],,SI-4,mitigates,7 +3848,,T1499.002,Service Exhaustion Flood,[],[],,SI-4,mitigates,7 +3849,,T1499.003,Application Exhaustion Flood,[],[],,SI-4,mitigates,7 +3850,,T1499.004,Application or System Exploitation,[],[],,SI-4,mitigates,7 +3851,,T1505,Server Software Component,[],[],,SI-4,mitigates,7 +3852,,T1505.001,SQL Stored Procedures,[],[],,SI-4,mitigates,7 +3853,,T1505.002,Transport Agent,[],[],,SI-4,mitigates,7 +3854,,T1525,Implant Container Image,[],[],,SI-4,mitigates,7 +3855,,T1528,Steal Application Access Token,[],[],,SI-4,mitigates,7 +3856,,T1530,Data from Cloud Storage Object,[],[],,SI-4,mitigates,7 +3857,,T1537,Transfer Data to Cloud Account,[],[],,SI-4,mitigates,7 +3858,,T1539,Steal Web Session Cookie,[],[],,SI-4,mitigates,7 +3859,,T1542.004,ROMMONkit,[],[],,SI-4,mitigates,7 +3860,,T1542.005,TFTP Boot,[],[],,SI-4,mitigates,7 +3861,,T1543,Create or Modify System Process,[],[],,SI-4,mitigates,7 +3862,,T1543.002,Systemd Service,[],[],,SI-4,mitigates,7 +3863,,T1543.003,Windows Service,[],[],,SI-4,mitigates,7 +3864,,T1546.002,Screensaver,[],[],,SI-4,mitigates,7 +3865,,T1546.004,.bash_profile and .bashrc,[],[],,SI-4,mitigates,7 +3866,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-4,mitigates,7 +3867,,T1546.008,Accessibility Features,[],[],,SI-4,mitigates,7 +3868,,T1546.013,PowerShell Profile,[],[],,SI-4,mitigates,7 +3869,,T1546.014,Emond,[],[],,SI-4,mitigates,7 +3870,,T1547.002,Authentication Package,[],[],,SI-4,mitigates,7 +3871,,T1547.003,Time Providers,[],[],,SI-4,mitigates,7 +3872,,T1547.005,Security Support Provider,[],[],,SI-4,mitigates,7 +3873,,T1547.006,Kernel Modules and Extensions,[],[],,SI-4,mitigates,7 +3874,,T1547.007,Re-opened Applications,[],[],,SI-4,mitigates,7 +3875,,T1547.008,LSASS Driver,[],[],,SI-4,mitigates,7 +3876,,T1547.011,Plist Modification,[],[],,SI-4,mitigates,7 +3877,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-4,mitigates,7 +3878,,T1548.001,Setuid and 
Setgid,[],[],,SI-4,mitigates,7 +3879,,T1548.002,Bypass User Account Control,[],[],,SI-4,mitigates,7 +3880,,T1548.003,Sudo and Sudo Caching,[],[],,SI-4,mitigates,7 +3881,,T1548.004,Elevated Execution with Prompt,[],[],,SI-4,mitigates,7 +3882,,T1550,Use Alternate Authentication Material,[],[],,SI-4,mitigates,7 +3883,,T1550.001,Application Access Token,[],[],,SI-4,mitigates,7 +3884,,T1550.003,Pass the Ticket,[],[],,SI-4,mitigates,7 +3885,,T1552,Unsecured Credentials,[],[],,SI-4,mitigates,7 +3886,,T1552.001,Credentials In Files,[],[],,SI-4,mitigates,7 +3887,,T1552.002,Credentials in Registry,[],[],,SI-4,mitigates,7 +3888,,T1552.003,Bash History,[],[],,SI-4,mitigates,7 +3889,,T1552.004,Private Keys,[],[],,SI-4,mitigates,7 +3890,,T1552.005,Cloud Instance Metadata API,[],[],,SI-4,mitigates,7 +3891,,T1552.006,Group Policy Preferences,[],[],,SI-4,mitigates,7 +3892,,T1553,Subvert Trust Controls,[],[],,SI-4,mitigates,7 +3893,,T1553.001,Gatekeeper Bypass,[],[],,SI-4,mitigates,7 +3894,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-4,mitigates,7 +3895,,T1553.004,Install Root Certificate,[],[],,SI-4,mitigates,7 +3896,,T1555,Credentials from Password Stores,[],[],,SI-4,mitigates,7 +3897,,T1555.001,Keychain,[],[],,SI-4,mitigates,7 +3898,,T1555.002,Securityd Memory,[],[],,SI-4,mitigates,7 +3899,,T1556,Modify Authentication Process,[],[],,SI-4,mitigates,7 +3900,,T1556.001,Domain Controller Authentication,[],[],,SI-4,mitigates,7 +3901,,T1556.002,Password Filter DLL,[],[],,SI-4,mitigates,7 +3902,,T1556.003,Pluggable Authentication Modules,[],[],,SI-4,mitigates,7 +3903,,T1556.004,Network Device Authentication,[],[],,SI-4,mitigates,7 +3904,,T1557,Man-in-the-Middle,[],[],,SI-4,mitigates,7 +3905,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-4,mitigates,7 +3906,,T1557.002,ARP Cache Poisoning,[],[],,SI-4,mitigates,7 +3907,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-4,mitigates,7 +3908,,T1558.002,Silver Ticket,[],[],,SI-4,mitigates,7 
+3909,,T1558.003,Kerberoasting,[],[],,SI-4,mitigates,7 +3910,,T1558.004,AS-REP Roasting,[],[],,SI-4,mitigates,7 +3911,,T1559,Inter-Process Communication,[],[],,SI-4,mitigates,7 +3912,,T1559.002,Dynamic Data Exchange,[],[],,SI-4,mitigates,7 +3913,,T1560,Archive Collected Data,[],[],,SI-4,mitigates,7 +3914,,T1560.001,Archive via Utility,[],[],,SI-4,mitigates,7 +3915,,T1561,Disk Wipe,[],[],,SI-4,mitigates,7 +3916,,T1561.001,Disk Content Wipe,[],[],,SI-4,mitigates,7 +3917,,T1561.002,Disk Structure Wipe,[],[],,SI-4,mitigates,7 +3918,,T1562,Impair Defenses,[],[],,SI-4,mitigates,7 +3919,,T1562.001,Disable or Modify Tools,[],[],,SI-4,mitigates,7 +3920,,T1562.002,Disable Windows Event Logging,[],[],,SI-4,mitigates,7 +3921,,T1562.003,Impair Command History Logging,[],[],,SI-4,mitigates,7 +3922,,T1562.004,Disable or Modify System Firewall,[],[],,SI-4,mitigates,7 +3923,,T1562.006,Indicator Blocking,[],[],,SI-4,mitigates,7 +3924,,T1563,Remote Service Session Hijacking,[],[],,SI-4,mitigates,7 +3925,,T1563.001,SSH Hijacking,[],[],,SI-4,mitigates,7 +3926,,T1563.002,RDP Hijacking,[],[],,SI-4,mitigates,7 +3927,,T1564.002,Hidden Users,[],[],,SI-4,mitigates,7 +3928,,T1564.004,NTFS File Attributes,[],[],,SI-4,mitigates,7 +3929,,T1564.006,Run Virtual Instance,[],[],,SI-4,mitigates,7 +3930,,T1564.007,VBA Stomping,[],[],,SI-4,mitigates,7 +3931,,T1565,Data Manipulation,[],[],,SI-4,mitigates,7 +3932,,T1565.001,Stored Data Manipulation,[],[],,SI-4,mitigates,7 +3933,,T1565.002,Transmitted Data Manipulation,[],[],,SI-4,mitigates,7 +3934,,T1565.003,Runtime Data Manipulation,[],[],,SI-4,mitigates,7 +3935,,T1566,Phishing,[],[],,SI-4,mitigates,7 +3936,,T1566.001,Spearphishing Attachment,[],[],,SI-4,mitigates,7 +3937,,T1566.002,Spearphishing Link,[],[],,SI-4,mitigates,7 +3938,,T1566.003,Spearphishing via Service,[],[],,SI-4,mitigates,7 +3939,,T1568,Dynamic Resolution,[],[],,SI-4,mitigates,7 +3940,,T1568.002,Domain Generation Algorithms,[],[],,SI-4,mitigates,7 +3941,,T1569,System 
Services,[],[],,SI-4,mitigates,7 +3942,,T1569.002,Service Execution,[],[],,SI-4,mitigates,7 +3943,,T1570,Lateral Tool Transfer,[],[],,SI-4,mitigates,7 +3944,,T1571,Non-Standard Port,[],[],,SI-4,mitigates,7 +3945,,T1572,Protocol Tunneling,[],[],,SI-4,mitigates,7 +3946,,T1573,Encrypted Channel,[],[],,SI-4,mitigates,7 +3947,,T1573.001,Symmetric Cryptography,[],[],,SI-4,mitigates,7 +3948,,T1573.002,Asymmetric Cryptography,[],[],,SI-4,mitigates,7 +3949,,T1574,Hijack Execution Flow,[],[],,SI-4,mitigates,7 +3950,,T1574.001,DLL Search Order Hijacking,[],[],,SI-4,mitigates,7 +3951,,T1574.002,DLL Side-Loading,[],[],,SI-4,mitigates,7 +3952,,T1574.004,Dylib Hijacking,[],[],,SI-4,mitigates,7 +3953,,T1574.005,Executable Installer File Permissions Weakness,[],[],,SI-4,mitigates,7 +3954,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-4,mitigates,7 +3955,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-4,mitigates,7 +3956,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-4,mitigates,7 +3957,,T1574.010,Services File Permissions Weakness,[],[],,SI-4,mitigates,7 +3958,,T1578,Modify Cloud Compute Infrastructure,[],[],,SI-4,mitigates,7 +3959,,T1578.001,Create Snapshot,[],[],,SI-4,mitigates,7 +3960,,T1578.002,Create Cloud Instance,[],[],,SI-4,mitigates,7 +3961,,T1578.003,Delete Cloud Instance,[],[],,SI-4,mitigates,7 +3962,,T1598,Phishing for Information,[],[],,SI-4,mitigates,7 +3963,,T1598.001,Spearphishing Service,[],[],,SI-4,mitigates,7 +3964,,T1598.002,Spearphishing Attachment,[],[],,SI-4,mitigates,7 +3965,,T1598.003,Spearphishing Link,[],[],,SI-4,mitigates,7 +3966,,T1599,Network Boundary Bridging,[],[],,SI-4,mitigates,7 +3967,,T1599.001,Network Address Translation Traversal,[],[],,SI-4,mitigates,7 +3968,,T1601,Modify System Image,[],[],,SI-4,mitigates,7 +3969,,T1601.001,Patch System Image,[],[],,SI-4,mitigates,7 +3970,,T1601.002,Downgrade System Image,[],[],,SI-4,mitigates,7 +3971,,T1602,Data from Configuration 
Repository,[],[],,SI-4,mitigates,7 +3972,,T1602.001,SNMP (MIB Dump),[],[],,SI-4,mitigates,7 +3973,,T1602.002,Network Device Configuration Dump,[],[],,SI-4,mitigates,7 +3974,,T1068,Exploitation for Privilege Escalation,[],[],,SI-5,mitigates,7 +3975,,T1210,Exploitation of Remote Services,[],[],,SI-5,mitigates,7 +3976,,T1211,Exploitation for Defense Evasion,[],[],,SI-5,mitigates,7 +3977,,T1212,Exploitation for Credential Access,[],[],,SI-5,mitigates,7 +3978,,T1003,OS Credential Dumping,[],[],,SI-7,mitigates,7 +3979,,T1003.003,NTDS,[],[],,SI-7,mitigates,7 +3980,,T1020.001,Traffic Duplication,[],[],,SI-7,mitigates,7 +3981,,T1027,Obfuscated Files or Information,[],[],,SI-7,mitigates,7 +3982,,T1027.002,Software Packing,[],[],,SI-7,mitigates,7 +3983,,T1036,Masquerading,[],[],,SI-7,mitigates,7 +3984,,T1036.001,Invalid Code Signature,[],[],,SI-7,mitigates,7 +3985,,T1036.005,Match Legitimate Name or Location,[],[],,SI-7,mitigates,7 +3986,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-7,mitigates,7 +3987,,T1037.002,Logon Script (Mac),[],[],,SI-7,mitigates,7 +3988,,T1037.003,Network Logon Script,[],[],,SI-7,mitigates,7 +3989,,T1037.004,Rc.common,[],[],,SI-7,mitigates,7 +3990,,T1037.005,Startup Items,[],[],,SI-7,mitigates,7 +3991,,T1040,Network Sniffing,[],[],,SI-7,mitigates,7 +3992,,T1053.006,Systemd Timers,[],[],,SI-7,mitigates,7 +3993,,T1056.002,GUI Input Capture,[],[],,SI-7,mitigates,7 +3994,,T1059,Command and Scripting Interpreter,[],[],,SI-7,mitigates,7 +3995,,T1059.001,PowerShell,[],[],,SI-7,mitigates,7 +3996,,T1059.002,AppleScript,[],[],,SI-7,mitigates,7 +3997,,T1059.003,Windows Command Shell,[],[],,SI-7,mitigates,7 +3998,,T1059.004,Unix Shell,[],[],,SI-7,mitigates,7 +3999,,T1059.005,Visual Basic,[],[],,SI-7,mitigates,7 +4000,,T1059.006,Python,[],[],,SI-7,mitigates,7 +4001,,T1059.007,JavaScript/JScript,[],[],,SI-7,mitigates,7 +4002,,T1059.008,Network Device CLI,[],[],,SI-7,mitigates,7 +4003,,T1068,Exploitation for Privilege Escalation,[],[],,SI-7,mitigates,7 
+4004,,T1070,Indicator Removal on Host,[],[],,SI-7,mitigates,7 +4005,,T1070.001,Clear Windows Event Logs,[],[],,SI-7,mitigates,7 +4006,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-7,mitigates,7 +4007,,T1070.003,Clear Command History,[],[],,SI-7,mitigates,7 +4008,,T1072,Software Deployment Tools,[],[],,SI-7,mitigates,7 +4009,,T1080,Taint Shared Content,[],[],,SI-7,mitigates,7 +4010,,T1098.001,Additional Cloud Credentials,[],[],,SI-7,mitigates,7 +4011,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-7,mitigates,7 +4012,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-7,mitigates,7 +4013,,T1114,Email Collection,[],[],,SI-7,mitigates,7 +4014,,T1114.001,Local Email Collection,[],[],,SI-7,mitigates,7 +4015,,T1114.002,Remote Email Collection,[],[],,SI-7,mitigates,7 +4016,,T1114.003,Email Forwarding Rule,[],[],,SI-7,mitigates,7 +4017,,T1119,Automated Collection,[],[],,SI-7,mitigates,7 +4018,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-7,mitigates,7 +4019,,T1129,Shared Modules,[],[],,SI-7,mitigates,7 +4020,,T1133,External Remote Services,[],[],,SI-7,mitigates,7 +4021,,T1136,Create Account,[],[],,SI-7,mitigates,7 +4022,,T1136.001,Local Account,[],[],,SI-7,mitigates,7 +4023,,T1136.002,Domain Account,[],[],,SI-7,mitigates,7 +4024,,T1136.003,Cloud Account,[],[],,SI-7,mitigates,7 +4025,,T1176,Browser Extensions,[],[],,SI-7,mitigates,7 +4026,,T1185,Man in the Browser,[],[],,SI-7,mitigates,7 +4027,,T1189,Drive-by Compromise,[],[],,SI-7,mitigates,7 +4028,,T1190,Exploit Public-Facing Application,[],[],,SI-7,mitigates,7 +4029,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-7,mitigates,7 +4030,,T1203,Exploitation for Client Execution,[],[],,SI-7,mitigates,7 +4031,,T1204,User Execution,[],[],,SI-7,mitigates,7 +4032,,T1204.001,Malicious Link,[],[],,SI-7,mitigates,7 +4033,,T1204.002,Malicious File,[],[],,SI-7,mitigates,7 +4034,,T1210,Exploitation of Remote Services,[],[],,SI-7,mitigates,7 +4035,,T1211,Exploitation for Defense 
Evasion,[],[],,SI-7,mitigates,7 +4036,,T1212,Exploitation for Credential Access,[],[],,SI-7,mitigates,7 +4037,,T1216,Signed Script Proxy Execution,[],[],,SI-7,mitigates,7 +4038,,T1216.001,PubPrn,[],[],,SI-7,mitigates,7 +4039,,T1218,Signed Binary Proxy Execution,[],[],,SI-7,mitigates,7 +4040,,T1218.001,Compiled HTML File,[],[],,SI-7,mitigates,7 +4041,,T1218.002,Control Panel,[],[],,SI-7,mitigates,7 +4042,,T1218.003,CMSTP,[],[],,SI-7,mitigates,7 +4043,,T1218.004,InstallUtil,[],[],,SI-7,mitigates,7 +4044,,T1218.005,Mshta,[],[],,SI-7,mitigates,7 +4045,,T1218.008,Odbcconf,[],[],,SI-7,mitigates,7 +4046,,T1218.009,Regsvcs/Regasm,[],[],,SI-7,mitigates,7 +4047,,T1218.010,Regsvr32,[],[],,SI-7,mitigates,7 +4048,,T1218.011,Rundll32,[],[],,SI-7,mitigates,7 +4049,,T1218.012,Verclsid,[],[],,SI-7,mitigates,7 +4050,,T1219,Remote Access Software,[],[],,SI-7,mitigates,7 +4051,,T1220,XSL Script Processing,[],[],,SI-7,mitigates,7 +4052,,T1221,Template Injection,[],[],,SI-7,mitigates,7 +4053,,T1222,File and Directory Permissions Modification,[],[],,SI-7,mitigates,7 +4054,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-7,mitigates,7 +4055,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-7,mitigates,7 +4056,,T1485,Data Destruction,[],[],,SI-7,mitigates,7 +4057,,T1486,Data Encrypted for Impact,[],[],,SI-7,mitigates,7 +4058,,T1490,Inhibit System Recovery,[],[],,SI-7,mitigates,7 +4059,,T1491,Defacement,[],[],,SI-7,mitigates,7 +4060,,T1491.001,Internal Defacement,[],[],,SI-7,mitigates,7 +4061,,T1491.002,External Defacement,[],[],,SI-7,mitigates,7 +4062,,T1495,Firmware Corruption,[],[],,SI-7,mitigates,7 +4063,,T1505,Server Software Component,[],[],,SI-7,mitigates,7 +4064,,T1505.001,SQL Stored Procedures,[],[],,SI-7,mitigates,7 +4065,,T1505.002,Transport Agent,[],[],,SI-7,mitigates,7 +4066,,T1525,Implant Container Image,[],[],,SI-7,mitigates,7 +4067,,T1530,Data from Cloud Storage Object,[],[],,SI-7,mitigates,7 +4068,,T1542,Pre-OS 
Boot,[],[],,SI-7,mitigates,7 +4069,,T1542.001,System Firmware,[],[],,SI-7,mitigates,7 +4070,,T1542.003,Bootkit,[],[],,SI-7,mitigates,7 +4071,,T1542.004,ROMMONkit,[],[],,SI-7,mitigates,7 +4072,,T1542.005,TFTP Boot,[],[],,SI-7,mitigates,7 +4073,,T1543,Create or Modify System Process,[],[],,SI-7,mitigates,7 +4074,,T1543.002,Systemd Service,[],[],,SI-7,mitigates,7 +4075,,T1546,Event Triggered Execution,[],[],,SI-7,mitigates,7 +4076,,T1546.002,Screensaver,[],[],,SI-7,mitigates,7 +4077,,T1546.004,.bash_profile and .bashrc,[],[],,SI-7,mitigates,7 +4078,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-7,mitigates,7 +4079,,T1546.008,Accessibility Features,[],[],,SI-7,mitigates,7 +4080,,T1546.009,AppCert DLLs,[],[],,SI-7,mitigates,7 +4081,,T1546.010,AppInit DLLs,[],[],,SI-7,mitigates,7 +4082,,T1546.013,PowerShell Profile,[],[],,SI-7,mitigates,7 +4083,,T1547.002,Authentication Package,[],[],,SI-7,mitigates,7 +4084,,T1547.003,Time Providers,[],[],,SI-7,mitigates,7 +4085,,T1547.004,Winlogon Helper DLL,[],[],,SI-7,mitigates,7 +4086,,T1547.005,Security Support Provider,[],[],,SI-7,mitigates,7 +4087,,T1547.006,Kernel Modules and Extensions,[],[],,SI-7,mitigates,7 +4088,,T1547.008,LSASS Driver,[],[],,SI-7,mitigates,7 +4089,,T1547.011,Plist Modification,[],[],,SI-7,mitigates,7 +4090,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-7,mitigates,7 +4091,,T1548.004,Elevated Execution with Prompt,[],[],,SI-7,mitigates,7 +4092,,T1550.001,Application Access Token,[],[],,SI-7,mitigates,7 +4093,,T1550.004,Web Session Cookie,[],[],,SI-7,mitigates,7 +4094,,T1552,Unsecured Credentials,[],[],,SI-7,mitigates,7 +4095,,T1552.004,Private Keys,[],[],,SI-7,mitigates,7 +4096,,T1553,Subvert Trust Controls,[],[],,SI-7,mitigates,7 +4097,,T1553.001,Gatekeeper Bypass,[],[],,SI-7,mitigates,7 +4098,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-7,mitigates,7 +4099,,T1554,Compromise Client Software Binary,[],[],,SI-7,mitigates,7 +4100,,T1556,Modify Authentication Process,[],[],,SI-7,mitigates,7 
+4101,,T1556.001,Domain Controller Authentication,[],[],,SI-7,mitigates,7 +4102,,T1556.003,Pluggable Authentication Modules,[],[],,SI-7,mitigates,7 +4103,,T1556.004,Network Device Authentication,[],[],,SI-7,mitigates,7 +4104,,T1557,Man-in-the-Middle,[],[],,SI-7,mitigates,7 +4105,,T1557.002,ARP Cache Poisoning,[],[],,SI-7,mitigates,7 +4106,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-7,mitigates,7 +4107,,T1558.002,Silver Ticket,[],[],,SI-7,mitigates,7 +4108,,T1558.003,Kerberoasting,[],[],,SI-7,mitigates,7 +4109,,T1558.004,AS-REP Roasting,[],[],,SI-7,mitigates,7 +4110,,T1561,Disk Wipe,[],[],,SI-7,mitigates,7 +4111,,T1561.001,Disk Content Wipe,[],[],,SI-7,mitigates,7 +4112,,T1561.002,Disk Structure Wipe,[],[],,SI-7,mitigates,7 +4113,,T1562,Impair Defenses,[],[],,SI-7,mitigates,7 +4114,,T1562.001,Disable or Modify Tools,[],[],,SI-7,mitigates,7 +4115,,T1562.002,Disable Windows Event Logging,[],[],,SI-7,mitigates,7 +4116,,T1562.004,Disable or Modify System Firewall,[],[],,SI-7,mitigates,7 +4117,,T1562.006,Indicator Blocking,[],[],,SI-7,mitigates,7 +4118,,T1564.003,Hidden Window,[],[],,SI-7,mitigates,7 +4119,,T1564.004,NTFS File Attributes,[],[],,SI-7,mitigates,7 +4120,,T1564.006,Run Virtual Instance,[],[],,SI-7,mitigates,7 +4121,,T1565,Data Manipulation,[],[],,SI-7,mitigates,7 +4122,,T1565.001,Stored Data Manipulation,[],[],,SI-7,mitigates,7 +4123,,T1565.002,Transmitted Data Manipulation,[],[],,SI-7,mitigates,7 +4124,,T1569,System Services,[],[],,SI-7,mitigates,7 +4125,,T1569.002,Service Execution,[],[],,SI-7,mitigates,7 +4126,,T1574,Hijack Execution Flow,[],[],,SI-7,mitigates,7 +4127,,T1574.001,DLL Search Order Hijacking,[],[],,SI-7,mitigates,7 +4128,,T1574.002,DLL Side-Loading,[],[],,SI-7,mitigates,7 +4129,,T1574.004,Dylib Hijacking,[],[],,SI-7,mitigates,7 +4130,,T1574.006,LD_PRELOAD,[],[],,SI-7,mitigates,7 +4131,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-7,mitigates,7 +4132,,T1574.008,Path Interception by Search Order 
Hijacking,[],[],,SI-7,mitigates,7 +4133,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-7,mitigates,7 +4134,,T1574.012,COR_PROFILER,[],[],,SI-7,mitigates,7 +4135,,T1599,Network Boundary Bridging,[],[],,SI-7,mitigates,7 +4136,,T1599.001,Network Address Translation Traversal,[],[],,SI-7,mitigates,7 +4137,,T1601,Modify System Image,[],[],,SI-7,mitigates,7 +4138,,T1601.001,Patch System Image,[],[],,SI-7,mitigates,7 +4139,,T1601.002,Downgrade System Image,[],[],,SI-7,mitigates,7 +4140,,T1602,Data from Configuration Repository,[],[],,SI-7,mitigates,7 +4141,,T1602.001,SNMP (MIB Dump),[],[],,SI-7,mitigates,7 +4142,,T1602.002,Network Device Configuration Dump,[],[],,SI-7,mitigates,7 +4143,,T1204,User Execution,[],[],,SI-8,mitigates,7 +4144,,T1204.001,Malicious Link,[],[],,SI-8,mitigates,7 +4145,,T1204.002,Malicious File,[],[],,SI-8,mitigates,7 +4146,,T1221,Template Injection,[],[],,SI-8,mitigates,7 +4147,,T1566,Phishing,[],[],,SI-8,mitigates,7 +4148,,T1566.001,Spearphishing Attachment,[],[],,SI-8,mitigates,7 +4149,,T1566.002,Spearphishing Link,[],[],,SI-8,mitigates,7 +4150,,T1566.003,Spearphishing via Service,[],[],,SI-8,mitigates,7 +4151,,T1598,Phishing for Information,[],[],,SI-8,mitigates,7 +4152,,T1598.001,Spearphishing Service,[],[],,SI-8,mitigates,7 +4153,,T1598.002,Spearphishing Attachment,[],[],,SI-8,mitigates,7 +4154,,T1598.003,Spearphishing Link,[],[],,SI-8,mitigates,7 +4155,,T1059.002,AppleScript,[],[],,SR-11,mitigates,7 +4156,,T1505,Server Software Component,[],[],,SR-11,mitigates,7 +4157,,T1505.001,SQL Stored Procedures,[],[],,SR-11,mitigates,7 +4158,,T1505.002,Transport Agent,[],[],,SR-11,mitigates,7 +4159,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-11,mitigates,7 +4160,,T1554,Compromise Client Software Binary,[],[],,SR-11,mitigates,7 +4161,,T1601,Modify System Image,[],[],,SR-11,mitigates,7 +4162,,T1601.001,Patch System Image,[],[],,SR-11,mitigates,7 +4163,,T1601.002,Downgrade System Image,[],[],,SR-11,mitigates,7 
+4164,,T1059.002,AppleScript,[],[],,SR-4,mitigates,7 +4165,,T1505,Server Software Component,[],[],,SR-4,mitigates,7 +4166,,T1505.001,SQL Stored Procedures,[],[],,SR-4,mitigates,7 +4167,,T1505.002,Transport Agent,[],[],,SR-4,mitigates,7 +4168,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-4,mitigates,7 +4169,,T1554,Compromise Client Software Binary,[],[],,SR-4,mitigates,7 +4170,,T1601,Modify System Image,[],[],,SR-4,mitigates,7 +4171,,T1601.001,Patch System Image,[],[],,SR-4,mitigates,7 +4172,,T1601.002,Downgrade System Image,[],[],,SR-4,mitigates,7 +4173,,T1059.002,AppleScript,[],[],,SR-5,mitigates,7 +4174,,T1505,Server Software Component,[],[],,SR-5,mitigates,7 +4175,,T1505.001,SQL Stored Procedures,[],[],,SR-5,mitigates,7 +4176,,T1505.002,Transport Agent,[],[],,SR-5,mitigates,7 +4177,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-5,mitigates,7 +4178,,T1554,Compromise Client Software Binary,[],[],,SR-5,mitigates,7 +4179,,T1601,Modify System Image,[],[],,SR-5,mitigates,7 +4180,,T1601.001,Patch System Image,[],[],,SR-5,mitigates,7 +4181,,T1601.002,Downgrade System Image,[],[],,SR-5,mitigates,7 +4182,,T1059.002,AppleScript,[],[],,SR-6,mitigates,7 +4183,,T1505,Server Software Component,[],[],,SR-6,mitigates,7 +4184,,T1505.001,SQL Stored Procedures,[],[],,SR-6,mitigates,7 +4185,,T1505.002,Transport Agent,[],[],,SR-6,mitigates,7 +4186,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-6,mitigates,7 +4187,,T1554,Compromise Client Software Binary,[],[],,SR-6,mitigates,7 +4188,,T1601,Modify System Image,[],[],,SR-6,mitigates,7 +4189,,T1601.001,Patch System Image,[],[],,SR-6,mitigates,7 +4190,,T1601.002,Downgrade System Image,[],[],,SR-6,mitigates,7 diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_metadata.csv new file mode 100644 index 00000000..ee33bb1d --- /dev/null 
+++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r5,8.2,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,7 diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_metadata_object.csv b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_metadata_object.csv new file mode 100644 index 00000000..ee33bb1d --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_metadata_object.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r5,8.2,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,7 diff --git a/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_navigator_layer.json index 26de3990..8d2120ae 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_navigator_layer.json +++ b/src/mappings_explorer/cli/mapex/nist_files/8.2/r5/parsed_nist800-53-r5-8.2_mappings_navigator_layer.json 
@@ -1 +1 @@ -{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "8.2"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 9, "comment": "Related to Concurrent Session Control, Remote Access, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1137.002", "score": 6, "comment": "Related to Concurrent Session Control, Permitted Actions Without Identification or Authentication, Remote Access, Least Privilege, Baseline Configuration, Access Restrictions for Change"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to Concurrent Session Control, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, System Monitoring"}, {"techniqueID": "T1021.001", "score": 24, "comment": "Related to Device Lock, Session Termination, Remote Access, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Authentication Feedback, Vulnerability 
Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1563.002", "score": 18, "comment": "Related to Device Lock, Session Termination, Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1072", "score": 24, "comment": "Related to Session Termination, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Key Establishment and Management, Public Key Infrastructure Certificates, Cross Domain Policy Enforcement, Boundary Protection, Flaw Remediation, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1003", "score": 21, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Backup, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, 
{"techniqueID": "T1003.003", "score": 18, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Backup, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1020.001", "score": 12, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Information in Shared System Resources, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, 
and Information Integrity"}, {"techniqueID": "T1070.001", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.002", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Information Management and Retention, System Monitoring, 
Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.003", "score": 9, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1119", "score": 17, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1204", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Protection of Information at Rest, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and 
Information Integrity, Spam Protection"}, {"techniqueID": "T1204.001", "score": 23, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Protection of Information at Rest, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1204.002", "score": 23, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Protection of Information at Rest, Detonation Chambers, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication 
(organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Authentication Feedback, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Input Validation, Information Management and Retention, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Identification and 
Authentication (non-organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1547.011", "score": 10, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Non-modifiable Executable Programs, Information Management and Retention, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1550.001", "score": 13, "comment": "Related to Security and Privacy 
Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Software Usage Restrictions, User-installed Software, Baseline Configuration, Configuration Settings, Protection of Information at Rest, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Input Validation, Information Management and Retention, Information Output Filtering, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, 
Information in Shared System Resources, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to Security and Privacy Attributes, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Device Identification and Authentication, Identifier Management, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1557", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Session Authenticity, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1557.002", "score": 22, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information 
Integrity"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account 
Management, Access Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Continuous Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565", "score": 26, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, System Recovery and Reconstitution, Alternate Storage Site, Alternate Processing Site, System Backup, Protection of Information at Rest, Distributed Processing and Storage, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Information Management and Retention, Memory Protection, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.001", "score": 23, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, System Recovery and Reconstitution, Alternate Storage Site, Alternate Processing Site, System Backup, Protection of Information at Rest, Distributed Processing and Storage, 
Information in Shared System Resources, Boundary Protection, Information Management and Retention, Memory Protection, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Information in Shared System Resources, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and 
Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1021.003", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of 
Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Cross Domain Policy Enforcement, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1021.006", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, 
System Monitoring"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to Remote Access, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to Remote Access, Least Functionality"}, {"techniqueID": "T1047", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1133", "score": 18, "comment": "Related to Remote Access, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, 
Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Unsupported System Components, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1563", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cryptographic Key Establishment and Management, Session Authenticity, System Monitoring"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to Wireless Access, Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to 
Wireless Access, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of 
Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration 
Settings, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1053", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.004", "score": 9, "comment": "Related to 
Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational 
Users)"}, {"techniqueID": "T1059", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.008", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1068", "score": 24, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User 
Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1078", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, Security and Privacy Architectures, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Supply Chain Protection, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Continuous Monitoring, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.002", "score": 12, "comment": "Related 
to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1078.003", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.004", "score": 22, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1098", "score": 
12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1098.001", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, 
{"techniqueID": "T1110.001", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to Account 
Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1136", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.002", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, 
Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.003", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1185", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1190", "score": 29, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Control Assessments, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Threat Hunting, Vulnerability Monitoring and Scanning, Security and Privacy Engineering Principles, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access 
Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1210", "score": 32, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Control Assessments, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Cross Domain Policy Enforcement, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1212", "score": 24, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least 
Privilege, Penetration Testing, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1213.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1213.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1218", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.007", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1484", "score": 13, "comment": 
"Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1489", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": 
"T1505.001", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1505.002", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of 
Duties, Least Privilege, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw 
Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Unsupported System Components, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.004", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1546.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least 
Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1547.004", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.006", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.009", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1547.012", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1550", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and 
Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, System Monitoring"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Flaw Remediation"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to Account Management, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, System Monitoring"}, {"techniqueID": "T1552.002", "score": 17, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System 
Resources, System Monitoring"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1556", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Process Isolation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Process Isolation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline 
Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management"}, {"techniqueID": "T1559", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Software Usage Restrictions, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1559.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, 
{"techniqueID": "T1562.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.006", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Transmission Confidentiality and Integrity, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1562.008", "score": 6, "comment": 
"Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, 
Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input 
Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring 
and Scanning, System Monitoring"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Boundary Protection, Information Input Validation, 
Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1601", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1601.001", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1601.002", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration 
Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Developer Testing and Evaluation, Developer Security and Privacy Architecture and Design, Acquisition Process, Security and Privacy Engineering Principles, Security Function Isolation"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to Use of External Systems, Access Enforcement, Least Privilege, Media Use, Port and I/O Device Access"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to Use of External Systems, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious 
Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1048", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1048.001", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1048.002", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1048.003", "score": 12, "comment": "Related 
to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1052", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1052.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Mobile Code, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Least Functionality, Information in Shared System Resources, Boundary Protection, 
Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to Access Enforcement, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Cryptographic Key Establishment and Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, 
System Monitoring"}, {"techniqueID": "T1199", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Least Privilege, System Use Notification, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection"}, {"techniqueID": "T1205", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1218.002", "score": 9, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.012", "score": 13, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, 
Alternate Storage Site, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, 
{"techniqueID": "T1498.002", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Cryptographic 
Module Authentication, Vulnerability Monitoring and Scanning, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1561", 
"score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.003", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, System Backup, Protection of Information at Rest, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Memory Protection, System Monitoring"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001", "score": 7, 
"comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1041", "score": 5, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1046", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, 
Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure 
Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, 
Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, Unsupported System Components, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, System Component Inventory, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Boundary Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information 
Integrity"}, {"techniqueID": "T1211", "score": 23, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1482", "score": 10, "comment": "Related to Information Flow Enforcement, Penetration Testing, Configuration Settings, Least Functionality, Security and Privacy Architectures, Vulnerability Monitoring and Scanning, Developer Security and Privacy Architecture and Design, Security and Privacy Engineering Principles, Cross Domain Policy Enforcement, Boundary Protection"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1566", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.002", "score": 7, 
"comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least 
Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1598", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System 
Monitoring"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1059.006", "score": 10, "comment": "Related to Least Privilege, User-installed Software, Configuration Change Control, Access Restrictions for Change, Least Functionality, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Least Privilege, Least Functionality"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, 
{"techniqueID": "T1546.011", "score": 2, "comment": "Related to Least Privilege, Flaw Remediation"}, {"techniqueID": "T1553", "score": 9, "comment": "Related to Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to Least Privilege, Access Restrictions for Change"}, {"techniqueID": "T1195", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.001", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.002", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to Continuous Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to 
Continuous Monitoring, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to Penetration Testing, Configuration Change Control, Access Restrictions for Change, System Component Inventory, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1554", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Monitoring and Scanning, Boundary 
Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Monitoring and Scanning, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), System Monitoring"}, {"techniqueID": "T1036.001", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.002", "score": 10, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1059.005", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information 
Integrity"}, {"techniqueID": "T1059.007", "score": 10, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1137.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1137.003", "score": 2, "comment": "Related to Baseline Configuration, Flaw Remediation"}, {"techniqueID": "T1137.004", "score": 2, "comment": "Related to Baseline Configuration, Flaw Remediation"}, {"techniqueID": "T1137.005", "score": 2, "comment": "Related to Baseline Configuration, Flaw Remediation"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information 
Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.001", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Mobile Code, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.003", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.004", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.005", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.008", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.009", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System 
Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.006", "score": 14, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Service Identification and Authentication, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1546.010", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Monitoring and Scanning, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": 
"T1548.004", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Mobile Code, Non-modifiable Executable Programs, Information Management and Retention, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, System Monitoring"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, 
System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1059.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.004", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to Least Functionality"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.006", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to Session Authenticity"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to Session Authenticity, Transmission Confidentiality and Integrity, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to Transmission Confidentiality and Integrity"}, {"techniqueID": "T1027", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code 
Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file +{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "8.2"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 9, "comment": "Related to AC-10, AC-17, CM-2, CM-6, CM-8, RA-5, SI-2, SI-3, SI-4"}, {"techniqueID": "T1137.002", "score": 6, "comment": "Related to AC-10, AC-14, AC-17, AC-6, CM-2, CM-5"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to AC-10, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1021.001", "score": 24, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-5, IA-6, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1563.002", "score": 18, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1072", "score": 24, "comment": "Related to AC-12, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, SC-12, SC-17, SC-46, SC-7, SI-2, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CP-9, IA-2, IA-4, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CP-9, IA-2, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, 
SI-7"}, {"techniqueID": "T1020.001", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to AC-16, AC-17, AC-18, AC-19, IA-2, IA-5, SC-4, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1070", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.001", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.002", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.003", "score": 9, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1119", "score": 17, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-4, SI-7"}, {"techniqueID": "T1204", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, SC-28, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.001", "score": 23, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, SC-28, SC-44, SC-7, 
SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.002", "score": 23, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, SC-28, SC-44, SC-7, SI-10, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8, RA-5, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-4, SI-7"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to AC-16, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-8, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to AC-16, AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.011", "score": 10, "comment": "Related to AC-16, AC-3, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, SI-4, SI-7"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1550.001", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, CM-10, CM-11, CM-2, CM-6, SC-28, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, 
CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-2, SI-4, SI-7"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to AC-16, AC-20, AC-3, AC-4, CA-7, CM-6, CM-7, IA-3, IA-4, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1557", "score": 24, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-46, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.002", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to AC-16, AC-3, CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565", "score": 26, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-46, SC-7, SI-12, SI-16, SI-23, SI-4, SI-7"}, 
{"techniqueID": "T1565.001", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, CA-7, CM-2, CM-6, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-23, SI-4, SI-7"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1021.003", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-46, SC-7, SI-3, SI-4"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, CM-8, IA-2, IA-5, RA-5, SI-4"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1021.006", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, 
CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to AC-17, AC-3, CA-7, CM-2, CM-6, CM-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to AC-17, CM-7"}, {"techniqueID": "T1047", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1133", "score": 18, "comment": "Related to AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to AC-17, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1563", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SC-23, SI-4"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to AC-18, CM-6, CM-7, SI-4"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to AC-18, CM-2, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1003.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, 
AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1053", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.004", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, 
CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1059", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-8, IA-2, IA-8, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.008", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-8, SI-10, SI-7"}, {"techniqueID": "T1068", "score": 24, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1078", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-12, IA-2, IA-5, PL-8, RA-5, SA-10, SA-11, SA-12, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to AC-2, AC-5, AC-6, CA-7, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.002", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-12, IA-2, IA-5, SI-4"}, {"techniqueID": "T1078.003", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-12, IA-2, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.004", "score": 22, "comment": 
"Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-12, IA-2, IA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1098", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SI-4"}, {"techniqueID": "T1098.001", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, 
IA-2"}, {"techniqueID": "T1136", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1136.002", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.003", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1185", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1190", "score": 29, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-10, RA-5, SA-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-46, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1210", "score": 32, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-46, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1212", "score": 24, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1213", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, CM-6, CM-7, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1213.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, CM-6, CM-7, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1213.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, 
CM-5, CM-6, CM-7, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1218", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.007", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1489", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SI-4"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, RA-9, SA-10, SA-11, SI-2, SI-7"}, {"techniqueID": "T1505", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1505.001", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1505.002", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-7"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.003", "score": 18, 
"comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-8, RA-5, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1543.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.004", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1546.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1547.004", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1547.006", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.009", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1547.012", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-2, SI-4"}, {"techniqueID": "T1550", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SI-2"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to AC-2, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, 
SC-28, SC-4, SC-7, SI-4"}, {"techniqueID": "T1552.002", "score": 17, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SI-4"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to AC-2, AC-5, AC-6, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SI-2, SI-4"}, {"techniqueID": "T1556", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, CM-7, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5"}, {"techniqueID": "T1559", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-10, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1559.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, SC-18, SC-3, SC-7, SI-3"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": 
"T1562.006", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, SC-8, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-6, CM-8, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, 
{"techniqueID": "T1574.012", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1601", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1601.001", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1601.002", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to AC-20, AC-3, AC-4, AC-5, AC-6, CM-2, CM-6, SA-11, SA-17, SA-4, SA-8, SC-3"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to AC-20, AC-3, AC-6, MP-7, 
SC-41"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to AC-20, AC-3, AC-6, CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1048", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.001", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.002", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.003", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1052", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1052.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to AC-3, AC-6, CA-7, SC-18, SC-7, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to 
AC-3, CA-7, CM-2, CM-7, SC-4, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to AC-3, CM-2, CM-6, CM-7, CM-8, RA-5, SC-12, SI-3, SI-4"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1199", "score": 8, "comment": "Related to AC-3, AC-4, AC-6, AC-8, CM-6, CM-7, SC-46, SC-7"}, {"techniqueID": "T1205", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1218.002", "score": 9, "comment": "Related to AC-3, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.012", "score": 13, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-6, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-7, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related 
to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to AC-3, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, RA-5, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-10, CM-2, CM-6, IA-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-5, CM-6, SI-4, SI-7"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-46, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": 
"T1561", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565.003", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, CP-9, SC-28, SC-4, SC-46, SC-7, SI-16, SI-4"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1041", "score": 5, "comment": "Related to AC-4, CA-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1046", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-46, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, 
SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to AC-4, AC-6, CA-7, CM-2, CM-6, CM-8, SA-22, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to AC-4, AC-6, CA-7, CM-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1211", "score": 23, "comment": "Related to 
AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1482", "score": 10, "comment": "Related to AC-4, CA-8, CM-6, CM-7, PL-8, RA-5, SA-17, SA-8, SC-46, SC-7"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to AC-4, AC-6, CM-10, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1566", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.001", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.002", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1598", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.002", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.003", "score": 7, "comment": 
"Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1059.006", "score": 10, "comment": "Related to AC-6, CM-11, CM-3, CM-5, CM-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to AC-6, CM-7"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, RA-5, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to AC-6, SI-2"}, {"techniqueID": "T1553", "score": 9, "comment": "Related to AC-6, CM-10, CM-2, CM-6, CM-7, IA-9, SI-10, SI-4, SI-7"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to AC-6, CM-5"}, {"techniqueID": "T1195", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.001", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.002", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1056.002", 
"score": 4, "comment": "Related to CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to CA-8, CM-3, CM-5, CM-8, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1554", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, IA-9, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, CM-7, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, IA-9, SC-20, SI-4"}, {"techniqueID": "T1036.001", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1059.002", "score": 10, "comment": "Related to CM-2, CM-6, CM-7, IA-9, SI-10, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1059.005", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.007", "score": 
10, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SI-3, SI-4"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-4"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1137.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1137.003", "score": 2, "comment": "Related to CM-2, SI-2"}, {"techniqueID": "T1137.004", "score": 2, "comment": "Related to CM-2, SI-2"}, {"techniqueID": "T1137.005", "score": 2, "comment": "Related to CM-2, SI-2"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.001", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, SC-18, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.003", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.004", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.005", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.008", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.009", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to CM-2, CM-6, CM-7, CM-8, 
RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.006", "score": 14, "comment": "Related to CM-2, CM-6, CM-7, CM-8, IA-9, SI-10, SI-2, SI-3, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1546.010", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-2, SI-7"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to CM-2, CM-6, RA-5, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to CM-2, CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to CM-2, CM-6, CM-8, SI-4"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to CM-6, CM-7, SC-28, SI-4"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1059.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": 
"T1059.004", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to CM-7"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1574.006", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to SC-23"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to SC-23, SC-8, SI-7"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to SC-8"}, {"techniqueID": "T1027", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings.yaml b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings.yaml index 10fde136..398d26c4 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings.yaml @@ -1,7 +1,7 @@ attack-objects: - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -9,7 +9,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17,7 +17,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -25,7 +25,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33,7 +33,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -41,7 +41,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -49,7 +49,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -57,7 +57,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -65,7 +65,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Permitted Actions Without Identification Or Authentication + capability-id: AC-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -73,7 +73,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -81,7 +81,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -89,7 +89,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -97,7 +97,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -105,7 +105,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -113,7 +113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -121,7 +121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -129,7 +129,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -137,7 +137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -145,7 +145,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -153,7 +153,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -161,7 +161,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -169,7 +169,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -177,7 +177,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -185,7 +185,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -193,7 +193,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -201,7 +201,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -209,7 +209,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -217,7 +217,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -225,7 +225,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -233,7 +233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -241,7 +241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -249,7 +249,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -257,7 +257,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -265,7 +265,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -273,7 +273,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -281,7 +281,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -289,7 +289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -297,7 +297,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -305,7 +305,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -313,7 +313,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -321,7 +321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -329,7 +329,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -337,7 +337,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -345,7 +345,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -353,7 +353,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -361,7 +361,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -369,7 +369,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -377,7 +377,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -385,7 +385,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -393,7 +393,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -401,7 +401,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -409,7 +409,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -417,7 +417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -425,7 +425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -433,7 +433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -441,7 +441,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -449,7 +449,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -457,7 +457,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -465,7 +465,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -473,7 +473,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -481,7 +481,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -489,7 +489,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -497,7 +497,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -505,7 +505,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -513,7 +513,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -521,7 +521,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -529,7 +529,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -537,7 +537,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -545,7 +545,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -553,7 +553,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -561,7 +561,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -569,7 +569,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -577,7 +577,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -585,7 +585,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -593,7 +593,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -601,7 +601,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -609,7 +609,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -617,7 +617,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -625,7 +625,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -633,7 +633,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -641,7 +641,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -649,7 +649,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -657,7 +657,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -665,7 +665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -673,7 +673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -681,7 +681,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -689,7 +689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -697,7 +697,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -705,7 +705,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -713,7 +713,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -721,7 +721,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -729,7 +729,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -737,7 +737,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -745,7 +745,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -753,7 +753,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -761,7 +761,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -769,7 +769,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -777,7 +777,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -785,7 +785,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -793,7 +793,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -801,7 +801,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -809,7 +809,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -817,7 +817,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -825,7 +825,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -833,7 +833,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -841,7 +841,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -849,7 +849,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -857,7 +857,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -865,7 +865,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -873,7 +873,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -881,7 +881,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -889,7 +889,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -897,7 +897,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -905,7 +905,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -913,7 +913,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -921,7 +921,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -929,7 +929,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -937,7 +937,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -945,7 +945,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -953,7 +953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -961,7 +961,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -969,7 +969,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -977,7 +977,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -985,7 +985,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -993,7 +993,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1001,7 +1001,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1009,7 +1009,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1017,7 +1017,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1025,7 +1025,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1033,7 +1033,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1041,7 +1041,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1049,7 +1049,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1057,7 +1057,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1065,7 +1065,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1073,7 +1073,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1081,7 +1081,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1089,7 +1089,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1097,7 +1097,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1105,7 +1105,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1113,7 +1113,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1121,7 +1121,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1129,7 +1129,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1137,7 +1137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1145,7 +1145,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1153,7 +1153,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1161,7 +1161,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1169,7 +1169,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1177,7 +1177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1185,7 +1185,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1193,7 +1193,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1201,7 +1201,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1209,7 +1209,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1217,7 +1217,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1225,7 +1225,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1233,7 +1233,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1241,7 +1241,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1249,7 +1249,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1257,7 +1257,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1265,7 +1265,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1273,7 +1273,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Control For Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1281,7 +1281,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1289,7 +1289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1297,7 +1297,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1305,7 +1305,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1313,7 +1313,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1321,7 +1321,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1329,7 +1329,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1337,7 +1337,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1345,7 +1345,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1353,7 +1353,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1361,7 +1361,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1369,7 +1369,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1377,7 +1377,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1385,7 +1385,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1393,7 +1393,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1401,7 +1401,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1409,7 +1409,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1417,7 +1417,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1425,7 +1425,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1433,7 +1433,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1441,7 +1441,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1449,7 +1449,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1457,7 +1457,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1465,7 +1465,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1473,7 +1473,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1481,7 +1481,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1489,7 +1489,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1497,7 +1497,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1505,7 +1505,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1513,7 +1513,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1521,7 +1521,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1529,7 +1529,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1537,7 +1537,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1545,7 +1545,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1553,7 +1553,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1561,7 +1561,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1569,7 +1569,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1577,7 +1577,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1585,7 +1585,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1593,7 +1593,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1601,7 +1601,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1609,7 +1609,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1617,7 +1617,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1625,7 +1625,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1633,7 +1633,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1641,7 +1641,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1649,7 +1649,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1657,7 +1657,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1665,7 +1665,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1673,7 +1673,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1681,7 +1681,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1689,7 +1689,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1697,7 +1697,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1705,7 +1705,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1713,7 +1713,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1721,7 +1721,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1729,7 +1729,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1737,7 +1737,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1745,7 +1745,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1753,7 +1753,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1761,7 +1761,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1769,7 +1769,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1777,7 +1777,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1785,7 +1785,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1793,7 +1793,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1801,7 +1801,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1809,7 +1809,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1817,7 +1817,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1825,7 +1825,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1833,7 +1833,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1841,7 +1841,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1849,7 +1849,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1857,7 +1857,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1865,7 +1865,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1873,7 +1873,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1881,7 +1881,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1889,7 +1889,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1897,7 +1897,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1905,7 +1905,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1913,7 +1913,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1921,7 +1921,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1929,7 +1929,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1937,7 +1937,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1945,7 +1945,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1953,7 +1953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1961,7 +1961,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1969,7 +1969,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1977,7 +1977,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1985,7 +1985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1993,7 +1993,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2001,7 +2001,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2009,7 +2009,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2017,7 +2017,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2025,7 +2025,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2033,7 +2033,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2041,7 +2041,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2049,7 +2049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2057,7 +2057,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2065,7 +2065,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2073,7 +2073,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2081,7 +2081,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2089,7 +2089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2097,7 +2097,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2105,7 +2105,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2113,7 +2113,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2121,7 +2121,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2129,7 +2129,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2137,7 +2137,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2145,7 +2145,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2153,7 +2153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2161,7 +2161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2169,7 +2169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2177,7 +2177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2185,7 +2185,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2193,7 +2193,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2201,7 +2201,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2209,7 +2209,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2217,7 +2217,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2225,7 +2225,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2233,7 +2233,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2241,7 +2241,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2249,7 +2249,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2257,7 +2257,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2265,7 +2265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2273,7 +2273,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2281,7 +2281,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2289,7 +2289,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2297,7 +2297,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2305,7 +2305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2313,7 +2313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2321,7 +2321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2329,7 +2329,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2337,7 +2337,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2345,7 +2345,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2353,7 +2353,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2361,7 +2361,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2369,7 +2369,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2377,7 +2377,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2385,7 +2385,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2393,7 +2393,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2401,7 +2401,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2409,7 +2409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2417,7 +2417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2425,7 +2425,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2433,7 +2433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2441,7 +2441,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2449,7 +2449,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2457,7 +2457,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2465,7 +2465,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2473,7 +2473,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2481,7 +2481,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2489,7 +2489,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2497,7 +2497,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2505,7 +2505,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2513,7 +2513,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2521,7 +2521,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2529,7 +2529,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2537,7 +2537,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2545,7 +2545,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2553,7 +2553,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2561,7 +2561,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2569,7 +2569,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2577,7 +2577,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2585,7 +2585,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2593,7 +2593,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2601,7 +2601,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2609,7 +2609,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2617,7 +2617,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2625,7 +2625,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2633,7 +2633,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2641,7 +2641,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2649,7 +2649,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2657,7 +2657,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2665,7 +2665,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2673,7 +2673,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2681,7 +2681,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2689,7 +2689,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2697,7 +2697,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2705,7 +2705,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2713,7 +2713,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2721,7 +2721,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2729,7 +2729,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2737,7 +2737,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2745,7 +2745,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2753,7 +2753,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2761,7 +2761,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2769,7 +2769,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2777,7 +2777,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2785,7 +2785,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2793,7 +2793,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2801,7 +2801,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2809,7 +2809,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2817,7 +2817,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2825,7 +2825,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2833,7 +2833,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2841,7 +2841,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2849,7 +2849,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2857,7 +2857,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2865,7 +2865,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2873,7 +2873,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2881,7 +2881,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2889,7 +2889,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2897,7 +2897,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2905,7 +2905,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2913,7 +2913,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2921,7 +2921,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2929,7 +2929,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2937,7 +2937,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2945,7 +2945,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2953,7 +2953,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2961,7 +2961,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2969,7 +2969,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2977,7 +2977,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2985,7 +2985,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2993,7 +2993,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Use Of External Information Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -3001,7 +3001,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3009,7 +3009,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3017,7 +3017,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3025,7 +3025,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3033,7 +3033,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3041,7 +3041,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -3049,7 +3049,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -3057,7 +3057,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -3065,7 +3065,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Publicly Accessible Content + capability-id: AC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3073,7 +3073,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3081,7 +3081,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3089,7 +3089,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3097,7 +3097,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3105,7 +3105,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3113,7 +3113,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3121,7 +3121,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3129,7 +3129,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3137,7 +3137,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates @@ -3145,7 +3145,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates @@ -3153,7 +3153,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Control Decisions + capability-id: AC-24 comments: '' mapping-description: '' mapping-type: mitigates @@ -3161,7 +3161,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3169,7 +3169,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3177,7 +3177,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Reference Monitor + capability-id: AC-25 comments: '' mapping-description: '' mapping-type: mitigates @@ -3185,7 +3185,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3193,7 +3193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3201,7 +3201,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3209,7 +3209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3217,7 +3217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3225,7 +3225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3233,7 +3233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3241,7 +3241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3249,7 +3249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3257,7 +3257,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3265,7 +3265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3273,7 +3273,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3281,7 +3281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3289,7 +3289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3297,7 +3297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3305,7 +3305,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3313,7 +3313,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3321,7 +3321,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3329,7 +3329,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3337,7 +3337,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3345,7 +3345,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3353,7 +3353,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3361,7 +3361,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3369,7 +3369,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3377,7 +3377,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3385,7 +3385,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3393,7 +3393,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3401,7 +3401,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3409,7 +3409,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3417,7 +3417,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3425,7 +3425,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3433,7 +3433,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3441,7 +3441,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3449,7 +3449,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3457,7 +3457,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3465,7 +3465,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3473,7 +3473,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3481,7 +3481,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3489,7 +3489,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3497,7 +3497,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3505,7 +3505,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3513,7 +3513,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3521,7 +3521,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3529,7 +3529,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3537,7 +3537,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3545,7 +3545,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3553,7 +3553,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3561,7 +3561,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3569,7 +3569,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3577,7 +3577,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3585,7 +3585,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3593,7 +3593,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3601,7 +3601,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3609,7 +3609,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3617,7 +3617,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3625,7 +3625,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3633,7 +3633,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3641,7 +3641,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3649,7 +3649,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3657,7 +3657,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3665,7 +3665,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3673,7 +3673,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3681,7 +3681,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3689,7 +3689,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3697,7 +3697,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3705,7 +3705,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3713,7 +3713,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3721,7 +3721,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3729,7 +3729,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3737,7 +3737,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3745,7 +3745,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3753,7 +3753,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3761,7 +3761,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3769,7 +3769,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3777,7 +3777,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3785,7 +3785,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3793,7 +3793,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3801,7 +3801,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3809,7 +3809,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3817,7 +3817,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3825,7 +3825,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3833,7 +3833,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3841,7 +3841,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3849,7 +3849,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3857,7 +3857,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3865,7 +3865,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3873,7 +3873,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3881,7 +3881,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3889,7 +3889,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3897,7 +3897,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3905,7 +3905,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3913,7 +3913,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3921,7 +3921,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3929,7 +3929,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3937,7 +3937,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3945,7 +3945,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3953,7 +3953,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3961,7 +3961,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3969,7 +3969,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3977,7 +3977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3985,7 +3985,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3993,7 +3993,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4001,7 +4001,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4009,7 +4009,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4017,7 +4017,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4025,7 +4025,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4033,7 +4033,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4041,7 +4041,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4049,7 +4049,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4057,7 +4057,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4065,7 +4065,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4073,7 +4073,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4081,7 +4081,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4089,7 +4089,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4097,7 +4097,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4105,7 +4105,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4113,7 +4113,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4121,7 +4121,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4129,7 +4129,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4137,7 +4137,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4145,7 +4145,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4153,7 +4153,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4161,7 +4161,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4169,7 +4169,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4177,7 +4177,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4185,7 +4185,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4193,7 +4193,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4201,7 +4201,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4209,7 +4209,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4217,7 +4217,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4225,7 +4225,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4233,7 +4233,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4241,7 +4241,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4249,7 +4249,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4257,7 +4257,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4265,7 +4265,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4273,7 +4273,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4281,7 +4281,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4289,7 +4289,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4297,7 +4297,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4305,7 +4305,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4313,7 +4313,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4321,7 +4321,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4329,7 +4329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4337,7 +4337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4345,7 +4345,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4353,7 +4353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4361,7 +4361,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4369,7 +4369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4377,7 +4377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4385,7 +4385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4393,7 +4393,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4401,7 +4401,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4409,7 +4409,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4417,7 +4417,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4425,7 +4425,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4433,7 +4433,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4441,7 +4441,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4449,7 +4449,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4457,7 +4457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4465,7 +4465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4473,7 +4473,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4481,7 +4481,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4489,7 +4489,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4497,7 +4497,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4505,7 +4505,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4513,7 +4513,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4521,7 +4521,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4529,7 +4529,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4537,7 +4537,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4545,7 +4545,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4553,7 +4553,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4561,7 +4561,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4569,7 +4569,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4577,7 +4577,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4585,7 +4585,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4593,7 +4593,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4601,7 +4601,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4609,7 +4609,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4617,7 +4617,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4625,7 +4625,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4633,7 +4633,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4641,7 +4641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4649,7 +4649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4657,7 +4657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4665,7 +4665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4673,7 +4673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4681,7 +4681,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4689,7 +4689,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4697,7 +4697,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4705,7 +4705,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4713,7 +4713,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4721,7 +4721,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4729,7 +4729,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4737,7 +4737,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4745,7 +4745,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4753,7 +4753,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4761,7 +4761,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4769,7 +4769,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4777,7 +4777,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4785,7 +4785,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4793,7 +4793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4801,7 +4801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4809,7 +4809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4817,7 +4817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4825,7 +4825,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4833,7 +4833,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4841,7 +4841,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4849,7 +4849,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4857,7 +4857,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4865,7 +4865,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4873,7 +4873,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4881,7 +4881,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4889,7 +4889,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4897,7 +4897,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4905,7 +4905,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4913,7 +4913,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4921,7 +4921,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4929,7 +4929,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4937,7 +4937,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4945,7 +4945,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4953,7 +4953,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4961,7 +4961,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4969,7 +4969,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4977,7 +4977,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4985,7 +4985,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4993,7 +4993,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5001,7 +5001,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5009,7 +5009,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5017,7 +5017,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5025,7 +5025,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5033,7 +5033,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5041,7 +5041,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5049,7 +5049,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5057,7 +5057,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5065,7 +5065,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5073,7 +5073,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5081,7 +5081,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5089,7 +5089,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5097,7 +5097,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5105,7 +5105,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5113,7 +5113,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5121,7 +5121,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5129,7 +5129,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5137,7 +5137,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5145,7 +5145,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5153,7 +5153,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5161,7 +5161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5169,7 +5169,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5177,7 +5177,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5185,7 +5185,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5193,7 +5193,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5201,7 +5201,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5209,7 +5209,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5217,7 +5217,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5225,7 +5225,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5233,7 +5233,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5241,7 +5241,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5249,7 +5249,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5257,7 +5257,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5265,7 +5265,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5273,7 +5273,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5281,7 +5281,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5289,7 +5289,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5297,7 +5297,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5305,7 +5305,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5313,7 +5313,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5321,7 +5321,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5329,7 +5329,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5337,7 +5337,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5345,7 +5345,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5353,7 +5353,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5361,7 +5361,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5369,7 +5369,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5377,7 +5377,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5385,7 +5385,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5393,7 +5393,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5401,7 +5401,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5409,7 +5409,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5417,7 +5417,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5425,7 +5425,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5433,7 +5433,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5441,7 +5441,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5449,7 +5449,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5457,7 +5457,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5465,7 +5465,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5473,7 +5473,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5481,7 +5481,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5489,7 +5489,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5497,7 +5497,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5505,7 +5505,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5513,7 +5513,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5521,7 +5521,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5529,7 +5529,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5537,7 +5537,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5545,7 +5545,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5553,7 +5553,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5561,7 +5561,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5569,7 +5569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5577,7 +5577,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5585,7 +5585,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5593,7 +5593,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5601,7 +5601,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5609,7 +5609,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5617,7 +5617,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5625,7 +5625,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5633,7 +5633,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5641,7 +5641,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5649,7 +5649,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5657,7 +5657,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5665,7 +5665,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5673,7 +5673,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5681,7 +5681,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5689,7 +5689,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5697,7 +5697,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5705,7 +5705,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5713,7 +5713,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5721,7 +5721,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5729,7 +5729,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5737,7 +5737,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5745,7 +5745,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5753,7 +5753,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5761,7 +5761,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5769,7 +5769,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5777,7 +5777,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5785,7 +5785,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5793,7 +5793,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5801,7 +5801,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5809,7 +5809,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5817,7 +5817,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5825,7 +5825,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5833,7 +5833,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5841,7 +5841,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5849,7 +5849,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5857,7 +5857,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5865,7 +5865,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5873,7 +5873,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5881,7 +5881,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5889,7 +5889,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5897,7 +5897,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5905,7 +5905,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5913,7 +5913,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5921,7 +5921,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5929,7 +5929,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5937,7 +5937,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5945,7 +5945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5953,7 +5953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5961,7 +5961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5969,7 +5969,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5977,7 +5977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5985,7 +5985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5993,7 +5993,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6001,7 +6001,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6009,7 +6009,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6017,7 +6017,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6025,7 +6025,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6033,7 +6033,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6041,7 +6041,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6049,7 +6049,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6057,7 +6057,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6065,7 +6065,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6073,7 +6073,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6081,7 +6081,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6089,7 +6089,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -6097,7 +6097,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6105,7 +6105,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6113,7 +6113,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6121,7 +6121,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6129,7 +6129,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6137,7 +6137,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6145,7 +6145,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6153,7 +6153,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6161,7 +6161,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6169,7 +6169,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6177,7 +6177,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6185,7 +6185,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6193,7 +6193,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6201,7 +6201,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6209,7 +6209,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6217,7 +6217,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6225,7 +6225,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6233,7 +6233,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6241,7 +6241,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6249,7 +6249,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6257,7 +6257,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6265,7 +6265,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6273,7 +6273,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6281,7 +6281,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6289,7 +6289,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6297,7 +6297,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6305,7 +6305,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6313,7 +6313,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6321,7 +6321,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6329,7 +6329,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6337,7 +6337,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6345,7 +6345,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6353,7 +6353,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6361,7 +6361,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6369,7 +6369,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6377,7 +6377,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6385,7 +6385,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6393,7 +6393,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6401,7 +6401,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6409,7 +6409,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6417,7 +6417,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6425,7 +6425,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6433,7 +6433,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6441,7 +6441,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6449,7 +6449,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6457,7 +6457,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6465,7 +6465,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6473,7 +6473,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6481,7 +6481,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6489,7 +6489,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6497,7 +6497,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6505,7 +6505,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6513,7 +6513,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6521,7 +6521,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6529,7 +6529,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6537,7 +6537,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6545,7 +6545,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6553,7 +6553,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6561,7 +6561,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6569,7 +6569,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6577,7 +6577,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6585,7 +6585,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6593,7 +6593,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6601,7 +6601,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6609,7 +6609,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6617,7 +6617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6625,7 +6625,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6633,7 +6633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6641,7 +6641,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6649,7 +6649,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6657,7 +6657,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6665,7 +6665,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6673,7 +6673,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6681,7 +6681,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6689,7 +6689,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6697,7 +6697,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6705,7 +6705,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6713,7 +6713,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6721,7 +6721,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6729,7 +6729,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6737,7 +6737,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6745,7 +6745,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6753,7 +6753,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6761,7 +6761,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6769,7 +6769,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6777,7 +6777,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6785,7 +6785,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6793,7 +6793,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6801,7 +6801,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6809,7 +6809,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6817,7 +6817,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6825,7 +6825,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6833,7 +6833,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6841,7 +6841,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6849,7 +6849,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6857,7 +6857,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6865,7 +6865,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6873,7 +6873,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6881,7 +6881,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6889,7 +6889,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6897,7 +6897,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6905,7 +6905,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6913,7 +6913,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6921,7 +6921,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6929,7 +6929,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6937,7 +6937,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6945,7 +6945,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6953,7 +6953,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6961,7 +6961,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6969,7 +6969,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6977,7 +6977,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6985,7 +6985,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6993,7 +6993,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7001,7 +7001,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7009,7 +7009,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7017,7 +7017,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7025,7 +7025,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7033,7 +7033,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7041,7 +7041,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7049,7 +7049,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7057,7 +7057,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7065,7 +7065,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7073,7 +7073,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7081,7 +7081,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7089,7 +7089,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7097,7 +7097,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7105,7 +7105,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7113,7 +7113,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7121,7 +7121,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7129,7 +7129,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7137,7 +7137,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7145,7 +7145,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7153,7 +7153,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7161,7 +7161,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7169,7 +7169,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7177,7 +7177,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7185,7 +7185,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7193,7 +7193,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7201,7 +7201,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7209,7 +7209,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7217,7 +7217,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7225,7 +7225,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7233,7 +7233,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7241,7 +7241,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7249,7 +7249,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7257,7 +7257,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7265,7 +7265,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7273,7 +7273,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7281,7 +7281,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7289,7 +7289,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7297,7 +7297,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7305,7 +7305,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation Of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7313,7 +7313,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7321,7 +7321,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7329,7 +7329,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7337,7 +7337,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7345,7 +7345,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7353,7 +7353,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7361,7 +7361,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7369,7 +7369,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7377,7 +7377,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7385,7 +7385,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7393,7 +7393,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7401,7 +7401,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7409,7 +7409,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7417,7 +7417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7425,7 +7425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7433,7 +7433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7441,7 +7441,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7449,7 +7449,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7457,7 +7457,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7465,7 +7465,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7473,7 +7473,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7481,7 +7481,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7489,7 +7489,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7497,7 +7497,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7505,7 +7505,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7513,7 +7513,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7521,7 +7521,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7529,7 +7529,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7537,7 +7537,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7545,7 +7545,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7553,7 +7553,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7561,7 +7561,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7569,7 +7569,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7577,7 +7577,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7585,7 +7585,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7593,7 +7593,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7601,7 +7601,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7609,7 +7609,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7617,7 +7617,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7625,7 +7625,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7633,7 +7633,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7641,7 +7641,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7649,7 +7649,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7657,7 +7657,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7665,7 +7665,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7673,7 +7673,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7681,7 +7681,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7689,7 +7689,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7697,7 +7697,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7705,7 +7705,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7713,7 +7713,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7721,7 +7721,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7729,7 +7729,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7737,7 +7737,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7745,7 +7745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7753,7 +7753,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7761,7 +7761,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7769,7 +7769,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7777,7 +7777,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7785,7 +7785,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7793,7 +7793,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7801,7 +7801,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7809,7 +7809,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7817,7 +7817,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7825,7 +7825,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7833,7 +7833,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7841,7 +7841,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7849,7 +7849,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7857,7 +7857,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7865,7 +7865,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7873,7 +7873,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7881,7 +7881,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7889,7 +7889,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7897,7 +7897,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7905,7 +7905,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7913,7 +7913,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7921,7 +7921,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7929,7 +7929,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7937,7 +7937,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7945,7 +7945,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7953,7 +7953,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7961,7 +7961,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7969,7 +7969,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7977,7 +7977,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7985,7 +7985,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7993,7 +7993,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8001,7 +8001,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8009,7 +8009,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8017,7 +8017,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8025,7 +8025,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8033,7 +8033,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8041,7 +8041,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8049,7 +8049,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8057,7 +8057,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8065,7 +8065,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8073,7 +8073,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8081,7 +8081,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8089,7 +8089,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8097,7 +8097,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8105,7 +8105,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8113,7 +8113,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8121,7 +8121,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8129,7 +8129,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8137,7 +8137,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8145,7 +8145,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8153,7 +8153,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8161,7 +8161,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8169,7 +8169,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8177,7 +8177,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8185,7 +8185,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8193,7 +8193,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8201,7 +8201,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8209,7 +8209,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8217,7 +8217,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8225,7 +8225,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8233,7 +8233,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8241,7 +8241,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8249,7 +8249,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8257,7 +8257,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8265,7 +8265,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8273,7 +8273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8281,7 +8281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8289,7 +8289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8297,7 +8297,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8305,7 +8305,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8313,7 +8313,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8321,7 +8321,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8329,7 +8329,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8337,7 +8337,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8345,7 +8345,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8353,7 +8353,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8361,7 +8361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8369,7 +8369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8377,7 +8377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8385,7 +8385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8393,7 +8393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8401,7 +8401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8409,7 +8409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8417,7 +8417,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8425,7 +8425,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8433,7 +8433,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8441,7 +8441,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8449,7 +8449,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8457,7 +8457,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8465,7 +8465,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8473,7 +8473,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8481,7 +8481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8489,7 +8489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8497,7 +8497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8505,7 +8505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8513,7 +8513,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8521,7 +8521,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8529,7 +8529,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8537,7 +8537,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8545,7 +8545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8553,7 +8553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8561,7 +8561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8569,7 +8569,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8577,7 +8577,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8585,7 +8585,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8593,7 +8593,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8601,7 +8601,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8609,7 +8609,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8617,7 +8617,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8625,7 +8625,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8633,7 +8633,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8641,7 +8641,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8649,7 +8649,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8657,7 +8657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8665,7 +8665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8673,7 +8673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8681,7 +8681,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8689,7 +8689,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8697,7 +8697,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8705,7 +8705,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8713,7 +8713,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8721,7 +8721,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8729,7 +8729,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8737,7 +8737,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8745,7 +8745,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8753,7 +8753,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8761,7 +8761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8769,7 +8769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8777,7 +8777,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8785,7 +8785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8793,7 +8793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8801,7 +8801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8809,7 +8809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8817,7 +8817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8825,7 +8825,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8833,7 +8833,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8841,7 +8841,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8849,7 +8849,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8857,7 +8857,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8865,7 +8865,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8873,7 +8873,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8881,7 +8881,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8889,7 +8889,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8897,7 +8897,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8905,7 +8905,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8913,7 +8913,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8921,7 +8921,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8929,7 +8929,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8937,7 +8937,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8945,7 +8945,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8953,7 +8953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8961,7 +8961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8969,7 +8969,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8977,7 +8977,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8985,7 +8985,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8993,7 +8993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9001,7 +9001,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9009,7 +9009,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9017,7 +9017,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9025,7 +9025,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9033,7 +9033,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9041,7 +9041,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9049,7 +9049,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9057,7 +9057,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9065,7 +9065,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9073,7 +9073,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: System Use Notification + capability-id: AC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -9081,7 +9081,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9089,7 +9089,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9097,7 +9097,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9105,7 +9105,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9113,7 +9113,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -9121,7 +9121,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9129,7 +9129,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9137,7 +9137,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9145,7 +9145,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9153,7 +9153,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9161,7 +9161,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9169,7 +9169,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9177,7 +9177,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9185,7 +9185,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9193,7 +9193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9201,7 +9201,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9209,7 +9209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9217,7 +9217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9225,7 +9225,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9233,7 +9233,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9241,7 +9241,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9249,7 +9249,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9257,7 +9257,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9265,7 +9265,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9273,7 +9273,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9281,7 +9281,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9289,7 +9289,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9297,7 +9297,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9305,7 +9305,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9313,7 +9313,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9321,7 +9321,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9329,7 +9329,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9337,7 +9337,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9345,7 +9345,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9353,7 +9353,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9361,7 +9361,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9369,7 +9369,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9377,7 +9377,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9385,7 +9385,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9393,7 +9393,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9401,7 +9401,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9409,7 +9409,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9417,7 +9417,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9425,7 +9425,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9433,7 +9433,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9441,7 +9441,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9449,7 +9449,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9457,7 +9457,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9465,7 +9465,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9473,7 +9473,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9481,7 +9481,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9489,7 +9489,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9497,7 +9497,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9505,7 +9505,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9513,7 +9513,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9521,7 +9521,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9529,7 +9529,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9537,7 +9537,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9545,7 +9545,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9553,7 +9553,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9561,7 +9561,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9569,7 +9569,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9577,7 +9577,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9585,7 +9585,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9593,7 +9593,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9601,7 +9601,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9609,7 +9609,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9617,7 +9617,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9625,7 +9625,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9633,7 +9633,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9641,7 +9641,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9649,7 +9649,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9657,7 +9657,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9665,7 +9665,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9673,7 +9673,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9681,7 +9681,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9689,7 +9689,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9697,7 +9697,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9705,7 +9705,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9713,7 +9713,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9721,7 +9721,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9729,7 +9729,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9737,7 +9737,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9745,7 +9745,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9753,7 +9753,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9761,7 +9761,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9769,7 +9769,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9777,7 +9777,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9785,7 +9785,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9793,7 +9793,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9801,7 +9801,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9809,7 +9809,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9817,7 +9817,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9825,7 +9825,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9833,7 +9833,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9841,7 +9841,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9849,7 +9849,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9857,7 +9857,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9865,7 +9865,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9873,7 +9873,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9881,7 +9881,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9889,7 +9889,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9897,7 +9897,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9905,7 +9905,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9913,7 +9913,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9921,7 +9921,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9929,7 +9929,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9937,7 +9937,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9945,7 +9945,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9953,7 +9953,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9961,7 +9961,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9969,7 +9969,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9977,7 +9977,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9985,7 +9985,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9993,7 +9993,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10001,7 +10001,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10009,7 +10009,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10017,7 +10017,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10025,7 +10025,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10033,7 +10033,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10041,7 +10041,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10049,7 +10049,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10057,7 +10057,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10065,7 +10065,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10073,7 +10073,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10081,7 +10081,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10089,7 +10089,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10097,7 +10097,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10105,7 +10105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10113,7 +10113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10121,7 +10121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10129,7 +10129,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10137,7 +10137,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10145,7 +10145,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10153,7 +10153,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10161,7 +10161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10169,7 +10169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10177,7 +10177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10185,7 +10185,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10193,7 +10193,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10201,7 +10201,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10209,7 +10209,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10217,7 +10217,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10225,7 +10225,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10233,7 +10233,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10241,7 +10241,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10249,7 +10249,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10257,7 +10257,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10265,7 +10265,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10273,7 +10273,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10281,7 +10281,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10289,7 +10289,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10297,7 +10297,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10305,7 +10305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10313,7 +10313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10321,7 +10321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10329,7 +10329,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10337,7 +10337,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10345,7 +10345,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10353,7 +10353,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10361,7 +10361,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10369,7 +10369,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10377,7 +10377,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10385,7 +10385,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10393,7 +10393,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10401,7 +10401,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10409,7 +10409,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10417,7 +10417,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10425,7 +10425,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10433,7 +10433,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10441,7 +10441,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10449,7 +10449,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10457,7 +10457,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10465,7 +10465,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10473,7 +10473,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10481,7 +10481,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10489,7 +10489,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10497,7 +10497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10505,7 +10505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10513,7 +10513,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10521,7 +10521,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10529,7 +10529,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10537,7 +10537,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10545,7 +10545,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10553,7 +10553,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10561,7 +10561,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10569,7 +10569,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10577,7 +10577,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10585,7 +10585,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10593,7 +10593,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10601,7 +10601,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10609,7 +10609,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10617,7 +10617,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10625,7 +10625,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10633,7 +10633,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10641,7 +10641,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10649,7 +10649,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10657,7 +10657,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10665,7 +10665,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10673,7 +10673,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10681,7 +10681,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10689,7 +10689,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10697,7 +10697,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10705,7 +10705,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10713,7 +10713,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10721,7 +10721,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10729,7 +10729,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10737,7 +10737,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10745,7 +10745,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10753,7 +10753,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10761,7 +10761,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10769,7 +10769,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10777,7 +10777,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10785,7 +10785,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10793,7 +10793,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10801,7 +10801,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10809,7 +10809,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10817,7 +10817,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10825,7 +10825,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10833,7 +10833,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10841,7 +10841,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10849,7 +10849,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10857,7 +10857,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10865,7 +10865,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10873,7 +10873,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10881,7 +10881,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10889,7 +10889,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10897,7 +10897,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10905,7 +10905,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10913,7 +10913,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10921,7 +10921,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10929,7 +10929,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10937,7 +10937,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10945,7 +10945,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10953,7 +10953,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10961,7 +10961,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10969,7 +10969,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10977,7 +10977,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10985,7 +10985,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10993,7 +10993,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11001,7 +11001,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11009,7 +11009,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11017,7 +11017,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11025,7 +11025,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11033,7 +11033,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11041,7 +11041,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11049,7 +11049,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11057,7 +11057,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11065,7 +11065,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11073,7 +11073,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11081,7 +11081,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11089,7 +11089,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11097,7 +11097,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11105,7 +11105,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11113,7 +11113,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11121,7 +11121,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11129,7 +11129,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -11137,7 +11137,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11145,7 +11145,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11153,7 +11153,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11161,7 +11161,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11169,7 +11169,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11177,7 +11177,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11185,7 +11185,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11193,7 +11193,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11201,7 +11201,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11209,7 +11209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11217,7 +11217,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11225,7 +11225,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11233,7 +11233,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11241,7 +11241,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11249,7 +11249,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11257,7 +11257,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11265,7 +11265,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11273,7 +11273,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11281,7 +11281,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11289,7 +11289,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11297,7 +11297,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11305,7 +11305,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11313,7 +11313,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11321,7 +11321,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11329,7 +11329,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11337,7 +11337,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: User-Installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11345,7 +11345,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11353,7 +11353,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11361,7 +11361,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11369,7 +11369,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11377,7 +11377,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11385,7 +11385,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11393,7 +11393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11401,7 +11401,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11409,7 +11409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11417,7 +11417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11425,7 +11425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11433,7 +11433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11441,7 +11441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11449,7 +11449,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11457,7 +11457,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11465,7 +11465,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11473,7 +11473,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11481,7 +11481,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11489,7 +11489,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11497,7 +11497,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11505,7 +11505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11513,7 +11513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11521,7 +11521,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11529,7 +11529,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11537,7 +11537,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11545,7 +11545,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11553,7 +11553,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11561,7 +11561,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11569,7 +11569,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11577,7 +11577,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11585,7 +11585,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11593,7 +11593,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11601,7 +11601,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11609,7 +11609,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11617,7 +11617,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11625,7 +11625,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11633,7 +11633,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11641,7 +11641,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11649,7 +11649,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11657,7 +11657,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11665,7 +11665,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11673,7 +11673,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11681,7 +11681,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11689,7 +11689,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11697,7 +11697,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11705,7 +11705,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11713,7 +11713,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11721,7 +11721,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11729,7 +11729,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11737,7 +11737,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11745,7 +11745,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11753,7 +11753,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11761,7 +11761,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11769,7 +11769,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11777,7 +11777,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11785,7 +11785,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11793,7 +11793,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11801,7 +11801,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11809,7 +11809,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11817,7 +11817,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11825,7 +11825,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11833,7 +11833,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11841,7 +11841,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11849,7 +11849,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11857,7 +11857,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11865,7 +11865,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11873,7 +11873,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11881,7 +11881,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11889,7 +11889,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11897,7 +11897,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11905,7 +11905,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11913,7 +11913,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11921,7 +11921,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11929,7 +11929,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11937,7 +11937,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11945,7 +11945,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11953,7 +11953,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11961,7 +11961,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11969,7 +11969,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11977,7 +11977,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11985,7 +11985,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11993,7 +11993,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12001,7 +12001,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12009,7 +12009,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12017,7 +12017,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12025,7 +12025,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12033,7 +12033,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12041,7 +12041,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12049,7 +12049,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12057,7 +12057,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12065,7 +12065,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12073,7 +12073,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12081,7 +12081,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12089,7 +12089,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12097,7 +12097,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12105,7 +12105,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12113,7 +12113,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12121,7 +12121,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12129,7 +12129,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12137,7 +12137,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12145,7 +12145,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12153,7 +12153,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12161,7 +12161,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12169,7 +12169,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12177,7 +12177,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12185,7 +12185,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12193,7 +12193,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12201,7 +12201,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12209,7 +12209,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12217,7 +12217,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12225,7 +12225,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12233,7 +12233,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12241,7 +12241,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12249,7 +12249,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12257,7 +12257,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12265,7 +12265,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12273,7 +12273,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12281,7 +12281,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12289,7 +12289,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12297,7 +12297,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12305,7 +12305,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12313,7 +12313,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12321,7 +12321,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12329,7 +12329,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12337,7 +12337,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12345,7 +12345,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12353,7 +12353,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12361,7 +12361,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12369,7 +12369,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12377,7 +12377,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12385,7 +12385,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12393,7 +12393,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12401,7 +12401,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12409,7 +12409,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12417,7 +12417,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12425,7 +12425,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12433,7 +12433,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12441,7 +12441,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12449,7 +12449,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12457,7 +12457,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12465,7 +12465,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12473,7 +12473,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12481,7 +12481,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12489,7 +12489,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12497,7 +12497,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12505,7 +12505,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12513,7 +12513,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12521,7 +12521,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12529,7 +12529,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12537,7 +12537,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12545,7 +12545,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12553,7 +12553,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12561,7 +12561,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12569,7 +12569,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12577,7 +12577,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12585,7 +12585,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12593,7 +12593,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12601,7 +12601,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12609,7 +12609,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12617,7 +12617,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12625,7 +12625,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12633,7 +12633,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12641,7 +12641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12649,7 +12649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12657,7 +12657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12665,7 +12665,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12673,7 +12673,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12681,7 +12681,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12689,7 +12689,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12697,7 +12697,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12705,7 +12705,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12713,7 +12713,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12721,7 +12721,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12729,7 +12729,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12737,7 +12737,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12745,7 +12745,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12753,7 +12753,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12761,7 +12761,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12769,7 +12769,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12777,7 +12777,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12785,7 +12785,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12793,7 +12793,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12801,7 +12801,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12809,7 +12809,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12817,7 +12817,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12825,7 +12825,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12833,7 +12833,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12841,7 +12841,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12849,7 +12849,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12857,7 +12857,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12865,7 +12865,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12873,7 +12873,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12881,7 +12881,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12889,7 +12889,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12897,7 +12897,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12905,7 +12905,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12913,7 +12913,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12921,7 +12921,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12929,7 +12929,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12937,7 +12937,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12945,7 +12945,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12953,7 +12953,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12961,7 +12961,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12969,7 +12969,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12977,7 +12977,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12985,7 +12985,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12993,7 +12993,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13001,7 +13001,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13009,7 +13009,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13017,7 +13017,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13025,7 +13025,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13033,7 +13033,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13041,7 +13041,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13049,7 +13049,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13057,7 +13057,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13065,7 +13065,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13073,7 +13073,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13081,7 +13081,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13089,7 +13089,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13097,7 +13097,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13105,7 +13105,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13113,7 +13113,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13121,7 +13121,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13129,7 +13129,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13137,7 +13137,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13145,7 +13145,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13153,7 +13153,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13161,7 +13161,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13169,7 +13169,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13177,7 +13177,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13185,7 +13185,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13193,7 +13193,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13201,7 +13201,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13209,7 +13209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13217,7 +13217,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13225,7 +13225,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13233,7 +13233,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13241,7 +13241,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13249,7 +13249,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13257,7 +13257,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13265,7 +13265,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13273,7 +13273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13281,7 +13281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13289,7 +13289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13297,7 +13297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13305,7 +13305,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13313,7 +13313,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13321,7 +13321,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13329,7 +13329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13337,7 +13337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13345,7 +13345,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13353,7 +13353,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13361,7 +13361,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13369,7 +13369,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13377,7 +13377,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13385,7 +13385,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13393,7 +13393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13401,7 +13401,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13409,7 +13409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13417,7 +13417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13425,7 +13425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13433,7 +13433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13441,7 +13441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13449,7 +13449,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13457,7 +13457,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13465,7 +13465,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13473,7 +13473,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13481,7 +13481,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13489,7 +13489,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13497,7 +13497,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13505,7 +13505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13513,7 +13513,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13521,7 +13521,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13529,7 +13529,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13537,7 +13537,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13545,7 +13545,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13553,7 +13553,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13561,7 +13561,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13569,7 +13569,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13577,7 +13577,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13585,7 +13585,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13593,7 +13593,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13601,7 +13601,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13609,7 +13609,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13617,7 +13617,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13625,7 +13625,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13633,7 +13633,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13641,7 +13641,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13649,7 +13649,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13657,7 +13657,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13665,7 +13665,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13673,7 +13673,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13681,7 +13681,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13689,7 +13689,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13697,7 +13697,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13705,7 +13705,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13713,7 +13713,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13721,7 +13721,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13729,7 +13729,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13737,7 +13737,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13745,7 +13745,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13753,7 +13753,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13761,7 +13761,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13769,7 +13769,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13777,7 +13777,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13785,7 +13785,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13793,7 +13793,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13801,7 +13801,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13809,7 +13809,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13817,7 +13817,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13825,7 +13825,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13833,7 +13833,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13841,7 +13841,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13849,7 +13849,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13857,7 +13857,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13865,7 +13865,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13873,7 +13873,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13881,7 +13881,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13889,7 +13889,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13897,7 +13897,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13905,7 +13905,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13913,7 +13913,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13921,7 +13921,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13929,7 +13929,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13937,7 +13937,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13945,7 +13945,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13953,7 +13953,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13961,7 +13961,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13969,7 +13969,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13977,7 +13977,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13985,7 +13985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13993,7 +13993,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14001,7 +14001,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14009,7 +14009,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14017,7 +14017,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14025,7 +14025,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14033,7 +14033,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14041,7 +14041,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14049,7 +14049,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14057,7 +14057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14065,7 +14065,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14073,7 +14073,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14081,7 +14081,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14089,7 +14089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14097,7 +14097,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14105,7 +14105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14113,7 +14113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14121,7 +14121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14129,7 +14129,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14137,7 +14137,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14145,7 +14145,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14153,7 +14153,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14161,7 +14161,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14169,7 +14169,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14177,7 +14177,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14185,7 +14185,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14193,7 +14193,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14201,7 +14201,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14209,7 +14209,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14217,7 +14217,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14225,7 +14225,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14233,7 +14233,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14241,7 +14241,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14249,7 +14249,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14257,7 +14257,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14265,7 +14265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14273,7 +14273,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14281,7 +14281,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14289,7 +14289,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14297,7 +14297,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14305,7 +14305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14313,7 +14313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14321,7 +14321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14329,7 +14329,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14337,7 +14337,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14345,7 +14345,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14353,7 +14353,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14361,7 +14361,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14369,7 +14369,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14377,7 +14377,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14385,7 +14385,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14393,7 +14393,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14401,7 +14401,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14409,7 +14409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14417,7 +14417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14425,7 +14425,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14433,7 +14433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14441,7 +14441,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14449,7 +14449,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14457,7 +14457,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14465,7 +14465,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14473,7 +14473,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14481,7 +14481,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14489,7 +14489,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14497,7 +14497,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14505,7 +14505,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14513,7 +14513,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Restrictions For Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14521,7 +14521,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14529,7 +14529,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14537,7 +14537,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14545,7 +14545,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14553,7 +14553,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14561,7 +14561,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14569,7 +14569,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14577,7 +14577,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14585,7 +14585,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14593,7 +14593,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14601,7 +14601,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14609,7 +14609,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14617,7 +14617,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14625,7 +14625,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14633,7 +14633,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14641,7 +14641,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14649,7 +14649,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14657,7 +14657,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14665,7 +14665,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14673,7 +14673,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14681,7 +14681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14689,7 +14689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14697,7 +14697,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14705,7 +14705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14713,7 +14713,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14721,7 +14721,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14729,7 +14729,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14737,7 +14737,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14745,7 +14745,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14753,7 +14753,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14761,7 +14761,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14769,7 +14769,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14777,7 +14777,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14785,7 +14785,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14793,7 +14793,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14801,7 +14801,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14809,7 +14809,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14817,7 +14817,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14825,7 +14825,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14833,7 +14833,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14841,7 +14841,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14849,7 +14849,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14857,7 +14857,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14865,7 +14865,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14873,7 +14873,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14881,7 +14881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14889,7 +14889,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14897,7 +14897,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14905,7 +14905,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14913,7 +14913,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14921,7 +14921,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14929,7 +14929,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14937,7 +14937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14945,7 +14945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14953,7 +14953,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14961,7 +14961,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14969,7 +14969,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14977,7 +14977,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14985,7 +14985,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14993,7 +14993,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15001,7 +15001,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15009,7 +15009,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15017,7 +15017,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15025,7 +15025,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15033,7 +15033,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15041,7 +15041,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15049,7 +15049,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15057,7 +15057,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15065,7 +15065,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15073,7 +15073,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15081,7 +15081,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15089,7 +15089,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15097,7 +15097,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15105,7 +15105,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15113,7 +15113,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15121,7 +15121,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15129,7 +15129,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15137,7 +15137,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15145,7 +15145,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15153,7 +15153,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15161,7 +15161,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15169,7 +15169,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15177,7 +15177,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15185,7 +15185,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15193,7 +15193,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15201,7 +15201,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15209,7 +15209,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15217,7 +15217,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15225,7 +15225,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15233,7 +15233,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15241,7 +15241,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15249,7 +15249,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15257,7 +15257,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15265,7 +15265,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15273,7 +15273,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15281,7 +15281,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15289,7 +15289,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15297,7 +15297,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15305,7 +15305,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15313,7 +15313,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15321,7 +15321,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15329,7 +15329,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15337,7 +15337,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15345,7 +15345,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15353,7 +15353,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15361,7 +15361,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15369,7 +15369,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15377,7 +15377,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15385,7 +15385,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15393,7 +15393,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15401,7 +15401,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15409,7 +15409,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15417,7 +15417,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15425,7 +15425,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15433,7 +15433,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15441,7 +15441,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15449,7 +15449,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15457,7 +15457,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15465,7 +15465,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15473,7 +15473,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15481,7 +15481,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15489,7 +15489,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15497,7 +15497,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15505,7 +15505,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15513,7 +15513,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15521,7 +15521,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15529,7 +15529,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15537,7 +15537,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15545,7 +15545,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15553,7 +15553,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15561,7 +15561,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15569,7 +15569,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15577,7 +15577,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15585,7 +15585,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15593,7 +15593,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15601,7 +15601,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15609,7 +15609,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15617,7 +15617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15625,7 +15625,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15633,7 +15633,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15641,7 +15641,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15649,7 +15649,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15657,7 +15657,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15665,7 +15665,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15673,7 +15673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15681,7 +15681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15689,7 +15689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15697,7 +15697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15705,7 +15705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15713,7 +15713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15721,7 +15721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15729,7 +15729,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15737,7 +15737,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15745,7 +15745,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15753,7 +15753,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15761,7 +15761,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15769,7 +15769,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15777,7 +15777,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15785,7 +15785,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15793,7 +15793,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15801,7 +15801,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15809,7 +15809,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15817,7 +15817,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15825,7 +15825,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15833,7 +15833,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15841,7 +15841,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15849,7 +15849,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15857,7 +15857,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15865,7 +15865,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15873,7 +15873,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15881,7 +15881,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15889,7 +15889,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15897,7 +15897,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15905,7 +15905,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15913,7 +15913,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15921,7 +15921,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15929,7 +15929,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15937,7 +15937,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15945,7 +15945,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15953,7 +15953,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15961,7 +15961,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15969,7 +15969,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15977,7 +15977,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15985,7 +15985,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15993,7 +15993,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16001,7 +16001,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16009,7 +16009,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16017,7 +16017,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16025,7 +16025,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16033,7 +16033,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16041,7 +16041,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16049,7 +16049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16057,7 +16057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16065,7 +16065,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16073,7 +16073,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16081,7 +16081,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16089,7 +16089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16097,7 +16097,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16105,7 +16105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16113,7 +16113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16121,7 +16121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16129,7 +16129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16137,7 +16137,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16145,7 +16145,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16153,7 +16153,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16161,7 +16161,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16169,7 +16169,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16177,7 +16177,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16185,7 +16185,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16193,7 +16193,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16201,7 +16201,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16209,7 +16209,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16217,7 +16217,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16225,7 +16225,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16233,7 +16233,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16241,7 +16241,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16249,7 +16249,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16257,7 +16257,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16265,7 +16265,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16273,7 +16273,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16281,7 +16281,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16289,7 +16289,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16297,7 +16297,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16305,7 +16305,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16313,7 +16313,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16321,7 +16321,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16329,7 +16329,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16337,7 +16337,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16345,7 +16345,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16353,7 +16353,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16361,7 +16361,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16369,7 +16369,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16377,7 +16377,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16385,7 +16385,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16393,7 +16393,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16401,7 +16401,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16409,7 +16409,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16417,7 +16417,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16425,7 +16425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16433,7 +16433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16441,7 +16441,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16449,7 +16449,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16457,7 +16457,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16465,7 +16465,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16473,7 +16473,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16481,7 +16481,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16489,7 +16489,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16497,7 +16497,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16505,7 +16505,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16513,7 +16513,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16521,7 +16521,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16529,7 +16529,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16537,7 +16537,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16545,7 +16545,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16553,7 +16553,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16561,7 +16561,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16569,7 +16569,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16577,7 +16577,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16585,7 +16585,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16593,7 +16593,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16601,7 +16601,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16609,7 +16609,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16617,7 +16617,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16625,7 +16625,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16633,7 +16633,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16641,7 +16641,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16649,7 +16649,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16657,7 +16657,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16665,7 +16665,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16673,7 +16673,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16681,7 +16681,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16689,7 +16689,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16697,7 +16697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16705,7 +16705,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16713,7 +16713,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16721,7 +16721,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16729,7 +16729,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16737,7 +16737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16745,7 +16745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16753,7 +16753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16761,7 +16761,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16769,7 +16769,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16777,7 +16777,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16785,7 +16785,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16793,7 +16793,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16801,7 +16801,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16809,7 +16809,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16817,7 +16817,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16825,7 +16825,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16833,7 +16833,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16841,7 +16841,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16849,7 +16849,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16857,7 +16857,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16865,7 +16865,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16873,7 +16873,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16881,7 +16881,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16889,7 +16889,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16897,7 +16897,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16905,7 +16905,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16913,7 +16913,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16921,7 +16921,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16929,7 +16929,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16937,7 +16937,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16945,7 +16945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16953,7 +16953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16961,7 +16961,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16969,7 +16969,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16977,7 +16977,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16985,7 +16985,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16993,7 +16993,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17001,7 +17001,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17009,7 +17009,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17017,7 +17017,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17025,7 +17025,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17033,7 +17033,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17041,7 +17041,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17049,7 +17049,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17057,7 +17057,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17065,7 +17065,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17073,7 +17073,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17081,7 +17081,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17089,7 +17089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17097,7 +17097,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17105,7 +17105,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17113,7 +17113,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17121,7 +17121,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17129,7 +17129,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17137,7 +17137,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17145,7 +17145,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17153,7 +17153,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17161,7 +17161,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17169,7 +17169,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17177,7 +17177,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17185,7 +17185,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17193,7 +17193,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17201,7 +17201,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17209,7 +17209,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17217,7 +17217,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17225,7 +17225,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17233,7 +17233,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17241,7 +17241,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17249,7 +17249,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17257,7 +17257,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17265,7 +17265,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17273,7 +17273,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17281,7 +17281,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17289,7 +17289,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17297,7 +17297,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17305,7 +17305,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17313,7 +17313,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17321,7 +17321,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17329,7 +17329,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17337,7 +17337,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17345,7 +17345,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17353,7 +17353,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17361,7 +17361,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17369,7 +17369,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17377,7 +17377,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17385,7 +17385,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17393,7 +17393,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17401,7 +17401,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17409,7 +17409,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17417,7 +17417,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17425,7 +17425,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17433,7 +17433,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17441,7 +17441,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17449,7 +17449,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17457,7 +17457,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17465,7 +17465,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17473,7 +17473,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17481,7 +17481,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17489,7 +17489,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17497,7 +17497,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17505,7 +17505,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17513,7 +17513,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17521,7 +17521,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17529,7 +17529,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17537,7 +17537,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17545,7 +17545,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17553,7 +17553,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17561,7 +17561,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17569,7 +17569,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17577,7 +17577,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17585,7 +17585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17593,7 +17593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17601,7 +17601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17609,7 +17609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17617,7 +17617,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17625,7 +17625,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17633,7 +17633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17641,7 +17641,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17649,7 +17649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17657,7 +17657,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17665,7 +17665,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17673,7 +17673,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17681,7 +17681,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17689,7 +17689,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17697,7 +17697,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17705,7 +17705,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17713,7 +17713,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17721,7 +17721,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17729,7 +17729,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17737,7 +17737,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17745,7 +17745,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17753,7 +17753,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17761,7 +17761,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17769,7 +17769,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17777,7 +17777,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17785,7 +17785,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17793,7 +17793,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17801,7 +17801,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17809,7 +17809,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17817,7 +17817,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17825,7 +17825,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17833,7 +17833,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17841,7 +17841,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17849,7 +17849,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17857,7 +17857,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17865,7 +17865,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17873,7 +17873,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17881,7 +17881,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17889,7 +17889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17897,7 +17897,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17905,7 +17905,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17913,7 +17913,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17921,7 +17921,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17929,7 +17929,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17937,7 +17937,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17945,7 +17945,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17953,7 +17953,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17961,7 +17961,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17969,7 +17969,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17977,7 +17977,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17985,7 +17985,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17993,7 +17993,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18001,7 +18001,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18009,7 +18009,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18017,7 +18017,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18025,7 +18025,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18033,7 +18033,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18041,7 +18041,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18049,7 +18049,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18057,7 +18057,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18065,7 +18065,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18073,7 +18073,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18081,7 +18081,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18089,7 +18089,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18097,7 +18097,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18105,7 +18105,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18113,7 +18113,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18121,7 +18121,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18129,7 +18129,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18137,7 +18137,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18145,7 +18145,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18153,7 +18153,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18161,7 +18161,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18169,7 +18169,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18177,7 +18177,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18185,7 +18185,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18193,7 +18193,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18201,7 +18201,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18209,7 +18209,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18217,7 +18217,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18225,7 +18225,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18233,7 +18233,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18241,7 +18241,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18249,7 +18249,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18257,7 +18257,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18265,7 +18265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18273,7 +18273,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18281,7 +18281,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18289,7 +18289,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18297,7 +18297,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18305,7 +18305,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18313,7 +18313,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18321,7 +18321,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18329,7 +18329,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18337,7 +18337,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18345,7 +18345,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18353,7 +18353,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18361,7 +18361,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18369,7 +18369,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18377,7 +18377,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18385,7 +18385,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18393,7 +18393,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18401,7 +18401,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18409,7 +18409,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18417,7 +18417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18425,7 +18425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18433,7 +18433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18441,7 +18441,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18449,7 +18449,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18457,7 +18457,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18465,7 +18465,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18473,7 +18473,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18481,7 +18481,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18489,7 +18489,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18497,7 +18497,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18505,7 +18505,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18513,7 +18513,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18521,7 +18521,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18529,7 +18529,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18537,7 +18537,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18545,7 +18545,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18553,7 +18553,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18561,7 +18561,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18569,7 +18569,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18577,7 +18577,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18585,7 +18585,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18593,7 +18593,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18601,7 +18601,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18609,7 +18609,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18617,7 +18617,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18625,7 +18625,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18633,7 +18633,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18641,7 +18641,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18649,7 +18649,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18657,7 +18657,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18665,7 +18665,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18673,7 +18673,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18681,7 +18681,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18689,7 +18689,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18697,7 +18697,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18705,7 +18705,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18713,7 +18713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18721,7 +18721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18729,7 +18729,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18737,7 +18737,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18745,7 +18745,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18753,7 +18753,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18761,7 +18761,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18769,7 +18769,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18777,7 +18777,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18785,7 +18785,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18793,7 +18793,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18801,7 +18801,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18809,7 +18809,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18817,7 +18817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18825,7 +18825,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18833,7 +18833,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18841,7 +18841,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18849,7 +18849,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18857,7 +18857,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18865,7 +18865,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18873,7 +18873,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18881,7 +18881,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18889,7 +18889,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18897,7 +18897,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18905,7 +18905,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18913,7 +18913,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18921,7 +18921,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18929,7 +18929,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18937,7 +18937,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18945,7 +18945,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18953,7 +18953,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18961,7 +18961,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18969,7 +18969,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18977,7 +18977,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18985,7 +18985,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18993,7 +18993,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19001,7 +19001,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19009,7 +19009,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19017,7 +19017,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19025,7 +19025,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19033,7 +19033,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19041,7 +19041,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19049,7 +19049,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19057,7 +19057,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19065,7 +19065,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19073,7 +19073,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19081,7 +19081,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19089,7 +19089,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19097,7 +19097,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -19105,7 +19105,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19113,7 +19113,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19121,7 +19121,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19129,7 +19129,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19137,7 +19137,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19145,7 +19145,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19153,7 +19153,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19161,7 +19161,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19169,7 +19169,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19177,7 +19177,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19185,7 +19185,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Recovery And Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19193,7 +19193,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19201,7 +19201,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19209,7 +19209,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19217,7 +19217,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19225,7 +19225,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19233,7 +19233,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19241,7 +19241,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19249,7 +19249,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19257,7 +19257,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19265,7 +19265,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19273,7 +19273,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19281,7 +19281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19289,7 +19289,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19297,7 +19297,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19305,7 +19305,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19313,7 +19313,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19321,7 +19321,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19329,7 +19329,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19337,7 +19337,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19345,7 +19345,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19353,7 +19353,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19361,7 +19361,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19369,7 +19369,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19377,7 +19377,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19385,7 +19385,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19393,7 +19393,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19401,7 +19401,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19409,7 +19409,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19417,7 +19417,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19425,7 +19425,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19433,7 +19433,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19441,7 +19441,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19449,7 +19449,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19457,7 +19457,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19465,7 +19465,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19473,7 +19473,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19481,7 +19481,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19489,7 +19489,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19497,7 +19497,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19505,7 +19505,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19513,7 +19513,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19521,7 +19521,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19529,7 +19529,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19537,7 +19537,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19545,7 +19545,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19553,7 +19553,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19561,7 +19561,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19569,7 +19569,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19577,7 +19577,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19585,7 +19585,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -19593,7 +19593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -19601,7 +19601,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -19609,7 +19609,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19617,7 +19617,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Re-Authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -19625,7 +19625,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19633,7 +19633,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19641,7 +19641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19649,7 +19649,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19657,7 +19657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19665,7 +19665,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19673,7 +19673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19681,7 +19681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19689,7 +19689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19697,7 +19697,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19705,7 +19705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19713,7 +19713,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19721,7 +19721,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19729,7 +19729,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19737,7 +19737,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19745,7 +19745,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19753,7 +19753,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19761,7 +19761,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19769,7 +19769,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19777,7 +19777,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19785,7 +19785,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19793,7 +19793,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19801,7 +19801,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19809,7 +19809,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19817,7 +19817,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19825,7 +19825,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19833,7 +19833,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19841,7 +19841,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19849,7 +19849,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19857,7 +19857,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19865,7 +19865,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19873,7 +19873,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19881,7 +19881,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19889,7 +19889,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19897,7 +19897,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19905,7 +19905,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19913,7 +19913,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19921,7 +19921,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19929,7 +19929,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19937,7 +19937,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19945,7 +19945,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19953,7 +19953,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19961,7 +19961,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19969,7 +19969,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19977,7 +19977,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19985,7 +19985,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19993,7 +19993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20001,7 +20001,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20009,7 +20009,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20017,7 +20017,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20025,7 +20025,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20033,7 +20033,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20041,7 +20041,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20049,7 +20049,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20057,7 +20057,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20065,7 +20065,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20073,7 +20073,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20081,7 +20081,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20089,7 +20089,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20097,7 +20097,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20105,7 +20105,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20113,7 +20113,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20121,7 +20121,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20129,7 +20129,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20137,7 +20137,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20145,7 +20145,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20153,7 +20153,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20161,7 +20161,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20169,7 +20169,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20177,7 +20177,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20185,7 +20185,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20193,7 +20193,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20201,7 +20201,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20209,7 +20209,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20217,7 +20217,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20225,7 +20225,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20233,7 +20233,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20241,7 +20241,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20249,7 +20249,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20257,7 +20257,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20265,7 +20265,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20273,7 +20273,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20281,7 +20281,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20289,7 +20289,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20297,7 +20297,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20305,7 +20305,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20313,7 +20313,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20321,7 +20321,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20329,7 +20329,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20337,7 +20337,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20345,7 +20345,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20353,7 +20353,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20361,7 +20361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20369,7 +20369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20377,7 +20377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20385,7 +20385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20393,7 +20393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20401,7 +20401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20409,7 +20409,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20417,7 +20417,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20425,7 +20425,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20433,7 +20433,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20441,7 +20441,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20449,7 +20449,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20457,7 +20457,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20465,7 +20465,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20473,7 +20473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20481,7 +20481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20489,7 +20489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20497,7 +20497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20505,7 +20505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20513,7 +20513,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20521,7 +20521,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20529,7 +20529,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20537,7 +20537,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20545,7 +20545,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20553,7 +20553,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20561,7 +20561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20569,7 +20569,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20577,7 +20577,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20585,7 +20585,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20593,7 +20593,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20601,7 +20601,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20609,7 +20609,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20617,7 +20617,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20625,7 +20625,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20633,7 +20633,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20641,7 +20641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20649,7 +20649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20657,7 +20657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20665,7 +20665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20673,7 +20673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20681,7 +20681,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20689,7 +20689,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20697,7 +20697,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20705,7 +20705,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20713,7 +20713,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20721,7 +20721,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20729,7 +20729,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20737,7 +20737,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20745,7 +20745,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20753,7 +20753,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20761,7 +20761,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20769,7 +20769,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20777,7 +20777,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20785,7 +20785,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20793,7 +20793,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20801,7 +20801,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20809,7 +20809,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20817,7 +20817,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20825,7 +20825,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20833,7 +20833,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20841,7 +20841,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20849,7 +20849,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20857,7 +20857,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Identification And Authentication (Organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20865,7 +20865,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20873,7 +20873,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20881,7 +20881,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20889,7 +20889,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20897,7 +20897,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20905,7 +20905,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20913,7 +20913,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Device Identification And Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20921,7 +20921,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20929,7 +20929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20937,7 +20937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20945,7 +20945,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20953,7 +20953,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20961,7 +20961,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20969,7 +20969,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20977,7 +20977,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20985,7 +20985,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20993,7 +20993,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21001,7 +21001,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21009,7 +21009,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21017,7 +21017,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21025,7 +21025,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21033,7 +21033,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21041,7 +21041,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21049,7 +21049,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21057,7 +21057,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21065,7 +21065,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21073,7 +21073,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21081,7 +21081,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21089,7 +21089,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21097,7 +21097,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21105,7 +21105,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21113,7 +21113,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21121,7 +21121,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21129,7 +21129,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21137,7 +21137,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21145,7 +21145,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21153,7 +21153,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21161,7 +21161,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21169,7 +21169,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21177,7 +21177,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21185,7 +21185,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21193,7 +21193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21201,7 +21201,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21209,7 +21209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21217,7 +21217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21225,7 +21225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21233,7 +21233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21241,7 +21241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21249,7 +21249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21257,7 +21257,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21265,7 +21265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21273,7 +21273,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21281,7 +21281,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21289,7 +21289,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21297,7 +21297,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21305,7 +21305,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21313,7 +21313,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21321,7 +21321,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21329,7 +21329,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21337,7 +21337,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21345,7 +21345,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21353,7 +21353,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21361,7 +21361,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21369,7 +21369,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21377,7 +21377,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21385,7 +21385,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21393,7 +21393,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21401,7 +21401,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21409,7 +21409,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21417,7 +21417,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21425,7 +21425,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21433,7 +21433,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21441,7 +21441,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21449,7 +21449,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21457,7 +21457,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21465,7 +21465,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21473,7 +21473,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21481,7 +21481,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21489,7 +21489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21497,7 +21497,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21505,7 +21505,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21513,7 +21513,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21521,7 +21521,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21529,7 +21529,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21537,7 +21537,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21545,7 +21545,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21553,7 +21553,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21561,7 +21561,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21569,7 +21569,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21577,7 +21577,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21585,7 +21585,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21593,7 +21593,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21601,7 +21601,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21609,7 +21609,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21617,7 +21617,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21625,7 +21625,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21633,7 +21633,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21641,7 +21641,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21649,7 +21649,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21657,7 +21657,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21665,7 +21665,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21673,7 +21673,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21681,7 +21681,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21689,7 +21689,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21697,7 +21697,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21705,7 +21705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21713,7 +21713,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21721,7 +21721,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21729,7 +21729,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21737,7 +21737,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21745,7 +21745,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21753,7 +21753,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Authenticator Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21761,7 +21761,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21769,7 +21769,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21777,7 +21777,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21785,7 +21785,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21793,7 +21793,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21801,7 +21801,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21809,7 +21809,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21817,7 +21817,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21825,7 +21825,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21833,7 +21833,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21841,7 +21841,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21849,7 +21849,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21857,7 +21857,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21865,7 +21865,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21873,7 +21873,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21881,7 +21881,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21889,7 +21889,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21897,7 +21897,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21905,7 +21905,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21913,7 +21913,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21921,7 +21921,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21929,7 +21929,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21937,7 +21937,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21945,7 +21945,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21953,7 +21953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21961,7 +21961,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21969,7 +21969,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21977,7 +21977,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21985,7 +21985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21993,7 +21993,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22001,7 +22001,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification And Authentication (Non-Organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22009,7 +22009,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22017,7 +22017,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22025,7 +22025,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22033,7 +22033,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22041,7 +22041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22049,7 +22049,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22057,7 +22057,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22065,7 +22065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22073,7 +22073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22081,7 +22081,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22089,7 +22089,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22097,7 +22097,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22105,7 +22105,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22113,7 +22113,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22121,7 +22121,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22129,7 +22129,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22137,7 +22137,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22145,7 +22145,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22153,7 +22153,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22161,7 +22161,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22169,7 +22169,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22177,7 +22177,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Service Identification And Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22185,7 +22185,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22193,7 +22193,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22201,7 +22201,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22209,7 +22209,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22217,7 +22217,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22225,7 +22225,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22233,7 +22233,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22241,7 +22241,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22249,7 +22249,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22257,7 +22257,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22265,7 +22265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22273,7 +22273,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22281,7 +22281,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22289,7 +22289,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22297,7 +22297,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22305,7 +22305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22313,7 +22313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22321,7 +22321,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22329,7 +22329,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22337,7 +22337,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22345,7 +22345,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22353,7 +22353,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22361,7 +22361,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22369,7 +22369,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22377,7 +22377,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22385,7 +22385,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22393,7 +22393,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22401,7 +22401,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22409,7 +22409,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22417,7 +22417,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22425,7 +22425,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22433,7 +22433,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22441,7 +22441,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22449,7 +22449,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22457,7 +22457,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22465,7 +22465,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22473,7 +22473,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22481,7 +22481,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22489,7 +22489,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22497,7 +22497,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22505,7 +22505,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22513,7 +22513,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22521,7 +22521,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22529,7 +22529,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22537,7 +22537,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22545,7 +22545,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22553,7 +22553,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22561,7 +22561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22569,7 +22569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22577,7 +22577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22585,7 +22585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22593,7 +22593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22601,7 +22601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22609,7 +22609,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22617,7 +22617,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22625,7 +22625,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22633,7 +22633,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22641,7 +22641,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22649,7 +22649,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22657,7 +22657,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22665,7 +22665,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22673,7 +22673,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22681,7 +22681,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22689,7 +22689,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22697,7 +22697,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22705,7 +22705,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22713,7 +22713,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22721,7 +22721,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22729,7 +22729,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22737,7 +22737,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22745,7 +22745,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22753,7 +22753,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22761,7 +22761,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22769,7 +22769,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22777,7 +22777,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22785,7 +22785,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22793,7 +22793,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22801,7 +22801,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22809,7 +22809,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22817,7 +22817,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22825,7 +22825,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22833,7 +22833,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22841,7 +22841,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22849,7 +22849,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22857,7 +22857,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22865,7 +22865,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22873,7 +22873,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22881,7 +22881,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22889,7 +22889,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22897,7 +22897,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22905,7 +22905,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22913,7 +22913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22921,7 +22921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22929,7 +22929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22937,7 +22937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22945,7 +22945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22953,7 +22953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22961,7 +22961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22969,7 +22969,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22977,7 +22977,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22985,7 +22985,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22993,7 +22993,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -23001,7 +23001,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Vulnerability Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23009,7 +23009,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23017,7 +23017,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23025,7 +23025,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23033,7 +23033,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23041,7 +23041,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23049,7 +23049,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23057,7 +23057,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23065,7 +23065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23073,7 +23073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23081,7 +23081,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23089,7 +23089,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23097,7 +23097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23105,7 +23105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23113,7 +23113,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23121,7 +23121,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23129,7 +23129,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23137,7 +23137,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23145,7 +23145,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23153,7 +23153,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23161,7 +23161,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23169,7 +23169,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23177,7 +23177,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23185,7 +23185,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23193,7 +23193,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23201,7 +23201,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23209,7 +23209,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23217,7 +23217,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23225,7 +23225,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23233,7 +23233,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23241,7 +23241,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23249,7 +23249,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23257,7 +23257,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23265,7 +23265,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23273,7 +23273,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23281,7 +23281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23289,7 +23289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23297,7 +23297,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23305,7 +23305,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23313,7 +23313,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23321,7 +23321,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23329,7 +23329,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23337,7 +23337,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23345,7 +23345,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23353,7 +23353,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23361,7 +23361,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23369,7 +23369,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23377,7 +23377,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23385,7 +23385,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23393,7 +23393,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Developer Security Testing And Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23401,7 +23401,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23409,7 +23409,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23417,7 +23417,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23425,7 +23425,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23433,7 +23433,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23441,7 +23441,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23449,7 +23449,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23457,7 +23457,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23465,7 +23465,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23473,7 +23473,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23481,7 +23481,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Trustworthiness + capability-id: SA-13 comments: '' mapping-description: '' mapping-type: mitigates @@ -23489,7 +23489,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23497,7 +23497,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23505,7 +23505,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23513,7 +23513,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23521,7 +23521,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23529,7 +23529,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23537,7 +23537,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23545,7 +23545,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23553,7 +23553,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23561,7 +23561,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23569,7 +23569,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23577,7 +23577,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Criticality Analysis + capability-id: SA-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -23585,7 +23585,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23593,7 +23593,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23601,7 +23601,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23609,7 +23609,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23617,7 +23617,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23625,7 +23625,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23633,7 +23633,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23641,7 +23641,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23649,7 +23649,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23657,7 +23657,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23665,7 +23665,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23673,7 +23673,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Development Process, Standards, And Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23681,7 +23681,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23689,7 +23689,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23697,7 +23697,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23705,7 +23705,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23713,7 +23713,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer-Provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23721,7 +23721,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23729,7 +23729,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23737,7 +23737,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23745,7 +23745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23753,7 +23753,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23761,7 +23761,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23769,7 +23769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security Architecture And Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23777,7 +23777,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Component Authenticity + capability-id: SA-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -23785,7 +23785,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23793,7 +23793,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23801,7 +23801,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23809,7 +23809,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23817,7 +23817,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23825,7 +23825,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23833,7 +23833,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23841,7 +23841,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23849,7 +23849,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23857,7 +23857,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23865,7 +23865,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23873,7 +23873,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23881,7 +23881,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23889,7 +23889,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23897,7 +23897,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23905,7 +23905,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23913,7 +23913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23921,7 +23921,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23929,7 +23929,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23937,7 +23937,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23945,7 +23945,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23953,7 +23953,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23961,7 +23961,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23969,7 +23969,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23977,7 +23977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Security Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23985,7 +23985,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23993,7 +23993,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24001,7 +24001,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24009,7 +24009,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -24017,7 +24017,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24025,7 +24025,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24033,7 +24033,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24041,7 +24041,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24049,7 +24049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24057,7 +24057,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24065,7 +24065,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24073,7 +24073,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24081,7 +24081,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24089,7 +24089,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24097,7 +24097,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Cryptographic Key Establishment And Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -24105,7 +24105,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -24113,7 +24113,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -24121,7 +24121,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Transmission Of Security Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -24129,7 +24129,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24137,7 +24137,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24145,7 +24145,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24153,7 +24153,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24161,7 +24161,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24169,7 +24169,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24177,7 +24177,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24185,7 +24185,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24193,7 +24193,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24201,7 +24201,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24209,7 +24209,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24217,7 +24217,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24225,7 +24225,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24233,7 +24233,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24241,7 +24241,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24249,7 +24249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24257,7 +24257,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24265,7 +24265,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24273,7 +24273,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24281,7 +24281,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24289,7 +24289,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24297,7 +24297,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24305,7 +24305,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24313,7 +24313,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24321,7 +24321,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24329,7 +24329,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24337,7 +24337,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24345,7 +24345,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24353,7 +24353,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24361,7 +24361,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24369,7 +24369,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24377,7 +24377,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24385,7 +24385,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24393,7 +24393,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24401,7 +24401,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24409,7 +24409,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24417,7 +24417,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24425,7 +24425,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24433,7 +24433,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Application Partitioning + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24441,7 +24441,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24449,7 +24449,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24457,7 +24457,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24465,7 +24465,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24473,7 +24473,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24481,7 +24481,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24489,7 +24489,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24497,7 +24497,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24505,7 +24505,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24513,7 +24513,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24521,7 +24521,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24529,7 +24529,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24537,7 +24537,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24545,7 +24545,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Secure Name / Address Resolution Service (Authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24553,7 +24553,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24561,7 +24561,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24569,7 +24569,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24577,7 +24577,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24585,7 +24585,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24593,7 +24593,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24601,7 +24601,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24609,7 +24609,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24617,7 +24617,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24625,7 +24625,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24633,7 +24633,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24641,7 +24641,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24649,7 +24649,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24657,7 +24657,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Architecture And Provisioning For Name / Address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24665,7 +24665,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24673,7 +24673,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24681,7 +24681,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24689,7 +24689,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24697,7 +24697,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24705,7 +24705,7 @@ attack-objects: tags: [] - attack-object-id: T1535 attack-object-name: Unused/Unsupported Cloud Regions - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24713,7 +24713,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24721,7 +24721,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24729,7 +24729,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24737,7 +24737,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24745,7 +24745,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24753,7 +24753,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24761,7 +24761,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24769,7 +24769,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24777,7 +24777,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -24785,7 +24785,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -24793,7 +24793,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -24801,7 +24801,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Honeypots + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -24809,7 +24809,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24817,7 +24817,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24825,7 +24825,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24833,7 +24833,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24841,7 +24841,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24849,7 +24849,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24857,7 +24857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24865,7 +24865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24873,7 +24873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24881,7 +24881,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24889,7 +24889,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24897,7 +24897,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24905,7 +24905,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24913,7 +24913,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24921,7 +24921,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24929,7 +24929,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24937,7 +24937,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24945,7 +24945,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24953,7 +24953,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24961,7 +24961,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24969,7 +24969,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24977,7 +24977,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24985,7 +24985,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24993,7 +24993,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -25001,7 +25001,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25009,7 +25009,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -25017,7 +25017,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -25025,7 +25025,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -25033,7 +25033,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -25041,7 +25041,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -25049,7 +25049,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Protection Of Information At Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -25057,7 +25057,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25065,7 +25065,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -25073,7 +25073,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -25081,7 +25081,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -25089,7 +25089,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -25097,7 +25097,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -25105,7 +25105,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -25113,7 +25113,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25121,7 +25121,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25129,7 +25129,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25137,7 +25137,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25145,7 +25145,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25153,7 +25153,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25161,7 +25161,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25169,7 +25169,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25177,7 +25177,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25185,7 +25185,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25193,7 +25193,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25201,7 +25201,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25209,7 +25209,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25217,7 +25217,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25225,7 +25225,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25233,7 +25233,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25241,7 +25241,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25249,7 +25249,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25257,7 +25257,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25265,7 +25265,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25273,7 +25273,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25281,7 +25281,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25289,7 +25289,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Concealment And Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25297,7 +25297,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25305,7 +25305,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25313,7 +25313,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25321,7 +25321,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25329,7 +25329,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25337,7 +25337,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25345,7 +25345,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25353,7 +25353,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25361,7 +25361,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25369,7 +25369,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25377,7 +25377,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25385,7 +25385,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25393,7 +25393,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25401,7 +25401,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25409,7 +25409,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25417,7 +25417,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25425,7 +25425,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25433,7 +25433,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25441,7 +25441,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Non-Modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25449,7 +25449,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -25457,7 +25457,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -25465,7 +25465,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -25473,7 +25473,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Honeyclients + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25481,7 +25481,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25489,7 +25489,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25497,7 +25497,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25505,7 +25505,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25513,7 +25513,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25521,7 +25521,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Distributed Processing And Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25529,7 +25529,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25537,7 +25537,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25545,7 +25545,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25553,7 +25553,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25561,7 +25561,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Out-Of-Band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25569,7 +25569,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25577,7 +25577,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25585,7 +25585,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25593,7 +25593,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25601,7 +25601,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25609,7 +25609,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25617,7 +25617,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25625,7 +25625,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25633,7 +25633,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25641,7 +25641,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25649,7 +25649,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25657,7 +25657,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25665,7 +25665,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25673,7 +25673,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25681,7 +25681,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25689,7 +25689,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25697,7 +25697,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25705,7 +25705,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25713,7 +25713,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25721,7 +25721,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25729,7 +25729,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25737,7 +25737,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25745,7 +25745,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25753,7 +25753,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25761,7 +25761,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25769,7 +25769,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25777,7 +25777,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25785,7 +25785,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25793,7 +25793,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25801,7 +25801,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25809,7 +25809,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25817,7 +25817,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25825,7 +25825,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25833,7 +25833,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25841,7 +25841,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25849,7 +25849,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25857,7 +25857,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25865,7 +25865,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25873,7 +25873,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25881,7 +25881,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25889,7 +25889,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25897,7 +25897,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25905,7 +25905,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25913,7 +25913,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25921,7 +25921,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25929,7 +25929,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25937,7 +25937,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information In Shared Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25945,7 +25945,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -25953,7 +25953,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25961,7 +25961,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -25969,7 +25969,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Port And I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -25977,7 +25977,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25985,7 +25985,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25993,7 +25993,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26001,7 +26001,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26009,7 +26009,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26017,7 +26017,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26025,7 +26025,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26033,7 +26033,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26041,7 +26041,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26049,7 +26049,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26057,7 +26057,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26065,7 +26065,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26073,7 +26073,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -26081,7 +26081,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26089,7 +26089,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26097,7 +26097,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26105,7 +26105,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26113,7 +26113,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26121,7 +26121,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26129,7 +26129,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26137,7 +26137,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26145,7 +26145,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26153,7 +26153,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26161,7 +26161,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26169,7 +26169,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26177,7 +26177,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26185,7 +26185,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26193,7 +26193,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26201,7 +26201,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26209,7 +26209,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26217,7 +26217,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26225,7 +26225,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26233,7 +26233,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26241,7 +26241,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26249,7 +26249,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26257,7 +26257,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26265,7 +26265,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26273,7 +26273,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26281,7 +26281,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26289,7 +26289,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26297,7 +26297,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26305,7 +26305,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26313,7 +26313,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26321,7 +26321,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26329,7 +26329,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26337,7 +26337,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26345,7 +26345,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26353,7 +26353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26361,7 +26361,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26369,7 +26369,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26377,7 +26377,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26385,7 +26385,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26393,7 +26393,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26401,7 +26401,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26409,7 +26409,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26417,7 +26417,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26425,7 +26425,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26433,7 +26433,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26441,7 +26441,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26449,7 +26449,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26457,7 +26457,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26465,7 +26465,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26473,7 +26473,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26481,7 +26481,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26489,7 +26489,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26497,7 +26497,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26505,7 +26505,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26513,7 +26513,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26521,7 +26521,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26529,7 +26529,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26537,7 +26537,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26545,7 +26545,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26553,7 +26553,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26561,7 +26561,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26569,7 +26569,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26577,7 +26577,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26585,7 +26585,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26593,7 +26593,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26601,7 +26601,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26609,7 +26609,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26617,7 +26617,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26625,7 +26625,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26633,7 +26633,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26641,7 +26641,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26649,7 +26649,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26657,7 +26657,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26665,7 +26665,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26673,7 +26673,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26681,7 +26681,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26689,7 +26689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26697,7 +26697,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26705,7 +26705,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26713,7 +26713,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26721,7 +26721,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26729,7 +26729,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26737,7 +26737,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26745,7 +26745,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26753,7 +26753,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26761,7 +26761,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26769,7 +26769,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26777,7 +26777,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26785,7 +26785,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26793,7 +26793,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26801,7 +26801,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26809,7 +26809,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26817,7 +26817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26825,7 +26825,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26833,7 +26833,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26841,7 +26841,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26849,7 +26849,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26857,7 +26857,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26865,7 +26865,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26873,7 +26873,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26881,7 +26881,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26889,7 +26889,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26897,7 +26897,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26905,7 +26905,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26913,7 +26913,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26921,7 +26921,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26929,7 +26929,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26937,7 +26937,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26945,7 +26945,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26953,7 +26953,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26961,7 +26961,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26969,7 +26969,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26977,7 +26977,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26985,7 +26985,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26993,7 +26993,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27001,7 +27001,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27009,7 +27009,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27017,7 +27017,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27025,7 +27025,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27033,7 +27033,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27041,7 +27041,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27049,7 +27049,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27057,7 +27057,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27065,7 +27065,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27073,7 +27073,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27081,7 +27081,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27089,7 +27089,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27097,7 +27097,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27105,7 +27105,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27113,7 +27113,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27121,7 +27121,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27129,7 +27129,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27137,7 +27137,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27145,7 +27145,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27153,7 +27153,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27161,7 +27161,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27169,7 +27169,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27177,7 +27177,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27185,7 +27185,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27193,7 +27193,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27201,7 +27201,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27209,7 +27209,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27217,7 +27217,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27225,7 +27225,7 @@ attack-objects: tags: [] - attack-object-id: T1090.004 attack-object-name: Domain Fronting - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27233,7 +27233,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27241,7 +27241,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27249,7 +27249,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27257,7 +27257,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27265,7 +27265,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27273,7 +27273,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27281,7 +27281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27289,7 +27289,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27297,7 +27297,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27305,7 +27305,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Transmission Confidentiality And Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27313,7 +27313,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27321,7 +27321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27329,7 +27329,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27337,7 +27337,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27345,7 +27345,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27353,7 +27353,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27361,7 +27361,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27369,7 +27369,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27377,7 +27377,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27385,7 +27385,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27393,7 +27393,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27401,7 +27401,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27409,7 +27409,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27417,7 +27417,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27425,7 +27425,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27433,7 +27433,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27441,7 +27441,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27449,7 +27449,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27457,7 +27457,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27465,7 +27465,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27473,7 +27473,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27481,7 +27481,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27489,7 +27489,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27497,7 +27497,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27505,7 +27505,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27513,7 +27513,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27521,7 +27521,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27529,7 +27529,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27537,7 +27537,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27545,7 +27545,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27553,7 +27553,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27561,7 +27561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27569,7 +27569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27577,7 +27577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27585,7 +27585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27593,7 +27593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27601,7 +27601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27609,7 +27609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27617,7 +27617,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27625,7 +27625,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27633,7 +27633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27641,7 +27641,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27649,7 +27649,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27657,7 +27657,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27665,7 +27665,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27673,7 +27673,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27681,7 +27681,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27689,7 +27689,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27697,7 +27697,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27705,7 +27705,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27713,7 +27713,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27721,7 +27721,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27729,7 +27729,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27737,7 +27737,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27745,7 +27745,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27753,7 +27753,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27761,7 +27761,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27769,7 +27769,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27777,7 +27777,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27785,7 +27785,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27793,7 +27793,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27801,7 +27801,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27809,7 +27809,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27817,7 +27817,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27825,7 +27825,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27833,7 +27833,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27841,7 +27841,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27849,7 +27849,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27857,7 +27857,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27865,7 +27865,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27873,7 +27873,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27881,7 +27881,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27889,7 +27889,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27897,7 +27897,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27905,7 +27905,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27913,7 +27913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27921,7 +27921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27929,7 +27929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27937,7 +27937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27945,7 +27945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27953,7 +27953,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27961,7 +27961,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27969,7 +27969,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27977,7 +27977,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27985,7 +27985,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27993,7 +27993,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -28001,7 +28001,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28009,7 +28009,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28017,7 +28017,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28025,7 +28025,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28033,7 +28033,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28041,7 +28041,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28049,7 +28049,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28057,7 +28057,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28065,7 +28065,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28073,7 +28073,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28081,7 +28081,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28089,7 +28089,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28097,7 +28097,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28105,7 +28105,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28113,7 +28113,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28121,7 +28121,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28129,7 +28129,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28137,7 +28137,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28145,7 +28145,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28153,7 +28153,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28161,7 +28161,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28169,7 +28169,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28177,7 +28177,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28185,7 +28185,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28193,7 +28193,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28201,7 +28201,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28209,7 +28209,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28217,7 +28217,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28225,7 +28225,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28233,7 +28233,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Handling And Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28241,7 +28241,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28249,7 +28249,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28257,7 +28257,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28265,7 +28265,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28273,7 +28273,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28281,7 +28281,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28289,7 +28289,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28297,7 +28297,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28305,7 +28305,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28313,7 +28313,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28321,7 +28321,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28329,7 +28329,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28337,7 +28337,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28345,7 +28345,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28353,7 +28353,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28361,7 +28361,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28369,7 +28369,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28377,7 +28377,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28385,7 +28385,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28393,7 +28393,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28401,7 +28401,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28409,7 +28409,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28417,7 +28417,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28425,7 +28425,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28433,7 +28433,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28441,7 +28441,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28449,7 +28449,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28457,7 +28457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28465,7 +28465,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28473,7 +28473,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28481,7 +28481,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28489,7 +28489,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28497,7 +28497,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28505,7 +28505,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28513,7 +28513,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28521,7 +28521,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28529,7 +28529,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28537,7 +28537,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28545,7 +28545,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28553,7 +28553,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28561,7 +28561,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28569,7 +28569,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28577,7 +28577,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28585,7 +28585,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28593,7 +28593,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28601,7 +28601,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28609,7 +28609,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28617,7 +28617,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28625,7 +28625,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28633,7 +28633,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28641,7 +28641,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28649,7 +28649,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28657,7 +28657,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28665,7 +28665,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28673,7 +28673,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28681,7 +28681,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28689,7 +28689,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28697,7 +28697,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28705,7 +28705,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28713,7 +28713,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28721,7 +28721,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28729,7 +28729,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28737,7 +28737,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28745,7 +28745,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28753,7 +28753,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28761,7 +28761,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28769,7 +28769,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28777,7 +28777,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28785,7 +28785,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28793,7 +28793,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28801,7 +28801,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28809,7 +28809,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28817,7 +28817,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28825,7 +28825,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28833,7 +28833,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28841,7 +28841,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28849,7 +28849,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28857,7 +28857,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28865,7 +28865,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28873,7 +28873,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28881,7 +28881,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28889,7 +28889,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28897,7 +28897,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28905,7 +28905,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28913,7 +28913,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28921,7 +28921,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28929,7 +28929,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28937,7 +28937,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28945,7 +28945,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28953,7 +28953,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28961,7 +28961,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28969,7 +28969,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28977,7 +28977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28985,7 +28985,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28993,7 +28993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29001,7 +29001,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29009,7 +29009,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29017,7 +29017,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29025,7 +29025,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29033,7 +29033,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29041,7 +29041,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29049,7 +29049,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29057,7 +29057,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29065,7 +29065,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29073,7 +29073,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29081,7 +29081,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29089,7 +29089,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29097,7 +29097,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29105,7 +29105,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29113,7 +29113,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29121,7 +29121,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29129,7 +29129,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29137,7 +29137,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29145,7 +29145,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29153,7 +29153,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29161,7 +29161,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29169,7 +29169,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29177,7 +29177,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29185,7 +29185,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29193,7 +29193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29201,7 +29201,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29209,7 +29209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29217,7 +29217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29225,7 +29225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29233,7 +29233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29241,7 +29241,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29249,7 +29249,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29257,7 +29257,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29265,7 +29265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29273,7 +29273,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29281,7 +29281,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29289,7 +29289,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29297,7 +29297,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29305,7 +29305,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29313,7 +29313,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29321,7 +29321,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29329,7 +29329,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29337,7 +29337,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29345,7 +29345,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29353,7 +29353,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29361,7 +29361,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29369,7 +29369,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29377,7 +29377,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29385,7 +29385,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29393,7 +29393,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29401,7 +29401,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29409,7 +29409,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29417,7 +29417,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29425,7 +29425,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29433,7 +29433,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29441,7 +29441,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29449,7 +29449,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29457,7 +29457,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29465,7 +29465,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29473,7 +29473,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29481,7 +29481,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29489,7 +29489,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29497,7 +29497,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29505,7 +29505,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29513,7 +29513,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29521,7 +29521,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29529,7 +29529,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29537,7 +29537,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29545,7 +29545,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29553,7 +29553,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29561,7 +29561,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29569,7 +29569,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29577,7 +29577,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29585,7 +29585,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29593,7 +29593,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29601,7 +29601,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29609,7 +29609,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29617,7 +29617,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29625,7 +29625,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29633,7 +29633,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29641,7 +29641,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29649,7 +29649,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29657,7 +29657,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29665,7 +29665,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29673,7 +29673,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29681,7 +29681,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29689,7 +29689,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29697,7 +29697,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29705,7 +29705,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29713,7 +29713,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29721,7 +29721,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29729,7 +29729,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29737,7 +29737,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29745,7 +29745,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29753,7 +29753,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29761,7 +29761,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29769,7 +29769,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29777,7 +29777,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29785,7 +29785,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29793,7 +29793,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29801,7 +29801,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29809,7 +29809,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29817,7 +29817,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29825,7 +29825,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29833,7 +29833,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29841,7 +29841,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29849,7 +29849,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29857,7 +29857,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29865,7 +29865,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29873,7 +29873,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29881,7 +29881,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29889,7 +29889,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29897,7 +29897,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29905,7 +29905,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29913,7 +29913,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29921,7 +29921,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29929,7 +29929,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29937,7 +29937,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29945,7 +29945,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29953,7 +29953,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29961,7 +29961,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29969,7 +29969,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29977,7 +29977,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29985,7 +29985,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29993,7 +29993,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30001,7 +30001,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30009,7 +30009,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30017,7 +30017,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30025,7 +30025,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30033,7 +30033,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30041,7 +30041,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30049,7 +30049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30057,7 +30057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30065,7 +30065,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30073,7 +30073,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30081,7 +30081,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30089,7 +30089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30097,7 +30097,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30105,7 +30105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30113,7 +30113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30121,7 +30121,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30129,7 +30129,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30137,7 +30137,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30145,7 +30145,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30153,7 +30153,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30161,7 +30161,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30169,7 +30169,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30177,7 +30177,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30185,7 +30185,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30193,7 +30193,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30201,7 +30201,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30209,7 +30209,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30217,7 +30217,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30225,7 +30225,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30233,7 +30233,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30241,7 +30241,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30249,7 +30249,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30257,7 +30257,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30265,7 +30265,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30273,7 +30273,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30281,7 +30281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30289,7 +30289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30297,7 +30297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30305,7 +30305,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30313,7 +30313,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30321,7 +30321,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30329,7 +30329,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30337,7 +30337,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30345,7 +30345,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30353,7 +30353,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30361,7 +30361,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30369,7 +30369,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30377,7 +30377,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30385,7 +30385,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30393,7 +30393,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30401,7 +30401,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30409,7 +30409,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30417,7 +30417,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30425,7 +30425,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30433,7 +30433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30441,7 +30441,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30449,7 +30449,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30457,7 +30457,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30465,7 +30465,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30473,7 +30473,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30481,7 +30481,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30489,7 +30489,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30497,7 +30497,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30505,7 +30505,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30513,7 +30513,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30521,7 +30521,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30529,7 +30529,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30537,7 +30537,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30545,7 +30545,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30553,7 +30553,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30561,7 +30561,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30569,7 +30569,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30577,7 +30577,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30585,7 +30585,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30593,7 +30593,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30601,7 +30601,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30609,7 +30609,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30617,7 +30617,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30625,7 +30625,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30633,7 +30633,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30641,7 +30641,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30649,7 +30649,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30657,7 +30657,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30665,7 +30665,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30673,7 +30673,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30681,7 +30681,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30689,7 +30689,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30697,7 +30697,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30705,7 +30705,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30713,7 +30713,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30721,7 +30721,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30729,7 +30729,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30737,7 +30737,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30745,7 +30745,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30753,7 +30753,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30761,7 +30761,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30769,7 +30769,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30777,7 +30777,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30785,7 +30785,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30793,7 +30793,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30801,7 +30801,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30809,7 +30809,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30817,7 +30817,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30825,7 +30825,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30833,7 +30833,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30841,7 +30841,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30849,7 +30849,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30857,7 +30857,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30865,7 +30865,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30873,7 +30873,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30881,7 +30881,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30889,7 +30889,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30897,7 +30897,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30905,7 +30905,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30913,7 +30913,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30921,7 +30921,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30929,7 +30929,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30937,7 +30937,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30945,7 +30945,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30953,7 +30953,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30961,7 +30961,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30969,7 +30969,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30977,7 +30977,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30985,7 +30985,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30993,7 +30993,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31001,7 +31001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31009,7 +31009,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31017,7 +31017,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31025,7 +31025,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31033,7 +31033,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31041,7 +31041,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31049,7 +31049,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31057,7 +31057,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31065,7 +31065,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31073,7 +31073,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31081,7 +31081,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31089,7 +31089,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31097,7 +31097,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31105,7 +31105,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31113,7 +31113,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31121,7 +31121,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31129,7 +31129,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31137,7 +31137,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31145,7 +31145,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31153,7 +31153,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31161,7 +31161,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31169,7 +31169,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31177,7 +31177,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31185,7 +31185,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31193,7 +31193,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31201,7 +31201,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31209,7 +31209,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31217,7 +31217,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31225,7 +31225,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31233,7 +31233,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31241,7 +31241,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31249,7 +31249,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31257,7 +31257,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31265,7 +31265,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31273,7 +31273,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31281,7 +31281,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31289,7 +31289,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31297,7 +31297,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31305,7 +31305,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31313,7 +31313,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31321,7 +31321,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31329,7 +31329,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31337,7 +31337,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31345,7 +31345,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31353,7 +31353,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31361,7 +31361,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31369,7 +31369,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31377,7 +31377,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31385,7 +31385,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31393,7 +31393,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31401,7 +31401,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31409,7 +31409,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31417,7 +31417,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31425,7 +31425,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31433,7 +31433,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31441,7 +31441,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31449,7 +31449,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31457,7 +31457,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31465,7 +31465,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31473,7 +31473,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31481,7 +31481,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31489,7 +31489,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31497,7 +31497,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31505,7 +31505,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31513,7 +31513,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31521,7 +31521,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31529,7 +31529,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31537,7 +31537,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31545,7 +31545,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31553,7 +31553,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31561,7 +31561,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31569,7 +31569,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31577,7 +31577,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31585,7 +31585,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31593,7 +31593,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31601,7 +31601,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31609,7 +31609,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31617,7 +31617,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31625,7 +31625,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31633,7 +31633,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31641,7 +31641,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31649,7 +31649,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31657,7 +31657,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31665,7 +31665,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31673,7 +31673,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31681,7 +31681,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31689,7 +31689,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31697,7 +31697,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31705,7 +31705,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31713,7 +31713,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31721,7 +31721,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31729,7 +31729,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31737,7 +31737,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31745,7 +31745,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31753,7 +31753,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31761,7 +31761,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31769,7 +31769,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31777,7 +31777,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31785,7 +31785,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31793,7 +31793,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31801,7 +31801,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31809,7 +31809,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31817,7 +31817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31825,7 +31825,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31833,7 +31833,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31841,7 +31841,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31849,7 +31849,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31857,7 +31857,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31865,7 +31865,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31873,7 +31873,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31881,7 +31881,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31889,7 +31889,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31897,7 +31897,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31905,7 +31905,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31913,7 +31913,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31921,7 +31921,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31929,7 +31929,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31937,7 +31937,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31945,7 +31945,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31953,7 +31953,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31961,7 +31961,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31969,7 +31969,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31977,7 +31977,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31985,7 +31985,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31993,7 +31993,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32001,7 +32001,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32009,7 +32009,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32017,7 +32017,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32025,7 +32025,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32033,7 +32033,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32041,7 +32041,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32049,7 +32049,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32057,7 +32057,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32065,7 +32065,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32073,7 +32073,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32081,7 +32081,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32089,7 +32089,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32097,7 +32097,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32105,7 +32105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32113,7 +32113,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32121,7 +32121,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32129,7 +32129,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32137,7 +32137,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32145,7 +32145,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32153,7 +32153,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32161,7 +32161,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32169,7 +32169,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32177,7 +32177,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32185,7 +32185,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32193,7 +32193,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32201,7 +32201,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32209,7 +32209,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32217,7 +32217,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32225,7 +32225,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32233,7 +32233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32241,7 +32241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32249,7 +32249,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32257,7 +32257,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32265,7 +32265,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32273,7 +32273,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32281,7 +32281,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32289,7 +32289,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32297,7 +32297,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32305,7 +32305,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32313,7 +32313,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32321,7 +32321,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32329,7 +32329,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32337,7 +32337,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32345,7 +32345,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32353,7 +32353,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32361,7 +32361,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32369,7 +32369,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32377,7 +32377,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32385,7 +32385,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32393,7 +32393,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32401,7 +32401,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32409,7 +32409,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32417,7 +32417,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32425,7 +32425,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32433,7 +32433,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32441,7 +32441,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32449,7 +32449,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32457,7 +32457,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32465,7 +32465,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32473,7 +32473,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32481,7 +32481,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32489,7 +32489,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32497,7 +32497,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32505,7 +32505,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32513,7 +32513,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32521,7 +32521,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32529,7 +32529,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32537,7 +32537,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32545,7 +32545,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32553,7 +32553,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32561,7 +32561,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32569,7 +32569,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32577,7 +32577,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32585,7 +32585,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32593,7 +32593,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32601,7 +32601,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32609,7 +32609,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32617,7 +32617,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32625,7 +32625,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32633,7 +32633,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32641,7 +32641,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32649,7 +32649,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32657,7 +32657,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32665,7 +32665,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32673,7 +32673,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32681,7 +32681,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32689,7 +32689,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32697,7 +32697,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32705,7 +32705,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32713,7 +32713,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32721,7 +32721,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32729,7 +32729,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32737,7 +32737,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32745,7 +32745,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32753,7 +32753,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32761,7 +32761,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32769,7 +32769,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32777,7 +32777,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32785,7 +32785,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32793,7 +32793,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32801,7 +32801,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32809,7 +32809,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32817,7 +32817,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32825,7 +32825,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32833,7 +32833,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32841,7 +32841,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32849,7 +32849,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32857,7 +32857,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32865,7 +32865,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32873,7 +32873,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32881,7 +32881,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32889,7 +32889,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32897,7 +32897,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32905,7 +32905,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32913,7 +32913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32921,7 +32921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32929,7 +32929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32937,7 +32937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32945,7 +32945,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32953,7 +32953,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32961,7 +32961,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32969,7 +32969,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32977,7 +32977,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32985,7 +32985,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32993,7 +32993,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33001,7 +33001,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33009,7 +33009,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33017,7 +33017,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33025,7 +33025,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33033,7 +33033,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33041,7 +33041,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33049,7 +33049,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33057,7 +33057,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33065,7 +33065,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33073,7 +33073,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33081,7 +33081,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33089,7 +33089,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33097,7 +33097,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Information System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33105,7 +33105,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33113,7 +33113,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33121,7 +33121,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33129,7 +33129,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Alerts, Advisories, And Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33137,7 +33137,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33145,7 +33145,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33153,7 +33153,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33161,7 +33161,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33169,7 +33169,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33177,7 +33177,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33185,7 +33185,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33193,7 +33193,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33201,7 +33201,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33209,7 +33209,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33217,7 +33217,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33225,7 +33225,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33233,7 +33233,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33241,7 +33241,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33249,7 +33249,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33257,7 +33257,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33265,7 +33265,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33273,7 +33273,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33281,7 +33281,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33289,7 +33289,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33297,7 +33297,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33305,7 +33305,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33313,7 +33313,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33321,7 +33321,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33329,7 +33329,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33337,7 +33337,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33345,7 +33345,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33353,7 +33353,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33361,7 +33361,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33369,7 +33369,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33377,7 +33377,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33385,7 +33385,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33393,7 +33393,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33401,7 +33401,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33409,7 +33409,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33417,7 +33417,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33425,7 +33425,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33433,7 +33433,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33441,7 +33441,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33449,7 +33449,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33457,7 +33457,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33465,7 +33465,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33473,7 +33473,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33481,7 +33481,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33489,7 +33489,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33497,7 +33497,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33505,7 +33505,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33513,7 +33513,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33521,7 +33521,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33529,7 +33529,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33537,7 +33537,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33545,7 +33545,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33553,7 +33553,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33561,7 +33561,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33569,7 +33569,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33577,7 +33577,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33585,7 +33585,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33593,7 +33593,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33601,7 +33601,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33609,7 +33609,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33617,7 +33617,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33625,7 +33625,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33633,7 +33633,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33641,7 +33641,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33649,7 +33649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33657,7 +33657,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33665,7 +33665,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33673,7 +33673,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33681,7 +33681,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33689,7 +33689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33697,7 +33697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33705,7 +33705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33713,7 +33713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33721,7 +33721,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33729,7 +33729,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33737,7 +33737,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33745,7 +33745,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33753,7 +33753,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33761,7 +33761,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33769,7 +33769,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33777,7 +33777,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33785,7 +33785,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33793,7 +33793,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33801,7 +33801,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33809,7 +33809,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33817,7 +33817,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33825,7 +33825,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33833,7 +33833,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33841,7 +33841,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33849,7 +33849,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33857,7 +33857,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33865,7 +33865,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33873,7 +33873,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33881,7 +33881,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33889,7 +33889,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33897,7 +33897,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33905,7 +33905,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33913,7 +33913,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33921,7 +33921,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33929,7 +33929,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33937,7 +33937,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33945,7 +33945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33953,7 +33953,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33961,7 +33961,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33969,7 +33969,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33977,7 +33977,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33985,7 +33985,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33993,7 +33993,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34001,7 +34001,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34009,7 +34009,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34017,7 +34017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34025,7 +34025,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34033,7 +34033,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34041,7 +34041,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34049,7 +34049,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34057,7 +34057,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34065,7 +34065,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34073,7 +34073,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34081,7 +34081,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34089,7 +34089,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34097,7 +34097,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34105,7 +34105,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34113,7 +34113,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34121,7 +34121,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34129,7 +34129,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34137,7 +34137,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34145,7 +34145,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34153,7 +34153,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34161,7 +34161,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34169,7 +34169,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34177,7 +34177,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34185,7 +34185,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34193,7 +34193,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34201,7 +34201,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34209,7 +34209,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34217,7 +34217,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34225,7 +34225,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34233,7 +34233,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34241,7 +34241,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34249,7 +34249,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34257,7 +34257,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34265,7 +34265,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34273,7 +34273,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34281,7 +34281,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34289,7 +34289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34297,7 +34297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34305,7 +34305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34313,7 +34313,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34321,7 +34321,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34329,7 +34329,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34337,7 +34337,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34345,7 +34345,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34353,7 +34353,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34361,7 +34361,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34369,7 +34369,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34377,7 +34377,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34385,7 +34385,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34393,7 +34393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34401,7 +34401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34409,7 +34409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34417,7 +34417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34425,7 +34425,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34433,7 +34433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34441,7 +34441,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34449,7 +34449,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34457,7 +34457,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34465,7 +34465,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34473,7 +34473,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34481,7 +34481,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34489,7 +34489,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34497,7 +34497,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34505,7 +34505,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34513,7 +34513,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Software, Firmware, And Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34521,7 +34521,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34529,7 +34529,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34537,7 +34537,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34545,7 +34545,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34553,7 +34553,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34561,7 +34561,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34569,7 +34569,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34577,7 +34577,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34585,7 +34585,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34593,7 +34593,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34601,7 +34601,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34609,7 +34609,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34617,7 +34617,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_attack_objects.csv
new file mode 100644
index 00000000..904350e9
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_attack_objects.csv
@@ -0,0 +1,4329 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1137,Office Application Startup,[],[],,AC-10,mitigates,2 +1,,T1137.002,Office Test,[],[],,AC-10,mitigates,2 +2,,T1528,Steal Application Access Token,[],[],,AC-10,mitigates,2 +3,,T1021.001,Remote Desktop Protocol,[],[],,AC-11,mitigates,2 +4,,T1563.002,RDP Hijacking,[],[],,AC-11,mitigates,2 +5,,T1021.001,Remote Desktop Protocol,[],[],,AC-12,mitigates,2 +6,,T1072,Software Deployment Tools,[],[],,AC-12,mitigates,2 +7,,T1563.002,RDP Hijacking,[],[],,AC-12,mitigates,2 +8,,T1137.002,Office Test,[],[],,AC-14,mitigates,2 +9,,T1003,OS Credential Dumping,[],[],,AC-16,mitigates,2 +10,,T1003.003,NTDS,[],[],,AC-16,mitigates,2 +11,,T1020.001,Traffic Duplication,[],[],,AC-16,mitigates,2 +12,,T1040,Network Sniffing,[],[],,AC-16,mitigates,2 +13,,T1070,Indicator Removal on Host,[],[],,AC-16,mitigates,2 +14,,T1070.001,Clear Windows Event Logs,[],[],,AC-16,mitigates,2 +15,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-16,mitigates,2 +16,,T1114,Email Collection,[],[],,AC-16,mitigates,2 +17,,T1114.001,Local Email Collection,[],[],,AC-16,mitigates,2 +18,,T1114.002,Remote Email Collection,[],[],,AC-16,mitigates,2 +19,,T1114.003,Email Forwarding Rule,[],[],,AC-16,mitigates,2 +20,,T1119,Automated Collection,[],[],,AC-16,mitigates,2 +21,,T1213,Data from Information Repositories,[],[],,AC-16,mitigates,2 +22,,T1213.001,Confluence,[],[],,AC-16,mitigates,2 +23,,T1213.002,Sharepoint,[],[],,AC-16,mitigates,2 +24,,T1222,File and Directory Permissions Modification,[],[],,AC-16,mitigates,2 +25,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-16,mitigates,2 +26,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-16,mitigates,2 +27,,T1530,Data from Cloud Storage Object,[],[],,AC-16,mitigates,2 +28,,T1537,Transfer Data to Cloud Account,[],[],,AC-16,mitigates,2 +29,,T1547.007,Re-opened 
Applications,[],[],,AC-16,mitigates,2 +30,,T1547.011,Plist Modification,[],[],,AC-16,mitigates,2 +31,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-16,mitigates,2 +32,,T1548.003,Sudo and Sudo Caching,[],[],,AC-16,mitigates,2 +33,,T1550.001,Application Access Token,[],[],,AC-16,mitigates,2 +34,,T1552,Unsecured Credentials,[],[],,AC-16,mitigates,2 +35,,T1552.004,Private Keys,[],[],,AC-16,mitigates,2 +36,,T1552.005,Cloud Instance Metadata API,[],[],,AC-16,mitigates,2 +37,,T1557,Man-in-the-Middle,[],[],,AC-16,mitigates,2 +38,,T1557.002,ARP Cache Poisoning,[],[],,AC-16,mitigates,2 +39,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-16,mitigates,2 +40,,T1558.002,Silver Ticket,[],[],,AC-16,mitigates,2 +41,,T1558.003,Kerberoasting,[],[],,AC-16,mitigates,2 +42,,T1558.004,AS-REP Roasting,[],[],,AC-16,mitigates,2 +43,,T1564.004,NTFS File Attributes,[],[],,AC-16,mitigates,2 +44,,T1565,Data Manipulation,[],[],,AC-16,mitigates,2 +45,,T1565.001,Stored Data Manipulation,[],[],,AC-16,mitigates,2 +46,,T1565.002,Transmitted Data Manipulation,[],[],,AC-16,mitigates,2 +47,,T1602,Data from Configuration Repository,[],[],,AC-16,mitigates,2 +48,,T1602.001,SNMP (MIB Dump),[],[],,AC-16,mitigates,2 +49,,T1602.002,Network Device Configuration Dump,[],[],,AC-16,mitigates,2 +50,,T1020.001,Traffic Duplication,[],[],,AC-17,mitigates,2 +51,,T1021,Remote Services,[],[],,AC-17,mitigates,2 +52,,T1021.001,Remote Desktop Protocol,[],[],,AC-17,mitigates,2 +53,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-17,mitigates,2 +54,,T1021.003,Distributed Component Object Model,[],[],,AC-17,mitigates,2 +55,,T1021.004,SSH,[],[],,AC-17,mitigates,2 +56,,T1021.005,VNC,[],[],,AC-17,mitigates,2 +57,,T1021.006,Windows Remote Management,[],[],,AC-17,mitigates,2 +58,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-17,mitigates,2 +59,,T1037.001,Logon Script (Windows),[],[],,AC-17,mitigates,2 +60,,T1040,Network Sniffing,[],[],,AC-17,mitigates,2 +61,,T1047,Windows Management Instrumentation,[],[],,AC-17,mitigates,2 
+62,,T1070,Indicator Removal on Host,[],[],,AC-17,mitigates,2 +63,,T1070.001,Clear Windows Event Logs,[],[],,AC-17,mitigates,2 +64,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-17,mitigates,2 +65,,T1114,Email Collection,[],[],,AC-17,mitigates,2 +66,,T1114.001,Local Email Collection,[],[],,AC-17,mitigates,2 +67,,T1114.002,Remote Email Collection,[],[],,AC-17,mitigates,2 +68,,T1114.003,Email Forwarding Rule,[],[],,AC-17,mitigates,2 +69,,T1119,Automated Collection,[],[],,AC-17,mitigates,2 +70,,T1133,External Remote Services,[],[],,AC-17,mitigates,2 +71,,T1137,Office Application Startup,[],[],,AC-17,mitigates,2 +72,,T1137.002,Office Test,[],[],,AC-17,mitigates,2 +73,,T1213,Data from Information Repositories,[],[],,AC-17,mitigates,2 +74,,T1213.001,Confluence,[],[],,AC-17,mitigates,2 +75,,T1213.002,Sharepoint,[],[],,AC-17,mitigates,2 +76,,T1219,Remote Access Software,[],[],,AC-17,mitigates,2 +77,,T1530,Data from Cloud Storage Object,[],[],,AC-17,mitigates,2 +78,,T1537,Transfer Data to Cloud Account,[],[],,AC-17,mitigates,2 +79,,T1543,Create or Modify System Process,[],[],,AC-17,mitigates,2 +80,,T1543.003,Windows Service,[],[],,AC-17,mitigates,2 +81,,T1547.003,Time Providers,[],[],,AC-17,mitigates,2 +82,,T1547.004,Winlogon Helper DLL,[],[],,AC-17,mitigates,2 +83,,T1547.009,Shortcut Modification,[],[],,AC-17,mitigates,2 +84,,T1547.011,Plist Modification,[],[],,AC-17,mitigates,2 +85,,T1547.012,Print Processors,[],[],,AC-17,mitigates,2 +86,,T1547.013,XDG Autostart Entries,[],[],,AC-17,mitigates,2 +87,,T1550.001,Application Access Token,[],[],,AC-17,mitigates,2 +88,,T1552,Unsecured Credentials,[],[],,AC-17,mitigates,2 +89,,T1552.002,Credentials in Registry,[],[],,AC-17,mitigates,2 +90,,T1552.004,Private Keys,[],[],,AC-17,mitigates,2 +91,,T1552.007,Container API,[],[],,AC-17,mitigates,2 +92,,T1557,Man-in-the-Middle,[],[],,AC-17,mitigates,2 +93,,T1557.002,ARP Cache Poisoning,[],[],,AC-17,mitigates,2 +94,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-17,mitigates,2 
+95,,T1558.002,Silver Ticket,[],[],,AC-17,mitigates,2 +96,,T1558.003,Kerberoasting,[],[],,AC-17,mitigates,2 +97,,T1558.004,AS-REP Roasting,[],[],,AC-17,mitigates,2 +98,,T1563,Remote Service Session Hijacking,[],[],,AC-17,mitigates,2 +99,,T1563.001,SSH Hijacking,[],[],,AC-17,mitigates,2 +100,,T1563.002,RDP Hijacking,[],[],,AC-17,mitigates,2 +101,,T1565,Data Manipulation,[],[],,AC-17,mitigates,2 +102,,T1565.001,Stored Data Manipulation,[],[],,AC-17,mitigates,2 +103,,T1565.002,Transmitted Data Manipulation,[],[],,AC-17,mitigates,2 +104,,T1602,Data from Configuration Repository,[],[],,AC-17,mitigates,2 +105,,T1602.001,SNMP (MIB Dump),[],[],,AC-17,mitigates,2 +106,,T1602.002,Network Device Configuration Dump,[],[],,AC-17,mitigates,2 +107,,T1609,Container Administration Command,[],[],,AC-17,mitigates,2 +108,,T1610,Deploy Container,[],[],,AC-17,mitigates,2 +109,,T1612,Build Image on Host,[],[],,AC-17,mitigates,2 +110,,T1613,Container and Resource Discovery,[],[],,AC-17,mitigates,2 +111,,T1011,Exfiltration Over Other Network Medium,[],[],,AC-18,mitigates,2 +112,,T1011.001,Exfiltration Over Bluetooth,[],[],,AC-18,mitigates,2 +113,,T1020.001,Traffic Duplication,[],[],,AC-18,mitigates,2 +114,,T1040,Network Sniffing,[],[],,AC-18,mitigates,2 +115,,T1070,Indicator Removal on Host,[],[],,AC-18,mitigates,2 +116,,T1070.001,Clear Windows Event Logs,[],[],,AC-18,mitigates,2 +117,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-18,mitigates,2 +118,,T1119,Automated Collection,[],[],,AC-18,mitigates,2 +119,,T1530,Data from Cloud Storage Object,[],[],,AC-18,mitigates,2 +120,,T1552,Unsecured Credentials,[],[],,AC-18,mitigates,2 +121,,T1552.004,Private Keys,[],[],,AC-18,mitigates,2 +122,,T1557,Man-in-the-Middle,[],[],,AC-18,mitigates,2 +123,,T1557.002,ARP Cache Poisoning,[],[],,AC-18,mitigates,2 +124,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-18,mitigates,2 +125,,T1558.002,Silver Ticket,[],[],,AC-18,mitigates,2 +126,,T1558.003,Kerberoasting,[],[],,AC-18,mitigates,2 
+127,,T1558.004,AS-REP Roasting,[],[],,AC-18,mitigates,2 +128,,T1565,Data Manipulation,[],[],,AC-18,mitigates,2 +129,,T1565.001,Stored Data Manipulation,[],[],,AC-18,mitigates,2 +130,,T1565.002,Transmitted Data Manipulation,[],[],,AC-18,mitigates,2 +131,,T1602,Data from Configuration Repository,[],[],,AC-18,mitigates,2 +132,,T1602.001,SNMP (MIB Dump),[],[],,AC-18,mitigates,2 +133,,T1602.002,Network Device Configuration Dump,[],[],,AC-18,mitigates,2 +134,,T1020.001,Traffic Duplication,[],[],,AC-19,mitigates,2 +135,,T1040,Network Sniffing,[],[],,AC-19,mitigates,2 +136,,T1070,Indicator Removal on Host,[],[],,AC-19,mitigates,2 +137,,T1070.001,Clear Windows Event Logs,[],[],,AC-19,mitigates,2 +138,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-19,mitigates,2 +139,,T1114,Email Collection,[],[],,AC-19,mitigates,2 +140,,T1114.001,Local Email Collection,[],[],,AC-19,mitigates,2 +141,,T1114.002,Remote Email Collection,[],[],,AC-19,mitigates,2 +142,,T1114.003,Email Forwarding Rule,[],[],,AC-19,mitigates,2 +143,,T1119,Automated Collection,[],[],,AC-19,mitigates,2 +144,,T1530,Data from Cloud Storage Object,[],[],,AC-19,mitigates,2 +145,,T1550.001,Application Access Token,[],[],,AC-19,mitigates,2 +146,,T1552,Unsecured Credentials,[],[],,AC-19,mitigates,2 +147,,T1552.004,Private Keys,[],[],,AC-19,mitigates,2 +148,,T1557,Man-in-the-Middle,[],[],,AC-19,mitigates,2 +149,,T1557.002,ARP Cache Poisoning,[],[],,AC-19,mitigates,2 +150,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-19,mitigates,2 +151,,T1558.002,Silver Ticket,[],[],,AC-19,mitigates,2 +152,,T1558.003,Kerberoasting,[],[],,AC-19,mitigates,2 +153,,T1558.004,AS-REP Roasting,[],[],,AC-19,mitigates,2 +154,,T1565,Data Manipulation,[],[],,AC-19,mitigates,2 +155,,T1565.001,Stored Data Manipulation,[],[],,AC-19,mitigates,2 +156,,T1565.002,Transmitted Data Manipulation,[],[],,AC-19,mitigates,2 +157,,T1602,Data from Configuration Repository,[],[],,AC-19,mitigates,2 +158,,T1602.001,SNMP (MIB Dump),[],[],,AC-19,mitigates,2 
+159,,T1602.002,Network Device Configuration Dump,[],[],,AC-19,mitigates,2 +160,,T1003,OS Credential Dumping,[],[],,AC-2,mitigates,2 +161,,T1003.001,LSASS Memory,[],[],,AC-2,mitigates,2 +162,,T1003.002,Security Account Manager,[],[],,AC-2,mitigates,2 +163,,T1003.003,NTDS,[],[],,AC-2,mitigates,2 +164,,T1003.004,LSA Secrets,[],[],,AC-2,mitigates,2 +165,,T1003.005,Cached Domain Credentials,[],[],,AC-2,mitigates,2 +166,,T1003.006,DCSync,[],[],,AC-2,mitigates,2 +167,,T1003.007,Proc Filesystem,[],[],,AC-2,mitigates,2 +168,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-2,mitigates,2 +169,,T1021,Remote Services,[],[],,AC-2,mitigates,2 +170,,T1021.001,Remote Desktop Protocol,[],[],,AC-2,mitigates,2 +171,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-2,mitigates,2 +172,,T1021.003,Distributed Component Object Model,[],[],,AC-2,mitigates,2 +173,,T1021.004,SSH,[],[],,AC-2,mitigates,2 +174,,T1021.005,VNC,[],[],,AC-2,mitigates,2 +175,,T1021.006,Windows Remote Management,[],[],,AC-2,mitigates,2 +176,,T1036,Masquerading,[],[],,AC-2,mitigates,2 +177,,T1036.003,Rename System Utilities,[],[],,AC-2,mitigates,2 +178,,T1036.005,Match Legitimate Name or Location,[],[],,AC-2,mitigates,2 +179,,T1047,Windows Management Instrumentation,[],[],,AC-2,mitigates,2 +180,,T1053,Scheduled Task/Job,[],[],,AC-2,mitigates,2 +181,,T1053.001,At (Linux),[],[],,AC-2,mitigates,2 +182,,T1053.002,At (Windows),[],[],,AC-2,mitigates,2 +183,,T1053.003,Cron,[],[],,AC-2,mitigates,2 +184,,T1053.004,Launchd,[],[],,AC-2,mitigates,2 +185,,T1053.005,Scheduled Task,[],[],,AC-2,mitigates,2 +186,,T1053.006,Systemd Timers,[],[],,AC-2,mitigates,2 +187,,T1053.007,Container Orchestration Job,[],[],,AC-2,mitigates,2 +188,,T1055,Process Injection,[],[],,AC-2,mitigates,2 +189,,T1055.008,Ptrace System Calls,[],[],,AC-2,mitigates,2 +190,,T1056.003,Web Portal Capture,[],[],,AC-2,mitigates,2 +191,,T1059,Command and Scripting Interpreter,[],[],,AC-2,mitigates,2 +192,,T1059.001,PowerShell,[],[],,AC-2,mitigates,2 
+193,,T1059.008,Network Device CLI,[],[],,AC-2,mitigates,2 +194,,T1068,Exploitation for Privilege Escalation,[],[],,AC-2,mitigates,2 +195,,T1070,Indicator Removal on Host,[],[],,AC-2,mitigates,2 +196,,T1070.001,Clear Windows Event Logs,[],[],,AC-2,mitigates,2 +197,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-2,mitigates,2 +198,,T1070.003,Clear Command History,[],[],,AC-2,mitigates,2 +199,,T1072,Software Deployment Tools,[],[],,AC-2,mitigates,2 +200,,T1078,Valid Accounts,[],[],,AC-2,mitigates,2 +201,,T1078.001,Default Accounts,[],[],,AC-2,mitigates,2 +202,,T1078.002,Domain Accounts,[],[],,AC-2,mitigates,2 +203,,T1078.003,Local Accounts,[],[],,AC-2,mitigates,2 +204,,T1078.004,Cloud Accounts,[],[],,AC-2,mitigates,2 +205,,T1087.004,Cloud Account,[],[],,AC-2,mitigates,2 +206,,T1098,Account Manipulation,[],[],,AC-2,mitigates,2 +207,,T1098.001,Additional Cloud Credentials,[],[],,AC-2,mitigates,2 +208,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-2,mitigates,2 +209,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-2,mitigates,2 +210,,T1110,Brute Force,[],[],,AC-2,mitigates,2 +211,,T1110.001,Password Guessing,[],[],,AC-2,mitigates,2 +212,,T1110.002,Password Cracking,[],[],,AC-2,mitigates,2 +213,,T1110.003,Password Spraying,[],[],,AC-2,mitigates,2 +214,,T1110.004,Credential Stuffing,[],[],,AC-2,mitigates,2 +215,,T1134,Access Token Manipulation,[],[],,AC-2,mitigates,2 +216,,T1134.001,Token Impersonation/Theft,[],[],,AC-2,mitigates,2 +217,,T1134.002,Create Process with Token,[],[],,AC-2,mitigates,2 +218,,T1134.003,Make and Impersonate Token,[],[],,AC-2,mitigates,2 +219,,T1136,Create Account,[],[],,AC-2,mitigates,2 +220,,T1136.001,Local Account,[],[],,AC-2,mitigates,2 +221,,T1136.002,Domain Account,[],[],,AC-2,mitigates,2 +222,,T1136.003,Cloud Account,[],[],,AC-2,mitigates,2 +223,,T1185,Man in the Browser,[],[],,AC-2,mitigates,2 +224,,T1190,Exploit Public-Facing Application,[],[],,AC-2,mitigates,2 +225,,T1197,BITS Jobs,[],[],,AC-2,mitigates,2 
+226,,T1210,Exploitation of Remote Services,[],[],,AC-2,mitigates,2 +227,,T1212,Exploitation for Credential Access,[],[],,AC-2,mitigates,2 +228,,T1213,Data from Information Repositories,[],[],,AC-2,mitigates,2 +229,,T1213.001,Confluence,[],[],,AC-2,mitigates,2 +230,,T1213.002,Sharepoint,[],[],,AC-2,mitigates,2 +231,,T1218,Signed Binary Proxy Execution,[],[],,AC-2,mitigates,2 +232,,T1218.007,Msiexec,[],[],,AC-2,mitigates,2 +233,,T1222,File and Directory Permissions Modification,[],[],,AC-2,mitigates,2 +234,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-2,mitigates,2 +235,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-2,mitigates,2 +236,,T1484,Domain Policy Modification,[],[],,AC-2,mitigates,2 +237,,T1489,Service Stop,[],[],,AC-2,mitigates,2 +238,,T1495,Firmware Corruption,[],[],,AC-2,mitigates,2 +239,,T1505,Server Software Component,[],[],,AC-2,mitigates,2 +240,,T1505.001,SQL Stored Procedures,[],[],,AC-2,mitigates,2 +241,,T1505.002,Transport Agent,[],[],,AC-2,mitigates,2 +242,,T1525,Implant Internal Image,[],[],,AC-2,mitigates,2 +243,,T1528,Steal Application Access Token,[],[],,AC-2,mitigates,2 +244,,T1530,Data from Cloud Storage Object,[],[],,AC-2,mitigates,2 +245,,T1537,Transfer Data to Cloud Account,[],[],,AC-2,mitigates,2 +246,,T1538,Cloud Service Dashboard,[],[],,AC-2,mitigates,2 +247,,T1542,Pre-OS Boot,[],[],,AC-2,mitigates,2 +248,,T1542.001,System Firmware,[],[],,AC-2,mitigates,2 +249,,T1542.003,Bootkit,[],[],,AC-2,mitigates,2 +250,,T1542.005,TFTP Boot,[],[],,AC-2,mitigates,2 +251,,T1543,Create or Modify System Process,[],[],,AC-2,mitigates,2 +252,,T1543.001,Launch Agent,[],[],,AC-2,mitigates,2 +253,,T1543.002,Systemd Service,[],[],,AC-2,mitigates,2 +254,,T1543.003,Windows Service,[],[],,AC-2,mitigates,2 +255,,T1543.004,Launch Daemon,[],[],,AC-2,mitigates,2 +256,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-2,mitigates,2 +257,,T1547.004,Winlogon Helper 
DLL,[],[],,AC-2,mitigates,2 +258,,T1547.006,Kernel Modules and Extensions,[],[],,AC-2,mitigates,2 +259,,T1547.009,Shortcut Modification,[],[],,AC-2,mitigates,2 +260,,T1547.012,Print Processors,[],[],,AC-2,mitigates,2 +261,,T1547.013,XDG Autostart Entries,[],[],,AC-2,mitigates,2 +262,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-2,mitigates,2 +263,,T1548.002,Bypass User Account Control,[],[],,AC-2,mitigates,2 +264,,T1548.003,Sudo and Sudo Caching,[],[],,AC-2,mitigates,2 +265,,T1550,Use Alternate Authentication Material,[],[],,AC-2,mitigates,2 +266,,T1550.002,Pass the Hash,[],[],,AC-2,mitigates,2 +267,,T1550.003,Pass the Ticket,[],[],,AC-2,mitigates,2 +268,,T1552,Unsecured Credentials,[],[],,AC-2,mitigates,2 +269,,T1552.001,Credentials In Files,[],[],,AC-2,mitigates,2 +270,,T1552.002,Credentials in Registry,[],[],,AC-2,mitigates,2 +271,,T1552.004,Private Keys,[],[],,AC-2,mitigates,2 +272,,T1552.006,Group Policy Preferences,[],[],,AC-2,mitigates,2 +273,,T1552.007,Container API,[],[],,AC-2,mitigates,2 +274,,T1553,Subvert Trust Controls,[],[],,AC-2,mitigates,2 +275,,T1553.006,Code Signing Policy Modification,[],[],,AC-2,mitigates,2 +276,,T1556,Modify Authentication Process,[],[],,AC-2,mitigates,2 +277,,T1556.001,Domain Controller Authentication,[],[],,AC-2,mitigates,2 +278,,T1556.003,Pluggable Authentication Modules,[],[],,AC-2,mitigates,2 +279,,T1556.004,Network Device Authentication,[],[],,AC-2,mitigates,2 +280,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-2,mitigates,2 +281,,T1558.001,Golden Ticket,[],[],,AC-2,mitigates,2 +282,,T1558.002,Silver Ticket,[],[],,AC-2,mitigates,2 +283,,T1558.003,Kerberoasting,[],[],,AC-2,mitigates,2 +284,,T1558.004,AS-REP Roasting,[],[],,AC-2,mitigates,2 +285,,T1559,Inter-Process Communication,[],[],,AC-2,mitigates,2 +286,,T1559.001,Component Object Model,[],[],,AC-2,mitigates,2 +287,,T1562,Impair Defenses,[],[],,AC-2,mitigates,2 +288,,T1562.001,Disable or Modify Tools,[],[],,AC-2,mitigates,2 +289,,T1562.002,Disable Windows Event 
Logging,[],[],,AC-2,mitigates,2 +290,,T1562.004,Disable or Modify System Firewall,[],[],,AC-2,mitigates,2 +291,,T1562.006,Indicator Blocking,[],[],,AC-2,mitigates,2 +292,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-2,mitigates,2 +293,,T1562.008,Disable Cloud Logs,[],[],,AC-2,mitigates,2 +294,,T1563,Remote Service Session Hijacking,[],[],,AC-2,mitigates,2 +295,,T1563.001,SSH Hijacking,[],[],,AC-2,mitigates,2 +296,,T1563.002,RDP Hijacking,[],[],,AC-2,mitigates,2 +297,,T1569,System Services,[],[],,AC-2,mitigates,2 +298,,T1569.001,Launchctl,[],[],,AC-2,mitigates,2 +299,,T1569.002,Service Execution,[],[],,AC-2,mitigates,2 +300,,T1574,Hijack Execution Flow,[],[],,AC-2,mitigates,2 +301,,T1574.004,Dylib Hijacking,[],[],,AC-2,mitigates,2 +302,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-2,mitigates,2 +303,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-2,mitigates,2 +304,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-2,mitigates,2 +305,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-2,mitigates,2 +306,,T1574.010,Services File Permissions Weakness,[],[],,AC-2,mitigates,2 +307,,T1574.012,COR_PROFILER,[],[],,AC-2,mitigates,2 +308,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-2,mitigates,2 +309,,T1578.001,Create Snapshot,[],[],,AC-2,mitigates,2 +310,,T1578.002,Create Cloud Instance,[],[],,AC-2,mitigates,2 +311,,T1578.003,Delete Cloud Instance,[],[],,AC-2,mitigates,2 +312,,T1580,Cloud Infrastructure Discovery,[],[],,AC-2,mitigates,2 +313,,T1599,Network Boundary Bridging,[],[],,AC-2,mitigates,2 +314,,T1599.001,Network Address Translation Traversal,[],[],,AC-2,mitigates,2 +315,,T1601,Modify System Image,[],[],,AC-2,mitigates,2 +316,,T1601.001,Patch System Image,[],[],,AC-2,mitigates,2 +317,,T1601.002,Downgrade System Image,[],[],,AC-2,mitigates,2 +318,,T1609,Container Administration Command,[],[],,AC-2,mitigates,2 +319,,T1610,Deploy Container,[],[],,AC-2,mitigates,2 +320,,T1611,Escape to 
Host,[],[],,AC-2,mitigates,2 +321,,T1612,Build Image on Host,[],[],,AC-2,mitigates,2 +322,,T1613,Container and Resource Discovery,[],[],,AC-2,mitigates,2 +323,,T1020.001,Traffic Duplication,[],[],,AC-20,mitigates,2 +324,,T1021,Remote Services,[],[],,AC-20,mitigates,2 +325,,T1021.001,Remote Desktop Protocol,[],[],,AC-20,mitigates,2 +326,,T1021.004,SSH,[],[],,AC-20,mitigates,2 +327,,T1053,Scheduled Task/Job,[],[],,AC-20,mitigates,2 +328,,T1053.002,At (Windows),[],[],,AC-20,mitigates,2 +329,,T1053.005,Scheduled Task,[],[],,AC-20,mitigates,2 +330,,T1072,Software Deployment Tools,[],[],,AC-20,mitigates,2 +331,,T1078.002,Domain Accounts,[],[],,AC-20,mitigates,2 +332,,T1078.004,Cloud Accounts,[],[],,AC-20,mitigates,2 +333,,T1098.001,Additional Cloud Credentials,[],[],,AC-20,mitigates,2 +334,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-20,mitigates,2 +335,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-20,mitigates,2 +336,,T1110,Brute Force,[],[],,AC-20,mitigates,2 +337,,T1110.001,Password Guessing,[],[],,AC-20,mitigates,2 +338,,T1110.002,Password Cracking,[],[],,AC-20,mitigates,2 +339,,T1110.003,Password Spraying,[],[],,AC-20,mitigates,2 +340,,T1110.004,Credential Stuffing,[],[],,AC-20,mitigates,2 +341,,T1114,Email Collection,[],[],,AC-20,mitigates,2 +342,,T1114.001,Local Email Collection,[],[],,AC-20,mitigates,2 +343,,T1114.002,Remote Email Collection,[],[],,AC-20,mitigates,2 +344,,T1114.003,Email Forwarding Rule,[],[],,AC-20,mitigates,2 +345,,T1119,Automated Collection,[],[],,AC-20,mitigates,2 +346,,T1133,External Remote Services,[],[],,AC-20,mitigates,2 +347,,T1134.005,SID-History Injection,[],[],,AC-20,mitigates,2 +348,,T1136,Create Account,[],[],,AC-20,mitigates,2 +349,,T1136.001,Local Account,[],[],,AC-20,mitigates,2 +350,,T1136.002,Domain Account,[],[],,AC-20,mitigates,2 +351,,T1136.003,Cloud Account,[],[],,AC-20,mitigates,2 +352,,T1200,Hardware Additions,[],[],,AC-20,mitigates,2 +353,,T1530,Data from Cloud Storage 
Object,[],[],,AC-20,mitigates,2 +354,,T1537,Transfer Data to Cloud Account,[],[],,AC-20,mitigates,2 +355,,T1539,Steal Web Session Cookie,[],[],,AC-20,mitigates,2 +356,,T1550.001,Application Access Token,[],[],,AC-20,mitigates,2 +357,,T1552,Unsecured Credentials,[],[],,AC-20,mitigates,2 +358,,T1552.004,Private Keys,[],[],,AC-20,mitigates,2 +359,,T1552.005,Cloud Instance Metadata API,[],[],,AC-20,mitigates,2 +360,,T1556,Modify Authentication Process,[],[],,AC-20,mitigates,2 +361,,T1556.001,Domain Controller Authentication,[],[],,AC-20,mitigates,2 +362,,T1556.003,Pluggable Authentication Modules,[],[],,AC-20,mitigates,2 +363,,T1556.004,Network Device Authentication,[],[],,AC-20,mitigates,2 +364,,T1557,Man-in-the-Middle,[],[],,AC-20,mitigates,2 +365,,T1557.002,ARP Cache Poisoning,[],[],,AC-20,mitigates,2 +366,,T1565,Data Manipulation,[],[],,AC-20,mitigates,2 +367,,T1565.001,Stored Data Manipulation,[],[],,AC-20,mitigates,2 +368,,T1565.002,Transmitted Data Manipulation,[],[],,AC-20,mitigates,2 +369,,T1567,Exfiltration Over Web Service,[],[],,AC-20,mitigates,2 +370,,T1567.001,Exfiltration to Code Repository,[],[],,AC-20,mitigates,2 +371,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-20,mitigates,2 +372,,T1602,Data from Configuration Repository,[],[],,AC-20,mitigates,2 +373,,T1602.001,SNMP (MIB Dump),[],[],,AC-20,mitigates,2 +374,,T1602.002,Network Device Configuration Dump,[],[],,AC-20,mitigates,2 +375,,T1053,Scheduled Task/Job,[],[],,AC-21,mitigates,2 +376,,T1053.002,At (Windows),[],[],,AC-21,mitigates,2 +377,,T1053.005,Scheduled Task,[],[],,AC-21,mitigates,2 +378,,T1213,Data from Information Repositories,[],[],,AC-21,mitigates,2 +379,,T1213.001,Confluence,[],[],,AC-21,mitigates,2 +380,,T1213.002,Sharepoint,[],[],,AC-21,mitigates,2 +381,,T1053,Scheduled Task/Job,[],[],,AC-22,mitigates,2 +382,,T1053.002,At (Windows),[],[],,AC-22,mitigates,2 +383,,T1053.005,Scheduled Task,[],[],,AC-22,mitigates,2 +384,,T1053,Scheduled Task/Job,[],[],,AC-23,mitigates,2 
+385,,T1053.002,At (Windows),[],[],,AC-23,mitigates,2 +386,,T1053.005,Scheduled Task,[],[],,AC-23,mitigates,2 +387,,T1133,External Remote Services,[],[],,AC-23,mitigates,2 +388,,T1213,Data from Information Repositories,[],[],,AC-23,mitigates,2 +389,,T1213.001,Confluence,[],[],,AC-23,mitigates,2 +390,,T1213.002,Sharepoint,[],[],,AC-23,mitigates,2 +391,,T1552.007,Container API,[],[],,AC-23,mitigates,2 +392,,T1053,Scheduled Task/Job,[],[],,AC-24,mitigates,2 +393,,T1053.002,At (Windows),[],[],,AC-24,mitigates,2 +394,,T1053.005,Scheduled Task,[],[],,AC-24,mitigates,2 +395,,T1053,Scheduled Task/Job,[],[],,AC-25,mitigates,2 +396,,T1053.002,At (Windows),[],[],,AC-25,mitigates,2 +397,,T1053.005,Scheduled Task,[],[],,AC-25,mitigates,2 +398,,T1003,OS Credential Dumping,[],[],,AC-3,mitigates,2 +399,,T1003.001,LSASS Memory,[],[],,AC-3,mitigates,2 +400,,T1003.002,Security Account Manager,[],[],,AC-3,mitigates,2 +401,,T1003.003,NTDS,[],[],,AC-3,mitigates,2 +402,,T1003.004,LSA Secrets,[],[],,AC-3,mitigates,2 +403,,T1003.005,Cached Domain Credentials,[],[],,AC-3,mitigates,2 +404,,T1003.006,DCSync,[],[],,AC-3,mitigates,2 +405,,T1003.007,Proc Filesystem,[],[],,AC-3,mitigates,2 +406,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-3,mitigates,2 +407,,T1021,Remote Services,[],[],,AC-3,mitigates,2 +408,,T1021.001,Remote Desktop Protocol,[],[],,AC-3,mitigates,2 +409,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-3,mitigates,2 +410,,T1021.003,Distributed Component Object Model,[],[],,AC-3,mitigates,2 +411,,T1021.004,SSH,[],[],,AC-3,mitigates,2 +412,,T1021.005,VNC,[],[],,AC-3,mitigates,2 +413,,T1021.006,Windows Remote Management,[],[],,AC-3,mitigates,2 +414,,T1036,Masquerading,[],[],,AC-3,mitigates,2 +415,,T1036.003,Rename System Utilities,[],[],,AC-3,mitigates,2 +416,,T1036.005,Match Legitimate Name or Location,[],[],,AC-3,mitigates,2 +417,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-3,mitigates,2 +418,,T1037.002,Logon Script (Mac),[],[],,AC-3,mitigates,2 +419,,T1037.003,Network 
Logon Script,[],[],,AC-3,mitigates,2 +420,,T1037.004,RC Scripts,[],[],,AC-3,mitigates,2 +421,,T1037.005,Startup Items,[],[],,AC-3,mitigates,2 +422,,T1047,Windows Management Instrumentation,[],[],,AC-3,mitigates,2 +423,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-3,mitigates,2 +424,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,2 +425,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,2 +426,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-3,mitigates,2 +427,,T1052,Exfiltration Over Physical Medium,[],[],,AC-3,mitigates,2 +428,,T1052.001,Exfiltration over USB,[],[],,AC-3,mitigates,2 +429,,T1053,Scheduled Task/Job,[],[],,AC-3,mitigates,2 +430,,T1053.001,At (Linux),[],[],,AC-3,mitigates,2 +431,,T1053.002,At (Windows),[],[],,AC-3,mitigates,2 +432,,T1053.003,Cron,[],[],,AC-3,mitigates,2 +433,,T1053.004,Launchd,[],[],,AC-3,mitigates,2 +434,,T1053.005,Scheduled Task,[],[],,AC-3,mitigates,2 +435,,T1053.006,Systemd Timers,[],[],,AC-3,mitigates,2 +436,,T1053.007,Container Orchestration Job,[],[],,AC-3,mitigates,2 +437,,T1055,Process Injection,[],[],,AC-3,mitigates,2 +438,,T1055.008,Ptrace System Calls,[],[],,AC-3,mitigates,2 +439,,T1055.009,Proc Memory,[],[],,AC-3,mitigates,2 +440,,T1056.003,Web Portal Capture,[],[],,AC-3,mitigates,2 +441,,T1059,Command and Scripting Interpreter,[],[],,AC-3,mitigates,2 +442,,T1059.001,PowerShell,[],[],,AC-3,mitigates,2 +443,,T1059.008,Network Device CLI,[],[],,AC-3,mitigates,2 +444,,T1070,Indicator Removal on Host,[],[],,AC-3,mitigates,2 +445,,T1070.001,Clear Windows Event Logs,[],[],,AC-3,mitigates,2 +446,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-3,mitigates,2 +447,,T1070.003,Clear Command History,[],[],,AC-3,mitigates,2 +448,,T1071.004,DNS,[],[],,AC-3,mitigates,2 +449,,T1072,Software Deployment Tools,[],[],,AC-3,mitigates,2 +450,,T1078,Valid Accounts,[],[],,AC-3,mitigates,2 +451,,T1078.002,Domain 
Accounts,[],[],,AC-3,mitigates,2 +452,,T1078.003,Local Accounts,[],[],,AC-3,mitigates,2 +453,,T1078.004,Cloud Accounts,[],[],,AC-3,mitigates,2 +454,,T1080,Taint Shared Content,[],[],,AC-3,mitigates,2 +455,,T1087.004,Cloud Account,[],[],,AC-3,mitigates,2 +456,,T1090,Proxy,[],[],,AC-3,mitigates,2 +457,,T1090.003,Multi-hop Proxy,[],[],,AC-3,mitigates,2 +458,,T1091,Replication Through Removable Media,[],[],,AC-3,mitigates,2 +459,,T1095,Non-Application Layer Protocol,[],[],,AC-3,mitigates,2 +460,,T1098,Account Manipulation,[],[],,AC-3,mitigates,2 +461,,T1098.001,Additional Cloud Credentials,[],[],,AC-3,mitigates,2 +462,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-3,mitigates,2 +463,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-3,mitigates,2 +464,,T1098.004,SSH Authorized Keys,[],[],,AC-3,mitigates,2 +465,,T1110,Brute Force,[],[],,AC-3,mitigates,2 +466,,T1110.001,Password Guessing,[],[],,AC-3,mitigates,2 +467,,T1110.002,Password Cracking,[],[],,AC-3,mitigates,2 +468,,T1110.003,Password Spraying,[],[],,AC-3,mitigates,2 +469,,T1110.004,Credential Stuffing,[],[],,AC-3,mitigates,2 +470,,T1114,Email Collection,[],[],,AC-3,mitigates,2 +471,,T1114.002,Remote Email Collection,[],[],,AC-3,mitigates,2 +472,,T1133,External Remote Services,[],[],,AC-3,mitigates,2 +473,,T1134,Access Token Manipulation,[],[],,AC-3,mitigates,2 +474,,T1134.001,Token Impersonation/Theft,[],[],,AC-3,mitigates,2 +475,,T1134.002,Create Process with Token,[],[],,AC-3,mitigates,2 +476,,T1134.003,Make and Impersonate Token,[],[],,AC-3,mitigates,2 +477,,T1134.005,SID-History Injection,[],[],,AC-3,mitigates,2 +478,,T1136,Create Account,[],[],,AC-3,mitigates,2 +479,,T1136.001,Local Account,[],[],,AC-3,mitigates,2 +480,,T1136.002,Domain Account,[],[],,AC-3,mitigates,2 +481,,T1136.003,Cloud Account,[],[],,AC-3,mitigates,2 +482,,T1185,Man in the Browser,[],[],,AC-3,mitigates,2 +483,,T1187,Forced Authentication,[],[],,AC-3,mitigates,2 +484,,T1190,Exploit Public-Facing 
Application,[],[],,AC-3,mitigates,2 +485,,T1197,BITS Jobs,[],[],,AC-3,mitigates,2 +486,,T1199,Trusted Relationship,[],[],,AC-3,mitigates,2 +487,,T1200,Hardware Additions,[],[],,AC-3,mitigates,2 +488,,T1205,Traffic Signaling,[],[],,AC-3,mitigates,2 +489,,T1205.001,Port Knocking,[],[],,AC-3,mitigates,2 +490,,T1210,Exploitation of Remote Services,[],[],,AC-3,mitigates,2 +491,,T1213,Data from Information Repositories,[],[],,AC-3,mitigates,2 +492,,T1213.001,Confluence,[],[],,AC-3,mitigates,2 +493,,T1213.002,Sharepoint,[],[],,AC-3,mitigates,2 +494,,T1218,Signed Binary Proxy Execution,[],[],,AC-3,mitigates,2 +495,,T1218.002,Control Panel,[],[],,AC-3,mitigates,2 +496,,T1218.007,Msiexec,[],[],,AC-3,mitigates,2 +497,,T1218.012,Verclsid,[],[],,AC-3,mitigates,2 +498,,T1219,Remote Access Software,[],[],,AC-3,mitigates,2 +499,,T1222,File and Directory Permissions Modification,[],[],,AC-3,mitigates,2 +500,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-3,mitigates,2 +501,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-3,mitigates,2 +502,,T1484,Domain Policy Modification,[],[],,AC-3,mitigates,2 +503,,T1485,Data Destruction,[],[],,AC-3,mitigates,2 +504,,T1486,Data Encrypted for Impact,[],[],,AC-3,mitigates,2 +505,,T1489,Service Stop,[],[],,AC-3,mitigates,2 +506,,T1490,Inhibit System Recovery,[],[],,AC-3,mitigates,2 +507,,T1491,Defacement,[],[],,AC-3,mitigates,2 +508,,T1491.001,Internal Defacement,[],[],,AC-3,mitigates,2 +509,,T1491.002,External Defacement,[],[],,AC-3,mitigates,2 +510,,T1495,Firmware Corruption,[],[],,AC-3,mitigates,2 +511,,T1498,Network Denial of Service,[],[],,AC-3,mitigates,2 +512,,T1498.001,Direct Network Flood,[],[],,AC-3,mitigates,2 +513,,T1498.002,Reflection Amplification,[],[],,AC-3,mitigates,2 +514,,T1499,Endpoint Denial of Service,[],[],,AC-3,mitigates,2 +515,,T1499.001,OS Exhaustion Flood,[],[],,AC-3,mitigates,2 +516,,T1499.002,Service Exhaustion Flood,[],[],,AC-3,mitigates,2 
+517,,T1499.003,Application Exhaustion Flood,[],[],,AC-3,mitigates,2 +518,,T1499.004,Application or System Exploitation,[],[],,AC-3,mitigates,2 +519,,T1505,Server Software Component,[],[],,AC-3,mitigates,2 +520,,T1505.001,SQL Stored Procedures,[],[],,AC-3,mitigates,2 +521,,T1505.002,Transport Agent,[],[],,AC-3,mitigates,2 +522,,T1525,Implant Internal Image,[],[],,AC-3,mitigates,2 +523,,T1528,Steal Application Access Token,[],[],,AC-3,mitigates,2 +524,,T1530,Data from Cloud Storage Object,[],[],,AC-3,mitigates,2 +525,,T1537,Transfer Data to Cloud Account,[],[],,AC-3,mitigates,2 +526,,T1538,Cloud Service Dashboard,[],[],,AC-3,mitigates,2 +527,,T1539,Steal Web Session Cookie,[],[],,AC-3,mitigates,2 +528,,T1542,Pre-OS Boot,[],[],,AC-3,mitigates,2 +529,,T1542.001,System Firmware,[],[],,AC-3,mitigates,2 +530,,T1542.003,Bootkit,[],[],,AC-3,mitigates,2 +531,,T1542.004,ROMMONkit,[],[],,AC-3,mitigates,2 +532,,T1542.005,TFTP Boot,[],[],,AC-3,mitigates,2 +533,,T1543,Create or Modify System Process,[],[],,AC-3,mitigates,2 +534,,T1543.001,Launch Agent,[],[],,AC-3,mitigates,2 +535,,T1543.002,Systemd Service,[],[],,AC-3,mitigates,2 +536,,T1543.003,Windows Service,[],[],,AC-3,mitigates,2 +537,,T1543.004,Launch Daemon,[],[],,AC-3,mitigates,2 +538,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-3,mitigates,2 +539,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-3,mitigates,2 +540,,T1546.013,PowerShell Profile,[],[],,AC-3,mitigates,2 +541,,T1547.003,Time Providers,[],[],,AC-3,mitigates,2 +542,,T1547.004,Winlogon Helper DLL,[],[],,AC-3,mitigates,2 +543,,T1547.006,Kernel Modules and Extensions,[],[],,AC-3,mitigates,2 +544,,T1547.007,Re-opened Applications,[],[],,AC-3,mitigates,2 +545,,T1547.009,Shortcut Modification,[],[],,AC-3,mitigates,2 +546,,T1547.011,Plist Modification,[],[],,AC-3,mitigates,2 +547,,T1547.012,Print Processors,[],[],,AC-3,mitigates,2 +548,,T1547.013,XDG Autostart Entries,[],[],,AC-3,mitigates,2 +549,,T1548,Abuse Elevation Control 
Mechanism,[],[],,AC-3,mitigates,2 +550,,T1548.002,Bypass User Account Control,[],[],,AC-3,mitigates,2 +551,,T1548.003,Sudo and Sudo Caching,[],[],,AC-3,mitigates,2 +552,,T1550,Use Alternate Authentication Material,[],[],,AC-3,mitigates,2 +553,,T1550.002,Pass the Hash,[],[],,AC-3,mitigates,2 +554,,T1550.003,Pass the Ticket,[],[],,AC-3,mitigates,2 +555,,T1552,Unsecured Credentials,[],[],,AC-3,mitigates,2 +556,,T1552.002,Credentials in Registry,[],[],,AC-3,mitigates,2 +557,,T1552.005,Cloud Instance Metadata API,[],[],,AC-3,mitigates,2 +558,,T1552.007,Container API,[],[],,AC-3,mitigates,2 +559,,T1553,Subvert Trust Controls,[],[],,AC-3,mitigates,2 +560,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-3,mitigates,2 +561,,T1553.006,Code Signing Policy Modification,[],[],,AC-3,mitigates,2 +562,,T1556,Modify Authentication Process,[],[],,AC-3,mitigates,2 +563,,T1556.001,Domain Controller Authentication,[],[],,AC-3,mitigates,2 +564,,T1556.003,Pluggable Authentication Modules,[],[],,AC-3,mitigates,2 +565,,T1556.004,Network Device Authentication,[],[],,AC-3,mitigates,2 +566,,T1557,Man-in-the-Middle,[],[],,AC-3,mitigates,2 +567,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-3,mitigates,2 +568,,T1557.002,ARP Cache Poisoning,[],[],,AC-3,mitigates,2 +569,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-3,mitigates,2 +570,,T1558.001,Golden Ticket,[],[],,AC-3,mitigates,2 +571,,T1558.002,Silver Ticket,[],[],,AC-3,mitigates,2 +572,,T1558.003,Kerberoasting,[],[],,AC-3,mitigates,2 +573,,T1558.004,AS-REP Roasting,[],[],,AC-3,mitigates,2 +574,,T1559,Inter-Process Communication,[],[],,AC-3,mitigates,2 +575,,T1559.001,Component Object Model,[],[],,AC-3,mitigates,2 +576,,T1561,Disk Wipe,[],[],,AC-3,mitigates,2 +577,,T1561.001,Disk Content Wipe,[],[],,AC-3,mitigates,2 +578,,T1561.002,Disk Structure Wipe,[],[],,AC-3,mitigates,2 +579,,T1562,Impair Defenses,[],[],,AC-3,mitigates,2 +580,,T1562.001,Disable or Modify Tools,[],[],,AC-3,mitigates,2 +581,,T1562.002,Disable Windows 
Event Logging,[],[],,AC-3,mitigates,2 +582,,T1562.004,Disable or Modify System Firewall,[],[],,AC-3,mitigates,2 +583,,T1562.006,Indicator Blocking,[],[],,AC-3,mitigates,2 +584,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-3,mitigates,2 +585,,T1562.008,Disable Cloud Logs,[],[],,AC-3,mitigates,2 +586,,T1563,Remote Service Session Hijacking,[],[],,AC-3,mitigates,2 +587,,T1563.001,SSH Hijacking,[],[],,AC-3,mitigates,2 +588,,T1563.002,RDP Hijacking,[],[],,AC-3,mitigates,2 +589,,T1564.004,NTFS File Attributes,[],[],,AC-3,mitigates,2 +590,,T1565,Data Manipulation,[],[],,AC-3,mitigates,2 +591,,T1565.001,Stored Data Manipulation,[],[],,AC-3,mitigates,2 +592,,T1565.003,Runtime Data Manipulation,[],[],,AC-3,mitigates,2 +593,,T1569,System Services,[],[],,AC-3,mitigates,2 +594,,T1569.001,Launchctl,[],[],,AC-3,mitigates,2 +595,,T1569.002,Service Execution,[],[],,AC-3,mitigates,2 +596,,T1570,Lateral Tool Transfer,[],[],,AC-3,mitigates,2 +597,,T1572,Protocol Tunneling,[],[],,AC-3,mitigates,2 +598,,T1574,Hijack Execution Flow,[],[],,AC-3,mitigates,2 +599,,T1574.004,Dylib Hijacking,[],[],,AC-3,mitigates,2 +600,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-3,mitigates,2 +601,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-3,mitigates,2 +602,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-3,mitigates,2 +603,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-3,mitigates,2 +604,,T1574.010,Services File Permissions Weakness,[],[],,AC-3,mitigates,2 +605,,T1574.012,COR_PROFILER,[],[],,AC-3,mitigates,2 +606,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-3,mitigates,2 +607,,T1578.001,Create Snapshot,[],[],,AC-3,mitigates,2 +608,,T1578.002,Create Cloud Instance,[],[],,AC-3,mitigates,2 +609,,T1578.003,Delete Cloud Instance,[],[],,AC-3,mitigates,2 +610,,T1580,Cloud Infrastructure Discovery,[],[],,AC-3,mitigates,2 +611,,T1599,Network Boundary Bridging,[],[],,AC-3,mitigates,2 +612,,T1599.001,Network Address Translation 
Traversal,[],[],,AC-3,mitigates,2 +613,,T1601,Modify System Image,[],[],,AC-3,mitigates,2 +614,,T1601.001,Patch System Image,[],[],,AC-3,mitigates,2 +615,,T1601.002,Downgrade System Image,[],[],,AC-3,mitigates,2 +616,,T1602,Data from Configuration Repository,[],[],,AC-3,mitigates,2 +617,,T1602.001,SNMP (MIB Dump),[],[],,AC-3,mitigates,2 +618,,T1602.002,Network Device Configuration Dump,[],[],,AC-3,mitigates,2 +619,,T1609,Container Administration Command,[],[],,AC-3,mitigates,2 +620,,T1610,Deploy Container,[],[],,AC-3,mitigates,2 +621,,T1611,Escape to Host,[],[],,AC-3,mitigates,2 +622,,T1612,Build Image on Host,[],[],,AC-3,mitigates,2 +623,,T1613,Container and Resource Discovery,[],[],,AC-3,mitigates,2 +624,,T1001,Data Obfuscation,[],[],,AC-4,mitigates,2 +625,,T1001.001,Junk Data,[],[],,AC-4,mitigates,2 +626,,T1001.002,Steganography,[],[],,AC-4,mitigates,2 +627,,T1001.003,Protocol Impersonation,[],[],,AC-4,mitigates,2 +628,,T1003,OS Credential Dumping,[],[],,AC-4,mitigates,2 +629,,T1003.001,LSASS Memory,[],[],,AC-4,mitigates,2 +630,,T1003.005,Cached Domain Credentials,[],[],,AC-4,mitigates,2 +631,,T1003.006,DCSync,[],[],,AC-4,mitigates,2 +632,,T1008,Fallback Channels,[],[],,AC-4,mitigates,2 +633,,T1021.001,Remote Desktop Protocol,[],[],,AC-4,mitigates,2 +634,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-4,mitigates,2 +635,,T1021.003,Distributed Component Object Model,[],[],,AC-4,mitigates,2 +636,,T1021.005,VNC,[],[],,AC-4,mitigates,2 +637,,T1021.006,Windows Remote Management,[],[],,AC-4,mitigates,2 +638,,T1029,Scheduled Transfer,[],[],,AC-4,mitigates,2 +639,,T1030,Data Transfer Size Limits,[],[],,AC-4,mitigates,2 +640,,T1041,Exfiltration Over C2 Channel,[],[],,AC-4,mitigates,2 +641,,T1046,Network Service Scanning,[],[],,AC-4,mitigates,2 +642,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-4,mitigates,2 +643,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,2 +644,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 
Protocol,[],[],,AC-4,mitigates,2 +645,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-4,mitigates,2 +646,,T1068,Exploitation for Privilege Escalation,[],[],,AC-4,mitigates,2 +647,,T1071,Application Layer Protocol,[],[],,AC-4,mitigates,2 +648,,T1071.001,Web Protocols,[],[],,AC-4,mitigates,2 +649,,T1071.002,File Transfer Protocols,[],[],,AC-4,mitigates,2 +650,,T1071.003,Mail Protocols,[],[],,AC-4,mitigates,2 +651,,T1071.004,DNS,[],[],,AC-4,mitigates,2 +652,,T1072,Software Deployment Tools,[],[],,AC-4,mitigates,2 +653,,T1090,Proxy,[],[],,AC-4,mitigates,2 +654,,T1090.001,Internal Proxy,[],[],,AC-4,mitigates,2 +655,,T1090.002,External Proxy,[],[],,AC-4,mitigates,2 +656,,T1090.003,Multi-hop Proxy,[],[],,AC-4,mitigates,2 +657,,T1095,Non-Application Layer Protocol,[],[],,AC-4,mitigates,2 +658,,T1098,Account Manipulation,[],[],,AC-4,mitigates,2 +659,,T1098.001,Additional Cloud Credentials,[],[],,AC-4,mitigates,2 +660,,T1102,Web Service,[],[],,AC-4,mitigates,2 +661,,T1102.001,Dead Drop Resolver,[],[],,AC-4,mitigates,2 +662,,T1102.002,Bidirectional Communication,[],[],,AC-4,mitigates,2 +663,,T1102.003,One-Way Communication,[],[],,AC-4,mitigates,2 +664,,T1104,Multi-Stage Channels,[],[],,AC-4,mitigates,2 +665,,T1105,Ingress Tool Transfer,[],[],,AC-4,mitigates,2 +666,,T1114,Email Collection,[],[],,AC-4,mitigates,2 +667,,T1114.001,Local Email Collection,[],[],,AC-4,mitigates,2 +668,,T1114.002,Remote Email Collection,[],[],,AC-4,mitigates,2 +669,,T1114.003,Email Forwarding Rule,[],[],,AC-4,mitigates,2 +670,,T1132,Data Encoding,[],[],,AC-4,mitigates,2 +671,,T1132.001,Standard Encoding,[],[],,AC-4,mitigates,2 +672,,T1132.002,Non-Standard Encoding,[],[],,AC-4,mitigates,2 +673,,T1133,External Remote Services,[],[],,AC-4,mitigates,2 +674,,T1134.005,SID-History Injection,[],[],,AC-4,mitigates,2 +675,,T1136,Create Account,[],[],,AC-4,mitigates,2 +676,,T1136.002,Domain Account,[],[],,AC-4,mitigates,2 +677,,T1136.003,Cloud Account,[],[],,AC-4,mitigates,2 
+678,,T1187,Forced Authentication,[],[],,AC-4,mitigates,2 +679,,T1189,Drive-by Compromise,[],[],,AC-4,mitigates,2 +680,,T1190,Exploit Public-Facing Application,[],[],,AC-4,mitigates,2 +681,,T1197,BITS Jobs,[],[],,AC-4,mitigates,2 +682,,T1199,Trusted Relationship,[],[],,AC-4,mitigates,2 +683,,T1203,Exploitation for Client Execution,[],[],,AC-4,mitigates,2 +684,,T1204,User Execution,[],[],,AC-4,mitigates,2 +685,,T1204.001,Malicious Link,[],[],,AC-4,mitigates,2 +686,,T1204.002,Malicious File,[],[],,AC-4,mitigates,2 +687,,T1204.003,Malicious Image,[],[],,AC-4,mitigates,2 +688,,T1205,Traffic Signaling,[],[],,AC-4,mitigates,2 +689,,T1205.001,Port Knocking,[],[],,AC-4,mitigates,2 +690,,T1210,Exploitation of Remote Services,[],[],,AC-4,mitigates,2 +691,,T1211,Exploitation for Defense Evasion,[],[],,AC-4,mitigates,2 +692,,T1212,Exploitation for Credential Access,[],[],,AC-4,mitigates,2 +693,,T1213,Data from Information Repositories,[],[],,AC-4,mitigates,2 +694,,T1213.001,Confluence,[],[],,AC-4,mitigates,2 +695,,T1213.002,Sharepoint,[],[],,AC-4,mitigates,2 +696,,T1218.012,Verclsid,[],[],,AC-4,mitigates,2 +697,,T1219,Remote Access Software,[],[],,AC-4,mitigates,2 +698,,T1482,Domain Trust Discovery,[],[],,AC-4,mitigates,2 +699,,T1484,Domain Policy Modification,[],[],,AC-4,mitigates,2 +700,,T1489,Service Stop,[],[],,AC-4,mitigates,2 +701,,T1498,Network Denial of Service,[],[],,AC-4,mitigates,2 +702,,T1498.001,Direct Network Flood,[],[],,AC-4,mitigates,2 +703,,T1498.002,Reflection Amplification,[],[],,AC-4,mitigates,2 +704,,T1499,Endpoint Denial of Service,[],[],,AC-4,mitigates,2 +705,,T1499.001,OS Exhaustion Flood,[],[],,AC-4,mitigates,2 +706,,T1499.002,Service Exhaustion Flood,[],[],,AC-4,mitigates,2 +707,,T1499.003,Application Exhaustion Flood,[],[],,AC-4,mitigates,2 +708,,T1499.004,Application or System Exploitation,[],[],,AC-4,mitigates,2 +709,,T1528,Steal Application Access Token,[],[],,AC-4,mitigates,2 +710,,T1530,Data from Cloud Storage Object,[],[],,AC-4,mitigates,2 
+711,,T1537,Transfer Data to Cloud Account,[],[],,AC-4,mitigates,2 +712,,T1547.003,Time Providers,[],[],,AC-4,mitigates,2 +713,,T1552,Unsecured Credentials,[],[],,AC-4,mitigates,2 +714,,T1552.001,Credentials In Files,[],[],,AC-4,mitigates,2 +715,,T1552.005,Cloud Instance Metadata API,[],[],,AC-4,mitigates,2 +716,,T1552.007,Container API,[],[],,AC-4,mitigates,2 +717,,T1557,Man-in-the-Middle,[],[],,AC-4,mitigates,2 +718,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-4,mitigates,2 +719,,T1557.002,ARP Cache Poisoning,[],[],,AC-4,mitigates,2 +720,,T1559,Inter-Process Communication,[],[],,AC-4,mitigates,2 +721,,T1559.001,Component Object Model,[],[],,AC-4,mitigates,2 +722,,T1559.002,Dynamic Data Exchange,[],[],,AC-4,mitigates,2 +723,,T1563,Remote Service Session Hijacking,[],[],,AC-4,mitigates,2 +724,,T1563.002,RDP Hijacking,[],[],,AC-4,mitigates,2 +725,,T1565,Data Manipulation,[],[],,AC-4,mitigates,2 +726,,T1565.003,Runtime Data Manipulation,[],[],,AC-4,mitigates,2 +727,,T1566,Phishing,[],[],,AC-4,mitigates,2 +728,,T1566.001,Spearphishing Attachment,[],[],,AC-4,mitigates,2 +729,,T1566.002,Spearphishing Link,[],[],,AC-4,mitigates,2 +730,,T1566.003,Spearphishing via Service,[],[],,AC-4,mitigates,2 +731,,T1567,Exfiltration Over Web Service,[],[],,AC-4,mitigates,2 +732,,T1567.001,Exfiltration to Code Repository,[],[],,AC-4,mitigates,2 +733,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-4,mitigates,2 +734,,T1568,Dynamic Resolution,[],[],,AC-4,mitigates,2 +735,,T1568.002,Domain Generation Algorithms,[],[],,AC-4,mitigates,2 +736,,T1570,Lateral Tool Transfer,[],[],,AC-4,mitigates,2 +737,,T1571,Non-Standard Port,[],[],,AC-4,mitigates,2 +738,,T1572,Protocol Tunneling,[],[],,AC-4,mitigates,2 +739,,T1573,Encrypted Channel,[],[],,AC-4,mitigates,2 +740,,T1573.001,Symmetric Cryptography,[],[],,AC-4,mitigates,2 +741,,T1573.002,Asymmetric Cryptography,[],[],,AC-4,mitigates,2 +742,,T1574,Hijack Execution Flow,[],[],,AC-4,mitigates,2 +743,,T1574.004,Dylib 
Hijacking,[],[],,AC-4,mitigates,2 +744,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-4,mitigates,2 +745,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-4,mitigates,2 +746,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-4,mitigates,2 +747,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-4,mitigates,2 +748,,T1574.010,Services File Permissions Weakness,[],[],,AC-4,mitigates,2 +749,,T1598,Phishing for Information,[],[],,AC-4,mitigates,2 +750,,T1598.001,Spearphishing Service,[],[],,AC-4,mitigates,2 +751,,T1598.002,Spearphishing Attachment,[],[],,AC-4,mitigates,2 +752,,T1598.003,Spearphishing Link,[],[],,AC-4,mitigates,2 +753,,T1599,Network Boundary Bridging,[],[],,AC-4,mitigates,2 +754,,T1599.001,Network Address Translation Traversal,[],[],,AC-4,mitigates,2 +755,,T1601,Modify System Image,[],[],,AC-4,mitigates,2 +756,,T1601.001,Patch System Image,[],[],,AC-4,mitigates,2 +757,,T1601.002,Downgrade System Image,[],[],,AC-4,mitigates,2 +758,,T1602,Data from Configuration Repository,[],[],,AC-4,mitigates,2 +759,,T1602.001,SNMP (MIB Dump),[],[],,AC-4,mitigates,2 +760,,T1602.002,Network Device Configuration Dump,[],[],,AC-4,mitigates,2 +761,,T1611,Escape to Host,[],[],,AC-4,mitigates,2 +762,,T1003,OS Credential Dumping,[],[],,AC-5,mitigates,2 +763,,T1003.001,LSASS Memory,[],[],,AC-5,mitigates,2 +764,,T1003.002,Security Account Manager,[],[],,AC-5,mitigates,2 +765,,T1003.003,NTDS,[],[],,AC-5,mitigates,2 +766,,T1003.004,LSA Secrets,[],[],,AC-5,mitigates,2 +767,,T1003.005,Cached Domain Credentials,[],[],,AC-5,mitigates,2 +768,,T1003.006,DCSync,[],[],,AC-5,mitigates,2 +769,,T1003.007,Proc Filesystem,[],[],,AC-5,mitigates,2 +770,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-5,mitigates,2 +771,,T1021,Remote Services,[],[],,AC-5,mitigates,2 +772,,T1021.001,Remote Desktop Protocol,[],[],,AC-5,mitigates,2 +773,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-5,mitigates,2 +774,,T1021.003,Distributed Component Object 
Model,[],[],,AC-5,mitigates,2 +775,,T1021.004,SSH,[],[],,AC-5,mitigates,2 +776,,T1021.006,Windows Remote Management,[],[],,AC-5,mitigates,2 +777,,T1047,Windows Management Instrumentation,[],[],,AC-5,mitigates,2 +778,,T1053,Scheduled Task/Job,[],[],,AC-5,mitigates,2 +779,,T1053.001,At (Linux),[],[],,AC-5,mitigates,2 +780,,T1053.002,At (Windows),[],[],,AC-5,mitigates,2 +781,,T1053.003,Cron,[],[],,AC-5,mitigates,2 +782,,T1053.004,Launchd,[],[],,AC-5,mitigates,2 +783,,T1053.005,Scheduled Task,[],[],,AC-5,mitigates,2 +784,,T1053.006,Systemd Timers,[],[],,AC-5,mitigates,2 +785,,T1053.007,Container Orchestration Job,[],[],,AC-5,mitigates,2 +786,,T1055,Process Injection,[],[],,AC-5,mitigates,2 +787,,T1055.008,Ptrace System Calls,[],[],,AC-5,mitigates,2 +788,,T1056.003,Web Portal Capture,[],[],,AC-5,mitigates,2 +789,,T1059,Command and Scripting Interpreter,[],[],,AC-5,mitigates,2 +790,,T1059.001,PowerShell,[],[],,AC-5,mitigates,2 +791,,T1059.008,Network Device CLI,[],[],,AC-5,mitigates,2 +792,,T1070,Indicator Removal on Host,[],[],,AC-5,mitigates,2 +793,,T1070.001,Clear Windows Event Logs,[],[],,AC-5,mitigates,2 +794,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-5,mitigates,2 +795,,T1070.003,Clear Command History,[],[],,AC-5,mitigates,2 +796,,T1072,Software Deployment Tools,[],[],,AC-5,mitigates,2 +797,,T1078,Valid Accounts,[],[],,AC-5,mitigates,2 +798,,T1078.001,Default Accounts,[],[],,AC-5,mitigates,2 +799,,T1078.002,Domain Accounts,[],[],,AC-5,mitigates,2 +800,,T1078.003,Local Accounts,[],[],,AC-5,mitigates,2 +801,,T1078.004,Cloud Accounts,[],[],,AC-5,mitigates,2 +802,,T1087.004,Cloud Account,[],[],,AC-5,mitigates,2 +803,,T1098,Account Manipulation,[],[],,AC-5,mitigates,2 +804,,T1098.001,Additional Cloud Credentials,[],[],,AC-5,mitigates,2 +805,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-5,mitigates,2 +806,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-5,mitigates,2 +807,,T1110,Brute Force,[],[],,AC-5,mitigates,2 +808,,T1110.001,Password 
Guessing,[],[],,AC-5,mitigates,2 +809,,T1110.002,Password Cracking,[],[],,AC-5,mitigates,2 +810,,T1110.003,Password Spraying,[],[],,AC-5,mitigates,2 +811,,T1110.004,Credential Stuffing,[],[],,AC-5,mitigates,2 +812,,T1134,Access Token Manipulation,[],[],,AC-5,mitigates,2 +813,,T1134.001,Token Impersonation/Theft,[],[],,AC-5,mitigates,2 +814,,T1134.002,Create Process with Token,[],[],,AC-5,mitigates,2 +815,,T1134.003,Make and Impersonate Token,[],[],,AC-5,mitigates,2 +816,,T1134.005,SID-History Injection,[],[],,AC-5,mitigates,2 +817,,T1136,Create Account,[],[],,AC-5,mitigates,2 +818,,T1136.001,Local Account,[],[],,AC-5,mitigates,2 +819,,T1136.002,Domain Account,[],[],,AC-5,mitigates,2 +820,,T1136.003,Cloud Account,[],[],,AC-5,mitigates,2 +821,,T1185,Man in the Browser,[],[],,AC-5,mitigates,2 +822,,T1190,Exploit Public-Facing Application,[],[],,AC-5,mitigates,2 +823,,T1197,BITS Jobs,[],[],,AC-5,mitigates,2 +824,,T1210,Exploitation of Remote Services,[],[],,AC-5,mitigates,2 +825,,T1213,Data from Information Repositories,[],[],,AC-5,mitigates,2 +826,,T1213.001,Confluence,[],[],,AC-5,mitigates,2 +827,,T1213.002,Sharepoint,[],[],,AC-5,mitigates,2 +828,,T1218,Signed Binary Proxy Execution,[],[],,AC-5,mitigates,2 +829,,T1218.007,Msiexec,[],[],,AC-5,mitigates,2 +830,,T1222,File and Directory Permissions Modification,[],[],,AC-5,mitigates,2 +831,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-5,mitigates,2 +832,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-5,mitigates,2 +833,,T1484,Domain Policy Modification,[],[],,AC-5,mitigates,2 +834,,T1489,Service Stop,[],[],,AC-5,mitigates,2 +835,,T1495,Firmware Corruption,[],[],,AC-5,mitigates,2 +836,,T1505,Server Software Component,[],[],,AC-5,mitigates,2 +837,,T1505.001,SQL Stored Procedures,[],[],,AC-5,mitigates,2 +838,,T1505.002,Transport Agent,[],[],,AC-5,mitigates,2 +839,,T1525,Implant Internal Image,[],[],,AC-5,mitigates,2 +840,,T1528,Steal Application Access 
Token,[],[],,AC-5,mitigates,2 +841,,T1530,Data from Cloud Storage Object,[],[],,AC-5,mitigates,2 +842,,T1537,Transfer Data to Cloud Account,[],[],,AC-5,mitigates,2 +843,,T1538,Cloud Service Dashboard,[],[],,AC-5,mitigates,2 +844,,T1542,Pre-OS Boot,[],[],,AC-5,mitigates,2 +845,,T1542.001,System Firmware,[],[],,AC-5,mitigates,2 +846,,T1542.003,Bootkit,[],[],,AC-5,mitigates,2 +847,,T1542.005,TFTP Boot,[],[],,AC-5,mitigates,2 +848,,T1543,Create or Modify System Process,[],[],,AC-5,mitigates,2 +849,,T1543.001,Launch Agent,[],[],,AC-5,mitigates,2 +850,,T1543.002,Systemd Service,[],[],,AC-5,mitigates,2 +851,,T1543.003,Windows Service,[],[],,AC-5,mitigates,2 +852,,T1543.004,Launch Daemon,[],[],,AC-5,mitigates,2 +853,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-5,mitigates,2 +854,,T1547.004,Winlogon Helper DLL,[],[],,AC-5,mitigates,2 +855,,T1547.006,Kernel Modules and Extensions,[],[],,AC-5,mitigates,2 +856,,T1547.009,Shortcut Modification,[],[],,AC-5,mitigates,2 +857,,T1547.012,Print Processors,[],[],,AC-5,mitigates,2 +858,,T1547.013,XDG Autostart Entries,[],[],,AC-5,mitigates,2 +859,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-5,mitigates,2 +860,,T1548.002,Bypass User Account Control,[],[],,AC-5,mitigates,2 +861,,T1548.003,Sudo and Sudo Caching,[],[],,AC-5,mitigates,2 +862,,T1550,Use Alternate Authentication Material,[],[],,AC-5,mitigates,2 +863,,T1550.002,Pass the Hash,[],[],,AC-5,mitigates,2 +864,,T1550.003,Pass the Ticket,[],[],,AC-5,mitigates,2 +865,,T1552,Unsecured Credentials,[],[],,AC-5,mitigates,2 +866,,T1552.001,Credentials In Files,[],[],,AC-5,mitigates,2 +867,,T1552.002,Credentials in Registry,[],[],,AC-5,mitigates,2 +868,,T1552.006,Group Policy Preferences,[],[],,AC-5,mitigates,2 +869,,T1552.007,Container API,[],[],,AC-5,mitigates,2 +870,,T1553,Subvert Trust Controls,[],[],,AC-5,mitigates,2 +871,,T1553.006,Code Signing Policy Modification,[],[],,AC-5,mitigates,2 +872,,T1556,Modify Authentication 
Process,[],[],,AC-5,mitigates,2 +873,,T1556.001,Domain Controller Authentication,[],[],,AC-5,mitigates,2 +874,,T1556.003,Pluggable Authentication Modules,[],[],,AC-5,mitigates,2 +875,,T1556.004,Network Device Authentication,[],[],,AC-5,mitigates,2 +876,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-5,mitigates,2 +877,,T1558.001,Golden Ticket,[],[],,AC-5,mitigates,2 +878,,T1558.002,Silver Ticket,[],[],,AC-5,mitigates,2 +879,,T1558.003,Kerberoasting,[],[],,AC-5,mitigates,2 +880,,T1559,Inter-Process Communication,[],[],,AC-5,mitigates,2 +881,,T1559.001,Component Object Model,[],[],,AC-5,mitigates,2 +882,,T1562,Impair Defenses,[],[],,AC-5,mitigates,2 +883,,T1562.001,Disable or Modify Tools,[],[],,AC-5,mitigates,2 +884,,T1562.002,Disable Windows Event Logging,[],[],,AC-5,mitigates,2 +885,,T1562.004,Disable or Modify System Firewall,[],[],,AC-5,mitigates,2 +886,,T1562.006,Indicator Blocking,[],[],,AC-5,mitigates,2 +887,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-5,mitigates,2 +888,,T1562.008,Disable Cloud Logs,[],[],,AC-5,mitigates,2 +889,,T1563,Remote Service Session Hijacking,[],[],,AC-5,mitigates,2 +890,,T1563.001,SSH Hijacking,[],[],,AC-5,mitigates,2 +891,,T1563.002,RDP Hijacking,[],[],,AC-5,mitigates,2 +892,,T1569,System Services,[],[],,AC-5,mitigates,2 +893,,T1569.001,Launchctl,[],[],,AC-5,mitigates,2 +894,,T1569.002,Service Execution,[],[],,AC-5,mitigates,2 +895,,T1574,Hijack Execution Flow,[],[],,AC-5,mitigates,2 +896,,T1574.004,Dylib Hijacking,[],[],,AC-5,mitigates,2 +897,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-5,mitigates,2 +898,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-5,mitigates,2 +899,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-5,mitigates,2 +900,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-5,mitigates,2 +901,,T1574.010,Services File Permissions Weakness,[],[],,AC-5,mitigates,2 +902,,T1574.012,COR_PROFILER,[],[],,AC-5,mitigates,2 +903,,T1578,Modify Cloud 
Compute Infrastructure,[],[],,AC-5,mitigates,2 +904,,T1578.001,Create Snapshot,[],[],,AC-5,mitigates,2 +905,,T1578.002,Create Cloud Instance,[],[],,AC-5,mitigates,2 +906,,T1578.003,Delete Cloud Instance,[],[],,AC-5,mitigates,2 +907,,T1580,Cloud Infrastructure Discovery,[],[],,AC-5,mitigates,2 +908,,T1599,Network Boundary Bridging,[],[],,AC-5,mitigates,2 +909,,T1599.001,Network Address Translation Traversal,[],[],,AC-5,mitigates,2 +910,,T1601,Modify System Image,[],[],,AC-5,mitigates,2 +911,,T1601.001,Patch System Image,[],[],,AC-5,mitigates,2 +912,,T1601.002,Downgrade System Image,[],[],,AC-5,mitigates,2 +913,,T1611,Escape to Host,[],[],,AC-5,mitigates,2 +914,,T1003,OS Credential Dumping,[],[],,AC-6,mitigates,2 +915,,T1003.001,LSASS Memory,[],[],,AC-6,mitigates,2 +916,,T1003.002,Security Account Manager,[],[],,AC-6,mitigates,2 +917,,T1003.003,NTDS,[],[],,AC-6,mitigates,2 +918,,T1003.004,LSA Secrets,[],[],,AC-6,mitigates,2 +919,,T1003.005,Cached Domain Credentials,[],[],,AC-6,mitigates,2 +920,,T1003.006,DCSync,[],[],,AC-6,mitigates,2 +921,,T1003.007,Proc Filesystem,[],[],,AC-6,mitigates,2 +922,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-6,mitigates,2 +923,,T1021,Remote Services,[],[],,AC-6,mitigates,2 +924,,T1021.001,Remote Desktop Protocol,[],[],,AC-6,mitigates,2 +925,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-6,mitigates,2 +926,,T1021.003,Distributed Component Object Model,[],[],,AC-6,mitigates,2 +927,,T1021.004,SSH,[],[],,AC-6,mitigates,2 +928,,T1021.005,VNC,[],[],,AC-6,mitigates,2 +929,,T1021.006,Windows Remote Management,[],[],,AC-6,mitigates,2 +930,,T1036,Masquerading,[],[],,AC-6,mitigates,2 +931,,T1036.003,Rename System Utilities,[],[],,AC-6,mitigates,2 +932,,T1036.005,Match Legitimate Name or Location,[],[],,AC-6,mitigates,2 +933,,T1047,Windows Management Instrumentation,[],[],,AC-6,mitigates,2 +934,,T1052,Exfiltration Over Physical Medium,[],[],,AC-6,mitigates,2 +935,,T1052.001,Exfiltration over USB,[],[],,AC-6,mitigates,2 +936,,T1053,Scheduled 
Task/Job,[],[],,AC-6,mitigates,2 +937,,T1053.001,At (Linux),[],[],,AC-6,mitigates,2 +938,,T1053.002,At (Windows),[],[],,AC-6,mitigates,2 +939,,T1053.003,Cron,[],[],,AC-6,mitigates,2 +940,,T1053.004,Launchd,[],[],,AC-6,mitigates,2 +941,,T1053.005,Scheduled Task,[],[],,AC-6,mitigates,2 +942,,T1053.006,Systemd Timers,[],[],,AC-6,mitigates,2 +943,,T1053.007,Container Orchestration Job,[],[],,AC-6,mitigates,2 +944,,T1055,Process Injection,[],[],,AC-6,mitigates,2 +945,,T1055.001,Dynamic-link Library Injection,[],[],,AC-6,mitigates,2 +946,,T1055.002,Portable Executable Injection,[],[],,AC-6,mitigates,2 +947,,T1055.003,Thread Execution Hijacking,[],[],,AC-6,mitigates,2 +948,,T1055.004,Asynchronous Procedure Call,[],[],,AC-6,mitigates,2 +949,,T1055.005,Thread Local Storage,[],[],,AC-6,mitigates,2 +950,,T1055.008,Ptrace System Calls,[],[],,AC-6,mitigates,2 +951,,T1055.009,Proc Memory,[],[],,AC-6,mitigates,2 +952,,T1055.011,Extra Window Memory Injection,[],[],,AC-6,mitigates,2 +953,,T1055.012,Process Hollowing,[],[],,AC-6,mitigates,2 +954,,T1055.013,Process Doppelgänging,[],[],,AC-6,mitigates,2 +955,,T1055.014,VDSO Hijacking,[],[],,AC-6,mitigates,2 +956,,T1056.003,Web Portal Capture,[],[],,AC-6,mitigates,2 +957,,T1059,Command and Scripting Interpreter,[],[],,AC-6,mitigates,2 +958,,T1059.001,PowerShell,[],[],,AC-6,mitigates,2 +959,,T1059.006,Python,[],[],,AC-6,mitigates,2 +960,,T1059.008,Network Device CLI,[],[],,AC-6,mitigates,2 +961,,T1068,Exploitation for Privilege Escalation,[],[],,AC-6,mitigates,2 +962,,T1070,Indicator Removal on Host,[],[],,AC-6,mitigates,2 +963,,T1070.001,Clear Windows Event Logs,[],[],,AC-6,mitigates,2 +964,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-6,mitigates,2 +965,,T1070.003,Clear Command History,[],[],,AC-6,mitigates,2 +966,,T1072,Software Deployment Tools,[],[],,AC-6,mitigates,2 +967,,T1078,Valid Accounts,[],[],,AC-6,mitigates,2 +968,,T1078.001,Default Accounts,[],[],,AC-6,mitigates,2 +969,,T1078.002,Domain 
Accounts,[],[],,AC-6,mitigates,2 +970,,T1078.003,Local Accounts,[],[],,AC-6,mitigates,2 +971,,T1078.004,Cloud Accounts,[],[],,AC-6,mitigates,2 +972,,T1087.004,Cloud Account,[],[],,AC-6,mitigates,2 +973,,T1091,Replication Through Removable Media,[],[],,AC-6,mitigates,2 +974,,T1098,Account Manipulation,[],[],,AC-6,mitigates,2 +975,,T1098.001,Additional Cloud Credentials,[],[],,AC-6,mitigates,2 +976,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-6,mitigates,2 +977,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-6,mitigates,2 +978,,T1110,Brute Force,[],[],,AC-6,mitigates,2 +979,,T1110.001,Password Guessing,[],[],,AC-6,mitigates,2 +980,,T1110.002,Password Cracking,[],[],,AC-6,mitigates,2 +981,,T1110.003,Password Spraying,[],[],,AC-6,mitigates,2 +982,,T1110.004,Credential Stuffing,[],[],,AC-6,mitigates,2 +983,,T1112,Modify Registry,[],[],,AC-6,mitigates,2 +984,,T1133,External Remote Services,[],[],,AC-6,mitigates,2 +985,,T1134,Access Token Manipulation,[],[],,AC-6,mitigates,2 +986,,T1134.001,Token Impersonation/Theft,[],[],,AC-6,mitigates,2 +987,,T1134.002,Create Process with Token,[],[],,AC-6,mitigates,2 +988,,T1134.003,Make and Impersonate Token,[],[],,AC-6,mitigates,2 +989,,T1134.005,SID-History Injection,[],[],,AC-6,mitigates,2 +990,,T1136,Create Account,[],[],,AC-6,mitigates,2 +991,,T1136.001,Local Account,[],[],,AC-6,mitigates,2 +992,,T1136.002,Domain Account,[],[],,AC-6,mitigates,2 +993,,T1136.003,Cloud Account,[],[],,AC-6,mitigates,2 +994,,T1137.002,Office Test,[],[],,AC-6,mitigates,2 +995,,T1176,Browser Extensions,[],[],,AC-6,mitigates,2 +996,,T1185,Man in the Browser,[],[],,AC-6,mitigates,2 +997,,T1189,Drive-by Compromise,[],[],,AC-6,mitigates,2 +998,,T1190,Exploit Public-Facing Application,[],[],,AC-6,mitigates,2 +999,,T1197,BITS Jobs,[],[],,AC-6,mitigates,2 +1000,,T1199,Trusted Relationship,[],[],,AC-6,mitigates,2 +1001,,T1200,Hardware Additions,[],[],,AC-6,mitigates,2 +1002,,T1203,Exploitation for Client 
Execution,[],[],,AC-6,mitigates,2 +1003,,T1210,Exploitation of Remote Services,[],[],,AC-6,mitigates,2 +1004,,T1211,Exploitation for Defense Evasion,[],[],,AC-6,mitigates,2 +1005,,T1212,Exploitation for Credential Access,[],[],,AC-6,mitigates,2 +1006,,T1213,Data from Information Repositories,[],[],,AC-6,mitigates,2 +1007,,T1213.001,Confluence,[],[],,AC-6,mitigates,2 +1008,,T1213.002,Sharepoint,[],[],,AC-6,mitigates,2 +1009,,T1218,Signed Binary Proxy Execution,[],[],,AC-6,mitigates,2 +1010,,T1218.007,Msiexec,[],[],,AC-6,mitigates,2 +1011,,T1222,File and Directory Permissions Modification,[],[],,AC-6,mitigates,2 +1012,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-6,mitigates,2 +1013,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-6,mitigates,2 +1014,,T1484,Domain Policy Modification,[],[],,AC-6,mitigates,2 +1015,,T1485,Data Destruction,[],[],,AC-6,mitigates,2 +1016,,T1486,Data Encrypted for Impact,[],[],,AC-6,mitigates,2 +1017,,T1489,Service Stop,[],[],,AC-6,mitigates,2 +1018,,T1490,Inhibit System Recovery,[],[],,AC-6,mitigates,2 +1019,,T1491,Defacement,[],[],,AC-6,mitigates,2 +1020,,T1491.001,Internal Defacement,[],[],,AC-6,mitigates,2 +1021,,T1491.002,External Defacement,[],[],,AC-6,mitigates,2 +1022,,T1495,Firmware Corruption,[],[],,AC-6,mitigates,2 +1023,,T1505,Server Software Component,[],[],,AC-6,mitigates,2 +1024,,T1505.001,SQL Stored Procedures,[],[],,AC-6,mitigates,2 +1025,,T1505.002,Transport Agent,[],[],,AC-6,mitigates,2 +1026,,T1525,Implant Internal Image,[],[],,AC-6,mitigates,2 +1027,,T1528,Steal Application Access Token,[],[],,AC-6,mitigates,2 +1028,,T1530,Data from Cloud Storage Object,[],[],,AC-6,mitigates,2 +1029,,T1537,Transfer Data to Cloud Account,[],[],,AC-6,mitigates,2 +1030,,T1538,Cloud Service Dashboard,[],[],,AC-6,mitigates,2 +1031,,T1539,Steal Web Session Cookie,[],[],,AC-6,mitigates,2 +1032,,T1542,Pre-OS Boot,[],[],,AC-6,mitigates,2 +1033,,T1542.001,System 
Firmware,[],[],,AC-6,mitigates,2 +1034,,T1542.003,Bootkit,[],[],,AC-6,mitigates,2 +1035,,T1542.004,ROMMONkit,[],[],,AC-6,mitigates,2 +1036,,T1542.005,TFTP Boot,[],[],,AC-6,mitigates,2 +1037,,T1543,Create or Modify System Process,[],[],,AC-6,mitigates,2 +1038,,T1543.001,Launch Agent,[],[],,AC-6,mitigates,2 +1039,,T1543.002,Systemd Service,[],[],,AC-6,mitigates,2 +1040,,T1543.003,Windows Service,[],[],,AC-6,mitigates,2 +1041,,T1543.004,Launch Daemon,[],[],,AC-6,mitigates,2 +1042,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-6,mitigates,2 +1043,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-6,mitigates,2 +1044,,T1546.011,Application Shimming,[],[],,AC-6,mitigates,2 +1045,,T1546.013,PowerShell Profile,[],[],,AC-6,mitigates,2 +1046,,T1547.003,Time Providers,[],[],,AC-6,mitigates,2 +1047,,T1547.004,Winlogon Helper DLL,[],[],,AC-6,mitigates,2 +1048,,T1547.006,Kernel Modules and Extensions,[],[],,AC-6,mitigates,2 +1049,,T1547.009,Shortcut Modification,[],[],,AC-6,mitigates,2 +1050,,T1547.011,Plist Modification,[],[],,AC-6,mitigates,2 +1051,,T1547.012,Print Processors,[],[],,AC-6,mitigates,2 +1052,,T1547.013,XDG Autostart Entries,[],[],,AC-6,mitigates,2 +1053,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-6,mitigates,2 +1054,,T1548.002,Bypass User Account Control,[],[],,AC-6,mitigates,2 +1055,,T1548.003,Sudo and Sudo Caching,[],[],,AC-6,mitigates,2 +1056,,T1550,Use Alternate Authentication Material,[],[],,AC-6,mitigates,2 +1057,,T1550.002,Pass the Hash,[],[],,AC-6,mitigates,2 +1058,,T1550.003,Pass the Ticket,[],[],,AC-6,mitigates,2 +1059,,T1552,Unsecured Credentials,[],[],,AC-6,mitigates,2 +1060,,T1552.001,Credentials In Files,[],[],,AC-6,mitigates,2 +1061,,T1552.002,Credentials in Registry,[],[],,AC-6,mitigates,2 +1062,,T1552.006,Group Policy Preferences,[],[],,AC-6,mitigates,2 +1063,,T1552.007,Container API,[],[],,AC-6,mitigates,2 +1064,,T1553,Subvert Trust Controls,[],[],,AC-6,mitigates,2 +1065,,T1553.003,SIP and Trust 
Provider Hijacking,[],[],,AC-6,mitigates,2 +1066,,T1553.006,Code Signing Policy Modification,[],[],,AC-6,mitigates,2 +1067,,T1556,Modify Authentication Process,[],[],,AC-6,mitigates,2 +1068,,T1556.001,Domain Controller Authentication,[],[],,AC-6,mitigates,2 +1069,,T1556.003,Pluggable Authentication Modules,[],[],,AC-6,mitigates,2 +1070,,T1556.004,Network Device Authentication,[],[],,AC-6,mitigates,2 +1071,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-6,mitigates,2 +1072,,T1558.001,Golden Ticket,[],[],,AC-6,mitigates,2 +1073,,T1558.002,Silver Ticket,[],[],,AC-6,mitigates,2 +1074,,T1558.003,Kerberoasting,[],[],,AC-6,mitigates,2 +1075,,T1559,Inter-Process Communication,[],[],,AC-6,mitigates,2 +1076,,T1559.001,Component Object Model,[],[],,AC-6,mitigates,2 +1077,,T1559.002,Dynamic Data Exchange,[],[],,AC-6,mitigates,2 +1078,,T1561,Disk Wipe,[],[],,AC-6,mitigates,2 +1079,,T1561.001,Disk Content Wipe,[],[],,AC-6,mitigates,2 +1080,,T1561.002,Disk Structure Wipe,[],[],,AC-6,mitigates,2 +1081,,T1562,Impair Defenses,[],[],,AC-6,mitigates,2 +1082,,T1562.001,Disable or Modify Tools,[],[],,AC-6,mitigates,2 +1083,,T1562.002,Disable Windows Event Logging,[],[],,AC-6,mitigates,2 +1084,,T1562.004,Disable or Modify System Firewall,[],[],,AC-6,mitigates,2 +1085,,T1562.006,Indicator Blocking,[],[],,AC-6,mitigates,2 +1086,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-6,mitigates,2 +1087,,T1562.008,Disable Cloud Logs,[],[],,AC-6,mitigates,2 +1088,,T1563,Remote Service Session Hijacking,[],[],,AC-6,mitigates,2 +1089,,T1563.001,SSH Hijacking,[],[],,AC-6,mitigates,2 +1090,,T1563.002,RDP Hijacking,[],[],,AC-6,mitigates,2 +1091,,T1569,System Services,[],[],,AC-6,mitigates,2 +1092,,T1569.001,Launchctl,[],[],,AC-6,mitigates,2 +1093,,T1569.002,Service Execution,[],[],,AC-6,mitigates,2 +1094,,T1574,Hijack Execution Flow,[],[],,AC-6,mitigates,2 +1095,,T1574.004,Dylib Hijacking,[],[],,AC-6,mitigates,2 +1096,,T1574.005,Executable Installer File Permissions 
Weakness,[],[],,AC-6,mitigates,2 +1097,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-6,mitigates,2 +1098,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-6,mitigates,2 +1099,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-6,mitigates,2 +1100,,T1574.010,Services File Permissions Weakness,[],[],,AC-6,mitigates,2 +1101,,T1574.011,Services Registry Permissions Weakness,[],[],,AC-6,mitigates,2 +1102,,T1574.012,COR_PROFILER,[],[],,AC-6,mitigates,2 +1103,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-6,mitigates,2 +1104,,T1578.001,Create Snapshot,[],[],,AC-6,mitigates,2 +1105,,T1578.002,Create Cloud Instance,[],[],,AC-6,mitigates,2 +1106,,T1578.003,Delete Cloud Instance,[],[],,AC-6,mitigates,2 +1107,,T1580,Cloud Infrastructure Discovery,[],[],,AC-6,mitigates,2 +1108,,T1599,Network Boundary Bridging,[],[],,AC-6,mitigates,2 +1109,,T1599.001,Network Address Translation Traversal,[],[],,AC-6,mitigates,2 +1110,,T1601,Modify System Image,[],[],,AC-6,mitigates,2 +1111,,T1601.001,Patch System Image,[],[],,AC-6,mitigates,2 +1112,,T1601.002,Downgrade System Image,[],[],,AC-6,mitigates,2 +1113,,T1609,Container Administration Command,[],[],,AC-6,mitigates,2 +1114,,T1610,Deploy Container,[],[],,AC-6,mitigates,2 +1115,,T1611,Escape to Host,[],[],,AC-6,mitigates,2 +1116,,T1612,Build Image on Host,[],[],,AC-6,mitigates,2 +1117,,T1613,Container and Resource Discovery,[],[],,AC-6,mitigates,2 +1118,,T1021,Remote Services,[],[],,AC-7,mitigates,2 +1119,,T1021.001,Remote Desktop Protocol,[],[],,AC-7,mitigates,2 +1120,,T1021.004,SSH,[],[],,AC-7,mitigates,2 +1121,,T1078.002,Domain Accounts,[],[],,AC-7,mitigates,2 +1122,,T1078.004,Cloud Accounts,[],[],,AC-7,mitigates,2 +1123,,T1110,Brute Force,[],[],,AC-7,mitigates,2 +1124,,T1110.001,Password Guessing,[],[],,AC-7,mitigates,2 +1125,,T1110.002,Password Cracking,[],[],,AC-7,mitigates,2 +1126,,T1110.003,Password Spraying,[],[],,AC-7,mitigates,2 +1127,,T1110.004,Credential 
Stuffing,[],[],,AC-7,mitigates,2 +1128,,T1133,External Remote Services,[],[],,AC-7,mitigates,2 +1129,,T1530,Data from Cloud Storage Object,[],[],,AC-7,mitigates,2 +1130,,T1556,Modify Authentication Process,[],[],,AC-7,mitigates,2 +1131,,T1556.001,Domain Controller Authentication,[],[],,AC-7,mitigates,2 +1132,,T1556.003,Pluggable Authentication Modules,[],[],,AC-7,mitigates,2 +1133,,T1556.004,Network Device Authentication,[],[],,AC-7,mitigates,2 +1134,,T1199,Trusted Relationship,[],[],,AC-8,mitigates,2 +1135,,T1190,Exploit Public-Facing Application,[],[],,CA-2,mitigates,2 +1136,,T1195,Supply Chain Compromise,[],[],,CA-2,mitigates,2 +1137,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-2,mitigates,2 +1138,,T1195.002,Compromise Software Supply Chain,[],[],,CA-2,mitigates,2 +1139,,T1210,Exploitation of Remote Services,[],[],,CA-2,mitigates,2 +1140,,T1001,Data Obfuscation,[],[],,CA-7,mitigates,2 +1141,,T1001.001,Junk Data,[],[],,CA-7,mitigates,2 +1142,,T1001.002,Steganography,[],[],,CA-7,mitigates,2 +1143,,T1001.003,Protocol Impersonation,[],[],,CA-7,mitigates,2 +1144,,T1003,OS Credential Dumping,[],[],,CA-7,mitigates,2 +1145,,T1003.001,LSASS Memory,[],[],,CA-7,mitigates,2 +1146,,T1003.002,Security Account Manager,[],[],,CA-7,mitigates,2 +1147,,T1003.003,NTDS,[],[],,CA-7,mitigates,2 +1148,,T1003.004,LSA Secrets,[],[],,CA-7,mitigates,2 +1149,,T1003.005,Cached Domain Credentials,[],[],,CA-7,mitigates,2 +1150,,T1003.006,DCSync,[],[],,CA-7,mitigates,2 +1151,,T1003.007,Proc Filesystem,[],[],,CA-7,mitigates,2 +1152,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CA-7,mitigates,2 +1153,,T1008,Fallback Channels,[],[],,CA-7,mitigates,2 +1154,,T1021.002,SMB/Windows Admin Shares,[],[],,CA-7,mitigates,2 +1155,,T1021.005,VNC,[],[],,CA-7,mitigates,2 +1156,,T1029,Scheduled Transfer,[],[],,CA-7,mitigates,2 +1157,,T1030,Data Transfer Size Limits,[],[],,CA-7,mitigates,2 +1158,,T1036,Masquerading,[],[],,CA-7,mitigates,2 +1159,,T1036.003,Rename System 
Utilities,[],[],,CA-7,mitigates,2 +1160,,T1036.005,Match Legitimate Name or Location,[],[],,CA-7,mitigates,2 +1161,,T1037,Boot or Logon Initialization Scripts,[],[],,CA-7,mitigates,2 +1162,,T1037.002,Logon Script (Mac),[],[],,CA-7,mitigates,2 +1163,,T1037.003,Network Logon Script,[],[],,CA-7,mitigates,2 +1164,,T1037.004,RC Scripts,[],[],,CA-7,mitigates,2 +1165,,T1037.005,Startup Items,[],[],,CA-7,mitigates,2 +1166,,T1041,Exfiltration Over C2 Channel,[],[],,CA-7,mitigates,2 +1167,,T1046,Network Service Scanning,[],[],,CA-7,mitigates,2 +1168,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-7,mitigates,2 +1169,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,2 +1170,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,2 +1171,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-7,mitigates,2 +1172,,T1053.006,Systemd Timers,[],[],,CA-7,mitigates,2 +1173,,T1055.009,Proc Memory,[],[],,CA-7,mitigates,2 +1174,,T1056.002,GUI Input Capture,[],[],,CA-7,mitigates,2 +1175,,T1068,Exploitation for Privilege Escalation,[],[],,CA-7,mitigates,2 +1176,,T1070,Indicator Removal on Host,[],[],,CA-7,mitigates,2 +1177,,T1070.001,Clear Windows Event Logs,[],[],,CA-7,mitigates,2 +1178,,T1070.002,Clear Linux or Mac System Logs,[],[],,CA-7,mitigates,2 +1179,,T1070.003,Clear Command History,[],[],,CA-7,mitigates,2 +1180,,T1071,Application Layer Protocol,[],[],,CA-7,mitigates,2 +1181,,T1071.001,Web Protocols,[],[],,CA-7,mitigates,2 +1182,,T1071.002,File Transfer Protocols,[],[],,CA-7,mitigates,2 +1183,,T1071.003,Mail Protocols,[],[],,CA-7,mitigates,2 +1184,,T1071.004,DNS,[],[],,CA-7,mitigates,2 +1185,,T1072,Software Deployment Tools,[],[],,CA-7,mitigates,2 +1186,,T1078,Valid Accounts,[],[],,CA-7,mitigates,2 +1187,,T1078.001,Default Accounts,[],[],,CA-7,mitigates,2 +1188,,T1078.003,Local Accounts,[],[],,CA-7,mitigates,2 +1189,,T1078.004,Cloud Accounts,[],[],,CA-7,mitigates,2 
+1190,,T1080,Taint Shared Content,[],[],,CA-7,mitigates,2 +1191,,T1090,Proxy,[],[],,CA-7,mitigates,2 +1192,,T1090.001,Internal Proxy,[],[],,CA-7,mitigates,2 +1193,,T1090.002,External Proxy,[],[],,CA-7,mitigates,2 +1194,,T1090.003,Multi-hop Proxy,[],[],,CA-7,mitigates,2 +1195,,T1095,Non-Application Layer Protocol,[],[],,CA-7,mitigates,2 +1196,,T1102,Web Service,[],[],,CA-7,mitigates,2 +1197,,T1102.001,Dead Drop Resolver,[],[],,CA-7,mitigates,2 +1198,,T1102.002,Bidirectional Communication,[],[],,CA-7,mitigates,2 +1199,,T1102.003,One-Way Communication,[],[],,CA-7,mitigates,2 +1200,,T1104,Multi-Stage Channels,[],[],,CA-7,mitigates,2 +1201,,T1105,Ingress Tool Transfer,[],[],,CA-7,mitigates,2 +1202,,T1110,Brute Force,[],[],,CA-7,mitigates,2 +1203,,T1110.001,Password Guessing,[],[],,CA-7,mitigates,2 +1204,,T1110.002,Password Cracking,[],[],,CA-7,mitigates,2 +1205,,T1110.003,Password Spraying,[],[],,CA-7,mitigates,2 +1206,,T1110.004,Credential Stuffing,[],[],,CA-7,mitigates,2 +1207,,T1111,Two-Factor Authentication Interception,[],[],,CA-7,mitigates,2 +1208,,T1132,Data Encoding,[],[],,CA-7,mitigates,2 +1209,,T1132.001,Standard Encoding,[],[],,CA-7,mitigates,2 +1210,,T1132.002,Non-Standard Encoding,[],[],,CA-7,mitigates,2 +1211,,T1176,Browser Extensions,[],[],,CA-7,mitigates,2 +1212,,T1185,Man in the Browser,[],[],,CA-7,mitigates,2 +1213,,T1187,Forced Authentication,[],[],,CA-7,mitigates,2 +1214,,T1189,Drive-by Compromise,[],[],,CA-7,mitigates,2 +1215,,T1190,Exploit Public-Facing Application,[],[],,CA-7,mitigates,2 +1216,,T1195,Supply Chain Compromise,[],[],,CA-7,mitigates,2 +1217,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-7,mitigates,2 +1218,,T1195.002,Compromise Software Supply Chain,[],[],,CA-7,mitigates,2 +1219,,T1197,BITS Jobs,[],[],,CA-7,mitigates,2 +1220,,T1201,Password Policy Discovery,[],[],,CA-7,mitigates,2 +1221,,T1203,Exploitation for Client Execution,[],[],,CA-7,mitigates,2 +1222,,T1204,User Execution,[],[],,CA-7,mitigates,2 
+1223,,T1204.001,Malicious Link,[],[],,CA-7,mitigates,2 +1224,,T1204.002,Malicious File,[],[],,CA-7,mitigates,2 +1225,,T1204.003,Malicious Image,[],[],,CA-7,mitigates,2 +1226,,T1205,Traffic Signaling,[],[],,CA-7,mitigates,2 +1227,,T1205.001,Port Knocking,[],[],,CA-7,mitigates,2 +1228,,T1210,Exploitation of Remote Services,[],[],,CA-7,mitigates,2 +1229,,T1211,Exploitation for Defense Evasion,[],[],,CA-7,mitigates,2 +1230,,T1212,Exploitation for Credential Access,[],[],,CA-7,mitigates,2 +1231,,T1213,Data from Information Repositories,[],[],,CA-7,mitigates,2 +1232,,T1213.001,Confluence,[],[],,CA-7,mitigates,2 +1233,,T1213.002,Sharepoint,[],[],,CA-7,mitigates,2 +1234,,T1218,Signed Binary Proxy Execution,[],[],,CA-7,mitigates,2 +1235,,T1218.002,Control Panel,[],[],,CA-7,mitigates,2 +1236,,T1218.010,Regsvr32,[],[],,CA-7,mitigates,2 +1237,,T1218.011,Rundll32,[],[],,CA-7,mitigates,2 +1238,,T1218.012,Verclsid,[],[],,CA-7,mitigates,2 +1239,,T1219,Remote Access Software,[],[],,CA-7,mitigates,2 +1240,,T1221,Template Injection,[],[],,CA-7,mitigates,2 +1241,,T1222,File and Directory Permissions Modification,[],[],,CA-7,mitigates,2 +1242,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CA-7,mitigates,2 +1243,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CA-7,mitigates,2 +1244,,T1489,Service Stop,[],[],,CA-7,mitigates,2 +1245,,T1498,Network Denial of Service,[],[],,CA-7,mitigates,2 +1246,,T1498.001,Direct Network Flood,[],[],,CA-7,mitigates,2 +1247,,T1498.002,Reflection Amplification,[],[],,CA-7,mitigates,2 +1248,,T1499,Endpoint Denial of Service,[],[],,CA-7,mitigates,2 +1249,,T1499.001,OS Exhaustion Flood,[],[],,CA-7,mitigates,2 +1250,,T1499.002,Service Exhaustion Flood,[],[],,CA-7,mitigates,2 +1251,,T1499.003,Application Exhaustion Flood,[],[],,CA-7,mitigates,2 +1252,,T1499.004,Application or System Exploitation,[],[],,CA-7,mitigates,2 +1253,,T1528,Steal Application Access Token,[],[],,CA-7,mitigates,2 +1254,,T1530,Data from 
Cloud Storage Object,[],[],,CA-7,mitigates,2 +1255,,T1537,Transfer Data to Cloud Account,[],[],,CA-7,mitigates,2 +1256,,T1539,Steal Web Session Cookie,[],[],,CA-7,mitigates,2 +1257,,T1542.004,ROMMONkit,[],[],,CA-7,mitigates,2 +1258,,T1542.005,TFTP Boot,[],[],,CA-7,mitigates,2 +1259,,T1543,Create or Modify System Process,[],[],,CA-7,mitigates,2 +1260,,T1543.002,Systemd Service,[],[],,CA-7,mitigates,2 +1261,,T1546.004,Unix Shell Configuration Modification,[],[],,CA-7,mitigates,2 +1262,,T1546.013,PowerShell Profile,[],[],,CA-7,mitigates,2 +1263,,T1547.003,Time Providers,[],[],,CA-7,mitigates,2 +1264,,T1547.011,Plist Modification,[],[],,CA-7,mitigates,2 +1265,,T1547.013,XDG Autostart Entries,[],[],,CA-7,mitigates,2 +1266,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-7,mitigates,2 +1267,,T1548.003,Sudo and Sudo Caching,[],[],,CA-7,mitigates,2 +1268,,T1550.003,Pass the Ticket,[],[],,CA-7,mitigates,2 +1269,,T1552,Unsecured Credentials,[],[],,CA-7,mitigates,2 +1270,,T1552.001,Credentials In Files,[],[],,CA-7,mitigates,2 +1271,,T1552.002,Credentials in Registry,[],[],,CA-7,mitigates,2 +1272,,T1552.004,Private Keys,[],[],,CA-7,mitigates,2 +1273,,T1552.005,Cloud Instance Metadata API,[],[],,CA-7,mitigates,2 +1274,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CA-7,mitigates,2 +1275,,T1555,Credentials from Password Stores,[],[],,CA-7,mitigates,2 +1276,,T1555.001,Keychain,[],[],,CA-7,mitigates,2 +1277,,T1555.002,Securityd Memory,[],[],,CA-7,mitigates,2 +1278,,T1556,Modify Authentication Process,[],[],,CA-7,mitigates,2 +1279,,T1556.001,Domain Controller Authentication,[],[],,CA-7,mitigates,2 +1280,,T1557,Man-in-the-Middle,[],[],,CA-7,mitigates,2 +1281,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CA-7,mitigates,2 +1282,,T1557.002,ARP Cache Poisoning,[],[],,CA-7,mitigates,2 +1283,,T1558,Steal or Forge Kerberos Tickets,[],[],,CA-7,mitigates,2 +1284,,T1558.002,Silver Ticket,[],[],,CA-7,mitigates,2 +1285,,T1558.003,Kerberoasting,[],[],,CA-7,mitigates,2 
+1286,,T1558.004,AS-REP Roasting,[],[],,CA-7,mitigates,2 +1287,,T1562,Impair Defenses,[],[],,CA-7,mitigates,2 +1288,,T1562.001,Disable or Modify Tools,[],[],,CA-7,mitigates,2 +1289,,T1562.002,Disable Windows Event Logging,[],[],,CA-7,mitigates,2 +1290,,T1562.004,Disable or Modify System Firewall,[],[],,CA-7,mitigates,2 +1291,,T1562.006,Indicator Blocking,[],[],,CA-7,mitigates,2 +1292,,T1563.001,SSH Hijacking,[],[],,CA-7,mitigates,2 +1293,,T1564.004,NTFS File Attributes,[],[],,CA-7,mitigates,2 +1294,,T1565,Data Manipulation,[],[],,CA-7,mitigates,2 +1295,,T1565.001,Stored Data Manipulation,[],[],,CA-7,mitigates,2 +1296,,T1565.003,Runtime Data Manipulation,[],[],,CA-7,mitigates,2 +1297,,T1566,Phishing,[],[],,CA-7,mitigates,2 +1298,,T1566.001,Spearphishing Attachment,[],[],,CA-7,mitigates,2 +1299,,T1566.002,Spearphishing Link,[],[],,CA-7,mitigates,2 +1300,,T1566.003,Spearphishing via Service,[],[],,CA-7,mitigates,2 +1301,,T1568,Dynamic Resolution,[],[],,CA-7,mitigates,2 +1302,,T1568.002,Domain Generation Algorithms,[],[],,CA-7,mitigates,2 +1303,,T1569,System Services,[],[],,CA-7,mitigates,2 +1304,,T1569.002,Service Execution,[],[],,CA-7,mitigates,2 +1305,,T1570,Lateral Tool Transfer,[],[],,CA-7,mitigates,2 +1306,,T1571,Non-Standard Port,[],[],,CA-7,mitigates,2 +1307,,T1572,Protocol Tunneling,[],[],,CA-7,mitigates,2 +1308,,T1573,Encrypted Channel,[],[],,CA-7,mitigates,2 +1309,,T1573.001,Symmetric Cryptography,[],[],,CA-7,mitigates,2 +1310,,T1573.002,Asymmetric Cryptography,[],[],,CA-7,mitigates,2 +1311,,T1574,Hijack Execution Flow,[],[],,CA-7,mitigates,2 +1312,,T1574.004,Dylib Hijacking,[],[],,CA-7,mitigates,2 +1313,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-7,mitigates,2 +1314,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-7,mitigates,2 +1315,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-7,mitigates,2 +1316,,T1598,Phishing for Information,[],[],,CA-7,mitigates,2 +1317,,T1598.001,Spearphishing 
Service,[],[],,CA-7,mitigates,2 +1318,,T1598.002,Spearphishing Attachment,[],[],,CA-7,mitigates,2 +1319,,T1598.003,Spearphishing Link,[],[],,CA-7,mitigates,2 +1320,,T1599,Network Boundary Bridging,[],[],,CA-7,mitigates,2 +1321,,T1599.001,Network Address Translation Traversal,[],[],,CA-7,mitigates,2 +1322,,T1602,Data from Configuration Repository,[],[],,CA-7,mitigates,2 +1323,,T1602.001,SNMP (MIB Dump),[],[],,CA-7,mitigates,2 +1324,,T1602.002,Network Device Configuration Dump,[],[],,CA-7,mitigates,2 +1325,,T1021.001,Remote Desktop Protocol,[],[],,CA-8,mitigates,2 +1326,,T1021.005,VNC,[],[],,CA-8,mitigates,2 +1327,,T1053,Scheduled Task/Job,[],[],,CA-8,mitigates,2 +1328,,T1053.001,At (Linux),[],[],,CA-8,mitigates,2 +1329,,T1053.002,At (Windows),[],[],,CA-8,mitigates,2 +1330,,T1053.003,Cron,[],[],,CA-8,mitigates,2 +1331,,T1053.004,Launchd,[],[],,CA-8,mitigates,2 +1332,,T1053.005,Scheduled Task,[],[],,CA-8,mitigates,2 +1333,,T1059,Command and Scripting Interpreter,[],[],,CA-8,mitigates,2 +1334,,T1068,Exploitation for Privilege Escalation,[],[],,CA-8,mitigates,2 +1335,,T1078,Valid Accounts,[],[],,CA-8,mitigates,2 +1336,,T1176,Browser Extensions,[],[],,CA-8,mitigates,2 +1337,,T1195.003,Compromise Hardware Supply Chain,[],[],,CA-8,mitigates,2 +1338,,T1204.003,Malicious Image,[],[],,CA-8,mitigates,2 +1339,,T1210,Exploitation of Remote Services,[],[],,CA-8,mitigates,2 +1340,,T1211,Exploitation for Defense Evasion,[],[],,CA-8,mitigates,2 +1341,,T1212,Exploitation for Credential Access,[],[],,CA-8,mitigates,2 +1342,,T1213,Data from Information Repositories,[],[],,CA-8,mitigates,2 +1343,,T1213.001,Confluence,[],[],,CA-8,mitigates,2 +1344,,T1213.002,Sharepoint,[],[],,CA-8,mitigates,2 +1345,,T1482,Domain Trust Discovery,[],[],,CA-8,mitigates,2 +1346,,T1484,Domain Policy Modification,[],[],,CA-8,mitigates,2 +1347,,T1495,Firmware Corruption,[],[],,CA-8,mitigates,2 +1348,,T1505,Server Software Component,[],[],,CA-8,mitigates,2 +1349,,T1505.001,SQL Stored 
Procedures,[],[],,CA-8,mitigates,2 +1350,,T1505.002,Transport Agent,[],[],,CA-8,mitigates,2 +1351,,T1525,Implant Internal Image,[],[],,CA-8,mitigates,2 +1352,,T1528,Steal Application Access Token,[],[],,CA-8,mitigates,2 +1353,,T1530,Data from Cloud Storage Object,[],[],,CA-8,mitigates,2 +1354,,T1542,Pre-OS Boot,[],[],,CA-8,mitigates,2 +1355,,T1542.001,System Firmware,[],[],,CA-8,mitigates,2 +1356,,T1542.003,Bootkit,[],[],,CA-8,mitigates,2 +1357,,T1542.004,ROMMONkit,[],[],,CA-8,mitigates,2 +1358,,T1542.005,TFTP Boot,[],[],,CA-8,mitigates,2 +1359,,T1543,Create or Modify System Process,[],[],,CA-8,mitigates,2 +1360,,T1543.003,Windows Service,[],[],,CA-8,mitigates,2 +1361,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-8,mitigates,2 +1362,,T1548.002,Bypass User Account Control,[],[],,CA-8,mitigates,2 +1363,,T1550.001,Application Access Token,[],[],,CA-8,mitigates,2 +1364,,T1552,Unsecured Credentials,[],[],,CA-8,mitigates,2 +1365,,T1552.001,Credentials In Files,[],[],,CA-8,mitigates,2 +1366,,T1552.002,Credentials in Registry,[],[],,CA-8,mitigates,2 +1367,,T1552.004,Private Keys,[],[],,CA-8,mitigates,2 +1368,,T1552.006,Group Policy Preferences,[],[],,CA-8,mitigates,2 +1369,,T1553,Subvert Trust Controls,[],[],,CA-8,mitigates,2 +1370,,T1553.006,Code Signing Policy Modification,[],[],,CA-8,mitigates,2 +1371,,T1554,Compromise Client Software Binary,[],[],,CA-8,mitigates,2 +1372,,T1558.004,AS-REP Roasting,[],[],,CA-8,mitigates,2 +1373,,T1560,Archive Collected Data,[],[],,CA-8,mitigates,2 +1374,,T1560.001,Archive via Utility,[],[],,CA-8,mitigates,2 +1375,,T1562,Impair Defenses,[],[],,CA-8,mitigates,2 +1376,,T1563,Remote Service Session Hijacking,[],[],,CA-8,mitigates,2 +1377,,T1574,Hijack Execution Flow,[],[],,CA-8,mitigates,2 +1378,,T1574.001,DLL Search Order Hijacking,[],[],,CA-8,mitigates,2 +1379,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CA-8,mitigates,2 +1380,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-8,mitigates,2 
+1381,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-8,mitigates,2 +1382,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-8,mitigates,2 +1383,,T1574.010,Services File Permissions Weakness,[],[],,CA-8,mitigates,2 +1384,,T1578,Modify Cloud Compute Infrastructure,[],[],,CA-8,mitigates,2 +1385,,T1578.001,Create Snapshot,[],[],,CA-8,mitigates,2 +1386,,T1578.002,Create Cloud Instance,[],[],,CA-8,mitigates,2 +1387,,T1578.003,Delete Cloud Instance,[],[],,CA-8,mitigates,2 +1388,,T1601,Modify System Image,[],[],,CA-8,mitigates,2 +1389,,T1601.001,Patch System Image,[],[],,CA-8,mitigates,2 +1390,,T1601.002,Downgrade System Image,[],[],,CA-8,mitigates,2 +1391,,T1612,Build Image on Host,[],[],,CA-8,mitigates,2 +1392,,T1546.008,Accessibility Features,[],[],,CM-10,mitigates,2 +1393,,T1546.013,PowerShell Profile,[],[],,CM-10,mitigates,2 +1394,,T1550.001,Application Access Token,[],[],,CM-10,mitigates,2 +1395,,T1553,Subvert Trust Controls,[],[],,CM-10,mitigates,2 +1396,,T1553.004,Install Root Certificate,[],[],,CM-10,mitigates,2 +1397,,T1559,Inter-Process Communication,[],[],,CM-10,mitigates,2 +1398,,T1559.002,Dynamic Data Exchange,[],[],,CM-10,mitigates,2 +1399,,T1021.005,VNC,[],[],,CM-11,mitigates,2 +1400,,T1059,Command and Scripting Interpreter,[],[],,CM-11,mitigates,2 +1401,,T1059.006,Python,[],[],,CM-11,mitigates,2 +1402,,T1176,Browser Extensions,[],[],,CM-11,mitigates,2 +1403,,T1195,Supply Chain Compromise,[],[],,CM-11,mitigates,2 +1404,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-11,mitigates,2 +1405,,T1195.002,Compromise Software Supply Chain,[],[],,CM-11,mitigates,2 +1406,,T1505,Server Software Component,[],[],,CM-11,mitigates,2 +1407,,T1505.001,SQL Stored Procedures,[],[],,CM-11,mitigates,2 +1408,,T1505.002,Transport Agent,[],[],,CM-11,mitigates,2 +1409,,T1543,Create or Modify System Process,[],[],,CM-11,mitigates,2 +1410,,T1543.001,Launch Agent,[],[],,CM-11,mitigates,2 +1411,,T1543.002,Systemd 
Service,[],[],,CM-11,mitigates,2 +1412,,T1543.003,Windows Service,[],[],,CM-11,mitigates,2 +1413,,T1543.004,Launch Daemon,[],[],,CM-11,mitigates,2 +1414,,T1547.013,XDG Autostart Entries,[],[],,CM-11,mitigates,2 +1415,,T1550.001,Application Access Token,[],[],,CM-11,mitigates,2 +1416,,T1569,System Services,[],[],,CM-11,mitigates,2 +1417,,T1569.001,Launchctl,[],[],,CM-11,mitigates,2 +1418,,T1001,Data Obfuscation,[],[],,CM-2,mitigates,2 +1419,,T1001.001,Junk Data,[],[],,CM-2,mitigates,2 +1420,,T1001.002,Steganography,[],[],,CM-2,mitigates,2 +1421,,T1001.003,Protocol Impersonation,[],[],,CM-2,mitigates,2 +1422,,T1003,OS Credential Dumping,[],[],,CM-2,mitigates,2 +1423,,T1003.001,LSASS Memory,[],[],,CM-2,mitigates,2 +1424,,T1003.002,Security Account Manager,[],[],,CM-2,mitigates,2 +1425,,T1003.003,NTDS,[],[],,CM-2,mitigates,2 +1426,,T1003.004,LSA Secrets,[],[],,CM-2,mitigates,2 +1427,,T1003.005,Cached Domain Credentials,[],[],,CM-2,mitigates,2 +1428,,T1003.006,DCSync,[],[],,CM-2,mitigates,2 +1429,,T1003.007,Proc Filesystem,[],[],,CM-2,mitigates,2 +1430,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-2,mitigates,2 +1431,,T1008,Fallback Channels,[],[],,CM-2,mitigates,2 +1432,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-2,mitigates,2 +1433,,T1020.001,Traffic Duplication,[],[],,CM-2,mitigates,2 +1434,,T1021.001,Remote Desktop Protocol,[],[],,CM-2,mitigates,2 +1435,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-2,mitigates,2 +1436,,T1021.003,Distributed Component Object Model,[],[],,CM-2,mitigates,2 +1437,,T1021.004,SSH,[],[],,CM-2,mitigates,2 +1438,,T1021.005,VNC,[],[],,CM-2,mitigates,2 +1439,,T1021.006,Windows Remote Management,[],[],,CM-2,mitigates,2 +1440,,T1029,Scheduled Transfer,[],[],,CM-2,mitigates,2 +1441,,T1030,Data Transfer Size Limits,[],[],,CM-2,mitigates,2 +1442,,T1036,Masquerading,[],[],,CM-2,mitigates,2 +1443,,T1036.001,Invalid Code Signature,[],[],,CM-2,mitigates,2 +1444,,T1036.003,Rename System Utilities,[],[],,CM-2,mitigates,2 +1445,,T1036.005,Match 
Legitimate Name or Location,[],[],,CM-2,mitigates,2 +1446,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-2,mitigates,2 +1447,,T1037.002,Logon Script (Mac),[],[],,CM-2,mitigates,2 +1448,,T1037.003,Network Logon Script,[],[],,CM-2,mitigates,2 +1449,,T1037.004,RC Scripts,[],[],,CM-2,mitigates,2 +1450,,T1037.005,Startup Items,[],[],,CM-2,mitigates,2 +1451,,T1046,Network Service Scanning,[],[],,CM-2,mitigates,2 +1452,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-2,mitigates,2 +1453,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,2 +1454,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,2 +1455,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-2,mitigates,2 +1456,,T1052,Exfiltration Over Physical Medium,[],[],,CM-2,mitigates,2 +1457,,T1052.001,Exfiltration over USB,[],[],,CM-2,mitigates,2 +1458,,T1053,Scheduled Task/Job,[],[],,CM-2,mitigates,2 +1459,,T1053.002,At (Windows),[],[],,CM-2,mitigates,2 +1460,,T1053.005,Scheduled Task,[],[],,CM-2,mitigates,2 +1461,,T1059,Command and Scripting Interpreter,[],[],,CM-2,mitigates,2 +1462,,T1059.001,PowerShell,[],[],,CM-2,mitigates,2 +1463,,T1059.002,AppleScript,[],[],,CM-2,mitigates,2 +1464,,T1059.005,Visual Basic,[],[],,CM-2,mitigates,2 +1465,,T1059.007,JavaScript,[],[],,CM-2,mitigates,2 +1466,,T1068,Exploitation for Privilege Escalation,[],[],,CM-2,mitigates,2 +1467,,T1070,Indicator Removal on Host,[],[],,CM-2,mitigates,2 +1468,,T1070.001,Clear Windows Event Logs,[],[],,CM-2,mitigates,2 +1469,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-2,mitigates,2 +1470,,T1070.003,Clear Command History,[],[],,CM-2,mitigates,2 +1471,,T1071,Application Layer Protocol,[],[],,CM-2,mitigates,2 +1472,,T1071.001,Web Protocols,[],[],,CM-2,mitigates,2 +1473,,T1071.002,File Transfer Protocols,[],[],,CM-2,mitigates,2 +1474,,T1071.003,Mail Protocols,[],[],,CM-2,mitigates,2 +1475,,T1071.004,DNS,[],[],,CM-2,mitigates,2 
+1476,,T1072,Software Deployment Tools,[],[],,CM-2,mitigates,2 +1477,,T1080,Taint Shared Content,[],[],,CM-2,mitigates,2 +1478,,T1090,Proxy,[],[],,CM-2,mitigates,2 +1479,,T1090.001,Internal Proxy,[],[],,CM-2,mitigates,2 +1480,,T1090.002,External Proxy,[],[],,CM-2,mitigates,2 +1481,,T1091,Replication Through Removable Media,[],[],,CM-2,mitigates,2 +1482,,T1092,Communication Through Removable Media,[],[],,CM-2,mitigates,2 +1483,,T1095,Non-Application Layer Protocol,[],[],,CM-2,mitigates,2 +1484,,T1098.004,SSH Authorized Keys,[],[],,CM-2,mitigates,2 +1485,,T1102,Web Service,[],[],,CM-2,mitigates,2 +1486,,T1102.001,Dead Drop Resolver,[],[],,CM-2,mitigates,2 +1487,,T1102.002,Bidirectional Communication,[],[],,CM-2,mitigates,2 +1488,,T1102.003,One-Way Communication,[],[],,CM-2,mitigates,2 +1489,,T1104,Multi-Stage Channels,[],[],,CM-2,mitigates,2 +1490,,T1105,Ingress Tool Transfer,[],[],,CM-2,mitigates,2 +1491,,T1110,Brute Force,[],[],,CM-2,mitigates,2 +1492,,T1110.001,Password Guessing,[],[],,CM-2,mitigates,2 +1493,,T1110.002,Password Cracking,[],[],,CM-2,mitigates,2 +1494,,T1110.003,Password Spraying,[],[],,CM-2,mitigates,2 +1495,,T1110.004,Credential Stuffing,[],[],,CM-2,mitigates,2 +1496,,T1111,Two-Factor Authentication Interception,[],[],,CM-2,mitigates,2 +1497,,T1114,Email Collection,[],[],,CM-2,mitigates,2 +1498,,T1114.002,Remote Email Collection,[],[],,CM-2,mitigates,2 +1499,,T1119,Automated Collection,[],[],,CM-2,mitigates,2 +1500,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-2,mitigates,2 +1501,,T1127.001,MSBuild,[],[],,CM-2,mitigates,2 +1502,,T1129,Shared Modules,[],[],,CM-2,mitigates,2 +1503,,T1132,Data Encoding,[],[],,CM-2,mitigates,2 +1504,,T1132.001,Standard Encoding,[],[],,CM-2,mitigates,2 +1505,,T1132.002,Non-Standard Encoding,[],[],,CM-2,mitigates,2 +1506,,T1133,External Remote Services,[],[],,CM-2,mitigates,2 +1507,,T1134.005,SID-History Injection,[],[],,CM-2,mitigates,2 +1508,,T1137,Office Application Startup,[],[],,CM-2,mitigates,2 
+1509,,T1137.001,Office Template Macros,[],[],,CM-2,mitigates,2 +1510,,T1137.002,Office Test,[],[],,CM-2,mitigates,2 +1511,,T1176,Browser Extensions,[],[],,CM-2,mitigates,2 +1512,,T1185,Man in the Browser,[],[],,CM-2,mitigates,2 +1513,,T1187,Forced Authentication,[],[],,CM-2,mitigates,2 +1514,,T1189,Drive-by Compromise,[],[],,CM-2,mitigates,2 +1515,,T1201,Password Policy Discovery,[],[],,CM-2,mitigates,2 +1516,,T1204,User Execution,[],[],,CM-2,mitigates,2 +1517,,T1204.001,Malicious Link,[],[],,CM-2,mitigates,2 +1518,,T1204.002,Malicious File,[],[],,CM-2,mitigates,2 +1519,,T1204.003,Malicious Image,[],[],,CM-2,mitigates,2 +1520,,T1205,Traffic Signaling,[],[],,CM-2,mitigates,2 +1521,,T1210,Exploitation of Remote Services,[],[],,CM-2,mitigates,2 +1522,,T1211,Exploitation for Defense Evasion,[],[],,CM-2,mitigates,2 +1523,,T1212,Exploitation for Credential Access,[],[],,CM-2,mitigates,2 +1524,,T1213,Data from Information Repositories,[],[],,CM-2,mitigates,2 +1525,,T1213.001,Confluence,[],[],,CM-2,mitigates,2 +1526,,T1213.002,Sharepoint,[],[],,CM-2,mitigates,2 +1527,,T1216,Signed Script Proxy Execution,[],[],,CM-2,mitigates,2 +1528,,T1216.001,PubPrn,[],[],,CM-2,mitigates,2 +1529,,T1218,Signed Binary Proxy Execution,[],[],,CM-2,mitigates,2 +1530,,T1218.001,Compiled HTML File,[],[],,CM-2,mitigates,2 +1531,,T1218.002,Control Panel,[],[],,CM-2,mitigates,2 +1532,,T1218.003,CMSTP,[],[],,CM-2,mitigates,2 +1533,,T1218.004,InstallUtil,[],[],,CM-2,mitigates,2 +1534,,T1218.005,Mshta,[],[],,CM-2,mitigates,2 +1535,,T1218.007,Msiexec,[],[],,CM-2,mitigates,2 +1536,,T1218.008,Odbcconf,[],[],,CM-2,mitigates,2 +1537,,T1218.009,Regsvcs/Regasm,[],[],,CM-2,mitigates,2 +1538,,T1218.012,Verclsid,[],[],,CM-2,mitigates,2 +1539,,T1219,Remote Access Software,[],[],,CM-2,mitigates,2 +1540,,T1220,XSL Script Processing,[],[],,CM-2,mitigates,2 +1541,,T1221,Template Injection,[],[],,CM-2,mitigates,2 +1542,,T1484,Domain Policy Modification,[],[],,CM-2,mitigates,2 +1543,,T1485,Data 
Destruction,[],[],,CM-2,mitigates,2 +1544,,T1486,Data Encrypted for Impact,[],[],,CM-2,mitigates,2 +1545,,T1490,Inhibit System Recovery,[],[],,CM-2,mitigates,2 +1546,,T1491,Defacement,[],[],,CM-2,mitigates,2 +1547,,T1491.001,Internal Defacement,[],[],,CM-2,mitigates,2 +1548,,T1491.002,External Defacement,[],[],,CM-2,mitigates,2 +1549,,T1505,Server Software Component,[],[],,CM-2,mitigates,2 +1550,,T1505.001,SQL Stored Procedures,[],[],,CM-2,mitigates,2 +1551,,T1505.002,Transport Agent,[],[],,CM-2,mitigates,2 +1552,,T1525,Implant Internal Image,[],[],,CM-2,mitigates,2 +1553,,T1528,Steal Application Access Token,[],[],,CM-2,mitigates,2 +1554,,T1530,Data from Cloud Storage Object,[],[],,CM-2,mitigates,2 +1555,,T1539,Steal Web Session Cookie,[],[],,CM-2,mitigates,2 +1556,,T1542.004,ROMMONkit,[],[],,CM-2,mitigates,2 +1557,,T1542.005,TFTP Boot,[],[],,CM-2,mitigates,2 +1558,,T1543,Create or Modify System Process,[],[],,CM-2,mitigates,2 +1559,,T1543.002,Systemd Service,[],[],,CM-2,mitigates,2 +1560,,T1543.003,Windows Service,[],[],,CM-2,mitigates,2 +1561,,T1546,Event Triggered Execution,[],[],,CM-2,mitigates,2 +1562,,T1546.002,Screensaver,[],[],,CM-2,mitigates,2 +1563,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-2,mitigates,2 +1564,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-2,mitigates,2 +1565,,T1546.010,AppInit DLLs,[],[],,CM-2,mitigates,2 +1566,,T1546.013,PowerShell Profile,[],[],,CM-2,mitigates,2 +1567,,T1546.014,Emond,[],[],,CM-2,mitigates,2 +1568,,T1547.003,Time Providers,[],[],,CM-2,mitigates,2 +1569,,T1547.007,Re-opened Applications,[],[],,CM-2,mitigates,2 +1570,,T1547.008,LSASS Driver,[],[],,CM-2,mitigates,2 +1571,,T1547.011,Plist Modification,[],[],,CM-2,mitigates,2 +1572,,T1547.013,XDG Autostart Entries,[],[],,CM-2,mitigates,2 +1573,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-2,mitigates,2 +1574,,T1548.002,Bypass User Account Control,[],[],,CM-2,mitigates,2 +1575,,T1548.003,Sudo and Sudo Caching,[],[],,CM-2,mitigates,2 
+1576,,T1548.004,Elevated Execution with Prompt,[],[],,CM-2,mitigates,2 +1577,,T1550.001,Application Access Token,[],[],,CM-2,mitigates,2 +1578,,T1550.003,Pass the Ticket,[],[],,CM-2,mitigates,2 +1579,,T1552,Unsecured Credentials,[],[],,CM-2,mitigates,2 +1580,,T1552.001,Credentials In Files,[],[],,CM-2,mitigates,2 +1581,,T1552.004,Private Keys,[],[],,CM-2,mitigates,2 +1582,,T1552.006,Group Policy Preferences,[],[],,CM-2,mitigates,2 +1583,,T1553,Subvert Trust Controls,[],[],,CM-2,mitigates,2 +1584,,T1553.001,Gatekeeper Bypass,[],[],,CM-2,mitigates,2 +1585,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-2,mitigates,2 +1586,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-2,mitigates,2 +1587,,T1554,Compromise Client Software Binary,[],[],,CM-2,mitigates,2 +1588,,T1555.004,Windows Credential Manager,[],[],,CM-2,mitigates,2 +1589,,T1555.005,Password Managers,[],[],,CM-2,mitigates,2 +1590,,T1556,Modify Authentication Process,[],[],,CM-2,mitigates,2 +1591,,T1556.004,Network Device Authentication,[],[],,CM-2,mitigates,2 +1592,,T1557,Man-in-the-Middle,[],[],,CM-2,mitigates,2 +1593,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-2,mitigates,2 +1594,,T1557.002,ARP Cache Poisoning,[],[],,CM-2,mitigates,2 +1595,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-2,mitigates,2 +1596,,T1558.001,Golden Ticket,[],[],,CM-2,mitigates,2 +1597,,T1558.002,Silver Ticket,[],[],,CM-2,mitigates,2 +1598,,T1558.003,Kerberoasting,[],[],,CM-2,mitigates,2 +1599,,T1558.004,AS-REP Roasting,[],[],,CM-2,mitigates,2 +1600,,T1559,Inter-Process Communication,[],[],,CM-2,mitigates,2 +1601,,T1559.001,Component Object Model,[],[],,CM-2,mitigates,2 +1602,,T1559.002,Dynamic Data Exchange,[],[],,CM-2,mitigates,2 +1603,,T1561,Disk Wipe,[],[],,CM-2,mitigates,2 +1604,,T1561.001,Disk Content Wipe,[],[],,CM-2,mitigates,2 +1605,,T1561.002,Disk Structure Wipe,[],[],,CM-2,mitigates,2 +1606,,T1562,Impair Defenses,[],[],,CM-2,mitigates,2 +1607,,T1562.001,Disable or Modify Tools,[],[],,CM-2,mitigates,2 
+1608,,T1562.002,Disable Windows Event Logging,[],[],,CM-2,mitigates,2 +1609,,T1562.003,Impair Command History Logging,[],[],,CM-2,mitigates,2 +1610,,T1562.004,Disable or Modify System Firewall,[],[],,CM-2,mitigates,2 +1611,,T1562.006,Indicator Blocking,[],[],,CM-2,mitigates,2 +1612,,T1563,Remote Service Session Hijacking,[],[],,CM-2,mitigates,2 +1613,,T1563.001,SSH Hijacking,[],[],,CM-2,mitigates,2 +1614,,T1563.002,RDP Hijacking,[],[],,CM-2,mitigates,2 +1615,,T1564.006,Run Virtual Instance,[],[],,CM-2,mitigates,2 +1616,,T1564.007,VBA Stomping,[],[],,CM-2,mitigates,2 +1617,,T1565,Data Manipulation,[],[],,CM-2,mitigates,2 +1618,,T1565.001,Stored Data Manipulation,[],[],,CM-2,mitigates,2 +1619,,T1565.002,Transmitted Data Manipulation,[],[],,CM-2,mitigates,2 +1620,,T1566,Phishing,[],[],,CM-2,mitigates,2 +1621,,T1566.001,Spearphishing Attachment,[],[],,CM-2,mitigates,2 +1622,,T1566.002,Spearphishing Link,[],[],,CM-2,mitigates,2 +1623,,T1569,System Services,[],[],,CM-2,mitigates,2 +1624,,T1569.002,Service Execution,[],[],,CM-2,mitigates,2 +1625,,T1570,Lateral Tool Transfer,[],[],,CM-2,mitigates,2 +1626,,T1571,Non-Standard Port,[],[],,CM-2,mitigates,2 +1627,,T1572,Protocol Tunneling,[],[],,CM-2,mitigates,2 +1628,,T1573,Encrypted Channel,[],[],,CM-2,mitigates,2 +1629,,T1573.001,Symmetric Cryptography,[],[],,CM-2,mitigates,2 +1630,,T1573.002,Asymmetric Cryptography,[],[],,CM-2,mitigates,2 +1631,,T1574,Hijack Execution Flow,[],[],,CM-2,mitigates,2 +1632,,T1574.001,DLL Search Order Hijacking,[],[],,CM-2,mitigates,2 +1633,,T1574.004,Dylib Hijacking,[],[],,CM-2,mitigates,2 +1634,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-2,mitigates,2 +1635,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-2,mitigates,2 +1636,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-2,mitigates,2 +1637,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-2,mitigates,2 +1638,,T1574.010,Services File Permissions 
Weakness,[],[],,CM-2,mitigates,2 +1639,,T1598,Phishing for Information,[],[],,CM-2,mitigates,2 +1640,,T1598.002,Spearphishing Attachment,[],[],,CM-2,mitigates,2 +1641,,T1598.003,Spearphishing Link,[],[],,CM-2,mitigates,2 +1642,,T1599,Network Boundary Bridging,[],[],,CM-2,mitigates,2 +1643,,T1599.001,Network Address Translation Traversal,[],[],,CM-2,mitigates,2 +1644,,T1601,Modify System Image,[],[],,CM-2,mitigates,2 +1645,,T1601.001,Patch System Image,[],[],,CM-2,mitigates,2 +1646,,T1601.002,Downgrade System Image,[],[],,CM-2,mitigates,2 +1647,,T1602,Data from Configuration Repository,[],[],,CM-2,mitigates,2 +1648,,T1602.001,SNMP (MIB Dump),[],[],,CM-2,mitigates,2 +1649,,T1602.002,Network Device Configuration Dump,[],[],,CM-2,mitigates,2 +1650,,T1021.005,VNC,[],[],,CM-3,mitigates,2 +1651,,T1059.006,Python,[],[],,CM-3,mitigates,2 +1652,,T1176,Browser Extensions,[],[],,CM-3,mitigates,2 +1653,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-3,mitigates,2 +1654,,T1213,Data from Information Repositories,[],[],,CM-3,mitigates,2 +1655,,T1213.001,Confluence,[],[],,CM-3,mitigates,2 +1656,,T1213.002,Sharepoint,[],[],,CM-3,mitigates,2 +1657,,T1495,Firmware Corruption,[],[],,CM-3,mitigates,2 +1658,,T1542,Pre-OS Boot,[],[],,CM-3,mitigates,2 +1659,,T1542.001,System Firmware,[],[],,CM-3,mitigates,2 +1660,,T1542.003,Bootkit,[],[],,CM-3,mitigates,2 +1661,,T1542.004,ROMMONkit,[],[],,CM-3,mitigates,2 +1662,,T1542.005,TFTP Boot,[],[],,CM-3,mitigates,2 +1663,,T1543,Create or Modify System Process,[],[],,CM-3,mitigates,2 +1664,,T1543.002,Systemd Service,[],[],,CM-3,mitigates,2 +1665,,T1547.007,Re-opened Applications,[],[],,CM-3,mitigates,2 +1666,,T1547.011,Plist Modification,[],[],,CM-3,mitigates,2 +1667,,T1547.013,XDG Autostart Entries,[],[],,CM-3,mitigates,2 +1668,,T1553,Subvert Trust Controls,[],[],,CM-3,mitigates,2 +1669,,T1553.006,Code Signing Policy Modification,[],[],,CM-3,mitigates,2 +1670,,T1601,Modify System Image,[],[],,CM-3,mitigates,2 +1671,,T1601.001,Patch System 
Image,[],[],,CM-3,mitigates,2 +1672,,T1601.002,Downgrade System Image,[],[],,CM-3,mitigates,2 +1673,,T1003,OS Credential Dumping,[],[],,CM-5,mitigates,2 +1674,,T1003.001,LSASS Memory,[],[],,CM-5,mitigates,2 +1675,,T1003.002,Security Account Manager,[],[],,CM-5,mitigates,2 +1676,,T1003.003,NTDS,[],[],,CM-5,mitigates,2 +1677,,T1003.004,LSA Secrets,[],[],,CM-5,mitigates,2 +1678,,T1003.005,Cached Domain Credentials,[],[],,CM-5,mitigates,2 +1679,,T1003.006,DCSync,[],[],,CM-5,mitigates,2 +1680,,T1003.007,Proc Filesystem,[],[],,CM-5,mitigates,2 +1681,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-5,mitigates,2 +1682,,T1021,Remote Services,[],[],,CM-5,mitigates,2 +1683,,T1021.001,Remote Desktop Protocol,[],[],,CM-5,mitigates,2 +1684,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-5,mitigates,2 +1685,,T1021.003,Distributed Component Object Model,[],[],,CM-5,mitigates,2 +1686,,T1021.004,SSH,[],[],,CM-5,mitigates,2 +1687,,T1021.005,VNC,[],[],,CM-5,mitigates,2 +1688,,T1021.006,Windows Remote Management,[],[],,CM-5,mitigates,2 +1689,,T1047,Windows Management Instrumentation,[],[],,CM-5,mitigates,2 +1690,,T1053,Scheduled Task/Job,[],[],,CM-5,mitigates,2 +1691,,T1053.001,At (Linux),[],[],,CM-5,mitigates,2 +1692,,T1053.002,At (Windows),[],[],,CM-5,mitigates,2 +1693,,T1053.003,Cron,[],[],,CM-5,mitigates,2 +1694,,T1053.004,Launchd,[],[],,CM-5,mitigates,2 +1695,,T1053.005,Scheduled Task,[],[],,CM-5,mitigates,2 +1696,,T1053.006,Systemd Timers,[],[],,CM-5,mitigates,2 +1697,,T1053.007,Container Orchestration Job,[],[],,CM-5,mitigates,2 +1698,,T1055,Process Injection,[],[],,CM-5,mitigates,2 +1699,,T1055.008,Ptrace System Calls,[],[],,CM-5,mitigates,2 +1700,,T1056.003,Web Portal Capture,[],[],,CM-5,mitigates,2 +1701,,T1059,Command and Scripting Interpreter,[],[],,CM-5,mitigates,2 +1702,,T1059.001,PowerShell,[],[],,CM-5,mitigates,2 +1703,,T1059.006,Python,[],[],,CM-5,mitigates,2 +1704,,T1059.008,Network Device CLI,[],[],,CM-5,mitigates,2 +1705,,T1072,Software Deployment 
Tools,[],[],,CM-5,mitigates,2 +1706,,T1078,Valid Accounts,[],[],,CM-5,mitigates,2 +1707,,T1078.002,Domain Accounts,[],[],,CM-5,mitigates,2 +1708,,T1078.003,Local Accounts,[],[],,CM-5,mitigates,2 +1709,,T1078.004,Cloud Accounts,[],[],,CM-5,mitigates,2 +1710,,T1098,Account Manipulation,[],[],,CM-5,mitigates,2 +1711,,T1098.001,Additional Cloud Credentials,[],[],,CM-5,mitigates,2 +1712,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-5,mitigates,2 +1713,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-5,mitigates,2 +1714,,T1134,Access Token Manipulation,[],[],,CM-5,mitigates,2 +1715,,T1134.001,Token Impersonation/Theft,[],[],,CM-5,mitigates,2 +1716,,T1134.002,Create Process with Token,[],[],,CM-5,mitigates,2 +1717,,T1134.003,Make and Impersonate Token,[],[],,CM-5,mitigates,2 +1718,,T1136,Create Account,[],[],,CM-5,mitigates,2 +1719,,T1136.001,Local Account,[],[],,CM-5,mitigates,2 +1720,,T1136.002,Domain Account,[],[],,CM-5,mitigates,2 +1721,,T1136.003,Cloud Account,[],[],,CM-5,mitigates,2 +1722,,T1137.002,Office Test,[],[],,CM-5,mitigates,2 +1723,,T1176,Browser Extensions,[],[],,CM-5,mitigates,2 +1724,,T1185,Man in the Browser,[],[],,CM-5,mitigates,2 +1725,,T1190,Exploit Public-Facing Application,[],[],,CM-5,mitigates,2 +1726,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-5,mitigates,2 +1727,,T1197,BITS Jobs,[],[],,CM-5,mitigates,2 +1728,,T1210,Exploitation of Remote Services,[],[],,CM-5,mitigates,2 +1729,,T1213,Data from Information Repositories,[],[],,CM-5,mitigates,2 +1730,,T1213.001,Confluence,[],[],,CM-5,mitigates,2 +1731,,T1213.002,Sharepoint,[],[],,CM-5,mitigates,2 +1732,,T1218,Signed Binary Proxy Execution,[],[],,CM-5,mitigates,2 +1733,,T1218.007,Msiexec,[],[],,CM-5,mitigates,2 +1734,,T1222,File and Directory Permissions Modification,[],[],,CM-5,mitigates,2 +1735,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-5,mitigates,2 +1736,,T1222.002,Linux and Mac File and Directory Permissions 
Modification,[],[],,CM-5,mitigates,2 +1737,,T1484,Domain Policy Modification,[],[],,CM-5,mitigates,2 +1738,,T1489,Service Stop,[],[],,CM-5,mitigates,2 +1739,,T1495,Firmware Corruption,[],[],,CM-5,mitigates,2 +1740,,T1505,Server Software Component,[],[],,CM-5,mitigates,2 +1741,,T1505.001,SQL Stored Procedures,[],[],,CM-5,mitigates,2 +1742,,T1505.002,Transport Agent,[],[],,CM-5,mitigates,2 +1743,,T1525,Implant Internal Image,[],[],,CM-5,mitigates,2 +1744,,T1528,Steal Application Access Token,[],[],,CM-5,mitigates,2 +1745,,T1530,Data from Cloud Storage Object,[],[],,CM-5,mitigates,2 +1746,,T1537,Transfer Data to Cloud Account,[],[],,CM-5,mitigates,2 +1747,,T1542,Pre-OS Boot,[],[],,CM-5,mitigates,2 +1748,,T1542.001,System Firmware,[],[],,CM-5,mitigates,2 +1749,,T1542.003,Bootkit,[],[],,CM-5,mitigates,2 +1750,,T1542.004,ROMMONkit,[],[],,CM-5,mitigates,2 +1751,,T1542.005,TFTP Boot,[],[],,CM-5,mitigates,2 +1752,,T1543,Create or Modify System Process,[],[],,CM-5,mitigates,2 +1753,,T1543.001,Launch Agent,[],[],,CM-5,mitigates,2 +1754,,T1543.002,Systemd Service,[],[],,CM-5,mitigates,2 +1755,,T1543.003,Windows Service,[],[],,CM-5,mitigates,2 +1756,,T1543.004,Launch Daemon,[],[],,CM-5,mitigates,2 +1757,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-5,mitigates,2 +1758,,T1547.003,Time Providers,[],[],,CM-5,mitigates,2 +1759,,T1547.004,Winlogon Helper DLL,[],[],,CM-5,mitigates,2 +1760,,T1547.006,Kernel Modules and Extensions,[],[],,CM-5,mitigates,2 +1761,,T1547.007,Re-opened Applications,[],[],,CM-5,mitigates,2 +1762,,T1547.009,Shortcut Modification,[],[],,CM-5,mitigates,2 +1763,,T1547.011,Plist Modification,[],[],,CM-5,mitigates,2 +1764,,T1547.012,Print Processors,[],[],,CM-5,mitigates,2 +1765,,T1547.013,XDG Autostart Entries,[],[],,CM-5,mitigates,2 +1766,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-5,mitigates,2 +1767,,T1548.002,Bypass User Account Control,[],[],,CM-5,mitigates,2 +1768,,T1548.003,Sudo and Sudo Caching,[],[],,CM-5,mitigates,2 
+1769,,T1550,Use Alternate Authentication Material,[],[],,CM-5,mitigates,2 +1770,,T1550.002,Pass the Hash,[],[],,CM-5,mitigates,2 +1771,,T1550.003,Pass the Ticket,[],[],,CM-5,mitigates,2 +1772,,T1552,Unsecured Credentials,[],[],,CM-5,mitigates,2 +1773,,T1552.002,Credentials in Registry,[],[],,CM-5,mitigates,2 +1774,,T1552.007,Container API,[],[],,CM-5,mitigates,2 +1775,,T1553,Subvert Trust Controls,[],[],,CM-5,mitigates,2 +1776,,T1553.006,Code Signing Policy Modification,[],[],,CM-5,mitigates,2 +1777,,T1556,Modify Authentication Process,[],[],,CM-5,mitigates,2 +1778,,T1556.001,Domain Controller Authentication,[],[],,CM-5,mitigates,2 +1779,,T1556.003,Pluggable Authentication Modules,[],[],,CM-5,mitigates,2 +1780,,T1556.004,Network Device Authentication,[],[],,CM-5,mitigates,2 +1781,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-5,mitigates,2 +1782,,T1558.001,Golden Ticket,[],[],,CM-5,mitigates,2 +1783,,T1558.002,Silver Ticket,[],[],,CM-5,mitigates,2 +1784,,T1558.003,Kerberoasting,[],[],,CM-5,mitigates,2 +1785,,T1559,Inter-Process Communication,[],[],,CM-5,mitigates,2 +1786,,T1559.001,Component Object Model,[],[],,CM-5,mitigates,2 +1787,,T1562,Impair Defenses,[],[],,CM-5,mitigates,2 +1788,,T1562.001,Disable or Modify Tools,[],[],,CM-5,mitigates,2 +1789,,T1562.002,Disable Windows Event Logging,[],[],,CM-5,mitigates,2 +1790,,T1562.004,Disable or Modify System Firewall,[],[],,CM-5,mitigates,2 +1791,,T1562.006,Indicator Blocking,[],[],,CM-5,mitigates,2 +1792,,T1562.007,Disable or Modify Cloud Firewall,[],[],,CM-5,mitigates,2 +1793,,T1562.008,Disable Cloud Logs,[],[],,CM-5,mitigates,2 +1794,,T1563,Remote Service Session Hijacking,[],[],,CM-5,mitigates,2 +1795,,T1563.001,SSH Hijacking,[],[],,CM-5,mitigates,2 +1796,,T1563.002,RDP Hijacking,[],[],,CM-5,mitigates,2 +1797,,T1569,System Services,[],[],,CM-5,mitigates,2 +1798,,T1569.001,Launchctl,[],[],,CM-5,mitigates,2 +1799,,T1569.002,Service Execution,[],[],,CM-5,mitigates,2 +1800,,T1574,Hijack Execution 
Flow,[],[],,CM-5,mitigates,2 +1801,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-5,mitigates,2 +1802,,T1574.010,Services File Permissions Weakness,[],[],,CM-5,mitigates,2 +1803,,T1574.011,Services Registry Permissions Weakness,[],[],,CM-5,mitigates,2 +1804,,T1574.012,COR_PROFILER,[],[],,CM-5,mitigates,2 +1805,,T1578,Modify Cloud Compute Infrastructure,[],[],,CM-5,mitigates,2 +1806,,T1578.001,Create Snapshot,[],[],,CM-5,mitigates,2 +1807,,T1578.002,Create Cloud Instance,[],[],,CM-5,mitigates,2 +1808,,T1578.003,Delete Cloud Instance,[],[],,CM-5,mitigates,2 +1809,,T1599,Network Boundary Bridging,[],[],,CM-5,mitigates,2 +1810,,T1599.001,Network Address Translation Traversal,[],[],,CM-5,mitigates,2 +1811,,T1601,Modify System Image,[],[],,CM-5,mitigates,2 +1812,,T1601.001,Patch System Image,[],[],,CM-5,mitigates,2 +1813,,T1601.002,Downgrade System Image,[],[],,CM-5,mitigates,2 +1814,,T1611,Escape to Host,[],[],,CM-5,mitigates,2 +1815,,T1001,Data Obfuscation,[],[],,CM-6,mitigates,2 +1816,,T1001.001,Junk Data,[],[],,CM-6,mitigates,2 +1817,,T1001.002,Steganography,[],[],,CM-6,mitigates,2 +1818,,T1001.003,Protocol Impersonation,[],[],,CM-6,mitigates,2 +1819,,T1003,OS Credential Dumping,[],[],,CM-6,mitigates,2 +1820,,T1003.001,LSASS Memory,[],[],,CM-6,mitigates,2 +1821,,T1003.002,Security Account Manager,[],[],,CM-6,mitigates,2 +1822,,T1003.003,NTDS,[],[],,CM-6,mitigates,2 +1823,,T1003.004,LSA Secrets,[],[],,CM-6,mitigates,2 +1824,,T1003.005,Cached Domain Credentials,[],[],,CM-6,mitigates,2 +1825,,T1003.006,DCSync,[],[],,CM-6,mitigates,2 +1826,,T1003.007,Proc Filesystem,[],[],,CM-6,mitigates,2 +1827,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-6,mitigates,2 +1828,,T1008,Fallback Channels,[],[],,CM-6,mitigates,2 +1829,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-6,mitigates,2 +1830,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-6,mitigates,2 +1831,,T1020.001,Traffic Duplication,[],[],,CM-6,mitigates,2 +1832,,T1021,Remote 
Services,[],[],,CM-6,mitigates,2 +1833,,T1021.001,Remote Desktop Protocol,[],[],,CM-6,mitigates,2 +1834,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-6,mitigates,2 +1835,,T1021.003,Distributed Component Object Model,[],[],,CM-6,mitigates,2 +1836,,T1021.004,SSH,[],[],,CM-6,mitigates,2 +1837,,T1021.005,VNC,[],[],,CM-6,mitigates,2 +1838,,T1021.006,Windows Remote Management,[],[],,CM-6,mitigates,2 +1839,,T1029,Scheduled Transfer,[],[],,CM-6,mitigates,2 +1840,,T1030,Data Transfer Size Limits,[],[],,CM-6,mitigates,2 +1841,,T1036,Masquerading,[],[],,CM-6,mitigates,2 +1842,,T1036.001,Invalid Code Signature,[],[],,CM-6,mitigates,2 +1843,,T1036.003,Rename System Utilities,[],[],,CM-6,mitigates,2 +1844,,T1036.005,Match Legitimate Name or Location,[],[],,CM-6,mitigates,2 +1845,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-6,mitigates,2 +1846,,T1037.002,Logon Script (Mac),[],[],,CM-6,mitigates,2 +1847,,T1037.003,Network Logon Script,[],[],,CM-6,mitigates,2 +1848,,T1037.004,RC Scripts,[],[],,CM-6,mitigates,2 +1849,,T1037.005,Startup Items,[],[],,CM-6,mitigates,2 +1850,,T1046,Network Service Scanning,[],[],,CM-6,mitigates,2 +1851,,T1047,Windows Management Instrumentation,[],[],,CM-6,mitigates,2 +1852,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-6,mitigates,2 +1853,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,2 +1854,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,2 +1855,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-6,mitigates,2 +1856,,T1052,Exfiltration Over Physical Medium,[],[],,CM-6,mitigates,2 +1857,,T1052.001,Exfiltration over USB,[],[],,CM-6,mitigates,2 +1858,,T1053,Scheduled Task/Job,[],[],,CM-6,mitigates,2 +1859,,T1053.002,At (Windows),[],[],,CM-6,mitigates,2 +1860,,T1053.005,Scheduled Task,[],[],,CM-6,mitigates,2 +1861,,T1053.006,Systemd Timers,[],[],,CM-6,mitigates,2 +1862,,T1053.007,Container Orchestration Job,[],[],,CM-6,mitigates,2 
+1863,,T1055,Process Injection,[],[],,CM-6,mitigates,2 +1864,,T1055.008,Ptrace System Calls,[],[],,CM-6,mitigates,2 +1865,,T1056.003,Web Portal Capture,[],[],,CM-6,mitigates,2 +1866,,T1059,Command and Scripting Interpreter,[],[],,CM-6,mitigates,2 +1867,,T1059.001,PowerShell,[],[],,CM-6,mitigates,2 +1868,,T1059.002,AppleScript,[],[],,CM-6,mitigates,2 +1869,,T1059.005,Visual Basic,[],[],,CM-6,mitigates,2 +1870,,T1059.007,JavaScript,[],[],,CM-6,mitigates,2 +1871,,T1059.008,Network Device CLI,[],[],,CM-6,mitigates,2 +1872,,T1068,Exploitation for Privilege Escalation,[],[],,CM-6,mitigates,2 +1873,,T1070,Indicator Removal on Host,[],[],,CM-6,mitigates,2 +1874,,T1070.001,Clear Windows Event Logs,[],[],,CM-6,mitigates,2 +1875,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-6,mitigates,2 +1876,,T1070.003,Clear Command History,[],[],,CM-6,mitigates,2 +1877,,T1071,Application Layer Protocol,[],[],,CM-6,mitigates,2 +1878,,T1071.001,Web Protocols,[],[],,CM-6,mitigates,2 +1879,,T1071.002,File Transfer Protocols,[],[],,CM-6,mitigates,2 +1880,,T1071.003,Mail Protocols,[],[],,CM-6,mitigates,2 +1881,,T1071.004,DNS,[],[],,CM-6,mitigates,2 +1882,,T1072,Software Deployment Tools,[],[],,CM-6,mitigates,2 +1883,,T1078,Valid Accounts,[],[],,CM-6,mitigates,2 +1884,,T1078.002,Domain Accounts,[],[],,CM-6,mitigates,2 +1885,,T1078.003,Local Accounts,[],[],,CM-6,mitigates,2 +1886,,T1078.004,Cloud Accounts,[],[],,CM-6,mitigates,2 +1887,,T1087,Account Discovery,[],[],,CM-6,mitigates,2 +1888,,T1087.001,Local Account,[],[],,CM-6,mitigates,2 +1889,,T1087.002,Domain Account,[],[],,CM-6,mitigates,2 +1890,,T1090,Proxy,[],[],,CM-6,mitigates,2 +1891,,T1090.001,Internal Proxy,[],[],,CM-6,mitigates,2 +1892,,T1090.002,External Proxy,[],[],,CM-6,mitigates,2 +1893,,T1090.003,Multi-hop Proxy,[],[],,CM-6,mitigates,2 +1894,,T1091,Replication Through Removable Media,[],[],,CM-6,mitigates,2 +1895,,T1092,Communication Through Removable Media,[],[],,CM-6,mitigates,2 +1896,,T1095,Non-Application Layer 
Protocol,[],[],,CM-6,mitigates,2 +1897,,T1098,Account Manipulation,[],[],,CM-6,mitigates,2 +1898,,T1098.001,Additional Cloud Credentials,[],[],,CM-6,mitigates,2 +1899,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-6,mitigates,2 +1900,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-6,mitigates,2 +1901,,T1098.004,SSH Authorized Keys,[],[],,CM-6,mitigates,2 +1902,,T1102,Web Service,[],[],,CM-6,mitigates,2 +1903,,T1102.001,Dead Drop Resolver,[],[],,CM-6,mitigates,2 +1904,,T1102.002,Bidirectional Communication,[],[],,CM-6,mitigates,2 +1905,,T1102.003,One-Way Communication,[],[],,CM-6,mitigates,2 +1906,,T1104,Multi-Stage Channels,[],[],,CM-6,mitigates,2 +1907,,T1105,Ingress Tool Transfer,[],[],,CM-6,mitigates,2 +1908,,T1110,Brute Force,[],[],,CM-6,mitigates,2 +1909,,T1110.001,Password Guessing,[],[],,CM-6,mitigates,2 +1910,,T1110.002,Password Cracking,[],[],,CM-6,mitigates,2 +1911,,T1110.003,Password Spraying,[],[],,CM-6,mitigates,2 +1912,,T1110.004,Credential Stuffing,[],[],,CM-6,mitigates,2 +1913,,T1111,Two-Factor Authentication Interception,[],[],,CM-6,mitigates,2 +1914,,T1114,Email Collection,[],[],,CM-6,mitigates,2 +1915,,T1114.002,Remote Email Collection,[],[],,CM-6,mitigates,2 +1916,,T1119,Automated Collection,[],[],,CM-6,mitigates,2 +1917,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-6,mitigates,2 +1918,,T1127.001,MSBuild,[],[],,CM-6,mitigates,2 +1919,,T1132,Data Encoding,[],[],,CM-6,mitigates,2 +1920,,T1132.001,Standard Encoding,[],[],,CM-6,mitigates,2 +1921,,T1132.002,Non-Standard Encoding,[],[],,CM-6,mitigates,2 +1922,,T1133,External Remote Services,[],[],,CM-6,mitigates,2 +1923,,T1134,Access Token Manipulation,[],[],,CM-6,mitigates,2 +1924,,T1134.001,Token Impersonation/Theft,[],[],,CM-6,mitigates,2 +1925,,T1134.002,Create Process with Token,[],[],,CM-6,mitigates,2 +1926,,T1134.003,Make and Impersonate Token,[],[],,CM-6,mitigates,2 +1927,,T1134.005,SID-History Injection,[],[],,CM-6,mitigates,2 +1928,,T1135,Network Share 
Discovery,[],[],,CM-6,mitigates,2 +1929,,T1136,Create Account,[],[],,CM-6,mitigates,2 +1930,,T1136.001,Local Account,[],[],,CM-6,mitigates,2 +1931,,T1136.002,Domain Account,[],[],,CM-6,mitigates,2 +1932,,T1136.003,Cloud Account,[],[],,CM-6,mitigates,2 +1933,,T1137,Office Application Startup,[],[],,CM-6,mitigates,2 +1934,,T1137.001,Office Template Macros,[],[],,CM-6,mitigates,2 +1935,,T1176,Browser Extensions,[],[],,CM-6,mitigates,2 +1936,,T1187,Forced Authentication,[],[],,CM-6,mitigates,2 +1937,,T1189,Drive-by Compromise,[],[],,CM-6,mitigates,2 +1938,,T1190,Exploit Public-Facing Application,[],[],,CM-6,mitigates,2 +1939,,T1197,BITS Jobs,[],[],,CM-6,mitigates,2 +1940,,T1199,Trusted Relationship,[],[],,CM-6,mitigates,2 +1941,,T1201,Password Policy Discovery,[],[],,CM-6,mitigates,2 +1942,,T1204,User Execution,[],[],,CM-6,mitigates,2 +1943,,T1204.001,Malicious Link,[],[],,CM-6,mitigates,2 +1944,,T1204.002,Malicious File,[],[],,CM-6,mitigates,2 +1945,,T1204.003,Malicious Image,[],[],,CM-6,mitigates,2 +1946,,T1205,Traffic Signaling,[],[],,CM-6,mitigates,2 +1947,,T1205.001,Port Knocking,[],[],,CM-6,mitigates,2 +1948,,T1210,Exploitation of Remote Services,[],[],,CM-6,mitigates,2 +1949,,T1211,Exploitation for Defense Evasion,[],[],,CM-6,mitigates,2 +1950,,T1212,Exploitation for Credential Access,[],[],,CM-6,mitigates,2 +1951,,T1213,Data from Information Repositories,[],[],,CM-6,mitigates,2 +1952,,T1213.001,Confluence,[],[],,CM-6,mitigates,2 +1953,,T1213.002,Sharepoint,[],[],,CM-6,mitigates,2 +1954,,T1216,Signed Script Proxy Execution,[],[],,CM-6,mitigates,2 +1955,,T1216.001,PubPrn,[],[],,CM-6,mitigates,2 +1956,,T1218,Signed Binary Proxy Execution,[],[],,CM-6,mitigates,2 +1957,,T1218.001,Compiled HTML File,[],[],,CM-6,mitigates,2 +1958,,T1218.002,Control Panel,[],[],,CM-6,mitigates,2 +1959,,T1218.003,CMSTP,[],[],,CM-6,mitigates,2 +1960,,T1218.004,InstallUtil,[],[],,CM-6,mitigates,2 +1961,,T1218.005,Mshta,[],[],,CM-6,mitigates,2 
+1962,,T1218.007,Msiexec,[],[],,CM-6,mitigates,2 +1963,,T1218.008,Odbcconf,[],[],,CM-6,mitigates,2 +1964,,T1218.009,Regsvcs/Regasm,[],[],,CM-6,mitigates,2 +1965,,T1218.012,Verclsid,[],[],,CM-6,mitigates,2 +1966,,T1219,Remote Access Software,[],[],,CM-6,mitigates,2 +1967,,T1220,XSL Script Processing,[],[],,CM-6,mitigates,2 +1968,,T1221,Template Injection,[],[],,CM-6,mitigates,2 +1969,,T1222,File and Directory Permissions Modification,[],[],,CM-6,mitigates,2 +1970,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-6,mitigates,2 +1971,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-6,mitigates,2 +1972,,T1482,Domain Trust Discovery,[],[],,CM-6,mitigates,2 +1973,,T1484,Domain Policy Modification,[],[],,CM-6,mitigates,2 +1974,,T1489,Service Stop,[],[],,CM-6,mitigates,2 +1975,,T1490,Inhibit System Recovery,[],[],,CM-6,mitigates,2 +1976,,T1495,Firmware Corruption,[],[],,CM-6,mitigates,2 +1977,,T1498,Network Denial of Service,[],[],,CM-6,mitigates,2 +1978,,T1498.001,Direct Network Flood,[],[],,CM-6,mitigates,2 +1979,,T1498.002,Reflection Amplification,[],[],,CM-6,mitigates,2 +1980,,T1499,Endpoint Denial of Service,[],[],,CM-6,mitigates,2 +1981,,T1499.001,OS Exhaustion Flood,[],[],,CM-6,mitigates,2 +1982,,T1499.002,Service Exhaustion Flood,[],[],,CM-6,mitigates,2 +1983,,T1499.003,Application Exhaustion Flood,[],[],,CM-6,mitigates,2 +1984,,T1499.004,Application or System Exploitation,[],[],,CM-6,mitigates,2 +1985,,T1505,Server Software Component,[],[],,CM-6,mitigates,2 +1986,,T1505.001,SQL Stored Procedures,[],[],,CM-6,mitigates,2 +1987,,T1505.002,Transport Agent,[],[],,CM-6,mitigates,2 +1988,,T1525,Implant Internal Image,[],[],,CM-6,mitigates,2 +1989,,T1528,Steal Application Access Token,[],[],,CM-6,mitigates,2 +1990,,T1530,Data from Cloud Storage Object,[],[],,CM-6,mitigates,2 +1991,,T1537,Transfer Data to Cloud Account,[],[],,CM-6,mitigates,2 +1992,,T1539,Steal Web Session Cookie,[],[],,CM-6,mitigates,2 
+1993,,T1542,Pre-OS Boot,[],[],,CM-6,mitigates,2 +1994,,T1542.001,System Firmware,[],[],,CM-6,mitigates,2 +1995,,T1542.003,Bootkit,[],[],,CM-6,mitigates,2 +1996,,T1542.004,ROMMONkit,[],[],,CM-6,mitigates,2 +1997,,T1542.005,TFTP Boot,[],[],,CM-6,mitigates,2 +1998,,T1543,Create or Modify System Process,[],[],,CM-6,mitigates,2 +1999,,T1543.002,Systemd Service,[],[],,CM-6,mitigates,2 +2000,,T1543.003,Windows Service,[],[],,CM-6,mitigates,2 +2001,,T1546,Event Triggered Execution,[],[],,CM-6,mitigates,2 +2002,,T1546.002,Screensaver,[],[],,CM-6,mitigates,2 +2003,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-6,mitigates,2 +2004,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-6,mitigates,2 +2005,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-6,mitigates,2 +2006,,T1546.008,Accessibility Features,[],[],,CM-6,mitigates,2 +2007,,T1546.013,PowerShell Profile,[],[],,CM-6,mitigates,2 +2008,,T1546.014,Emond,[],[],,CM-6,mitigates,2 +2009,,T1547.002,Authentication Package,[],[],,CM-6,mitigates,2 +2010,,T1547.003,Time Providers,[],[],,CM-6,mitigates,2 +2011,,T1547.005,Security Support Provider,[],[],,CM-6,mitigates,2 +2012,,T1547.006,Kernel Modules and Extensions,[],[],,CM-6,mitigates,2 +2013,,T1547.007,Re-opened Applications,[],[],,CM-6,mitigates,2 +2014,,T1547.008,LSASS Driver,[],[],,CM-6,mitigates,2 +2015,,T1547.011,Plist Modification,[],[],,CM-6,mitigates,2 +2016,,T1547.013,XDG Autostart Entries,[],[],,CM-6,mitigates,2 +2017,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-6,mitigates,2 +2018,,T1548.001,Setuid and Setgid,[],[],,CM-6,mitigates,2 +2019,,T1548.002,Bypass User Account Control,[],[],,CM-6,mitigates,2 +2020,,T1548.003,Sudo and Sudo Caching,[],[],,CM-6,mitigates,2 +2021,,T1548.004,Elevated Execution with Prompt,[],[],,CM-6,mitigates,2 +2022,,T1550,Use Alternate Authentication Material,[],[],,CM-6,mitigates,2 +2023,,T1550.001,Application Access Token,[],[],,CM-6,mitigates,2 +2024,,T1550.002,Pass the Hash,[],[],,CM-6,mitigates,2 
+2025,,T1550.003,Pass the Ticket,[],[],,CM-6,mitigates,2 +2026,,T1552,Unsecured Credentials,[],[],,CM-6,mitigates,2 +2027,,T1552.001,Credentials In Files,[],[],,CM-6,mitigates,2 +2028,,T1552.002,Credentials in Registry,[],[],,CM-6,mitigates,2 +2029,,T1552.003,Bash History,[],[],,CM-6,mitigates,2 +2030,,T1552.004,Private Keys,[],[],,CM-6,mitigates,2 +2031,,T1552.005,Cloud Instance Metadata API,[],[],,CM-6,mitigates,2 +2032,,T1552.006,Group Policy Preferences,[],[],,CM-6,mitigates,2 +2033,,T1552.007,Container API,[],[],,CM-6,mitigates,2 +2034,,T1553,Subvert Trust Controls,[],[],,CM-6,mitigates,2 +2035,,T1553.001,Gatekeeper Bypass,[],[],,CM-6,mitigates,2 +2036,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-6,mitigates,2 +2037,,T1553.004,Install Root Certificate,[],[],,CM-6,mitigates,2 +2038,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-6,mitigates,2 +2039,,T1553.006,Code Signing Policy Modification,[],[],,CM-6,mitigates,2 +2040,,T1554,Compromise Client Software Binary,[],[],,CM-6,mitigates,2 +2041,,T1555.004,Windows Credential Manager,[],[],,CM-6,mitigates,2 +2042,,T1555.005,Password Managers,[],[],,CM-6,mitigates,2 +2043,,T1556,Modify Authentication Process,[],[],,CM-6,mitigates,2 +2044,,T1556.001,Domain Controller Authentication,[],[],,CM-6,mitigates,2 +2045,,T1556.002,Password Filter DLL,[],[],,CM-6,mitigates,2 +2046,,T1556.003,Pluggable Authentication Modules,[],[],,CM-6,mitigates,2 +2047,,T1556.004,Network Device Authentication,[],[],,CM-6,mitigates,2 +2048,,T1557,Man-in-the-Middle,[],[],,CM-6,mitigates,2 +2049,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-6,mitigates,2 +2050,,T1557.002,ARP Cache Poisoning,[],[],,CM-6,mitigates,2 +2051,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-6,mitigates,2 +2052,,T1558.001,Golden Ticket,[],[],,CM-6,mitigates,2 +2053,,T1558.002,Silver Ticket,[],[],,CM-6,mitigates,2 +2054,,T1558.003,Kerberoasting,[],[],,CM-6,mitigates,2 +2055,,T1558.004,AS-REP Roasting,[],[],,CM-6,mitigates,2 +2056,,T1559,Inter-Process 
Communication,[],[],,CM-6,mitigates,2 +2057,,T1559.001,Component Object Model,[],[],,CM-6,mitigates,2 +2058,,T1559.002,Dynamic Data Exchange,[],[],,CM-6,mitigates,2 +2059,,T1562,Impair Defenses,[],[],,CM-6,mitigates,2 +2060,,T1562.001,Disable or Modify Tools,[],[],,CM-6,mitigates,2 +2061,,T1562.002,Disable Windows Event Logging,[],[],,CM-6,mitigates,2 +2062,,T1562.003,Impair Command History Logging,[],[],,CM-6,mitigates,2 +2063,,T1562.004,Disable or Modify System Firewall,[],[],,CM-6,mitigates,2 +2064,,T1562.006,Indicator Blocking,[],[],,CM-6,mitigates,2 +2065,,T1563,Remote Service Session Hijacking,[],[],,CM-6,mitigates,2 +2066,,T1563.001,SSH Hijacking,[],[],,CM-6,mitigates,2 +2067,,T1563.002,RDP Hijacking,[],[],,CM-6,mitigates,2 +2068,,T1564.002,Hidden Users,[],[],,CM-6,mitigates,2 +2069,,T1564.006,Run Virtual Instance,[],[],,CM-6,mitigates,2 +2070,,T1564.007,VBA Stomping,[],[],,CM-6,mitigates,2 +2071,,T1565,Data Manipulation,[],[],,CM-6,mitigates,2 +2072,,T1565.001,Stored Data Manipulation,[],[],,CM-6,mitigates,2 +2073,,T1565.002,Transmitted Data Manipulation,[],[],,CM-6,mitigates,2 +2074,,T1565.003,Runtime Data Manipulation,[],[],,CM-6,mitigates,2 +2075,,T1566,Phishing,[],[],,CM-6,mitigates,2 +2076,,T1566.001,Spearphishing Attachment,[],[],,CM-6,mitigates,2 +2077,,T1566.002,Spearphishing Link,[],[],,CM-6,mitigates,2 +2078,,T1569,System Services,[],[],,CM-6,mitigates,2 +2079,,T1569.002,Service Execution,[],[],,CM-6,mitigates,2 +2080,,T1570,Lateral Tool Transfer,[],[],,CM-6,mitigates,2 +2081,,T1571,Non-Standard Port,[],[],,CM-6,mitigates,2 +2082,,T1572,Protocol Tunneling,[],[],,CM-6,mitigates,2 +2083,,T1573,Encrypted Channel,[],[],,CM-6,mitigates,2 +2084,,T1573.001,Symmetric Cryptography,[],[],,CM-6,mitigates,2 +2085,,T1573.002,Asymmetric Cryptography,[],[],,CM-6,mitigates,2 +2086,,T1574,Hijack Execution Flow,[],[],,CM-6,mitigates,2 +2087,,T1574.001,DLL Search Order Hijacking,[],[],,CM-6,mitigates,2 +2088,,T1574.004,Dylib Hijacking,[],[],,CM-6,mitigates,2 
+2089,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-6,mitigates,2 +2090,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-6,mitigates,2 +2091,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-6,mitigates,2 +2092,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-6,mitigates,2 +2093,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-6,mitigates,2 +2094,,T1574.010,Services File Permissions Weakness,[],[],,CM-6,mitigates,2 +2095,,T1598,Phishing for Information,[],[],,CM-6,mitigates,2 +2096,,T1598.002,Spearphishing Attachment,[],[],,CM-6,mitigates,2 +2097,,T1598.003,Spearphishing Link,[],[],,CM-6,mitigates,2 +2098,,T1599,Network Boundary Bridging,[],[],,CM-6,mitigates,2 +2099,,T1599.001,Network Address Translation Traversal,[],[],,CM-6,mitigates,2 +2100,,T1601,Modify System Image,[],[],,CM-6,mitigates,2 +2101,,T1601.001,Patch System Image,[],[],,CM-6,mitigates,2 +2102,,T1601.002,Downgrade System Image,[],[],,CM-6,mitigates,2 +2103,,T1602,Data from Configuration Repository,[],[],,CM-6,mitigates,2 +2104,,T1602.001,SNMP (MIB Dump),[],[],,CM-6,mitigates,2 +2105,,T1602.002,Network Device Configuration Dump,[],[],,CM-6,mitigates,2 +2106,,T1609,Container Administration Command,[],[],,CM-6,mitigates,2 +2107,,T1610,Deploy Container,[],[],,CM-6,mitigates,2 +2108,,T1611,Escape to Host,[],[],,CM-6,mitigates,2 +2109,,T1612,Build Image on Host,[],[],,CM-6,mitigates,2 +2110,,T1613,Container and Resource Discovery,[],[],,CM-6,mitigates,2 +2111,,T1003,OS Credential Dumping,[],[],,CM-7,mitigates,2 +2112,,T1003.001,LSASS Memory,[],[],,CM-7,mitigates,2 +2113,,T1003.002,Security Account Manager,[],[],,CM-7,mitigates,2 +2114,,T1003.005,Cached Domain Credentials,[],[],,CM-7,mitigates,2 +2115,,T1008,Fallback Channels,[],[],,CM-7,mitigates,2 +2116,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-7,mitigates,2 +2117,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-7,mitigates,2 +2118,,T1021.001,Remote Desktop 
Protocol,[],[],,CM-7,mitigates,2 +2119,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-7,mitigates,2 +2120,,T1021.003,Distributed Component Object Model,[],[],,CM-7,mitigates,2 +2121,,T1021.005,VNC,[],[],,CM-7,mitigates,2 +2122,,T1021.006,Windows Remote Management,[],[],,CM-7,mitigates,2 +2123,,T1036,Masquerading,[],[],,CM-7,mitigates,2 +2124,,T1036.005,Match Legitimate Name or Location,[],[],,CM-7,mitigates,2 +2125,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-7,mitigates,2 +2126,,T1037.001,Logon Script (Windows),[],[],,CM-7,mitigates,2 +2127,,T1046,Network Service Scanning,[],[],,CM-7,mitigates,2 +2128,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-7,mitigates,2 +2129,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,2 +2130,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,2 +2131,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-7,mitigates,2 +2132,,T1053,Scheduled Task/Job,[],[],,CM-7,mitigates,2 +2133,,T1053.002,At (Windows),[],[],,CM-7,mitigates,2 +2134,,T1053.005,Scheduled Task,[],[],,CM-7,mitigates,2 +2135,,T1059,Command and Scripting Interpreter,[],[],,CM-7,mitigates,2 +2136,,T1059.002,AppleScript,[],[],,CM-7,mitigates,2 +2137,,T1059.003,Windows Command Shell,[],[],,CM-7,mitigates,2 +2138,,T1059.004,Unix Shell,[],[],,CM-7,mitigates,2 +2139,,T1059.005,Visual Basic,[],[],,CM-7,mitigates,2 +2140,,T1059.006,Python,[],[],,CM-7,mitigates,2 +2141,,T1059.007,JavaScript,[],[],,CM-7,mitigates,2 +2142,,T1068,Exploitation for Privilege Escalation,[],[],,CM-7,mitigates,2 +2143,,T1071,Application Layer Protocol,[],[],,CM-7,mitigates,2 +2144,,T1071.001,Web Protocols,[],[],,CM-7,mitigates,2 +2145,,T1071.002,File Transfer Protocols,[],[],,CM-7,mitigates,2 +2146,,T1071.003,Mail Protocols,[],[],,CM-7,mitigates,2 +2147,,T1071.004,DNS,[],[],,CM-7,mitigates,2 +2148,,T1072,Software Deployment Tools,[],[],,CM-7,mitigates,2 +2149,,T1080,Taint Shared 
Content,[],[],,CM-7,mitigates,2 +2150,,T1087,Account Discovery,[],[],,CM-7,mitigates,2 +2151,,T1087.001,Local Account,[],[],,CM-7,mitigates,2 +2152,,T1087.002,Domain Account,[],[],,CM-7,mitigates,2 +2153,,T1090,Proxy,[],[],,CM-7,mitigates,2 +2154,,T1090.001,Internal Proxy,[],[],,CM-7,mitigates,2 +2155,,T1090.002,External Proxy,[],[],,CM-7,mitigates,2 +2156,,T1090.003,Multi-hop Proxy,[],[],,CM-7,mitigates,2 +2157,,T1092,Communication Through Removable Media,[],[],,CM-7,mitigates,2 +2158,,T1095,Non-Application Layer Protocol,[],[],,CM-7,mitigates,2 +2159,,T1098,Account Manipulation,[],[],,CM-7,mitigates,2 +2160,,T1098.001,Additional Cloud Credentials,[],[],,CM-7,mitigates,2 +2161,,T1098.004,SSH Authorized Keys,[],[],,CM-7,mitigates,2 +2162,,T1102,Web Service,[],[],,CM-7,mitigates,2 +2163,,T1102.001,Dead Drop Resolver,[],[],,CM-7,mitigates,2 +2164,,T1102.002,Bidirectional Communication,[],[],,CM-7,mitigates,2 +2165,,T1102.003,One-Way Communication,[],[],,CM-7,mitigates,2 +2166,,T1104,Multi-Stage Channels,[],[],,CM-7,mitigates,2 +2167,,T1105,Ingress Tool Transfer,[],[],,CM-7,mitigates,2 +2168,,T1106,Native API,[],[],,CM-7,mitigates,2 +2169,,T1112,Modify Registry,[],[],,CM-7,mitigates,2 +2170,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-7,mitigates,2 +2171,,T1129,Shared Modules,[],[],,CM-7,mitigates,2 +2172,,T1133,External Remote Services,[],[],,CM-7,mitigates,2 +2173,,T1135,Network Share Discovery,[],[],,CM-7,mitigates,2 +2174,,T1136,Create Account,[],[],,CM-7,mitigates,2 +2175,,T1136.002,Domain Account,[],[],,CM-7,mitigates,2 +2176,,T1136.003,Cloud Account,[],[],,CM-7,mitigates,2 +2177,,T1176,Browser Extensions,[],[],,CM-7,mitigates,2 +2178,,T1187,Forced Authentication,[],[],,CM-7,mitigates,2 +2179,,T1190,Exploit Public-Facing Application,[],[],,CM-7,mitigates,2 +2180,,T1195,Supply Chain Compromise,[],[],,CM-7,mitigates,2 +2181,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-7,mitigates,2 +2182,,T1195.002,Compromise Software 
Supply Chain,[],[],,CM-7,mitigates,2 +2183,,T1197,BITS Jobs,[],[],,CM-7,mitigates,2 +2184,,T1199,Trusted Relationship,[],[],,CM-7,mitigates,2 +2185,,T1204,User Execution,[],[],,CM-7,mitigates,2 +2186,,T1204.001,Malicious Link,[],[],,CM-7,mitigates,2 +2187,,T1204.002,Malicious File,[],[],,CM-7,mitigates,2 +2188,,T1204.003,Malicious Image,[],[],,CM-7,mitigates,2 +2189,,T1205,Traffic Signaling,[],[],,CM-7,mitigates,2 +2190,,T1205.001,Port Knocking,[],[],,CM-7,mitigates,2 +2191,,T1210,Exploitation of Remote Services,[],[],,CM-7,mitigates,2 +2192,,T1213,Data from Information Repositories,[],[],,CM-7,mitigates,2 +2193,,T1213.001,Confluence,[],[],,CM-7,mitigates,2 +2194,,T1213.002,Sharepoint,[],[],,CM-7,mitigates,2 +2195,,T1216,Signed Script Proxy Execution,[],[],,CM-7,mitigates,2 +2196,,T1216.001,PubPrn,[],[],,CM-7,mitigates,2 +2197,,T1218,Signed Binary Proxy Execution,[],[],,CM-7,mitigates,2 +2198,,T1218.001,Compiled HTML File,[],[],,CM-7,mitigates,2 +2199,,T1218.002,Control Panel,[],[],,CM-7,mitigates,2 +2200,,T1218.003,CMSTP,[],[],,CM-7,mitigates,2 +2201,,T1218.004,InstallUtil,[],[],,CM-7,mitigates,2 +2202,,T1218.005,Mshta,[],[],,CM-7,mitigates,2 +2203,,T1218.007,Msiexec,[],[],,CM-7,mitigates,2 +2204,,T1218.008,Odbcconf,[],[],,CM-7,mitigates,2 +2205,,T1218.009,Regsvcs/Regasm,[],[],,CM-7,mitigates,2 +2206,,T1218.012,Verclsid,[],[],,CM-7,mitigates,2 +2207,,T1219,Remote Access Software,[],[],,CM-7,mitigates,2 +2208,,T1220,XSL Script Processing,[],[],,CM-7,mitigates,2 +2209,,T1221,Template Injection,[],[],,CM-7,mitigates,2 +2210,,T1482,Domain Trust Discovery,[],[],,CM-7,mitigates,2 +2211,,T1484,Domain Policy Modification,[],[],,CM-7,mitigates,2 +2212,,T1489,Service Stop,[],[],,CM-7,mitigates,2 +2213,,T1490,Inhibit System Recovery,[],[],,CM-7,mitigates,2 +2214,,T1498,Network Denial of Service,[],[],,CM-7,mitigates,2 +2215,,T1498.001,Direct Network Flood,[],[],,CM-7,mitigates,2 +2216,,T1498.002,Reflection Amplification,[],[],,CM-7,mitigates,2 +2217,,T1499,Endpoint Denial of 
Service,[],[],,CM-7,mitigates,2 +2218,,T1499.001,OS Exhaustion Flood,[],[],,CM-7,mitigates,2 +2219,,T1499.002,Service Exhaustion Flood,[],[],,CM-7,mitigates,2 +2220,,T1499.003,Application Exhaustion Flood,[],[],,CM-7,mitigates,2 +2221,,T1499.004,Application or System Exploitation,[],[],,CM-7,mitigates,2 +2222,,T1525,Implant Internal Image,[],[],,CM-7,mitigates,2 +2223,,T1530,Data from Cloud Storage Object,[],[],,CM-7,mitigates,2 +2224,,T1537,Transfer Data to Cloud Account,[],[],,CM-7,mitigates,2 +2225,,T1542.004,ROMMONkit,[],[],,CM-7,mitigates,2 +2226,,T1542.005,TFTP Boot,[],[],,CM-7,mitigates,2 +2227,,T1543,Create or Modify System Process,[],[],,CM-7,mitigates,2 +2228,,T1543.003,Windows Service,[],[],,CM-7,mitigates,2 +2229,,T1546.002,Screensaver,[],[],,CM-7,mitigates,2 +2230,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-7,mitigates,2 +2231,,T1546.008,Accessibility Features,[],[],,CM-7,mitigates,2 +2232,,T1546.009,AppCert DLLs,[],[],,CM-7,mitigates,2 +2233,,T1547.004,Winlogon Helper DLL,[],[],,CM-7,mitigates,2 +2234,,T1547.006,Kernel Modules and Extensions,[],[],,CM-7,mitigates,2 +2235,,T1547.007,Re-opened Applications,[],[],,CM-7,mitigates,2 +2236,,T1547.011,Plist Modification,[],[],,CM-7,mitigates,2 +2237,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-7,mitigates,2 +2238,,T1548.001,Setuid and Setgid,[],[],,CM-7,mitigates,2 +2239,,T1548.003,Sudo and Sudo Caching,[],[],,CM-7,mitigates,2 +2240,,T1548.004,Elevated Execution with Prompt,[],[],,CM-7,mitigates,2 +2241,,T1552,Unsecured Credentials,[],[],,CM-7,mitigates,2 +2242,,T1552.003,Bash History,[],[],,CM-7,mitigates,2 +2243,,T1552.005,Cloud Instance Metadata API,[],[],,CM-7,mitigates,2 +2244,,T1552.007,Container API,[],[],,CM-7,mitigates,2 +2245,,T1553,Subvert Trust Controls,[],[],,CM-7,mitigates,2 +2246,,T1553.001,Gatekeeper Bypass,[],[],,CM-7,mitigates,2 +2247,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-7,mitigates,2 +2248,,T1553.004,Install Root Certificate,[],[],,CM-7,mitigates,2 
+2249,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-7,mitigates,2 +2250,,T1553.006,Code Signing Policy Modification,[],[],,CM-7,mitigates,2 +2251,,T1555.004,Windows Credential Manager,[],[],,CM-7,mitigates,2 +2252,,T1556,Modify Authentication Process,[],[],,CM-7,mitigates,2 +2253,,T1556.002,Password Filter DLL,[],[],,CM-7,mitigates,2 +2254,,T1557,Man-in-the-Middle,[],[],,CM-7,mitigates,2 +2255,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-7,mitigates,2 +2256,,T1557.002,ARP Cache Poisoning,[],[],,CM-7,mitigates,2 +2257,,T1559,Inter-Process Communication,[],[],,CM-7,mitigates,2 +2258,,T1559.002,Dynamic Data Exchange,[],[],,CM-7,mitigates,2 +2259,,T1562,Impair Defenses,[],[],,CM-7,mitigates,2 +2260,,T1562.001,Disable or Modify Tools,[],[],,CM-7,mitigates,2 +2261,,T1562.002,Disable Windows Event Logging,[],[],,CM-7,mitigates,2 +2262,,T1562.003,Impair Command History Logging,[],[],,CM-7,mitigates,2 +2263,,T1562.004,Disable or Modify System Firewall,[],[],,CM-7,mitigates,2 +2264,,T1563,Remote Service Session Hijacking,[],[],,CM-7,mitigates,2 +2265,,T1563.001,SSH Hijacking,[],[],,CM-7,mitigates,2 +2266,,T1563.002,RDP Hijacking,[],[],,CM-7,mitigates,2 +2267,,T1564.002,Hidden Users,[],[],,CM-7,mitigates,2 +2268,,T1564.003,Hidden Window,[],[],,CM-7,mitigates,2 +2269,,T1564.006,Run Virtual Instance,[],[],,CM-7,mitigates,2 +2270,,T1565,Data Manipulation,[],[],,CM-7,mitigates,2 +2271,,T1565.003,Runtime Data Manipulation,[],[],,CM-7,mitigates,2 +2272,,T1569,System Services,[],[],,CM-7,mitigates,2 +2273,,T1569.002,Service Execution,[],[],,CM-7,mitigates,2 +2274,,T1570,Lateral Tool Transfer,[],[],,CM-7,mitigates,2 +2275,,T1571,Non-Standard Port,[],[],,CM-7,mitigates,2 +2276,,T1572,Protocol Tunneling,[],[],,CM-7,mitigates,2 +2277,,T1573,Encrypted Channel,[],[],,CM-7,mitigates,2 +2278,,T1573.001,Symmetric Cryptography,[],[],,CM-7,mitigates,2 +2279,,T1573.002,Asymmetric Cryptography,[],[],,CM-7,mitigates,2 +2280,,T1574,Hijack Execution Flow,[],[],,CM-7,mitigates,2 
+2281,,T1574.001,DLL Search Order Hijacking,[],[],,CM-7,mitigates,2 +2282,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-7,mitigates,2 +2283,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-7,mitigates,2 +2284,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-7,mitigates,2 +2285,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-7,mitigates,2 +2286,,T1574.012,COR_PROFILER,[],[],,CM-7,mitigates,2 +2287,,T1599,Network Boundary Bridging,[],[],,CM-7,mitigates,2 +2288,,T1599.001,Network Address Translation Traversal,[],[],,CM-7,mitigates,2 +2289,,T1601,Modify System Image,[],[],,CM-7,mitigates,2 +2290,,T1601.001,Patch System Image,[],[],,CM-7,mitigates,2 +2291,,T1601.002,Downgrade System Image,[],[],,CM-7,mitigates,2 +2292,,T1602,Data from Configuration Repository,[],[],,CM-7,mitigates,2 +2293,,T1602.001,SNMP (MIB Dump),[],[],,CM-7,mitigates,2 +2294,,T1602.002,Network Device Configuration Dump,[],[],,CM-7,mitigates,2 +2295,,T1609,Container Administration Command,[],[],,CM-7,mitigates,2 +2296,,T1610,Deploy Container,[],[],,CM-7,mitigates,2 +2297,,T1611,Escape to Host,[],[],,CM-7,mitigates,2 +2298,,T1612,Build Image on Host,[],[],,CM-7,mitigates,2 +2299,,T1613,Container and Resource Discovery,[],[],,CM-7,mitigates,2 +2300,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-8,mitigates,2 +2301,,T1020.001,Traffic Duplication,[],[],,CM-8,mitigates,2 +2302,,T1021.001,Remote Desktop Protocol,[],[],,CM-8,mitigates,2 +2303,,T1021.003,Distributed Component Object Model,[],[],,CM-8,mitigates,2 +2304,,T1021.004,SSH,[],[],,CM-8,mitigates,2 +2305,,T1021.005,VNC,[],[],,CM-8,mitigates,2 +2306,,T1021.006,Windows Remote Management,[],[],,CM-8,mitigates,2 +2307,,T1046,Network Service Scanning,[],[],,CM-8,mitigates,2 +2308,,T1052,Exfiltration Over Physical Medium,[],[],,CM-8,mitigates,2 +2309,,T1052.001,Exfiltration over USB,[],[],,CM-8,mitigates,2 +2310,,T1053,Scheduled Task/Job,[],[],,CM-8,mitigates,2 +2311,,T1053.002,At 
(Windows),[],[],,CM-8,mitigates,2 +2312,,T1053.005,Scheduled Task,[],[],,CM-8,mitigates,2 +2313,,T1059,Command and Scripting Interpreter,[],[],,CM-8,mitigates,2 +2314,,T1059.001,PowerShell,[],[],,CM-8,mitigates,2 +2315,,T1059.005,Visual Basic,[],[],,CM-8,mitigates,2 +2316,,T1059.007,JavaScript,[],[],,CM-8,mitigates,2 +2317,,T1068,Exploitation for Privilege Escalation,[],[],,CM-8,mitigates,2 +2318,,T1072,Software Deployment Tools,[],[],,CM-8,mitigates,2 +2319,,T1091,Replication Through Removable Media,[],[],,CM-8,mitigates,2 +2320,,T1092,Communication Through Removable Media,[],[],,CM-8,mitigates,2 +2321,,T1098.004,SSH Authorized Keys,[],[],,CM-8,mitigates,2 +2322,,T1119,Automated Collection,[],[],,CM-8,mitigates,2 +2323,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-8,mitigates,2 +2324,,T1127.001,MSBuild,[],[],,CM-8,mitigates,2 +2325,,T1133,External Remote Services,[],[],,CM-8,mitigates,2 +2326,,T1137,Office Application Startup,[],[],,CM-8,mitigates,2 +2327,,T1137.001,Office Template Macros,[],[],,CM-8,mitigates,2 +2328,,T1189,Drive-by Compromise,[],[],,CM-8,mitigates,2 +2329,,T1190,Exploit Public-Facing Application,[],[],,CM-8,mitigates,2 +2330,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-8,mitigates,2 +2331,,T1203,Exploitation for Client Execution,[],[],,CM-8,mitigates,2 +2332,,T1210,Exploitation of Remote Services,[],[],,CM-8,mitigates,2 +2333,,T1211,Exploitation for Defense Evasion,[],[],,CM-8,mitigates,2 +2334,,T1212,Exploitation for Credential Access,[],[],,CM-8,mitigates,2 +2335,,T1213,Data from Information Repositories,[],[],,CM-8,mitigates,2 +2336,,T1213.001,Confluence,[],[],,CM-8,mitigates,2 +2337,,T1213.002,Sharepoint,[],[],,CM-8,mitigates,2 +2338,,T1218,Signed Binary Proxy Execution,[],[],,CM-8,mitigates,2 +2339,,T1218.003,CMSTP,[],[],,CM-8,mitigates,2 +2340,,T1218.004,InstallUtil,[],[],,CM-8,mitigates,2 +2341,,T1218.005,Mshta,[],[],,CM-8,mitigates,2 +2342,,T1218.008,Odbcconf,[],[],,CM-8,mitigates,2 
+2343,,T1218.009,Regsvcs/Regasm,[],[],,CM-8,mitigates,2 +2344,,T1218.012,Verclsid,[],[],,CM-8,mitigates,2 +2345,,T1221,Template Injection,[],[],,CM-8,mitigates,2 +2346,,T1495,Firmware Corruption,[],[],,CM-8,mitigates,2 +2347,,T1505,Server Software Component,[],[],,CM-8,mitigates,2 +2348,,T1505.001,SQL Stored Procedures,[],[],,CM-8,mitigates,2 +2349,,T1505.002,Transport Agent,[],[],,CM-8,mitigates,2 +2350,,T1530,Data from Cloud Storage Object,[],[],,CM-8,mitigates,2 +2351,,T1542,Pre-OS Boot,[],[],,CM-8,mitigates,2 +2352,,T1542.001,System Firmware,[],[],,CM-8,mitigates,2 +2353,,T1542.003,Bootkit,[],[],,CM-8,mitigates,2 +2354,,T1542.004,ROMMONkit,[],[],,CM-8,mitigates,2 +2355,,T1542.005,TFTP Boot,[],[],,CM-8,mitigates,2 +2356,,T1546.002,Screensaver,[],[],,CM-8,mitigates,2 +2357,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-8,mitigates,2 +2358,,T1546.014,Emond,[],[],,CM-8,mitigates,2 +2359,,T1547.007,Re-opened Applications,[],[],,CM-8,mitigates,2 +2360,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-8,mitigates,2 +2361,,T1548.004,Elevated Execution with Prompt,[],[],,CM-8,mitigates,2 +2362,,T1553,Subvert Trust Controls,[],[],,CM-8,mitigates,2 +2363,,T1553.006,Code Signing Policy Modification,[],[],,CM-8,mitigates,2 +2364,,T1557,Man-in-the-Middle,[],[],,CM-8,mitigates,2 +2365,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-8,mitigates,2 +2366,,T1557.002,ARP Cache Poisoning,[],[],,CM-8,mitigates,2 +2367,,T1559,Inter-Process Communication,[],[],,CM-8,mitigates,2 +2368,,T1559.002,Dynamic Data Exchange,[],[],,CM-8,mitigates,2 +2369,,T1563,Remote Service Session Hijacking,[],[],,CM-8,mitigates,2 +2370,,T1563.001,SSH Hijacking,[],[],,CM-8,mitigates,2 +2371,,T1563.002,RDP Hijacking,[],[],,CM-8,mitigates,2 +2372,,T1564.006,Run Virtual Instance,[],[],,CM-8,mitigates,2 +2373,,T1564.007,VBA Stomping,[],[],,CM-8,mitigates,2 +2374,,T1565,Data Manipulation,[],[],,CM-8,mitigates,2 +2375,,T1565.001,Stored Data Manipulation,[],[],,CM-8,mitigates,2 +2376,,T1565.002,Transmitted 
Data Manipulation,[],[],,CM-8,mitigates,2 +2377,,T1574,Hijack Execution Flow,[],[],,CM-8,mitigates,2 +2378,,T1574.004,Dylib Hijacking,[],[],,CM-8,mitigates,2 +2379,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-8,mitigates,2 +2380,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-8,mitigates,2 +2381,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-8,mitigates,2 +2382,,T1601,Modify System Image,[],[],,CM-8,mitigates,2 +2383,,T1601.001,Patch System Image,[],[],,CM-8,mitigates,2 +2384,,T1601.002,Downgrade System Image,[],[],,CM-8,mitigates,2 +2385,,T1602,Data from Configuration Repository,[],[],,CM-8,mitigates,2 +2386,,T1602.001,SNMP (MIB Dump),[],[],,CM-8,mitigates,2 +2387,,T1602.002,Network Device Configuration Dump,[],[],,CM-8,mitigates,2 +2388,,T1485,Data Destruction,[],[],,CP-10,mitigates,2 +2389,,T1486,Data Encrypted for Impact,[],[],,CP-10,mitigates,2 +2390,,T1490,Inhibit System Recovery,[],[],,CP-10,mitigates,2 +2391,,T1491,Defacement,[],[],,CP-10,mitigates,2 +2392,,T1491.001,Internal Defacement,[],[],,CP-10,mitigates,2 +2393,,T1491.002,External Defacement,[],[],,CP-10,mitigates,2 +2394,,T1561,Disk Wipe,[],[],,CP-10,mitigates,2 +2395,,T1561.001,Disk Content Wipe,[],[],,CP-10,mitigates,2 +2396,,T1561.002,Disk Structure Wipe,[],[],,CP-10,mitigates,2 +2397,,T1565,Data Manipulation,[],[],,CP-10,mitigates,2 +2398,,T1565.001,Stored Data Manipulation,[],[],,CP-10,mitigates,2 +2399,,T1485,Data Destruction,[],[],,CP-2,mitigates,2 +2400,,T1486,Data Encrypted for Impact,[],[],,CP-2,mitigates,2 +2401,,T1490,Inhibit System Recovery,[],[],,CP-2,mitigates,2 +2402,,T1491,Defacement,[],[],,CP-2,mitigates,2 +2403,,T1491.001,Internal Defacement,[],[],,CP-2,mitigates,2 +2404,,T1491.002,External Defacement,[],[],,CP-2,mitigates,2 +2405,,T1561,Disk Wipe,[],[],,CP-2,mitigates,2 +2406,,T1561.001,Disk Content Wipe,[],[],,CP-2,mitigates,2 +2407,,T1561.002,Disk Structure Wipe,[],[],,CP-2,mitigates,2 +2408,,T1070,Indicator Removal on 
Host,[],[],,CP-6,mitigates,2 +2409,,T1070.001,Clear Windows Event Logs,[],[],,CP-6,mitigates,2 +2410,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-6,mitigates,2 +2411,,T1119,Automated Collection,[],[],,CP-6,mitigates,2 +2412,,T1486,Data Encrypted for Impact,[],[],,CP-6,mitigates,2 +2413,,T1565,Data Manipulation,[],[],,CP-6,mitigates,2 +2414,,T1565.001,Stored Data Manipulation,[],[],,CP-6,mitigates,2 +2415,,T1070,Indicator Removal on Host,[],[],,CP-7,mitigates,2 +2416,,T1070.001,Clear Windows Event Logs,[],[],,CP-7,mitigates,2 +2417,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-7,mitigates,2 +2418,,T1119,Automated Collection,[],[],,CP-7,mitigates,2 +2419,,T1485,Data Destruction,[],[],,CP-7,mitigates,2 +2420,,T1486,Data Encrypted for Impact,[],[],,CP-7,mitigates,2 +2421,,T1490,Inhibit System Recovery,[],[],,CP-7,mitigates,2 +2422,,T1491,Defacement,[],[],,CP-7,mitigates,2 +2423,,T1491.001,Internal Defacement,[],[],,CP-7,mitigates,2 +2424,,T1491.002,External Defacement,[],[],,CP-7,mitigates,2 +2425,,T1561,Disk Wipe,[],[],,CP-7,mitigates,2 +2426,,T1561.001,Disk Content Wipe,[],[],,CP-7,mitigates,2 +2427,,T1561.002,Disk Structure Wipe,[],[],,CP-7,mitigates,2 +2428,,T1565,Data Manipulation,[],[],,CP-7,mitigates,2 +2429,,T1565.001,Stored Data Manipulation,[],[],,CP-7,mitigates,2 +2430,,T1003,OS Credential Dumping,[],[],,CP-9,mitigates,2 +2431,,T1003.003,NTDS,[],[],,CP-9,mitigates,2 +2432,,T1070,Indicator Removal on Host,[],[],,CP-9,mitigates,2 +2433,,T1070.001,Clear Windows Event Logs,[],[],,CP-9,mitigates,2 +2434,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-9,mitigates,2 +2435,,T1119,Automated Collection,[],[],,CP-9,mitigates,2 +2436,,T1485,Data Destruction,[],[],,CP-9,mitigates,2 +2437,,T1486,Data Encrypted for Impact,[],[],,CP-9,mitigates,2 +2438,,T1490,Inhibit System Recovery,[],[],,CP-9,mitigates,2 +2439,,T1491,Defacement,[],[],,CP-9,mitigates,2 +2440,,T1491.001,Internal Defacement,[],[],,CP-9,mitigates,2 +2441,,T1491.002,External 
Defacement,[],[],,CP-9,mitigates,2 +2442,,T1561,Disk Wipe,[],[],,CP-9,mitigates,2 +2443,,T1561.001,Disk Content Wipe,[],[],,CP-9,mitigates,2 +2444,,T1561.002,Disk Structure Wipe,[],[],,CP-9,mitigates,2 +2445,,T1565,Data Manipulation,[],[],,CP-9,mitigates,2 +2446,,T1565.001,Stored Data Manipulation,[],[],,CP-9,mitigates,2 +2447,,T1565.003,Runtime Data Manipulation,[],[],,CP-9,mitigates,2 +2448,,T1110,Brute Force,[],[],,IA-11,mitigates,2 +2449,,T1110.001,Password Guessing,[],[],,IA-11,mitigates,2 +2450,,T1110.002,Password Cracking,[],[],,IA-11,mitigates,2 +2451,,T1110.003,Password Spraying,[],[],,IA-11,mitigates,2 +2452,,T1110.004,Credential Stuffing,[],[],,IA-11,mitigates,2 +2453,,T1003,OS Credential Dumping,[],[],,IA-2,mitigates,2 +2454,,T1003.001,LSASS Memory,[],[],,IA-2,mitigates,2 +2455,,T1003.002,Security Account Manager,[],[],,IA-2,mitigates,2 +2456,,T1003.003,NTDS,[],[],,IA-2,mitigates,2 +2457,,T1003.004,LSA Secrets,[],[],,IA-2,mitigates,2 +2458,,T1003.005,Cached Domain Credentials,[],[],,IA-2,mitigates,2 +2459,,T1003.006,DCSync,[],[],,IA-2,mitigates,2 +2460,,T1003.007,Proc Filesystem,[],[],,IA-2,mitigates,2 +2461,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-2,mitigates,2 +2462,,T1021,Remote Services,[],[],,IA-2,mitigates,2 +2463,,T1021.001,Remote Desktop Protocol,[],[],,IA-2,mitigates,2 +2464,,T1021.002,SMB/Windows Admin Shares,[],[],,IA-2,mitigates,2 +2465,,T1021.003,Distributed Component Object Model,[],[],,IA-2,mitigates,2 +2466,,T1021.004,SSH,[],[],,IA-2,mitigates,2 +2467,,T1021.005,VNC,[],[],,IA-2,mitigates,2 +2468,,T1021.006,Windows Remote Management,[],[],,IA-2,mitigates,2 +2469,,T1040,Network Sniffing,[],[],,IA-2,mitigates,2 +2470,,T1047,Windows Management Instrumentation,[],[],,IA-2,mitigates,2 +2471,,T1053,Scheduled Task/Job,[],[],,IA-2,mitigates,2 +2472,,T1053.001,At (Linux),[],[],,IA-2,mitigates,2 +2473,,T1053.002,At (Windows),[],[],,IA-2,mitigates,2 +2474,,T1053.003,Cron,[],[],,IA-2,mitigates,2 
+2475,,T1053.004,Launchd,[],[],,IA-2,mitigates,2 +2476,,T1053.005,Scheduled Task,[],[],,IA-2,mitigates,2 +2477,,T1053.006,Systemd Timers,[],[],,IA-2,mitigates,2 +2478,,T1053.007,Container Orchestration Job,[],[],,IA-2,mitigates,2 +2479,,T1055,Process Injection,[],[],,IA-2,mitigates,2 +2480,,T1055.008,Ptrace System Calls,[],[],,IA-2,mitigates,2 +2481,,T1056.003,Web Portal Capture,[],[],,IA-2,mitigates,2 +2482,,T1059,Command and Scripting Interpreter,[],[],,IA-2,mitigates,2 +2483,,T1059.001,PowerShell,[],[],,IA-2,mitigates,2 +2484,,T1059.008,Network Device CLI,[],[],,IA-2,mitigates,2 +2485,,T1072,Software Deployment Tools,[],[],,IA-2,mitigates,2 +2486,,T1078,Valid Accounts,[],[],,IA-2,mitigates,2 +2487,,T1078.002,Domain Accounts,[],[],,IA-2,mitigates,2 +2488,,T1078.003,Local Accounts,[],[],,IA-2,mitigates,2 +2489,,T1078.004,Cloud Accounts,[],[],,IA-2,mitigates,2 +2490,,T1087.004,Cloud Account,[],[],,IA-2,mitigates,2 +2491,,T1098,Account Manipulation,[],[],,IA-2,mitigates,2 +2492,,T1098.001,Additional Cloud Credentials,[],[],,IA-2,mitigates,2 +2493,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-2,mitigates,2 +2494,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-2,mitigates,2 +2495,,T1110,Brute Force,[],[],,IA-2,mitigates,2 +2496,,T1110.001,Password Guessing,[],[],,IA-2,mitigates,2 +2497,,T1110.002,Password Cracking,[],[],,IA-2,mitigates,2 +2498,,T1110.003,Password Spraying,[],[],,IA-2,mitigates,2 +2499,,T1110.004,Credential Stuffing,[],[],,IA-2,mitigates,2 +2500,,T1111,Two-Factor Authentication Interception,[],[],,IA-2,mitigates,2 +2501,,T1114,Email Collection,[],[],,IA-2,mitigates,2 +2502,,T1114.002,Remote Email Collection,[],[],,IA-2,mitigates,2 +2503,,T1133,External Remote Services,[],[],,IA-2,mitigates,2 +2504,,T1134,Access Token Manipulation,[],[],,IA-2,mitigates,2 +2505,,T1134.001,Token Impersonation/Theft,[],[],,IA-2,mitigates,2 +2506,,T1134.002,Create Process with Token,[],[],,IA-2,mitigates,2 +2507,,T1134.003,Make and Impersonate 
Token,[],[],,IA-2,mitigates,2 +2508,,T1136,Create Account,[],[],,IA-2,mitigates,2 +2509,,T1136.001,Local Account,[],[],,IA-2,mitigates,2 +2510,,T1136.002,Domain Account,[],[],,IA-2,mitigates,2 +2511,,T1136.003,Cloud Account,[],[],,IA-2,mitigates,2 +2512,,T1185,Man in the Browser,[],[],,IA-2,mitigates,2 +2513,,T1190,Exploit Public-Facing Application,[],[],,IA-2,mitigates,2 +2514,,T1197,BITS Jobs,[],[],,IA-2,mitigates,2 +2515,,T1210,Exploitation of Remote Services,[],[],,IA-2,mitigates,2 +2516,,T1213,Data from Information Repositories,[],[],,IA-2,mitigates,2 +2517,,T1213.001,Confluence,[],[],,IA-2,mitigates,2 +2518,,T1213.002,Sharepoint,[],[],,IA-2,mitigates,2 +2519,,T1218,Signed Binary Proxy Execution,[],[],,IA-2,mitigates,2 +2520,,T1218.007,Msiexec,[],[],,IA-2,mitigates,2 +2521,,T1222,File and Directory Permissions Modification,[],[],,IA-2,mitigates,2 +2522,,T1222.001,Windows File and Directory Permissions Modification,[],[],,IA-2,mitigates,2 +2523,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,IA-2,mitigates,2 +2524,,T1484,Domain Policy Modification,[],[],,IA-2,mitigates,2 +2525,,T1489,Service Stop,[],[],,IA-2,mitigates,2 +2526,,T1495,Firmware Corruption,[],[],,IA-2,mitigates,2 +2527,,T1505,Server Software Component,[],[],,IA-2,mitigates,2 +2528,,T1505.001,SQL Stored Procedures,[],[],,IA-2,mitigates,2 +2529,,T1505.002,Transport Agent,[],[],,IA-2,mitigates,2 +2530,,T1525,Implant Internal Image,[],[],,IA-2,mitigates,2 +2531,,T1528,Steal Application Access Token,[],[],,IA-2,mitigates,2 +2532,,T1530,Data from Cloud Storage Object,[],[],,IA-2,mitigates,2 +2533,,T1537,Transfer Data to Cloud Account,[],[],,IA-2,mitigates,2 +2534,,T1538,Cloud Service Dashboard,[],[],,IA-2,mitigates,2 +2535,,T1539,Steal Web Session Cookie,[],[],,IA-2,mitigates,2 +2536,,T1542,Pre-OS Boot,[],[],,IA-2,mitigates,2 +2537,,T1542.001,System Firmware,[],[],,IA-2,mitigates,2 +2538,,T1542.003,Bootkit,[],[],,IA-2,mitigates,2 +2539,,T1542.005,TFTP 
Boot,[],[],,IA-2,mitigates,2 +2540,,T1543,Create or Modify System Process,[],[],,IA-2,mitigates,2 +2541,,T1543.001,Launch Agent,[],[],,IA-2,mitigates,2 +2542,,T1543.002,Systemd Service,[],[],,IA-2,mitigates,2 +2543,,T1543.003,Windows Service,[],[],,IA-2,mitigates,2 +2544,,T1543.004,Launch Daemon,[],[],,IA-2,mitigates,2 +2545,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,IA-2,mitigates,2 +2546,,T1547.004,Winlogon Helper DLL,[],[],,IA-2,mitigates,2 +2547,,T1547.006,Kernel Modules and Extensions,[],[],,IA-2,mitigates,2 +2548,,T1547.009,Shortcut Modification,[],[],,IA-2,mitigates,2 +2549,,T1547.012,Print Processors,[],[],,IA-2,mitigates,2 +2550,,T1547.013,XDG Autostart Entries,[],[],,IA-2,mitigates,2 +2551,,T1548,Abuse Elevation Control Mechanism,[],[],,IA-2,mitigates,2 +2552,,T1548.002,Bypass User Account Control,[],[],,IA-2,mitigates,2 +2553,,T1548.003,Sudo and Sudo Caching,[],[],,IA-2,mitigates,2 +2554,,T1550,Use Alternate Authentication Material,[],[],,IA-2,mitigates,2 +2555,,T1550.001,Application Access Token,[],[],,IA-2,mitigates,2 +2556,,T1550.002,Pass the Hash,[],[],,IA-2,mitigates,2 +2557,,T1550.003,Pass the Ticket,[],[],,IA-2,mitigates,2 +2558,,T1552,Unsecured Credentials,[],[],,IA-2,mitigates,2 +2559,,T1552.001,Credentials In Files,[],[],,IA-2,mitigates,2 +2560,,T1552.002,Credentials in Registry,[],[],,IA-2,mitigates,2 +2561,,T1552.004,Private Keys,[],[],,IA-2,mitigates,2 +2562,,T1552.006,Group Policy Preferences,[],[],,IA-2,mitigates,2 +2563,,T1552.007,Container API,[],[],,IA-2,mitigates,2 +2564,,T1553,Subvert Trust Controls,[],[],,IA-2,mitigates,2 +2565,,T1553.006,Code Signing Policy Modification,[],[],,IA-2,mitigates,2 +2566,,T1555.005,Password Managers,[],[],,IA-2,mitigates,2 +2567,,T1556,Modify Authentication Process,[],[],,IA-2,mitigates,2 +2568,,T1556.001,Domain Controller Authentication,[],[],,IA-2,mitigates,2 +2569,,T1556.003,Pluggable Authentication Modules,[],[],,IA-2,mitigates,2 +2570,,T1556.004,Network Device 
Authentication,[],[],,IA-2,mitigates,2 +2571,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-2,mitigates,2 +2572,,T1558.001,Golden Ticket,[],[],,IA-2,mitigates,2 +2573,,T1558.002,Silver Ticket,[],[],,IA-2,mitigates,2 +2574,,T1558.003,Kerberoasting,[],[],,IA-2,mitigates,2 +2575,,T1558.004,AS-REP Roasting,[],[],,IA-2,mitigates,2 +2576,,T1559,Inter-Process Communication,[],[],,IA-2,mitigates,2 +2577,,T1559.001,Component Object Model,[],[],,IA-2,mitigates,2 +2578,,T1562,Impair Defenses,[],[],,IA-2,mitigates,2 +2579,,T1562.001,Disable or Modify Tools,[],[],,IA-2,mitigates,2 +2580,,T1562.002,Disable Windows Event Logging,[],[],,IA-2,mitigates,2 +2581,,T1562.004,Disable or Modify System Firewall,[],[],,IA-2,mitigates,2 +2582,,T1562.006,Indicator Blocking,[],[],,IA-2,mitigates,2 +2583,,T1562.007,Disable or Modify Cloud Firewall,[],[],,IA-2,mitigates,2 +2584,,T1562.008,Disable Cloud Logs,[],[],,IA-2,mitigates,2 +2585,,T1563,Remote Service Session Hijacking,[],[],,IA-2,mitigates,2 +2586,,T1563.001,SSH Hijacking,[],[],,IA-2,mitigates,2 +2587,,T1563.002,RDP Hijacking,[],[],,IA-2,mitigates,2 +2588,,T1569,System Services,[],[],,IA-2,mitigates,2 +2589,,T1569.001,Launchctl,[],[],,IA-2,mitigates,2 +2590,,T1569.002,Service Execution,[],[],,IA-2,mitigates,2 +2591,,T1574,Hijack Execution Flow,[],[],,IA-2,mitigates,2 +2592,,T1574.005,Executable Installer File Permissions Weakness,[],[],,IA-2,mitigates,2 +2593,,T1574.010,Services File Permissions Weakness,[],[],,IA-2,mitigates,2 +2594,,T1574.012,COR_PROFILER,[],[],,IA-2,mitigates,2 +2595,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-2,mitigates,2 +2596,,T1578.001,Create Snapshot,[],[],,IA-2,mitigates,2 +2597,,T1578.002,Create Cloud Instance,[],[],,IA-2,mitigates,2 +2598,,T1578.003,Delete Cloud Instance,[],[],,IA-2,mitigates,2 +2599,,T1580,Cloud Infrastructure Discovery,[],[],,IA-2,mitigates,2 +2600,,T1599,Network Boundary Bridging,[],[],,IA-2,mitigates,2 +2601,,T1599.001,Network Address Translation 
Traversal,[],[],,IA-2,mitigates,2 +2602,,T1601,Modify System Image,[],[],,IA-2,mitigates,2 +2603,,T1601.001,Patch System Image,[],[],,IA-2,mitigates,2 +2604,,T1601.002,Downgrade System Image,[],[],,IA-2,mitigates,2 +2605,,T1610,Deploy Container,[],[],,IA-2,mitigates,2 +2606,,T1611,Escape to Host,[],[],,IA-2,mitigates,2 +2607,,T1613,Container and Resource Discovery,[],[],,IA-2,mitigates,2 +2608,,T1530,Data from Cloud Storage Object,[],[],,IA-3,mitigates,2 +2609,,T1537,Transfer Data to Cloud Account,[],[],,IA-3,mitigates,2 +2610,,T1552,Unsecured Credentials,[],[],,IA-3,mitigates,2 +2611,,T1552.005,Cloud Instance Metadata API,[],[],,IA-3,mitigates,2 +2612,,T1602,Data from Configuration Repository,[],[],,IA-3,mitigates,2 +2613,,T1602.001,SNMP (MIB Dump),[],[],,IA-3,mitigates,2 +2614,,T1602.002,Network Device Configuration Dump,[],[],,IA-3,mitigates,2 +2615,,T1003,OS Credential Dumping,[],[],,IA-4,mitigates,2 +2616,,T1003.005,Cached Domain Credentials,[],[],,IA-4,mitigates,2 +2617,,T1003.006,DCSync,[],[],,IA-4,mitigates,2 +2618,,T1021.001,Remote Desktop Protocol,[],[],,IA-4,mitigates,2 +2619,,T1021.005,VNC,[],[],,IA-4,mitigates,2 +2620,,T1053,Scheduled Task/Job,[],[],,IA-4,mitigates,2 +2621,,T1053.002,At (Windows),[],[],,IA-4,mitigates,2 +2622,,T1053.005,Scheduled Task,[],[],,IA-4,mitigates,2 +2623,,T1110,Brute Force,[],[],,IA-4,mitigates,2 +2624,,T1110.001,Password Guessing,[],[],,IA-4,mitigates,2 +2625,,T1110.002,Password Cracking,[],[],,IA-4,mitigates,2 +2626,,T1110.003,Password Spraying,[],[],,IA-4,mitigates,2 +2627,,T1110.004,Credential Stuffing,[],[],,IA-4,mitigates,2 +2628,,T1213,Data from Information Repositories,[],[],,IA-4,mitigates,2 +2629,,T1213.001,Confluence,[],[],,IA-4,mitigates,2 +2630,,T1213.002,Sharepoint,[],[],,IA-4,mitigates,2 +2631,,T1528,Steal Application Access Token,[],[],,IA-4,mitigates,2 +2632,,T1530,Data from Cloud Storage Object,[],[],,IA-4,mitigates,2 +2633,,T1537,Transfer Data to Cloud Account,[],[],,IA-4,mitigates,2 +2634,,T1543,Create or 
Modify System Process,[],[],,IA-4,mitigates,2 +2635,,T1543.003,Windows Service,[],[],,IA-4,mitigates,2 +2636,,T1550.001,Application Access Token,[],[],,IA-4,mitigates,2 +2637,,T1552,Unsecured Credentials,[],[],,IA-4,mitigates,2 +2638,,T1552.005,Cloud Instance Metadata API,[],[],,IA-4,mitigates,2 +2639,,T1562,Impair Defenses,[],[],,IA-4,mitigates,2 +2640,,T1563,Remote Service Session Hijacking,[],[],,IA-4,mitigates,2 +2641,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-4,mitigates,2 +2642,,T1578.001,Create Snapshot,[],[],,IA-4,mitigates,2 +2643,,T1578.002,Create Cloud Instance,[],[],,IA-4,mitigates,2 +2644,,T1578.003,Delete Cloud Instance,[],[],,IA-4,mitigates,2 +2645,,T1602,Data from Configuration Repository,[],[],,IA-4,mitigates,2 +2646,,T1602.001,SNMP (MIB Dump),[],[],,IA-4,mitigates,2 +2647,,T1602.002,Network Device Configuration Dump,[],[],,IA-4,mitigates,2 +2648,,T1003,OS Credential Dumping,[],[],,IA-5,mitigates,2 +2649,,T1003.001,LSASS Memory,[],[],,IA-5,mitigates,2 +2650,,T1003.002,Security Account Manager,[],[],,IA-5,mitigates,2 +2651,,T1003.003,NTDS,[],[],,IA-5,mitigates,2 +2652,,T1003.004,LSA Secrets,[],[],,IA-5,mitigates,2 +2653,,T1003.005,Cached Domain Credentials,[],[],,IA-5,mitigates,2 +2654,,T1003.006,DCSync,[],[],,IA-5,mitigates,2 +2655,,T1003.007,Proc Filesystem,[],[],,IA-5,mitigates,2 +2656,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-5,mitigates,2 +2657,,T1021,Remote Services,[],[],,IA-5,mitigates,2 +2658,,T1021.001,Remote Desktop Protocol,[],[],,IA-5,mitigates,2 +2659,,T1021.004,SSH,[],[],,IA-5,mitigates,2 +2660,,T1040,Network Sniffing,[],[],,IA-5,mitigates,2 +2661,,T1072,Software Deployment Tools,[],[],,IA-5,mitigates,2 +2662,,T1078,Valid Accounts,[],[],,IA-5,mitigates,2 +2663,,T1078.002,Domain Accounts,[],[],,IA-5,mitigates,2 +2664,,T1078.004,Cloud Accounts,[],[],,IA-5,mitigates,2 +2665,,T1098.001,Additional Cloud Credentials,[],[],,IA-5,mitigates,2 +2666,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-5,mitigates,2 
+2667,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-5,mitigates,2 +2668,,T1110,Brute Force,[],[],,IA-5,mitigates,2 +2669,,T1110.001,Password Guessing,[],[],,IA-5,mitigates,2 +2670,,T1110.002,Password Cracking,[],[],,IA-5,mitigates,2 +2671,,T1110.003,Password Spraying,[],[],,IA-5,mitigates,2 +2672,,T1110.004,Credential Stuffing,[],[],,IA-5,mitigates,2 +2673,,T1111,Two-Factor Authentication Interception,[],[],,IA-5,mitigates,2 +2674,,T1114,Email Collection,[],[],,IA-5,mitigates,2 +2675,,T1114.002,Remote Email Collection,[],[],,IA-5,mitigates,2 +2676,,T1133,External Remote Services,[],[],,IA-5,mitigates,2 +2677,,T1136,Create Account,[],[],,IA-5,mitigates,2 +2678,,T1136.001,Local Account,[],[],,IA-5,mitigates,2 +2679,,T1136.002,Domain Account,[],[],,IA-5,mitigates,2 +2680,,T1136.003,Cloud Account,[],[],,IA-5,mitigates,2 +2681,,T1528,Steal Application Access Token,[],[],,IA-5,mitigates,2 +2682,,T1530,Data from Cloud Storage Object,[],[],,IA-5,mitigates,2 +2683,,T1539,Steal Web Session Cookie,[],[],,IA-5,mitigates,2 +2684,,T1550.003,Pass the Ticket,[],[],,IA-5,mitigates,2 +2685,,T1552,Unsecured Credentials,[],[],,IA-5,mitigates,2 +2686,,T1552.001,Credentials In Files,[],[],,IA-5,mitigates,2 +2687,,T1552.002,Credentials in Registry,[],[],,IA-5,mitigates,2 +2688,,T1552.004,Private Keys,[],[],,IA-5,mitigates,2 +2689,,T1552.006,Group Policy Preferences,[],[],,IA-5,mitigates,2 +2690,,T1555,Credentials from Password Stores,[],[],,IA-5,mitigates,2 +2691,,T1555.001,Keychain,[],[],,IA-5,mitigates,2 +2692,,T1555.002,Securityd Memory,[],[],,IA-5,mitigates,2 +2693,,T1555.004,Windows Credential Manager,[],[],,IA-5,mitigates,2 +2694,,T1555.005,Password Managers,[],[],,IA-5,mitigates,2 +2695,,T1556,Modify Authentication Process,[],[],,IA-5,mitigates,2 +2696,,T1556.001,Domain Controller Authentication,[],[],,IA-5,mitigates,2 +2697,,T1556.003,Pluggable Authentication Modules,[],[],,IA-5,mitigates,2 +2698,,T1556.004,Network Device Authentication,[],[],,IA-5,mitigates,2 
+2699,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-5,mitigates,2 +2700,,T1558.001,Golden Ticket,[],[],,IA-5,mitigates,2 +2701,,T1558.002,Silver Ticket,[],[],,IA-5,mitigates,2 +2702,,T1558.003,Kerberoasting,[],[],,IA-5,mitigates,2 +2703,,T1558.004,AS-REP Roasting,[],[],,IA-5,mitigates,2 +2704,,T1559,Inter-Process Communication,[],[],,IA-5,mitigates,2 +2705,,T1559.001,Component Object Model,[],[],,IA-5,mitigates,2 +2706,,T1563.001,SSH Hijacking,[],[],,IA-5,mitigates,2 +2707,,T1599,Network Boundary Bridging,[],[],,IA-5,mitigates,2 +2708,,T1599.001,Network Address Translation Traversal,[],[],,IA-5,mitigates,2 +2709,,T1601,Modify System Image,[],[],,IA-5,mitigates,2 +2710,,T1601.001,Patch System Image,[],[],,IA-5,mitigates,2 +2711,,T1601.002,Downgrade System Image,[],[],,IA-5,mitigates,2 +2712,,T1021.001,Remote Desktop Protocol,[],[],,IA-6,mitigates,2 +2713,,T1021.005,VNC,[],[],,IA-6,mitigates,2 +2714,,T1530,Data from Cloud Storage Object,[],[],,IA-6,mitigates,2 +2715,,T1563,Remote Service Session Hijacking,[],[],,IA-6,mitigates,2 +2716,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-6,mitigates,2 +2717,,T1578.001,Create Snapshot,[],[],,IA-6,mitigates,2 +2718,,T1578.002,Create Cloud Instance,[],[],,IA-6,mitigates,2 +2719,,T1578.003,Delete Cloud Instance,[],[],,IA-6,mitigates,2 +2720,,T1195.003,Compromise Hardware Supply Chain,[],[],,IA-7,mitigates,2 +2721,,T1495,Firmware Corruption,[],[],,IA-7,mitigates,2 +2722,,T1542,Pre-OS Boot,[],[],,IA-7,mitigates,2 +2723,,T1542.001,System Firmware,[],[],,IA-7,mitigates,2 +2724,,T1542.003,Bootkit,[],[],,IA-7,mitigates,2 +2725,,T1542.004,ROMMONkit,[],[],,IA-7,mitigates,2 +2726,,T1542.005,TFTP Boot,[],[],,IA-7,mitigates,2 +2727,,T1553,Subvert Trust Controls,[],[],,IA-7,mitigates,2 +2728,,T1553.006,Code Signing Policy Modification,[],[],,IA-7,mitigates,2 +2729,,T1601,Modify System Image,[],[],,IA-7,mitigates,2 +2730,,T1601.001,Patch System Image,[],[],,IA-7,mitigates,2 +2731,,T1601.002,Downgrade System 
Image,[],[],,IA-7,mitigates,2 +2732,,T1053,Scheduled Task/Job,[],[],,IA-8,mitigates,2 +2733,,T1053.007,Container Orchestration Job,[],[],,IA-8,mitigates,2 +2734,,T1059,Command and Scripting Interpreter,[],[],,IA-8,mitigates,2 +2735,,T1059.001,PowerShell,[],[],,IA-8,mitigates,2 +2736,,T1059.008,Network Device CLI,[],[],,IA-8,mitigates,2 +2737,,T1087.004,Cloud Account,[],[],,IA-8,mitigates,2 +2738,,T1190,Exploit Public-Facing Application,[],[],,IA-8,mitigates,2 +2739,,T1210,Exploitation of Remote Services,[],[],,IA-8,mitigates,2 +2740,,T1213,Data from Information Repositories,[],[],,IA-8,mitigates,2 +2741,,T1213.001,Confluence,[],[],,IA-8,mitigates,2 +2742,,T1213.002,Sharepoint,[],[],,IA-8,mitigates,2 +2743,,T1528,Steal Application Access Token,[],[],,IA-8,mitigates,2 +2744,,T1530,Data from Cloud Storage Object,[],[],,IA-8,mitigates,2 +2745,,T1537,Transfer Data to Cloud Account,[],[],,IA-8,mitigates,2 +2746,,T1538,Cloud Service Dashboard,[],[],,IA-8,mitigates,2 +2747,,T1542,Pre-OS Boot,[],[],,IA-8,mitigates,2 +2748,,T1542.001,System Firmware,[],[],,IA-8,mitigates,2 +2749,,T1542.003,Bootkit,[],[],,IA-8,mitigates,2 +2750,,T1542.005,TFTP Boot,[],[],,IA-8,mitigates,2 +2751,,T1036,Masquerading,[],[],,IA-9,mitigates,2 +2752,,T1036.001,Invalid Code Signature,[],[],,IA-9,mitigates,2 +2753,,T1036.005,Match Legitimate Name or Location,[],[],,IA-9,mitigates,2 +2754,,T1059,Command and Scripting Interpreter,[],[],,IA-9,mitigates,2 +2755,,T1059.001,PowerShell,[],[],,IA-9,mitigates,2 +2756,,T1059.002,AppleScript,[],[],,IA-9,mitigates,2 +2757,,T1505,Server Software Component,[],[],,IA-9,mitigates,2 +2758,,T1505.001,SQL Stored Procedures,[],[],,IA-9,mitigates,2 +2759,,T1505.002,Transport Agent,[],[],,IA-9,mitigates,2 +2760,,T1525,Implant Internal Image,[],[],,IA-9,mitigates,2 +2761,,T1546,Event Triggered Execution,[],[],,IA-9,mitigates,2 +2762,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,IA-9,mitigates,2 +2763,,T1546.013,PowerShell Profile,[],[],,IA-9,mitigates,2 +2764,,T1553,Subvert 
Trust Controls,[],[],,IA-9,mitigates,2 +2765,,T1553.004,Install Root Certificate,[],[],,IA-9,mitigates,2 +2766,,T1554,Compromise Client Software Binary,[],[],,IA-9,mitigates,2 +2767,,T1566,Phishing,[],[],,IA-9,mitigates,2 +2768,,T1566.001,Spearphishing Attachment,[],[],,IA-9,mitigates,2 +2769,,T1566.002,Spearphishing Link,[],[],,IA-9,mitigates,2 +2770,,T1598,Phishing for Information,[],[],,IA-9,mitigates,2 +2771,,T1598.002,Spearphishing Attachment,[],[],,IA-9,mitigates,2 +2772,,T1598.003,Spearphishing Link,[],[],,IA-9,mitigates,2 +2773,,T1052,Exfiltration Over Physical Medium,[],[],,MP-7,mitigates,2 +2774,,T1052.001,Exfiltration over USB,[],[],,MP-7,mitigates,2 +2775,,T1091,Replication Through Removable Media,[],[],,MP-7,mitigates,2 +2776,,T1092,Communication Through Removable Media,[],[],,MP-7,mitigates,2 +2777,,T1200,Hardware Additions,[],[],,MP-7,mitigates,2 +2778,,T1011.001,Exfiltration Over Bluetooth,[],[],,RA-5,mitigates,2 +2779,,T1021.001,Remote Desktop Protocol,[],[],,RA-5,mitigates,2 +2780,,T1021.003,Distributed Component Object Model,[],[],,RA-5,mitigates,2 +2781,,T1021.004,SSH,[],[],,RA-5,mitigates,2 +2782,,T1021.005,VNC,[],[],,RA-5,mitigates,2 +2783,,T1021.006,Windows Remote Management,[],[],,RA-5,mitigates,2 +2784,,T1046,Network Service Scanning,[],[],,RA-5,mitigates,2 +2785,,T1052,Exfiltration Over Physical Medium,[],[],,RA-5,mitigates,2 +2786,,T1052.001,Exfiltration over USB,[],[],,RA-5,mitigates,2 +2787,,T1053,Scheduled Task/Job,[],[],,RA-5,mitigates,2 +2788,,T1053.001,At (Linux),[],[],,RA-5,mitigates,2 +2789,,T1053.002,At (Windows),[],[],,RA-5,mitigates,2 +2790,,T1053.003,Cron,[],[],,RA-5,mitigates,2 +2791,,T1053.004,Launchd,[],[],,RA-5,mitigates,2 +2792,,T1053.005,Scheduled Task,[],[],,RA-5,mitigates,2 +2793,,T1059,Command and Scripting Interpreter,[],[],,RA-5,mitigates,2 +2794,,T1059.001,PowerShell,[],[],,RA-5,mitigates,2 +2795,,T1059.005,Visual Basic,[],[],,RA-5,mitigates,2 +2796,,T1059.007,JavaScript,[],[],,RA-5,mitigates,2 
+2797,,T1068,Exploitation for Privilege Escalation,[],[],,RA-5,mitigates,2 +2798,,T1078,Valid Accounts,[],[],,RA-5,mitigates,2 +2799,,T1091,Replication Through Removable Media,[],[],,RA-5,mitigates,2 +2800,,T1092,Communication Through Removable Media,[],[],,RA-5,mitigates,2 +2801,,T1098.004,SSH Authorized Keys,[],[],,RA-5,mitigates,2 +2802,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,RA-5,mitigates,2 +2803,,T1127.001,MSBuild,[],[],,RA-5,mitigates,2 +2804,,T1133,External Remote Services,[],[],,RA-5,mitigates,2 +2805,,T1137,Office Application Startup,[],[],,RA-5,mitigates,2 +2806,,T1137.001,Office Template Macros,[],[],,RA-5,mitigates,2 +2807,,T1176,Browser Extensions,[],[],,RA-5,mitigates,2 +2808,,T1190,Exploit Public-Facing Application,[],[],,RA-5,mitigates,2 +2809,,T1195,Supply Chain Compromise,[],[],,RA-5,mitigates,2 +2810,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-5,mitigates,2 +2811,,T1195.002,Compromise Software Supply Chain,[],[],,RA-5,mitigates,2 +2812,,T1204.003,Malicious Image,[],[],,RA-5,mitigates,2 +2813,,T1210,Exploitation of Remote Services,[],[],,RA-5,mitigates,2 +2814,,T1211,Exploitation for Defense Evasion,[],[],,RA-5,mitigates,2 +2815,,T1212,Exploitation for Credential Access,[],[],,RA-5,mitigates,2 +2816,,T1213,Data from Information Repositories,[],[],,RA-5,mitigates,2 +2817,,T1213.001,Confluence,[],[],,RA-5,mitigates,2 +2818,,T1213.002,Sharepoint,[],[],,RA-5,mitigates,2 +2819,,T1218,Signed Binary Proxy Execution,[],[],,RA-5,mitigates,2 +2820,,T1218.003,CMSTP,[],[],,RA-5,mitigates,2 +2821,,T1218.004,InstallUtil,[],[],,RA-5,mitigates,2 +2822,,T1218.005,Mshta,[],[],,RA-5,mitigates,2 +2823,,T1218.008,Odbcconf,[],[],,RA-5,mitigates,2 +2824,,T1218.009,Regsvcs/Regasm,[],[],,RA-5,mitigates,2 +2825,,T1218.012,Verclsid,[],[],,RA-5,mitigates,2 +2826,,T1221,Template Injection,[],[],,RA-5,mitigates,2 +2827,,T1482,Domain Trust Discovery,[],[],,RA-5,mitigates,2 +2828,,T1484,Domain Policy 
Modification,[],[],,RA-5,mitigates,2 +2829,,T1505,Server Software Component,[],[],,RA-5,mitigates,2 +2830,,T1505.001,SQL Stored Procedures,[],[],,RA-5,mitigates,2 +2831,,T1505.002,Transport Agent,[],[],,RA-5,mitigates,2 +2832,,T1525,Implant Internal Image,[],[],,RA-5,mitigates,2 +2833,,T1528,Steal Application Access Token,[],[],,RA-5,mitigates,2 +2834,,T1530,Data from Cloud Storage Object,[],[],,RA-5,mitigates,2 +2835,,T1542.004,ROMMONkit,[],[],,RA-5,mitigates,2 +2836,,T1542.005,TFTP Boot,[],[],,RA-5,mitigates,2 +2837,,T1543,Create or Modify System Process,[],[],,RA-5,mitigates,2 +2838,,T1543.003,Windows Service,[],[],,RA-5,mitigates,2 +2839,,T1546.002,Screensaver,[],[],,RA-5,mitigates,2 +2840,,T1546.014,Emond,[],[],,RA-5,mitigates,2 +2841,,T1547.007,Re-opened Applications,[],[],,RA-5,mitigates,2 +2842,,T1547.008,LSASS Driver,[],[],,RA-5,mitigates,2 +2843,,T1548,Abuse Elevation Control Mechanism,[],[],,RA-5,mitigates,2 +2844,,T1548.002,Bypass User Account Control,[],[],,RA-5,mitigates,2 +2845,,T1548.003,Sudo and Sudo Caching,[],[],,RA-5,mitigates,2 +2846,,T1552,Unsecured Credentials,[],[],,RA-5,mitigates,2 +2847,,T1552.001,Credentials In Files,[],[],,RA-5,mitigates,2 +2848,,T1552.002,Credentials in Registry,[],[],,RA-5,mitigates,2 +2849,,T1552.004,Private Keys,[],[],,RA-5,mitigates,2 +2850,,T1552.006,Group Policy Preferences,[],[],,RA-5,mitigates,2 +2851,,T1557,Man-in-the-Middle,[],[],,RA-5,mitigates,2 +2852,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,RA-5,mitigates,2 +2853,,T1557.002,ARP Cache Poisoning,[],[],,RA-5,mitigates,2 +2854,,T1558.004,AS-REP Roasting,[],[],,RA-5,mitigates,2 +2855,,T1559,Inter-Process Communication,[],[],,RA-5,mitigates,2 +2856,,T1559.002,Dynamic Data Exchange,[],[],,RA-5,mitigates,2 +2857,,T1560,Archive Collected Data,[],[],,RA-5,mitigates,2 +2858,,T1560.001,Archive via Utility,[],[],,RA-5,mitigates,2 +2859,,T1562,Impair Defenses,[],[],,RA-5,mitigates,2 +2860,,T1563,Remote Service Session Hijacking,[],[],,RA-5,mitigates,2 
+2861,,T1563.001,SSH Hijacking,[],[],,RA-5,mitigates,2 +2862,,T1563.002,RDP Hijacking,[],[],,RA-5,mitigates,2 +2863,,T1574,Hijack Execution Flow,[],[],,RA-5,mitigates,2 +2864,,T1574.001,DLL Search Order Hijacking,[],[],,RA-5,mitigates,2 +2865,,T1574.004,Dylib Hijacking,[],[],,RA-5,mitigates,2 +2866,,T1574.005,Executable Installer File Permissions Weakness,[],[],,RA-5,mitigates,2 +2867,,T1574.007,Path Interception by PATH Environment Variable,[],[],,RA-5,mitigates,2 +2868,,T1574.008,Path Interception by Search Order Hijacking,[],[],,RA-5,mitigates,2 +2869,,T1574.009,Path Interception by Unquoted Path,[],[],,RA-5,mitigates,2 +2870,,T1574.010,Services File Permissions Weakness,[],[],,RA-5,mitigates,2 +2871,,T1578,Modify Cloud Compute Infrastructure,[],[],,RA-5,mitigates,2 +2872,,T1578.001,Create Snapshot,[],[],,RA-5,mitigates,2 +2873,,T1578.002,Create Cloud Instance,[],[],,RA-5,mitigates,2 +2874,,T1578.003,Delete Cloud Instance,[],[],,RA-5,mitigates,2 +2875,,T1612,Build Image on Host,[],[],,RA-5,mitigates,2 +2876,,T1078,Valid Accounts,[],[],,SA-10,mitigates,2 +2877,,T1078.001,Default Accounts,[],[],,SA-10,mitigates,2 +2878,,T1078.003,Local Accounts,[],[],,SA-10,mitigates,2 +2879,,T1078.004,Cloud Accounts,[],[],,SA-10,mitigates,2 +2880,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-10,mitigates,2 +2881,,T1495,Firmware Corruption,[],[],,SA-10,mitigates,2 +2882,,T1505,Server Software Component,[],[],,SA-10,mitigates,2 +2883,,T1505.001,SQL Stored Procedures,[],[],,SA-10,mitigates,2 +2884,,T1505.002,Transport Agent,[],[],,SA-10,mitigates,2 +2885,,T1542,Pre-OS Boot,[],[],,SA-10,mitigates,2 +2886,,T1542.001,System Firmware,[],[],,SA-10,mitigates,2 +2887,,T1542.003,Bootkit,[],[],,SA-10,mitigates,2 +2888,,T1542.004,ROMMONkit,[],[],,SA-10,mitigates,2 +2889,,T1542.005,TFTP Boot,[],[],,SA-10,mitigates,2 +2890,,T1553,Subvert Trust Controls,[],[],,SA-10,mitigates,2 +2891,,T1553.006,Code Signing Policy Modification,[],[],,SA-10,mitigates,2 +2892,,T1574.002,DLL 
Side-Loading,[],[],,SA-10,mitigates,2 +2893,,T1601,Modify System Image,[],[],,SA-10,mitigates,2 +2894,,T1601.001,Patch System Image,[],[],,SA-10,mitigates,2 +2895,,T1601.002,Downgrade System Image,[],[],,SA-10,mitigates,2 +2896,,T1078,Valid Accounts,[],[],,SA-11,mitigates,2 +2897,,T1078.001,Default Accounts,[],[],,SA-11,mitigates,2 +2898,,T1078.003,Local Accounts,[],[],,SA-11,mitigates,2 +2899,,T1078.004,Cloud Accounts,[],[],,SA-11,mitigates,2 +2900,,T1134.005,SID-History Injection,[],[],,SA-11,mitigates,2 +2901,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-11,mitigates,2 +2902,,T1495,Firmware Corruption,[],[],,SA-11,mitigates,2 +2903,,T1505,Server Software Component,[],[],,SA-11,mitigates,2 +2904,,T1505.001,SQL Stored Procedures,[],[],,SA-11,mitigates,2 +2905,,T1505.002,Transport Agent,[],[],,SA-11,mitigates,2 +2906,,T1528,Steal Application Access Token,[],[],,SA-11,mitigates,2 +2907,,T1542,Pre-OS Boot,[],[],,SA-11,mitigates,2 +2908,,T1542.001,System Firmware,[],[],,SA-11,mitigates,2 +2909,,T1542.003,Bootkit,[],[],,SA-11,mitigates,2 +2910,,T1542.004,ROMMONkit,[],[],,SA-11,mitigates,2 +2911,,T1542.005,TFTP Boot,[],[],,SA-11,mitigates,2 +2912,,T1552,Unsecured Credentials,[],[],,SA-11,mitigates,2 +2913,,T1552.001,Credentials In Files,[],[],,SA-11,mitigates,2 +2914,,T1552.002,Credentials in Registry,[],[],,SA-11,mitigates,2 +2915,,T1552.004,Private Keys,[],[],,SA-11,mitigates,2 +2916,,T1552.006,Group Policy Preferences,[],[],,SA-11,mitigates,2 +2917,,T1553,Subvert Trust Controls,[],[],,SA-11,mitigates,2 +2918,,T1553.006,Code Signing Policy Modification,[],[],,SA-11,mitigates,2 +2919,,T1558.004,AS-REP Roasting,[],[],,SA-11,mitigates,2 +2920,,T1574.002,DLL Side-Loading,[],[],,SA-11,mitigates,2 +2921,,T1601,Modify System Image,[],[],,SA-11,mitigates,2 +2922,,T1601.001,Patch System Image,[],[],,SA-11,mitigates,2 +2923,,T1601.002,Downgrade System Image,[],[],,SA-11,mitigates,2 +2924,,T1612,Build Image on Host,[],[],,SA-11,mitigates,2 
+2925,,T1059.002,AppleScript,[],[],,SA-12,mitigates,2 +2926,,T1204.003,Malicious Image,[],[],,SA-12,mitigates,2 +2927,,T1505,Server Software Component,[],[],,SA-12,mitigates,2 +2928,,T1505.001,SQL Stored Procedures,[],[],,SA-12,mitigates,2 +2929,,T1505.002,Transport Agent,[],[],,SA-12,mitigates,2 +2930,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SA-12,mitigates,2 +2931,,T1554,Compromise Client Software Binary,[],[],,SA-12,mitigates,2 +2932,,T1601,Modify System Image,[],[],,SA-12,mitigates,2 +2933,,T1601.001,Patch System Image,[],[],,SA-12,mitigates,2 +2934,,T1601.002,Downgrade System Image,[],[],,SA-12,mitigates,2 +2935,,T1482,Domain Trust Discovery,[],[],,SA-13,mitigates,2 +2936,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-14,mitigates,2 +2937,,T1495,Firmware Corruption,[],[],,SA-14,mitigates,2 +2938,,T1542,Pre-OS Boot,[],[],,SA-14,mitigates,2 +2939,,T1542.001,System Firmware,[],[],,SA-14,mitigates,2 +2940,,T1542.003,Bootkit,[],[],,SA-14,mitigates,2 +2941,,T1542.004,ROMMONkit,[],[],,SA-14,mitigates,2 +2942,,T1542.005,TFTP Boot,[],[],,SA-14,mitigates,2 +2943,,T1553,Subvert Trust Controls,[],[],,SA-14,mitigates,2 +2944,,T1553.006,Code Signing Policy Modification,[],[],,SA-14,mitigates,2 +2945,,T1601,Modify System Image,[],[],,SA-14,mitigates,2 +2946,,T1601.001,Patch System Image,[],[],,SA-14,mitigates,2 +2947,,T1601.002,Downgrade System Image,[],[],,SA-14,mitigates,2 +2948,,T1078,Valid Accounts,[],[],,SA-15,mitigates,2 +2949,,T1078.001,Default Accounts,[],[],,SA-15,mitigates,2 +2950,,T1078.003,Local Accounts,[],[],,SA-15,mitigates,2 +2951,,T1078.004,Cloud Accounts,[],[],,SA-15,mitigates,2 +2952,,T1528,Steal Application Access Token,[],[],,SA-15,mitigates,2 +2953,,T1552,Unsecured Credentials,[],[],,SA-15,mitigates,2 +2954,,T1552.001,Credentials In Files,[],[],,SA-15,mitigates,2 +2955,,T1552.002,Credentials in Registry,[],[],,SA-15,mitigates,2 +2956,,T1552.004,Private Keys,[],[],,SA-15,mitigates,2 +2957,,T1552.006,Group Policy 
Preferences,[],[],,SA-15,mitigates,2 +2958,,T1558.004,AS-REP Roasting,[],[],,SA-15,mitigates,2 +2959,,T1574.002,DLL Side-Loading,[],[],,SA-15,mitigates,2 +2960,,T1078,Valid Accounts,[],[],,SA-16,mitigates,2 +2961,,T1078.001,Default Accounts,[],[],,SA-16,mitigates,2 +2962,,T1078.003,Local Accounts,[],[],,SA-16,mitigates,2 +2963,,T1078.004,Cloud Accounts,[],[],,SA-16,mitigates,2 +2964,,T1574.002,DLL Side-Loading,[],[],,SA-16,mitigates,2 +2965,,T1078,Valid Accounts,[],[],,SA-17,mitigates,2 +2966,,T1078.001,Default Accounts,[],[],,SA-17,mitigates,2 +2967,,T1078.003,Local Accounts,[],[],,SA-17,mitigates,2 +2968,,T1078.004,Cloud Accounts,[],[],,SA-17,mitigates,2 +2969,,T1134.005,SID-History Injection,[],[],,SA-17,mitigates,2 +2970,,T1482,Domain Trust Discovery,[],[],,SA-17,mitigates,2 +2971,,T1574.002,DLL Side-Loading,[],[],,SA-17,mitigates,2 +2972,,T1554,Compromise Client Software Binary,[],[],,SA-19,mitigates,2 +2973,,T1189,Drive-by Compromise,[],[],,SA-22,mitigates,2 +2974,,T1195,Supply Chain Compromise,[],[],,SA-22,mitigates,2 +2975,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SA-22,mitigates,2 +2976,,T1195.002,Compromise Software Supply Chain,[],[],,SA-22,mitigates,2 +2977,,T1543,Create or Modify System Process,[],[],,SA-22,mitigates,2 +2978,,T1543.002,Systemd Service,[],[],,SA-22,mitigates,2 +2979,,T1078,Valid Accounts,[],[],,SA-3,mitigates,2 +2980,,T1078.001,Default Accounts,[],[],,SA-3,mitigates,2 +2981,,T1078.003,Local Accounts,[],[],,SA-3,mitigates,2 +2982,,T1078.004,Cloud Accounts,[],[],,SA-3,mitigates,2 +2983,,T1574.002,DLL Side-Loading,[],[],,SA-3,mitigates,2 +2984,,T1078,Valid Accounts,[],[],,SA-4,mitigates,2 +2985,,T1078.001,Default Accounts,[],[],,SA-4,mitigates,2 +2986,,T1078.003,Local Accounts,[],[],,SA-4,mitigates,2 +2987,,T1078.004,Cloud Accounts,[],[],,SA-4,mitigates,2 +2988,,T1134.005,SID-History Injection,[],[],,SA-4,mitigates,2 +2989,,T1574.002,DLL Side-Loading,[],[],,SA-4,mitigates,2 +2990,,T1078,Valid 
Accounts,[],[],,SA-8,mitigates,2 +2991,,T1078.001,Default Accounts,[],[],,SA-8,mitigates,2 +2992,,T1078.003,Local Accounts,[],[],,SA-8,mitigates,2 +2993,,T1078.004,Cloud Accounts,[],[],,SA-8,mitigates,2 +2994,,T1134.005,SID-History Injection,[],[],,SA-8,mitigates,2 +2995,,T1190,Exploit Public-Facing Application,[],[],,SA-8,mitigates,2 +2996,,T1482,Domain Trust Discovery,[],[],,SA-8,mitigates,2 +2997,,T1574.002,DLL Side-Loading,[],[],,SA-8,mitigates,2 +2998,,T1071,Application Layer Protocol,[],[],,SC-10,mitigates,2 +2999,,T1071.001,Web Protocols,[],[],,SC-10,mitigates,2 +3000,,T1071.002,File Transfer Protocols,[],[],,SC-10,mitigates,2 +3001,,T1071.003,Mail Protocols,[],[],,SC-10,mitigates,2 +3002,,T1071.004,DNS,[],[],,SC-10,mitigates,2 +3003,,T1072,Software Deployment Tools,[],[],,SC-12,mitigates,2 +3004,,T1098.004,SSH Authorized Keys,[],[],,SC-12,mitigates,2 +3005,,T1552,Unsecured Credentials,[],[],,SC-12,mitigates,2 +3006,,T1552.001,Credentials In Files,[],[],,SC-12,mitigates,2 +3007,,T1552.002,Credentials in Registry,[],[],,SC-12,mitigates,2 +3008,,T1552.004,Private Keys,[],[],,SC-12,mitigates,2 +3009,,T1563.001,SSH Hijacking,[],[],,SC-12,mitigates,2 +3010,,T1573,Encrypted Channel,[],[],,SC-12,mitigates,2 +3011,,T1573.001,Symmetric Cryptography,[],[],,SC-12,mitigates,2 +3012,,T1573.002,Asymmetric Cryptography,[],[],,SC-12,mitigates,2 +3013,,T1573,Encrypted Channel,[],[],,SC-16,mitigates,2 +3014,,T1573.001,Symmetric Cryptography,[],[],,SC-16,mitigates,2 +3015,,T1573.002,Asymmetric Cryptography,[],[],,SC-16,mitigates,2 +3016,,T1072,Software Deployment Tools,[],[],,SC-17,mitigates,2 +3017,,T1021.003,Distributed Component Object Model,[],[],,SC-18,mitigates,2 +3018,,T1055,Process Injection,[],[],,SC-18,mitigates,2 +3019,,T1055.001,Dynamic-link Library Injection,[],[],,SC-18,mitigates,2 +3020,,T1055.002,Portable Executable Injection,[],[],,SC-18,mitigates,2 +3021,,T1055.003,Thread Execution Hijacking,[],[],,SC-18,mitigates,2 +3022,,T1055.004,Asynchronous Procedure 
Call,[],[],,SC-18,mitigates,2 +3023,,T1055.005,Thread Local Storage,[],[],,SC-18,mitigates,2 +3024,,T1055.008,Ptrace System Calls,[],[],,SC-18,mitigates,2 +3025,,T1055.009,Proc Memory,[],[],,SC-18,mitigates,2 +3026,,T1055.011,Extra Window Memory Injection,[],[],,SC-18,mitigates,2 +3027,,T1055.012,Process Hollowing,[],[],,SC-18,mitigates,2 +3028,,T1055.013,Process Doppelgänging,[],[],,SC-18,mitigates,2 +3029,,T1055.014,VDSO Hijacking,[],[],,SC-18,mitigates,2 +3030,,T1059,Command and Scripting Interpreter,[],[],,SC-18,mitigates,2 +3031,,T1059.005,Visual Basic,[],[],,SC-18,mitigates,2 +3032,,T1059.007,JavaScript,[],[],,SC-18,mitigates,2 +3033,,T1068,Exploitation for Privilege Escalation,[],[],,SC-18,mitigates,2 +3034,,T1189,Drive-by Compromise,[],[],,SC-18,mitigates,2 +3035,,T1190,Exploit Public-Facing Application,[],[],,SC-18,mitigates,2 +3036,,T1203,Exploitation for Client Execution,[],[],,SC-18,mitigates,2 +3037,,T1210,Exploitation of Remote Services,[],[],,SC-18,mitigates,2 +3038,,T1211,Exploitation for Defense Evasion,[],[],,SC-18,mitigates,2 +3039,,T1212,Exploitation for Credential Access,[],[],,SC-18,mitigates,2 +3040,,T1218.001,Compiled HTML File,[],[],,SC-18,mitigates,2 +3041,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-18,mitigates,2 +3042,,T1548.004,Elevated Execution with Prompt,[],[],,SC-18,mitigates,2 +3043,,T1559,Inter-Process Communication,[],[],,SC-18,mitigates,2 +3044,,T1559.001,Component Object Model,[],[],,SC-18,mitigates,2 +3045,,T1559.002,Dynamic Data Exchange,[],[],,SC-18,mitigates,2 +3046,,T1611,Escape to Host,[],[],,SC-18,mitigates,2 +3047,,T1068,Exploitation for Privilege Escalation,[],[],,SC-2,mitigates,2 +3048,,T1189,Drive-by Compromise,[],[],,SC-2,mitigates,2 +3049,,T1190,Exploit Public-Facing Application,[],[],,SC-2,mitigates,2 +3050,,T1203,Exploitation for Client Execution,[],[],,SC-2,mitigates,2 +3051,,T1210,Exploitation of Remote Services,[],[],,SC-2,mitigates,2 +3052,,T1211,Exploitation for Defense 
Evasion,[],[],,SC-2,mitigates,2 +3053,,T1212,Exploitation for Credential Access,[],[],,SC-2,mitigates,2 +3054,,T1611,Escape to Host,[],[],,SC-2,mitigates,2 +3055,,T1071,Application Layer Protocol,[],[],,SC-20,mitigates,2 +3056,,T1071.001,Web Protocols,[],[],,SC-20,mitigates,2 +3057,,T1071.002,File Transfer Protocols,[],[],,SC-20,mitigates,2 +3058,,T1071.003,Mail Protocols,[],[],,SC-20,mitigates,2 +3059,,T1071.004,DNS,[],[],,SC-20,mitigates,2 +3060,,T1553.004,Install Root Certificate,[],[],,SC-20,mitigates,2 +3061,,T1566,Phishing,[],[],,SC-20,mitigates,2 +3062,,T1566.001,Spearphishing Attachment,[],[],,SC-20,mitigates,2 +3063,,T1566.002,Spearphishing Link,[],[],,SC-20,mitigates,2 +3064,,T1568,Dynamic Resolution,[],[],,SC-20,mitigates,2 +3065,,T1568.002,Domain Generation Algorithms,[],[],,SC-20,mitigates,2 +3066,,T1598,Phishing for Information,[],[],,SC-20,mitigates,2 +3067,,T1598.002,Spearphishing Attachment,[],[],,SC-20,mitigates,2 +3068,,T1598.003,Spearphishing Link,[],[],,SC-20,mitigates,2 +3069,,T1071,Application Layer Protocol,[],[],,SC-21,mitigates,2 +3070,,T1071.001,Web Protocols,[],[],,SC-21,mitigates,2 +3071,,T1071.002,File Transfer Protocols,[],[],,SC-21,mitigates,2 +3072,,T1071.003,Mail Protocols,[],[],,SC-21,mitigates,2 +3073,,T1071.004,DNS,[],[],,SC-21,mitigates,2 +3074,,T1568,Dynamic Resolution,[],[],,SC-21,mitigates,2 +3075,,T1568.002,Domain Generation Algorithms,[],[],,SC-21,mitigates,2 +3076,,T1071,Application Layer Protocol,[],[],,SC-22,mitigates,2 +3077,,T1071.001,Web Protocols,[],[],,SC-22,mitigates,2 +3078,,T1071.002,File Transfer Protocols,[],[],,SC-22,mitigates,2 +3079,,T1071.003,Mail Protocols,[],[],,SC-22,mitigates,2 +3080,,T1071.004,DNS,[],[],,SC-22,mitigates,2 +3081,,T1568,Dynamic Resolution,[],[],,SC-22,mitigates,2 +3082,,T1568.002,Domain Generation Algorithms,[],[],,SC-22,mitigates,2 +3083,,T1071,Application Layer Protocol,[],[],,SC-23,mitigates,2 +3084,,T1071.001,Web Protocols,[],[],,SC-23,mitigates,2 +3085,,T1071.002,File Transfer 
Protocols,[],[],,SC-23,mitigates,2 +3086,,T1071.003,Mail Protocols,[],[],,SC-23,mitigates,2 +3087,,T1071.004,DNS,[],[],,SC-23,mitigates,2 +3088,,T1535,Unused/Unsupported Cloud Regions,[],[],,SC-23,mitigates,2 +3089,,T1550.004,Web Session Cookie,[],[],,SC-23,mitigates,2 +3090,,T1557,Man-in-the-Middle,[],[],,SC-23,mitigates,2 +3091,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-23,mitigates,2 +3092,,T1557.002,ARP Cache Poisoning,[],[],,SC-23,mitigates,2 +3093,,T1563.001,SSH Hijacking,[],[],,SC-23,mitigates,2 +3094,,T1573,Encrypted Channel,[],[],,SC-23,mitigates,2 +3095,,T1573.001,Symmetric Cryptography,[],[],,SC-23,mitigates,2 +3096,,T1573.002,Asymmetric Cryptography,[],[],,SC-23,mitigates,2 +3097,,T1068,Exploitation for Privilege Escalation,[],[],,SC-26,mitigates,2 +3098,,T1210,Exploitation of Remote Services,[],[],,SC-26,mitigates,2 +3099,,T1211,Exploitation for Defense Evasion,[],[],,SC-26,mitigates,2 +3100,,T1212,Exploitation for Credential Access,[],[],,SC-26,mitigates,2 +3101,,T1003,OS Credential Dumping,[],[],,SC-28,mitigates,2 +3102,,T1003.001,LSASS Memory,[],[],,SC-28,mitigates,2 +3103,,T1003.002,Security Account Manager,[],[],,SC-28,mitigates,2 +3104,,T1003.003,NTDS,[],[],,SC-28,mitigates,2 +3105,,T1003.004,LSA Secrets,[],[],,SC-28,mitigates,2 +3106,,T1003.005,Cached Domain Credentials,[],[],,SC-28,mitigates,2 +3107,,T1003.006,DCSync,[],[],,SC-28,mitigates,2 +3108,,T1003.007,Proc Filesystem,[],[],,SC-28,mitigates,2 +3109,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-28,mitigates,2 +3110,,T1078,Valid Accounts,[],[],,SC-28,mitigates,2 +3111,,T1078.001,Default Accounts,[],[],,SC-28,mitigates,2 +3112,,T1078.003,Local Accounts,[],[],,SC-28,mitigates,2 +3113,,T1078.004,Cloud Accounts,[],[],,SC-28,mitigates,2 +3114,,T1213,Data from Information Repositories,[],[],,SC-28,mitigates,2 +3115,,T1213.001,Confluence,[],[],,SC-28,mitigates,2 +3116,,T1213.002,Sharepoint,[],[],,SC-28,mitigates,2 +3117,,T1530,Data from Cloud Storage 
Object,[],[],,SC-28,mitigates,2 +3118,,T1550.001,Application Access Token,[],[],,SC-28,mitigates,2 +3119,,T1552,Unsecured Credentials,[],[],,SC-28,mitigates,2 +3120,,T1552.001,Credentials In Files,[],[],,SC-28,mitigates,2 +3121,,T1552.002,Credentials in Registry,[],[],,SC-28,mitigates,2 +3122,,T1552.003,Bash History,[],[],,SC-28,mitigates,2 +3123,,T1552.004,Private Keys,[],[],,SC-28,mitigates,2 +3124,,T1565,Data Manipulation,[],[],,SC-28,mitigates,2 +3125,,T1565.001,Stored Data Manipulation,[],[],,SC-28,mitigates,2 +3126,,T1565.003,Runtime Data Manipulation,[],[],,SC-28,mitigates,2 +3127,,T1599,Network Boundary Bridging,[],[],,SC-28,mitigates,2 +3128,,T1599.001,Network Address Translation Traversal,[],[],,SC-28,mitigates,2 +3129,,T1602,Data from Configuration Repository,[],[],,SC-28,mitigates,2 +3130,,T1602.001,SNMP (MIB Dump),[],[],,SC-28,mitigates,2 +3131,,T1602.002,Network Device Configuration Dump,[],[],,SC-28,mitigates,2 +3132,,T1068,Exploitation for Privilege Escalation,[],[],,SC-29,mitigates,2 +3133,,T1189,Drive-by Compromise,[],[],,SC-29,mitigates,2 +3134,,T1190,Exploit Public-Facing Application,[],[],,SC-29,mitigates,2 +3135,,T1203,Exploitation for Client Execution,[],[],,SC-29,mitigates,2 +3136,,T1210,Exploitation of Remote Services,[],[],,SC-29,mitigates,2 +3137,,T1211,Exploitation for Defense Evasion,[],[],,SC-29,mitigates,2 +3138,,T1212,Exploitation for Credential Access,[],[],,SC-29,mitigates,2 +3139,,T1021.003,Distributed Component Object Model,[],[],,SC-3,mitigates,2 +3140,,T1068,Exploitation for Privilege Escalation,[],[],,SC-3,mitigates,2 +3141,,T1134.005,SID-History Injection,[],[],,SC-3,mitigates,2 +3142,,T1189,Drive-by Compromise,[],[],,SC-3,mitigates,2 +3143,,T1190,Exploit Public-Facing Application,[],[],,SC-3,mitigates,2 +3144,,T1203,Exploitation for Client Execution,[],[],,SC-3,mitigates,2 +3145,,T1210,Exploitation of Remote Services,[],[],,SC-3,mitigates,2 +3146,,T1211,Exploitation for Defense Evasion,[],[],,SC-3,mitigates,2 
+3147,,T1212,Exploitation for Credential Access,[],[],,SC-3,mitigates,2 +3148,,T1559,Inter-Process Communication,[],[],,SC-3,mitigates,2 +3149,,T1559.001,Component Object Model,[],[],,SC-3,mitigates,2 +3150,,T1559.002,Dynamic Data Exchange,[],[],,SC-3,mitigates,2 +3151,,T1602,Data from Configuration Repository,[],[],,SC-3,mitigates,2 +3152,,T1602.001,SNMP (MIB Dump),[],[],,SC-3,mitigates,2 +3153,,T1602.002,Network Device Configuration Dump,[],[],,SC-3,mitigates,2 +3154,,T1611,Escape to Host,[],[],,SC-3,mitigates,2 +3155,,T1068,Exploitation for Privilege Escalation,[],[],,SC-30,mitigates,2 +3156,,T1189,Drive-by Compromise,[],[],,SC-30,mitigates,2 +3157,,T1190,Exploit Public-Facing Application,[],[],,SC-30,mitigates,2 +3158,,T1203,Exploitation for Client Execution,[],[],,SC-30,mitigates,2 +3159,,T1210,Exploitation of Remote Services,[],[],,SC-30,mitigates,2 +3160,,T1211,Exploitation for Defense Evasion,[],[],,SC-30,mitigates,2 +3161,,T1212,Exploitation for Credential Access,[],[],,SC-30,mitigates,2 +3162,,T1071,Application Layer Protocol,[],[],,SC-31,mitigates,2 +3163,,T1071.001,Web Protocols,[],[],,SC-31,mitigates,2 +3164,,T1071.002,File Transfer Protocols,[],[],,SC-31,mitigates,2 +3165,,T1071.003,Mail Protocols,[],[],,SC-31,mitigates,2 +3166,,T1071.004,DNS,[],[],,SC-31,mitigates,2 +3167,,T1195.003,Compromise Hardware Supply Chain,[],[],,SC-34,mitigates,2 +3168,,T1542,Pre-OS Boot,[],[],,SC-34,mitigates,2 +3169,,T1542.001,System Firmware,[],[],,SC-34,mitigates,2 +3170,,T1542.003,Bootkit,[],[],,SC-34,mitigates,2 +3171,,T1542.004,ROMMONkit,[],[],,SC-34,mitigates,2 +3172,,T1542.005,TFTP Boot,[],[],,SC-34,mitigates,2 +3173,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-34,mitigates,2 +3174,,T1548.004,Elevated Execution with Prompt,[],[],,SC-34,mitigates,2 +3175,,T1553,Subvert Trust Controls,[],[],,SC-34,mitigates,2 +3176,,T1553.006,Code Signing Policy Modification,[],[],,SC-34,mitigates,2 +3177,,T1601,Modify System Image,[],[],,SC-34,mitigates,2 
+3178,,T1601.001,Patch System Image,[],[],,SC-34,mitigates,2 +3179,,T1601.002,Downgrade System Image,[],[],,SC-34,mitigates,2 +3180,,T1611,Escape to Host,[],[],,SC-34,mitigates,2 +3181,,T1068,Exploitation for Privilege Escalation,[],[],,SC-35,mitigates,2 +3182,,T1210,Exploitation of Remote Services,[],[],,SC-35,mitigates,2 +3183,,T1211,Exploitation for Defense Evasion,[],[],,SC-35,mitigates,2 +3184,,T1212,Exploitation for Credential Access,[],[],,SC-35,mitigates,2 +3185,,T1070,Indicator Removal on Host,[],[],,SC-36,mitigates,2 +3186,,T1070.001,Clear Windows Event Logs,[],[],,SC-36,mitigates,2 +3187,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-36,mitigates,2 +3188,,T1119,Automated Collection,[],[],,SC-36,mitigates,2 +3189,,T1565,Data Manipulation,[],[],,SC-36,mitigates,2 +3190,,T1565.001,Stored Data Manipulation,[],[],,SC-36,mitigates,2 +3191,,T1071,Application Layer Protocol,[],[],,SC-37,mitigates,2 +3192,,T1071.001,Web Protocols,[],[],,SC-37,mitigates,2 +3193,,T1071.002,File Transfer Protocols,[],[],,SC-37,mitigates,2 +3194,,T1071.003,Mail Protocols,[],[],,SC-37,mitigates,2 +3195,,T1071.004,DNS,[],[],,SC-37,mitigates,2 +3196,,T1003,OS Credential Dumping,[],[],,SC-39,mitigates,2 +3197,,T1003.001,LSASS Memory,[],[],,SC-39,mitigates,2 +3198,,T1003.002,Security Account Manager,[],[],,SC-39,mitigates,2 +3199,,T1003.003,NTDS,[],[],,SC-39,mitigates,2 +3200,,T1003.004,LSA Secrets,[],[],,SC-39,mitigates,2 +3201,,T1003.005,Cached Domain Credentials,[],[],,SC-39,mitigates,2 +3202,,T1003.006,DCSync,[],[],,SC-39,mitigates,2 +3203,,T1003.007,Proc Filesystem,[],[],,SC-39,mitigates,2 +3204,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-39,mitigates,2 +3205,,T1068,Exploitation for Privilege Escalation,[],[],,SC-39,mitigates,2 +3206,,T1189,Drive-by Compromise,[],[],,SC-39,mitigates,2 +3207,,T1190,Exploit Public-Facing Application,[],[],,SC-39,mitigates,2 +3208,,T1203,Exploitation for Client Execution,[],[],,SC-39,mitigates,2 +3209,,T1210,Exploitation of Remote 
Services,[],[],,SC-39,mitigates,2 +3210,,T1211,Exploitation for Defense Evasion,[],[],,SC-39,mitigates,2 +3211,,T1212,Exploitation for Credential Access,[],[],,SC-39,mitigates,2 +3212,,T1547.002,Authentication Package,[],[],,SC-39,mitigates,2 +3213,,T1547.005,Security Support Provider,[],[],,SC-39,mitigates,2 +3214,,T1547.008,LSASS Driver,[],[],,SC-39,mitigates,2 +3215,,T1556,Modify Authentication Process,[],[],,SC-39,mitigates,2 +3216,,T1556.001,Domain Controller Authentication,[],[],,SC-39,mitigates,2 +3217,,T1611,Escape to Host,[],[],,SC-39,mitigates,2 +3218,,T1020.001,Traffic Duplication,[],[],,SC-4,mitigates,2 +3219,,T1040,Network Sniffing,[],[],,SC-4,mitigates,2 +3220,,T1070,Indicator Removal on Host,[],[],,SC-4,mitigates,2 +3221,,T1070.001,Clear Windows Event Logs,[],[],,SC-4,mitigates,2 +3222,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-4,mitigates,2 +3223,,T1080,Taint Shared Content,[],[],,SC-4,mitigates,2 +3224,,T1119,Automated Collection,[],[],,SC-4,mitigates,2 +3225,,T1530,Data from Cloud Storage Object,[],[],,SC-4,mitigates,2 +3226,,T1552,Unsecured Credentials,[],[],,SC-4,mitigates,2 +3227,,T1552.001,Credentials In Files,[],[],,SC-4,mitigates,2 +3228,,T1552.002,Credentials in Registry,[],[],,SC-4,mitigates,2 +3229,,T1552.004,Private Keys,[],[],,SC-4,mitigates,2 +3230,,T1557,Man-in-the-Middle,[],[],,SC-4,mitigates,2 +3231,,T1557.002,ARP Cache Poisoning,[],[],,SC-4,mitigates,2 +3232,,T1558,Steal or Forge Kerberos Tickets,[],[],,SC-4,mitigates,2 +3233,,T1558.002,Silver Ticket,[],[],,SC-4,mitigates,2 +3234,,T1558.003,Kerberoasting,[],[],,SC-4,mitigates,2 +3235,,T1558.004,AS-REP Roasting,[],[],,SC-4,mitigates,2 +3236,,T1565,Data Manipulation,[],[],,SC-4,mitigates,2 +3237,,T1565.001,Stored Data Manipulation,[],[],,SC-4,mitigates,2 +3238,,T1565.002,Transmitted Data Manipulation,[],[],,SC-4,mitigates,2 +3239,,T1565.003,Runtime Data Manipulation,[],[],,SC-4,mitigates,2 +3240,,T1602,Data from Configuration Repository,[],[],,SC-4,mitigates,2 
+3241,,T1602.001,SNMP (MIB Dump),[],[],,SC-4,mitigates,2 +3242,,T1602.002,Network Device Configuration Dump,[],[],,SC-4,mitigates,2 +3243,,T1052,Exfiltration Over Physical Medium,[],[],,SC-41,mitigates,2 +3244,,T1052.001,Exfiltration over USB,[],[],,SC-41,mitigates,2 +3245,,T1091,Replication Through Removable Media,[],[],,SC-41,mitigates,2 +3246,,T1200,Hardware Additions,[],[],,SC-41,mitigates,2 +3247,,T1204,User Execution,[],[],,SC-44,mitigates,2 +3248,,T1204.001,Malicious Link,[],[],,SC-44,mitigates,2 +3249,,T1204.002,Malicious File,[],[],,SC-44,mitigates,2 +3250,,T1204.003,Malicious Image,[],[],,SC-44,mitigates,2 +3251,,T1221,Template Injection,[],[],,SC-44,mitigates,2 +3252,,T1566,Phishing,[],[],,SC-44,mitigates,2 +3253,,T1566.001,Spearphishing Attachment,[],[],,SC-44,mitigates,2 +3254,,T1566.002,Spearphishing Link,[],[],,SC-44,mitigates,2 +3255,,T1566.003,Spearphishing via Service,[],[],,SC-44,mitigates,2 +3256,,T1598,Phishing for Information,[],[],,SC-44,mitigates,2 +3257,,T1598.001,Spearphishing Service,[],[],,SC-44,mitigates,2 +3258,,T1598.002,Spearphishing Attachment,[],[],,SC-44,mitigates,2 +3259,,T1598.003,Spearphishing Link,[],[],,SC-44,mitigates,2 +3260,,T1001,Data Obfuscation,[],[],,SC-7,mitigates,2 +3261,,T1001.001,Junk Data,[],[],,SC-7,mitigates,2 +3262,,T1001.002,Steganography,[],[],,SC-7,mitigates,2 +3263,,T1001.003,Protocol Impersonation,[],[],,SC-7,mitigates,2 +3264,,T1008,Fallback Channels,[],[],,SC-7,mitigates,2 +3265,,T1021.001,Remote Desktop Protocol,[],[],,SC-7,mitigates,2 +3266,,T1021.002,SMB/Windows Admin Shares,[],[],,SC-7,mitigates,2 +3267,,T1021.003,Distributed Component Object Model,[],[],,SC-7,mitigates,2 +3268,,T1021.005,VNC,[],[],,SC-7,mitigates,2 +3269,,T1021.006,Windows Remote Management,[],[],,SC-7,mitigates,2 +3270,,T1029,Scheduled Transfer,[],[],,SC-7,mitigates,2 +3271,,T1030,Data Transfer Size Limits,[],[],,SC-7,mitigates,2 +3272,,T1041,Exfiltration Over C2 Channel,[],[],,SC-7,mitigates,2 +3273,,T1046,Network Service 
Scanning,[],[],,SC-7,mitigates,2 +3274,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-7,mitigates,2 +3275,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,2 +3276,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,2 +3277,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-7,mitigates,2 +3278,,T1055,Process Injection,[],[],,SC-7,mitigates,2 +3279,,T1055.001,Dynamic-link Library Injection,[],[],,SC-7,mitigates,2 +3280,,T1055.002,Portable Executable Injection,[],[],,SC-7,mitigates,2 +3281,,T1055.003,Thread Execution Hijacking,[],[],,SC-7,mitigates,2 +3282,,T1055.004,Asynchronous Procedure Call,[],[],,SC-7,mitigates,2 +3283,,T1055.005,Thread Local Storage,[],[],,SC-7,mitigates,2 +3284,,T1055.008,Ptrace System Calls,[],[],,SC-7,mitigates,2 +3285,,T1055.009,Proc Memory,[],[],,SC-7,mitigates,2 +3286,,T1055.011,Extra Window Memory Injection,[],[],,SC-7,mitigates,2 +3287,,T1055.012,Process Hollowing,[],[],,SC-7,mitigates,2 +3288,,T1055.013,Process Doppelgänging,[],[],,SC-7,mitigates,2 +3289,,T1055.014,VDSO Hijacking,[],[],,SC-7,mitigates,2 +3290,,T1068,Exploitation for Privilege Escalation,[],[],,SC-7,mitigates,2 +3291,,T1071,Application Layer Protocol,[],[],,SC-7,mitigates,2 +3292,,T1071.001,Web Protocols,[],[],,SC-7,mitigates,2 +3293,,T1071.002,File Transfer Protocols,[],[],,SC-7,mitigates,2 +3294,,T1071.003,Mail Protocols,[],[],,SC-7,mitigates,2 +3295,,T1071.004,DNS,[],[],,SC-7,mitigates,2 +3296,,T1072,Software Deployment Tools,[],[],,SC-7,mitigates,2 +3297,,T1080,Taint Shared Content,[],[],,SC-7,mitigates,2 +3298,,T1090,Proxy,[],[],,SC-7,mitigates,2 +3299,,T1090.001,Internal Proxy,[],[],,SC-7,mitigates,2 +3300,,T1090.002,External Proxy,[],[],,SC-7,mitigates,2 +3301,,T1090.003,Multi-hop Proxy,[],[],,SC-7,mitigates,2 +3302,,T1095,Non-Application Layer Protocol,[],[],,SC-7,mitigates,2 +3303,,T1098,Account Manipulation,[],[],,SC-7,mitigates,2 
+3304,,T1098.001,Additional Cloud Credentials,[],[],,SC-7,mitigates,2 +3305,,T1102,Web Service,[],[],,SC-7,mitigates,2 +3306,,T1102.001,Dead Drop Resolver,[],[],,SC-7,mitigates,2 +3307,,T1102.002,Bidirectional Communication,[],[],,SC-7,mitigates,2 +3308,,T1102.003,One-Way Communication,[],[],,SC-7,mitigates,2 +3309,,T1104,Multi-Stage Channels,[],[],,SC-7,mitigates,2 +3310,,T1105,Ingress Tool Transfer,[],[],,SC-7,mitigates,2 +3311,,T1114,Email Collection,[],[],,SC-7,mitigates,2 +3312,,T1114.003,Email Forwarding Rule,[],[],,SC-7,mitigates,2 +3313,,T1132,Data Encoding,[],[],,SC-7,mitigates,2 +3314,,T1132.001,Standard Encoding,[],[],,SC-7,mitigates,2 +3315,,T1132.002,Non-Standard Encoding,[],[],,SC-7,mitigates,2 +3316,,T1133,External Remote Services,[],[],,SC-7,mitigates,2 +3317,,T1136,Create Account,[],[],,SC-7,mitigates,2 +3318,,T1136.002,Domain Account,[],[],,SC-7,mitigates,2 +3319,,T1136.003,Cloud Account,[],[],,SC-7,mitigates,2 +3320,,T1176,Browser Extensions,[],[],,SC-7,mitigates,2 +3321,,T1187,Forced Authentication,[],[],,SC-7,mitigates,2 +3322,,T1189,Drive-by Compromise,[],[],,SC-7,mitigates,2 +3323,,T1190,Exploit Public-Facing Application,[],[],,SC-7,mitigates,2 +3324,,T1197,BITS Jobs,[],[],,SC-7,mitigates,2 +3325,,T1199,Trusted Relationship,[],[],,SC-7,mitigates,2 +3326,,T1203,Exploitation for Client Execution,[],[],,SC-7,mitigates,2 +3327,,T1204,User Execution,[],[],,SC-7,mitigates,2 +3328,,T1204.001,Malicious Link,[],[],,SC-7,mitigates,2 +3329,,T1204.002,Malicious File,[],[],,SC-7,mitigates,2 +3330,,T1204.003,Malicious Image,[],[],,SC-7,mitigates,2 +3331,,T1205,Traffic Signaling,[],[],,SC-7,mitigates,2 +3332,,T1205.001,Port Knocking,[],[],,SC-7,mitigates,2 +3333,,T1210,Exploitation of Remote Services,[],[],,SC-7,mitigates,2 +3334,,T1211,Exploitation for Defense Evasion,[],[],,SC-7,mitigates,2 +3335,,T1212,Exploitation for Credential Access,[],[],,SC-7,mitigates,2 +3336,,T1218.012,Verclsid,[],[],,SC-7,mitigates,2 +3337,,T1219,Remote Access 
Software,[],[],,SC-7,mitigates,2 +3338,,T1221,Template Injection,[],[],,SC-7,mitigates,2 +3339,,T1482,Domain Trust Discovery,[],[],,SC-7,mitigates,2 +3340,,T1489,Service Stop,[],[],,SC-7,mitigates,2 +3341,,T1498,Network Denial of Service,[],[],,SC-7,mitigates,2 +3342,,T1498.001,Direct Network Flood,[],[],,SC-7,mitigates,2 +3343,,T1498.002,Reflection Amplification,[],[],,SC-7,mitigates,2 +3344,,T1499,Endpoint Denial of Service,[],[],,SC-7,mitigates,2 +3345,,T1499.001,OS Exhaustion Flood,[],[],,SC-7,mitigates,2 +3346,,T1499.002,Service Exhaustion Flood,[],[],,SC-7,mitigates,2 +3347,,T1499.003,Application Exhaustion Flood,[],[],,SC-7,mitigates,2 +3348,,T1499.004,Application or System Exploitation,[],[],,SC-7,mitigates,2 +3349,,T1530,Data from Cloud Storage Object,[],[],,SC-7,mitigates,2 +3350,,T1537,Transfer Data to Cloud Account,[],[],,SC-7,mitigates,2 +3351,,T1542,Pre-OS Boot,[],[],,SC-7,mitigates,2 +3352,,T1542.004,ROMMONkit,[],[],,SC-7,mitigates,2 +3353,,T1542.005,TFTP Boot,[],[],,SC-7,mitigates,2 +3354,,T1552,Unsecured Credentials,[],[],,SC-7,mitigates,2 +3355,,T1552.001,Credentials In Files,[],[],,SC-7,mitigates,2 +3356,,T1552.004,Private Keys,[],[],,SC-7,mitigates,2 +3357,,T1552.005,Cloud Instance Metadata API,[],[],,SC-7,mitigates,2 +3358,,T1552.007,Container API,[],[],,SC-7,mitigates,2 +3359,,T1557,Man-in-the-Middle,[],[],,SC-7,mitigates,2 +3360,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-7,mitigates,2 +3361,,T1557.002,ARP Cache Poisoning,[],[],,SC-7,mitigates,2 +3362,,T1559,Inter-Process Communication,[],[],,SC-7,mitigates,2 +3363,,T1559.001,Component Object Model,[],[],,SC-7,mitigates,2 +3364,,T1559.002,Dynamic Data Exchange,[],[],,SC-7,mitigates,2 +3365,,T1560,Archive Collected Data,[],[],,SC-7,mitigates,2 +3366,,T1560.001,Archive via Utility,[],[],,SC-7,mitigates,2 +3367,,T1563,Remote Service Session Hijacking,[],[],,SC-7,mitigates,2 +3368,,T1563.002,RDP Hijacking,[],[],,SC-7,mitigates,2 +3369,,T1565,Data Manipulation,[],[],,SC-7,mitigates,2 
+3370,,T1565.001,Stored Data Manipulation,[],[],,SC-7,mitigates,2 +3371,,T1565.003,Runtime Data Manipulation,[],[],,SC-7,mitigates,2 +3372,,T1566,Phishing,[],[],,SC-7,mitigates,2 +3373,,T1566.001,Spearphishing Attachment,[],[],,SC-7,mitigates,2 +3374,,T1566.002,Spearphishing Link,[],[],,SC-7,mitigates,2 +3375,,T1566.003,Spearphishing via Service,[],[],,SC-7,mitigates,2 +3376,,T1567,Exfiltration Over Web Service,[],[],,SC-7,mitigates,2 +3377,,T1567.001,Exfiltration to Code Repository,[],[],,SC-7,mitigates,2 +3378,,T1567.002,Exfiltration to Cloud Storage,[],[],,SC-7,mitigates,2 +3379,,T1568,Dynamic Resolution,[],[],,SC-7,mitigates,2 +3380,,T1568.002,Domain Generation Algorithms,[],[],,SC-7,mitigates,2 +3381,,T1570,Lateral Tool Transfer,[],[],,SC-7,mitigates,2 +3382,,T1571,Non-Standard Port,[],[],,SC-7,mitigates,2 +3383,,T1572,Protocol Tunneling,[],[],,SC-7,mitigates,2 +3384,,T1573,Encrypted Channel,[],[],,SC-7,mitigates,2 +3385,,T1573.001,Symmetric Cryptography,[],[],,SC-7,mitigates,2 +3386,,T1573.002,Asymmetric Cryptography,[],[],,SC-7,mitigates,2 +3387,,T1598,Phishing for Information,[],[],,SC-7,mitigates,2 +3388,,T1598.001,Spearphishing Service,[],[],,SC-7,mitigates,2 +3389,,T1598.002,Spearphishing Attachment,[],[],,SC-7,mitigates,2 +3390,,T1598.003,Spearphishing Link,[],[],,SC-7,mitigates,2 +3391,,T1599,Network Boundary Bridging,[],[],,SC-7,mitigates,2 +3392,,T1599.001,Network Address Translation Traversal,[],[],,SC-7,mitigates,2 +3393,,T1602,Data from Configuration Repository,[],[],,SC-7,mitigates,2 +3394,,T1602.001,SNMP (MIB Dump),[],[],,SC-7,mitigates,2 +3395,,T1602.002,Network Device Configuration Dump,[],[],,SC-7,mitigates,2 +3396,,T1609,Container Administration Command,[],[],,SC-7,mitigates,2 +3397,,T1610,Deploy Container,[],[],,SC-7,mitigates,2 +3398,,T1611,Escape to Host,[],[],,SC-7,mitigates,2 +3399,,T1612,Build Image on Host,[],[],,SC-7,mitigates,2 +3400,,T1613,Container and Resource Discovery,[],[],,SC-7,mitigates,2 +3401,,T1040,Network 
Sniffing,[],[],,SC-8,mitigates,2 +3402,,T1090,Proxy,[],[],,SC-8,mitigates,2 +3403,,T1090.004,Domain Fronting,[],[],,SC-8,mitigates,2 +3404,,T1550.001,Application Access Token,[],[],,SC-8,mitigates,2 +3405,,T1550.004,Web Session Cookie,[],[],,SC-8,mitigates,2 +3406,,T1552.007,Container API,[],[],,SC-8,mitigates,2 +3407,,T1557,Man-in-the-Middle,[],[],,SC-8,mitigates,2 +3408,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-8,mitigates,2 +3409,,T1557.002,ARP Cache Poisoning,[],[],,SC-8,mitigates,2 +3410,,T1562.006,Indicator Blocking,[],[],,SC-8,mitigates,2 +3411,,T1602,Data from Configuration Repository,[],[],,SC-8,mitigates,2 +3412,,T1602.001,SNMP (MIB Dump),[],[],,SC-8,mitigates,2 +3413,,T1602.002,Network Device Configuration Dump,[],[],,SC-8,mitigates,2 +3414,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-10,mitigates,2 +3415,,T1021.005,VNC,[],[],,SI-10,mitigates,2 +3416,,T1036,Masquerading,[],[],,SI-10,mitigates,2 +3417,,T1036.005,Match Legitimate Name or Location,[],[],,SI-10,mitigates,2 +3418,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-10,mitigates,2 +3419,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,2 +3420,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,2 +3421,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-10,mitigates,2 +3422,,T1059,Command and Scripting Interpreter,[],[],,SI-10,mitigates,2 +3423,,T1059.002,AppleScript,[],[],,SI-10,mitigates,2 +3424,,T1059.003,Windows Command Shell,[],[],,SI-10,mitigates,2 +3425,,T1059.004,Unix Shell,[],[],,SI-10,mitigates,2 +3426,,T1059.005,Visual Basic,[],[],,SI-10,mitigates,2 +3427,,T1059.006,Python,[],[],,SI-10,mitigates,2 +3428,,T1059.007,JavaScript,[],[],,SI-10,mitigates,2 +3429,,T1071.004,DNS,[],[],,SI-10,mitigates,2 +3430,,T1080,Taint Shared Content,[],[],,SI-10,mitigates,2 +3431,,T1090,Proxy,[],[],,SI-10,mitigates,2 +3432,,T1090.003,Multi-hop Proxy,[],[],,SI-10,mitigates,2 
+3433,,T1095,Non-Application Layer Protocol,[],[],,SI-10,mitigates,2 +3434,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-10,mitigates,2 +3435,,T1129,Shared Modules,[],[],,SI-10,mitigates,2 +3436,,T1176,Browser Extensions,[],[],,SI-10,mitigates,2 +3437,,T1187,Forced Authentication,[],[],,SI-10,mitigates,2 +3438,,T1190,Exploit Public-Facing Application,[],[],,SI-10,mitigates,2 +3439,,T1197,BITS Jobs,[],[],,SI-10,mitigates,2 +3440,,T1204,User Execution,[],[],,SI-10,mitigates,2 +3441,,T1204.002,Malicious File,[],[],,SI-10,mitigates,2 +3442,,T1216,Signed Script Proxy Execution,[],[],,SI-10,mitigates,2 +3443,,T1216.001,PubPrn,[],[],,SI-10,mitigates,2 +3444,,T1218,Signed Binary Proxy Execution,[],[],,SI-10,mitigates,2 +3445,,T1218.001,Compiled HTML File,[],[],,SI-10,mitigates,2 +3446,,T1218.002,Control Panel,[],[],,SI-10,mitigates,2 +3447,,T1218.003,CMSTP,[],[],,SI-10,mitigates,2 +3448,,T1218.004,InstallUtil,[],[],,SI-10,mitigates,2 +3449,,T1218.005,Mshta,[],[],,SI-10,mitigates,2 +3450,,T1218.008,Odbcconf,[],[],,SI-10,mitigates,2 +3451,,T1218.009,Regsvcs/Regasm,[],[],,SI-10,mitigates,2 +3452,,T1218.010,Regsvr32,[],[],,SI-10,mitigates,2 +3453,,T1218.011,Rundll32,[],[],,SI-10,mitigates,2 +3454,,T1218.012,Verclsid,[],[],,SI-10,mitigates,2 +3455,,T1219,Remote Access Software,[],[],,SI-10,mitigates,2 +3456,,T1220,XSL Script Processing,[],[],,SI-10,mitigates,2 +3457,,T1221,Template Injection,[],[],,SI-10,mitigates,2 +3458,,T1498,Network Denial of Service,[],[],,SI-10,mitigates,2 +3459,,T1498.001,Direct Network Flood,[],[],,SI-10,mitigates,2 +3460,,T1498.002,Reflection Amplification,[],[],,SI-10,mitigates,2 +3461,,T1499,Endpoint Denial of Service,[],[],,SI-10,mitigates,2 +3462,,T1499.001,OS Exhaustion Flood,[],[],,SI-10,mitigates,2 +3463,,T1499.002,Service Exhaustion Flood,[],[],,SI-10,mitigates,2 +3464,,T1499.003,Application Exhaustion Flood,[],[],,SI-10,mitigates,2 +3465,,T1499.004,Application or System Exploitation,[],[],,SI-10,mitigates,2 +3466,,T1530,Data 
from Cloud Storage Object,[],[],,SI-10,mitigates,2 +3467,,T1537,Transfer Data to Cloud Account,[],[],,SI-10,mitigates,2 +3468,,T1546.002,Screensaver,[],[],,SI-10,mitigates,2 +3469,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-10,mitigates,2 +3470,,T1546.008,Accessibility Features,[],[],,SI-10,mitigates,2 +3471,,T1546.009,AppCert DLLs,[],[],,SI-10,mitigates,2 +3472,,T1547.004,Winlogon Helper DLL,[],[],,SI-10,mitigates,2 +3473,,T1547.006,Kernel Modules and Extensions,[],[],,SI-10,mitigates,2 +3474,,T1552,Unsecured Credentials,[],[],,SI-10,mitigates,2 +3475,,T1552.005,Cloud Instance Metadata API,[],[],,SI-10,mitigates,2 +3476,,T1553,Subvert Trust Controls,[],[],,SI-10,mitigates,2 +3477,,T1553.001,Gatekeeper Bypass,[],[],,SI-10,mitigates,2 +3478,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-10,mitigates,2 +3479,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-10,mitigates,2 +3480,,T1557,Man-in-the-Middle,[],[],,SI-10,mitigates,2 +3481,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-10,mitigates,2 +3482,,T1557.002,ARP Cache Poisoning,[],[],,SI-10,mitigates,2 +3483,,T1564.003,Hidden Window,[],[],,SI-10,mitigates,2 +3484,,T1564.006,Run Virtual Instance,[],[],,SI-10,mitigates,2 +3485,,T1570,Lateral Tool Transfer,[],[],,SI-10,mitigates,2 +3486,,T1572,Protocol Tunneling,[],[],,SI-10,mitigates,2 +3487,,T1574,Hijack Execution Flow,[],[],,SI-10,mitigates,2 +3488,,T1574.001,DLL Search Order Hijacking,[],[],,SI-10,mitigates,2 +3489,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-10,mitigates,2 +3490,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-10,mitigates,2 +3491,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-10,mitigates,2 +3492,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-10,mitigates,2 +3493,,T1574.012,COR_PROFILER,[],[],,SI-10,mitigates,2 +3494,,T1599,Network Boundary Bridging,[],[],,SI-10,mitigates,2 +3495,,T1599.001,Network Address Translation Traversal,[],[],,SI-10,mitigates,2 +3496,,T1602,Data from 
Configuration Repository,[],[],,SI-10,mitigates,2 +3497,,T1602.001,SNMP (MIB Dump),[],[],,SI-10,mitigates,2 +3498,,T1602.002,Network Device Configuration Dump,[],[],,SI-10,mitigates,2 +3499,,T1609,Container Administration Command,[],[],,SI-10,mitigates,2 +3500,,T1003,OS Credential Dumping,[],[],,SI-12,mitigates,2 +3501,,T1003.003,NTDS,[],[],,SI-12,mitigates,2 +3502,,T1020.001,Traffic Duplication,[],[],,SI-12,mitigates,2 +3503,,T1040,Network Sniffing,[],[],,SI-12,mitigates,2 +3504,,T1070,Indicator Removal on Host,[],[],,SI-12,mitigates,2 +3505,,T1070.001,Clear Windows Event Logs,[],[],,SI-12,mitigates,2 +3506,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-12,mitigates,2 +3507,,T1114,Email Collection,[],[],,SI-12,mitigates,2 +3508,,T1114.001,Local Email Collection,[],[],,SI-12,mitigates,2 +3509,,T1114.002,Remote Email Collection,[],[],,SI-12,mitigates,2 +3510,,T1114.003,Email Forwarding Rule,[],[],,SI-12,mitigates,2 +3511,,T1119,Automated Collection,[],[],,SI-12,mitigates,2 +3512,,T1530,Data from Cloud Storage Object,[],[],,SI-12,mitigates,2 +3513,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-12,mitigates,2 +3514,,T1548.004,Elevated Execution with Prompt,[],[],,SI-12,mitigates,2 +3515,,T1550.001,Application Access Token,[],[],,SI-12,mitigates,2 +3516,,T1552,Unsecured Credentials,[],[],,SI-12,mitigates,2 +3517,,T1552.004,Private Keys,[],[],,SI-12,mitigates,2 +3518,,T1557,Man-in-the-Middle,[],[],,SI-12,mitigates,2 +3519,,T1557.002,ARP Cache Poisoning,[],[],,SI-12,mitigates,2 +3520,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-12,mitigates,2 +3521,,T1558.002,Silver Ticket,[],[],,SI-12,mitigates,2 +3522,,T1558.003,Kerberoasting,[],[],,SI-12,mitigates,2 +3523,,T1558.004,AS-REP Roasting,[],[],,SI-12,mitigates,2 +3524,,T1565,Data Manipulation,[],[],,SI-12,mitigates,2 +3525,,T1565.001,Stored Data Manipulation,[],[],,SI-12,mitigates,2 +3526,,T1565.002,Transmitted Data Manipulation,[],[],,SI-12,mitigates,2 +3527,,T1602,Data from Configuration 
Repository,[],[],,SI-12,mitigates,2 +3528,,T1602.001,SNMP (MIB Dump),[],[],,SI-12,mitigates,2 +3529,,T1602.002,Network Device Configuration Dump,[],[],,SI-12,mitigates,2 +3530,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-15,mitigates,2 +3531,,T1021.005,VNC,[],[],,SI-15,mitigates,2 +3532,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-15,mitigates,2 +3533,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,2 +3534,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,2 +3535,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-15,mitigates,2 +3536,,T1071.004,DNS,[],[],,SI-15,mitigates,2 +3537,,T1090,Proxy,[],[],,SI-15,mitigates,2 +3538,,T1090.003,Multi-hop Proxy,[],[],,SI-15,mitigates,2 +3539,,T1095,Non-Application Layer Protocol,[],[],,SI-15,mitigates,2 +3540,,T1187,Forced Authentication,[],[],,SI-15,mitigates,2 +3541,,T1197,BITS Jobs,[],[],,SI-15,mitigates,2 +3542,,T1205,Traffic Signaling,[],[],,SI-15,mitigates,2 +3543,,T1205.001,Port Knocking,[],[],,SI-15,mitigates,2 +3544,,T1218.012,Verclsid,[],[],,SI-15,mitigates,2 +3545,,T1219,Remote Access Software,[],[],,SI-15,mitigates,2 +3546,,T1498,Network Denial of Service,[],[],,SI-15,mitigates,2 +3547,,T1498.001,Direct Network Flood,[],[],,SI-15,mitigates,2 +3548,,T1498.002,Reflection Amplification,[],[],,SI-15,mitigates,2 +3549,,T1499,Endpoint Denial of Service,[],[],,SI-15,mitigates,2 +3550,,T1499.001,OS Exhaustion Flood,[],[],,SI-15,mitigates,2 +3551,,T1499.002,Service Exhaustion Flood,[],[],,SI-15,mitigates,2 +3552,,T1499.003,Application Exhaustion Flood,[],[],,SI-15,mitigates,2 +3553,,T1499.004,Application or System Exploitation,[],[],,SI-15,mitigates,2 +3554,,T1530,Data from Cloud Storage Object,[],[],,SI-15,mitigates,2 +3555,,T1537,Transfer Data to Cloud Account,[],[],,SI-15,mitigates,2 +3556,,T1552,Unsecured Credentials,[],[],,SI-15,mitigates,2 +3557,,T1552.005,Cloud Instance Metadata 
API,[],[],,SI-15,mitigates,2 +3558,,T1557,Man-in-the-Middle,[],[],,SI-15,mitigates,2 +3559,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-15,mitigates,2 +3560,,T1557.002,ARP Cache Poisoning,[],[],,SI-15,mitigates,2 +3561,,T1570,Lateral Tool Transfer,[],[],,SI-15,mitigates,2 +3562,,T1572,Protocol Tunneling,[],[],,SI-15,mitigates,2 +3563,,T1599,Network Boundary Bridging,[],[],,SI-15,mitigates,2 +3564,,T1599.001,Network Address Translation Traversal,[],[],,SI-15,mitigates,2 +3565,,T1602,Data from Configuration Repository,[],[],,SI-15,mitigates,2 +3566,,T1602.001,SNMP (MIB Dump),[],[],,SI-15,mitigates,2 +3567,,T1602.002,Network Device Configuration Dump,[],[],,SI-15,mitigates,2 +3568,,T1055.009,Proc Memory,[],[],,SI-16,mitigates,2 +3569,,T1543,Create or Modify System Process,[],[],,SI-16,mitigates,2 +3570,,T1543.002,Systemd Service,[],[],,SI-16,mitigates,2 +3571,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-16,mitigates,2 +3572,,T1548.004,Elevated Execution with Prompt,[],[],,SI-16,mitigates,2 +3573,,T1565,Data Manipulation,[],[],,SI-16,mitigates,2 +3574,,T1565.001,Stored Data Manipulation,[],[],,SI-16,mitigates,2 +3575,,T1565.003,Runtime Data Manipulation,[],[],,SI-16,mitigates,2 +3576,,T1611,Escape to Host,[],[],,SI-16,mitigates,2 +3577,,T1027,Obfuscated Files or Information,[],[],,SI-2,mitigates,2 +3578,,T1027.002,Software Packing,[],[],,SI-2,mitigates,2 +3579,,T1055,Process Injection,[],[],,SI-2,mitigates,2 +3580,,T1055.001,Dynamic-link Library Injection,[],[],,SI-2,mitigates,2 +3581,,T1055.002,Portable Executable Injection,[],[],,SI-2,mitigates,2 +3582,,T1055.003,Thread Execution Hijacking,[],[],,SI-2,mitigates,2 +3583,,T1055.004,Asynchronous Procedure Call,[],[],,SI-2,mitigates,2 +3584,,T1055.005,Thread Local Storage,[],[],,SI-2,mitigates,2 +3585,,T1055.008,Ptrace System Calls,[],[],,SI-2,mitigates,2 +3586,,T1055.009,Proc Memory,[],[],,SI-2,mitigates,2 +3587,,T1055.011,Extra Window Memory Injection,[],[],,SI-2,mitigates,2 +3588,,T1055.012,Process 
Hollowing,[],[],,SI-2,mitigates,2 +3589,,T1055.013,Process Doppelgänging,[],[],,SI-2,mitigates,2 +3590,,T1055.014,VDSO Hijacking,[],[],,SI-2,mitigates,2 +3591,,T1059,Command and Scripting Interpreter,[],[],,SI-2,mitigates,2 +3592,,T1059.001,PowerShell,[],[],,SI-2,mitigates,2 +3593,,T1059.005,Visual Basic,[],[],,SI-2,mitigates,2 +3594,,T1059.006,Python,[],[],,SI-2,mitigates,2 +3595,,T1068,Exploitation for Privilege Escalation,[],[],,SI-2,mitigates,2 +3596,,T1072,Software Deployment Tools,[],[],,SI-2,mitigates,2 +3597,,T1137,Office Application Startup,[],[],,SI-2,mitigates,2 +3598,,T1137.003,Outlook Forms,[],[],,SI-2,mitigates,2 +3599,,T1137.004,Outlook Home Page,[],[],,SI-2,mitigates,2 +3600,,T1137.005,Outlook Rules,[],[],,SI-2,mitigates,2 +3601,,T1189,Drive-by Compromise,[],[],,SI-2,mitigates,2 +3602,,T1190,Exploit Public-Facing Application,[],[],,SI-2,mitigates,2 +3603,,T1195,Supply Chain Compromise,[],[],,SI-2,mitigates,2 +3604,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SI-2,mitigates,2 +3605,,T1195.002,Compromise Software Supply Chain,[],[],,SI-2,mitigates,2 +3606,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-2,mitigates,2 +3607,,T1204,User Execution,[],[],,SI-2,mitigates,2 +3608,,T1204.001,Malicious Link,[],[],,SI-2,mitigates,2 +3609,,T1204.003,Malicious Image,[],[],,SI-2,mitigates,2 +3610,,T1210,Exploitation of Remote Services,[],[],,SI-2,mitigates,2 +3611,,T1211,Exploitation for Defense Evasion,[],[],,SI-2,mitigates,2 +3612,,T1212,Exploitation for Credential Access,[],[],,SI-2,mitigates,2 +3613,,T1221,Template Injection,[],[],,SI-2,mitigates,2 +3614,,T1495,Firmware Corruption,[],[],,SI-2,mitigates,2 +3615,,T1525,Implant Internal Image,[],[],,SI-2,mitigates,2 +3616,,T1542,Pre-OS Boot,[],[],,SI-2,mitigates,2 +3617,,T1542.001,System Firmware,[],[],,SI-2,mitigates,2 +3618,,T1542.003,Bootkit,[],[],,SI-2,mitigates,2 +3619,,T1542.004,ROMMONkit,[],[],,SI-2,mitigates,2 +3620,,T1542.005,TFTP Boot,[],[],,SI-2,mitigates,2 
+3621,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-2,mitigates,2 +3622,,T1546.010,AppInit DLLs,[],[],,SI-2,mitigates,2 +3623,,T1546.011,Application Shimming,[],[],,SI-2,mitigates,2 +3624,,T1547.006,Kernel Modules and Extensions,[],[],,SI-2,mitigates,2 +3625,,T1548.002,Bypass User Account Control,[],[],,SI-2,mitigates,2 +3626,,T1550.002,Pass the Hash,[],[],,SI-2,mitigates,2 +3627,,T1552,Unsecured Credentials,[],[],,SI-2,mitigates,2 +3628,,T1552.006,Group Policy Preferences,[],[],,SI-2,mitigates,2 +3629,,T1553,Subvert Trust Controls,[],[],,SI-2,mitigates,2 +3630,,T1553.006,Code Signing Policy Modification,[],[],,SI-2,mitigates,2 +3631,,T1555.005,Password Managers,[],[],,SI-2,mitigates,2 +3632,,T1559,Inter-Process Communication,[],[],,SI-2,mitigates,2 +3633,,T1559.002,Dynamic Data Exchange,[],[],,SI-2,mitigates,2 +3634,,T1566,Phishing,[],[],,SI-2,mitigates,2 +3635,,T1566.003,Spearphishing via Service,[],[],,SI-2,mitigates,2 +3636,,T1574,Hijack Execution Flow,[],[],,SI-2,mitigates,2 +3637,,T1574.002,DLL Side-Loading,[],[],,SI-2,mitigates,2 +3638,,T1601,Modify System Image,[],[],,SI-2,mitigates,2 +3639,,T1601.001,Patch System Image,[],[],,SI-2,mitigates,2 +3640,,T1601.002,Downgrade System Image,[],[],,SI-2,mitigates,2 +3641,,T1611,Escape to Host,[],[],,SI-2,mitigates,2 +3642,,T1001,Data Obfuscation,[],[],,SI-3,mitigates,2 +3643,,T1001.001,Junk Data,[],[],,SI-3,mitigates,2 +3644,,T1001.002,Steganography,[],[],,SI-3,mitigates,2 +3645,,T1001.003,Protocol Impersonation,[],[],,SI-3,mitigates,2 +3646,,T1003,OS Credential Dumping,[],[],,SI-3,mitigates,2 +3647,,T1003.001,LSASS Memory,[],[],,SI-3,mitigates,2 +3648,,T1003.002,Security Account Manager,[],[],,SI-3,mitigates,2 +3649,,T1003.003,NTDS,[],[],,SI-3,mitigates,2 +3650,,T1003.004,LSA Secrets,[],[],,SI-3,mitigates,2 +3651,,T1003.005,Cached Domain Credentials,[],[],,SI-3,mitigates,2 +3652,,T1003.006,DCSync,[],[],,SI-3,mitigates,2 +3653,,T1003.007,Proc Filesystem,[],[],,SI-3,mitigates,2 +3654,,T1003.008,/etc/passwd and 
/etc/shadow,[],[],,SI-3,mitigates,2 +3655,,T1008,Fallback Channels,[],[],,SI-3,mitigates,2 +3656,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-3,mitigates,2 +3657,,T1021.003,Distributed Component Object Model,[],[],,SI-3,mitigates,2 +3658,,T1021.005,VNC,[],[],,SI-3,mitigates,2 +3659,,T1027,Obfuscated Files or Information,[],[],,SI-3,mitigates,2 +3660,,T1027.002,Software Packing,[],[],,SI-3,mitigates,2 +3661,,T1029,Scheduled Transfer,[],[],,SI-3,mitigates,2 +3662,,T1030,Data Transfer Size Limits,[],[],,SI-3,mitigates,2 +3663,,T1036,Masquerading,[],[],,SI-3,mitigates,2 +3664,,T1036.003,Rename System Utilities,[],[],,SI-3,mitigates,2 +3665,,T1036.005,Match Legitimate Name or Location,[],[],,SI-3,mitigates,2 +3666,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-3,mitigates,2 +3667,,T1037.002,Logon Script (Mac),[],[],,SI-3,mitigates,2 +3668,,T1037.003,Network Logon Script,[],[],,SI-3,mitigates,2 +3669,,T1037.004,RC Scripts,[],[],,SI-3,mitigates,2 +3670,,T1037.005,Startup Items,[],[],,SI-3,mitigates,2 +3671,,T1041,Exfiltration Over C2 Channel,[],[],,SI-3,mitigates,2 +3672,,T1046,Network Service Scanning,[],[],,SI-3,mitigates,2 +3673,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-3,mitigates,2 +3674,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,2 +3675,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,2 +3676,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-3,mitigates,2 +3677,,T1052,Exfiltration Over Physical Medium,[],[],,SI-3,mitigates,2 +3678,,T1052.001,Exfiltration over USB,[],[],,SI-3,mitigates,2 +3679,,T1055,Process Injection,[],[],,SI-3,mitigates,2 +3680,,T1055.001,Dynamic-link Library Injection,[],[],,SI-3,mitigates,2 +3681,,T1055.002,Portable Executable Injection,[],[],,SI-3,mitigates,2 +3682,,T1055.003,Thread Execution Hijacking,[],[],,SI-3,mitigates,2 +3683,,T1055.004,Asynchronous Procedure Call,[],[],,SI-3,mitigates,2 
+3684,,T1055.005,Thread Local Storage,[],[],,SI-3,mitigates,2 +3685,,T1055.008,Ptrace System Calls,[],[],,SI-3,mitigates,2 +3686,,T1055.009,Proc Memory,[],[],,SI-3,mitigates,2 +3687,,T1055.011,Extra Window Memory Injection,[],[],,SI-3,mitigates,2 +3688,,T1055.012,Process Hollowing,[],[],,SI-3,mitigates,2 +3689,,T1055.013,Process Doppelgänging,[],[],,SI-3,mitigates,2 +3690,,T1055.014,VDSO Hijacking,[],[],,SI-3,mitigates,2 +3691,,T1056.002,GUI Input Capture,[],[],,SI-3,mitigates,2 +3692,,T1059,Command and Scripting Interpreter,[],[],,SI-3,mitigates,2 +3693,,T1059.001,PowerShell,[],[],,SI-3,mitigates,2 +3694,,T1059.005,Visual Basic,[],[],,SI-3,mitigates,2 +3695,,T1059.006,Python,[],[],,SI-3,mitigates,2 +3696,,T1059.007,JavaScript,[],[],,SI-3,mitigates,2 +3697,,T1068,Exploitation for Privilege Escalation,[],[],,SI-3,mitigates,2 +3698,,T1070,Indicator Removal on Host,[],[],,SI-3,mitigates,2 +3699,,T1070.001,Clear Windows Event Logs,[],[],,SI-3,mitigates,2 +3700,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-3,mitigates,2 +3701,,T1070.003,Clear Command History,[],[],,SI-3,mitigates,2 +3702,,T1071,Application Layer Protocol,[],[],,SI-3,mitigates,2 +3703,,T1071.001,Web Protocols,[],[],,SI-3,mitigates,2 +3704,,T1071.002,File Transfer Protocols,[],[],,SI-3,mitigates,2 +3705,,T1071.003,Mail Protocols,[],[],,SI-3,mitigates,2 +3706,,T1071.004,DNS,[],[],,SI-3,mitigates,2 +3707,,T1072,Software Deployment Tools,[],[],,SI-3,mitigates,2 +3708,,T1080,Taint Shared Content,[],[],,SI-3,mitigates,2 +3709,,T1090,Proxy,[],[],,SI-3,mitigates,2 +3710,,T1090.001,Internal Proxy,[],[],,SI-3,mitigates,2 +3711,,T1090.002,External Proxy,[],[],,SI-3,mitigates,2 +3712,,T1091,Replication Through Removable Media,[],[],,SI-3,mitigates,2 +3713,,T1092,Communication Through Removable Media,[],[],,SI-3,mitigates,2 +3714,,T1095,Non-Application Layer Protocol,[],[],,SI-3,mitigates,2 +3715,,T1098.004,SSH Authorized Keys,[],[],,SI-3,mitigates,2 +3716,,T1102,Web Service,[],[],,SI-3,mitigates,2 
+3717,,T1102.001,Dead Drop Resolver,[],[],,SI-3,mitigates,2 +3718,,T1102.002,Bidirectional Communication,[],[],,SI-3,mitigates,2 +3719,,T1102.003,One-Way Communication,[],[],,SI-3,mitigates,2 +3720,,T1104,Multi-Stage Channels,[],[],,SI-3,mitigates,2 +3721,,T1105,Ingress Tool Transfer,[],[],,SI-3,mitigates,2 +3722,,T1111,Two-Factor Authentication Interception,[],[],,SI-3,mitigates,2 +3723,,T1132,Data Encoding,[],[],,SI-3,mitigates,2 +3724,,T1132.001,Standard Encoding,[],[],,SI-3,mitigates,2 +3725,,T1132.002,Non-Standard Encoding,[],[],,SI-3,mitigates,2 +3726,,T1137,Office Application Startup,[],[],,SI-3,mitigates,2 +3727,,T1137.001,Office Template Macros,[],[],,SI-3,mitigates,2 +3728,,T1176,Browser Extensions,[],[],,SI-3,mitigates,2 +3729,,T1185,Man in the Browser,[],[],,SI-3,mitigates,2 +3730,,T1189,Drive-by Compromise,[],[],,SI-3,mitigates,2 +3731,,T1190,Exploit Public-Facing Application,[],[],,SI-3,mitigates,2 +3732,,T1201,Password Policy Discovery,[],[],,SI-3,mitigates,2 +3733,,T1203,Exploitation for Client Execution,[],[],,SI-3,mitigates,2 +3734,,T1204,User Execution,[],[],,SI-3,mitigates,2 +3735,,T1204.001,Malicious Link,[],[],,SI-3,mitigates,2 +3736,,T1204.002,Malicious File,[],[],,SI-3,mitigates,2 +3737,,T1204.003,Malicious Image,[],[],,SI-3,mitigates,2 +3738,,T1210,Exploitation of Remote Services,[],[],,SI-3,mitigates,2 +3739,,T1211,Exploitation for Defense Evasion,[],[],,SI-3,mitigates,2 +3740,,T1212,Exploitation for Credential Access,[],[],,SI-3,mitigates,2 +3741,,T1218.002,Control Panel,[],[],,SI-3,mitigates,2 +3742,,T1219,Remote Access Software,[],[],,SI-3,mitigates,2 +3743,,T1221,Template Injection,[],[],,SI-3,mitigates,2 +3744,,T1485,Data Destruction,[],[],,SI-3,mitigates,2 +3745,,T1486,Data Encrypted for Impact,[],[],,SI-3,mitigates,2 +3746,,T1490,Inhibit System Recovery,[],[],,SI-3,mitigates,2 +3747,,T1491,Defacement,[],[],,SI-3,mitigates,2 +3748,,T1491.001,Internal Defacement,[],[],,SI-3,mitigates,2 +3749,,T1491.002,External 
Defacement,[],[],,SI-3,mitigates,2 +3750,,T1525,Implant Internal Image,[],[],,SI-3,mitigates,2 +3751,,T1539,Steal Web Session Cookie,[],[],,SI-3,mitigates,2 +3752,,T1543,Create or Modify System Process,[],[],,SI-3,mitigates,2 +3753,,T1543.002,Systemd Service,[],[],,SI-3,mitigates,2 +3754,,T1546.002,Screensaver,[],[],,SI-3,mitigates,2 +3755,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-3,mitigates,2 +3756,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-3,mitigates,2 +3757,,T1546.013,PowerShell Profile,[],[],,SI-3,mitigates,2 +3758,,T1546.014,Emond,[],[],,SI-3,mitigates,2 +3759,,T1547.002,Authentication Package,[],[],,SI-3,mitigates,2 +3760,,T1547.005,Security Support Provider,[],[],,SI-3,mitigates,2 +3761,,T1547.006,Kernel Modules and Extensions,[],[],,SI-3,mitigates,2 +3762,,T1547.007,Re-opened Applications,[],[],,SI-3,mitigates,2 +3763,,T1547.008,LSASS Driver,[],[],,SI-3,mitigates,2 +3764,,T1547.013,XDG Autostart Entries,[],[],,SI-3,mitigates,2 +3765,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-3,mitigates,2 +3766,,T1548.004,Elevated Execution with Prompt,[],[],,SI-3,mitigates,2 +3767,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-3,mitigates,2 +3768,,T1557,Man-in-the-Middle,[],[],,SI-3,mitigates,2 +3769,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-3,mitigates,2 +3770,,T1557.002,ARP Cache Poisoning,[],[],,SI-3,mitigates,2 +3771,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-3,mitigates,2 +3772,,T1558.002,Silver Ticket,[],[],,SI-3,mitigates,2 +3773,,T1558.003,Kerberoasting,[],[],,SI-3,mitigates,2 +3774,,T1558.004,AS-REP Roasting,[],[],,SI-3,mitigates,2 +3775,,T1559,Inter-Process Communication,[],[],,SI-3,mitigates,2 +3776,,T1559.001,Component Object Model,[],[],,SI-3,mitigates,2 +3777,,T1559.002,Dynamic Data Exchange,[],[],,SI-3,mitigates,2 +3778,,T1560,Archive Collected Data,[],[],,SI-3,mitigates,2 +3779,,T1560.001,Archive via Utility,[],[],,SI-3,mitigates,2 +3780,,T1561,Disk Wipe,[],[],,SI-3,mitigates,2 +3781,,T1561.001,Disk 
Content Wipe,[],[],,SI-3,mitigates,2 +3782,,T1561.002,Disk Structure Wipe,[],[],,SI-3,mitigates,2 +3783,,T1562,Impair Defenses,[],[],,SI-3,mitigates,2 +3784,,T1562.001,Disable or Modify Tools,[],[],,SI-3,mitigates,2 +3785,,T1562.002,Disable Windows Event Logging,[],[],,SI-3,mitigates,2 +3786,,T1562.004,Disable or Modify System Firewall,[],[],,SI-3,mitigates,2 +3787,,T1562.006,Indicator Blocking,[],[],,SI-3,mitigates,2 +3788,,T1564.004,NTFS File Attributes,[],[],,SI-3,mitigates,2 +3789,,T1566,Phishing,[],[],,SI-3,mitigates,2 +3790,,T1566.001,Spearphishing Attachment,[],[],,SI-3,mitigates,2 +3791,,T1566.002,Spearphishing Link,[],[],,SI-3,mitigates,2 +3792,,T1566.003,Spearphishing via Service,[],[],,SI-3,mitigates,2 +3793,,T1568,Dynamic Resolution,[],[],,SI-3,mitigates,2 +3794,,T1568.002,Domain Generation Algorithms,[],[],,SI-3,mitigates,2 +3795,,T1569,System Services,[],[],,SI-3,mitigates,2 +3796,,T1569.002,Service Execution,[],[],,SI-3,mitigates,2 +3797,,T1570,Lateral Tool Transfer,[],[],,SI-3,mitigates,2 +3798,,T1571,Non-Standard Port,[],[],,SI-3,mitigates,2 +3799,,T1572,Protocol Tunneling,[],[],,SI-3,mitigates,2 +3800,,T1573,Encrypted Channel,[],[],,SI-3,mitigates,2 +3801,,T1573.001,Symmetric Cryptography,[],[],,SI-3,mitigates,2 +3802,,T1573.002,Asymmetric Cryptography,[],[],,SI-3,mitigates,2 +3803,,T1574,Hijack Execution Flow,[],[],,SI-3,mitigates,2 +3804,,T1574.001,DLL Search Order Hijacking,[],[],,SI-3,mitigates,2 +3805,,T1574.004,Dylib Hijacking,[],[],,SI-3,mitigates,2 +3806,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-3,mitigates,2 +3807,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-3,mitigates,2 +3808,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-3,mitigates,2 +3809,,T1598,Phishing for Information,[],[],,SI-3,mitigates,2 +3810,,T1598.001,Spearphishing Service,[],[],,SI-3,mitigates,2 +3811,,T1598.002,Spearphishing Attachment,[],[],,SI-3,mitigates,2 +3812,,T1598.003,Spearphishing Link,[],[],,SI-3,mitigates,2 
+3813,,T1602,Data from Configuration Repository,[],[],,SI-3,mitigates,2 +3814,,T1602.001,SNMP (MIB Dump),[],[],,SI-3,mitigates,2 +3815,,T1602.002,Network Device Configuration Dump,[],[],,SI-3,mitigates,2 +3816,,T1611,Escape to Host,[],[],,SI-3,mitigates,2 +3817,,T1001,Data Obfuscation,[],[],,SI-4,mitigates,2 +3818,,T1001.001,Junk Data,[],[],,SI-4,mitigates,2 +3819,,T1001.002,Steganography,[],[],,SI-4,mitigates,2 +3820,,T1001.003,Protocol Impersonation,[],[],,SI-4,mitigates,2 +3821,,T1003,OS Credential Dumping,[],[],,SI-4,mitigates,2 +3822,,T1003.001,LSASS Memory,[],[],,SI-4,mitigates,2 +3823,,T1003.002,Security Account Manager,[],[],,SI-4,mitigates,2 +3824,,T1003.003,NTDS,[],[],,SI-4,mitigates,2 +3825,,T1003.004,LSA Secrets,[],[],,SI-4,mitigates,2 +3826,,T1003.005,Cached Domain Credentials,[],[],,SI-4,mitigates,2 +3827,,T1003.006,DCSync,[],[],,SI-4,mitigates,2 +3828,,T1003.007,Proc Filesystem,[],[],,SI-4,mitigates,2 +3829,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-4,mitigates,2 +3830,,T1008,Fallback Channels,[],[],,SI-4,mitigates,2 +3831,,T1011,Exfiltration Over Other Network Medium,[],[],,SI-4,mitigates,2 +3832,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-4,mitigates,2 +3833,,T1020.001,Traffic Duplication,[],[],,SI-4,mitigates,2 +3834,,T1021,Remote Services,[],[],,SI-4,mitigates,2 +3835,,T1021.001,Remote Desktop Protocol,[],[],,SI-4,mitigates,2 +3836,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-4,mitigates,2 +3837,,T1021.003,Distributed Component Object Model,[],[],,SI-4,mitigates,2 +3838,,T1021.004,SSH,[],[],,SI-4,mitigates,2 +3839,,T1021.005,VNC,[],[],,SI-4,mitigates,2 +3840,,T1021.006,Windows Remote Management,[],[],,SI-4,mitigates,2 +3841,,T1027,Obfuscated Files or Information,[],[],,SI-4,mitigates,2 +3842,,T1027.002,Software Packing,[],[],,SI-4,mitigates,2 +3843,,T1029,Scheduled Transfer,[],[],,SI-4,mitigates,2 +3844,,T1030,Data Transfer Size Limits,[],[],,SI-4,mitigates,2 +3845,,T1036,Masquerading,[],[],,SI-4,mitigates,2 +3846,,T1036.001,Invalid 
Code Signature,[],[],,SI-4,mitigates,2 +3847,,T1036.003,Rename System Utilities,[],[],,SI-4,mitigates,2 +3848,,T1036.005,Match Legitimate Name or Location,[],[],,SI-4,mitigates,2 +3849,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-4,mitigates,2 +3850,,T1037.002,Logon Script (Mac),[],[],,SI-4,mitigates,2 +3851,,T1037.003,Network Logon Script,[],[],,SI-4,mitigates,2 +3852,,T1037.004,RC Scripts,[],[],,SI-4,mitigates,2 +3853,,T1037.005,Startup Items,[],[],,SI-4,mitigates,2 +3854,,T1040,Network Sniffing,[],[],,SI-4,mitigates,2 +3855,,T1041,Exfiltration Over C2 Channel,[],[],,SI-4,mitigates,2 +3856,,T1046,Network Service Scanning,[],[],,SI-4,mitigates,2 +3857,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-4,mitigates,2 +3858,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,2 +3859,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,2 +3860,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-4,mitigates,2 +3861,,T1052,Exfiltration Over Physical Medium,[],[],,SI-4,mitigates,2 +3862,,T1052.001,Exfiltration over USB,[],[],,SI-4,mitigates,2 +3863,,T1053,Scheduled Task/Job,[],[],,SI-4,mitigates,2 +3864,,T1053.001,At (Linux),[],[],,SI-4,mitigates,2 +3865,,T1053.002,At (Windows),[],[],,SI-4,mitigates,2 +3866,,T1053.003,Cron,[],[],,SI-4,mitigates,2 +3867,,T1053.004,Launchd,[],[],,SI-4,mitigates,2 +3868,,T1053.005,Scheduled Task,[],[],,SI-4,mitigates,2 +3869,,T1053.006,Systemd Timers,[],[],,SI-4,mitigates,2 +3870,,T1055,Process Injection,[],[],,SI-4,mitigates,2 +3871,,T1055.001,Dynamic-link Library Injection,[],[],,SI-4,mitigates,2 +3872,,T1055.002,Portable Executable Injection,[],[],,SI-4,mitigates,2 +3873,,T1055.003,Thread Execution Hijacking,[],[],,SI-4,mitigates,2 +3874,,T1055.004,Asynchronous Procedure Call,[],[],,SI-4,mitigates,2 +3875,,T1055.005,Thread Local Storage,[],[],,SI-4,mitigates,2 +3876,,T1055.008,Ptrace System Calls,[],[],,SI-4,mitigates,2 
+3877,,T1055.009,Proc Memory,[],[],,SI-4,mitigates,2 +3878,,T1055.011,Extra Window Memory Injection,[],[],,SI-4,mitigates,2 +3879,,T1055.012,Process Hollowing,[],[],,SI-4,mitigates,2 +3880,,T1055.013,Process Doppelgänging,[],[],,SI-4,mitigates,2 +3881,,T1055.014,VDSO Hijacking,[],[],,SI-4,mitigates,2 +3882,,T1056.002,GUI Input Capture,[],[],,SI-4,mitigates,2 +3883,,T1059,Command and Scripting Interpreter,[],[],,SI-4,mitigates,2 +3884,,T1059.001,PowerShell,[],[],,SI-4,mitigates,2 +3885,,T1059.002,AppleScript,[],[],,SI-4,mitigates,2 +3886,,T1059.003,Windows Command Shell,[],[],,SI-4,mitigates,2 +3887,,T1059.004,Unix Shell,[],[],,SI-4,mitigates,2 +3888,,T1059.005,Visual Basic,[],[],,SI-4,mitigates,2 +3889,,T1059.006,Python,[],[],,SI-4,mitigates,2 +3890,,T1059.007,JavaScript,[],[],,SI-4,mitigates,2 +3891,,T1068,Exploitation for Privilege Escalation,[],[],,SI-4,mitigates,2 +3892,,T1070,Indicator Removal on Host,[],[],,SI-4,mitigates,2 +3893,,T1070.001,Clear Windows Event Logs,[],[],,SI-4,mitigates,2 +3894,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-4,mitigates,2 +3895,,T1070.003,Clear Command History,[],[],,SI-4,mitigates,2 +3896,,T1071,Application Layer Protocol,[],[],,SI-4,mitigates,2 +3897,,T1071.001,Web Protocols,[],[],,SI-4,mitigates,2 +3898,,T1071.002,File Transfer Protocols,[],[],,SI-4,mitigates,2 +3899,,T1071.003,Mail Protocols,[],[],,SI-4,mitigates,2 +3900,,T1071.004,DNS,[],[],,SI-4,mitigates,2 +3901,,T1072,Software Deployment Tools,[],[],,SI-4,mitigates,2 +3902,,T1078,Valid Accounts,[],[],,SI-4,mitigates,2 +3903,,T1078.001,Default Accounts,[],[],,SI-4,mitigates,2 +3904,,T1078.002,Domain Accounts,[],[],,SI-4,mitigates,2 +3905,,T1078.003,Local Accounts,[],[],,SI-4,mitigates,2 +3906,,T1078.004,Cloud Accounts,[],[],,SI-4,mitigates,2 +3907,,T1080,Taint Shared Content,[],[],,SI-4,mitigates,2 +3908,,T1087,Account Discovery,[],[],,SI-4,mitigates,2 +3909,,T1087.001,Local Account,[],[],,SI-4,mitigates,2 +3910,,T1087.002,Domain Account,[],[],,SI-4,mitigates,2 
+3911,,T1090,Proxy,[],[],,SI-4,mitigates,2 +3912,,T1090.001,Internal Proxy,[],[],,SI-4,mitigates,2 +3913,,T1090.002,External Proxy,[],[],,SI-4,mitigates,2 +3914,,T1091,Replication Through Removable Media,[],[],,SI-4,mitigates,2 +3915,,T1092,Communication Through Removable Media,[],[],,SI-4,mitigates,2 +3916,,T1095,Non-Application Layer Protocol,[],[],,SI-4,mitigates,2 +3917,,T1098,Account Manipulation,[],[],,SI-4,mitigates,2 +3918,,T1098.001,Additional Cloud Credentials,[],[],,SI-4,mitigates,2 +3919,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-4,mitigates,2 +3920,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-4,mitigates,2 +3921,,T1098.004,SSH Authorized Keys,[],[],,SI-4,mitigates,2 +3922,,T1102,Web Service,[],[],,SI-4,mitigates,2 +3923,,T1102.001,Dead Drop Resolver,[],[],,SI-4,mitigates,2 +3924,,T1102.002,Bidirectional Communication,[],[],,SI-4,mitigates,2 +3925,,T1102.003,One-Way Communication,[],[],,SI-4,mitigates,2 +3926,,T1104,Multi-Stage Channels,[],[],,SI-4,mitigates,2 +3927,,T1105,Ingress Tool Transfer,[],[],,SI-4,mitigates,2 +3928,,T1110,Brute Force,[],[],,SI-4,mitigates,2 +3929,,T1110.001,Password Guessing,[],[],,SI-4,mitigates,2 +3930,,T1110.002,Password Cracking,[],[],,SI-4,mitigates,2 +3931,,T1110.003,Password Spraying,[],[],,SI-4,mitigates,2 +3932,,T1110.004,Credential Stuffing,[],[],,SI-4,mitigates,2 +3933,,T1111,Two-Factor Authentication Interception,[],[],,SI-4,mitigates,2 +3934,,T1114,Email Collection,[],[],,SI-4,mitigates,2 +3935,,T1114.001,Local Email Collection,[],[],,SI-4,mitigates,2 +3936,,T1114.002,Remote Email Collection,[],[],,SI-4,mitigates,2 +3937,,T1114.003,Email Forwarding Rule,[],[],,SI-4,mitigates,2 +3938,,T1119,Automated Collection,[],[],,SI-4,mitigates,2 +3939,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-4,mitigates,2 +3940,,T1127.001,MSBuild,[],[],,SI-4,mitigates,2 +3941,,T1129,Shared Modules,[],[],,SI-4,mitigates,2 +3942,,T1132,Data Encoding,[],[],,SI-4,mitigates,2 
+3943,,T1132.001,Standard Encoding,[],[],,SI-4,mitigates,2 +3944,,T1132.002,Non-Standard Encoding,[],[],,SI-4,mitigates,2 +3945,,T1133,External Remote Services,[],[],,SI-4,mitigates,2 +3946,,T1135,Network Share Discovery,[],[],,SI-4,mitigates,2 +3947,,T1136,Create Account,[],[],,SI-4,mitigates,2 +3948,,T1136.001,Local Account,[],[],,SI-4,mitigates,2 +3949,,T1136.002,Domain Account,[],[],,SI-4,mitigates,2 +3950,,T1136.003,Cloud Account,[],[],,SI-4,mitigates,2 +3951,,T1137,Office Application Startup,[],[],,SI-4,mitigates,2 +3952,,T1137.001,Office Template Macros,[],[],,SI-4,mitigates,2 +3953,,T1176,Browser Extensions,[],[],,SI-4,mitigates,2 +3954,,T1185,Man in the Browser,[],[],,SI-4,mitigates,2 +3955,,T1187,Forced Authentication,[],[],,SI-4,mitigates,2 +3956,,T1189,Drive-by Compromise,[],[],,SI-4,mitigates,2 +3957,,T1190,Exploit Public-Facing Application,[],[],,SI-4,mitigates,2 +3958,,T1197,BITS Jobs,[],[],,SI-4,mitigates,2 +3959,,T1201,Password Policy Discovery,[],[],,SI-4,mitigates,2 +3960,,T1203,Exploitation for Client Execution,[],[],,SI-4,mitigates,2 +3961,,T1204,User Execution,[],[],,SI-4,mitigates,2 +3962,,T1204.001,Malicious Link,[],[],,SI-4,mitigates,2 +3963,,T1204.002,Malicious File,[],[],,SI-4,mitigates,2 +3964,,T1204.003,Malicious Image,[],[],,SI-4,mitigates,2 +3965,,T1205,Traffic Signaling,[],[],,SI-4,mitigates,2 +3966,,T1205.001,Port Knocking,[],[],,SI-4,mitigates,2 +3967,,T1210,Exploitation of Remote Services,[],[],,SI-4,mitigates,2 +3968,,T1211,Exploitation for Defense Evasion,[],[],,SI-4,mitigates,2 +3969,,T1212,Exploitation for Credential Access,[],[],,SI-4,mitigates,2 +3970,,T1213,Data from Information Repositories,[],[],,SI-4,mitigates,2 +3971,,T1213.001,Confluence,[],[],,SI-4,mitigates,2 +3972,,T1213.002,Sharepoint,[],[],,SI-4,mitigates,2 +3973,,T1216,Signed Script Proxy Execution,[],[],,SI-4,mitigates,2 +3974,,T1216.001,PubPrn,[],[],,SI-4,mitigates,2 +3975,,T1218,Signed Binary Proxy Execution,[],[],,SI-4,mitigates,2 +3976,,T1218.001,Compiled 
HTML File,[],[],,SI-4,mitigates,2 +3977,,T1218.002,Control Panel,[],[],,SI-4,mitigates,2 +3978,,T1218.003,CMSTP,[],[],,SI-4,mitigates,2 +3979,,T1218.004,InstallUtil,[],[],,SI-4,mitigates,2 +3980,,T1218.005,Mshta,[],[],,SI-4,mitigates,2 +3981,,T1218.008,Odbcconf,[],[],,SI-4,mitigates,2 +3982,,T1218.009,Regsvcs/Regasm,[],[],,SI-4,mitigates,2 +3983,,T1218.010,Regsvr32,[],[],,SI-4,mitigates,2 +3984,,T1218.011,Rundll32,[],[],,SI-4,mitigates,2 +3985,,T1218.012,Verclsid,[],[],,SI-4,mitigates,2 +3986,,T1219,Remote Access Software,[],[],,SI-4,mitigates,2 +3987,,T1220,XSL Script Processing,[],[],,SI-4,mitigates,2 +3988,,T1221,Template Injection,[],[],,SI-4,mitigates,2 +3989,,T1222,File and Directory Permissions Modification,[],[],,SI-4,mitigates,2 +3990,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-4,mitigates,2 +3991,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-4,mitigates,2 +3992,,T1484,Domain Policy Modification,[],[],,SI-4,mitigates,2 +3993,,T1485,Data Destruction,[],[],,SI-4,mitigates,2 +3994,,T1486,Data Encrypted for Impact,[],[],,SI-4,mitigates,2 +3995,,T1489,Service Stop,[],[],,SI-4,mitigates,2 +3996,,T1490,Inhibit System Recovery,[],[],,SI-4,mitigates,2 +3997,,T1491,Defacement,[],[],,SI-4,mitigates,2 +3998,,T1491.001,Internal Defacement,[],[],,SI-4,mitigates,2 +3999,,T1491.002,External Defacement,[],[],,SI-4,mitigates,2 +4000,,T1499,Endpoint Denial of Service,[],[],,SI-4,mitigates,2 +4001,,T1499.001,OS Exhaustion Flood,[],[],,SI-4,mitigates,2 +4002,,T1499.002,Service Exhaustion Flood,[],[],,SI-4,mitigates,2 +4003,,T1499.003,Application Exhaustion Flood,[],[],,SI-4,mitigates,2 +4004,,T1499.004,Application or System Exploitation,[],[],,SI-4,mitigates,2 +4005,,T1505,Server Software Component,[],[],,SI-4,mitigates,2 +4006,,T1505.001,SQL Stored Procedures,[],[],,SI-4,mitigates,2 +4007,,T1505.002,Transport Agent,[],[],,SI-4,mitigates,2 +4008,,T1525,Implant Internal Image,[],[],,SI-4,mitigates,2 
+4009,,T1528,Steal Application Access Token,[],[],,SI-4,mitigates,2 +4010,,T1530,Data from Cloud Storage Object,[],[],,SI-4,mitigates,2 +4011,,T1537,Transfer Data to Cloud Account,[],[],,SI-4,mitigates,2 +4012,,T1539,Steal Web Session Cookie,[],[],,SI-4,mitigates,2 +4013,,T1542.004,ROMMONkit,[],[],,SI-4,mitigates,2 +4014,,T1542.005,TFTP Boot,[],[],,SI-4,mitigates,2 +4015,,T1543,Create or Modify System Process,[],[],,SI-4,mitigates,2 +4016,,T1543.002,Systemd Service,[],[],,SI-4,mitigates,2 +4017,,T1543.003,Windows Service,[],[],,SI-4,mitigates,2 +4018,,T1546.002,Screensaver,[],[],,SI-4,mitigates,2 +4019,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-4,mitigates,2 +4020,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-4,mitigates,2 +4021,,T1546.008,Accessibility Features,[],[],,SI-4,mitigates,2 +4022,,T1546.013,PowerShell Profile,[],[],,SI-4,mitigates,2 +4023,,T1546.014,Emond,[],[],,SI-4,mitigates,2 +4024,,T1547.002,Authentication Package,[],[],,SI-4,mitigates,2 +4025,,T1547.003,Time Providers,[],[],,SI-4,mitigates,2 +4026,,T1547.004,Winlogon Helper DLL,[],[],,SI-4,mitigates,2 +4027,,T1547.005,Security Support Provider,[],[],,SI-4,mitigates,2 +4028,,T1547.006,Kernel Modules and Extensions,[],[],,SI-4,mitigates,2 +4029,,T1547.007,Re-opened Applications,[],[],,SI-4,mitigates,2 +4030,,T1547.008,LSASS Driver,[],[],,SI-4,mitigates,2 +4031,,T1547.009,Shortcut Modification,[],[],,SI-4,mitigates,2 +4032,,T1547.011,Plist Modification,[],[],,SI-4,mitigates,2 +4033,,T1547.012,Print Processors,[],[],,SI-4,mitigates,2 +4034,,T1547.013,XDG Autostart Entries,[],[],,SI-4,mitigates,2 +4035,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-4,mitigates,2 +4036,,T1548.001,Setuid and Setgid,[],[],,SI-4,mitigates,2 +4037,,T1548.002,Bypass User Account Control,[],[],,SI-4,mitigates,2 +4038,,T1548.003,Sudo and Sudo Caching,[],[],,SI-4,mitigates,2 +4039,,T1548.004,Elevated Execution with Prompt,[],[],,SI-4,mitigates,2 +4040,,T1550.001,Application Access Token,[],[],,SI-4,mitigates,2 
+4041,,T1550.003,Pass the Ticket,[],[],,SI-4,mitigates,2 +4042,,T1552,Unsecured Credentials,[],[],,SI-4,mitigates,2 +4043,,T1552.001,Credentials In Files,[],[],,SI-4,mitigates,2 +4044,,T1552.002,Credentials in Registry,[],[],,SI-4,mitigates,2 +4045,,T1552.003,Bash History,[],[],,SI-4,mitigates,2 +4046,,T1552.004,Private Keys,[],[],,SI-4,mitigates,2 +4047,,T1552.005,Cloud Instance Metadata API,[],[],,SI-4,mitigates,2 +4048,,T1552.006,Group Policy Preferences,[],[],,SI-4,mitigates,2 +4049,,T1553,Subvert Trust Controls,[],[],,SI-4,mitigates,2 +4050,,T1553.001,Gatekeeper Bypass,[],[],,SI-4,mitigates,2 +4051,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-4,mitigates,2 +4052,,T1553.004,Install Root Certificate,[],[],,SI-4,mitigates,2 +4053,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-4,mitigates,2 +4054,,T1555,Credentials from Password Stores,[],[],,SI-4,mitigates,2 +4055,,T1555.001,Keychain,[],[],,SI-4,mitigates,2 +4056,,T1555.002,Securityd Memory,[],[],,SI-4,mitigates,2 +4057,,T1555.004,Windows Credential Manager,[],[],,SI-4,mitigates,2 +4058,,T1555.005,Password Managers,[],[],,SI-4,mitigates,2 +4059,,T1556,Modify Authentication Process,[],[],,SI-4,mitigates,2 +4060,,T1556.001,Domain Controller Authentication,[],[],,SI-4,mitigates,2 +4061,,T1556.002,Password Filter DLL,[],[],,SI-4,mitigates,2 +4062,,T1556.003,Pluggable Authentication Modules,[],[],,SI-4,mitigates,2 +4063,,T1556.004,Network Device Authentication,[],[],,SI-4,mitigates,2 +4064,,T1557,Man-in-the-Middle,[],[],,SI-4,mitigates,2 +4065,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-4,mitigates,2 +4066,,T1557.002,ARP Cache Poisoning,[],[],,SI-4,mitigates,2 +4067,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-4,mitigates,2 +4068,,T1558.002,Silver Ticket,[],[],,SI-4,mitigates,2 +4069,,T1558.003,Kerberoasting,[],[],,SI-4,mitigates,2 +4070,,T1558.004,AS-REP Roasting,[],[],,SI-4,mitigates,2 +4071,,T1559,Inter-Process Communication,[],[],,SI-4,mitigates,2 +4072,,T1559.001,Component Object 
Model,[],[],,SI-4,mitigates,2 +4073,,T1559.002,Dynamic Data Exchange,[],[],,SI-4,mitigates,2 +4074,,T1560,Archive Collected Data,[],[],,SI-4,mitigates,2 +4075,,T1560.001,Archive via Utility,[],[],,SI-4,mitigates,2 +4076,,T1561,Disk Wipe,[],[],,SI-4,mitigates,2 +4077,,T1561.001,Disk Content Wipe,[],[],,SI-4,mitigates,2 +4078,,T1561.002,Disk Structure Wipe,[],[],,SI-4,mitigates,2 +4079,,T1562,Impair Defenses,[],[],,SI-4,mitigates,2 +4080,,T1562.001,Disable or Modify Tools,[],[],,SI-4,mitigates,2 +4081,,T1562.002,Disable Windows Event Logging,[],[],,SI-4,mitigates,2 +4082,,T1562.003,Impair Command History Logging,[],[],,SI-4,mitigates,2 +4083,,T1562.004,Disable or Modify System Firewall,[],[],,SI-4,mitigates,2 +4084,,T1562.006,Indicator Blocking,[],[],,SI-4,mitigates,2 +4085,,T1563,Remote Service Session Hijacking,[],[],,SI-4,mitigates,2 +4086,,T1563.001,SSH Hijacking,[],[],,SI-4,mitigates,2 +4087,,T1563.002,RDP Hijacking,[],[],,SI-4,mitigates,2 +4088,,T1564.002,Hidden Users,[],[],,SI-4,mitigates,2 +4089,,T1564.004,NTFS File Attributes,[],[],,SI-4,mitigates,2 +4090,,T1564.006,Run Virtual Instance,[],[],,SI-4,mitigates,2 +4091,,T1564.007,VBA Stomping,[],[],,SI-4,mitigates,2 +4092,,T1565,Data Manipulation,[],[],,SI-4,mitigates,2 +4093,,T1565.001,Stored Data Manipulation,[],[],,SI-4,mitigates,2 +4094,,T1565.002,Transmitted Data Manipulation,[],[],,SI-4,mitigates,2 +4095,,T1565.003,Runtime Data Manipulation,[],[],,SI-4,mitigates,2 +4096,,T1566,Phishing,[],[],,SI-4,mitigates,2 +4097,,T1566.001,Spearphishing Attachment,[],[],,SI-4,mitigates,2 +4098,,T1566.002,Spearphishing Link,[],[],,SI-4,mitigates,2 +4099,,T1566.003,Spearphishing via Service,[],[],,SI-4,mitigates,2 +4100,,T1568,Dynamic Resolution,[],[],,SI-4,mitigates,2 +4101,,T1568.002,Domain Generation Algorithms,[],[],,SI-4,mitigates,2 +4102,,T1569,System Services,[],[],,SI-4,mitigates,2 +4103,,T1569.002,Service Execution,[],[],,SI-4,mitigates,2 +4104,,T1570,Lateral Tool Transfer,[],[],,SI-4,mitigates,2 
+4105,,T1571,Non-Standard Port,[],[],,SI-4,mitigates,2 +4106,,T1572,Protocol Tunneling,[],[],,SI-4,mitigates,2 +4107,,T1573,Encrypted Channel,[],[],,SI-4,mitigates,2 +4108,,T1573.001,Symmetric Cryptography,[],[],,SI-4,mitigates,2 +4109,,T1573.002,Asymmetric Cryptography,[],[],,SI-4,mitigates,2 +4110,,T1574,Hijack Execution Flow,[],[],,SI-4,mitigates,2 +4111,,T1574.001,DLL Search Order Hijacking,[],[],,SI-4,mitigates,2 +4112,,T1574.004,Dylib Hijacking,[],[],,SI-4,mitigates,2 +4113,,T1574.005,Executable Installer File Permissions Weakness,[],[],,SI-4,mitigates,2 +4114,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-4,mitigates,2 +4115,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-4,mitigates,2 +4116,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-4,mitigates,2 +4117,,T1574.010,Services File Permissions Weakness,[],[],,SI-4,mitigates,2 +4118,,T1578,Modify Cloud Compute Infrastructure,[],[],,SI-4,mitigates,2 +4119,,T1578.001,Create Snapshot,[],[],,SI-4,mitigates,2 +4120,,T1578.002,Create Cloud Instance,[],[],,SI-4,mitigates,2 +4121,,T1578.003,Delete Cloud Instance,[],[],,SI-4,mitigates,2 +4122,,T1598,Phishing for Information,[],[],,SI-4,mitigates,2 +4123,,T1598.001,Spearphishing Service,[],[],,SI-4,mitigates,2 +4124,,T1598.002,Spearphishing Attachment,[],[],,SI-4,mitigates,2 +4125,,T1598.003,Spearphishing Link,[],[],,SI-4,mitigates,2 +4126,,T1599,Network Boundary Bridging,[],[],,SI-4,mitigates,2 +4127,,T1599.001,Network Address Translation Traversal,[],[],,SI-4,mitigates,2 +4128,,T1601,Modify System Image,[],[],,SI-4,mitigates,2 +4129,,T1601.001,Patch System Image,[],[],,SI-4,mitigates,2 +4130,,T1601.002,Downgrade System Image,[],[],,SI-4,mitigates,2 +4131,,T1602,Data from Configuration Repository,[],[],,SI-4,mitigates,2 +4132,,T1602.001,SNMP (MIB Dump),[],[],,SI-4,mitigates,2 +4133,,T1602.002,Network Device Configuration Dump,[],[],,SI-4,mitigates,2 +4134,,T1610,Deploy Container,[],[],,SI-4,mitigates,2 +4135,,T1611,Escape 
to Host,[],[],,SI-4,mitigates,2 +4136,,T1612,Build Image on Host,[],[],,SI-4,mitigates,2 +4137,,T1613,Container and Resource Discovery,[],[],,SI-4,mitigates,2 +4138,,T1068,Exploitation for Privilege Escalation,[],[],,SI-5,mitigates,2 +4139,,T1210,Exploitation of Remote Services,[],[],,SI-5,mitigates,2 +4140,,T1211,Exploitation for Defense Evasion,[],[],,SI-5,mitigates,2 +4141,,T1212,Exploitation for Credential Access,[],[],,SI-5,mitigates,2 +4142,,T1003,OS Credential Dumping,[],[],,SI-7,mitigates,2 +4143,,T1003.003,NTDS,[],[],,SI-7,mitigates,2 +4144,,T1020.001,Traffic Duplication,[],[],,SI-7,mitigates,2 +4145,,T1027,Obfuscated Files or Information,[],[],,SI-7,mitigates,2 +4146,,T1027.002,Software Packing,[],[],,SI-7,mitigates,2 +4147,,T1036,Masquerading,[],[],,SI-7,mitigates,2 +4148,,T1036.001,Invalid Code Signature,[],[],,SI-7,mitigates,2 +4149,,T1036.005,Match Legitimate Name or Location,[],[],,SI-7,mitigates,2 +4150,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-7,mitigates,2 +4151,,T1037.002,Logon Script (Mac),[],[],,SI-7,mitigates,2 +4152,,T1037.003,Network Logon Script,[],[],,SI-7,mitigates,2 +4153,,T1037.004,RC Scripts,[],[],,SI-7,mitigates,2 +4154,,T1037.005,Startup Items,[],[],,SI-7,mitigates,2 +4155,,T1040,Network Sniffing,[],[],,SI-7,mitigates,2 +4156,,T1053.006,Systemd Timers,[],[],,SI-7,mitigates,2 +4157,,T1056.002,GUI Input Capture,[],[],,SI-7,mitigates,2 +4158,,T1059,Command and Scripting Interpreter,[],[],,SI-7,mitigates,2 +4159,,T1059.001,PowerShell,[],[],,SI-7,mitigates,2 +4160,,T1059.002,AppleScript,[],[],,SI-7,mitigates,2 +4161,,T1059.003,Windows Command Shell,[],[],,SI-7,mitigates,2 +4162,,T1059.004,Unix Shell,[],[],,SI-7,mitigates,2 +4163,,T1059.005,Visual Basic,[],[],,SI-7,mitigates,2 +4164,,T1059.006,Python,[],[],,SI-7,mitigates,2 +4165,,T1059.007,JavaScript,[],[],,SI-7,mitigates,2 +4166,,T1068,Exploitation for Privilege Escalation,[],[],,SI-7,mitigates,2 +4167,,T1070,Indicator Removal on Host,[],[],,SI-7,mitigates,2 
+4168,,T1070.001,Clear Windows Event Logs,[],[],,SI-7,mitigates,2 +4169,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-7,mitigates,2 +4170,,T1070.003,Clear Command History,[],[],,SI-7,mitigates,2 +4171,,T1072,Software Deployment Tools,[],[],,SI-7,mitigates,2 +4172,,T1080,Taint Shared Content,[],[],,SI-7,mitigates,2 +4173,,T1098.001,Additional Cloud Credentials,[],[],,SI-7,mitigates,2 +4174,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-7,mitigates,2 +4175,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-7,mitigates,2 +4176,,T1114,Email Collection,[],[],,SI-7,mitigates,2 +4177,,T1114.001,Local Email Collection,[],[],,SI-7,mitigates,2 +4178,,T1114.002,Remote Email Collection,[],[],,SI-7,mitigates,2 +4179,,T1114.003,Email Forwarding Rule,[],[],,SI-7,mitigates,2 +4180,,T1119,Automated Collection,[],[],,SI-7,mitigates,2 +4181,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-7,mitigates,2 +4182,,T1129,Shared Modules,[],[],,SI-7,mitigates,2 +4183,,T1133,External Remote Services,[],[],,SI-7,mitigates,2 +4184,,T1136,Create Account,[],[],,SI-7,mitigates,2 +4185,,T1136.001,Local Account,[],[],,SI-7,mitigates,2 +4186,,T1136.002,Domain Account,[],[],,SI-7,mitigates,2 +4187,,T1136.003,Cloud Account,[],[],,SI-7,mitigates,2 +4188,,T1176,Browser Extensions,[],[],,SI-7,mitigates,2 +4189,,T1185,Man in the Browser,[],[],,SI-7,mitigates,2 +4190,,T1189,Drive-by Compromise,[],[],,SI-7,mitigates,2 +4191,,T1190,Exploit Public-Facing Application,[],[],,SI-7,mitigates,2 +4192,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-7,mitigates,2 +4193,,T1203,Exploitation for Client Execution,[],[],,SI-7,mitigates,2 +4194,,T1204,User Execution,[],[],,SI-7,mitigates,2 +4195,,T1204.002,Malicious File,[],[],,SI-7,mitigates,2 +4196,,T1204.003,Malicious Image,[],[],,SI-7,mitigates,2 +4197,,T1210,Exploitation of Remote Services,[],[],,SI-7,mitigates,2 +4198,,T1211,Exploitation for Defense Evasion,[],[],,SI-7,mitigates,2 +4199,,T1212,Exploitation for Credential 
Access,[],[],,SI-7,mitigates,2 +4200,,T1213,Data from Information Repositories,[],[],,SI-7,mitigates,2 +4201,,T1213.001,Confluence,[],[],,SI-7,mitigates,2 +4202,,T1213.002,Sharepoint,[],[],,SI-7,mitigates,2 +4203,,T1216,Signed Script Proxy Execution,[],[],,SI-7,mitigates,2 +4204,,T1216.001,PubPrn,[],[],,SI-7,mitigates,2 +4205,,T1218,Signed Binary Proxy Execution,[],[],,SI-7,mitigates,2 +4206,,T1218.001,Compiled HTML File,[],[],,SI-7,mitigates,2 +4207,,T1218.002,Control Panel,[],[],,SI-7,mitigates,2 +4208,,T1218.003,CMSTP,[],[],,SI-7,mitigates,2 +4209,,T1218.004,InstallUtil,[],[],,SI-7,mitigates,2 +4210,,T1218.005,Mshta,[],[],,SI-7,mitigates,2 +4211,,T1218.008,Odbcconf,[],[],,SI-7,mitigates,2 +4212,,T1218.009,Regsvcs/Regasm,[],[],,SI-7,mitigates,2 +4213,,T1218.010,Regsvr32,[],[],,SI-7,mitigates,2 +4214,,T1218.011,Rundll32,[],[],,SI-7,mitigates,2 +4215,,T1218.012,Verclsid,[],[],,SI-7,mitigates,2 +4216,,T1219,Remote Access Software,[],[],,SI-7,mitigates,2 +4217,,T1220,XSL Script Processing,[],[],,SI-7,mitigates,2 +4218,,T1221,Template Injection,[],[],,SI-7,mitigates,2 +4219,,T1222,File and Directory Permissions Modification,[],[],,SI-7,mitigates,2 +4220,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-7,mitigates,2 +4221,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-7,mitigates,2 +4222,,T1485,Data Destruction,[],[],,SI-7,mitigates,2 +4223,,T1486,Data Encrypted for Impact,[],[],,SI-7,mitigates,2 +4224,,T1490,Inhibit System Recovery,[],[],,SI-7,mitigates,2 +4225,,T1491,Defacement,[],[],,SI-7,mitigates,2 +4226,,T1491.001,Internal Defacement,[],[],,SI-7,mitigates,2 +4227,,T1491.002,External Defacement,[],[],,SI-7,mitigates,2 +4228,,T1495,Firmware Corruption,[],[],,SI-7,mitigates,2 +4229,,T1505,Server Software Component,[],[],,SI-7,mitigates,2 +4230,,T1505.001,SQL Stored Procedures,[],[],,SI-7,mitigates,2 +4231,,T1505.002,Transport Agent,[],[],,SI-7,mitigates,2 +4232,,T1525,Implant Internal 
Image,[],[],,SI-7,mitigates,2 +4233,,T1530,Data from Cloud Storage Object,[],[],,SI-7,mitigates,2 +4234,,T1542,Pre-OS Boot,[],[],,SI-7,mitigates,2 +4235,,T1542.001,System Firmware,[],[],,SI-7,mitigates,2 +4236,,T1542.003,Bootkit,[],[],,SI-7,mitigates,2 +4237,,T1542.004,ROMMONkit,[],[],,SI-7,mitigates,2 +4238,,T1542.005,TFTP Boot,[],[],,SI-7,mitigates,2 +4239,,T1543,Create or Modify System Process,[],[],,SI-7,mitigates,2 +4240,,T1543.002,Systemd Service,[],[],,SI-7,mitigates,2 +4241,,T1546,Event Triggered Execution,[],[],,SI-7,mitigates,2 +4242,,T1546.002,Screensaver,[],[],,SI-7,mitigates,2 +4243,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-7,mitigates,2 +4244,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-7,mitigates,2 +4245,,T1546.008,Accessibility Features,[],[],,SI-7,mitigates,2 +4246,,T1546.009,AppCert DLLs,[],[],,SI-7,mitigates,2 +4247,,T1546.010,AppInit DLLs,[],[],,SI-7,mitigates,2 +4248,,T1546.013,PowerShell Profile,[],[],,SI-7,mitigates,2 +4249,,T1547.002,Authentication Package,[],[],,SI-7,mitigates,2 +4250,,T1547.003,Time Providers,[],[],,SI-7,mitigates,2 +4251,,T1547.004,Winlogon Helper DLL,[],[],,SI-7,mitigates,2 +4252,,T1547.005,Security Support Provider,[],[],,SI-7,mitigates,2 +4253,,T1547.006,Kernel Modules and Extensions,[],[],,SI-7,mitigates,2 +4254,,T1547.008,LSASS Driver,[],[],,SI-7,mitigates,2 +4255,,T1547.011,Plist Modification,[],[],,SI-7,mitigates,2 +4256,,T1547.013,XDG Autostart Entries,[],[],,SI-7,mitigates,2 +4257,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-7,mitigates,2 +4258,,T1548.004,Elevated Execution with Prompt,[],[],,SI-7,mitigates,2 +4259,,T1550.001,Application Access Token,[],[],,SI-7,mitigates,2 +4260,,T1550.004,Web Session Cookie,[],[],,SI-7,mitigates,2 +4261,,T1552,Unsecured Credentials,[],[],,SI-7,mitigates,2 +4262,,T1552.004,Private Keys,[],[],,SI-7,mitigates,2 +4263,,T1553,Subvert Trust Controls,[],[],,SI-7,mitigates,2 +4264,,T1553.001,Gatekeeper Bypass,[],[],,SI-7,mitigates,2 +4265,,T1553.003,SIP and Trust 
Provider Hijacking,[],[],,SI-7,mitigates,2 +4266,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-7,mitigates,2 +4267,,T1553.006,Code Signing Policy Modification,[],[],,SI-7,mitigates,2 +4268,,T1554,Compromise Client Software Binary,[],[],,SI-7,mitigates,2 +4269,,T1556,Modify Authentication Process,[],[],,SI-7,mitigates,2 +4270,,T1556.001,Domain Controller Authentication,[],[],,SI-7,mitigates,2 +4271,,T1556.003,Pluggable Authentication Modules,[],[],,SI-7,mitigates,2 +4272,,T1556.004,Network Device Authentication,[],[],,SI-7,mitigates,2 +4273,,T1557,Man-in-the-Middle,[],[],,SI-7,mitigates,2 +4274,,T1557.002,ARP Cache Poisoning,[],[],,SI-7,mitigates,2 +4275,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-7,mitigates,2 +4276,,T1558.002,Silver Ticket,[],[],,SI-7,mitigates,2 +4277,,T1558.003,Kerberoasting,[],[],,SI-7,mitigates,2 +4278,,T1558.004,AS-REP Roasting,[],[],,SI-7,mitigates,2 +4279,,T1559,Inter-Process Communication,[],[],,SI-7,mitigates,2 +4280,,T1559.001,Component Object Model,[],[],,SI-7,mitigates,2 +4281,,T1561,Disk Wipe,[],[],,SI-7,mitigates,2 +4282,,T1561.001,Disk Content Wipe,[],[],,SI-7,mitigates,2 +4283,,T1561.002,Disk Structure Wipe,[],[],,SI-7,mitigates,2 +4284,,T1562,Impair Defenses,[],[],,SI-7,mitigates,2 +4285,,T1562.001,Disable or Modify Tools,[],[],,SI-7,mitigates,2 +4286,,T1562.002,Disable Windows Event Logging,[],[],,SI-7,mitigates,2 +4287,,T1562.004,Disable or Modify System Firewall,[],[],,SI-7,mitigates,2 +4288,,T1562.006,Indicator Blocking,[],[],,SI-7,mitigates,2 +4289,,T1564.003,Hidden Window,[],[],,SI-7,mitigates,2 +4290,,T1564.004,NTFS File Attributes,[],[],,SI-7,mitigates,2 +4291,,T1564.006,Run Virtual Instance,[],[],,SI-7,mitigates,2 +4292,,T1565,Data Manipulation,[],[],,SI-7,mitigates,2 +4293,,T1565.001,Stored Data Manipulation,[],[],,SI-7,mitigates,2 +4294,,T1565.002,Transmitted Data Manipulation,[],[],,SI-7,mitigates,2 +4295,,T1569,System Services,[],[],,SI-7,mitigates,2 +4296,,T1569.002,Service Execution,[],[],,SI-7,mitigates,2 
+4297,,T1574,Hijack Execution Flow,[],[],,SI-7,mitigates,2 +4298,,T1574.001,DLL Search Order Hijacking,[],[],,SI-7,mitigates,2 +4299,,T1574.004,Dylib Hijacking,[],[],,SI-7,mitigates,2 +4300,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-7,mitigates,2 +4301,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-7,mitigates,2 +4302,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-7,mitigates,2 +4303,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-7,mitigates,2 +4304,,T1574.012,COR_PROFILER,[],[],,SI-7,mitigates,2 +4305,,T1599,Network Boundary Bridging,[],[],,SI-7,mitigates,2 +4306,,T1599.001,Network Address Translation Traversal,[],[],,SI-7,mitigates,2 +4307,,T1601,Modify System Image,[],[],,SI-7,mitigates,2 +4308,,T1601.001,Patch System Image,[],[],,SI-7,mitigates,2 +4309,,T1601.002,Downgrade System Image,[],[],,SI-7,mitigates,2 +4310,,T1602,Data from Configuration Repository,[],[],,SI-7,mitigates,2 +4311,,T1602.001,SNMP (MIB Dump),[],[],,SI-7,mitigates,2 +4312,,T1602.002,Network Device Configuration Dump,[],[],,SI-7,mitigates,2 +4313,,T1609,Container Administration Command,[],[],,SI-7,mitigates,2 +4314,,T1611,Escape to Host,[],[],,SI-7,mitigates,2 +4315,,T1204,User Execution,[],[],,SI-8,mitigates,2 +4316,,T1204.001,Malicious Link,[],[],,SI-8,mitigates,2 +4317,,T1204.002,Malicious File,[],[],,SI-8,mitigates,2 +4318,,T1204.003,Malicious Image,[],[],,SI-8,mitigates,2 +4319,,T1221,Template Injection,[],[],,SI-8,mitigates,2 +4320,,T1566,Phishing,[],[],,SI-8,mitigates,2 +4321,,T1566.001,Spearphishing Attachment,[],[],,SI-8,mitigates,2 +4322,,T1566.002,Spearphishing Link,[],[],,SI-8,mitigates,2 +4323,,T1566.003,Spearphishing via Service,[],[],,SI-8,mitigates,2 +4324,,T1598,Phishing for Information,[],[],,SI-8,mitigates,2 +4325,,T1598.001,Spearphishing Service,[],[],,SI-8,mitigates,2 +4326,,T1598.002,Spearphishing Attachment,[],[],,SI-8,mitigates,2 +4327,,T1598.003,Spearphishing Link,[],[],,SI-8,mitigates,2 
diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_metadata.csv new file mode 100644 index 00000000..288fcf09 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r4,9.0,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,2 diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_metadata_object.csv b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_metadata_object.csv new file mode 100644 index 00000000..288fcf09 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_metadata_object.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r4,9.0,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,2 diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_navigator_layer.json index 83363fc3..4a510d05 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_navigator_layer.json +++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r4/parsed_nist800-53-r4-9.0_mappings_navigator_layer.json 
@@ -1 +1 @@ -{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "9.0"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 9, "comment": "Related to Concurrent Session Control, Remote Access, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1137.002", "score": 6, "comment": "Related to Concurrent Session Control, Permitted Actions Without Identification Or Authentication, Remote Access, Least Privilege, Baseline Configuration, Access Restrictions For Change"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to Concurrent Session Control, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information System Monitoring"}, {"techniqueID": "T1021.001", "score": 23, "comment": "Related to Session Lock, Session Termination, Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, 
Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1563.002", "score": 17, "comment": "Related to Session Lock, Session Termination, Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1072", "score": 22, "comment": "Related to Session Termination, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Key Establishment And Management, Public Key Infrastructure Certificates, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1003", "score": 21, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Backup, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1003.003", "score": 
18, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Backup, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1020.001", "score": 12, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": 
"T1070.001", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.002", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": 
"T1114.002", "score": 13, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1114.003", "score": 9, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Information Flow Enforcement, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1119", "score": 16, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Alternate Storage Site, Alternate Processing Site, Information System Backup, Distributed Processing And Storage, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, 
Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to Security Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222.001", "score": 
11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Authenticator Management, Authenticator Feedback, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Input Validation, Information Handling And Retention, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to Security Attributes, Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least 
Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Identification And Authentication (Non-Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to Security Attributes, Access Enforcement, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1547.011", "score": 12, "comment": "Related to Security Attributes, Remote Access, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Mobile Code, Non-Modifiable Executable Programs, Information Handling And Retention, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to Security Attributes, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, 
Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to Security Attributes, Remote Access, Access Control For Mobile Devices, Use Of External Information Systems, Penetration Testing, Software Usage Restrictions, User-Installed Software, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Protection Of Information At Rest, Transmission Confidentiality And Integrity, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Device Identification And Authentication, Identifier Management, Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Input Validation, Information Handling And Retention, Information Output Filtering, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Use Of External Information 
Systems, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to Security Attributes, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Device Identification And Authentication, Identifier Management, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1557", "score": 23, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1557.002", "score": 23, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least 
Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator 
Management, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Account Management, Access Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Information In Shared Resources, Information Handling And Retention, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to Security Attributes, Access Enforcement, Continuous Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565", "score": 24, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Information System Recovery And Reconstitution, Alternate Storage Site, Alternate Processing Site, Information System Backup, Protection Of Information At Rest, Distributed Processing And Storage, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Memory Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.001", "score": 22, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of 
External Information Systems, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information System Recovery And Reconstitution, Alternate Storage Site, Alternate Processing Site, Information System Backup, Protection Of Information At Rest, Distributed Processing And Storage, Information In Shared Resources, Boundary Protection, Information Handling And Retention, Memory Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Baseline Configuration, Configuration Settings, Information System Component Inventory, Information In Shared Resources, Information Handling And Retention, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow 
Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to Security Attributes, Remote Access, Wireless Access, Access Control For Mobile Devices, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Device Identification And Authentication, Identifier Management, Protection Of Information At Rest, Security Function Isolation, Information In Shared Resources, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Handling And Retention, Information Output Filtering, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline 
Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1021.003", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to Remote Access, Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1021.006", "score": 
15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to Remote Access, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to Remote Access, Least Functionality"}, {"techniqueID": "T1047", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1133", "score": 17, "comment": "Related to Remote Access, Use Of External Information Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System 
Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Unsupported System Components, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.004", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access 
Restrictions For Change, Identification And Authentication (Organizational Users), Information System Monitoring"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users), Information System Monitoring"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Information System Monitoring"}, {"techniqueID": "T1552.007", "score": 13, "comment": "Related to Remote Access, Account Management, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Transmission Confidentiality And Integrity"}, {"techniqueID": "T1563", "score": 18, "comment": "Related to Remote Access, Account Management, Access 
Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Cryptographic Key Establishment And Management, Session Authenticity, Information System Monitoring"}, {"techniqueID": "T1609", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Scanning, Developer Security Testing And Evaluation, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1613", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration 
Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to Wireless Access, Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to Wireless Access, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": 
"T1003.005", "score": 17, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Process Isolation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least 
Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1053", "score": 21, "comment": "Related to Account Management, Use Of External Information Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.002", "score": 20, "comment": "Related to Account Management, Use Of External 
Information Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.004", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.005", "score": 20, "comment": "Related to Account Management, Use Of External Information Systems, Information Sharing, Publicly Accessible Content, Data Mining Protection, Access Control Decisions, Reference Monitor, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational 
Users), Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1053.007", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1059", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code 
Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.008", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1068", "score": 24, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1078", "score": 
21, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to Account Management, Separation Of Duties, Least Privilege, Continuous Monitoring, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.002", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1078.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security 
Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1078.004", "score": 21, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1098", "score": 11, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1098.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, 
{"techniqueID": "T1098.002", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And 
Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-Authentication, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And 
Authentication (Organizational Users)"}, {"techniqueID": "T1136", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.002", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1136.003", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Boundary Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1185", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, 
Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1190", "score": 27, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Security Assessments, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Security Engineering Principles, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1210", "score": 30, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Security Assessments, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users), 
Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1212", "score": 23, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, 
Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1489", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions 
For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1505.002", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Service Identification And Authentication, Vulnerability Scanning, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users), Identification And Authentication (Non-Organizational Users)"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, 
Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access 
Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Identification And Authentication (Non-Organizational Users), Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Unsupported System Components, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1543.004", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1546.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1547.006", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access 
Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Flaw Remediation"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to Account Management, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, 
Cryptographic Key Establishment And Management, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Information System Monitoring"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to Account Management, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1553", "score": 23, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Software Usage Restrictions, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Service Identification And Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Information Input Validation, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.006", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": 
"T1556", "score": 16, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Process Isolation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Process Isolation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to Account Management, Use Of External Information Systems, Access Enforcement, Separation Of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, 
Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management"}, {"techniqueID": "T1559", "score": 21, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Software Usage Restrictions, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1559.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Identifier Management, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, 
Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.006", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Transmission Confidentiality And Integrity, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Identification And 
Authentication (Organizational Users)"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, User-Installed Software, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, User-Installed Software, Access Restrictions For Change, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline 
Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information 
System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Identification And Authentication (Organizational Users), Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Access Restrictions For Change, Least Functionality, Identification And Authentication (Organizational Users), Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least 
Privilege, Penetration Testing, Access Restrictions For Change, Identification And Authentication (Organizational Users), Identifier Management, Authenticator Feedback, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to Account Management, Access Enforcement, Separation Of Duties, Least Privilege, Identification And Authentication (Organizational Users)"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Authenticator Management, Protection Of Information At Rest, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), 
Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601.001", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1601.002", "score": 23, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Identification And Authentication (Organizational Users), Authenticator Management, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Supply Chain Protection, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1611", "score": 20, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Access 
Restrictions For Change, Configuration Settings, Least Functionality, Identification And Authentication (Organizational Users), Mobile Code, Application Partitioning, Security Function Isolation, Non-Modifiable Executable Programs, Process Isolation, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to Use Of External Information Systems, Access Enforcement, Information Flow Enforcement, Separation Of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Developer Security Testing And Evaluation, Developer Security Architecture And Design, Acquisition Process, Security Engineering Principles, Security Function Isolation"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to Use Of External Information Systems, Access Enforcement, Least Privilege, Media Use, Port And I/O Device Access"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to Use Of External Information Systems, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Use Of External Information Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, 
Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1048", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.001", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.002", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1048.003", "score": 11, "comment": "Related to Access Enforcement, 
Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1052", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Media Use, Vulnerability Scanning, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1052.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Media Use, Vulnerability Scanning, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Mobile Code, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Least Functionality, Information In Shared Resources, Boundary Protection, Information 
Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Transmission Confidentiality And Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Information System Component Inventory, Media Use, Vulnerability Scanning, Port And I/O Device Access, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to Access Enforcement, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Cryptographic Key Establishment And Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input 
Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1199", "score": 7, "comment": "Related to Access Enforcement, Information Flow Enforcement, Least Privilege, System Use Notification, Configuration Settings, Least Functionality, Boundary Protection"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1218.002", "score": 9, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.012", "score": 13, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1486", "score": 11, "comment": "Related 
to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Storage Site, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, 
Information Output Filtering"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Information System Monitoring"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output 
Filtering, Information System Monitoring"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Information System Component Inventory, Cryptographic Module Authentication, Vulnerability Scanning, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Boundary Protection, Flaw Remediation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Session Authenticity, Boundary Protection, Transmission Confidentiality And Integrity, 
Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Information System Recovery And Reconstitution, Contingency Plan, Alternate Processing Site, Information System Backup, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1565.003", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Information System Backup, Protection Of Information At Rest, Information In Shared Resources, Boundary Protection, Memory Protection, Information System Monitoring"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous 
Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1041", "score": 5, "comment": 
"Related to Information Flow Enforcement, Continuous Monitoring, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1046", "score": 10, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address 
Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-Of-Band Channels, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary 
Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Information System Component Inventory, Unsupported System Components, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary 
Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Information System Component Inventory, Mobile Code, Application Partitioning, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Process Isolation, Boundary Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1204.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Scanning, Supply Chain Protection, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious 
Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1211", "score": 22, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Application Partitioning, Honeypots, Heterogeneity, Security Function Isolation, Concealment And Misdirection, Honeyclients, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, And Directives, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to Information Flow Enforcement, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Scanning, Trustworthiness, Developer Security Architecture And Design, Security Engineering Principles, Boundary Protection"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, 
Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name / Address Resolution Service (Authoritative Source), Secure Name / Address Resolution Service (Recursive Or Caching Resolver), Architecture And Provisioning For Name / Address Resolution Service, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573", 
"score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment And Management, Transmission Of Security Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), 
Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, Information System Monitoring, Spam Protection"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, 
Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1059.006", "score": 10, "comment": "Related to Least Privilege, User-Installed Software, Configuration Change Control, Access Restrictions For Change, Least Functionality, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Least Privilege, Least Functionality"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to Least Privilege, Continuous Monitoring, Penetration Testing, User-Installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions For Change, Configuration Settings, Least Functionality, Vulnerability Scanning, Boundary Protection, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to Least Privilege, Flaw Remediation"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to Least Privilege, Access Restrictions For Change"}, {"techniqueID": "T1195", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.001", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.002", "score": 7, "comment": "Related to Security Assessments, Continuous Monitoring, User-Installed Software, Least Functionality, Vulnerability 
Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to Continuous Monitoring, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity, Spam Protection"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, Information System Monitoring"}, {"techniqueID": 
"T1195.003", "score": 11, "comment": "Related to Penetration Testing, Configuration Change Control, Access Restrictions For Change, Information System Component Inventory, Cryptographic Module Authentication, Developer Configuration Management, Developer Security Testing And Evaluation, Criticality Analysis, Non-Modifiable Executable Programs, Flaw Remediation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1554", "score": 7, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Service Identification And Authentication, Supply Chain Protection, Component Authenticity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Scanning, Boundary Protection, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Service Identification And Authentication, Secure Name / Address Resolution Service (Authoritative Source), Information System Monitoring"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to Baseline Configuration, 
Configuration Settings, Service Identification And Authentication, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.002", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Service Identification And Authentication, Supply Chain Protection, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.005", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.007", "score": 10, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Mobile Code, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Media Use, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Information System Monitoring"}, {"techniqueID": "T1129", "score": 5, "comment": 
"Related to Baseline Configuration, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1137.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.001", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Mobile Code, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.003", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.004", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.005", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information 
System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.008", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1218.009", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification And Authentication, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Vulnerability Scanning, Information Input Validation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.006", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Service Identification And Authentication, Supply Chain Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1546.010", "score": 3, "comment": "Related to Baseline Configuration, Flaw Remediation, Software, Firmware, And Information 
Integrity"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Vulnerability Scanning, Malicious Code Protection, Information System Monitoring"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Scanning, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Mobile Code, Non-Modifiable Executable Programs, Information Handling And Retention, Memory Protection, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Authenticator Management, Information System Monitoring"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Identification And Authentication (Organizational Users), Authenticator Management, Flaw Remediation, Information System Monitoring"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Monitoring"}, 
{"techniqueID": "T1564.006", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information System Component Inventory, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Information System Component Inventory, Information System Monitoring"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Protection Of Information At Rest, Information System Monitoring"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to Configuration 
Settings, Least Functionality, Information System Monitoring"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.003", "score": 4, "comment": "Related to Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1059.004", "score": 4, "comment": "Related to Least Functionality, Information Input Validation, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to Least Functionality"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to Developer Configuration Management, Developer Security Testing And Evaluation, Development Process, Standards, And Tools, Developer-Provided Training, Developer Security Architecture And Design, System Development Life Cycle, Acquisition Process, Security Engineering Principles, Flaw Remediation"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to Session Authenticity"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to Session Authenticity, Transmission Confidentiality And Integrity, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to Transmission Confidentiality And Integrity"}, {"techniqueID": "T1027", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": 
"T1027.002", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, Information System Monitoring, Software, Firmware, And Information Integrity"}, {"techniqueID": "T1137.003", "score": 1, "comment": "Related to Flaw Remediation"}, {"techniqueID": "T1137.004", "score": 1, "comment": "Related to Flaw Remediation"}, {"techniqueID": "T1137.005", "score": 1, "comment": "Related to Flaw Remediation"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file +{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "9.0"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 9, "comment": "Related to AC-10, AC-17, CM-2, CM-6, CM-8, RA-5, SI-2, SI-3, SI-4"}, {"techniqueID": "T1137.002", "score": 6, "comment": "Related to AC-10, AC-14, AC-17, AC-6, CM-2, CM-5"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to AC-10, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1021.001", "score": 23, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-5, IA-6, RA-5, SC-7, SI-4"}, {"techniqueID": "T1563.002", "score": 17, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-7, SI-4"}, {"techniqueID": "T1072", "score": 22, "comment": "Related to AC-12, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, SC-12, SC-17, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CP-9, IA-2, IA-4, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.003", 
"score": 18, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CP-9, IA-2, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1020.001", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to AC-16, AC-17, AC-18, AC-19, IA-2, IA-5, SC-4, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1070", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.001", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.002", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.003", "score": 9, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1119", "score": 16, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to AC-16, 
AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8, RA-5, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-4, SI-7"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to AC-16, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-8, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to AC-16, AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.011", "score": 12, "comment": "Related to AC-16, AC-17, AC-3, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, SI-4, SI-7"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-19, AC-20, CA-8, CM-10, CM-11, CM-2, CM-6, IA-2, IA-4, SC-28, SC-8, SI-12, SI-4, 
SI-7"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-2, SI-4, SI-7"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to AC-16, AC-20, AC-3, AC-4, CA-7, CM-6, CM-7, IA-3, IA-4, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1557", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.002", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to AC-16, AC-3, CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565", "score": 24, "comment": "Related to AC-16, AC-17, AC-18, 
AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-4, SI-7"}, {"techniqueID": "T1565.001", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, CA-7, CM-2, CM-6, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-4, SI-7"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1021.003", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-7, SI-3, SI-4"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, CM-8, IA-2, IA-5, RA-5, SI-4"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-10, SI-15, 
SI-3, SI-4"}, {"techniqueID": "T1021.006", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-7, SI-4"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to AC-17, AC-3, CA-7, CM-2, CM-6, CM-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to AC-17, CM-7"}, {"techniqueID": "T1047", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1133", "score": 17, "comment": "Related to AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to AC-17, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-7, CM-2, CM-5, CM-6, SI-4, SI-7"}, {"techniqueID": "T1547.004", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-4, SI-7"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SI-4"}, {"techniqueID": 
"T1552.007", "score": 13, "comment": "Related to AC-17, AC-2, AC-23, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-7, SC-8"}, {"techniqueID": "T1563", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-4"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SC-23, SI-4"}, {"techniqueID": "T1609", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, SC-7, SI-10, SI-7"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-8, CM-6, CM-7, RA-5, SA-11, SC-7, SI-4"}, {"techniqueID": "T1613", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to AC-18, CM-6, CM-7, SI-4"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to AC-18, CM-2, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1003.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": 
"T1003.007", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1053", "score": 21, "comment": "Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.002", "score": 20, "comment": "Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.004", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.005", "score": 20, "comment": "Related to AC-2, AC-20, AC-21, AC-22, AC-23, AC-24, AC-25, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.006", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1053.007", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-8"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, 
{"techniqueID": "T1055.008", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1059", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-8, IA-2, IA-8, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.008", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-8"}, {"techniqueID": "T1068", "score": 24, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1078", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to AC-2, AC-5, AC-6, CA-7, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1078.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.004", "score": 21, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to AC-2, AC-3, 
AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1098", "score": 11, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1098.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1136", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, 
AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1136.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-7, SI-4, SI-7"}, {"techniqueID": "T1185", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1190", "score": 27, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-5, SA-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1210", "score": 30, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1212", "score": 23, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1218", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1489", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, 
SA-10, SA-11, SA-14, SI-2, SI-7"}, {"techniqueID": "T1505", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SI-4, SI-7"}, {"techniqueID": "T1505.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SI-4, SI-7"}, {"techniqueID": "T1505.002", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SA-12, SI-4, SI-7"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-7"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-8, RA-5, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1543.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.004", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1546.003", 
"score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1547.006", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-2, SI-4"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SI-2"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to AC-2, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-4"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to AC-2, AC-5, AC-6, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SI-2, SI-4"}, {"techniqueID": "T1553", "score": 23, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-10, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-9, SA-10, SA-11, SA-14, SC-34, SI-10, SI-2, SI-4, SI-7"}, {"techniqueID": "T1553.006", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, 
CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5"}, {"techniqueID": "T1559", "score": 21, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-10, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1559.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5, SC-18, SC-3, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.006", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, SC-8, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, 
SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-6, CM-8, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, 
SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1601", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1601.001", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1601.002", "score": 23, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, SA-10, SA-11, SA-12, SA-14, SC-34, SI-2, SI-4, SI-7"}, {"techniqueID": "T1611", "score": 20, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-18, SC-2, SC-3, SC-34, SC-39, SC-7, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to AC-20, AC-3, AC-4, AC-5, AC-6, CM-2, CM-6, SA-11, SA-17, SA-4, SA-8, SC-3"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to AC-20, AC-3, AC-6, MP-7, SC-41"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to AC-20, AC-3, AC-6, CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1048", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, 
SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.001", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.002", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.003", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1052", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1052.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to AC-3, AC-6, CA-7, SC-18, SC-7, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to AC-3, CA-7, CM-2, CM-7, SC-4, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to AC-3, CM-2, CM-6, CM-7, CM-8, RA-5, SC-12, SI-3, SI-4"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1199", "score": 7, "comment": "Related to AC-3, AC-4, AC-6, AC-8, CM-6, CM-7, SC-7"}, {"techniqueID": "T1205", 
"score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1218.002", "score": 9, "comment": "Related to AC-3, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.012", "score": 13, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-6, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-7, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.003", "score": 9, 
"comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to AC-3, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, RA-5, SA-10, SA-11, SA-14, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-10, CM-2, CM-6, IA-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565.003", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, CP-9, SC-28, SC-4, SC-7, SI-16, SI-4"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, 
CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1041", "score": 5, "comment": "Related to AC-4, CA-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1046", "score": 10, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, 
{"techniqueID": "T1104", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to AC-4, AC-6, CA-7, CM-2, CM-6, CM-8, SA-22, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to AC-4, AC-6, CA-7, CM-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.003", "score": 15, "comment": "Related to AC-4, CA-7, CA-8, CM-2, CM-6, CM-7, RA-5, SA-12, SC-44, SC-7, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1211", "score": 22, "comment": "Related to AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to AC-4, CA-8, CM-6, CM-7, RA-5, SA-13, SA-17, SA-8, SC-7"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to AC-4, AC-6, CM-10, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, 
CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, 
SI-4"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1059.006", "score": 10, "comment": "Related to AC-6, CM-11, CM-3, CM-5, CM-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to AC-6, CM-7"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, RA-5, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to AC-6, SI-2"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to AC-6, CM-5"}, {"techniqueID": "T1195", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.001", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.002", "score": 7, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-5, SA-22, SI-2"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to 
CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to CA-8, CM-3, CM-5, CM-8, IA-7, SA-10, SA-11, SA-14, SC-34, SI-2, SI-7"}, {"techniqueID": "T1554", "score": 7, "comment": "Related to CA-8, CM-2, CM-6, IA-9, SA-12, SA-19, SI-7"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, CM-7, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, IA-9, SC-20, SI-4"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to CM-2, CM-6, IA-9, SI-4, SI-7"}, {"techniqueID": "T1059.002", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, IA-9, SA-12, SI-10, SI-4, SI-7"}, {"techniqueID": "T1059.005", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.007", "score": 10, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SI-3, SI-4"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-4"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": 
"T1137.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.001", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, SC-18, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.003", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.004", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.005", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.008", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.009", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.006", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, IA-9, SA-12, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.010", "score": 3, "comment": "Related to CM-2, SI-2, SI-7"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to CM-2, CM-6, RA-5, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.005", "score": 6, 
"comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to CM-2, CM-6, CM-7, IA-5, SI-4"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to CM-2, CM-6, IA-2, IA-5, SI-2, SI-4"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to CM-2, CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to CM-2, CM-6, CM-8, SI-4"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to CM-6, CM-7, SC-28, SI-4"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to CM-6, CM-7, SI-10, SI-7"}, {"techniqueID": "T1059.003", "score": 4, "comment": "Related to CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1059.004", "score": 4, "comment": "Related to CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to CM-7"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to SA-10, 
SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SI-2"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to SC-23"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to SC-23, SC-8, SI-7"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to SC-8"}, {"techniqueID": "T1027", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1137.003", "score": 1, "comment": "Related to SI-2"}, {"techniqueID": "T1137.004", "score": 1, "comment": "Related to SI-2"}, {"techniqueID": "T1137.005", "score": 1, "comment": "Related to SI-2"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings.yaml b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings.yaml index fac74048..78f3984d 100644 --- a/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings.yaml @@ -1,7 +1,7 @@ attack-objects: - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -9,7 +9,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -17,7 +17,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Concurrent Session Control + capability-id: AC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25,7 +25,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Device Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -33,7 +33,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Device Lock + capability-id: AC-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -41,7 +41,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -49,7 +49,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -57,7 +57,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Session Termination + capability-id: AC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -65,7 +65,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Permitted Actions Without Identification or Authentication + capability-id: AC-14 comments: '' mapping-description: '' mapping-type: mitigates @@ -73,7 +73,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -81,7 +81,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -89,7 +89,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -97,7 +97,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -105,7 +105,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -113,7 +113,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -121,7 +121,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -129,7 +129,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -137,7 +137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -145,7 +145,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -153,7 +153,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -161,7 +161,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -169,7 +169,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -177,7 +177,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -185,7 +185,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -193,7 +193,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -201,7 +201,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -209,7 +209,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -217,7 +217,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -225,7 +225,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -233,7 +233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -241,7 +241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -249,7 +249,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -257,7 +257,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -265,7 +265,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -273,7 +273,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -281,7 +281,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -289,7 +289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -297,7 +297,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -305,7 +305,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -313,7 +313,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -321,7 +321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -329,7 +329,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -337,7 +337,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -345,7 +345,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -353,7 +353,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -361,7 +361,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -369,7 +369,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -377,7 +377,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -385,7 +385,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -393,7 +393,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security and Privacy Attributes + capability-id: AC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -401,7 +401,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -409,7 +409,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -417,7 +417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -425,7 +425,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -433,7 +433,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -441,7 +441,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -449,7 +449,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -457,7 +457,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -465,7 +465,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -473,7 +473,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -481,7 +481,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -489,7 +489,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -497,7 +497,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -505,7 +505,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -513,7 +513,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -521,7 +521,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -529,7 +529,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -537,7 +537,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -545,7 +545,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -553,7 +553,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -561,7 +561,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -569,7 +569,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -577,7 +577,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -585,7 +585,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -593,7 +593,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -601,7 +601,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -609,7 +609,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -617,7 +617,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -625,7 +625,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -633,7 +633,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -641,7 +641,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -649,7 +649,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -657,7 +657,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -665,7 +665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -673,7 +673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -681,7 +681,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -689,7 +689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -697,7 +697,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -705,7 +705,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -713,7 +713,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -721,7 +721,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -729,7 +729,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -737,7 +737,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -745,7 +745,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -753,7 +753,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -761,7 +761,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -769,7 +769,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -777,7 +777,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -785,7 +785,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -793,7 +793,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -801,7 +801,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -809,7 +809,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -817,7 +817,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -825,7 +825,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -833,7 +833,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -841,7 +841,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -849,7 +849,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -857,7 +857,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -865,7 +865,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -873,7 +873,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -881,7 +881,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Remote Access + capability-id: AC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -889,7 +889,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -897,7 +897,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -905,7 +905,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -913,7 +913,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -921,7 +921,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -929,7 +929,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -937,7 +937,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -945,7 +945,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -953,7 +953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -961,7 +961,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -969,7 +969,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -977,7 +977,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -985,7 +985,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -993,7 +993,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1001,7 +1001,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1009,7 +1009,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1017,7 +1017,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1025,7 +1025,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1033,7 +1033,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1041,7 +1041,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1049,7 +1049,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1057,7 +1057,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1065,7 +1065,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Wireless Access + capability-id: AC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -1073,7 +1073,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1081,7 +1081,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1089,7 +1089,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1097,7 +1097,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1105,7 +1105,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1113,7 +1113,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1121,7 +1121,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1129,7 +1129,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1137,7 +1137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1145,7 +1145,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1153,7 +1153,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1161,7 +1161,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1169,7 +1169,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1177,7 +1177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1185,7 +1185,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1193,7 +1193,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1201,7 +1201,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1209,7 +1209,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1217,7 +1217,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1225,7 +1225,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1233,7 +1233,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1241,7 +1241,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1249,7 +1249,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1257,7 +1257,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1265,7 +1265,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1273,7 +1273,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Control for Mobile Devices + capability-id: AC-19 comments: '' mapping-description: '' mapping-type: mitigates @@ -1281,7 +1281,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1289,7 +1289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1297,7 +1297,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1305,7 +1305,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1313,7 +1313,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1321,7 +1321,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1329,7 +1329,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1337,7 +1337,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1345,7 +1345,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1353,7 +1353,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1361,7 +1361,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1369,7 +1369,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1377,7 +1377,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1385,7 +1385,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1393,7 +1393,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1401,7 +1401,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1409,7 +1409,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1417,7 +1417,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1425,7 +1425,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1433,7 +1433,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1441,7 +1441,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1449,7 +1449,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1457,7 +1457,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1465,7 +1465,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1473,7 +1473,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1481,7 +1481,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1489,7 +1489,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1497,7 +1497,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1505,7 +1505,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1513,7 +1513,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1521,7 +1521,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1529,7 +1529,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1537,7 +1537,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1545,7 +1545,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1553,7 +1553,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1561,7 +1561,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1569,7 +1569,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1577,7 +1577,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1585,7 +1585,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1593,7 +1593,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1601,7 +1601,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1609,7 +1609,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1617,7 +1617,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1625,7 +1625,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1633,7 +1633,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1641,7 +1641,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1649,7 +1649,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1657,7 +1657,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1665,7 +1665,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1673,7 +1673,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1681,7 +1681,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1689,7 +1689,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1697,7 +1697,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1705,7 +1705,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1713,7 +1713,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1721,7 +1721,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1729,7 +1729,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1737,7 +1737,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1745,7 +1745,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1753,7 +1753,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1761,7 +1761,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1769,7 +1769,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1777,7 +1777,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1785,7 +1785,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1793,7 +1793,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1801,7 +1801,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1809,7 +1809,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1817,7 +1817,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1825,7 +1825,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1833,7 +1833,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1841,7 +1841,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1849,7 +1849,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1857,7 +1857,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1865,7 +1865,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1873,7 +1873,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1881,7 +1881,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1889,7 +1889,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1897,7 +1897,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1905,7 +1905,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1913,7 +1913,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1921,7 +1921,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1929,7 +1929,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1937,7 +1937,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1945,7 +1945,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1953,7 +1953,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1961,7 +1961,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -1969,7 +1969,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1977,7 +1977,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1985,7 +1985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -1993,7 +1993,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2001,7 +2001,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2009,7 +2009,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2017,7 +2017,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2025,7 +2025,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2033,7 +2033,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2041,7 +2041,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2049,7 +2049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2057,7 +2057,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2065,7 +2065,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2073,7 +2073,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2081,7 +2081,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2089,7 +2089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2097,7 +2097,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2105,7 +2105,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2113,7 +2113,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2121,7 +2121,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2129,7 +2129,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2137,7 +2137,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2145,7 +2145,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2153,7 +2153,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2161,7 +2161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2169,7 +2169,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2177,7 +2177,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2185,7 +2185,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2193,7 +2193,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2201,7 +2201,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2209,7 +2209,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2217,7 +2217,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2225,7 +2225,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2233,7 +2233,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2241,7 +2241,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2249,7 +2249,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2257,7 +2257,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2265,7 +2265,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2273,7 +2273,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2281,7 +2281,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2289,7 +2289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2297,7 +2297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2305,7 +2305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2313,7 +2313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2321,7 +2321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2329,7 +2329,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2337,7 +2337,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2345,7 +2345,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2353,7 +2353,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2361,7 +2361,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2369,7 +2369,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2377,7 +2377,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2385,7 +2385,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2393,7 +2393,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2401,7 +2401,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2409,7 +2409,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2417,7 +2417,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2425,7 +2425,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2433,7 +2433,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2441,7 +2441,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2449,7 +2449,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2457,7 +2457,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2465,7 +2465,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2473,7 +2473,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2481,7 +2481,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2489,7 +2489,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2497,7 +2497,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2505,7 +2505,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2513,7 +2513,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2521,7 +2521,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2529,7 +2529,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2537,7 +2537,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2545,7 +2545,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2553,7 +2553,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2561,7 +2561,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Account Management + capability-id: AC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -2569,7 +2569,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2577,7 +2577,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2585,7 +2585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2593,7 +2593,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2601,7 +2601,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2609,7 +2609,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2617,7 +2617,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2625,7 +2625,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2633,7 +2633,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2641,7 +2641,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2649,7 +2649,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2657,7 +2657,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2665,7 +2665,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2673,7 +2673,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2681,7 +2681,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2689,7 +2689,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2697,7 +2697,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2705,7 +2705,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2713,7 +2713,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2721,7 +2721,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2729,7 +2729,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2737,7 +2737,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2745,7 +2745,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2753,7 +2753,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2761,7 +2761,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2769,7 +2769,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2777,7 +2777,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2785,7 +2785,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2793,7 +2793,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2801,7 +2801,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2809,7 +2809,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2817,7 +2817,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2825,7 +2825,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2833,7 +2833,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2841,7 +2841,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2849,7 +2849,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2857,7 +2857,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2865,7 +2865,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2873,7 +2873,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2881,7 +2881,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2889,7 +2889,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2897,7 +2897,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2905,7 +2905,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2913,7 +2913,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2921,7 +2921,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2929,7 +2929,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2937,7 +2937,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2945,7 +2945,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2953,7 +2953,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Use of External Systems + capability-id: AC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -2961,7 +2961,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2969,7 +2969,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2977,7 +2977,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Sharing + capability-id: AC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -2985,7 +2985,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -2993,7 +2993,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3001,7 +3001,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3009,7 +3009,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3017,7 +3017,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Data Mining Protection + capability-id: AC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -3025,7 +3025,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3033,7 +3033,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3041,7 +3041,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3049,7 +3049,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3057,7 +3057,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3065,7 +3065,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3073,7 +3073,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3081,7 +3081,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3089,7 +3089,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3097,7 +3097,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3105,7 +3105,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3113,7 +3113,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3121,7 +3121,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3129,7 +3129,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3137,7 +3137,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3145,7 +3145,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3153,7 +3153,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3161,7 +3161,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3169,7 +3169,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3177,7 +3177,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3185,7 +3185,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3193,7 +3193,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3201,7 +3201,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3209,7 +3209,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3217,7 +3217,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3225,7 +3225,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3233,7 +3233,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3241,7 +3241,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3249,7 +3249,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3257,7 +3257,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3265,7 +3265,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3273,7 +3273,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3281,7 +3281,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3289,7 +3289,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3297,7 +3297,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3305,7 +3305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3313,7 +3313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3321,7 +3321,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3329,7 +3329,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3337,7 +3337,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3345,7 +3345,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3353,7 +3353,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3361,7 +3361,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3369,7 +3369,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3377,7 +3377,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3385,7 +3385,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3393,7 +3393,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3401,7 +3401,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3409,7 +3409,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3417,7 +3417,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3425,7 +3425,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3433,7 +3433,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3441,7 +3441,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3449,7 +3449,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3457,7 +3457,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3465,7 +3465,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3473,7 +3473,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3481,7 +3481,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3489,7 +3489,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3497,7 +3497,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3505,7 +3505,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3513,7 +3513,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3521,7 +3521,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3529,7 +3529,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3537,7 +3537,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3545,7 +3545,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3553,7 +3553,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3561,7 +3561,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3569,7 +3569,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3577,7 +3577,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3585,7 +3585,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3593,7 +3593,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3601,7 +3601,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3609,7 +3609,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3617,7 +3617,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3625,7 +3625,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3633,7 +3633,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3641,7 +3641,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3649,7 +3649,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3657,7 +3657,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3665,7 +3665,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3673,7 +3673,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3681,7 +3681,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3689,7 +3689,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3697,7 +3697,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3705,7 +3705,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3713,7 +3713,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3721,7 +3721,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3729,7 +3729,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3737,7 +3737,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3745,7 +3745,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3753,7 +3753,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3761,7 +3761,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3769,7 +3769,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3777,7 +3777,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3785,7 +3785,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3793,7 +3793,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3801,7 +3801,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3809,7 +3809,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3817,7 +3817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3825,7 +3825,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3833,7 +3833,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3841,7 +3841,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3849,7 +3849,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3857,7 +3857,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3865,7 +3865,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3873,7 +3873,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3881,7 +3881,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3889,7 +3889,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3897,7 +3897,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3905,7 +3905,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3913,7 +3913,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3921,7 +3921,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3929,7 +3929,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3937,7 +3937,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3945,7 +3945,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -3953,7 +3953,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3961,7 +3961,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3969,7 +3969,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3977,7 +3977,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3985,7 +3985,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -3993,7 +3993,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4001,7 +4001,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4009,7 +4009,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4017,7 +4017,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4025,7 +4025,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4033,7 +4033,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4041,7 +4041,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4049,7 +4049,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4057,7 +4057,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4065,7 +4065,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4073,7 +4073,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4081,7 +4081,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4089,7 +4089,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4097,7 +4097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4105,7 +4105,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4113,7 +4113,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4121,7 +4121,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4129,7 +4129,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4137,7 +4137,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4145,7 +4145,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4153,7 +4153,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4161,7 +4161,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4169,7 +4169,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4177,7 +4177,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4185,7 +4185,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4193,7 +4193,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4201,7 +4201,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4209,7 +4209,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4217,7 +4217,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4225,7 +4225,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4233,7 +4233,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4241,7 +4241,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4249,7 +4249,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4257,7 +4257,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4265,7 +4265,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4273,7 +4273,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4281,7 +4281,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4289,7 +4289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4297,7 +4297,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4305,7 +4305,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4313,7 +4313,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4321,7 +4321,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4329,7 +4329,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4337,7 +4337,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4345,7 +4345,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4353,7 +4353,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4361,7 +4361,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4369,7 +4369,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4377,7 +4377,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4385,7 +4385,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4393,7 +4393,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4401,7 +4401,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4409,7 +4409,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4417,7 +4417,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4425,7 +4425,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4433,7 +4433,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4441,7 +4441,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4449,7 +4449,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4457,7 +4457,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4465,7 +4465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4473,7 +4473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4481,7 +4481,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4489,7 +4489,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4497,7 +4497,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4505,7 +4505,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4513,7 +4513,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4521,7 +4521,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4529,7 +4529,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4537,7 +4537,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4545,7 +4545,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4553,7 +4553,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4561,7 +4561,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4569,7 +4569,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4577,7 +4577,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4585,7 +4585,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4593,7 +4593,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4601,7 +4601,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4609,7 +4609,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4617,7 +4617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4625,7 +4625,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4633,7 +4633,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4641,7 +4641,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4649,7 +4649,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4657,7 +4657,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4665,7 +4665,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4673,7 +4673,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4681,7 +4681,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4689,7 +4689,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4697,7 +4697,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4705,7 +4705,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4713,7 +4713,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4721,7 +4721,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4729,7 +4729,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4737,7 +4737,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4745,7 +4745,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4753,7 +4753,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4761,7 +4761,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4769,7 +4769,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4777,7 +4777,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4785,7 +4785,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4793,7 +4793,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4801,7 +4801,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4809,7 +4809,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Access Enforcement + capability-id: AC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -4817,7 +4817,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4825,7 +4825,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4833,7 +4833,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4841,7 +4841,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4849,7 +4849,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4857,7 +4857,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4865,7 +4865,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4873,7 +4873,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4881,7 +4881,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4889,7 +4889,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4897,7 +4897,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4905,7 +4905,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4913,7 +4913,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4921,7 +4921,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4929,7 +4929,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4937,7 +4937,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4945,7 +4945,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4953,7 +4953,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4961,7 +4961,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -4969,7 +4969,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4977,7 +4977,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4985,7 +4985,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -4993,7 +4993,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5001,7 +5001,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5009,7 +5009,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5017,7 +5017,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5025,7 +5025,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5033,7 +5033,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5041,7 +5041,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5049,7 +5049,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5057,7 +5057,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5065,7 +5065,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5073,7 +5073,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5081,7 +5081,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5089,7 +5089,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5097,7 +5097,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5105,7 +5105,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5113,7 +5113,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5121,7 +5121,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5129,7 +5129,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5137,7 +5137,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5145,7 +5145,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5153,7 +5153,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5161,7 +5161,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5169,7 +5169,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5177,7 +5177,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5185,7 +5185,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5193,7 +5193,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5201,7 +5201,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5209,7 +5209,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5217,7 +5217,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5225,7 +5225,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5233,7 +5233,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5241,7 +5241,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5249,7 +5249,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5257,7 +5257,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5265,7 +5265,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5273,7 +5273,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5281,7 +5281,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5289,7 +5289,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5297,7 +5297,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5305,7 +5305,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5313,7 +5313,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5321,7 +5321,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5329,7 +5329,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5337,7 +5337,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5345,7 +5345,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5353,7 +5353,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5361,7 +5361,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5369,7 +5369,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5377,7 +5377,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5385,7 +5385,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5393,7 +5393,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5401,7 +5401,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5409,7 +5409,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5417,7 +5417,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5425,7 +5425,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5433,7 +5433,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5441,7 +5441,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5449,7 +5449,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5457,7 +5457,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5465,7 +5465,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5473,7 +5473,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5481,7 +5481,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5489,7 +5489,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5497,7 +5497,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5505,7 +5505,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5513,7 +5513,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5521,7 +5521,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5529,7 +5529,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5537,7 +5537,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5545,7 +5545,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5553,7 +5553,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5561,7 +5561,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5569,7 +5569,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5577,7 +5577,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5585,7 +5585,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5593,7 +5593,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5601,7 +5601,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5609,7 +5609,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5617,7 +5617,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5625,7 +5625,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5633,7 +5633,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5641,7 +5641,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5649,7 +5649,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5657,7 +5657,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5665,7 +5665,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5673,7 +5673,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5681,7 +5681,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5689,7 +5689,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5697,7 +5697,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5705,7 +5705,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5713,7 +5713,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5721,7 +5721,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5729,7 +5729,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5737,7 +5737,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5745,7 +5745,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5753,7 +5753,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5761,7 +5761,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5769,7 +5769,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5777,7 +5777,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5785,7 +5785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5793,7 +5793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5801,7 +5801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5809,7 +5809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5817,7 +5817,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5825,7 +5825,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5833,7 +5833,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5841,7 +5841,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5849,7 +5849,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5857,7 +5857,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5865,7 +5865,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5873,7 +5873,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5881,7 +5881,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5889,7 +5889,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5897,7 +5897,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5905,7 +5905,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5913,7 +5913,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Information Flow Enforcement + capability-id: AC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -5921,7 +5921,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5929,7 +5929,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5937,7 +5937,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5945,7 +5945,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -5953,7 +5953,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5961,7 +5961,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5969,7 +5969,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5977,7 +5977,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5985,7 +5985,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -5993,7 +5993,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6001,7 +6001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6009,7 +6009,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6017,7 +6017,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6025,7 +6025,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6033,7 +6033,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6041,7 +6041,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6049,7 +6049,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6057,7 +6057,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6065,7 +6065,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6073,7 +6073,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6081,7 +6081,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6089,7 +6089,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6097,7 +6097,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6105,7 +6105,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6113,7 +6113,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6121,7 +6121,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6129,7 +6129,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6137,7 +6137,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6145,7 +6145,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6153,7 +6153,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6161,7 +6161,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6169,7 +6169,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6177,7 +6177,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6185,7 +6185,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6193,7 +6193,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6201,7 +6201,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6209,7 +6209,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6217,7 +6217,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6225,7 +6225,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6233,7 +6233,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6241,7 +6241,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6249,7 +6249,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6257,7 +6257,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6265,7 +6265,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6273,7 +6273,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6281,7 +6281,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6289,7 +6289,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6297,7 +6297,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6305,7 +6305,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6313,7 +6313,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6321,7 +6321,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6329,7 +6329,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6337,7 +6337,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6345,7 +6345,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6353,7 +6353,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6361,7 +6361,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6369,7 +6369,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6377,7 +6377,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6385,7 +6385,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6393,7 +6393,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6401,7 +6401,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6409,7 +6409,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6417,7 +6417,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6425,7 +6425,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6433,7 +6433,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6441,7 +6441,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6449,7 +6449,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6457,7 +6457,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6465,7 +6465,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6473,7 +6473,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6481,7 +6481,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6489,7 +6489,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6497,7 +6497,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6505,7 +6505,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6513,7 +6513,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6521,7 +6521,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6529,7 +6529,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6537,7 +6537,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6545,7 +6545,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6553,7 +6553,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6561,7 +6561,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6569,7 +6569,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6577,7 +6577,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6585,7 +6585,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6593,7 +6593,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6601,7 +6601,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6609,7 +6609,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6617,7 +6617,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6625,7 +6625,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6633,7 +6633,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6641,7 +6641,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6649,7 +6649,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6657,7 +6657,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6665,7 +6665,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6673,7 +6673,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6681,7 +6681,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6689,7 +6689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6697,7 +6697,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6705,7 +6705,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6713,7 +6713,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6721,7 +6721,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6729,7 +6729,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6737,7 +6737,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6745,7 +6745,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6753,7 +6753,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6761,7 +6761,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6769,7 +6769,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6777,7 +6777,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6785,7 +6785,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6793,7 +6793,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6801,7 +6801,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6809,7 +6809,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6817,7 +6817,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6825,7 +6825,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6833,7 +6833,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6841,7 +6841,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6849,7 +6849,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6857,7 +6857,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6865,7 +6865,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6873,7 +6873,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6881,7 +6881,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6889,7 +6889,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6897,7 +6897,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6905,7 +6905,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6913,7 +6913,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6921,7 +6921,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6929,7 +6929,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6937,7 +6937,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6945,7 +6945,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6953,7 +6953,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6961,7 +6961,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6969,7 +6969,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -6977,7 +6977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6985,7 +6985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -6993,7 +6993,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7001,7 +7001,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7009,7 +7009,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7017,7 +7017,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7025,7 +7025,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7033,7 +7033,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7041,7 +7041,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7049,7 +7049,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7057,7 +7057,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7065,7 +7065,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7073,7 +7073,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7081,7 +7081,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7089,7 +7089,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7097,7 +7097,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7105,7 +7105,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7113,7 +7113,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation of Duties + capability-id: AC-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -7121,7 +7121,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7129,7 +7129,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7137,7 +7137,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7145,7 +7145,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7153,7 +7153,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7161,7 +7161,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7169,7 +7169,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7177,7 +7177,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7185,7 +7185,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7193,7 +7193,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7201,7 +7201,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7209,7 +7209,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7217,7 +7217,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7225,7 +7225,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7233,7 +7233,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7241,7 +7241,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7249,7 +7249,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7257,7 +7257,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7265,7 +7265,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7273,7 +7273,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7281,7 +7281,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7289,7 +7289,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7297,7 +7297,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7305,7 +7305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7313,7 +7313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7321,7 +7321,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7329,7 +7329,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7337,7 +7337,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7345,7 +7345,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7353,7 +7353,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7361,7 +7361,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7369,7 +7369,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7377,7 +7377,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7385,7 +7385,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7393,7 +7393,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7401,7 +7401,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7409,7 +7409,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7417,7 +7417,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7425,7 +7425,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7433,7 +7433,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7441,7 +7441,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7449,7 +7449,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7457,7 +7457,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7465,7 +7465,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7473,7 +7473,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7481,7 +7481,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7489,7 +7489,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7497,7 +7497,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7505,7 +7505,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7513,7 +7513,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7521,7 +7521,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7529,7 +7529,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7537,7 +7537,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7545,7 +7545,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7553,7 +7553,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7561,7 +7561,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7569,7 +7569,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7577,7 +7577,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7585,7 +7585,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7593,7 +7593,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7601,7 +7601,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7609,7 +7609,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7617,7 +7617,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7625,7 +7625,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7633,7 +7633,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7641,7 +7641,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7649,7 +7649,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7657,7 +7657,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7665,7 +7665,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7673,7 +7673,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7681,7 +7681,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7689,7 +7689,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7697,7 +7697,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7705,7 +7705,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7713,7 +7713,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7721,7 +7721,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7729,7 +7729,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7737,7 +7737,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7745,7 +7745,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7753,7 +7753,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7761,7 +7761,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7769,7 +7769,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7777,7 +7777,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7785,7 +7785,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7793,7 +7793,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7801,7 +7801,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7809,7 +7809,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7817,7 +7817,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7825,7 +7825,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7833,7 +7833,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7841,7 +7841,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7849,7 +7849,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7857,7 +7857,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7865,7 +7865,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7873,7 +7873,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7881,7 +7881,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7889,7 +7889,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7897,7 +7897,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7905,7 +7905,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7913,7 +7913,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7921,7 +7921,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7929,7 +7929,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7937,7 +7937,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7945,7 +7945,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7953,7 +7953,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7961,7 +7961,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7969,7 +7969,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7977,7 +7977,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -7985,7 +7985,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -7993,7 +7993,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8001,7 +8001,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8009,7 +8009,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8017,7 +8017,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8025,7 +8025,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8033,7 +8033,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8041,7 +8041,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8049,7 +8049,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8057,7 +8057,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8065,7 +8065,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8073,7 +8073,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8081,7 +8081,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8089,7 +8089,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8097,7 +8097,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8105,7 +8105,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8113,7 +8113,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8121,7 +8121,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8129,7 +8129,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8137,7 +8137,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8145,7 +8145,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8153,7 +8153,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8161,7 +8161,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8169,7 +8169,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8177,7 +8177,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8185,7 +8185,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8193,7 +8193,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8201,7 +8201,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8209,7 +8209,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8217,7 +8217,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8225,7 +8225,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8233,7 +8233,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8241,7 +8241,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8249,7 +8249,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8257,7 +8257,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8265,7 +8265,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8273,7 +8273,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8281,7 +8281,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8289,7 +8289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8297,7 +8297,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8305,7 +8305,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8313,7 +8313,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8321,7 +8321,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8329,7 +8329,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8337,7 +8337,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8345,7 +8345,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8353,7 +8353,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8361,7 +8361,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8369,7 +8369,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8377,7 +8377,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8385,7 +8385,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8393,7 +8393,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8401,7 +8401,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8409,7 +8409,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8417,7 +8417,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8425,7 +8425,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8433,7 +8433,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8441,7 +8441,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8449,7 +8449,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8457,7 +8457,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8465,7 +8465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8473,7 +8473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8481,7 +8481,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8489,7 +8489,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8497,7 +8497,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8505,7 +8505,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8513,7 +8513,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8521,7 +8521,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8529,7 +8529,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8537,7 +8537,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8545,7 +8545,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8553,7 +8553,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8561,7 +8561,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8569,7 +8569,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8577,7 +8577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8585,7 +8585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8593,7 +8593,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8601,7 +8601,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8609,7 +8609,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8617,7 +8617,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8625,7 +8625,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8633,7 +8633,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8641,7 +8641,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8649,7 +8649,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8657,7 +8657,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8665,7 +8665,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8673,7 +8673,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8681,7 +8681,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8689,7 +8689,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8697,7 +8697,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8705,7 +8705,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8713,7 +8713,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8721,7 +8721,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8729,7 +8729,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8737,7 +8737,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8745,7 +8745,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Privilege + capability-id: AC-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -8753,7 +8753,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8761,7 +8761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8769,7 +8769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8777,7 +8777,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8785,7 +8785,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8793,7 +8793,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8801,7 +8801,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8809,7 +8809,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8817,7 +8817,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8825,7 +8825,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8833,7 +8833,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8841,7 +8841,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8849,7 +8849,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8857,7 +8857,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8865,7 +8865,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8873,7 +8873,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Unsuccessful Logon Attempts + capability-id: AC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8881,7 +8881,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: System Use Notification + capability-id: AC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -8889,7 +8889,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8897,7 +8897,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8905,7 +8905,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8913,7 +8913,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8921,7 +8921,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Control Assessments + capability-id: CA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -8929,7 +8929,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8937,7 +8937,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -8945,7 +8945,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8953,7 +8953,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8961,7 +8961,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8969,7 +8969,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8977,7 +8977,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8985,7 +8985,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -8993,7 +8993,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9001,7 +9001,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9009,7 +9009,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9017,7 +9017,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9025,7 +9025,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9033,7 +9033,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9041,7 +9041,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9049,7 +9049,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9057,7 +9057,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9065,7 +9065,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9073,7 +9073,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9081,7 +9081,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9089,7 +9089,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9097,7 +9097,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9105,7 +9105,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9113,7 +9113,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9121,7 +9121,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9129,7 +9129,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9137,7 +9137,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9145,7 +9145,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9153,7 +9153,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9161,7 +9161,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9169,7 +9169,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9177,7 +9177,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9185,7 +9185,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9193,7 +9193,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9201,7 +9201,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9209,7 +9209,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9217,7 +9217,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9225,7 +9225,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9233,7 +9233,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9241,7 +9241,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9249,7 +9249,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9257,7 +9257,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9265,7 +9265,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9273,7 +9273,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9281,7 +9281,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9289,7 +9289,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9297,7 +9297,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9305,7 +9305,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9313,7 +9313,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9321,7 +9321,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9329,7 +9329,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9337,7 +9337,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9345,7 +9345,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9353,7 +9353,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9361,7 +9361,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9369,7 +9369,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9377,7 +9377,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9385,7 +9385,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9393,7 +9393,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9401,7 +9401,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9409,7 +9409,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9417,7 +9417,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9425,7 +9425,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9433,7 +9433,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9441,7 +9441,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9449,7 +9449,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9457,7 +9457,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9465,7 +9465,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9473,7 +9473,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9481,7 +9481,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9489,7 +9489,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9497,7 +9497,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9505,7 +9505,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9513,7 +9513,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9521,7 +9521,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9529,7 +9529,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9537,7 +9537,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9545,7 +9545,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9553,7 +9553,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9561,7 +9561,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9569,7 +9569,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9577,7 +9577,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9585,7 +9585,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9593,7 +9593,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9601,7 +9601,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9609,7 +9609,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9617,7 +9617,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9625,7 +9625,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9633,7 +9633,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9641,7 +9641,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9649,7 +9649,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9657,7 +9657,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9665,7 +9665,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9673,7 +9673,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9681,7 +9681,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9689,7 +9689,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9697,7 +9697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9705,7 +9705,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9713,7 +9713,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9721,7 +9721,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9729,7 +9729,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9737,7 +9737,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9745,7 +9745,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9753,7 +9753,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9761,7 +9761,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9769,7 +9769,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9777,7 +9777,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9785,7 +9785,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9793,7 +9793,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9801,7 +9801,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9809,7 +9809,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9817,7 +9817,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9825,7 +9825,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9833,7 +9833,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9841,7 +9841,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9849,7 +9849,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9857,7 +9857,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9865,7 +9865,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9873,7 +9873,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9881,7 +9881,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9889,7 +9889,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9897,7 +9897,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9905,7 +9905,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9913,7 +9913,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9921,7 +9921,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9929,7 +9929,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9937,7 +9937,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9945,7 +9945,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9953,7 +9953,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -9961,7 +9961,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9969,7 +9969,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9977,7 +9977,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9985,7 +9985,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -9993,7 +9993,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10001,7 +10001,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10009,7 +10009,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10017,7 +10017,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10025,7 +10025,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10033,7 +10033,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10041,7 +10041,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10049,7 +10049,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10057,7 +10057,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10065,7 +10065,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10073,7 +10073,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10081,7 +10081,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10089,7 +10089,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10097,7 +10097,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10105,7 +10105,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10113,7 +10113,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10121,7 +10121,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10129,7 +10129,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10137,7 +10137,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10145,7 +10145,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10153,7 +10153,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10161,7 +10161,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10169,7 +10169,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10177,7 +10177,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10185,7 +10185,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10193,7 +10193,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10201,7 +10201,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10209,7 +10209,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10217,7 +10217,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10225,7 +10225,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10233,7 +10233,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10241,7 +10241,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10249,7 +10249,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10257,7 +10257,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10265,7 +10265,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10273,7 +10273,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10281,7 +10281,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10289,7 +10289,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10297,7 +10297,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10305,7 +10305,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10313,7 +10313,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10321,7 +10321,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10329,7 +10329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10337,7 +10337,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10345,7 +10345,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10353,7 +10353,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10361,7 +10361,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10369,7 +10369,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10377,7 +10377,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10385,7 +10385,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10393,7 +10393,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -10401,7 +10401,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Continuous Monitoring + capability-id: CA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10409,7 +10409,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10417,7 +10417,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10425,7 +10425,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10433,7 +10433,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10441,7 +10441,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10449,7 +10449,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10457,7 +10457,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10465,7 +10465,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10473,7 +10473,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10481,7 +10481,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10489,7 +10489,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10497,7 +10497,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10505,7 +10505,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10513,7 +10513,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10521,7 +10521,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10529,7 +10529,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10537,7 +10537,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10545,7 +10545,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10553,7 +10553,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10561,7 +10561,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10569,7 +10569,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10577,7 +10577,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10585,7 +10585,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10593,7 +10593,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10601,7 +10601,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10609,7 +10609,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10617,7 +10617,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10625,7 +10625,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10633,7 +10633,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10641,7 +10641,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10649,7 +10649,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10657,7 +10657,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10665,7 +10665,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10673,7 +10673,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10681,7 +10681,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10689,7 +10689,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10697,7 +10697,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10705,7 +10705,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10713,7 +10713,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10721,7 +10721,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10729,7 +10729,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10737,7 +10737,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10745,7 +10745,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10753,7 +10753,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10761,7 +10761,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10769,7 +10769,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10777,7 +10777,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10785,7 +10785,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10793,7 +10793,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10801,7 +10801,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10809,7 +10809,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10817,7 +10817,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10825,7 +10825,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10833,7 +10833,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10841,7 +10841,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10849,7 +10849,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10857,7 +10857,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10865,7 +10865,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10873,7 +10873,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10881,7 +10881,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10889,7 +10889,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10897,7 +10897,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10905,7 +10905,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10913,7 +10913,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10921,7 +10921,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10929,7 +10929,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10937,7 +10937,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Penetration Testing + capability-id: CA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -10945,7 +10945,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10953,7 +10953,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10961,7 +10961,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10969,7 +10969,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10977,7 +10977,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -10985,7 +10985,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -10993,7 +10993,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Software Usage Restrictions + capability-id: CM-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -11001,7 +11001,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11009,7 +11009,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11017,7 +11017,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11025,7 +11025,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11033,7 +11033,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11041,7 +11041,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11049,7 +11049,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11057,7 +11057,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11065,7 +11065,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11073,7 +11073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11081,7 +11081,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11089,7 +11089,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11097,7 +11097,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11105,7 +11105,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11113,7 +11113,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11121,7 +11121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11129,7 +11129,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11137,7 +11137,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11145,7 +11145,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: User-installed Software + capability-id: CM-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -11153,7 +11153,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11161,7 +11161,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11169,7 +11169,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11177,7 +11177,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11185,7 +11185,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11193,7 +11193,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11201,7 +11201,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11209,7 +11209,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11217,7 +11217,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11225,7 +11225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11233,7 +11233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11241,7 +11241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11249,7 +11249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11257,7 +11257,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11265,7 +11265,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11273,7 +11273,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11281,7 +11281,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11289,7 +11289,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11297,7 +11297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11305,7 +11305,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11313,7 +11313,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11321,7 +11321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11329,7 +11329,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11337,7 +11337,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11345,7 +11345,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11353,7 +11353,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11361,7 +11361,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11369,7 +11369,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11377,7 +11377,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11385,7 +11385,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11393,7 +11393,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11401,7 +11401,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11409,7 +11409,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11417,7 +11417,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11425,7 +11425,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11433,7 +11433,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11441,7 +11441,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11449,7 +11449,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11457,7 +11457,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11465,7 +11465,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11473,7 +11473,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11481,7 +11481,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11489,7 +11489,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11497,7 +11497,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11505,7 +11505,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11513,7 +11513,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11521,7 +11521,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11529,7 +11529,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11537,7 +11537,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11545,7 +11545,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11553,7 +11553,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11561,7 +11561,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11569,7 +11569,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11577,7 +11577,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11585,7 +11585,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11593,7 +11593,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11601,7 +11601,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11609,7 +11609,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11617,7 +11617,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11625,7 +11625,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11633,7 +11633,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11641,7 +11641,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11649,7 +11649,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11657,7 +11657,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11665,7 +11665,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11673,7 +11673,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11681,7 +11681,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11689,7 +11689,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11697,7 +11697,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11705,7 +11705,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11713,7 +11713,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11721,7 +11721,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11729,7 +11729,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11737,7 +11737,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11745,7 +11745,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11753,7 +11753,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11761,7 +11761,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11769,7 +11769,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11777,7 +11777,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11785,7 +11785,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11793,7 +11793,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11801,7 +11801,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11809,7 +11809,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11817,7 +11817,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11825,7 +11825,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11833,7 +11833,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11841,7 +11841,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11849,7 +11849,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11857,7 +11857,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11865,7 +11865,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11873,7 +11873,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11881,7 +11881,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11889,7 +11889,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11897,7 +11897,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11905,7 +11905,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11913,7 +11913,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11921,7 +11921,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11929,7 +11929,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -11937,7 +11937,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11945,7 +11945,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11953,7 +11953,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11961,7 +11961,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11969,7 +11969,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11977,7 +11977,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11985,7 +11985,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -11993,7 +11993,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12001,7 +12001,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12009,7 +12009,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12017,7 +12017,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12025,7 +12025,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12033,7 +12033,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12041,7 +12041,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12049,7 +12049,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12057,7 +12057,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12065,7 +12065,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12073,7 +12073,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12081,7 +12081,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12089,7 +12089,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12097,7 +12097,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12105,7 +12105,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12113,7 +12113,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12121,7 +12121,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12129,7 +12129,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12137,7 +12137,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12145,7 +12145,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12153,7 +12153,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12161,7 +12161,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12169,7 +12169,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12177,7 +12177,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12185,7 +12185,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12193,7 +12193,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12201,7 +12201,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12209,7 +12209,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12217,7 +12217,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12225,7 +12225,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12233,7 +12233,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12241,7 +12241,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12249,7 +12249,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12257,7 +12257,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12265,7 +12265,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12273,7 +12273,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12281,7 +12281,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12289,7 +12289,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12297,7 +12297,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12305,7 +12305,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12313,7 +12313,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12321,7 +12321,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12329,7 +12329,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12337,7 +12337,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12345,7 +12345,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12353,7 +12353,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12361,7 +12361,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12369,7 +12369,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12377,7 +12377,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12385,7 +12385,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12393,7 +12393,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12401,7 +12401,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12409,7 +12409,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12417,7 +12417,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12425,7 +12425,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12433,7 +12433,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12441,7 +12441,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12449,7 +12449,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12457,7 +12457,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12465,7 +12465,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12473,7 +12473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12481,7 +12481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12489,7 +12489,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12497,7 +12497,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12505,7 +12505,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12513,7 +12513,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12521,7 +12521,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12529,7 +12529,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12537,7 +12537,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12545,7 +12545,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12553,7 +12553,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12561,7 +12561,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12569,7 +12569,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12577,7 +12577,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12585,7 +12585,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12593,7 +12593,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12601,7 +12601,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12609,7 +12609,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12617,7 +12617,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12625,7 +12625,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12633,7 +12633,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12641,7 +12641,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12649,7 +12649,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12657,7 +12657,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12665,7 +12665,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12673,7 +12673,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12681,7 +12681,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12689,7 +12689,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12697,7 +12697,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12705,7 +12705,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12713,7 +12713,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12721,7 +12721,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12729,7 +12729,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12737,7 +12737,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12745,7 +12745,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12753,7 +12753,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12761,7 +12761,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12769,7 +12769,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12777,7 +12777,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12785,7 +12785,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12793,7 +12793,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12801,7 +12801,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12809,7 +12809,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12817,7 +12817,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12825,7 +12825,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12833,7 +12833,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12841,7 +12841,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12849,7 +12849,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12857,7 +12857,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12865,7 +12865,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12873,7 +12873,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12881,7 +12881,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12889,7 +12889,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12897,7 +12897,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12905,7 +12905,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12913,7 +12913,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12921,7 +12921,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12929,7 +12929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12937,7 +12937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12945,7 +12945,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -12953,7 +12953,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12961,7 +12961,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12969,7 +12969,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12977,7 +12977,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12985,7 +12985,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -12993,7 +12993,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13001,7 +13001,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13009,7 +13009,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13017,7 +13017,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13025,7 +13025,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Baseline Configuration + capability-id: CM-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -13033,7 +13033,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13041,7 +13041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13049,7 +13049,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13057,7 +13057,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13065,7 +13065,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13073,7 +13073,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13081,7 +13081,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13089,7 +13089,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13097,7 +13097,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13105,7 +13105,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13113,7 +13113,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13121,7 +13121,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13129,7 +13129,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13137,7 +13137,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13145,7 +13145,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13153,7 +13153,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13161,7 +13161,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13169,7 +13169,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13177,7 +13177,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13185,7 +13185,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13193,7 +13193,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13201,7 +13201,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13209,7 +13209,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Change Control + capability-id: CM-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -13217,7 +13217,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13225,7 +13225,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13233,7 +13233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13241,7 +13241,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13249,7 +13249,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13257,7 +13257,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13265,7 +13265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13273,7 +13273,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13281,7 +13281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13289,7 +13289,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13297,7 +13297,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13305,7 +13305,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13313,7 +13313,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13321,7 +13321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13329,7 +13329,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13337,7 +13337,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13345,7 +13345,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13353,7 +13353,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13361,7 +13361,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13369,7 +13369,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13377,7 +13377,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13385,7 +13385,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13393,7 +13393,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13401,7 +13401,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13409,7 +13409,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13417,7 +13417,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13425,7 +13425,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13433,7 +13433,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13441,7 +13441,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13449,7 +13449,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13457,7 +13457,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13465,7 +13465,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13473,7 +13473,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13481,7 +13481,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13489,7 +13489,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13497,7 +13497,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13505,7 +13505,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13513,7 +13513,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13521,7 +13521,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13529,7 +13529,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13537,7 +13537,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13545,7 +13545,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13553,7 +13553,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13561,7 +13561,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13569,7 +13569,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13577,7 +13577,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13585,7 +13585,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13593,7 +13593,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13601,7 +13601,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13609,7 +13609,7 @@ attack-objects: tags: [] - attack-object-id: T1137.002 attack-object-name: Office Test - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13617,7 +13617,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13625,7 +13625,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13633,7 +13633,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13641,7 +13641,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13649,7 +13649,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13657,7 +13657,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13665,7 +13665,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13673,7 +13673,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13681,7 +13681,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13689,7 +13689,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13697,7 +13697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13705,7 +13705,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13713,7 +13713,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13721,7 +13721,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13729,7 +13729,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13737,7 +13737,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13745,7 +13745,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13753,7 +13753,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13761,7 +13761,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13769,7 +13769,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13777,7 +13777,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13785,7 +13785,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13793,7 +13793,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13801,7 +13801,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13809,7 +13809,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13817,7 +13817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13825,7 +13825,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13833,7 +13833,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13841,7 +13841,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13849,7 +13849,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13857,7 +13857,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13865,7 +13865,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13873,7 +13873,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13881,7 +13881,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13889,7 +13889,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13897,7 +13897,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13905,7 +13905,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13913,7 +13913,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13921,7 +13921,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13929,7 +13929,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13937,7 +13937,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13945,7 +13945,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13953,7 +13953,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13961,7 +13961,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13969,7 +13969,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13977,7 +13977,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -13985,7 +13985,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -13993,7 +13993,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14001,7 +14001,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14009,7 +14009,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14017,7 +14017,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14025,7 +14025,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14033,7 +14033,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14041,7 +14041,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14049,7 +14049,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14057,7 +14057,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14065,7 +14065,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14073,7 +14073,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14081,7 +14081,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14089,7 +14089,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14097,7 +14097,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14105,7 +14105,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14113,7 +14113,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14121,7 +14121,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14129,7 +14129,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14137,7 +14137,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14145,7 +14145,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14153,7 +14153,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14161,7 +14161,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14169,7 +14169,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14177,7 +14177,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14185,7 +14185,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14193,7 +14193,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14201,7 +14201,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14209,7 +14209,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14217,7 +14217,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14225,7 +14225,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14233,7 +14233,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14241,7 +14241,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14249,7 +14249,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14257,7 +14257,7 @@ attack-objects: tags: [] - attack-object-id: T1574.011 attack-object-name: Services Registry Permissions Weakness - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14265,7 +14265,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14273,7 +14273,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14281,7 +14281,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14289,7 +14289,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14297,7 +14297,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14305,7 +14305,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14313,7 +14313,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14321,7 +14321,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14329,7 +14329,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14337,7 +14337,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14345,7 +14345,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Access Restrictions for Change + capability-id: CM-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -14353,7 +14353,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14361,7 +14361,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14369,7 +14369,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14377,7 +14377,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14385,7 +14385,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14393,7 +14393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14401,7 +14401,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14409,7 +14409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14417,7 +14417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14425,7 +14425,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14433,7 +14433,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14441,7 +14441,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14449,7 +14449,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14457,7 +14457,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14465,7 +14465,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14473,7 +14473,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14481,7 +14481,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14489,7 +14489,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14497,7 +14497,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14505,7 +14505,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14513,7 +14513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14521,7 +14521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14529,7 +14529,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14537,7 +14537,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14545,7 +14545,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14553,7 +14553,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14561,7 +14561,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14569,7 +14569,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14577,7 +14577,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14585,7 +14585,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14593,7 +14593,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14601,7 +14601,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14609,7 +14609,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14617,7 +14617,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14625,7 +14625,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14633,7 +14633,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14641,7 +14641,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14649,7 +14649,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14657,7 +14657,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14665,7 +14665,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14673,7 +14673,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14681,7 +14681,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14689,7 +14689,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14697,7 +14697,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14705,7 +14705,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14713,7 +14713,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14721,7 +14721,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14729,7 +14729,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14737,7 +14737,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14745,7 +14745,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14753,7 +14753,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14761,7 +14761,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14769,7 +14769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14777,7 +14777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14785,7 +14785,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14793,7 +14793,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14801,7 +14801,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14809,7 +14809,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14817,7 +14817,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14825,7 +14825,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14833,7 +14833,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14841,7 +14841,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14849,7 +14849,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14857,7 +14857,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14865,7 +14865,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14873,7 +14873,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14881,7 +14881,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14889,7 +14889,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14897,7 +14897,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14905,7 +14905,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14913,7 +14913,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14921,7 +14921,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14929,7 +14929,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14937,7 +14937,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14945,7 +14945,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14953,7 +14953,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14961,7 +14961,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -14969,7 +14969,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14977,7 +14977,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14985,7 +14985,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -14993,7 +14993,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15001,7 +15001,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15009,7 +15009,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15017,7 +15017,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15025,7 +15025,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15033,7 +15033,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15041,7 +15041,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15049,7 +15049,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15057,7 +15057,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15065,7 +15065,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15073,7 +15073,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15081,7 +15081,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15089,7 +15089,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15097,7 +15097,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15105,7 +15105,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15113,7 +15113,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15121,7 +15121,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15129,7 +15129,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15137,7 +15137,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15145,7 +15145,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15153,7 +15153,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15161,7 +15161,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15169,7 +15169,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15177,7 +15177,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15185,7 +15185,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15193,7 +15193,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15201,7 +15201,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15209,7 +15209,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15217,7 +15217,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15225,7 +15225,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15233,7 +15233,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15241,7 +15241,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15249,7 +15249,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15257,7 +15257,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15265,7 +15265,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15273,7 +15273,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15281,7 +15281,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15289,7 +15289,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15297,7 +15297,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15305,7 +15305,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15313,7 +15313,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15321,7 +15321,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15329,7 +15329,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15337,7 +15337,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15345,7 +15345,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15353,7 +15353,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15361,7 +15361,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15369,7 +15369,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15377,7 +15377,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15385,7 +15385,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15393,7 +15393,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15401,7 +15401,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15409,7 +15409,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15417,7 +15417,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15425,7 +15425,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15433,7 +15433,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15441,7 +15441,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15449,7 +15449,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15457,7 +15457,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15465,7 +15465,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15473,7 +15473,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15481,7 +15481,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15489,7 +15489,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15497,7 +15497,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15505,7 +15505,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15513,7 +15513,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15521,7 +15521,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15529,7 +15529,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15537,7 +15537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15545,7 +15545,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15553,7 +15553,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15561,7 +15561,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15569,7 +15569,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15577,7 +15577,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15585,7 +15585,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15593,7 +15593,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15601,7 +15601,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15609,7 +15609,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15617,7 +15617,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15625,7 +15625,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15633,7 +15633,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15641,7 +15641,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15649,7 +15649,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15657,7 +15657,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15665,7 +15665,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15673,7 +15673,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15681,7 +15681,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15689,7 +15689,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15697,7 +15697,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15705,7 +15705,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15713,7 +15713,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15721,7 +15721,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15729,7 +15729,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15737,7 +15737,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15745,7 +15745,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15753,7 +15753,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15761,7 +15761,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15769,7 +15769,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15777,7 +15777,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15785,7 +15785,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15793,7 +15793,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15801,7 +15801,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15809,7 +15809,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15817,7 +15817,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15825,7 +15825,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15833,7 +15833,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15841,7 +15841,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15849,7 +15849,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15857,7 +15857,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15865,7 +15865,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15873,7 +15873,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15881,7 +15881,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15889,7 +15889,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15897,7 +15897,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15905,7 +15905,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15913,7 +15913,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15921,7 +15921,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15929,7 +15929,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15937,7 +15937,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15945,7 +15945,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15953,7 +15953,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15961,7 +15961,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15969,7 +15969,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -15977,7 +15977,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15985,7 +15985,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -15993,7 +15993,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16001,7 +16001,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16009,7 +16009,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16017,7 +16017,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16025,7 +16025,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16033,7 +16033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16041,7 +16041,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16049,7 +16049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16057,7 +16057,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16065,7 +16065,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16073,7 +16073,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16081,7 +16081,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16089,7 +16089,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16097,7 +16097,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16105,7 +16105,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16113,7 +16113,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16121,7 +16121,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16129,7 +16129,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16137,7 +16137,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16145,7 +16145,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16153,7 +16153,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16161,7 +16161,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16169,7 +16169,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16177,7 +16177,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16185,7 +16185,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16193,7 +16193,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16201,7 +16201,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16209,7 +16209,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16217,7 +16217,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16225,7 +16225,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16233,7 +16233,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16241,7 +16241,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16249,7 +16249,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16257,7 +16257,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16265,7 +16265,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16273,7 +16273,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16281,7 +16281,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16289,7 +16289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16297,7 +16297,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16305,7 +16305,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16313,7 +16313,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16321,7 +16321,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16329,7 +16329,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16337,7 +16337,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16345,7 +16345,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16353,7 +16353,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16361,7 +16361,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16369,7 +16369,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16377,7 +16377,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16385,7 +16385,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16393,7 +16393,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16401,7 +16401,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16409,7 +16409,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16417,7 +16417,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16425,7 +16425,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16433,7 +16433,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16441,7 +16441,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16449,7 +16449,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16457,7 +16457,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16465,7 +16465,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16473,7 +16473,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16481,7 +16481,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16489,7 +16489,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16497,7 +16497,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16505,7 +16505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16513,7 +16513,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16521,7 +16521,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16529,7 +16529,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16537,7 +16537,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16545,7 +16545,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16553,7 +16553,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16561,7 +16561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16569,7 +16569,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16577,7 +16577,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16585,7 +16585,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16593,7 +16593,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16601,7 +16601,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16609,7 +16609,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16617,7 +16617,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16625,7 +16625,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16633,7 +16633,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16641,7 +16641,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16649,7 +16649,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16657,7 +16657,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16665,7 +16665,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16673,7 +16673,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16681,7 +16681,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16689,7 +16689,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Configuration Settings + capability-id: CM-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -16697,7 +16697,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16705,7 +16705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16713,7 +16713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16721,7 +16721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16729,7 +16729,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16737,7 +16737,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16745,7 +16745,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16753,7 +16753,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16761,7 +16761,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16769,7 +16769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16777,7 +16777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16785,7 +16785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16793,7 +16793,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16801,7 +16801,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16809,7 +16809,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16817,7 +16817,7 @@ attack-objects: tags: [] - attack-object-id: T1037.001 attack-object-name: Logon Script (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16825,7 +16825,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16833,7 +16833,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16841,7 +16841,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16849,7 +16849,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16857,7 +16857,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16865,7 +16865,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16873,7 +16873,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16881,7 +16881,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16889,7 +16889,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16897,7 +16897,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16905,7 +16905,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16913,7 +16913,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16921,7 +16921,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16929,7 +16929,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16937,7 +16937,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16945,7 +16945,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16953,7 +16953,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16961,7 +16961,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16969,7 +16969,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -16977,7 +16977,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16985,7 +16985,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -16993,7 +16993,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17001,7 +17001,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17009,7 +17009,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17017,7 +17017,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17025,7 +17025,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17033,7 +17033,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17041,7 +17041,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17049,7 +17049,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17057,7 +17057,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17065,7 +17065,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17073,7 +17073,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17081,7 +17081,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17089,7 +17089,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17097,7 +17097,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17105,7 +17105,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17113,7 +17113,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17121,7 +17121,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17129,7 +17129,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17137,7 +17137,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17145,7 +17145,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17153,7 +17153,7 @@ attack-objects: tags: [] - attack-object-id: T1106 attack-object-name: Native API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17161,7 +17161,7 @@ attack-objects: tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17169,7 +17169,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17177,7 +17177,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17185,7 +17185,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17193,7 +17193,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17201,7 +17201,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17209,7 +17209,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17217,7 +17217,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17225,7 +17225,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17233,7 +17233,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17241,7 +17241,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17249,7 +17249,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17257,7 +17257,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17265,7 +17265,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17273,7 +17273,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17281,7 +17281,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17289,7 +17289,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17297,7 +17297,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17305,7 +17305,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17313,7 +17313,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17321,7 +17321,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17329,7 +17329,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17337,7 +17337,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17345,7 +17345,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17353,7 +17353,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17361,7 +17361,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17369,7 +17369,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17377,7 +17377,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17385,7 +17385,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17393,7 +17393,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17401,7 +17401,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17409,7 +17409,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17417,7 +17417,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17425,7 +17425,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17433,7 +17433,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17441,7 +17441,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17449,7 +17449,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17457,7 +17457,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17465,7 +17465,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17473,7 +17473,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17481,7 +17481,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17489,7 +17489,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17497,7 +17497,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17505,7 +17505,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17513,7 +17513,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17521,7 +17521,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17529,7 +17529,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17537,7 +17537,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17545,7 +17545,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17553,7 +17553,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17561,7 +17561,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17569,7 +17569,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17577,7 +17577,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17585,7 +17585,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17593,7 +17593,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17601,7 +17601,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17609,7 +17609,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17617,7 +17617,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17625,7 +17625,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17633,7 +17633,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17641,7 +17641,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17649,7 +17649,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17657,7 +17657,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17665,7 +17665,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17673,7 +17673,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17681,7 +17681,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17689,7 +17689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17697,7 +17697,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17705,7 +17705,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17713,7 +17713,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17721,7 +17721,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17729,7 +17729,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17737,7 +17737,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17745,7 +17745,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17753,7 +17753,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17761,7 +17761,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17769,7 +17769,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17777,7 +17777,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17785,7 +17785,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17793,7 +17793,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17801,7 +17801,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17809,7 +17809,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17817,7 +17817,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17825,7 +17825,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17833,7 +17833,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17841,7 +17841,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17849,7 +17849,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17857,7 +17857,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17865,7 +17865,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17873,7 +17873,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17881,7 +17881,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17889,7 +17889,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17897,7 +17897,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17905,7 +17905,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17913,7 +17913,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17921,7 +17921,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17929,7 +17929,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -17937,7 +17937,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17945,7 +17945,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17953,7 +17953,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17961,7 +17961,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17969,7 +17969,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17977,7 +17977,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17985,7 +17985,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -17993,7 +17993,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18001,7 +18001,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18009,7 +18009,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18017,7 +18017,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18025,7 +18025,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18033,7 +18033,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18041,7 +18041,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18049,7 +18049,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18057,7 +18057,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18065,7 +18065,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18073,7 +18073,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18081,7 +18081,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18089,7 +18089,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18097,7 +18097,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18105,7 +18105,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18113,7 +18113,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18121,7 +18121,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18129,7 +18129,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18137,7 +18137,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18145,7 +18145,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18153,7 +18153,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18161,7 +18161,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18169,7 +18169,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18177,7 +18177,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18185,7 +18185,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18193,7 +18193,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18201,7 +18201,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18209,7 +18209,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Least Functionality + capability-id: CM-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -18217,7 +18217,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18225,7 +18225,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18233,7 +18233,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18241,7 +18241,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18249,7 +18249,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18257,7 +18257,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18265,7 +18265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18273,7 +18273,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18281,7 +18281,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18289,7 +18289,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18297,7 +18297,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18305,7 +18305,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18313,7 +18313,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18321,7 +18321,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18329,7 +18329,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18337,7 +18337,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18345,7 +18345,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18353,7 +18353,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18361,7 +18361,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18369,7 +18369,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18377,7 +18377,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18385,7 +18385,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18393,7 +18393,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18401,7 +18401,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18409,7 +18409,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18417,7 +18417,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18425,7 +18425,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18433,7 +18433,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18441,7 +18441,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18449,7 +18449,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18457,7 +18457,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18465,7 +18465,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18473,7 +18473,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18481,7 +18481,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18489,7 +18489,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18497,7 +18497,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18505,7 +18505,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18513,7 +18513,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18521,7 +18521,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18529,7 +18529,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18537,7 +18537,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18545,7 +18545,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18553,7 +18553,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18561,7 +18561,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18569,7 +18569,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18577,7 +18577,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18585,7 +18585,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18593,7 +18593,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18601,7 +18601,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18609,7 +18609,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18617,7 +18617,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18625,7 +18625,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18633,7 +18633,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18641,7 +18641,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18649,7 +18649,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18657,7 +18657,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18665,7 +18665,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18673,7 +18673,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18681,7 +18681,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18689,7 +18689,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18697,7 +18697,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18705,7 +18705,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18713,7 +18713,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18721,7 +18721,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18729,7 +18729,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18737,7 +18737,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18745,7 +18745,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18753,7 +18753,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18761,7 +18761,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18769,7 +18769,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18777,7 +18777,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18785,7 +18785,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18793,7 +18793,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18801,7 +18801,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18809,7 +18809,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18817,7 +18817,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18825,7 +18825,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18833,7 +18833,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18841,7 +18841,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18849,7 +18849,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18857,7 +18857,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18865,7 +18865,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18873,7 +18873,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18881,7 +18881,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18889,7 +18889,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18897,7 +18897,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18905,7 +18905,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -18913,7 +18913,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: System Component Inventory + capability-id: CM-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18921,7 +18921,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18929,7 +18929,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18937,7 +18937,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18945,7 +18945,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18953,7 +18953,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18961,7 +18961,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18969,7 +18969,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -18977,7 +18977,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18985,7 +18985,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -18993,7 +18993,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19001,7 +19001,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Recovery and Reconstitution + capability-id: CP-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -19009,7 +19009,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19017,7 +19017,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19025,7 +19025,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19033,7 +19033,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19041,7 +19041,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19049,7 +19049,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19057,7 +19057,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19065,7 +19065,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19073,7 +19073,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Contingency Plan + capability-id: CP-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19081,7 +19081,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19089,7 +19089,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19097,7 +19097,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19105,7 +19105,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19113,7 +19113,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19121,7 +19121,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19129,7 +19129,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Storage Site + capability-id: CP-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -19137,7 +19137,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19145,7 +19145,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19153,7 +19153,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19161,7 +19161,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19169,7 +19169,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19177,7 +19177,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19185,7 +19185,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19193,7 +19193,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19201,7 +19201,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19209,7 +19209,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19217,7 +19217,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19225,7 +19225,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19233,7 +19233,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19241,7 +19241,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19249,7 +19249,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Alternate Processing Site + capability-id: CP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -19257,7 +19257,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19265,7 +19265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19273,7 +19273,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19281,7 +19281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19289,7 +19289,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19297,7 +19297,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19305,7 +19305,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19313,7 +19313,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19321,7 +19321,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19329,7 +19329,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19337,7 +19337,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19345,7 +19345,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19353,7 +19353,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19361,7 +19361,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19369,7 +19369,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19377,7 +19377,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19385,7 +19385,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19393,7 +19393,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: System Backup + capability-id: CP-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -19401,7 +19401,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -19409,7 +19409,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -19417,7 +19417,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19425,7 +19425,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -19433,7 +19433,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Re-authentication + capability-id: IA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -19441,7 +19441,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -19449,7 +19449,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -19457,7 +19457,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -19465,7 +19465,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identity Proofing + capability-id: IA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -19473,7 +19473,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19481,7 +19481,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19489,7 +19489,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19497,7 +19497,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19505,7 +19505,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19513,7 +19513,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19521,7 +19521,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19529,7 +19529,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19537,7 +19537,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19545,7 +19545,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19553,7 +19553,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19561,7 +19561,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19569,7 +19569,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19577,7 +19577,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19585,7 +19585,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19593,7 +19593,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19601,7 +19601,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19609,7 +19609,7 @@ attack-objects: tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19617,7 +19617,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19625,7 +19625,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19633,7 +19633,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19641,7 +19641,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19649,7 +19649,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19657,7 +19657,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19665,7 +19665,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19673,7 +19673,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19681,7 +19681,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19689,7 +19689,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19697,7 +19697,7 @@ attack-objects: tags: [] - attack-object-id: T1056.003 attack-object-name: Web Portal Capture - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19705,7 +19705,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19713,7 +19713,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19721,7 +19721,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19729,7 +19729,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19737,7 +19737,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19745,7 +19745,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19753,7 +19753,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19761,7 +19761,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19769,7 +19769,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19777,7 +19777,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19785,7 +19785,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19793,7 +19793,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19801,7 +19801,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19809,7 +19809,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19817,7 +19817,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19825,7 +19825,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19833,7 +19833,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19841,7 +19841,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19849,7 +19849,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19857,7 +19857,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19865,7 +19865,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19873,7 +19873,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19881,7 +19881,7 @@ attack-objects: tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19889,7 +19889,7 @@ attack-objects: tags: [] - attack-object-id: T1134.001 attack-object-name: Token Impersonation/Theft - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19897,7 +19897,7 @@ attack-objects: tags: [] - attack-object-id: T1134.002 attack-object-name: Create Process with Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19905,7 +19905,7 @@ attack-objects: tags: [] - attack-object-id: T1134.003 attack-object-name: Make and Impersonate Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19913,7 +19913,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19921,7 +19921,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19929,7 +19929,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19937,7 +19937,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19945,7 +19945,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19953,7 +19953,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19961,7 +19961,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19969,7 +19969,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19977,7 +19977,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -19985,7 +19985,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -19993,7 +19993,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20001,7 +20001,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20009,7 +20009,7 @@ attack-objects: tags: [] - attack-object-id: T1218.007 attack-object-name: Msiexec - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20017,7 +20017,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20025,7 +20025,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20033,7 +20033,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20041,7 +20041,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20049,7 +20049,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20057,7 +20057,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20065,7 +20065,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20073,7 +20073,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20081,7 +20081,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20089,7 +20089,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20097,7 +20097,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20105,7 +20105,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20113,7 +20113,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20121,7 +20121,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20129,7 +20129,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20137,7 +20137,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20145,7 +20145,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20153,7 +20153,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20161,7 +20161,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20169,7 +20169,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20177,7 +20177,7 @@ attack-objects: tags: [] - attack-object-id: T1543.001 attack-object-name: Launch Agent - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20185,7 +20185,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20193,7 +20193,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20201,7 +20201,7 @@ attack-objects: tags: [] - attack-object-id: T1543.004 attack-object-name: Launch Daemon - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20209,7 +20209,7 @@ attack-objects: tags: [] - attack-object-id: T1546.003 attack-object-name: Windows Management Instrumentation Event Subscription - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20217,7 +20217,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20225,7 +20225,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20233,7 +20233,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20241,7 +20241,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20249,7 +20249,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20257,7 +20257,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20265,7 +20265,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20273,7 +20273,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20281,7 +20281,7 @@ attack-objects: tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20289,7 +20289,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20297,7 +20297,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20305,7 +20305,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20313,7 +20313,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20321,7 +20321,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20329,7 +20329,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20337,7 +20337,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20345,7 +20345,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20353,7 +20353,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20361,7 +20361,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20369,7 +20369,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20377,7 +20377,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20385,7 +20385,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20393,7 +20393,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20401,7 +20401,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20409,7 +20409,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20417,7 +20417,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20425,7 +20425,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20433,7 +20433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20441,7 +20441,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20449,7 +20449,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20457,7 +20457,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20465,7 +20465,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20473,7 +20473,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20481,7 +20481,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20489,7 +20489,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20497,7 +20497,7 @@ attack-objects: tags: [] - attack-object-id: T1562.007 attack-object-name: Disable or Modify Cloud Firewall - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20505,7 +20505,7 @@ attack-objects: tags: [] - attack-object-id: T1562.008 attack-object-name: Disable Cloud Logs - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20513,7 +20513,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20521,7 +20521,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20529,7 +20529,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20537,7 +20537,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20545,7 +20545,7 @@ attack-objects: tags: [] - attack-object-id: T1569.001 attack-object-name: Launchctl - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20553,7 +20553,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20561,7 +20561,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20569,7 +20569,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20577,7 +20577,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20585,7 +20585,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20593,7 +20593,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20601,7 +20601,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20609,7 +20609,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20617,7 +20617,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20625,7 +20625,7 @@ attack-objects: tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20633,7 +20633,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20641,7 +20641,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20649,7 +20649,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20657,7 +20657,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20665,7 +20665,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20673,7 +20673,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20681,7 +20681,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20689,7 +20689,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Identification and Authentication (organizational Users) + capability-id: IA-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -20697,7 +20697,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20705,7 +20705,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20713,7 +20713,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20721,7 +20721,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20729,7 +20729,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20737,7 +20737,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20745,7 +20745,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Device Identification and Authentication + capability-id: IA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -20753,7 +20753,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20761,7 +20761,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20769,7 +20769,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20777,7 +20777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20785,7 +20785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20793,7 +20793,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20801,7 +20801,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20809,7 +20809,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20817,7 +20817,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20825,7 +20825,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20833,7 +20833,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20841,7 +20841,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20849,7 +20849,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20857,7 +20857,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20865,7 +20865,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20873,7 +20873,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20881,7 +20881,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20889,7 +20889,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20897,7 +20897,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20905,7 +20905,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20913,7 +20913,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20921,7 +20921,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20929,7 +20929,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20937,7 +20937,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20945,7 +20945,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20953,7 +20953,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -20961,7 +20961,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20969,7 +20969,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20977,7 +20977,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20985,7 +20985,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -20993,7 +20993,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21001,7 +21001,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21009,7 +21009,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Identifier Management + capability-id: IA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -21017,7 +21017,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21025,7 +21025,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21033,7 +21033,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21041,7 +21041,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21049,7 +21049,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21057,7 +21057,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21065,7 +21065,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21073,7 +21073,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21081,7 +21081,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21089,7 +21089,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21097,7 +21097,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21105,7 +21105,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21113,7 +21113,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21121,7 +21121,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21129,7 +21129,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21137,7 +21137,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21145,7 +21145,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21153,7 +21153,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21161,7 +21161,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21169,7 +21169,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21177,7 +21177,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21185,7 +21185,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21193,7 +21193,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21201,7 +21201,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21209,7 +21209,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21217,7 +21217,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21225,7 +21225,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21233,7 +21233,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21241,7 +21241,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21249,7 +21249,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21257,7 +21257,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21265,7 +21265,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21273,7 +21273,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21281,7 +21281,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21289,7 +21289,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21297,7 +21297,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21305,7 +21305,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21313,7 +21313,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21321,7 +21321,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21329,7 +21329,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21337,7 +21337,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21345,7 +21345,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21353,7 +21353,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21361,7 +21361,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21369,7 +21369,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21377,7 +21377,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21385,7 +21385,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21393,7 +21393,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21401,7 +21401,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21409,7 +21409,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21417,7 +21417,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21425,7 +21425,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21433,7 +21433,7 @@ attack-objects: tags: [] - attack-object-id: T1558.001 attack-object-name: Golden Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21441,7 +21441,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21449,7 +21449,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21457,7 +21457,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21465,7 +21465,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21473,7 +21473,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21481,7 +21481,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21489,7 +21489,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21497,7 +21497,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21505,7 +21505,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Authenticator Management + capability-id: IA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -21513,7 +21513,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21521,7 +21521,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21529,7 +21529,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21537,7 +21537,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21545,7 +21545,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21553,7 +21553,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21561,7 +21561,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21569,7 +21569,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Authentication Feedback + capability-id: IA-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -21577,7 +21577,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21585,7 +21585,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21593,7 +21593,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21601,7 +21601,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21609,7 +21609,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21617,7 +21617,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21625,7 +21625,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21633,7 +21633,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21641,7 +21641,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21649,7 +21649,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21657,7 +21657,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21665,7 +21665,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Cryptographic Module Authentication + capability-id: IA-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -21673,7 +21673,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21681,7 +21681,7 @@ attack-objects: tags: [] - attack-object-id: T1053.007 attack-object-name: Container Orchestration Job - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21689,7 +21689,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21697,7 +21697,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21705,7 +21705,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21713,7 +21713,7 @@ attack-objects: tags: [] - attack-object-id: T1087.004 attack-object-name: Cloud Account - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21721,7 +21721,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21729,7 +21729,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21737,7 +21737,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21745,7 +21745,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21753,7 +21753,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21761,7 +21761,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21769,7 +21769,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21777,7 +21777,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21785,7 +21785,7 @@ attack-objects: tags: [] - attack-object-id: T1538 attack-object-name: Cloud Service Dashboard - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21793,7 +21793,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21801,7 +21801,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21809,7 +21809,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -21817,7 +21817,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Identification and Authentication (non-organizational Users) + capability-id: IA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21825,7 +21825,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21833,7 +21833,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21841,7 +21841,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21849,7 +21849,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21857,7 +21857,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21865,7 +21865,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21873,7 +21873,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21881,7 +21881,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21889,7 +21889,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21897,7 +21897,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21905,7 +21905,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21913,7 +21913,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21921,7 +21921,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21929,7 +21929,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21937,7 +21937,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21945,7 +21945,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21953,7 +21953,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21961,7 +21961,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21969,7 +21969,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21977,7 +21977,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -21985,7 +21985,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -21993,7 +21993,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Service Identification and Authentication + capability-id: IA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22001,7 +22001,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22009,7 +22009,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22017,7 +22017,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22025,7 +22025,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22033,7 +22033,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Media Use + capability-id: MP-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -22041,7 +22041,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security and Privacy Architectures + capability-id: PL-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -22049,7 +22049,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22057,7 +22057,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22065,7 +22065,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22073,7 +22073,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22081,7 +22081,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22089,7 +22089,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22097,7 +22097,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22105,7 +22105,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Threat Hunting + capability-id: RA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22113,7 +22113,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22121,7 +22121,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22129,7 +22129,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22137,7 +22137,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22145,7 +22145,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22153,7 +22153,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22161,7 +22161,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22169,7 +22169,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22177,7 +22177,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22185,7 +22185,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22193,7 +22193,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22201,7 +22201,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22209,7 +22209,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22217,7 +22217,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22225,7 +22225,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22233,7 +22233,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22241,7 +22241,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22249,7 +22249,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22257,7 +22257,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22265,7 +22265,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22273,7 +22273,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22281,7 +22281,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22289,7 +22289,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22297,7 +22297,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22305,7 +22305,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22313,7 +22313,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22321,7 +22321,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22329,7 +22329,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22337,7 +22337,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22345,7 +22345,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22353,7 +22353,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22361,7 +22361,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22369,7 +22369,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22377,7 +22377,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22385,7 +22385,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22393,7 +22393,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22401,7 +22401,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22409,7 +22409,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22417,7 +22417,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22425,7 +22425,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22433,7 +22433,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22441,7 +22441,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22449,7 +22449,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22457,7 +22457,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22465,7 +22465,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22473,7 +22473,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22481,7 +22481,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22489,7 +22489,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22497,7 +22497,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22505,7 +22505,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22513,7 +22513,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22521,7 +22521,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22529,7 +22529,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22537,7 +22537,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22545,7 +22545,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22553,7 +22553,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22561,7 +22561,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22569,7 +22569,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22577,7 +22577,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22585,7 +22585,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22593,7 +22593,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22601,7 +22601,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22609,7 +22609,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22617,7 +22617,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22625,7 +22625,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22633,7 +22633,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22641,7 +22641,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22649,7 +22649,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22657,7 +22657,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22665,7 +22665,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22673,7 +22673,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22681,7 +22681,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22689,7 +22689,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22697,7 +22697,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22705,7 +22705,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22713,7 +22713,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22721,7 +22721,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22729,7 +22729,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22737,7 +22737,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22745,7 +22745,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22753,7 +22753,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22761,7 +22761,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22769,7 +22769,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22777,7 +22777,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22785,7 +22785,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22793,7 +22793,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22801,7 +22801,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22809,7 +22809,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22817,7 +22817,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22825,7 +22825,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22833,7 +22833,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22841,7 +22841,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22849,7 +22849,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22857,7 +22857,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22865,7 +22865,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22873,7 +22873,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Vulnerability Monitoring and Scanning + capability-id: RA-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -22881,7 +22881,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22889,7 +22889,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22897,7 +22897,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22905,7 +22905,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22913,7 +22913,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22921,7 +22921,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22929,7 +22929,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22937,7 +22937,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22945,7 +22945,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22953,7 +22953,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22961,7 +22961,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates @@ -22969,7 +22969,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Criticality Analysis + capability-id: RA-9 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -22977,7 +22977,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22985,7 +22985,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -22993,7 +22993,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23001,7 +23001,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23009,7 +23009,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23017,7 +23017,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23025,7 +23025,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23033,7 +23033,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23041,7 +23041,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23049,7 +23049,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23057,7 +23057,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23065,7 +23065,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23073,7 +23073,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23081,7 +23081,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23089,7 +23089,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23097,7 +23097,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23105,7 +23105,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23113,7 +23113,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23121,7 +23121,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23129,7 +23129,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Configuration Management + capability-id: SA-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23137,7 +23137,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23145,7 +23145,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23153,7 +23153,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23161,7 +23161,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23169,7 +23169,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23177,7 +23177,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23185,7 +23185,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23193,7 +23193,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23201,7 +23201,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23209,7 +23209,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23217,7 +23217,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23225,7 +23225,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23233,7 +23233,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23241,7 +23241,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23249,7 +23249,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23257,7 +23257,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23265,7 +23265,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23273,7 +23273,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23281,7 +23281,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23289,7 +23289,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23297,7 +23297,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23305,7 +23305,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23313,7 +23313,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23321,7 +23321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23329,7 +23329,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23337,7 +23337,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23345,7 +23345,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23353,7 +23353,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23361,7 +23361,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Developer Testing and Evaluation + capability-id: SA-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -23369,7 +23369,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Supply Chain Protection + capability-id: SA-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23377,7 +23377,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23385,7 +23385,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23393,7 +23393,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23401,7 +23401,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23409,7 +23409,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23417,7 +23417,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23425,7 +23425,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23433,7 +23433,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23441,7 +23441,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23449,7 +23449,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23457,7 +23457,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23465,7 +23465,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Development Process, Standards, and Tools + capability-id: SA-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -23473,7 +23473,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23481,7 +23481,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23489,7 +23489,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23497,7 +23497,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23505,7 +23505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer-provided Training + capability-id: SA-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23513,7 +23513,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23521,7 +23521,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23529,7 +23529,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23537,7 +23537,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23545,7 +23545,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23553,7 +23553,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23561,7 +23561,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Developer Security and Privacy Architecture and Design + capability-id: SA-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23569,7 +23569,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23577,7 +23577,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23585,7 +23585,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23593,7 +23593,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23601,7 +23601,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23609,7 +23609,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Unsupported System Components + capability-id: SA-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -23617,7 +23617,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23625,7 +23625,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23633,7 +23633,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23641,7 +23641,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23649,7 +23649,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: System Development Life Cycle + capability-id: SA-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -23657,7 +23657,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23665,7 +23665,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23673,7 +23673,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23681,7 +23681,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23689,7 +23689,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23697,7 +23697,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Acquisition Process + capability-id: SA-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -23705,7 +23705,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23713,7 +23713,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23721,7 +23721,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23729,7 +23729,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23737,7 +23737,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23745,7 +23745,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23753,7 +23753,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23761,7 +23761,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Security and Privacy Engineering Principles + capability-id: SA-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -23769,7 +23769,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23777,7 +23777,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23785,7 +23785,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23793,7 +23793,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23801,7 +23801,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Network Disconnect + capability-id: SC-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -23809,7 +23809,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23817,7 +23817,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23825,7 +23825,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23833,7 +23833,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23841,7 +23841,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23849,7 +23849,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23857,7 +23857,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23865,7 +23865,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23873,7 +23873,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23881,7 +23881,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Cryptographic Key Establishment and Management + capability-id: SC-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -23889,7 +23889,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23897,7 +23897,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23905,7 +23905,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Transmission of Security and Privacy Attributes + capability-id: SC-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -23913,7 +23913,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Public Key Infrastructure Certificates + capability-id: SC-17 comments: '' mapping-description: '' mapping-type: mitigates @@ -23921,7 +23921,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23929,7 +23929,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23937,7 +23937,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23945,7 +23945,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23953,7 +23953,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23961,7 +23961,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -23969,7 +23969,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23977,7 +23977,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23985,7 +23985,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -23993,7 +23993,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24001,7 +24001,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24009,7 +24009,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24017,7 +24017,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24025,7 +24025,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24033,7 +24033,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24041,7 +24041,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24049,7 +24049,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24057,7 +24057,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24065,7 +24065,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24073,7 +24073,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24081,7 +24081,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24089,7 +24089,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24097,7 +24097,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24105,7 +24105,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24113,7 +24113,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24121,7 +24121,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24129,7 +24129,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24137,7 +24137,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24145,7 +24145,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates @@ -24153,7 +24153,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Mobile Code + capability-id: SC-18 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24161,7 +24161,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24169,7 +24169,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24177,7 +24177,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24185,7 +24185,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24193,7 +24193,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24201,7 +24201,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24209,7 +24209,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24217,7 +24217,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Separation of System and User Functionality + capability-id: SC-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -24225,7 +24225,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24233,7 +24233,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24241,7 +24241,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24249,7 +24249,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24257,7 +24257,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24265,7 +24265,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24273,7 +24273,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24281,7 +24281,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24289,7 +24289,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24297,7 +24297,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24305,7 +24305,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24313,7 +24313,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24321,7 +24321,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24329,7 +24329,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Secure Name/address Resolution Service (authoritative Source) + capability-id: SC-20 comments: '' mapping-description: '' mapping-type: mitigates @@ -24337,7 +24337,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24345,7 +24345,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24353,7 +24353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24361,7 +24361,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24369,7 +24369,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24377,7 +24377,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24385,7 +24385,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Secure Name/address Resolution Service (recursive or Caching Resolver) + capability-id: SC-21 comments: '' mapping-description: '' mapping-type: mitigates @@ -24393,7 +24393,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24401,7 +24401,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24409,7 +24409,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24417,7 +24417,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24425,7 +24425,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24433,7 +24433,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24441,7 +24441,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Architecture and Provisioning for Name/address Resolution Service + capability-id: SC-22 comments: '' mapping-description: '' mapping-type: mitigates @@ -24449,7 +24449,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24457,7 +24457,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24465,7 +24465,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24473,7 +24473,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24481,7 +24481,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24489,7 +24489,7 @@ attack-objects: tags: [] - attack-object-id: T1535 attack-object-name: Unused/Unsupported Cloud Regions - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24497,7 +24497,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24505,7 +24505,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24513,7 +24513,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24521,7 +24521,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24529,7 +24529,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24537,7 +24537,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24545,7 +24545,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24553,7 +24553,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Session Authenticity + capability-id: SC-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -24561,7 +24561,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -24569,7 +24569,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -24577,7 +24577,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -24585,7 +24585,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Decoys + capability-id: SC-26 comments: '' mapping-description: '' mapping-type: mitigates @@ -24593,7 +24593,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24601,7 +24601,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24609,7 +24609,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24617,7 +24617,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24625,7 +24625,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24633,7 +24633,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24641,7 +24641,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24649,7 +24649,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24657,7 +24657,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24665,7 +24665,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24673,7 +24673,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24681,7 +24681,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24689,7 +24689,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24697,7 +24697,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24705,7 +24705,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24713,7 +24713,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24721,7 +24721,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24729,7 +24729,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24737,7 +24737,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24745,7 +24745,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24753,7 +24753,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24761,7 +24761,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24769,7 +24769,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24777,7 +24777,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24785,7 +24785,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24793,7 +24793,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24801,7 +24801,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24809,7 +24809,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24817,7 +24817,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24825,7 +24825,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24833,7 +24833,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Protection of Information at Rest + capability-id: SC-28 comments: '' mapping-description: '' mapping-type: mitigates @@ -24841,7 +24841,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24849,7 +24849,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -24857,7 +24857,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -24865,7 +24865,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -24873,7 +24873,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -24881,7 +24881,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -24889,7 +24889,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Heterogeneity + capability-id: SC-29 comments: '' mapping-description: '' mapping-type: mitigates @@ -24897,7 +24897,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24905,7 +24905,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24913,7 +24913,7 @@ attack-objects: tags: [] - attack-object-id: T1134.005 attack-object-name: SID-History Injection - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24921,7 +24921,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24929,7 +24929,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24937,7 +24937,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24945,7 +24945,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24953,7 +24953,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24961,7 +24961,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -24969,7 +24969,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24977,7 +24977,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24985,7 +24985,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -24993,7 +24993,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25001,7 +25001,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25009,7 +25009,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -25017,7 +25017,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Security Function Isolation + capability-id: SC-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25025,7 +25025,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25033,7 +25033,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25041,7 +25041,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25049,7 +25049,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25057,7 +25057,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25065,7 +25065,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates @@ -25073,7 +25073,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Concealment and Misdirection + capability-id: SC-30 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25081,7 +25081,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25089,7 +25089,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25097,7 +25097,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25105,7 +25105,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25113,7 +25113,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Covert Channel Analysis + capability-id: SC-31 comments: '' mapping-description: '' mapping-type: mitigates @@ -25121,7 +25121,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25129,7 +25129,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25137,7 +25137,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25145,7 +25145,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25153,7 +25153,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25161,7 +25161,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25169,7 +25169,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25177,7 +25177,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25185,7 +25185,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25193,7 +25193,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25201,7 +25201,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25209,7 +25209,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25217,7 +25217,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25225,7 +25225,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Non-modifiable Executable Programs + capability-id: SC-34 comments: '' mapping-description: '' mapping-type: mitigates @@ -25233,7 +25233,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -25241,7 +25241,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -25249,7 +25249,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25257,7 +25257,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: External Malicious Code Identification + capability-id: SC-35 comments: '' mapping-description: '' mapping-type: mitigates @@ -25265,7 +25265,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25273,7 +25273,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25281,7 +25281,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25289,7 +25289,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25297,7 +25297,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates @@ -25305,7 +25305,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Distributed Processing and Storage + capability-id: SC-36 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25313,7 +25313,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25321,7 +25321,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25329,7 +25329,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25337,7 +25337,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25345,7 +25345,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Out-of-band Channels + capability-id: SC-37 comments: '' mapping-description: '' mapping-type: mitigates @@ -25353,7 +25353,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25361,7 +25361,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25369,7 +25369,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25377,7 +25377,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25385,7 +25385,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25393,7 +25393,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25401,7 +25401,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25409,7 +25409,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25417,7 +25417,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25425,7 +25425,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25433,7 +25433,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25441,7 +25441,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25449,7 +25449,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25457,7 +25457,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25465,7 +25465,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25473,7 +25473,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25481,7 +25481,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25489,7 +25489,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25497,7 +25497,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25505,7 +25505,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25513,7 +25513,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25521,7 +25521,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Process Isolation + capability-id: SC-39 comments: '' mapping-description: '' mapping-type: mitigates @@ -25529,7 +25529,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25537,7 +25537,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25545,7 +25545,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25553,7 +25553,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25561,7 +25561,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25569,7 +25569,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25577,7 +25577,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25585,7 +25585,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25593,7 +25593,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25601,7 +25601,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25609,7 +25609,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25617,7 +25617,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25625,7 +25625,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25633,7 +25633,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25641,7 +25641,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25649,7 +25649,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25657,7 +25657,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25665,7 +25665,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25673,7 +25673,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25681,7 +25681,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25689,7 +25689,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25697,7 +25697,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25705,7 +25705,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25713,7 +25713,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -25721,7 +25721,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information in Shared System Resources + capability-id: SC-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25729,7 +25729,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -25737,7 +25737,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -25745,7 +25745,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -25753,7 +25753,7 @@ attack-objects: tags: [] - attack-object-id: T1200 attack-object-name: Hardware Additions - capability-id: Port and I/O Device Access + capability-id: SC-41 comments: '' mapping-description: '' mapping-type: mitigates @@ -25761,7 +25761,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Usage Restrictions + capability-id: SC-43 comments: '' mapping-description: '' mapping-type: mitigates @@ -25769,7 +25769,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25777,7 +25777,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25785,7 +25785,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25793,7 +25793,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25801,7 +25801,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25809,7 +25809,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25817,7 +25817,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25825,7 +25825,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25833,7 +25833,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25841,7 +25841,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25849,7 +25849,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25857,7 +25857,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25865,7 +25865,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Detonation Chambers + capability-id: SC-44 comments: '' mapping-description: '' mapping-type: mitigates @@ -25873,7 +25873,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25881,7 +25881,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25889,7 +25889,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25897,7 +25897,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25905,7 +25905,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25913,7 +25913,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25921,7 +25921,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25929,7 +25929,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25937,7 +25937,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25945,7 +25945,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25953,7 +25953,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25961,7 +25961,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -25969,7 +25969,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25977,7 +25977,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25985,7 +25985,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -25993,7 +25993,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26001,7 +26001,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26009,7 +26009,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26017,7 +26017,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26025,7 +26025,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26033,7 +26033,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26041,7 +26041,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26049,7 +26049,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26057,7 +26057,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26065,7 +26065,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26073,7 +26073,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates @@ -26081,7 +26081,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Cross Domain Policy Enforcement + capability-id: SC-46 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26089,7 +26089,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26097,7 +26097,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26105,7 +26105,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26113,7 +26113,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26121,7 +26121,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26129,7 +26129,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26137,7 +26137,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26145,7 +26145,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26153,7 +26153,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26161,7 +26161,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26169,7 +26169,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26177,7 +26177,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26185,7 +26185,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26193,7 +26193,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26201,7 +26201,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26209,7 +26209,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26217,7 +26217,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26225,7 +26225,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26233,7 +26233,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26241,7 +26241,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26249,7 +26249,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26257,7 +26257,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26265,7 +26265,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26273,7 +26273,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26281,7 +26281,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26289,7 +26289,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26297,7 +26297,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26305,7 +26305,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26313,7 +26313,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26321,7 +26321,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26329,7 +26329,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26337,7 +26337,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26345,7 +26345,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26353,7 +26353,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26361,7 +26361,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26369,7 +26369,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26377,7 +26377,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26385,7 +26385,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26393,7 +26393,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26401,7 +26401,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26409,7 +26409,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26417,7 +26417,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26425,7 +26425,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26433,7 +26433,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26441,7 +26441,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26449,7 +26449,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26457,7 +26457,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26465,7 +26465,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26473,7 +26473,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26481,7 +26481,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26489,7 +26489,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26497,7 +26497,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26505,7 +26505,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26513,7 +26513,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26521,7 +26521,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26529,7 +26529,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26537,7 +26537,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26545,7 +26545,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26553,7 +26553,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26561,7 +26561,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26569,7 +26569,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26577,7 +26577,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26585,7 +26585,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26593,7 +26593,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26601,7 +26601,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26609,7 +26609,7 @@ attack-objects: tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26617,7 +26617,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26625,7 +26625,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26633,7 +26633,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26641,7 +26641,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26649,7 +26649,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26657,7 +26657,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26665,7 +26665,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26673,7 +26673,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26681,7 +26681,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26689,7 +26689,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26697,7 +26697,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26705,7 +26705,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26713,7 +26713,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26721,7 +26721,7 @@ attack-objects: tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26729,7 +26729,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26737,7 +26737,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26745,7 +26745,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26753,7 +26753,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26761,7 +26761,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26769,7 +26769,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26777,7 +26777,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26785,7 +26785,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26793,7 +26793,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26801,7 +26801,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26809,7 +26809,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26817,7 +26817,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26825,7 +26825,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26833,7 +26833,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26841,7 +26841,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26849,7 +26849,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26857,7 +26857,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26865,7 +26865,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26873,7 +26873,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26881,7 +26881,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26889,7 +26889,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26897,7 +26897,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26905,7 +26905,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26913,7 +26913,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26921,7 +26921,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26929,7 +26929,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26937,7 +26937,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26945,7 +26945,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26953,7 +26953,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26961,7 +26961,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26969,7 +26969,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -26977,7 +26977,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26985,7 +26985,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -26993,7 +26993,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27001,7 +27001,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27009,7 +27009,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27017,7 +27017,7 @@ attack-objects: tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27025,7 +27025,7 @@ attack-objects: tags: [] - attack-object-id: T1567.001 attack-object-name: Exfiltration to Code Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27033,7 +27033,7 @@ attack-objects: tags: [] - attack-object-id: T1567.002 attack-object-name: Exfiltration to Cloud Storage - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27041,7 +27041,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27049,7 +27049,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27057,7 +27057,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27065,7 +27065,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27073,7 +27073,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27081,7 +27081,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27089,7 +27089,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27097,7 +27097,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27105,7 +27105,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27113,7 +27113,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27121,7 +27121,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27129,7 +27129,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27137,7 +27137,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27145,7 +27145,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27153,7 +27153,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27161,7 +27161,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27169,7 +27169,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27177,7 +27177,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27185,7 +27185,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27193,7 +27193,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27201,7 +27201,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27209,7 +27209,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: Boundary Protection + capability-id: SC-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -27217,7 +27217,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27225,7 +27225,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27233,7 +27233,7 @@ attack-objects: tags: [] - attack-object-id: T1090.004 attack-object-name: Domain Fronting - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27241,7 +27241,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27249,7 +27249,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27257,7 +27257,7 @@ attack-objects: tags: [] - attack-object-id: T1552.007 attack-object-name: Container API - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27265,7 +27265,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27273,7 +27273,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27281,7 +27281,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27289,7 +27289,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27297,7 +27297,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27305,7 +27305,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27313,7 +27313,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Transmission Confidentiality and Integrity + capability-id: SC-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -27321,7 +27321,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27329,7 +27329,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27337,7 +27337,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27345,7 +27345,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27353,7 +27353,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27361,7 +27361,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27369,7 +27369,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27377,7 +27377,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27385,7 +27385,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27393,7 +27393,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27401,7 +27401,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27409,7 +27409,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27417,7 +27417,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27425,7 +27425,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27433,7 +27433,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27441,7 +27441,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27449,7 +27449,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27457,7 +27457,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27465,7 +27465,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27473,7 +27473,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27481,7 +27481,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27489,7 +27489,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27497,7 +27497,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27505,7 +27505,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27513,7 +27513,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27521,7 +27521,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27529,7 +27529,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27537,7 +27537,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27545,7 +27545,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27553,7 +27553,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27561,7 +27561,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27569,7 +27569,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27577,7 +27577,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27585,7 +27585,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27593,7 +27593,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27601,7 +27601,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27609,7 +27609,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27617,7 +27617,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27625,7 +27625,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27633,7 +27633,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27641,7 +27641,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27649,7 +27649,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27657,7 +27657,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27665,7 +27665,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27673,7 +27673,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27681,7 +27681,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27689,7 +27689,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27697,7 +27697,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27705,7 +27705,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27713,7 +27713,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27721,7 +27721,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27729,7 +27729,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27737,7 +27737,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27745,7 +27745,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27753,7 +27753,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27761,7 +27761,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27769,7 +27769,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27777,7 +27777,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27785,7 +27785,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27793,7 +27793,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27801,7 +27801,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27809,7 +27809,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27817,7 +27817,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27825,7 +27825,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27833,7 +27833,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27841,7 +27841,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27849,7 +27849,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27857,7 +27857,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27865,7 +27865,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27873,7 +27873,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27881,7 +27881,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27889,7 +27889,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27897,7 +27897,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27905,7 +27905,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27913,7 +27913,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27921,7 +27921,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27929,7 +27929,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27937,7 +27937,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27945,7 +27945,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -27953,7 +27953,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27961,7 +27961,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27969,7 +27969,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27977,7 +27977,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27985,7 +27985,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -27993,7 +27993,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -28001,7 +28001,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28009,7 +28009,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -28017,7 +28017,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Information Input Validation + capability-id: SI-10 comments: '' mapping-description: '' mapping-type: mitigates @@ -28025,7 +28025,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28033,7 +28033,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28041,7 +28041,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28049,7 +28049,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28057,7 +28057,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28065,7 +28065,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28073,7 +28073,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28081,7 +28081,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28089,7 +28089,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28097,7 +28097,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28105,7 +28105,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28113,7 +28113,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28121,7 +28121,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28129,7 +28129,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28137,7 +28137,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28145,7 +28145,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28153,7 +28153,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28161,7 +28161,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28169,7 +28169,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28177,7 +28177,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28185,7 +28185,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28193,7 +28193,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28201,7 +28201,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28209,7 +28209,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28217,7 +28217,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28225,7 +28225,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28233,7 +28233,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28241,7 +28241,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28249,7 +28249,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28257,7 +28257,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Management and Retention + capability-id: SI-12 comments: '' mapping-description: '' mapping-type: mitigates @@ -28265,7 +28265,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28273,7 +28273,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28281,7 +28281,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28289,7 +28289,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28297,7 +28297,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28305,7 +28305,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28313,7 +28313,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28321,7 +28321,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28329,7 +28329,7 @@ attack-objects: tags: [] - attack-object-id: T1090.003 attack-object-name: Multi-hop Proxy - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28337,7 +28337,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28345,7 +28345,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28353,7 +28353,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28361,7 +28361,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28369,7 +28369,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28377,7 +28377,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28385,7 +28385,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28393,7 +28393,7 @@ attack-objects: tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28401,7 +28401,7 @@ attack-objects: tags: [] - attack-object-id: T1498.001 attack-object-name: Direct Network Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28409,7 +28409,7 @@ attack-objects: tags: [] - attack-object-id: T1498.002 attack-object-name: Reflection Amplification - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28417,7 +28417,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28425,7 +28425,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28433,7 +28433,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28441,7 +28441,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28449,7 +28449,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28457,7 +28457,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28465,7 +28465,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28473,7 +28473,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28481,7 +28481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28489,7 +28489,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28497,7 +28497,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28505,7 +28505,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28513,7 +28513,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28521,7 +28521,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28529,7 +28529,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28537,7 +28537,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28545,7 +28545,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28553,7 +28553,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28561,7 +28561,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Information Output Filtering + capability-id: SI-15 comments: '' mapping-description: '' mapping-type: mitigates @@ -28569,7 +28569,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28577,7 +28577,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28585,7 +28585,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28593,7 +28593,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28601,7 +28601,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28609,7 +28609,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28617,7 +28617,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28625,7 +28625,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates @@ -28633,7 +28633,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Memory Protection + capability-id: SI-16 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28641,7 +28641,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28649,7 +28649,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28657,7 +28657,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28665,7 +28665,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28673,7 +28673,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28681,7 +28681,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28689,7 +28689,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28697,7 +28697,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28705,7 +28705,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28713,7 +28713,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28721,7 +28721,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28729,7 +28729,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28737,7 +28737,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28745,7 +28745,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28753,7 +28753,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28761,7 +28761,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28769,7 +28769,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28777,7 +28777,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28785,7 +28785,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28793,7 +28793,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28801,7 +28801,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28809,7 +28809,7 @@ attack-objects: tags: [] - attack-object-id: T1137.003 attack-object-name: Outlook Forms - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28817,7 +28817,7 @@ attack-objects: tags: [] - attack-object-id: T1137.004 attack-object-name: Outlook Home Page - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28825,7 +28825,7 @@ attack-objects: tags: [] - attack-object-id: T1137.005 attack-object-name: Outlook Rules - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28833,7 +28833,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28841,7 +28841,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28849,7 +28849,7 @@ attack-objects: tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28857,7 +28857,7 @@ attack-objects: tags: [] - attack-object-id: T1195.001 attack-object-name: Compromise Software Dependencies and Development Tools - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28865,7 +28865,7 @@ attack-objects: tags: [] - attack-object-id: T1195.002 attack-object-name: Compromise Software Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28873,7 +28873,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28881,7 +28881,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28889,7 +28889,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28897,7 +28897,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28905,7 +28905,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28913,7 +28913,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28921,7 +28921,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28929,7 +28929,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28937,7 +28937,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28945,7 +28945,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28953,7 +28953,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -28961,7 +28961,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28969,7 +28969,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28977,7 +28977,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28985,7 +28985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -28993,7 +28993,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29001,7 +29001,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29009,7 +29009,7 @@ attack-objects: tags: [] - attack-object-id: T1546.011 attack-object-name: Application Shimming - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29017,7 +29017,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29025,7 +29025,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29033,7 +29033,7 @@ attack-objects: tags: [] - attack-object-id: T1550.002 attack-object-name: Pass the Hash - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29041,7 +29041,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29049,7 +29049,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29057,7 +29057,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29065,7 +29065,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29073,7 +29073,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29081,7 +29081,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29089,7 +29089,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29097,7 +29097,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29105,7 +29105,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29113,7 +29113,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29121,7 +29121,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29129,7 +29129,7 @@ attack-objects: tags: [] - attack-object-id: T1574.002 attack-object-name: DLL Side-Loading - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29137,7 +29137,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29145,7 +29145,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29153,7 +29153,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29161,7 +29161,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Flaw Remediation + capability-id: SI-2 comments: '' mapping-description: '' mapping-type: mitigates @@ -29169,7 +29169,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -29177,7 +29177,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -29185,7 +29185,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -29193,7 +29193,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -29201,7 +29201,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -29209,7 +29209,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29217,7 +29217,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Information Fragmentation + capability-id: SI-23 comments: '' mapping-description: '' mapping-type: mitigates @@ -29225,7 +29225,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29233,7 +29233,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29241,7 +29241,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29249,7 +29249,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29257,7 +29257,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29265,7 +29265,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29273,7 +29273,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29281,7 +29281,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29289,7 +29289,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29297,7 +29297,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29305,7 +29305,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29313,7 +29313,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29321,7 +29321,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29329,7 +29329,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29337,7 +29337,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29345,7 +29345,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29353,7 +29353,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29361,7 +29361,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29369,7 +29369,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29377,7 +29377,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29385,7 +29385,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29393,7 +29393,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29401,7 +29401,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29409,7 +29409,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29417,7 +29417,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29425,7 +29425,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29433,7 +29433,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29441,7 +29441,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29449,7 +29449,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29457,7 +29457,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29465,7 +29465,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29473,7 +29473,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29481,7 +29481,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29489,7 +29489,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29497,7 +29497,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29505,7 +29505,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29513,7 +29513,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29521,7 +29521,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29529,7 +29529,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29537,7 +29537,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29545,7 +29545,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29553,7 +29553,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29561,7 +29561,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29569,7 +29569,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29577,7 +29577,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29585,7 +29585,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29593,7 +29593,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29601,7 +29601,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29609,7 +29609,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29617,7 +29617,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29625,7 +29625,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29633,7 +29633,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29641,7 +29641,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29649,7 +29649,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29657,7 +29657,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29665,7 +29665,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29673,7 +29673,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29681,7 +29681,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29689,7 +29689,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29697,7 +29697,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29705,7 +29705,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29713,7 +29713,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29721,7 +29721,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29729,7 +29729,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29737,7 +29737,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29745,7 +29745,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29753,7 +29753,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29761,7 +29761,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29769,7 +29769,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29777,7 +29777,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29785,7 +29785,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29793,7 +29793,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29801,7 +29801,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29809,7 +29809,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29817,7 +29817,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29825,7 +29825,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29833,7 +29833,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29841,7 +29841,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29849,7 +29849,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29857,7 +29857,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29865,7 +29865,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29873,7 +29873,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29881,7 +29881,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29889,7 +29889,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29897,7 +29897,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29905,7 +29905,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29913,7 +29913,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29921,7 +29921,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29929,7 +29929,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29937,7 +29937,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29945,7 +29945,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29953,7 +29953,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29961,7 +29961,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29969,7 +29969,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -29977,7 +29977,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29985,7 +29985,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -29993,7 +29993,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30001,7 +30001,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30009,7 +30009,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30017,7 +30017,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30025,7 +30025,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30033,7 +30033,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30041,7 +30041,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30049,7 +30049,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30057,7 +30057,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30065,7 +30065,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30073,7 +30073,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30081,7 +30081,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30089,7 +30089,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30097,7 +30097,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30105,7 +30105,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30113,7 +30113,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30121,7 +30121,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30129,7 +30129,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30137,7 +30137,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30145,7 +30145,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30153,7 +30153,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30161,7 +30161,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30169,7 +30169,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30177,7 +30177,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30185,7 +30185,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30193,7 +30193,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30201,7 +30201,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30209,7 +30209,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30217,7 +30217,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30225,7 +30225,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30233,7 +30233,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30241,7 +30241,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30249,7 +30249,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30257,7 +30257,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30265,7 +30265,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30273,7 +30273,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30281,7 +30281,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30289,7 +30289,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30297,7 +30297,7 @@ attack-objects: tags: [] - attack-object-id: T1559.001 attack-object-name: Component Object Model - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30305,7 +30305,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30313,7 +30313,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30321,7 +30321,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30329,7 +30329,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30337,7 +30337,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30345,7 +30345,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30353,7 +30353,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30361,7 +30361,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30369,7 +30369,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30377,7 +30377,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30385,7 +30385,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30393,7 +30393,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30401,7 +30401,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30409,7 +30409,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30417,7 +30417,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30425,7 +30425,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30433,7 +30433,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30441,7 +30441,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30449,7 +30449,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30457,7 +30457,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30465,7 +30465,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30473,7 +30473,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30481,7 +30481,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30489,7 +30489,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30497,7 +30497,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30505,7 +30505,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30513,7 +30513,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30521,7 +30521,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30529,7 +30529,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30537,7 +30537,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30545,7 +30545,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30553,7 +30553,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30561,7 +30561,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30569,7 +30569,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30577,7 +30577,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30585,7 +30585,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30593,7 +30593,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30601,7 +30601,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30609,7 +30609,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30617,7 +30617,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Malicious Code Protection + capability-id: SI-3 comments: '' mapping-description: '' mapping-type: mitigates @@ -30625,7 +30625,7 @@ attack-objects: tags: [] - attack-object-id: T1001 attack-object-name: Data Obfuscation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30633,7 +30633,7 @@ attack-objects: tags: [] - attack-object-id: T1001.001 attack-object-name: Junk Data - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30641,7 +30641,7 @@ attack-objects: tags: [] - attack-object-id: T1001.002 attack-object-name: Steganography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30649,7 +30649,7 @@ attack-objects: tags: [] - attack-object-id: T1001.003 attack-object-name: Protocol Impersonation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30657,7 +30657,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30665,7 +30665,7 @@ attack-objects: tags: [] - attack-object-id: T1003.001 attack-object-name: LSASS Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30673,7 +30673,7 @@ attack-objects: tags: [] - attack-object-id: T1003.002 attack-object-name: Security Account Manager - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30681,7 +30681,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30689,7 +30689,7 @@ attack-objects: tags: [] - attack-object-id: T1003.004 attack-object-name: LSA Secrets - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30697,7 +30697,7 @@ attack-objects: tags: [] - attack-object-id: T1003.005 attack-object-name: Cached Domain Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30705,7 +30705,7 @@ attack-objects: tags: [] - attack-object-id: T1003.006 attack-object-name: DCSync - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30713,7 +30713,7 @@ attack-objects: tags: [] - attack-object-id: T1003.007 attack-object-name: Proc Filesystem - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30721,7 +30721,7 @@ attack-objects: tags: [] - attack-object-id: T1003.008 attack-object-name: /etc/passwd and /etc/shadow - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30729,7 +30729,7 @@ attack-objects: tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30737,7 +30737,7 @@ attack-objects: tags: [] - attack-object-id: T1011 attack-object-name: Exfiltration Over Other Network Medium - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30745,7 +30745,7 @@ attack-objects: tags: [] - attack-object-id: T1011.001 attack-object-name: Exfiltration Over Bluetooth - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30753,7 +30753,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30761,7 +30761,7 @@ attack-objects: tags: [] - attack-object-id: T1021 attack-object-name: Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30769,7 +30769,7 @@ attack-objects: tags: [] - attack-object-id: T1021.001 attack-object-name: Remote Desktop Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30777,7 +30777,7 @@ attack-objects: tags: [] - attack-object-id: T1021.002 attack-object-name: SMB/Windows Admin Shares - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30785,7 +30785,7 @@ attack-objects: tags: [] - attack-object-id: T1021.003 attack-object-name: Distributed Component Object Model - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30793,7 +30793,7 @@ attack-objects: tags: [] - attack-object-id: T1021.004 attack-object-name: SSH - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30801,7 +30801,7 @@ attack-objects: tags: [] - attack-object-id: T1021.005 attack-object-name: VNC - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30809,7 +30809,7 @@ attack-objects: tags: [] - attack-object-id: T1021.006 attack-object-name: Windows Remote Management - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30817,7 +30817,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30825,7 +30825,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30833,7 +30833,7 @@ attack-objects: tags: [] - attack-object-id: T1029 attack-object-name: Scheduled Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30841,7 +30841,7 @@ attack-objects: tags: [] - attack-object-id: T1030 attack-object-name: Data Transfer Size Limits - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30849,7 +30849,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30857,7 +30857,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30865,7 +30865,7 @@ attack-objects: tags: [] - attack-object-id: T1036.003 attack-object-name: Rename System Utilities - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30873,7 +30873,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30881,7 +30881,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30889,7 +30889,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30897,7 +30897,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30905,7 +30905,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30913,7 +30913,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30921,7 +30921,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30929,7 +30929,7 @@ attack-objects: tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30937,7 +30937,7 @@ attack-objects: tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30945,7 +30945,7 @@ attack-objects: tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30953,7 +30953,7 @@ attack-objects: tags: [] - attack-object-id: T1048.001 attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30961,7 +30961,7 @@ attack-objects: tags: [] - attack-object-id: T1048.002 attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30969,7 +30969,7 @@ attack-objects: tags: [] - attack-object-id: T1048.003 attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -30977,7 +30977,7 @@ attack-objects: tags: [] - attack-object-id: T1052 attack-object-name: Exfiltration Over Physical Medium - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30985,7 +30985,7 @@ attack-objects: tags: [] - attack-object-id: T1052.001 attack-object-name: Exfiltration over USB - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -30993,7 +30993,7 @@ attack-objects: tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31001,7 +31001,7 @@ attack-objects: tags: [] - attack-object-id: T1053.001 attack-object-name: At (Linux) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31009,7 +31009,7 @@ attack-objects: tags: [] - attack-object-id: T1053.002 attack-object-name: At (Windows) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31017,7 +31017,7 @@ attack-objects: tags: [] - attack-object-id: T1053.003 attack-object-name: Cron - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31025,7 +31025,7 @@ attack-objects: tags: [] - attack-object-id: T1053.004 attack-object-name: Launchd - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31033,7 +31033,7 @@ attack-objects: tags: [] - attack-object-id: T1053.005 attack-object-name: Scheduled Task - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31041,7 +31041,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31049,7 +31049,7 @@ attack-objects: tags: [] - attack-object-id: T1055 attack-object-name: Process Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31057,7 +31057,7 @@ attack-objects: tags: [] - attack-object-id: T1055.001 attack-object-name: Dynamic-link Library Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31065,7 +31065,7 @@ attack-objects: tags: [] - attack-object-id: T1055.002 attack-object-name: Portable Executable Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31073,7 +31073,7 @@ attack-objects: tags: [] - attack-object-id: T1055.003 attack-object-name: Thread Execution Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31081,7 +31081,7 @@ attack-objects: tags: [] - attack-object-id: T1055.004 attack-object-name: Asynchronous Procedure Call - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31089,7 +31089,7 @@ attack-objects: tags: [] - attack-object-id: T1055.005 attack-object-name: Thread Local Storage - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31097,7 +31097,7 @@ attack-objects: tags: [] - attack-object-id: T1055.008 attack-object-name: Ptrace System Calls - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31105,7 +31105,7 @@ attack-objects: tags: [] - attack-object-id: T1055.009 attack-object-name: Proc Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31113,7 +31113,7 @@ attack-objects: tags: [] - attack-object-id: T1055.011 attack-object-name: Extra Window Memory Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31121,7 +31121,7 @@ attack-objects: tags: [] - attack-object-id: T1055.012 attack-object-name: Process Hollowing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31129,7 +31129,7 @@ attack-objects: tags: [] - attack-object-id: T1055.013 attack-object-name: "Process Doppelg\xE4nging" - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31137,7 +31137,7 @@ attack-objects: tags: [] - attack-object-id: T1055.014 attack-object-name: VDSO Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31145,7 +31145,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31153,7 +31153,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31161,7 +31161,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31169,7 +31169,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31177,7 +31177,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31185,7 +31185,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31193,7 +31193,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31201,7 +31201,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31209,7 +31209,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31217,7 +31217,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31225,7 +31225,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31233,7 +31233,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31241,7 +31241,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31249,7 +31249,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31257,7 +31257,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31265,7 +31265,7 @@ attack-objects: tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31273,7 +31273,7 @@ attack-objects: tags: [] - attack-object-id: T1071.001 attack-object-name: Web Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31281,7 +31281,7 @@ attack-objects: tags: [] - attack-object-id: T1071.002 attack-object-name: File Transfer Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31289,7 +31289,7 @@ attack-objects: tags: [] - attack-object-id: T1071.003 attack-object-name: Mail Protocols - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31297,7 +31297,7 @@ attack-objects: tags: [] - attack-object-id: T1071.004 attack-object-name: DNS - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31305,7 +31305,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31313,7 +31313,7 @@ attack-objects: tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31321,7 +31321,7 @@ attack-objects: tags: [] - attack-object-id: T1078.001 attack-object-name: Default Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31329,7 +31329,7 @@ attack-objects: tags: [] - attack-object-id: T1078.002 attack-object-name: Domain Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31337,7 +31337,7 @@ attack-objects: tags: [] - attack-object-id: T1078.003 attack-object-name: Local Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31345,7 +31345,7 @@ attack-objects: tags: [] - attack-object-id: T1078.004 attack-object-name: Cloud Accounts - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31353,7 +31353,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31361,7 +31361,7 @@ attack-objects: tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31369,7 +31369,7 @@ attack-objects: tags: [] - attack-object-id: T1087.001 attack-object-name: Local Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31377,7 +31377,7 @@ attack-objects: tags: [] - attack-object-id: T1087.002 attack-object-name: Domain Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31385,7 +31385,7 @@ attack-objects: tags: [] - attack-object-id: T1090 attack-object-name: Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31393,7 +31393,7 @@ attack-objects: tags: [] - attack-object-id: T1090.001 attack-object-name: Internal Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31401,7 +31401,7 @@ attack-objects: tags: [] - attack-object-id: T1090.002 attack-object-name: External Proxy - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31409,7 +31409,7 @@ attack-objects: tags: [] - attack-object-id: T1091 attack-object-name: Replication Through Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31417,7 +31417,7 @@ attack-objects: tags: [] - attack-object-id: T1092 attack-object-name: Communication Through Removable Media - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31425,7 +31425,7 @@ attack-objects: tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31433,7 +31433,7 @@ attack-objects: tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31441,7 +31441,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31449,7 +31449,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31457,7 +31457,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31465,7 +31465,7 @@ attack-objects: tags: [] - attack-object-id: T1098.004 attack-object-name: SSH Authorized Keys - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31473,7 +31473,7 @@ attack-objects: tags: [] - attack-object-id: T1102 attack-object-name: Web Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31481,7 +31481,7 @@ attack-objects: tags: [] - attack-object-id: T1102.001 attack-object-name: Dead Drop Resolver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31489,7 +31489,7 @@ attack-objects: tags: [] - attack-object-id: T1102.002 attack-object-name: Bidirectional Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31497,7 +31497,7 @@ attack-objects: tags: [] - attack-object-id: T1102.003 attack-object-name: One-Way Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31505,7 +31505,7 @@ attack-objects: tags: [] - attack-object-id: T1104 attack-object-name: Multi-Stage Channels - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31513,7 +31513,7 @@ attack-objects: tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31521,7 +31521,7 @@ attack-objects: tags: [] - attack-object-id: T1110 attack-object-name: Brute Force - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31529,7 +31529,7 @@ attack-objects: tags: [] - attack-object-id: T1110.001 attack-object-name: Password Guessing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31537,7 +31537,7 @@ attack-objects: tags: [] - attack-object-id: T1110.002 attack-object-name: Password Cracking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31545,7 +31545,7 @@ attack-objects: tags: [] - attack-object-id: T1110.003 attack-object-name: Password Spraying - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31553,7 +31553,7 @@ attack-objects: tags: [] - attack-object-id: T1110.004 attack-object-name: Credential Stuffing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31561,7 +31561,7 @@ attack-objects: tags: [] - attack-object-id: T1111 attack-object-name: Two-Factor Authentication Interception - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31569,7 +31569,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31577,7 +31577,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31585,7 +31585,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31593,7 +31593,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31601,7 +31601,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31609,7 +31609,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31617,7 +31617,7 @@ attack-objects: tags: [] - attack-object-id: T1127.001 attack-object-name: MSBuild - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31625,7 +31625,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31633,7 +31633,7 @@ attack-objects: tags: [] - attack-object-id: T1132 attack-object-name: Data Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31641,7 +31641,7 @@ attack-objects: tags: [] - attack-object-id: T1132.001 attack-object-name: Standard Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31649,7 +31649,7 @@ attack-objects: tags: [] - attack-object-id: T1132.002 attack-object-name: Non-Standard Encoding - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31657,7 +31657,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31665,7 +31665,7 @@ attack-objects: tags: [] - attack-object-id: T1135 attack-object-name: Network Share Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31673,7 +31673,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31681,7 +31681,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31689,7 +31689,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31697,7 +31697,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31705,7 +31705,7 @@ attack-objects: tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31713,7 +31713,7 @@ attack-objects: tags: [] - attack-object-id: T1137.001 attack-object-name: Office Template Macros - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31721,7 +31721,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31729,7 +31729,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31737,7 +31737,7 @@ attack-objects: tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31745,7 +31745,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31753,7 +31753,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31761,7 +31761,7 @@ attack-objects: tags: [] - attack-object-id: T1197 attack-object-name: BITS Jobs - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31769,7 +31769,7 @@ attack-objects: tags: [] - attack-object-id: T1201 attack-object-name: Password Policy Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31777,7 +31777,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31785,7 +31785,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31793,7 +31793,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31801,7 +31801,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31809,7 +31809,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31817,7 +31817,7 @@ attack-objects: tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31825,7 +31825,7 @@ attack-objects: tags: [] - attack-object-id: T1205.001 attack-object-name: Port Knocking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31833,7 +31833,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31841,7 +31841,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31849,7 +31849,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31857,7 +31857,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31865,7 +31865,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31873,7 +31873,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31881,7 +31881,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31889,7 +31889,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31897,7 +31897,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31905,7 +31905,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31913,7 +31913,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31921,7 +31921,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31929,7 +31929,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -31937,7 +31937,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31945,7 +31945,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31953,7 +31953,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31961,7 +31961,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31969,7 +31969,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31977,7 +31977,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31985,7 +31985,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -31993,7 +31993,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32001,7 +32001,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32009,7 +32009,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32017,7 +32017,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32025,7 +32025,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32033,7 +32033,7 @@ attack-objects: tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32041,7 +32041,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32049,7 +32049,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32057,7 +32057,7 @@ attack-objects: tags: [] - attack-object-id: T1489 attack-object-name: Service Stop - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32065,7 +32065,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32073,7 +32073,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32081,7 +32081,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32089,7 +32089,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32097,7 +32097,7 @@ attack-objects: tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32105,7 +32105,7 @@ attack-objects: tags: [] - attack-object-id: T1499.001 attack-object-name: OS Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32113,7 +32113,7 @@ attack-objects: tags: [] - attack-object-id: T1499.002 attack-object-name: Service Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32121,7 +32121,7 @@ attack-objects: tags: [] - attack-object-id: T1499.003 attack-object-name: Application Exhaustion Flood - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32129,7 +32129,7 @@ attack-objects: tags: [] - attack-object-id: T1499.004 attack-object-name: Application or System Exploitation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32137,7 +32137,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32145,7 +32145,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32153,7 +32153,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32161,7 +32161,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32169,7 +32169,7 @@ attack-objects: tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32177,7 +32177,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32185,7 +32185,7 @@ attack-objects: tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32193,7 +32193,7 @@ attack-objects: tags: [] - attack-object-id: T1539 attack-object-name: Steal Web Session Cookie - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32201,7 +32201,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32209,7 +32209,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32217,7 +32217,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32225,7 +32225,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32233,7 +32233,7 @@ attack-objects: tags: [] - attack-object-id: T1543.003 attack-object-name: Windows Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32241,7 +32241,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32249,7 +32249,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32257,7 +32257,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32265,7 +32265,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32273,7 +32273,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32281,7 +32281,7 @@ attack-objects: tags: [] - attack-object-id: T1546.014 attack-object-name: Emond - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32289,7 +32289,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32297,7 +32297,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32305,7 +32305,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32313,7 +32313,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32321,7 +32321,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32329,7 +32329,7 @@ attack-objects: tags: [] - attack-object-id: T1547.007 attack-object-name: Re-opened Applications - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32337,7 +32337,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32345,7 +32345,7 @@ attack-objects: tags: [] - attack-object-id: T1547.009 attack-object-name: Shortcut Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32353,7 +32353,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32361,7 +32361,7 @@ attack-objects: tags: [] - attack-object-id: T1547.012 attack-object-name: Print Processors - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32369,7 +32369,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32377,7 +32377,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32385,7 +32385,7 @@ attack-objects: tags: [] - attack-object-id: T1548.001 attack-object-name: Setuid and Setgid - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32393,7 +32393,7 @@ attack-objects: tags: [] - attack-object-id: T1548.002 attack-object-name: Bypass User Account Control - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32401,7 +32401,7 @@ attack-objects: tags: [] - attack-object-id: T1548.003 attack-object-name: Sudo and Sudo Caching - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32409,7 +32409,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32417,7 +32417,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32425,7 +32425,7 @@ attack-objects: tags: [] - attack-object-id: T1550.003 attack-object-name: Pass the Ticket - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32433,7 +32433,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32441,7 +32441,7 @@ attack-objects: tags: [] - attack-object-id: T1552.001 attack-object-name: Credentials In Files - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32449,7 +32449,7 @@ attack-objects: tags: [] - attack-object-id: T1552.002 attack-object-name: Credentials in Registry - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32457,7 +32457,7 @@ attack-objects: tags: [] - attack-object-id: T1552.003 attack-object-name: Bash History - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32465,7 +32465,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32473,7 +32473,7 @@ attack-objects: tags: [] - attack-object-id: T1552.005 attack-object-name: Cloud Instance Metadata API - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32481,7 +32481,7 @@ attack-objects: tags: [] - attack-object-id: T1552.006 attack-object-name: Group Policy Preferences - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32489,7 +32489,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32497,7 +32497,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32505,7 +32505,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32513,7 +32513,7 @@ attack-objects: tags: [] - attack-object-id: T1553.004 attack-object-name: Install Root Certificate - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32521,7 +32521,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32529,7 +32529,7 @@ attack-objects: tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32537,7 +32537,7 @@ attack-objects: tags: [] - attack-object-id: T1555.001 attack-object-name: Keychain - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32545,7 +32545,7 @@ attack-objects: tags: [] - attack-object-id: T1555.002 attack-object-name: Securityd Memory - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32553,7 +32553,7 @@ attack-objects: tags: [] - attack-object-id: T1555.004 attack-object-name: Windows Credential Manager - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32561,7 +32561,7 @@ attack-objects: tags: [] - attack-object-id: T1555.005 attack-object-name: Password Managers - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32569,7 +32569,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32577,7 +32577,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32585,7 +32585,7 @@ attack-objects: tags: [] - attack-object-id: T1556.002 attack-object-name: Password Filter DLL - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32593,7 +32593,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32601,7 +32601,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32609,7 +32609,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32617,7 +32617,7 @@ attack-objects: tags: [] - attack-object-id: T1557.001 attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32625,7 +32625,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32633,7 +32633,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32641,7 +32641,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32649,7 +32649,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32657,7 +32657,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32665,7 +32665,7 @@ attack-objects: tags: [] - attack-object-id: T1559 attack-object-name: Inter-Process Communication - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32673,7 +32673,7 @@ attack-objects: tags: [] - attack-object-id: T1559.002 attack-object-name: Dynamic Data Exchange - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32681,7 +32681,7 @@ attack-objects: tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32689,7 +32689,7 @@ attack-objects: tags: [] - attack-object-id: T1560.001 attack-object-name: Archive via Utility - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32697,7 +32697,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32705,7 +32705,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32713,7 +32713,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32721,7 +32721,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32729,7 +32729,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32737,7 +32737,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32745,7 +32745,7 @@ attack-objects: tags: [] - attack-object-id: T1562.003 attack-object-name: Impair Command History Logging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32753,7 +32753,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32761,7 +32761,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32769,7 +32769,7 @@ attack-objects: tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32777,7 +32777,7 @@ attack-objects: tags: [] - attack-object-id: T1563.001 attack-object-name: SSH Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32785,7 +32785,7 @@ attack-objects: tags: [] - attack-object-id: T1563.002 attack-object-name: RDP Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32793,7 +32793,7 @@ attack-objects: tags: [] - attack-object-id: T1564.002 attack-object-name: Hidden Users - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32801,7 +32801,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32809,7 +32809,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32817,7 +32817,7 @@ attack-objects: tags: [] - attack-object-id: T1564.007 attack-object-name: VBA Stomping - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32825,7 +32825,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32833,7 +32833,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32841,7 +32841,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32849,7 +32849,7 @@ attack-objects: tags: [] - attack-object-id: T1565.003 attack-object-name: Runtime Data Manipulation - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32857,7 +32857,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32865,7 +32865,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32873,7 +32873,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32881,7 +32881,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32889,7 +32889,7 @@ attack-objects: tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32897,7 +32897,7 @@ attack-objects: tags: [] - attack-object-id: T1568.002 attack-object-name: Domain Generation Algorithms - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32905,7 +32905,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32913,7 +32913,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32921,7 +32921,7 @@ attack-objects: tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32929,7 +32929,7 @@ attack-objects: tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32937,7 +32937,7 @@ attack-objects: tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32945,7 +32945,7 @@ attack-objects: tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32953,7 +32953,7 @@ attack-objects: tags: [] - attack-object-id: T1573.001 attack-object-name: Symmetric Cryptography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -32961,7 +32961,7 @@ attack-objects: tags: [] - attack-object-id: T1573.002 attack-object-name: Asymmetric Cryptography - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32969,7 +32969,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32977,7 +32977,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32985,7 +32985,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -32993,7 +32993,7 @@ attack-objects: tags: [] - attack-object-id: T1574.005 attack-object-name: Executable Installer File Permissions Weakness - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33001,7 +33001,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33009,7 +33009,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33017,7 +33017,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33025,7 +33025,7 @@ attack-objects: tags: [] - attack-object-id: T1574.010 attack-object-name: Services File Permissions Weakness - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33033,7 +33033,7 @@ attack-objects: tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33041,7 +33041,7 @@ attack-objects: tags: [] - attack-object-id: T1578.001 attack-object-name: Create Snapshot - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33049,7 +33049,7 @@ attack-objects: tags: [] - attack-object-id: T1578.002 attack-object-name: Create Cloud Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33057,7 +33057,7 @@ attack-objects: tags: [] - attack-object-id: T1578.003 attack-object-name: Delete Cloud Instance - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33065,7 +33065,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33073,7 +33073,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33081,7 +33081,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33089,7 +33089,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33097,7 +33097,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33105,7 +33105,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33113,7 +33113,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33121,7 +33121,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33129,7 +33129,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33137,7 +33137,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33145,7 +33145,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33153,7 +33153,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33161,7 +33161,7 @@ attack-objects: tags: [] - attack-object-id: T1610 attack-object-name: Deploy Container - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33169,7 +33169,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33177,7 +33177,7 @@ attack-objects: tags: [] - attack-object-id: T1612 attack-object-name: Build Image on Host - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33185,7 +33185,7 @@ attack-objects: tags: [] - attack-object-id: T1613 attack-object-name: Container and Resource Discovery - capability-id: System Monitoring + capability-id: SI-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -33193,7 +33193,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33201,7 +33201,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33209,7 +33209,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33217,7 +33217,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Security Alerts, Advisories, and Directives + capability-id: SI-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -33225,7 +33225,7 @@ attack-objects: tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33233,7 +33233,7 @@ attack-objects: tags: [] - attack-object-id: T1003.003 attack-object-name: NTDS - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33241,7 +33241,7 @@ attack-objects: tags: [] - attack-object-id: T1020.001 attack-object-name: Traffic Duplication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33249,7 +33249,7 @@ attack-objects: tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33257,7 +33257,7 @@ attack-objects: tags: [] - attack-object-id: T1027.002 attack-object-name: Software Packing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33265,7 +33265,7 @@ attack-objects: tags: [] - attack-object-id: T1036 attack-object-name: Masquerading - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33273,7 +33273,7 @@ attack-objects: tags: [] - attack-object-id: T1036.001 attack-object-name: Invalid Code Signature - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33281,7 +33281,7 @@ attack-objects: tags: [] - attack-object-id: T1036.005 attack-object-name: Match Legitimate Name or Location - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33289,7 +33289,7 @@ attack-objects: tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33297,7 +33297,7 @@ attack-objects: tags: [] - attack-object-id: T1037.002 attack-object-name: Logon Script (Mac) - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33305,7 +33305,7 @@ attack-objects: tags: [] - attack-object-id: T1037.003 attack-object-name: Network Logon Script - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33313,7 +33313,7 @@ attack-objects: tags: [] - attack-object-id: T1037.004 attack-object-name: RC Scripts - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33321,7 +33321,7 @@ attack-objects: tags: [] - attack-object-id: T1037.005 attack-object-name: Startup Items - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33329,7 +33329,7 @@ attack-objects: tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33337,7 +33337,7 @@ attack-objects: tags: [] - attack-object-id: T1053.006 attack-object-name: Systemd Timers - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33345,7 +33345,7 @@ attack-objects: tags: [] - attack-object-id: T1056.002 attack-object-name: GUI Input Capture - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33353,7 +33353,7 @@ attack-objects: tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33361,7 +33361,7 @@ attack-objects: tags: [] - attack-object-id: T1059.001 attack-object-name: PowerShell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33369,7 +33369,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33377,7 +33377,7 @@ attack-objects: tags: [] - attack-object-id: T1059.003 attack-object-name: Windows Command Shell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33385,7 +33385,7 @@ attack-objects: tags: [] - attack-object-id: T1059.004 attack-object-name: Unix Shell - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33393,7 +33393,7 @@ attack-objects: tags: [] - attack-object-id: T1059.005 attack-object-name: Visual Basic - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33401,7 +33401,7 @@ attack-objects: tags: [] - attack-object-id: T1059.006 attack-object-name: Python - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33409,7 +33409,7 @@ attack-objects: tags: [] - attack-object-id: T1059.007 attack-object-name: JavaScript - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33417,7 +33417,7 @@ attack-objects: tags: [] - attack-object-id: T1059.008 attack-object-name: Network Device CLI - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33425,7 +33425,7 @@ attack-objects: tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33433,7 +33433,7 @@ attack-objects: tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33441,7 +33441,7 @@ attack-objects: tags: [] - attack-object-id: T1070.001 attack-object-name: Clear Windows Event Logs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33449,7 +33449,7 @@ attack-objects: tags: [] - attack-object-id: T1070.002 attack-object-name: Clear Linux or Mac System Logs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33457,7 +33457,7 @@ attack-objects: tags: [] - attack-object-id: T1070.003 attack-object-name: Clear Command History - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33465,7 +33465,7 @@ attack-objects: tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33473,7 +33473,7 @@ attack-objects: tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33481,7 +33481,7 @@ attack-objects: tags: [] - attack-object-id: T1098.001 attack-object-name: Additional Cloud Credentials - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33489,7 +33489,7 @@ attack-objects: tags: [] - attack-object-id: T1098.002 attack-object-name: Exchange Email Delegate Permissions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33497,7 +33497,7 @@ attack-objects: tags: [] - attack-object-id: T1098.003 attack-object-name: Add Office 365 Global Administrator Role - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33505,7 +33505,7 @@ attack-objects: tags: [] - attack-object-id: T1114 attack-object-name: Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33513,7 +33513,7 @@ attack-objects: tags: [] - attack-object-id: T1114.001 attack-object-name: Local Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33521,7 +33521,7 @@ attack-objects: tags: [] - attack-object-id: T1114.002 attack-object-name: Remote Email Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33529,7 +33529,7 @@ attack-objects: tags: [] - attack-object-id: T1114.003 attack-object-name: Email Forwarding Rule - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33537,7 +33537,7 @@ attack-objects: tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33545,7 +33545,7 @@ attack-objects: tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33553,7 +33553,7 @@ attack-objects: tags: [] - attack-object-id: T1129 attack-object-name: Shared Modules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33561,7 +33561,7 @@ attack-objects: tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33569,7 +33569,7 @@ attack-objects: tags: [] - attack-object-id: T1136 attack-object-name: Create Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33577,7 +33577,7 @@ attack-objects: tags: [] - attack-object-id: T1136.001 attack-object-name: Local Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33585,7 +33585,7 @@ attack-objects: tags: [] - attack-object-id: T1136.002 attack-object-name: Domain Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33593,7 +33593,7 @@ attack-objects: tags: [] - attack-object-id: T1136.003 attack-object-name: Cloud Account - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33601,7 +33601,7 @@ attack-objects: tags: [] - attack-object-id: T1176 attack-object-name: Browser Extensions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33609,7 +33609,7 @@ attack-objects: tags: [] - attack-object-id: T1185 attack-object-name: Man in the Browser - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33617,7 +33617,7 @@ attack-objects: tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33625,7 +33625,7 @@ attack-objects: tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33633,7 +33633,7 @@ attack-objects: tags: [] - attack-object-id: T1195.003 attack-object-name: Compromise Hardware Supply Chain - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33641,7 +33641,7 @@ attack-objects: tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33649,7 +33649,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33657,7 +33657,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33665,7 +33665,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33673,7 +33673,7 @@ attack-objects: tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33681,7 +33681,7 @@ attack-objects: tags: [] - attack-object-id: T1211 attack-object-name: Exploitation for Defense Evasion - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33689,7 +33689,7 @@ attack-objects: tags: [] - attack-object-id: T1212 attack-object-name: Exploitation for Credential Access - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33697,7 +33697,7 @@ attack-objects: tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33705,7 +33705,7 @@ attack-objects: tags: [] - attack-object-id: T1213.001 attack-object-name: Confluence - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33713,7 +33713,7 @@ attack-objects: tags: [] - attack-object-id: T1213.002 attack-object-name: Sharepoint - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33721,7 +33721,7 @@ attack-objects: tags: [] - attack-object-id: T1216 attack-object-name: Signed Script Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33729,7 +33729,7 @@ attack-objects: tags: [] - attack-object-id: T1216.001 attack-object-name: PubPrn - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33737,7 +33737,7 @@ attack-objects: tags: [] - attack-object-id: T1218 attack-object-name: Signed Binary Proxy Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33745,7 +33745,7 @@ attack-objects: tags: [] - attack-object-id: T1218.001 attack-object-name: Compiled HTML File - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33753,7 +33753,7 @@ attack-objects: tags: [] - attack-object-id: T1218.002 attack-object-name: Control Panel - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33761,7 +33761,7 @@ attack-objects: tags: [] - attack-object-id: T1218.003 attack-object-name: CMSTP - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33769,7 +33769,7 @@ attack-objects: tags: [] - attack-object-id: T1218.004 attack-object-name: InstallUtil - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33777,7 +33777,7 @@ attack-objects: tags: [] - attack-object-id: T1218.005 attack-object-name: Mshta - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33785,7 +33785,7 @@ attack-objects: tags: [] - attack-object-id: T1218.008 attack-object-name: Odbcconf - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33793,7 +33793,7 @@ attack-objects: tags: [] - attack-object-id: T1218.009 attack-object-name: Regsvcs/Regasm - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33801,7 +33801,7 @@ attack-objects: tags: [] - attack-object-id: T1218.010 attack-object-name: Regsvr32 - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33809,7 +33809,7 @@ attack-objects: tags: [] - attack-object-id: T1218.011 attack-object-name: Rundll32 - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33817,7 +33817,7 @@ attack-objects: tags: [] - attack-object-id: T1218.012 attack-object-name: Verclsid - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33825,7 +33825,7 @@ attack-objects: tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33833,7 +33833,7 @@ attack-objects: tags: [] - attack-object-id: T1220 attack-object-name: XSL Script Processing - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33841,7 +33841,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33849,7 +33849,7 @@ attack-objects: tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33857,7 +33857,7 @@ attack-objects: tags: [] - attack-object-id: T1222.001 attack-object-name: Windows File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33865,7 +33865,7 @@ attack-objects: tags: [] - attack-object-id: T1222.002 attack-object-name: Linux and Mac File and Directory Permissions Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33873,7 +33873,7 @@ attack-objects: tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33881,7 +33881,7 @@ attack-objects: tags: [] - attack-object-id: T1486 attack-object-name: Data Encrypted for Impact - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33889,7 +33889,7 @@ attack-objects: tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33897,7 +33897,7 @@ attack-objects: tags: [] - attack-object-id: T1491 attack-object-name: Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33905,7 +33905,7 @@ attack-objects: tags: [] - attack-object-id: T1491.001 attack-object-name: Internal Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33913,7 +33913,7 @@ attack-objects: tags: [] - attack-object-id: T1491.002 attack-object-name: External Defacement - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33921,7 +33921,7 @@ attack-objects: tags: [] - attack-object-id: T1495 attack-object-name: Firmware Corruption - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33929,7 +33929,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33937,7 +33937,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33945,7 +33945,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33953,7 +33953,7 @@ attack-objects: tags: [] - attack-object-id: T1525 attack-object-name: Implant Internal Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33961,7 +33961,7 @@ attack-objects: tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33969,7 +33969,7 @@ attack-objects: tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33977,7 +33977,7 @@ attack-objects: tags: [] - attack-object-id: T1542.001 attack-object-name: System Firmware - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -33985,7 +33985,7 @@ attack-objects: tags: [] - attack-object-id: T1542.003 attack-object-name: Bootkit - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -33993,7 +33993,7 @@ attack-objects: tags: [] - attack-object-id: T1542.004 attack-object-name: ROMMONkit - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34001,7 +34001,7 @@ attack-objects: tags: [] - attack-object-id: T1542.005 attack-object-name: TFTP Boot - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34009,7 +34009,7 @@ attack-objects: tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34017,7 +34017,7 @@ attack-objects: tags: [] - attack-object-id: T1543.002 attack-object-name: Systemd Service - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34025,7 +34025,7 @@ attack-objects: tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34033,7 +34033,7 @@ attack-objects: tags: [] - attack-object-id: T1546.002 attack-object-name: Screensaver - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34041,7 +34041,7 @@ attack-objects: tags: [] - attack-object-id: T1546.004 attack-object-name: Unix Shell Configuration Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34049,7 +34049,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34057,7 +34057,7 @@ attack-objects: tags: [] - attack-object-id: T1546.008 attack-object-name: Accessibility Features - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34065,7 +34065,7 @@ attack-objects: tags: [] - attack-object-id: T1546.009 attack-object-name: AppCert DLLs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34073,7 +34073,7 @@ attack-objects: tags: [] - attack-object-id: T1546.010 attack-object-name: AppInit DLLs - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34081,7 +34081,7 @@ attack-objects: tags: [] - attack-object-id: T1546.013 attack-object-name: PowerShell Profile - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34089,7 +34089,7 @@ attack-objects: tags: [] - attack-object-id: T1547.002 attack-object-name: Authentication Package - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34097,7 +34097,7 @@ attack-objects: tags: [] - attack-object-id: T1547.003 attack-object-name: Time Providers - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34105,7 +34105,7 @@ attack-objects: tags: [] - attack-object-id: T1547.004 attack-object-name: Winlogon Helper DLL - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34113,7 +34113,7 @@ attack-objects: tags: [] - attack-object-id: T1547.005 attack-object-name: Security Support Provider - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34121,7 +34121,7 @@ attack-objects: tags: [] - attack-object-id: T1547.006 attack-object-name: Kernel Modules and Extensions - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34129,7 +34129,7 @@ attack-objects: tags: [] - attack-object-id: T1547.008 attack-object-name: LSASS Driver - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34137,7 +34137,7 @@ attack-objects: tags: [] - attack-object-id: T1547.011 attack-object-name: Plist Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34145,7 +34145,7 @@ attack-objects: tags: [] - attack-object-id: T1547.013 attack-object-name: XDG Autostart Entries - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34153,7 +34153,7 @@ attack-objects: tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34161,7 +34161,7 @@ attack-objects: tags: [] - attack-object-id: T1548.004 attack-object-name: Elevated Execution with Prompt - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34169,7 +34169,7 @@ attack-objects: tags: [] - attack-object-id: T1550.001 attack-object-name: Application Access Token - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34177,7 +34177,7 @@ attack-objects: tags: [] - attack-object-id: T1550.004 attack-object-name: Web Session Cookie - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34185,7 +34185,7 @@ attack-objects: tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34193,7 +34193,7 @@ attack-objects: tags: [] - attack-object-id: T1552.004 attack-object-name: Private Keys - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34201,7 +34201,7 @@ attack-objects: tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34209,7 +34209,7 @@ attack-objects: tags: [] - attack-object-id: T1553.001 attack-object-name: Gatekeeper Bypass - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34217,7 +34217,7 @@ attack-objects: tags: [] - attack-object-id: T1553.003 attack-object-name: SIP and Trust Provider Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34225,7 +34225,7 @@ attack-objects: tags: [] - attack-object-id: T1553.005 attack-object-name: Mark-of-the-Web Bypass - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34233,7 +34233,7 @@ attack-objects: tags: [] - attack-object-id: T1553.006 attack-object-name: Code Signing Policy Modification - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34241,7 +34241,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34249,7 +34249,7 @@ attack-objects: tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34257,7 +34257,7 @@ attack-objects: tags: [] - attack-object-id: T1556.001 attack-object-name: Domain Controller Authentication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34265,7 +34265,7 @@ attack-objects: tags: [] - attack-object-id: T1556.003 attack-object-name: Pluggable Authentication Modules - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34273,7 +34273,7 @@ attack-objects: tags: [] - attack-object-id: T1556.004 attack-object-name: Network Device Authentication - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34281,7 +34281,7 @@ attack-objects: tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34289,7 +34289,7 @@ attack-objects: tags: [] - attack-object-id: T1557.002 attack-object-name: ARP Cache Poisoning - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34297,7 +34297,7 @@ attack-objects: tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34305,7 +34305,7 @@ attack-objects: tags: [] - attack-object-id: T1558.002 attack-object-name: Silver Ticket - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34313,7 +34313,7 @@ attack-objects: tags: [] - attack-object-id: T1558.003 attack-object-name: Kerberoasting - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34321,7 +34321,7 @@ attack-objects: tags: [] - attack-object-id: T1558.004 attack-object-name: AS-REP Roasting - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34329,7 +34329,7 @@ attack-objects: tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34337,7 +34337,7 @@ attack-objects: tags: [] - attack-object-id: T1561.001 attack-object-name: Disk Content Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34345,7 +34345,7 @@ attack-objects: tags: [] - attack-object-id: T1561.002 attack-object-name: Disk Structure Wipe - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34353,7 +34353,7 @@ attack-objects: tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34361,7 +34361,7 @@ attack-objects: tags: [] - attack-object-id: T1562.001 attack-object-name: Disable or Modify Tools - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34369,7 +34369,7 @@ attack-objects: tags: [] - attack-object-id: T1562.002 attack-object-name: Disable Windows Event Logging - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34377,7 +34377,7 @@ attack-objects: tags: [] - attack-object-id: T1562.004 attack-object-name: Disable or Modify System Firewall - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34385,7 +34385,7 @@ attack-objects: tags: [] - attack-object-id: T1562.006 attack-object-name: Indicator Blocking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34393,7 +34393,7 @@ attack-objects: tags: [] - attack-object-id: T1564.003 attack-object-name: Hidden Window - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34401,7 +34401,7 @@ attack-objects: tags: [] - attack-object-id: T1564.004 attack-object-name: NTFS File Attributes - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34409,7 +34409,7 @@ attack-objects: tags: [] - attack-object-id: T1564.006 attack-object-name: Run Virtual Instance - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34417,7 +34417,7 @@ attack-objects: tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34425,7 +34425,7 @@ attack-objects: tags: [] - attack-object-id: T1565.001 attack-object-name: Stored Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34433,7 +34433,7 @@ attack-objects: tags: [] - attack-object-id: T1565.002 attack-object-name: Transmitted Data Manipulation - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34441,7 +34441,7 @@ attack-objects: tags: [] - attack-object-id: T1569 attack-object-name: System Services - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34449,7 +34449,7 @@ attack-objects: tags: [] - attack-object-id: T1569.002 attack-object-name: Service Execution - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34457,7 +34457,7 @@ attack-objects: tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34465,7 +34465,7 @@ attack-objects: tags: [] - attack-object-id: T1574.001 attack-object-name: DLL Search Order Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34473,7 +34473,7 @@ attack-objects: tags: [] - attack-object-id: T1574.004 attack-object-name: Dylib Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34481,7 +34481,7 @@ attack-objects: tags: [] - attack-object-id: T1574.006 attack-object-name: Dynamic Linker Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34489,7 +34489,7 @@ attack-objects: tags: [] - attack-object-id: T1574.007 attack-object-name: Path Interception by PATH Environment Variable - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34497,7 +34497,7 @@ attack-objects: tags: [] - attack-object-id: T1574.008 attack-object-name: Path Interception by Search Order Hijacking - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34505,7 +34505,7 @@ attack-objects: tags: [] - attack-object-id: T1574.009 attack-object-name: Path Interception by Unquoted Path - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34513,7 +34513,7 @@ attack-objects: tags: [] - attack-object-id: T1574.012 attack-object-name: COR_PROFILER - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34521,7 +34521,7 @@ attack-objects: tags: [] - attack-object-id: T1599 attack-object-name: Network Boundary Bridging - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34529,7 +34529,7 @@ attack-objects: tags: [] - attack-object-id: T1599.001 attack-object-name: Network Address Translation Traversal - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34537,7 +34537,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34545,7 +34545,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34553,7 +34553,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34561,7 +34561,7 @@ attack-objects: tags: [] - attack-object-id: T1602 attack-object-name: Data from Configuration Repository - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34569,7 +34569,7 @@ attack-objects: tags: [] - attack-object-id: T1602.001 attack-object-name: SNMP (MIB Dump) - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34577,7 +34577,7 @@ attack-objects: tags: [] - attack-object-id: T1602.002 attack-object-name: Network Device Configuration Dump - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34585,7 +34585,7 @@ attack-objects: tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34593,7 +34593,7 @@ attack-objects: tags: [] - attack-object-id: T1611 attack-object-name: Escape to Host - capability-id: Software, Firmware, and Information Integrity + capability-id: SI-7 comments: '' mapping-description: '' mapping-type: mitigates @@ -34601,7 +34601,7 @@ attack-objects: tags: [] - attack-object-id: T1204 attack-object-name: User Execution - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34609,7 +34609,7 @@ attack-objects: tags: [] - attack-object-id: T1204.001 attack-object-name: Malicious Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34617,7 +34617,7 @@ attack-objects: tags: [] - attack-object-id: T1204.002 attack-object-name: Malicious File - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34625,7 +34625,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34633,7 +34633,7 @@ attack-objects: tags: [] - attack-object-id: T1221 attack-object-name: Template Injection - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34641,7 +34641,7 @@ attack-objects: tags: [] - attack-object-id: T1566 attack-object-name: Phishing - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34649,7 +34649,7 @@ attack-objects: tags: [] - attack-object-id: T1566.001 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34657,7 +34657,7 @@ attack-objects: tags: [] - attack-object-id: T1566.002 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34665,7 +34665,7 @@ attack-objects: tags: [] - attack-object-id: T1566.003 attack-object-name: Spearphishing via Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34673,7 +34673,7 @@ attack-objects: tags: [] - attack-object-id: T1598 attack-object-name: Phishing for Information - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34681,7 +34681,7 @@ attack-objects: tags: [] - attack-object-id: T1598.001 attack-object-name: Spearphishing Service - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34689,7 +34689,7 @@ attack-objects: tags: [] - attack-object-id: T1598.002 attack-object-name: Spearphishing Attachment - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34697,7 +34697,7 @@ attack-objects: tags: [] - attack-object-id: T1598.003 attack-object-name: Spearphishing Link - capability-id: Spam Protection + capability-id: SI-8 comments: '' mapping-description: '' mapping-type: mitigates @@ -34705,7 +34705,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34713,7 +34713,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34721,7 +34721,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34729,7 +34729,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34737,7 +34737,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34745,7 +34745,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34753,7 +34753,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34761,7 +34761,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34769,7 +34769,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34777,7 +34777,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Component Authenticity + capability-id: SR-11 comments: '' mapping-description: '' mapping-type: mitigates @@ -34785,7 +34785,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34793,7 +34793,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34801,7 +34801,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34809,7 +34809,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34817,7 +34817,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34825,7 +34825,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34833,7 +34833,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34841,7 +34841,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34849,7 +34849,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates @@ -34857,7 +34857,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Provenance + capability-id: SR-4 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34865,7 +34865,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34873,7 +34873,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34881,7 +34881,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34889,7 +34889,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34897,7 +34897,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34905,7 +34905,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34913,7 +34913,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34921,7 +34921,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34929,7 +34929,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34937,7 +34937,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Acquisition Strategies, Tools, and Methods + capability-id: SR-5 comments: '' mapping-description: '' mapping-type: mitigates @@ -34945,7 +34945,7 @@ attack-objects: tags: [] - attack-object-id: T1059.002 attack-object-name: AppleScript - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -34953,7 +34953,7 @@ attack-objects: tags: [] - attack-object-id: T1204.003 attack-object-name: Malicious Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -34961,7 +34961,7 @@ attack-objects: tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -34969,7 +34969,7 @@ attack-objects: tags: [] - attack-object-id: T1505.001 attack-object-name: SQL Stored Procedures - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates 
@@ -34977,7 +34977,7 @@ attack-objects: tags: [] - attack-object-id: T1505.002 attack-object-name: Transport Agent - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -34985,7 +34985,7 @@ attack-objects: tags: [] - attack-object-id: T1546.006 attack-object-name: LC_LOAD_DYLIB Addition - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -34993,7 +34993,7 @@ attack-objects: tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -35001,7 +35001,7 @@ attack-objects: tags: [] - attack-object-id: T1601 attack-object-name: Modify System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -35009,7 +35009,7 @@ attack-objects: tags: [] - attack-object-id: T1601.001 attack-object-name: Patch System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates @@ -35017,7 +35017,7 @@ attack-objects: tags: [] - attack-object-id: T1601.002 attack-object-name: Downgrade System Image - capability-id: Supplier Assessments and Reviews + capability-id: SR-6 comments: '' mapping-description: '' mapping-type: mitigates diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_attack_objects.csv new file mode 100644 index 00000000..ff57fe89 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_attack_objects.csv 
@@ -0,0 +1,4379 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1137,Office Application Startup,[],[],,AC-10,mitigates,3 +1,,T1137.002,Office Test,[],[],,AC-10,mitigates,3 +2,,T1528,Steal Application Access Token,[],[],,AC-10,mitigates,3 +3,,T1021.001,Remote Desktop Protocol,[],[],,AC-11,mitigates,3 +4,,T1563.002,RDP Hijacking,[],[],,AC-11,mitigates,3 +5,,T1021.001,Remote Desktop Protocol,[],[],,AC-12,mitigates,3 +6,,T1072,Software Deployment Tools,[],[],,AC-12,mitigates,3 +7,,T1563.002,RDP Hijacking,[],[],,AC-12,mitigates,3 +8,,T1137.002,Office Test,[],[],,AC-14,mitigates,3 +9,,T1003,OS Credential Dumping,[],[],,AC-16,mitigates,3 +10,,T1003.003,NTDS,[],[],,AC-16,mitigates,3 +11,,T1020.001,Traffic Duplication,[],[],,AC-16,mitigates,3 +12,,T1040,Network Sniffing,[],[],,AC-16,mitigates,3 +13,,T1070,Indicator Removal on Host,[],[],,AC-16,mitigates,3 +14,,T1070.001,Clear Windows Event Logs,[],[],,AC-16,mitigates,3 +15,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-16,mitigates,3 +16,,T1114,Email Collection,[],[],,AC-16,mitigates,3 +17,,T1114.001,Local Email Collection,[],[],,AC-16,mitigates,3 +18,,T1114.002,Remote Email Collection,[],[],,AC-16,mitigates,3 +19,,T1114.003,Email Forwarding Rule,[],[],,AC-16,mitigates,3 +20,,T1119,Automated Collection,[],[],,AC-16,mitigates,3 +21,,T1213,Data from Information Repositories,[],[],,AC-16,mitigates,3 +22,,T1213.001,Confluence,[],[],,AC-16,mitigates,3 +23,,T1213.002,Sharepoint,[],[],,AC-16,mitigates,3 +24,,T1222,File and Directory Permissions Modification,[],[],,AC-16,mitigates,3 +25,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-16,mitigates,3 +26,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-16,mitigates,3 +27,,T1530,Data from Cloud Storage Object,[],[],,AC-16,mitigates,3 +28,,T1537,Transfer Data to Cloud Account,[],[],,AC-16,mitigates,3 +29,,T1547.007,Re-opened 
Applications,[],[],,AC-16,mitigates,3 +30,,T1547.011,Plist Modification,[],[],,AC-16,mitigates,3 +31,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-16,mitigates,3 +32,,T1548.003,Sudo and Sudo Caching,[],[],,AC-16,mitigates,3 +33,,T1550.001,Application Access Token,[],[],,AC-16,mitigates,3 +34,,T1552,Unsecured Credentials,[],[],,AC-16,mitigates,3 +35,,T1552.004,Private Keys,[],[],,AC-16,mitigates,3 +36,,T1552.005,Cloud Instance Metadata API,[],[],,AC-16,mitigates,3 +37,,T1557,Man-in-the-Middle,[],[],,AC-16,mitigates,3 +38,,T1557.002,ARP Cache Poisoning,[],[],,AC-16,mitigates,3 +39,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-16,mitigates,3 +40,,T1558.002,Silver Ticket,[],[],,AC-16,mitigates,3 +41,,T1558.003,Kerberoasting,[],[],,AC-16,mitigates,3 +42,,T1558.004,AS-REP Roasting,[],[],,AC-16,mitigates,3 +43,,T1564.004,NTFS File Attributes,[],[],,AC-16,mitigates,3 +44,,T1565,Data Manipulation,[],[],,AC-16,mitigates,3 +45,,T1565.001,Stored Data Manipulation,[],[],,AC-16,mitigates,3 +46,,T1565.002,Transmitted Data Manipulation,[],[],,AC-16,mitigates,3 +47,,T1602,Data from Configuration Repository,[],[],,AC-16,mitigates,3 +48,,T1602.001,SNMP (MIB Dump),[],[],,AC-16,mitigates,3 +49,,T1602.002,Network Device Configuration Dump,[],[],,AC-16,mitigates,3 +50,,T1020.001,Traffic Duplication,[],[],,AC-17,mitigates,3 +51,,T1021,Remote Services,[],[],,AC-17,mitigates,3 +52,,T1021.001,Remote Desktop Protocol,[],[],,AC-17,mitigates,3 +53,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-17,mitigates,3 +54,,T1021.003,Distributed Component Object Model,[],[],,AC-17,mitigates,3 +55,,T1021.004,SSH,[],[],,AC-17,mitigates,3 +56,,T1021.005,VNC,[],[],,AC-17,mitigates,3 +57,,T1021.006,Windows Remote Management,[],[],,AC-17,mitigates,3 +58,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-17,mitigates,3 +59,,T1037.001,Logon Script (Windows),[],[],,AC-17,mitigates,3 +60,,T1040,Network Sniffing,[],[],,AC-17,mitigates,3 +61,,T1047,Windows Management Instrumentation,[],[],,AC-17,mitigates,3 
+62,,T1070,Indicator Removal on Host,[],[],,AC-17,mitigates,3 +63,,T1070.001,Clear Windows Event Logs,[],[],,AC-17,mitigates,3 +64,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-17,mitigates,3 +65,,T1114,Email Collection,[],[],,AC-17,mitigates,3 +66,,T1114.001,Local Email Collection,[],[],,AC-17,mitigates,3 +67,,T1114.002,Remote Email Collection,[],[],,AC-17,mitigates,3 +68,,T1114.003,Email Forwarding Rule,[],[],,AC-17,mitigates,3 +69,,T1119,Automated Collection,[],[],,AC-17,mitigates,3 +70,,T1133,External Remote Services,[],[],,AC-17,mitigates,3 +71,,T1137,Office Application Startup,[],[],,AC-17,mitigates,3 +72,,T1137.002,Office Test,[],[],,AC-17,mitigates,3 +73,,T1213,Data from Information Repositories,[],[],,AC-17,mitigates,3 +74,,T1213.001,Confluence,[],[],,AC-17,mitigates,3 +75,,T1213.002,Sharepoint,[],[],,AC-17,mitigates,3 +76,,T1219,Remote Access Software,[],[],,AC-17,mitigates,3 +77,,T1530,Data from Cloud Storage Object,[],[],,AC-17,mitigates,3 +78,,T1537,Transfer Data to Cloud Account,[],[],,AC-17,mitigates,3 +79,,T1543,Create or Modify System Process,[],[],,AC-17,mitigates,3 +80,,T1543.003,Windows Service,[],[],,AC-17,mitigates,3 +81,,T1547.003,Time Providers,[],[],,AC-17,mitigates,3 +82,,T1547.004,Winlogon Helper DLL,[],[],,AC-17,mitigates,3 +83,,T1547.009,Shortcut Modification,[],[],,AC-17,mitigates,3 +84,,T1547.011,Plist Modification,[],[],,AC-17,mitigates,3 +85,,T1547.012,Print Processors,[],[],,AC-17,mitigates,3 +86,,T1547.013,XDG Autostart Entries,[],[],,AC-17,mitigates,3 +87,,T1550.001,Application Access Token,[],[],,AC-17,mitigates,3 +88,,T1552,Unsecured Credentials,[],[],,AC-17,mitigates,3 +89,,T1552.002,Credentials in Registry,[],[],,AC-17,mitigates,3 +90,,T1552.004,Private Keys,[],[],,AC-17,mitigates,3 +91,,T1552.007,Container API,[],[],,AC-17,mitigates,3 +92,,T1557,Man-in-the-Middle,[],[],,AC-17,mitigates,3 +93,,T1557.002,ARP Cache Poisoning,[],[],,AC-17,mitigates,3 +94,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-17,mitigates,3 
+95,,T1558.002,Silver Ticket,[],[],,AC-17,mitigates,3 +96,,T1558.003,Kerberoasting,[],[],,AC-17,mitigates,3 +97,,T1558.004,AS-REP Roasting,[],[],,AC-17,mitigates,3 +98,,T1563,Remote Service Session Hijacking,[],[],,AC-17,mitigates,3 +99,,T1563.001,SSH Hijacking,[],[],,AC-17,mitigates,3 +100,,T1563.002,RDP Hijacking,[],[],,AC-17,mitigates,3 +101,,T1565,Data Manipulation,[],[],,AC-17,mitigates,3 +102,,T1565.001,Stored Data Manipulation,[],[],,AC-17,mitigates,3 +103,,T1565.002,Transmitted Data Manipulation,[],[],,AC-17,mitigates,3 +104,,T1602,Data from Configuration Repository,[],[],,AC-17,mitigates,3 +105,,T1602.001,SNMP (MIB Dump),[],[],,AC-17,mitigates,3 +106,,T1602.002,Network Device Configuration Dump,[],[],,AC-17,mitigates,3 +107,,T1609,Container Administration Command,[],[],,AC-17,mitigates,3 +108,,T1610,Deploy Container,[],[],,AC-17,mitigates,3 +109,,T1612,Build Image on Host,[],[],,AC-17,mitigates,3 +110,,T1613,Container and Resource Discovery,[],[],,AC-17,mitigates,3 +111,,T1011,Exfiltration Over Other Network Medium,[],[],,AC-18,mitigates,3 +112,,T1011.001,Exfiltration Over Bluetooth,[],[],,AC-18,mitigates,3 +113,,T1020.001,Traffic Duplication,[],[],,AC-18,mitigates,3 +114,,T1040,Network Sniffing,[],[],,AC-18,mitigates,3 +115,,T1070,Indicator Removal on Host,[],[],,AC-18,mitigates,3 +116,,T1070.001,Clear Windows Event Logs,[],[],,AC-18,mitigates,3 +117,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-18,mitigates,3 +118,,T1119,Automated Collection,[],[],,AC-18,mitigates,3 +119,,T1530,Data from Cloud Storage Object,[],[],,AC-18,mitigates,3 +120,,T1552,Unsecured Credentials,[],[],,AC-18,mitigates,3 +121,,T1552.004,Private Keys,[],[],,AC-18,mitigates,3 +122,,T1557,Man-in-the-Middle,[],[],,AC-18,mitigates,3 +123,,T1557.002,ARP Cache Poisoning,[],[],,AC-18,mitigates,3 +124,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-18,mitigates,3 +125,,T1558.002,Silver Ticket,[],[],,AC-18,mitigates,3 +126,,T1558.003,Kerberoasting,[],[],,AC-18,mitigates,3 
+127,,T1558.004,AS-REP Roasting,[],[],,AC-18,mitigates,3 +128,,T1565,Data Manipulation,[],[],,AC-18,mitigates,3 +129,,T1565.001,Stored Data Manipulation,[],[],,AC-18,mitigates,3 +130,,T1565.002,Transmitted Data Manipulation,[],[],,AC-18,mitigates,3 +131,,T1602,Data from Configuration Repository,[],[],,AC-18,mitigates,3 +132,,T1602.001,SNMP (MIB Dump),[],[],,AC-18,mitigates,3 +133,,T1602.002,Network Device Configuration Dump,[],[],,AC-18,mitigates,3 +134,,T1020.001,Traffic Duplication,[],[],,AC-19,mitigates,3 +135,,T1040,Network Sniffing,[],[],,AC-19,mitigates,3 +136,,T1070,Indicator Removal on Host,[],[],,AC-19,mitigates,3 +137,,T1070.001,Clear Windows Event Logs,[],[],,AC-19,mitigates,3 +138,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-19,mitigates,3 +139,,T1114,Email Collection,[],[],,AC-19,mitigates,3 +140,,T1114.001,Local Email Collection,[],[],,AC-19,mitigates,3 +141,,T1114.002,Remote Email Collection,[],[],,AC-19,mitigates,3 +142,,T1114.003,Email Forwarding Rule,[],[],,AC-19,mitigates,3 +143,,T1119,Automated Collection,[],[],,AC-19,mitigates,3 +144,,T1530,Data from Cloud Storage Object,[],[],,AC-19,mitigates,3 +145,,T1550.001,Application Access Token,[],[],,AC-19,mitigates,3 +146,,T1552,Unsecured Credentials,[],[],,AC-19,mitigates,3 +147,,T1552.004,Private Keys,[],[],,AC-19,mitigates,3 +148,,T1557,Man-in-the-Middle,[],[],,AC-19,mitigates,3 +149,,T1557.002,ARP Cache Poisoning,[],[],,AC-19,mitigates,3 +150,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-19,mitigates,3 +151,,T1558.002,Silver Ticket,[],[],,AC-19,mitigates,3 +152,,T1558.003,Kerberoasting,[],[],,AC-19,mitigates,3 +153,,T1558.004,AS-REP Roasting,[],[],,AC-19,mitigates,3 +154,,T1565,Data Manipulation,[],[],,AC-19,mitigates,3 +155,,T1565.001,Stored Data Manipulation,[],[],,AC-19,mitigates,3 +156,,T1565.002,Transmitted Data Manipulation,[],[],,AC-19,mitigates,3 +157,,T1602,Data from Configuration Repository,[],[],,AC-19,mitigates,3 +158,,T1602.001,SNMP (MIB Dump),[],[],,AC-19,mitigates,3 
+159,,T1602.002,Network Device Configuration Dump,[],[],,AC-19,mitigates,3 +160,,T1003,OS Credential Dumping,[],[],,AC-2,mitigates,3 +161,,T1003.001,LSASS Memory,[],[],,AC-2,mitigates,3 +162,,T1003.002,Security Account Manager,[],[],,AC-2,mitigates,3 +163,,T1003.003,NTDS,[],[],,AC-2,mitigates,3 +164,,T1003.004,LSA Secrets,[],[],,AC-2,mitigates,3 +165,,T1003.005,Cached Domain Credentials,[],[],,AC-2,mitigates,3 +166,,T1003.006,DCSync,[],[],,AC-2,mitigates,3 +167,,T1003.007,Proc Filesystem,[],[],,AC-2,mitigates,3 +168,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-2,mitigates,3 +169,,T1021,Remote Services,[],[],,AC-2,mitigates,3 +170,,T1021.001,Remote Desktop Protocol,[],[],,AC-2,mitigates,3 +171,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-2,mitigates,3 +172,,T1021.003,Distributed Component Object Model,[],[],,AC-2,mitigates,3 +173,,T1021.004,SSH,[],[],,AC-2,mitigates,3 +174,,T1021.005,VNC,[],[],,AC-2,mitigates,3 +175,,T1021.006,Windows Remote Management,[],[],,AC-2,mitigates,3 +176,,T1036,Masquerading,[],[],,AC-2,mitigates,3 +177,,T1036.003,Rename System Utilities,[],[],,AC-2,mitigates,3 +178,,T1036.005,Match Legitimate Name or Location,[],[],,AC-2,mitigates,3 +179,,T1047,Windows Management Instrumentation,[],[],,AC-2,mitigates,3 +180,,T1053,Scheduled Task/Job,[],[],,AC-2,mitigates,3 +181,,T1053.001,At (Linux),[],[],,AC-2,mitigates,3 +182,,T1053.002,At (Windows),[],[],,AC-2,mitigates,3 +183,,T1053.003,Cron,[],[],,AC-2,mitigates,3 +184,,T1053.004,Launchd,[],[],,AC-2,mitigates,3 +185,,T1053.005,Scheduled Task,[],[],,AC-2,mitigates,3 +186,,T1053.006,Systemd Timers,[],[],,AC-2,mitigates,3 +187,,T1053.007,Container Orchestration Job,[],[],,AC-2,mitigates,3 +188,,T1055,Process Injection,[],[],,AC-2,mitigates,3 +189,,T1055.008,Ptrace System Calls,[],[],,AC-2,mitigates,3 +190,,T1056.003,Web Portal Capture,[],[],,AC-2,mitigates,3 +191,,T1059,Command and Scripting Interpreter,[],[],,AC-2,mitigates,3 +192,,T1059.001,PowerShell,[],[],,AC-2,mitigates,3 
+193,,T1059.008,Network Device CLI,[],[],,AC-2,mitigates,3 +194,,T1068,Exploitation for Privilege Escalation,[],[],,AC-2,mitigates,3 +195,,T1070,Indicator Removal on Host,[],[],,AC-2,mitigates,3 +196,,T1070.001,Clear Windows Event Logs,[],[],,AC-2,mitigates,3 +197,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-2,mitigates,3 +198,,T1070.003,Clear Command History,[],[],,AC-2,mitigates,3 +199,,T1072,Software Deployment Tools,[],[],,AC-2,mitigates,3 +200,,T1078,Valid Accounts,[],[],,AC-2,mitigates,3 +201,,T1078.001,Default Accounts,[],[],,AC-2,mitigates,3 +202,,T1078.002,Domain Accounts,[],[],,AC-2,mitigates,3 +203,,T1078.003,Local Accounts,[],[],,AC-2,mitigates,3 +204,,T1078.004,Cloud Accounts,[],[],,AC-2,mitigates,3 +205,,T1087.004,Cloud Account,[],[],,AC-2,mitigates,3 +206,,T1098,Account Manipulation,[],[],,AC-2,mitigates,3 +207,,T1098.001,Additional Cloud Credentials,[],[],,AC-2,mitigates,3 +208,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-2,mitigates,3 +209,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-2,mitigates,3 +210,,T1110,Brute Force,[],[],,AC-2,mitigates,3 +211,,T1110.001,Password Guessing,[],[],,AC-2,mitigates,3 +212,,T1110.002,Password Cracking,[],[],,AC-2,mitigates,3 +213,,T1110.003,Password Spraying,[],[],,AC-2,mitigates,3 +214,,T1110.004,Credential Stuffing,[],[],,AC-2,mitigates,3 +215,,T1134,Access Token Manipulation,[],[],,AC-2,mitigates,3 +216,,T1134.001,Token Impersonation/Theft,[],[],,AC-2,mitigates,3 +217,,T1134.002,Create Process with Token,[],[],,AC-2,mitigates,3 +218,,T1134.003,Make and Impersonate Token,[],[],,AC-2,mitigates,3 +219,,T1136,Create Account,[],[],,AC-2,mitigates,3 +220,,T1136.001,Local Account,[],[],,AC-2,mitigates,3 +221,,T1136.002,Domain Account,[],[],,AC-2,mitigates,3 +222,,T1136.003,Cloud Account,[],[],,AC-2,mitigates,3 +223,,T1185,Man in the Browser,[],[],,AC-2,mitigates,3 +224,,T1190,Exploit Public-Facing Application,[],[],,AC-2,mitigates,3 +225,,T1197,BITS Jobs,[],[],,AC-2,mitigates,3 
+226,,T1210,Exploitation of Remote Services,[],[],,AC-2,mitigates,3 +227,,T1212,Exploitation for Credential Access,[],[],,AC-2,mitigates,3 +228,,T1213,Data from Information Repositories,[],[],,AC-2,mitigates,3 +229,,T1213.001,Confluence,[],[],,AC-2,mitigates,3 +230,,T1213.002,Sharepoint,[],[],,AC-2,mitigates,3 +231,,T1218,Signed Binary Proxy Execution,[],[],,AC-2,mitigates,3 +232,,T1218.007,Msiexec,[],[],,AC-2,mitigates,3 +233,,T1222,File and Directory Permissions Modification,[],[],,AC-2,mitigates,3 +234,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-2,mitigates,3 +235,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-2,mitigates,3 +236,,T1484,Domain Policy Modification,[],[],,AC-2,mitigates,3 +237,,T1489,Service Stop,[],[],,AC-2,mitigates,3 +238,,T1495,Firmware Corruption,[],[],,AC-2,mitigates,3 +239,,T1505,Server Software Component,[],[],,AC-2,mitigates,3 +240,,T1505.001,SQL Stored Procedures,[],[],,AC-2,mitigates,3 +241,,T1505.002,Transport Agent,[],[],,AC-2,mitigates,3 +242,,T1525,Implant Internal Image,[],[],,AC-2,mitigates,3 +243,,T1528,Steal Application Access Token,[],[],,AC-2,mitigates,3 +244,,T1530,Data from Cloud Storage Object,[],[],,AC-2,mitigates,3 +245,,T1537,Transfer Data to Cloud Account,[],[],,AC-2,mitigates,3 +246,,T1538,Cloud Service Dashboard,[],[],,AC-2,mitigates,3 +247,,T1542,Pre-OS Boot,[],[],,AC-2,mitigates,3 +248,,T1542.001,System Firmware,[],[],,AC-2,mitigates,3 +249,,T1542.003,Bootkit,[],[],,AC-2,mitigates,3 +250,,T1542.005,TFTP Boot,[],[],,AC-2,mitigates,3 +251,,T1543,Create or Modify System Process,[],[],,AC-2,mitigates,3 +252,,T1543.001,Launch Agent,[],[],,AC-2,mitigates,3 +253,,T1543.002,Systemd Service,[],[],,AC-2,mitigates,3 +254,,T1543.003,Windows Service,[],[],,AC-2,mitigates,3 +255,,T1543.004,Launch Daemon,[],[],,AC-2,mitigates,3 +256,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-2,mitigates,3 +257,,T1547.004,Winlogon Helper 
DLL,[],[],,AC-2,mitigates,3 +258,,T1547.006,Kernel Modules and Extensions,[],[],,AC-2,mitigates,3 +259,,T1547.009,Shortcut Modification,[],[],,AC-2,mitigates,3 +260,,T1547.012,Print Processors,[],[],,AC-2,mitigates,3 +261,,T1547.013,XDG Autostart Entries,[],[],,AC-2,mitigates,3 +262,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-2,mitigates,3 +263,,T1548.002,Bypass User Account Control,[],[],,AC-2,mitigates,3 +264,,T1548.003,Sudo and Sudo Caching,[],[],,AC-2,mitigates,3 +265,,T1550,Use Alternate Authentication Material,[],[],,AC-2,mitigates,3 +266,,T1550.002,Pass the Hash,[],[],,AC-2,mitigates,3 +267,,T1550.003,Pass the Ticket,[],[],,AC-2,mitigates,3 +268,,T1552,Unsecured Credentials,[],[],,AC-2,mitigates,3 +269,,T1552.001,Credentials In Files,[],[],,AC-2,mitigates,3 +270,,T1552.002,Credentials in Registry,[],[],,AC-2,mitigates,3 +271,,T1552.004,Private Keys,[],[],,AC-2,mitigates,3 +272,,T1552.006,Group Policy Preferences,[],[],,AC-2,mitigates,3 +273,,T1552.007,Container API,[],[],,AC-2,mitigates,3 +274,,T1556,Modify Authentication Process,[],[],,AC-2,mitigates,3 +275,,T1556.001,Domain Controller Authentication,[],[],,AC-2,mitigates,3 +276,,T1556.003,Pluggable Authentication Modules,[],[],,AC-2,mitigates,3 +277,,T1556.004,Network Device Authentication,[],[],,AC-2,mitigates,3 +278,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-2,mitigates,3 +279,,T1558.001,Golden Ticket,[],[],,AC-2,mitigates,3 +280,,T1558.002,Silver Ticket,[],[],,AC-2,mitigates,3 +281,,T1558.003,Kerberoasting,[],[],,AC-2,mitigates,3 +282,,T1558.004,AS-REP Roasting,[],[],,AC-2,mitigates,3 +283,,T1559,Inter-Process Communication,[],[],,AC-2,mitigates,3 +284,,T1559.001,Component Object Model,[],[],,AC-2,mitigates,3 +285,,T1562,Impair Defenses,[],[],,AC-2,mitigates,3 +286,,T1562.001,Disable or Modify Tools,[],[],,AC-2,mitigates,3 +287,,T1562.002,Disable Windows Event Logging,[],[],,AC-2,mitigates,3 +288,,T1562.004,Disable or Modify System Firewall,[],[],,AC-2,mitigates,3 +289,,T1562.006,Indicator 
Blocking,[],[],,AC-2,mitigates,3 +290,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-2,mitigates,3 +291,,T1562.008,Disable Cloud Logs,[],[],,AC-2,mitigates,3 +292,,T1563,Remote Service Session Hijacking,[],[],,AC-2,mitigates,3 +293,,T1563.001,SSH Hijacking,[],[],,AC-2,mitigates,3 +294,,T1563.002,RDP Hijacking,[],[],,AC-2,mitigates,3 +295,,T1569,System Services,[],[],,AC-2,mitigates,3 +296,,T1569.001,Launchctl,[],[],,AC-2,mitigates,3 +297,,T1569.002,Service Execution,[],[],,AC-2,mitigates,3 +298,,T1574,Hijack Execution Flow,[],[],,AC-2,mitigates,3 +299,,T1574.004,Dylib Hijacking,[],[],,AC-2,mitigates,3 +300,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-2,mitigates,3 +301,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-2,mitigates,3 +302,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-2,mitigates,3 +303,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-2,mitigates,3 +304,,T1574.010,Services File Permissions Weakness,[],[],,AC-2,mitigates,3 +305,,T1574.012,COR_PROFILER,[],[],,AC-2,mitigates,3 +306,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-2,mitigates,3 +307,,T1578.001,Create Snapshot,[],[],,AC-2,mitigates,3 +308,,T1578.002,Create Cloud Instance,[],[],,AC-2,mitigates,3 +309,,T1578.003,Delete Cloud Instance,[],[],,AC-2,mitigates,3 +310,,T1580,Cloud Infrastructure Discovery,[],[],,AC-2,mitigates,3 +311,,T1599,Network Boundary Bridging,[],[],,AC-2,mitigates,3 +312,,T1599.001,Network Address Translation Traversal,[],[],,AC-2,mitigates,3 +313,,T1601,Modify System Image,[],[],,AC-2,mitigates,3 +314,,T1601.001,Patch System Image,[],[],,AC-2,mitigates,3 +315,,T1601.002,Downgrade System Image,[],[],,AC-2,mitigates,3 +316,,T1609,Container Administration Command,[],[],,AC-2,mitigates,3 +317,,T1610,Deploy Container,[],[],,AC-2,mitigates,3 +318,,T1611,Escape to Host,[],[],,AC-2,mitigates,3 +319,,T1612,Build Image on Host,[],[],,AC-2,mitigates,3 +320,,T1613,Container and Resource 
Discovery,[],[],,AC-2,mitigates,3 +321,,T1020.001,Traffic Duplication,[],[],,AC-20,mitigates,3 +322,,T1021,Remote Services,[],[],,AC-20,mitigates,3 +323,,T1021.001,Remote Desktop Protocol,[],[],,AC-20,mitigates,3 +324,,T1021.004,SSH,[],[],,AC-20,mitigates,3 +325,,T1072,Software Deployment Tools,[],[],,AC-20,mitigates,3 +326,,T1078.002,Domain Accounts,[],[],,AC-20,mitigates,3 +327,,T1078.004,Cloud Accounts,[],[],,AC-20,mitigates,3 +328,,T1098.001,Additional Cloud Credentials,[],[],,AC-20,mitigates,3 +329,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-20,mitigates,3 +330,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-20,mitigates,3 +331,,T1110,Brute Force,[],[],,AC-20,mitigates,3 +332,,T1110.001,Password Guessing,[],[],,AC-20,mitigates,3 +333,,T1110.002,Password Cracking,[],[],,AC-20,mitigates,3 +334,,T1110.003,Password Spraying,[],[],,AC-20,mitigates,3 +335,,T1110.004,Credential Stuffing,[],[],,AC-20,mitigates,3 +336,,T1114,Email Collection,[],[],,AC-20,mitigates,3 +337,,T1114.001,Local Email Collection,[],[],,AC-20,mitigates,3 +338,,T1114.002,Remote Email Collection,[],[],,AC-20,mitigates,3 +339,,T1114.003,Email Forwarding Rule,[],[],,AC-20,mitigates,3 +340,,T1119,Automated Collection,[],[],,AC-20,mitigates,3 +341,,T1133,External Remote Services,[],[],,AC-20,mitigates,3 +342,,T1134.005,SID-History Injection,[],[],,AC-20,mitigates,3 +343,,T1136,Create Account,[],[],,AC-20,mitigates,3 +344,,T1136.001,Local Account,[],[],,AC-20,mitigates,3 +345,,T1136.002,Domain Account,[],[],,AC-20,mitigates,3 +346,,T1136.003,Cloud Account,[],[],,AC-20,mitigates,3 +347,,T1200,Hardware Additions,[],[],,AC-20,mitigates,3 +348,,T1530,Data from Cloud Storage Object,[],[],,AC-20,mitigates,3 +349,,T1537,Transfer Data to Cloud Account,[],[],,AC-20,mitigates,3 +350,,T1539,Steal Web Session Cookie,[],[],,AC-20,mitigates,3 +351,,T1550.001,Application Access Token,[],[],,AC-20,mitigates,3 +352,,T1552,Unsecured Credentials,[],[],,AC-20,mitigates,3 +353,,T1552.004,Private 
Keys,[],[],,AC-20,mitigates,3 +354,,T1552.005,Cloud Instance Metadata API,[],[],,AC-20,mitigates,3 +355,,T1556,Modify Authentication Process,[],[],,AC-20,mitigates,3 +356,,T1556.001,Domain Controller Authentication,[],[],,AC-20,mitigates,3 +357,,T1556.003,Pluggable Authentication Modules,[],[],,AC-20,mitigates,3 +358,,T1556.004,Network Device Authentication,[],[],,AC-20,mitigates,3 +359,,T1557,Man-in-the-Middle,[],[],,AC-20,mitigates,3 +360,,T1557.002,ARP Cache Poisoning,[],[],,AC-20,mitigates,3 +361,,T1565,Data Manipulation,[],[],,AC-20,mitigates,3 +362,,T1565.001,Stored Data Manipulation,[],[],,AC-20,mitigates,3 +363,,T1565.002,Transmitted Data Manipulation,[],[],,AC-20,mitigates,3 +364,,T1567,Exfiltration Over Web Service,[],[],,AC-20,mitigates,3 +365,,T1567.001,Exfiltration to Code Repository,[],[],,AC-20,mitigates,3 +366,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-20,mitigates,3 +367,,T1602,Data from Configuration Repository,[],[],,AC-20,mitigates,3 +368,,T1602.001,SNMP (MIB Dump),[],[],,AC-20,mitigates,3 +369,,T1602.002,Network Device Configuration Dump,[],[],,AC-20,mitigates,3 +370,,T1213,Data from Information Repositories,[],[],,AC-21,mitigates,3 +371,,T1213.001,Confluence,[],[],,AC-21,mitigates,3 +372,,T1213.002,Sharepoint,[],[],,AC-21,mitigates,3 +373,,T1133,External Remote Services,[],[],,AC-23,mitigates,3 +374,,T1213,Data from Information Repositories,[],[],,AC-23,mitigates,3 +375,,T1213.001,Confluence,[],[],,AC-23,mitigates,3 +376,,T1213.002,Sharepoint,[],[],,AC-23,mitigates,3 +377,,T1552.007,Container API,[],[],,AC-23,mitigates,3 +378,,T1003,OS Credential Dumping,[],[],,AC-3,mitigates,3 +379,,T1003.001,LSASS Memory,[],[],,AC-3,mitigates,3 +380,,T1003.002,Security Account Manager,[],[],,AC-3,mitigates,3 +381,,T1003.003,NTDS,[],[],,AC-3,mitigates,3 +382,,T1003.004,LSA Secrets,[],[],,AC-3,mitigates,3 +383,,T1003.005,Cached Domain Credentials,[],[],,AC-3,mitigates,3 +384,,T1003.006,DCSync,[],[],,AC-3,mitigates,3 +385,,T1003.007,Proc 
Filesystem,[],[],,AC-3,mitigates,3 +386,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-3,mitigates,3 +387,,T1021,Remote Services,[],[],,AC-3,mitigates,3 +388,,T1021.001,Remote Desktop Protocol,[],[],,AC-3,mitigates,3 +389,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-3,mitigates,3 +390,,T1021.003,Distributed Component Object Model,[],[],,AC-3,mitigates,3 +391,,T1021.004,SSH,[],[],,AC-3,mitigates,3 +392,,T1021.005,VNC,[],[],,AC-3,mitigates,3 +393,,T1021.006,Windows Remote Management,[],[],,AC-3,mitigates,3 +394,,T1036,Masquerading,[],[],,AC-3,mitigates,3 +395,,T1036.003,Rename System Utilities,[],[],,AC-3,mitigates,3 +396,,T1036.005,Match Legitimate Name or Location,[],[],,AC-3,mitigates,3 +397,,T1037,Boot or Logon Initialization Scripts,[],[],,AC-3,mitigates,3 +398,,T1037.002,Logon Script (Mac),[],[],,AC-3,mitigates,3 +399,,T1037.003,Network Logon Script,[],[],,AC-3,mitigates,3 +400,,T1037.004,RC Scripts,[],[],,AC-3,mitigates,3 +401,,T1037.005,Startup Items,[],[],,AC-3,mitigates,3 +402,,T1047,Windows Management Instrumentation,[],[],,AC-3,mitigates,3 +403,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-3,mitigates,3 +404,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,3 +405,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-3,mitigates,3 +406,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-3,mitigates,3 +407,,T1052,Exfiltration Over Physical Medium,[],[],,AC-3,mitigates,3 +408,,T1052.001,Exfiltration over USB,[],[],,AC-3,mitigates,3 +409,,T1053,Scheduled Task/Job,[],[],,AC-3,mitigates,3 +410,,T1053.001,At (Linux),[],[],,AC-3,mitigates,3 +411,,T1053.002,At (Windows),[],[],,AC-3,mitigates,3 +412,,T1053.003,Cron,[],[],,AC-3,mitigates,3 +413,,T1053.004,Launchd,[],[],,AC-3,mitigates,3 +414,,T1053.005,Scheduled Task,[],[],,AC-3,mitigates,3 +415,,T1053.006,Systemd Timers,[],[],,AC-3,mitigates,3 +416,,T1053.007,Container Orchestration Job,[],[],,AC-3,mitigates,3 
+417,,T1055,Process Injection,[],[],,AC-3,mitigates,3 +418,,T1055.008,Ptrace System Calls,[],[],,AC-3,mitigates,3 +419,,T1055.009,Proc Memory,[],[],,AC-3,mitigates,3 +420,,T1056.003,Web Portal Capture,[],[],,AC-3,mitigates,3 +421,,T1059,Command and Scripting Interpreter,[],[],,AC-3,mitigates,3 +422,,T1059.001,PowerShell,[],[],,AC-3,mitigates,3 +423,,T1059.008,Network Device CLI,[],[],,AC-3,mitigates,3 +424,,T1070,Indicator Removal on Host,[],[],,AC-3,mitigates,3 +425,,T1070.001,Clear Windows Event Logs,[],[],,AC-3,mitigates,3 +426,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-3,mitigates,3 +427,,T1070.003,Clear Command History,[],[],,AC-3,mitigates,3 +428,,T1071.004,DNS,[],[],,AC-3,mitigates,3 +429,,T1072,Software Deployment Tools,[],[],,AC-3,mitigates,3 +430,,T1078,Valid Accounts,[],[],,AC-3,mitigates,3 +431,,T1078.002,Domain Accounts,[],[],,AC-3,mitigates,3 +432,,T1078.003,Local Accounts,[],[],,AC-3,mitigates,3 +433,,T1078.004,Cloud Accounts,[],[],,AC-3,mitigates,3 +434,,T1080,Taint Shared Content,[],[],,AC-3,mitigates,3 +435,,T1087.004,Cloud Account,[],[],,AC-3,mitigates,3 +436,,T1090,Proxy,[],[],,AC-3,mitigates,3 +437,,T1090.003,Multi-hop Proxy,[],[],,AC-3,mitigates,3 +438,,T1091,Replication Through Removable Media,[],[],,AC-3,mitigates,3 +439,,T1095,Non-Application Layer Protocol,[],[],,AC-3,mitigates,3 +440,,T1098,Account Manipulation,[],[],,AC-3,mitigates,3 +441,,T1098.001,Additional Cloud Credentials,[],[],,AC-3,mitigates,3 +442,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-3,mitigates,3 +443,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-3,mitigates,3 +444,,T1098.004,SSH Authorized Keys,[],[],,AC-3,mitigates,3 +445,,T1110,Brute Force,[],[],,AC-3,mitigates,3 +446,,T1110.001,Password Guessing,[],[],,AC-3,mitigates,3 +447,,T1110.002,Password Cracking,[],[],,AC-3,mitigates,3 +448,,T1110.003,Password Spraying,[],[],,AC-3,mitigates,3 +449,,T1110.004,Credential Stuffing,[],[],,AC-3,mitigates,3 +450,,T1114,Email 
Collection,[],[],,AC-3,mitigates,3 +451,,T1114.002,Remote Email Collection,[],[],,AC-3,mitigates,3 +452,,T1133,External Remote Services,[],[],,AC-3,mitigates,3 +453,,T1134,Access Token Manipulation,[],[],,AC-3,mitigates,3 +454,,T1134.001,Token Impersonation/Theft,[],[],,AC-3,mitigates,3 +455,,T1134.002,Create Process with Token,[],[],,AC-3,mitigates,3 +456,,T1134.003,Make and Impersonate Token,[],[],,AC-3,mitigates,3 +457,,T1134.005,SID-History Injection,[],[],,AC-3,mitigates,3 +458,,T1136,Create Account,[],[],,AC-3,mitigates,3 +459,,T1136.001,Local Account,[],[],,AC-3,mitigates,3 +460,,T1136.002,Domain Account,[],[],,AC-3,mitigates,3 +461,,T1136.003,Cloud Account,[],[],,AC-3,mitigates,3 +462,,T1185,Man in the Browser,[],[],,AC-3,mitigates,3 +463,,T1187,Forced Authentication,[],[],,AC-3,mitigates,3 +464,,T1190,Exploit Public-Facing Application,[],[],,AC-3,mitigates,3 +465,,T1197,BITS Jobs,[],[],,AC-3,mitigates,3 +466,,T1199,Trusted Relationship,[],[],,AC-3,mitigates,3 +467,,T1200,Hardware Additions,[],[],,AC-3,mitigates,3 +468,,T1205,Traffic Signaling,[],[],,AC-3,mitigates,3 +469,,T1205.001,Port Knocking,[],[],,AC-3,mitigates,3 +470,,T1210,Exploitation of Remote Services,[],[],,AC-3,mitigates,3 +471,,T1213,Data from Information Repositories,[],[],,AC-3,mitigates,3 +472,,T1213.001,Confluence,[],[],,AC-3,mitigates,3 +473,,T1213.002,Sharepoint,[],[],,AC-3,mitigates,3 +474,,T1218,Signed Binary Proxy Execution,[],[],,AC-3,mitigates,3 +475,,T1218.002,Control Panel,[],[],,AC-3,mitigates,3 +476,,T1218.007,Msiexec,[],[],,AC-3,mitigates,3 +477,,T1218.012,Verclsid,[],[],,AC-3,mitigates,3 +478,,T1219,Remote Access Software,[],[],,AC-3,mitigates,3 +479,,T1222,File and Directory Permissions Modification,[],[],,AC-3,mitigates,3 +480,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-3,mitigates,3 +481,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-3,mitigates,3 +482,,T1484,Domain Policy Modification,[],[],,AC-3,mitigates,3 
+483,,T1485,Data Destruction,[],[],,AC-3,mitigates,3 +484,,T1486,Data Encrypted for Impact,[],[],,AC-3,mitigates,3 +485,,T1489,Service Stop,[],[],,AC-3,mitigates,3 +486,,T1490,Inhibit System Recovery,[],[],,AC-3,mitigates,3 +487,,T1491,Defacement,[],[],,AC-3,mitigates,3 +488,,T1491.001,Internal Defacement,[],[],,AC-3,mitigates,3 +489,,T1491.002,External Defacement,[],[],,AC-3,mitigates,3 +490,,T1495,Firmware Corruption,[],[],,AC-3,mitigates,3 +491,,T1498,Network Denial of Service,[],[],,AC-3,mitigates,3 +492,,T1498.001,Direct Network Flood,[],[],,AC-3,mitigates,3 +493,,T1498.002,Reflection Amplification,[],[],,AC-3,mitigates,3 +494,,T1499,Endpoint Denial of Service,[],[],,AC-3,mitigates,3 +495,,T1499.001,OS Exhaustion Flood,[],[],,AC-3,mitigates,3 +496,,T1499.002,Service Exhaustion Flood,[],[],,AC-3,mitigates,3 +497,,T1499.003,Application Exhaustion Flood,[],[],,AC-3,mitigates,3 +498,,T1499.004,Application or System Exploitation,[],[],,AC-3,mitigates,3 +499,,T1505,Server Software Component,[],[],,AC-3,mitigates,3 +500,,T1505.001,SQL Stored Procedures,[],[],,AC-3,mitigates,3 +501,,T1505.002,Transport Agent,[],[],,AC-3,mitigates,3 +502,,T1525,Implant Internal Image,[],[],,AC-3,mitigates,3 +503,,T1528,Steal Application Access Token,[],[],,AC-3,mitigates,3 +504,,T1530,Data from Cloud Storage Object,[],[],,AC-3,mitigates,3 +505,,T1537,Transfer Data to Cloud Account,[],[],,AC-3,mitigates,3 +506,,T1538,Cloud Service Dashboard,[],[],,AC-3,mitigates,3 +507,,T1539,Steal Web Session Cookie,[],[],,AC-3,mitigates,3 +508,,T1542,Pre-OS Boot,[],[],,AC-3,mitigates,3 +509,,T1542.001,System Firmware,[],[],,AC-3,mitigates,3 +510,,T1542.003,Bootkit,[],[],,AC-3,mitigates,3 +511,,T1542.004,ROMMONkit,[],[],,AC-3,mitigates,3 +512,,T1542.005,TFTP Boot,[],[],,AC-3,mitigates,3 +513,,T1543,Create or Modify System Process,[],[],,AC-3,mitigates,3 +514,,T1543.001,Launch Agent,[],[],,AC-3,mitigates,3 +515,,T1543.002,Systemd Service,[],[],,AC-3,mitigates,3 +516,,T1543.003,Windows 
Service,[],[],,AC-3,mitigates,3 +517,,T1543.004,Launch Daemon,[],[],,AC-3,mitigates,3 +518,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-3,mitigates,3 +519,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-3,mitigates,3 +520,,T1546.013,PowerShell Profile,[],[],,AC-3,mitigates,3 +521,,T1547.003,Time Providers,[],[],,AC-3,mitigates,3 +522,,T1547.004,Winlogon Helper DLL,[],[],,AC-3,mitigates,3 +523,,T1547.006,Kernel Modules and Extensions,[],[],,AC-3,mitigates,3 +524,,T1547.007,Re-opened Applications,[],[],,AC-3,mitigates,3 +525,,T1547.009,Shortcut Modification,[],[],,AC-3,mitigates,3 +526,,T1547.011,Plist Modification,[],[],,AC-3,mitigates,3 +527,,T1547.012,Print Processors,[],[],,AC-3,mitigates,3 +528,,T1547.013,XDG Autostart Entries,[],[],,AC-3,mitigates,3 +529,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-3,mitigates,3 +530,,T1548.002,Bypass User Account Control,[],[],,AC-3,mitigates,3 +531,,T1548.003,Sudo and Sudo Caching,[],[],,AC-3,mitigates,3 +532,,T1550,Use Alternate Authentication Material,[],[],,AC-3,mitigates,3 +533,,T1550.002,Pass the Hash,[],[],,AC-3,mitigates,3 +534,,T1550.003,Pass the Ticket,[],[],,AC-3,mitigates,3 +535,,T1552,Unsecured Credentials,[],[],,AC-3,mitigates,3 +536,,T1552.002,Credentials in Registry,[],[],,AC-3,mitigates,3 +537,,T1552.005,Cloud Instance Metadata API,[],[],,AC-3,mitigates,3 +538,,T1552.007,Container API,[],[],,AC-3,mitigates,3 +539,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-3,mitigates,3 +540,,T1556,Modify Authentication Process,[],[],,AC-3,mitigates,3 +541,,T1556.001,Domain Controller Authentication,[],[],,AC-3,mitigates,3 +542,,T1556.003,Pluggable Authentication Modules,[],[],,AC-3,mitigates,3 +543,,T1556.004,Network Device Authentication,[],[],,AC-3,mitigates,3 +544,,T1557,Man-in-the-Middle,[],[],,AC-3,mitigates,3 +545,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-3,mitigates,3 +546,,T1557.002,ARP Cache Poisoning,[],[],,AC-3,mitigates,3 +547,,T1558,Steal or 
Forge Kerberos Tickets,[],[],,AC-3,mitigates,3 +548,,T1558.001,Golden Ticket,[],[],,AC-3,mitigates,3 +549,,T1558.002,Silver Ticket,[],[],,AC-3,mitigates,3 +550,,T1558.003,Kerberoasting,[],[],,AC-3,mitigates,3 +551,,T1558.004,AS-REP Roasting,[],[],,AC-3,mitigates,3 +552,,T1559,Inter-Process Communication,[],[],,AC-3,mitigates,3 +553,,T1559.001,Component Object Model,[],[],,AC-3,mitigates,3 +554,,T1561,Disk Wipe,[],[],,AC-3,mitigates,3 +555,,T1561.001,Disk Content Wipe,[],[],,AC-3,mitigates,3 +556,,T1561.002,Disk Structure Wipe,[],[],,AC-3,mitigates,3 +557,,T1562,Impair Defenses,[],[],,AC-3,mitigates,3 +558,,T1562.001,Disable or Modify Tools,[],[],,AC-3,mitigates,3 +559,,T1562.002,Disable Windows Event Logging,[],[],,AC-3,mitigates,3 +560,,T1562.004,Disable or Modify System Firewall,[],[],,AC-3,mitigates,3 +561,,T1562.006,Indicator Blocking,[],[],,AC-3,mitigates,3 +562,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-3,mitigates,3 +563,,T1562.008,Disable Cloud Logs,[],[],,AC-3,mitigates,3 +564,,T1563,Remote Service Session Hijacking,[],[],,AC-3,mitigates,3 +565,,T1563.001,SSH Hijacking,[],[],,AC-3,mitigates,3 +566,,T1563.002,RDP Hijacking,[],[],,AC-3,mitigates,3 +567,,T1564.004,NTFS File Attributes,[],[],,AC-3,mitigates,3 +568,,T1565,Data Manipulation,[],[],,AC-3,mitigates,3 +569,,T1565.001,Stored Data Manipulation,[],[],,AC-3,mitigates,3 +570,,T1565.003,Runtime Data Manipulation,[],[],,AC-3,mitigates,3 +571,,T1569,System Services,[],[],,AC-3,mitigates,3 +572,,T1569.001,Launchctl,[],[],,AC-3,mitigates,3 +573,,T1569.002,Service Execution,[],[],,AC-3,mitigates,3 +574,,T1570,Lateral Tool Transfer,[],[],,AC-3,mitigates,3 +575,,T1572,Protocol Tunneling,[],[],,AC-3,mitigates,3 +576,,T1574,Hijack Execution Flow,[],[],,AC-3,mitigates,3 +577,,T1574.004,Dylib Hijacking,[],[],,AC-3,mitigates,3 +578,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-3,mitigates,3 +579,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-3,mitigates,3 
+580,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-3,mitigates,3 +581,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-3,mitigates,3 +582,,T1574.010,Services File Permissions Weakness,[],[],,AC-3,mitigates,3 +583,,T1574.012,COR_PROFILER,[],[],,AC-3,mitigates,3 +584,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-3,mitigates,3 +585,,T1578.001,Create Snapshot,[],[],,AC-3,mitigates,3 +586,,T1578.002,Create Cloud Instance,[],[],,AC-3,mitigates,3 +587,,T1578.003,Delete Cloud Instance,[],[],,AC-3,mitigates,3 +588,,T1580,Cloud Infrastructure Discovery,[],[],,AC-3,mitigates,3 +589,,T1599,Network Boundary Bridging,[],[],,AC-3,mitigates,3 +590,,T1599.001,Network Address Translation Traversal,[],[],,AC-3,mitigates,3 +591,,T1601,Modify System Image,[],[],,AC-3,mitigates,3 +592,,T1601.001,Patch System Image,[],[],,AC-3,mitigates,3 +593,,T1601.002,Downgrade System Image,[],[],,AC-3,mitigates,3 +594,,T1602,Data from Configuration Repository,[],[],,AC-3,mitigates,3 +595,,T1602.001,SNMP (MIB Dump),[],[],,AC-3,mitigates,3 +596,,T1602.002,Network Device Configuration Dump,[],[],,AC-3,mitigates,3 +597,,T1609,Container Administration Command,[],[],,AC-3,mitigates,3 +598,,T1610,Deploy Container,[],[],,AC-3,mitigates,3 +599,,T1611,Escape to Host,[],[],,AC-3,mitigates,3 +600,,T1612,Build Image on Host,[],[],,AC-3,mitigates,3 +601,,T1613,Container and Resource Discovery,[],[],,AC-3,mitigates,3 +602,,T1001,Data Obfuscation,[],[],,AC-4,mitigates,3 +603,,T1001.001,Junk Data,[],[],,AC-4,mitigates,3 +604,,T1001.002,Steganography,[],[],,AC-4,mitigates,3 +605,,T1001.003,Protocol Impersonation,[],[],,AC-4,mitigates,3 +606,,T1003,OS Credential Dumping,[],[],,AC-4,mitigates,3 +607,,T1003.001,LSASS Memory,[],[],,AC-4,mitigates,3 +608,,T1003.005,Cached Domain Credentials,[],[],,AC-4,mitigates,3 +609,,T1003.006,DCSync,[],[],,AC-4,mitigates,3 +610,,T1008,Fallback Channels,[],[],,AC-4,mitigates,3 +611,,T1021.001,Remote Desktop Protocol,[],[],,AC-4,mitigates,3 
+612,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-4,mitigates,3 +613,,T1021.003,Distributed Component Object Model,[],[],,AC-4,mitigates,3 +614,,T1021.005,VNC,[],[],,AC-4,mitigates,3 +615,,T1021.006,Windows Remote Management,[],[],,AC-4,mitigates,3 +616,,T1029,Scheduled Transfer,[],[],,AC-4,mitigates,3 +617,,T1030,Data Transfer Size Limits,[],[],,AC-4,mitigates,3 +618,,T1041,Exfiltration Over C2 Channel,[],[],,AC-4,mitigates,3 +619,,T1046,Network Service Scanning,[],[],,AC-4,mitigates,3 +620,,T1048,Exfiltration Over Alternative Protocol,[],[],,AC-4,mitigates,3 +621,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,3 +622,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AC-4,mitigates,3 +623,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AC-4,mitigates,3 +624,,T1068,Exploitation for Privilege Escalation,[],[],,AC-4,mitigates,3 +625,,T1071,Application Layer Protocol,[],[],,AC-4,mitigates,3 +626,,T1071.001,Web Protocols,[],[],,AC-4,mitigates,3 +627,,T1071.002,File Transfer Protocols,[],[],,AC-4,mitigates,3 +628,,T1071.003,Mail Protocols,[],[],,AC-4,mitigates,3 +629,,T1071.004,DNS,[],[],,AC-4,mitigates,3 +630,,T1072,Software Deployment Tools,[],[],,AC-4,mitigates,3 +631,,T1090,Proxy,[],[],,AC-4,mitigates,3 +632,,T1090.001,Internal Proxy,[],[],,AC-4,mitigates,3 +633,,T1090.002,External Proxy,[],[],,AC-4,mitigates,3 +634,,T1090.003,Multi-hop Proxy,[],[],,AC-4,mitigates,3 +635,,T1095,Non-Application Layer Protocol,[],[],,AC-4,mitigates,3 +636,,T1098,Account Manipulation,[],[],,AC-4,mitigates,3 +637,,T1098.001,Additional Cloud Credentials,[],[],,AC-4,mitigates,3 +638,,T1102,Web Service,[],[],,AC-4,mitigates,3 +639,,T1102.001,Dead Drop Resolver,[],[],,AC-4,mitigates,3 +640,,T1102.002,Bidirectional Communication,[],[],,AC-4,mitigates,3 +641,,T1102.003,One-Way Communication,[],[],,AC-4,mitigates,3 +642,,T1104,Multi-Stage Channels,[],[],,AC-4,mitigates,3 +643,,T1105,Ingress Tool 
Transfer,[],[],,AC-4,mitigates,3 +644,,T1114,Email Collection,[],[],,AC-4,mitigates,3 +645,,T1114.001,Local Email Collection,[],[],,AC-4,mitigates,3 +646,,T1114.002,Remote Email Collection,[],[],,AC-4,mitigates,3 +647,,T1114.003,Email Forwarding Rule,[],[],,AC-4,mitigates,3 +648,,T1132,Data Encoding,[],[],,AC-4,mitigates,3 +649,,T1132.001,Standard Encoding,[],[],,AC-4,mitigates,3 +650,,T1132.002,Non-Standard Encoding,[],[],,AC-4,mitigates,3 +651,,T1133,External Remote Services,[],[],,AC-4,mitigates,3 +652,,T1134.005,SID-History Injection,[],[],,AC-4,mitigates,3 +653,,T1136,Create Account,[],[],,AC-4,mitigates,3 +654,,T1136.002,Domain Account,[],[],,AC-4,mitigates,3 +655,,T1136.003,Cloud Account,[],[],,AC-4,mitigates,3 +656,,T1187,Forced Authentication,[],[],,AC-4,mitigates,3 +657,,T1189,Drive-by Compromise,[],[],,AC-4,mitigates,3 +658,,T1190,Exploit Public-Facing Application,[],[],,AC-4,mitigates,3 +659,,T1197,BITS Jobs,[],[],,AC-4,mitigates,3 +660,,T1199,Trusted Relationship,[],[],,AC-4,mitigates,3 +661,,T1203,Exploitation for Client Execution,[],[],,AC-4,mitigates,3 +662,,T1204,User Execution,[],[],,AC-4,mitigates,3 +663,,T1204.001,Malicious Link,[],[],,AC-4,mitigates,3 +664,,T1204.002,Malicious File,[],[],,AC-4,mitigates,3 +665,,T1204.003,Malicious Image,[],[],,AC-4,mitigates,3 +666,,T1205,Traffic Signaling,[],[],,AC-4,mitigates,3 +667,,T1205.001,Port Knocking,[],[],,AC-4,mitigates,3 +668,,T1210,Exploitation of Remote Services,[],[],,AC-4,mitigates,3 +669,,T1211,Exploitation for Defense Evasion,[],[],,AC-4,mitigates,3 +670,,T1212,Exploitation for Credential Access,[],[],,AC-4,mitigates,3 +671,,T1213,Data from Information Repositories,[],[],,AC-4,mitigates,3 +672,,T1213.001,Confluence,[],[],,AC-4,mitigates,3 +673,,T1213.002,Sharepoint,[],[],,AC-4,mitigates,3 +674,,T1218.012,Verclsid,[],[],,AC-4,mitigates,3 +675,,T1219,Remote Access Software,[],[],,AC-4,mitigates,3 +676,,T1482,Domain Trust Discovery,[],[],,AC-4,mitigates,3 +677,,T1484,Domain Policy 
Modification,[],[],,AC-4,mitigates,3 +678,,T1489,Service Stop,[],[],,AC-4,mitigates,3 +679,,T1498,Network Denial of Service,[],[],,AC-4,mitigates,3 +680,,T1498.001,Direct Network Flood,[],[],,AC-4,mitigates,3 +681,,T1498.002,Reflection Amplification,[],[],,AC-4,mitigates,3 +682,,T1499,Endpoint Denial of Service,[],[],,AC-4,mitigates,3 +683,,T1499.001,OS Exhaustion Flood,[],[],,AC-4,mitigates,3 +684,,T1499.002,Service Exhaustion Flood,[],[],,AC-4,mitigates,3 +685,,T1499.003,Application Exhaustion Flood,[],[],,AC-4,mitigates,3 +686,,T1499.004,Application or System Exploitation,[],[],,AC-4,mitigates,3 +687,,T1528,Steal Application Access Token,[],[],,AC-4,mitigates,3 +688,,T1530,Data from Cloud Storage Object,[],[],,AC-4,mitigates,3 +689,,T1537,Transfer Data to Cloud Account,[],[],,AC-4,mitigates,3 +690,,T1547.003,Time Providers,[],[],,AC-4,mitigates,3 +691,,T1552,Unsecured Credentials,[],[],,AC-4,mitigates,3 +692,,T1552.001,Credentials In Files,[],[],,AC-4,mitigates,3 +693,,T1552.005,Cloud Instance Metadata API,[],[],,AC-4,mitigates,3 +694,,T1552.007,Container API,[],[],,AC-4,mitigates,3 +695,,T1557,Man-in-the-Middle,[],[],,AC-4,mitigates,3 +696,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,AC-4,mitigates,3 +697,,T1557.002,ARP Cache Poisoning,[],[],,AC-4,mitigates,3 +698,,T1559,Inter-Process Communication,[],[],,AC-4,mitigates,3 +699,,T1559.001,Component Object Model,[],[],,AC-4,mitigates,3 +700,,T1559.002,Dynamic Data Exchange,[],[],,AC-4,mitigates,3 +701,,T1563,Remote Service Session Hijacking,[],[],,AC-4,mitigates,3 +702,,T1563.002,RDP Hijacking,[],[],,AC-4,mitigates,3 +703,,T1565,Data Manipulation,[],[],,AC-4,mitigates,3 +704,,T1565.003,Runtime Data Manipulation,[],[],,AC-4,mitigates,3 +705,,T1566,Phishing,[],[],,AC-4,mitigates,3 +706,,T1566.001,Spearphishing Attachment,[],[],,AC-4,mitigates,3 +707,,T1566.002,Spearphishing Link,[],[],,AC-4,mitigates,3 +708,,T1566.003,Spearphishing via Service,[],[],,AC-4,mitigates,3 +709,,T1567,Exfiltration Over Web 
Service,[],[],,AC-4,mitigates,3 +710,,T1567.001,Exfiltration to Code Repository,[],[],,AC-4,mitigates,3 +711,,T1567.002,Exfiltration to Cloud Storage,[],[],,AC-4,mitigates,3 +712,,T1568,Dynamic Resolution,[],[],,AC-4,mitigates,3 +713,,T1568.002,Domain Generation Algorithms,[],[],,AC-4,mitigates,3 +714,,T1570,Lateral Tool Transfer,[],[],,AC-4,mitigates,3 +715,,T1571,Non-Standard Port,[],[],,AC-4,mitigates,3 +716,,T1572,Protocol Tunneling,[],[],,AC-4,mitigates,3 +717,,T1573,Encrypted Channel,[],[],,AC-4,mitigates,3 +718,,T1573.001,Symmetric Cryptography,[],[],,AC-4,mitigates,3 +719,,T1573.002,Asymmetric Cryptography,[],[],,AC-4,mitigates,3 +720,,T1574,Hijack Execution Flow,[],[],,AC-4,mitigates,3 +721,,T1574.004,Dylib Hijacking,[],[],,AC-4,mitigates,3 +722,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-4,mitigates,3 +723,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-4,mitigates,3 +724,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-4,mitigates,3 +725,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-4,mitigates,3 +726,,T1574.010,Services File Permissions Weakness,[],[],,AC-4,mitigates,3 +727,,T1598,Phishing for Information,[],[],,AC-4,mitigates,3 +728,,T1598.001,Spearphishing Service,[],[],,AC-4,mitigates,3 +729,,T1598.002,Spearphishing Attachment,[],[],,AC-4,mitigates,3 +730,,T1598.003,Spearphishing Link,[],[],,AC-4,mitigates,3 +731,,T1599,Network Boundary Bridging,[],[],,AC-4,mitigates,3 +732,,T1599.001,Network Address Translation Traversal,[],[],,AC-4,mitigates,3 +733,,T1601,Modify System Image,[],[],,AC-4,mitigates,3 +734,,T1601.001,Patch System Image,[],[],,AC-4,mitigates,3 +735,,T1601.002,Downgrade System Image,[],[],,AC-4,mitigates,3 +736,,T1602,Data from Configuration Repository,[],[],,AC-4,mitigates,3 +737,,T1602.001,SNMP (MIB Dump),[],[],,AC-4,mitigates,3 +738,,T1602.002,Network Device Configuration Dump,[],[],,AC-4,mitigates,3 +739,,T1611,Escape to Host,[],[],,AC-4,mitigates,3 +740,,T1003,OS 
Credential Dumping,[],[],,AC-5,mitigates,3 +741,,T1003.001,LSASS Memory,[],[],,AC-5,mitigates,3 +742,,T1003.002,Security Account Manager,[],[],,AC-5,mitigates,3 +743,,T1003.003,NTDS,[],[],,AC-5,mitigates,3 +744,,T1003.004,LSA Secrets,[],[],,AC-5,mitigates,3 +745,,T1003.005,Cached Domain Credentials,[],[],,AC-5,mitigates,3 +746,,T1003.006,DCSync,[],[],,AC-5,mitigates,3 +747,,T1003.007,Proc Filesystem,[],[],,AC-5,mitigates,3 +748,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-5,mitigates,3 +749,,T1021,Remote Services,[],[],,AC-5,mitigates,3 +750,,T1021.001,Remote Desktop Protocol,[],[],,AC-5,mitigates,3 +751,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-5,mitigates,3 +752,,T1021.003,Distributed Component Object Model,[],[],,AC-5,mitigates,3 +753,,T1021.004,SSH,[],[],,AC-5,mitigates,3 +754,,T1021.006,Windows Remote Management,[],[],,AC-5,mitigates,3 +755,,T1047,Windows Management Instrumentation,[],[],,AC-5,mitigates,3 +756,,T1053,Scheduled Task/Job,[],[],,AC-5,mitigates,3 +757,,T1053.001,At (Linux),[],[],,AC-5,mitigates,3 +758,,T1053.002,At (Windows),[],[],,AC-5,mitigates,3 +759,,T1053.003,Cron,[],[],,AC-5,mitigates,3 +760,,T1053.004,Launchd,[],[],,AC-5,mitigates,3 +761,,T1053.005,Scheduled Task,[],[],,AC-5,mitigates,3 +762,,T1053.006,Systemd Timers,[],[],,AC-5,mitigates,3 +763,,T1053.007,Container Orchestration Job,[],[],,AC-5,mitigates,3 +764,,T1055,Process Injection,[],[],,AC-5,mitigates,3 +765,,T1055.008,Ptrace System Calls,[],[],,AC-5,mitigates,3 +766,,T1056.003,Web Portal Capture,[],[],,AC-5,mitigates,3 +767,,T1059,Command and Scripting Interpreter,[],[],,AC-5,mitigates,3 +768,,T1059.001,PowerShell,[],[],,AC-5,mitigates,3 +769,,T1059.008,Network Device CLI,[],[],,AC-5,mitigates,3 +770,,T1070,Indicator Removal on Host,[],[],,AC-5,mitigates,3 +771,,T1070.001,Clear Windows Event Logs,[],[],,AC-5,mitigates,3 +772,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-5,mitigates,3 +773,,T1070.003,Clear Command History,[],[],,AC-5,mitigates,3 +774,,T1072,Software 
Deployment Tools,[],[],,AC-5,mitigates,3 +775,,T1078,Valid Accounts,[],[],,AC-5,mitigates,3 +776,,T1078.001,Default Accounts,[],[],,AC-5,mitigates,3 +777,,T1078.002,Domain Accounts,[],[],,AC-5,mitigates,3 +778,,T1078.003,Local Accounts,[],[],,AC-5,mitigates,3 +779,,T1078.004,Cloud Accounts,[],[],,AC-5,mitigates,3 +780,,T1087.004,Cloud Account,[],[],,AC-5,mitigates,3 +781,,T1098,Account Manipulation,[],[],,AC-5,mitigates,3 +782,,T1098.001,Additional Cloud Credentials,[],[],,AC-5,mitigates,3 +783,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-5,mitigates,3 +784,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-5,mitigates,3 +785,,T1110,Brute Force,[],[],,AC-5,mitigates,3 +786,,T1110.001,Password Guessing,[],[],,AC-5,mitigates,3 +787,,T1110.002,Password Cracking,[],[],,AC-5,mitigates,3 +788,,T1110.003,Password Spraying,[],[],,AC-5,mitigates,3 +789,,T1110.004,Credential Stuffing,[],[],,AC-5,mitigates,3 +790,,T1134,Access Token Manipulation,[],[],,AC-5,mitigates,3 +791,,T1134.001,Token Impersonation/Theft,[],[],,AC-5,mitigates,3 +792,,T1134.002,Create Process with Token,[],[],,AC-5,mitigates,3 +793,,T1134.003,Make and Impersonate Token,[],[],,AC-5,mitigates,3 +794,,T1134.005,SID-History Injection,[],[],,AC-5,mitigates,3 +795,,T1136,Create Account,[],[],,AC-5,mitigates,3 +796,,T1136.001,Local Account,[],[],,AC-5,mitigates,3 +797,,T1136.002,Domain Account,[],[],,AC-5,mitigates,3 +798,,T1136.003,Cloud Account,[],[],,AC-5,mitigates,3 +799,,T1185,Man in the Browser,[],[],,AC-5,mitigates,3 +800,,T1190,Exploit Public-Facing Application,[],[],,AC-5,mitigates,3 +801,,T1197,BITS Jobs,[],[],,AC-5,mitigates,3 +802,,T1210,Exploitation of Remote Services,[],[],,AC-5,mitigates,3 +803,,T1213,Data from Information Repositories,[],[],,AC-5,mitigates,3 +804,,T1213.001,Confluence,[],[],,AC-5,mitigates,3 +805,,T1213.002,Sharepoint,[],[],,AC-5,mitigates,3 +806,,T1218,Signed Binary Proxy Execution,[],[],,AC-5,mitigates,3 +807,,T1218.007,Msiexec,[],[],,AC-5,mitigates,3 
+808,,T1222,File and Directory Permissions Modification,[],[],,AC-5,mitigates,3 +809,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-5,mitigates,3 +810,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-5,mitigates,3 +811,,T1484,Domain Policy Modification,[],[],,AC-5,mitigates,3 +812,,T1489,Service Stop,[],[],,AC-5,mitigates,3 +813,,T1495,Firmware Corruption,[],[],,AC-5,mitigates,3 +814,,T1505,Server Software Component,[],[],,AC-5,mitigates,3 +815,,T1505.001,SQL Stored Procedures,[],[],,AC-5,mitigates,3 +816,,T1505.002,Transport Agent,[],[],,AC-5,mitigates,3 +817,,T1525,Implant Internal Image,[],[],,AC-5,mitigates,3 +818,,T1528,Steal Application Access Token,[],[],,AC-5,mitigates,3 +819,,T1530,Data from Cloud Storage Object,[],[],,AC-5,mitigates,3 +820,,T1537,Transfer Data to Cloud Account,[],[],,AC-5,mitigates,3 +821,,T1538,Cloud Service Dashboard,[],[],,AC-5,mitigates,3 +822,,T1542,Pre-OS Boot,[],[],,AC-5,mitigates,3 +823,,T1542.001,System Firmware,[],[],,AC-5,mitigates,3 +824,,T1542.003,Bootkit,[],[],,AC-5,mitigates,3 +825,,T1542.005,TFTP Boot,[],[],,AC-5,mitigates,3 +826,,T1543,Create or Modify System Process,[],[],,AC-5,mitigates,3 +827,,T1543.001,Launch Agent,[],[],,AC-5,mitigates,3 +828,,T1543.002,Systemd Service,[],[],,AC-5,mitigates,3 +829,,T1543.003,Windows Service,[],[],,AC-5,mitigates,3 +830,,T1543.004,Launch Daemon,[],[],,AC-5,mitigates,3 +831,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-5,mitigates,3 +832,,T1547.004,Winlogon Helper DLL,[],[],,AC-5,mitigates,3 +833,,T1547.006,Kernel Modules and Extensions,[],[],,AC-5,mitigates,3 +834,,T1547.009,Shortcut Modification,[],[],,AC-5,mitigates,3 +835,,T1547.012,Print Processors,[],[],,AC-5,mitigates,3 +836,,T1547.013,XDG Autostart Entries,[],[],,AC-5,mitigates,3 +837,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-5,mitigates,3 +838,,T1548.002,Bypass User Account Control,[],[],,AC-5,mitigates,3 +839,,T1548.003,Sudo and Sudo 
Caching,[],[],,AC-5,mitigates,3 +840,,T1550,Use Alternate Authentication Material,[],[],,AC-5,mitigates,3 +841,,T1550.002,Pass the Hash,[],[],,AC-5,mitigates,3 +842,,T1550.003,Pass the Ticket,[],[],,AC-5,mitigates,3 +843,,T1552,Unsecured Credentials,[],[],,AC-5,mitigates,3 +844,,T1552.001,Credentials In Files,[],[],,AC-5,mitigates,3 +845,,T1552.002,Credentials in Registry,[],[],,AC-5,mitigates,3 +846,,T1552.006,Group Policy Preferences,[],[],,AC-5,mitigates,3 +847,,T1552.007,Container API,[],[],,AC-5,mitigates,3 +848,,T1556,Modify Authentication Process,[],[],,AC-5,mitigates,3 +849,,T1556.001,Domain Controller Authentication,[],[],,AC-5,mitigates,3 +850,,T1556.003,Pluggable Authentication Modules,[],[],,AC-5,mitigates,3 +851,,T1556.004,Network Device Authentication,[],[],,AC-5,mitigates,3 +852,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-5,mitigates,3 +853,,T1558.001,Golden Ticket,[],[],,AC-5,mitigates,3 +854,,T1558.002,Silver Ticket,[],[],,AC-5,mitigates,3 +855,,T1558.003,Kerberoasting,[],[],,AC-5,mitigates,3 +856,,T1559,Inter-Process Communication,[],[],,AC-5,mitigates,3 +857,,T1559.001,Component Object Model,[],[],,AC-5,mitigates,3 +858,,T1562,Impair Defenses,[],[],,AC-5,mitigates,3 +859,,T1562.001,Disable or Modify Tools,[],[],,AC-5,mitigates,3 +860,,T1562.002,Disable Windows Event Logging,[],[],,AC-5,mitigates,3 +861,,T1562.004,Disable or Modify System Firewall,[],[],,AC-5,mitigates,3 +862,,T1562.006,Indicator Blocking,[],[],,AC-5,mitigates,3 +863,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-5,mitigates,3 +864,,T1562.008,Disable Cloud Logs,[],[],,AC-5,mitigates,3 +865,,T1563,Remote Service Session Hijacking,[],[],,AC-5,mitigates,3 +866,,T1563.001,SSH Hijacking,[],[],,AC-5,mitigates,3 +867,,T1563.002,RDP Hijacking,[],[],,AC-5,mitigates,3 +868,,T1569,System Services,[],[],,AC-5,mitigates,3 +869,,T1569.001,Launchctl,[],[],,AC-5,mitigates,3 +870,,T1569.002,Service Execution,[],[],,AC-5,mitigates,3 +871,,T1574,Hijack Execution 
Flow,[],[],,AC-5,mitigates,3 +872,,T1574.004,Dylib Hijacking,[],[],,AC-5,mitigates,3 +873,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-5,mitigates,3 +874,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-5,mitigates,3 +875,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-5,mitigates,3 +876,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-5,mitigates,3 +877,,T1574.010,Services File Permissions Weakness,[],[],,AC-5,mitigates,3 +878,,T1574.012,COR_PROFILER,[],[],,AC-5,mitigates,3 +879,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-5,mitigates,3 +880,,T1578.001,Create Snapshot,[],[],,AC-5,mitigates,3 +881,,T1578.002,Create Cloud Instance,[],[],,AC-5,mitigates,3 +882,,T1578.003,Delete Cloud Instance,[],[],,AC-5,mitigates,3 +883,,T1580,Cloud Infrastructure Discovery,[],[],,AC-5,mitigates,3 +884,,T1599,Network Boundary Bridging,[],[],,AC-5,mitigates,3 +885,,T1599.001,Network Address Translation Traversal,[],[],,AC-5,mitigates,3 +886,,T1601,Modify System Image,[],[],,AC-5,mitigates,3 +887,,T1601.001,Patch System Image,[],[],,AC-5,mitigates,3 +888,,T1601.002,Downgrade System Image,[],[],,AC-5,mitigates,3 +889,,T1611,Escape to Host,[],[],,AC-5,mitigates,3 +890,,T1003,OS Credential Dumping,[],[],,AC-6,mitigates,3 +891,,T1003.001,LSASS Memory,[],[],,AC-6,mitigates,3 +892,,T1003.002,Security Account Manager,[],[],,AC-6,mitigates,3 +893,,T1003.003,NTDS,[],[],,AC-6,mitigates,3 +894,,T1003.004,LSA Secrets,[],[],,AC-6,mitigates,3 +895,,T1003.005,Cached Domain Credentials,[],[],,AC-6,mitigates,3 +896,,T1003.006,DCSync,[],[],,AC-6,mitigates,3 +897,,T1003.007,Proc Filesystem,[],[],,AC-6,mitigates,3 +898,,T1003.008,/etc/passwd and /etc/shadow,[],[],,AC-6,mitigates,3 +899,,T1021,Remote Services,[],[],,AC-6,mitigates,3 +900,,T1021.001,Remote Desktop Protocol,[],[],,AC-6,mitigates,3 +901,,T1021.002,SMB/Windows Admin Shares,[],[],,AC-6,mitigates,3 +902,,T1021.003,Distributed Component Object Model,[],[],,AC-6,mitigates,3 
+903,,T1021.004,SSH,[],[],,AC-6,mitigates,3 +904,,T1021.005,VNC,[],[],,AC-6,mitigates,3 +905,,T1021.006,Windows Remote Management,[],[],,AC-6,mitigates,3 +906,,T1036,Masquerading,[],[],,AC-6,mitigates,3 +907,,T1036.003,Rename System Utilities,[],[],,AC-6,mitigates,3 +908,,T1036.005,Match Legitimate Name or Location,[],[],,AC-6,mitigates,3 +909,,T1047,Windows Management Instrumentation,[],[],,AC-6,mitigates,3 +910,,T1052,Exfiltration Over Physical Medium,[],[],,AC-6,mitigates,3 +911,,T1052.001,Exfiltration over USB,[],[],,AC-6,mitigates,3 +912,,T1053,Scheduled Task/Job,[],[],,AC-6,mitigates,3 +913,,T1053.001,At (Linux),[],[],,AC-6,mitigates,3 +914,,T1053.002,At (Windows),[],[],,AC-6,mitigates,3 +915,,T1053.003,Cron,[],[],,AC-6,mitigates,3 +916,,T1053.004,Launchd,[],[],,AC-6,mitigates,3 +917,,T1053.005,Scheduled Task,[],[],,AC-6,mitigates,3 +918,,T1053.006,Systemd Timers,[],[],,AC-6,mitigates,3 +919,,T1053.007,Container Orchestration Job,[],[],,AC-6,mitigates,3 +920,,T1055,Process Injection,[],[],,AC-6,mitigates,3 +921,,T1055.001,Dynamic-link Library Injection,[],[],,AC-6,mitigates,3 +922,,T1055.002,Portable Executable Injection,[],[],,AC-6,mitigates,3 +923,,T1055.003,Thread Execution Hijacking,[],[],,AC-6,mitigates,3 +924,,T1055.004,Asynchronous Procedure Call,[],[],,AC-6,mitigates,3 +925,,T1055.005,Thread Local Storage,[],[],,AC-6,mitigates,3 +926,,T1055.008,Ptrace System Calls,[],[],,AC-6,mitigates,3 +927,,T1055.009,Proc Memory,[],[],,AC-6,mitigates,3 +928,,T1055.011,Extra Window Memory Injection,[],[],,AC-6,mitigates,3 +929,,T1055.012,Process Hollowing,[],[],,AC-6,mitigates,3 +930,,T1055.013,Process Doppelgänging,[],[],,AC-6,mitigates,3 +931,,T1055.014,VDSO Hijacking,[],[],,AC-6,mitigates,3 +932,,T1056.003,Web Portal Capture,[],[],,AC-6,mitigates,3 +933,,T1059,Command and Scripting Interpreter,[],[],,AC-6,mitigates,3 +934,,T1059.001,PowerShell,[],[],,AC-6,mitigates,3 +935,,T1059.006,Python,[],[],,AC-6,mitigates,3 +936,,T1059.008,Network Device 
CLI,[],[],,AC-6,mitigates,3 +937,,T1068,Exploitation for Privilege Escalation,[],[],,AC-6,mitigates,3 +938,,T1070,Indicator Removal on Host,[],[],,AC-6,mitigates,3 +939,,T1070.001,Clear Windows Event Logs,[],[],,AC-6,mitigates,3 +940,,T1070.002,Clear Linux or Mac System Logs,[],[],,AC-6,mitigates,3 +941,,T1070.003,Clear Command History,[],[],,AC-6,mitigates,3 +942,,T1072,Software Deployment Tools,[],[],,AC-6,mitigates,3 +943,,T1078,Valid Accounts,[],[],,AC-6,mitigates,3 +944,,T1078.001,Default Accounts,[],[],,AC-6,mitigates,3 +945,,T1078.002,Domain Accounts,[],[],,AC-6,mitigates,3 +946,,T1078.003,Local Accounts,[],[],,AC-6,mitigates,3 +947,,T1078.004,Cloud Accounts,[],[],,AC-6,mitigates,3 +948,,T1087.004,Cloud Account,[],[],,AC-6,mitigates,3 +949,,T1091,Replication Through Removable Media,[],[],,AC-6,mitigates,3 +950,,T1098,Account Manipulation,[],[],,AC-6,mitigates,3 +951,,T1098.001,Additional Cloud Credentials,[],[],,AC-6,mitigates,3 +952,,T1098.002,Exchange Email Delegate Permissions,[],[],,AC-6,mitigates,3 +953,,T1098.003,Add Office 365 Global Administrator Role,[],[],,AC-6,mitigates,3 +954,,T1110,Brute Force,[],[],,AC-6,mitigates,3 +955,,T1110.001,Password Guessing,[],[],,AC-6,mitigates,3 +956,,T1110.002,Password Cracking,[],[],,AC-6,mitigates,3 +957,,T1110.003,Password Spraying,[],[],,AC-6,mitigates,3 +958,,T1110.004,Credential Stuffing,[],[],,AC-6,mitigates,3 +959,,T1112,Modify Registry,[],[],,AC-6,mitigates,3 +960,,T1133,External Remote Services,[],[],,AC-6,mitigates,3 +961,,T1134,Access Token Manipulation,[],[],,AC-6,mitigates,3 +962,,T1134.001,Token Impersonation/Theft,[],[],,AC-6,mitigates,3 +963,,T1134.002,Create Process with Token,[],[],,AC-6,mitigates,3 +964,,T1134.003,Make and Impersonate Token,[],[],,AC-6,mitigates,3 +965,,T1134.005,SID-History Injection,[],[],,AC-6,mitigates,3 +966,,T1136,Create Account,[],[],,AC-6,mitigates,3 +967,,T1136.001,Local Account,[],[],,AC-6,mitigates,3 +968,,T1136.002,Domain Account,[],[],,AC-6,mitigates,3 
+969,,T1136.003,Cloud Account,[],[],,AC-6,mitigates,3 +970,,T1137.002,Office Test,[],[],,AC-6,mitigates,3 +971,,T1176,Browser Extensions,[],[],,AC-6,mitigates,3 +972,,T1185,Man in the Browser,[],[],,AC-6,mitigates,3 +973,,T1189,Drive-by Compromise,[],[],,AC-6,mitigates,3 +974,,T1190,Exploit Public-Facing Application,[],[],,AC-6,mitigates,3 +975,,T1197,BITS Jobs,[],[],,AC-6,mitigates,3 +976,,T1199,Trusted Relationship,[],[],,AC-6,mitigates,3 +977,,T1200,Hardware Additions,[],[],,AC-6,mitigates,3 +978,,T1203,Exploitation for Client Execution,[],[],,AC-6,mitigates,3 +979,,T1210,Exploitation of Remote Services,[],[],,AC-6,mitigates,3 +980,,T1211,Exploitation for Defense Evasion,[],[],,AC-6,mitigates,3 +981,,T1212,Exploitation for Credential Access,[],[],,AC-6,mitigates,3 +982,,T1213,Data from Information Repositories,[],[],,AC-6,mitigates,3 +983,,T1213.001,Confluence,[],[],,AC-6,mitigates,3 +984,,T1213.002,Sharepoint,[],[],,AC-6,mitigates,3 +985,,T1218,Signed Binary Proxy Execution,[],[],,AC-6,mitigates,3 +986,,T1218.007,Msiexec,[],[],,AC-6,mitigates,3 +987,,T1222,File and Directory Permissions Modification,[],[],,AC-6,mitigates,3 +988,,T1222.001,Windows File and Directory Permissions Modification,[],[],,AC-6,mitigates,3 +989,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,AC-6,mitigates,3 +990,,T1484,Domain Policy Modification,[],[],,AC-6,mitigates,3 +991,,T1485,Data Destruction,[],[],,AC-6,mitigates,3 +992,,T1486,Data Encrypted for Impact,[],[],,AC-6,mitigates,3 +993,,T1489,Service Stop,[],[],,AC-6,mitigates,3 +994,,T1490,Inhibit System Recovery,[],[],,AC-6,mitigates,3 +995,,T1491,Defacement,[],[],,AC-6,mitigates,3 +996,,T1491.001,Internal Defacement,[],[],,AC-6,mitigates,3 +997,,T1491.002,External Defacement,[],[],,AC-6,mitigates,3 +998,,T1495,Firmware Corruption,[],[],,AC-6,mitigates,3 +999,,T1505,Server Software Component,[],[],,AC-6,mitigates,3 +1000,,T1505.001,SQL Stored Procedures,[],[],,AC-6,mitigates,3 +1001,,T1505.002,Transport 
Agent,[],[],,AC-6,mitigates,3 +1002,,T1525,Implant Internal Image,[],[],,AC-6,mitigates,3 +1003,,T1528,Steal Application Access Token,[],[],,AC-6,mitigates,3 +1004,,T1530,Data from Cloud Storage Object,[],[],,AC-6,mitigates,3 +1005,,T1537,Transfer Data to Cloud Account,[],[],,AC-6,mitigates,3 +1006,,T1538,Cloud Service Dashboard,[],[],,AC-6,mitigates,3 +1007,,T1539,Steal Web Session Cookie,[],[],,AC-6,mitigates,3 +1008,,T1542,Pre-OS Boot,[],[],,AC-6,mitigates,3 +1009,,T1542.001,System Firmware,[],[],,AC-6,mitigates,3 +1010,,T1542.003,Bootkit,[],[],,AC-6,mitigates,3 +1011,,T1542.004,ROMMONkit,[],[],,AC-6,mitigates,3 +1012,,T1542.005,TFTP Boot,[],[],,AC-6,mitigates,3 +1013,,T1543,Create or Modify System Process,[],[],,AC-6,mitigates,3 +1014,,T1543.001,Launch Agent,[],[],,AC-6,mitigates,3 +1015,,T1543.002,Systemd Service,[],[],,AC-6,mitigates,3 +1016,,T1543.003,Windows Service,[],[],,AC-6,mitigates,3 +1017,,T1543.004,Launch Daemon,[],[],,AC-6,mitigates,3 +1018,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,AC-6,mitigates,3 +1019,,T1546.004,Unix Shell Configuration Modification,[],[],,AC-6,mitigates,3 +1020,,T1546.011,Application Shimming,[],[],,AC-6,mitigates,3 +1021,,T1546.013,PowerShell Profile,[],[],,AC-6,mitigates,3 +1022,,T1547.003,Time Providers,[],[],,AC-6,mitigates,3 +1023,,T1547.004,Winlogon Helper DLL,[],[],,AC-6,mitigates,3 +1024,,T1547.006,Kernel Modules and Extensions,[],[],,AC-6,mitigates,3 +1025,,T1547.009,Shortcut Modification,[],[],,AC-6,mitigates,3 +1026,,T1547.011,Plist Modification,[],[],,AC-6,mitigates,3 +1027,,T1547.012,Print Processors,[],[],,AC-6,mitigates,3 +1028,,T1547.013,XDG Autostart Entries,[],[],,AC-6,mitigates,3 +1029,,T1548,Abuse Elevation Control Mechanism,[],[],,AC-6,mitigates,3 +1030,,T1548.002,Bypass User Account Control,[],[],,AC-6,mitigates,3 +1031,,T1548.003,Sudo and Sudo Caching,[],[],,AC-6,mitigates,3 +1032,,T1550,Use Alternate Authentication Material,[],[],,AC-6,mitigates,3 +1033,,T1550.002,Pass the 
Hash,[],[],,AC-6,mitigates,3 +1034,,T1550.003,Pass the Ticket,[],[],,AC-6,mitigates,3 +1035,,T1552,Unsecured Credentials,[],[],,AC-6,mitigates,3 +1036,,T1552.001,Credentials In Files,[],[],,AC-6,mitigates,3 +1037,,T1552.002,Credentials in Registry,[],[],,AC-6,mitigates,3 +1038,,T1552.006,Group Policy Preferences,[],[],,AC-6,mitigates,3 +1039,,T1552.007,Container API,[],[],,AC-6,mitigates,3 +1040,,T1553,Subvert Trust Controls,[],[],,AC-6,mitigates,3 +1041,,T1553.003,SIP and Trust Provider Hijacking,[],[],,AC-6,mitigates,3 +1042,,T1553.006,Code Signing Policy Modification,[],[],,AC-6,mitigates,3 +1043,,T1556,Modify Authentication Process,[],[],,AC-6,mitigates,3 +1044,,T1556.001,Domain Controller Authentication,[],[],,AC-6,mitigates,3 +1045,,T1556.003,Pluggable Authentication Modules,[],[],,AC-6,mitigates,3 +1046,,T1556.004,Network Device Authentication,[],[],,AC-6,mitigates,3 +1047,,T1558,Steal or Forge Kerberos Tickets,[],[],,AC-6,mitigates,3 +1048,,T1558.001,Golden Ticket,[],[],,AC-6,mitigates,3 +1049,,T1558.002,Silver Ticket,[],[],,AC-6,mitigates,3 +1050,,T1558.003,Kerberoasting,[],[],,AC-6,mitigates,3 +1051,,T1559,Inter-Process Communication,[],[],,AC-6,mitigates,3 +1052,,T1559.001,Component Object Model,[],[],,AC-6,mitigates,3 +1053,,T1559.002,Dynamic Data Exchange,[],[],,AC-6,mitigates,3 +1054,,T1561,Disk Wipe,[],[],,AC-6,mitigates,3 +1055,,T1561.001,Disk Content Wipe,[],[],,AC-6,mitigates,3 +1056,,T1561.002,Disk Structure Wipe,[],[],,AC-6,mitigates,3 +1057,,T1562,Impair Defenses,[],[],,AC-6,mitigates,3 +1058,,T1562.001,Disable or Modify Tools,[],[],,AC-6,mitigates,3 +1059,,T1562.002,Disable Windows Event Logging,[],[],,AC-6,mitigates,3 +1060,,T1562.004,Disable or Modify System Firewall,[],[],,AC-6,mitigates,3 +1061,,T1562.006,Indicator Blocking,[],[],,AC-6,mitigates,3 +1062,,T1562.007,Disable or Modify Cloud Firewall,[],[],,AC-6,mitigates,3 +1063,,T1562.008,Disable Cloud Logs,[],[],,AC-6,mitigates,3 +1064,,T1563,Remote Service Session 
Hijacking,[],[],,AC-6,mitigates,3 +1065,,T1563.001,SSH Hijacking,[],[],,AC-6,mitigates,3 +1066,,T1563.002,RDP Hijacking,[],[],,AC-6,mitigates,3 +1067,,T1569,System Services,[],[],,AC-6,mitigates,3 +1068,,T1569.001,Launchctl,[],[],,AC-6,mitigates,3 +1069,,T1569.002,Service Execution,[],[],,AC-6,mitigates,3 +1070,,T1574,Hijack Execution Flow,[],[],,AC-6,mitigates,3 +1071,,T1574.004,Dylib Hijacking,[],[],,AC-6,mitigates,3 +1072,,T1574.005,Executable Installer File Permissions Weakness,[],[],,AC-6,mitigates,3 +1073,,T1574.007,Path Interception by PATH Environment Variable,[],[],,AC-6,mitigates,3 +1074,,T1574.008,Path Interception by Search Order Hijacking,[],[],,AC-6,mitigates,3 +1075,,T1574.009,Path Interception by Unquoted Path,[],[],,AC-6,mitigates,3 +1076,,T1574.010,Services File Permissions Weakness,[],[],,AC-6,mitigates,3 +1077,,T1574.011,Services Registry Permissions Weakness,[],[],,AC-6,mitigates,3 +1078,,T1574.012,COR_PROFILER,[],[],,AC-6,mitigates,3 +1079,,T1578,Modify Cloud Compute Infrastructure,[],[],,AC-6,mitigates,3 +1080,,T1578.001,Create Snapshot,[],[],,AC-6,mitigates,3 +1081,,T1578.002,Create Cloud Instance,[],[],,AC-6,mitigates,3 +1082,,T1578.003,Delete Cloud Instance,[],[],,AC-6,mitigates,3 +1083,,T1580,Cloud Infrastructure Discovery,[],[],,AC-6,mitigates,3 +1084,,T1599,Network Boundary Bridging,[],[],,AC-6,mitigates,3 +1085,,T1599.001,Network Address Translation Traversal,[],[],,AC-6,mitigates,3 +1086,,T1601,Modify System Image,[],[],,AC-6,mitigates,3 +1087,,T1601.001,Patch System Image,[],[],,AC-6,mitigates,3 +1088,,T1601.002,Downgrade System Image,[],[],,AC-6,mitigates,3 +1089,,T1609,Container Administration Command,[],[],,AC-6,mitigates,3 +1090,,T1610,Deploy Container,[],[],,AC-6,mitigates,3 +1091,,T1611,Escape to Host,[],[],,AC-6,mitigates,3 +1092,,T1612,Build Image on Host,[],[],,AC-6,mitigates,3 +1093,,T1613,Container and Resource Discovery,[],[],,AC-6,mitigates,3 +1094,,T1021,Remote Services,[],[],,AC-7,mitigates,3 +1095,,T1021.001,Remote 
Desktop Protocol,[],[],,AC-7,mitigates,3 +1096,,T1021.004,SSH,[],[],,AC-7,mitigates,3 +1097,,T1078.002,Domain Accounts,[],[],,AC-7,mitigates,3 +1098,,T1078.004,Cloud Accounts,[],[],,AC-7,mitigates,3 +1099,,T1110,Brute Force,[],[],,AC-7,mitigates,3 +1100,,T1110.001,Password Guessing,[],[],,AC-7,mitigates,3 +1101,,T1110.002,Password Cracking,[],[],,AC-7,mitigates,3 +1102,,T1110.003,Password Spraying,[],[],,AC-7,mitigates,3 +1103,,T1110.004,Credential Stuffing,[],[],,AC-7,mitigates,3 +1104,,T1133,External Remote Services,[],[],,AC-7,mitigates,3 +1105,,T1530,Data from Cloud Storage Object,[],[],,AC-7,mitigates,3 +1106,,T1556,Modify Authentication Process,[],[],,AC-7,mitigates,3 +1107,,T1556.001,Domain Controller Authentication,[],[],,AC-7,mitigates,3 +1108,,T1556.003,Pluggable Authentication Modules,[],[],,AC-7,mitigates,3 +1109,,T1556.004,Network Device Authentication,[],[],,AC-7,mitigates,3 +1110,,T1199,Trusted Relationship,[],[],,AC-8,mitigates,3 +1111,,T1190,Exploit Public-Facing Application,[],[],,CA-2,mitigates,3 +1112,,T1195,Supply Chain Compromise,[],[],,CA-2,mitigates,3 +1113,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-2,mitigates,3 +1114,,T1195.002,Compromise Software Supply Chain,[],[],,CA-2,mitigates,3 +1115,,T1210,Exploitation of Remote Services,[],[],,CA-2,mitigates,3 +1116,,T1001,Data Obfuscation,[],[],,CA-7,mitigates,3 +1117,,T1001.001,Junk Data,[],[],,CA-7,mitigates,3 +1118,,T1001.002,Steganography,[],[],,CA-7,mitigates,3 +1119,,T1001.003,Protocol Impersonation,[],[],,CA-7,mitigates,3 +1120,,T1003,OS Credential Dumping,[],[],,CA-7,mitigates,3 +1121,,T1003.001,LSASS Memory,[],[],,CA-7,mitigates,3 +1122,,T1003.002,Security Account Manager,[],[],,CA-7,mitigates,3 +1123,,T1003.003,NTDS,[],[],,CA-7,mitigates,3 +1124,,T1003.004,LSA Secrets,[],[],,CA-7,mitigates,3 +1125,,T1003.005,Cached Domain Credentials,[],[],,CA-7,mitigates,3 +1126,,T1003.006,DCSync,[],[],,CA-7,mitigates,3 +1127,,T1003.007,Proc 
Filesystem,[],[],,CA-7,mitigates,3 +1128,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CA-7,mitigates,3 +1129,,T1008,Fallback Channels,[],[],,CA-7,mitigates,3 +1130,,T1021.002,SMB/Windows Admin Shares,[],[],,CA-7,mitigates,3 +1131,,T1021.005,VNC,[],[],,CA-7,mitigates,3 +1132,,T1029,Scheduled Transfer,[],[],,CA-7,mitigates,3 +1133,,T1030,Data Transfer Size Limits,[],[],,CA-7,mitigates,3 +1134,,T1036,Masquerading,[],[],,CA-7,mitigates,3 +1135,,T1036.003,Rename System Utilities,[],[],,CA-7,mitigates,3 +1136,,T1036.005,Match Legitimate Name or Location,[],[],,CA-7,mitigates,3 +1137,,T1037,Boot or Logon Initialization Scripts,[],[],,CA-7,mitigates,3 +1138,,T1037.002,Logon Script (Mac),[],[],,CA-7,mitigates,3 +1139,,T1037.003,Network Logon Script,[],[],,CA-7,mitigates,3 +1140,,T1037.004,RC Scripts,[],[],,CA-7,mitigates,3 +1141,,T1037.005,Startup Items,[],[],,CA-7,mitigates,3 +1142,,T1041,Exfiltration Over C2 Channel,[],[],,CA-7,mitigates,3 +1143,,T1046,Network Service Scanning,[],[],,CA-7,mitigates,3 +1144,,T1048,Exfiltration Over Alternative Protocol,[],[],,CA-7,mitigates,3 +1145,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,3 +1146,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CA-7,mitigates,3 +1147,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CA-7,mitigates,3 +1148,,T1053.006,Systemd Timers,[],[],,CA-7,mitigates,3 +1149,,T1055.009,Proc Memory,[],[],,CA-7,mitigates,3 +1150,,T1056.002,GUI Input Capture,[],[],,CA-7,mitigates,3 +1151,,T1068,Exploitation for Privilege Escalation,[],[],,CA-7,mitigates,3 +1152,,T1070,Indicator Removal on Host,[],[],,CA-7,mitigates,3 +1153,,T1070.001,Clear Windows Event Logs,[],[],,CA-7,mitigates,3 +1154,,T1070.002,Clear Linux or Mac System Logs,[],[],,CA-7,mitigates,3 +1155,,T1070.003,Clear Command History,[],[],,CA-7,mitigates,3 +1156,,T1071,Application Layer Protocol,[],[],,CA-7,mitigates,3 +1157,,T1071.001,Web 
Protocols,[],[],,CA-7,mitigates,3 +1158,,T1071.002,File Transfer Protocols,[],[],,CA-7,mitigates,3 +1159,,T1071.003,Mail Protocols,[],[],,CA-7,mitigates,3 +1160,,T1071.004,DNS,[],[],,CA-7,mitigates,3 +1161,,T1072,Software Deployment Tools,[],[],,CA-7,mitigates,3 +1162,,T1078,Valid Accounts,[],[],,CA-7,mitigates,3 +1163,,T1078.001,Default Accounts,[],[],,CA-7,mitigates,3 +1164,,T1078.003,Local Accounts,[],[],,CA-7,mitigates,3 +1165,,T1078.004,Cloud Accounts,[],[],,CA-7,mitigates,3 +1166,,T1080,Taint Shared Content,[],[],,CA-7,mitigates,3 +1167,,T1090,Proxy,[],[],,CA-7,mitigates,3 +1168,,T1090.001,Internal Proxy,[],[],,CA-7,mitigates,3 +1169,,T1090.002,External Proxy,[],[],,CA-7,mitigates,3 +1170,,T1090.003,Multi-hop Proxy,[],[],,CA-7,mitigates,3 +1171,,T1095,Non-Application Layer Protocol,[],[],,CA-7,mitigates,3 +1172,,T1102,Web Service,[],[],,CA-7,mitigates,3 +1173,,T1102.001,Dead Drop Resolver,[],[],,CA-7,mitigates,3 +1174,,T1102.002,Bidirectional Communication,[],[],,CA-7,mitigates,3 +1175,,T1102.003,One-Way Communication,[],[],,CA-7,mitigates,3 +1176,,T1104,Multi-Stage Channels,[],[],,CA-7,mitigates,3 +1177,,T1105,Ingress Tool Transfer,[],[],,CA-7,mitigates,3 +1178,,T1110,Brute Force,[],[],,CA-7,mitigates,3 +1179,,T1110.001,Password Guessing,[],[],,CA-7,mitigates,3 +1180,,T1110.002,Password Cracking,[],[],,CA-7,mitigates,3 +1181,,T1110.003,Password Spraying,[],[],,CA-7,mitigates,3 +1182,,T1110.004,Credential Stuffing,[],[],,CA-7,mitigates,3 +1183,,T1111,Two-Factor Authentication Interception,[],[],,CA-7,mitigates,3 +1184,,T1132,Data Encoding,[],[],,CA-7,mitigates,3 +1185,,T1132.001,Standard Encoding,[],[],,CA-7,mitigates,3 +1186,,T1132.002,Non-Standard Encoding,[],[],,CA-7,mitigates,3 +1187,,T1176,Browser Extensions,[],[],,CA-7,mitigates,3 +1188,,T1185,Man in the Browser,[],[],,CA-7,mitigates,3 +1189,,T1187,Forced Authentication,[],[],,CA-7,mitigates,3 +1190,,T1189,Drive-by Compromise,[],[],,CA-7,mitigates,3 +1191,,T1190,Exploit Public-Facing 
Application,[],[],,CA-7,mitigates,3 +1192,,T1195,Supply Chain Compromise,[],[],,CA-7,mitigates,3 +1193,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CA-7,mitigates,3 +1194,,T1195.002,Compromise Software Supply Chain,[],[],,CA-7,mitigates,3 +1195,,T1197,BITS Jobs,[],[],,CA-7,mitigates,3 +1196,,T1201,Password Policy Discovery,[],[],,CA-7,mitigates,3 +1197,,T1203,Exploitation for Client Execution,[],[],,CA-7,mitigates,3 +1198,,T1204,User Execution,[],[],,CA-7,mitigates,3 +1199,,T1204.001,Malicious Link,[],[],,CA-7,mitigates,3 +1200,,T1204.002,Malicious File,[],[],,CA-7,mitigates,3 +1201,,T1204.003,Malicious Image,[],[],,CA-7,mitigates,3 +1202,,T1205,Traffic Signaling,[],[],,CA-7,mitigates,3 +1203,,T1205.001,Port Knocking,[],[],,CA-7,mitigates,3 +1204,,T1210,Exploitation of Remote Services,[],[],,CA-7,mitigates,3 +1205,,T1211,Exploitation for Defense Evasion,[],[],,CA-7,mitigates,3 +1206,,T1212,Exploitation for Credential Access,[],[],,CA-7,mitigates,3 +1207,,T1213,Data from Information Repositories,[],[],,CA-7,mitigates,3 +1208,,T1213.001,Confluence,[],[],,CA-7,mitigates,3 +1209,,T1213.002,Sharepoint,[],[],,CA-7,mitigates,3 +1210,,T1218,Signed Binary Proxy Execution,[],[],,CA-7,mitigates,3 +1211,,T1218.002,Control Panel,[],[],,CA-7,mitigates,3 +1212,,T1218.010,Regsvr32,[],[],,CA-7,mitigates,3 +1213,,T1218.011,Rundll32,[],[],,CA-7,mitigates,3 +1214,,T1218.012,Verclsid,[],[],,CA-7,mitigates,3 +1215,,T1219,Remote Access Software,[],[],,CA-7,mitigates,3 +1216,,T1221,Template Injection,[],[],,CA-7,mitigates,3 +1217,,T1222,File and Directory Permissions Modification,[],[],,CA-7,mitigates,3 +1218,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CA-7,mitigates,3 +1219,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CA-7,mitigates,3 +1220,,T1489,Service Stop,[],[],,CA-7,mitigates,3 +1221,,T1498,Network Denial of Service,[],[],,CA-7,mitigates,3 +1222,,T1498.001,Direct Network 
Flood,[],[],,CA-7,mitigates,3 +1223,,T1498.002,Reflection Amplification,[],[],,CA-7,mitigates,3 +1224,,T1499,Endpoint Denial of Service,[],[],,CA-7,mitigates,3 +1225,,T1499.001,OS Exhaustion Flood,[],[],,CA-7,mitigates,3 +1226,,T1499.002,Service Exhaustion Flood,[],[],,CA-7,mitigates,3 +1227,,T1499.003,Application Exhaustion Flood,[],[],,CA-7,mitigates,3 +1228,,T1499.004,Application or System Exploitation,[],[],,CA-7,mitigates,3 +1229,,T1528,Steal Application Access Token,[],[],,CA-7,mitigates,3 +1230,,T1530,Data from Cloud Storage Object,[],[],,CA-7,mitigates,3 +1231,,T1537,Transfer Data to Cloud Account,[],[],,CA-7,mitigates,3 +1232,,T1539,Steal Web Session Cookie,[],[],,CA-7,mitigates,3 +1233,,T1542.004,ROMMONkit,[],[],,CA-7,mitigates,3 +1234,,T1542.005,TFTP Boot,[],[],,CA-7,mitigates,3 +1235,,T1543,Create or Modify System Process,[],[],,CA-7,mitigates,3 +1236,,T1543.002,Systemd Service,[],[],,CA-7,mitigates,3 +1237,,T1546.004,Unix Shell Configuration Modification,[],[],,CA-7,mitigates,3 +1238,,T1546.013,PowerShell Profile,[],[],,CA-7,mitigates,3 +1239,,T1547.003,Time Providers,[],[],,CA-7,mitigates,3 +1240,,T1547.011,Plist Modification,[],[],,CA-7,mitigates,3 +1241,,T1547.013,XDG Autostart Entries,[],[],,CA-7,mitigates,3 +1242,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-7,mitigates,3 +1243,,T1548.003,Sudo and Sudo Caching,[],[],,CA-7,mitigates,3 +1244,,T1550.003,Pass the Ticket,[],[],,CA-7,mitigates,3 +1245,,T1552,Unsecured Credentials,[],[],,CA-7,mitigates,3 +1246,,T1552.001,Credentials In Files,[],[],,CA-7,mitigates,3 +1247,,T1552.002,Credentials in Registry,[],[],,CA-7,mitigates,3 +1248,,T1552.004,Private Keys,[],[],,CA-7,mitigates,3 +1249,,T1552.005,Cloud Instance Metadata API,[],[],,CA-7,mitigates,3 +1250,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CA-7,mitigates,3 +1251,,T1555,Credentials from Password Stores,[],[],,CA-7,mitigates,3 +1252,,T1555.001,Keychain,[],[],,CA-7,mitigates,3 +1253,,T1555.002,Securityd Memory,[],[],,CA-7,mitigates,3 
+1254,,T1556,Modify Authentication Process,[],[],,CA-7,mitigates,3 +1255,,T1556.001,Domain Controller Authentication,[],[],,CA-7,mitigates,3 +1256,,T1557,Man-in-the-Middle,[],[],,CA-7,mitigates,3 +1257,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CA-7,mitigates,3 +1258,,T1557.002,ARP Cache Poisoning,[],[],,CA-7,mitigates,3 +1259,,T1558,Steal or Forge Kerberos Tickets,[],[],,CA-7,mitigates,3 +1260,,T1558.002,Silver Ticket,[],[],,CA-7,mitigates,3 +1261,,T1558.003,Kerberoasting,[],[],,CA-7,mitigates,3 +1262,,T1558.004,AS-REP Roasting,[],[],,CA-7,mitigates,3 +1263,,T1562,Impair Defenses,[],[],,CA-7,mitigates,3 +1264,,T1562.001,Disable or Modify Tools,[],[],,CA-7,mitigates,3 +1265,,T1562.002,Disable Windows Event Logging,[],[],,CA-7,mitigates,3 +1266,,T1562.004,Disable or Modify System Firewall,[],[],,CA-7,mitigates,3 +1267,,T1562.006,Indicator Blocking,[],[],,CA-7,mitigates,3 +1268,,T1563.001,SSH Hijacking,[],[],,CA-7,mitigates,3 +1269,,T1564.004,NTFS File Attributes,[],[],,CA-7,mitigates,3 +1270,,T1565,Data Manipulation,[],[],,CA-7,mitigates,3 +1271,,T1565.001,Stored Data Manipulation,[],[],,CA-7,mitigates,3 +1272,,T1565.003,Runtime Data Manipulation,[],[],,CA-7,mitigates,3 +1273,,T1566,Phishing,[],[],,CA-7,mitigates,3 +1274,,T1566.001,Spearphishing Attachment,[],[],,CA-7,mitigates,3 +1275,,T1566.002,Spearphishing Link,[],[],,CA-7,mitigates,3 +1276,,T1566.003,Spearphishing via Service,[],[],,CA-7,mitigates,3 +1277,,T1568,Dynamic Resolution,[],[],,CA-7,mitigates,3 +1278,,T1568.002,Domain Generation Algorithms,[],[],,CA-7,mitigates,3 +1279,,T1569,System Services,[],[],,CA-7,mitigates,3 +1280,,T1569.002,Service Execution,[],[],,CA-7,mitigates,3 +1281,,T1570,Lateral Tool Transfer,[],[],,CA-7,mitigates,3 +1282,,T1571,Non-Standard Port,[],[],,CA-7,mitigates,3 +1283,,T1572,Protocol Tunneling,[],[],,CA-7,mitigates,3 +1284,,T1573,Encrypted Channel,[],[],,CA-7,mitigates,3 +1285,,T1573.001,Symmetric Cryptography,[],[],,CA-7,mitigates,3 +1286,,T1573.002,Asymmetric 
Cryptography,[],[],,CA-7,mitigates,3 +1287,,T1574,Hijack Execution Flow,[],[],,CA-7,mitigates,3 +1288,,T1574.004,Dylib Hijacking,[],[],,CA-7,mitigates,3 +1289,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-7,mitigates,3 +1290,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-7,mitigates,3 +1291,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-7,mitigates,3 +1292,,T1598,Phishing for Information,[],[],,CA-7,mitigates,3 +1293,,T1598.001,Spearphishing Service,[],[],,CA-7,mitigates,3 +1294,,T1598.002,Spearphishing Attachment,[],[],,CA-7,mitigates,3 +1295,,T1598.003,Spearphishing Link,[],[],,CA-7,mitigates,3 +1296,,T1599,Network Boundary Bridging,[],[],,CA-7,mitigates,3 +1297,,T1599.001,Network Address Translation Traversal,[],[],,CA-7,mitigates,3 +1298,,T1602,Data from Configuration Repository,[],[],,CA-7,mitigates,3 +1299,,T1602.001,SNMP (MIB Dump),[],[],,CA-7,mitigates,3 +1300,,T1602.002,Network Device Configuration Dump,[],[],,CA-7,mitigates,3 +1301,,T1021.001,Remote Desktop Protocol,[],[],,CA-8,mitigates,3 +1302,,T1021.005,VNC,[],[],,CA-8,mitigates,3 +1303,,T1053,Scheduled Task/Job,[],[],,CA-8,mitigates,3 +1304,,T1053.001,At (Linux),[],[],,CA-8,mitigates,3 +1305,,T1053.002,At (Windows),[],[],,CA-8,mitigates,3 +1306,,T1053.003,Cron,[],[],,CA-8,mitigates,3 +1307,,T1053.004,Launchd,[],[],,CA-8,mitigates,3 +1308,,T1053.005,Scheduled Task,[],[],,CA-8,mitigates,3 +1309,,T1059,Command and Scripting Interpreter,[],[],,CA-8,mitigates,3 +1310,,T1068,Exploitation for Privilege Escalation,[],[],,CA-8,mitigates,3 +1311,,T1078,Valid Accounts,[],[],,CA-8,mitigates,3 +1312,,T1176,Browser Extensions,[],[],,CA-8,mitigates,3 +1313,,T1195.003,Compromise Hardware Supply Chain,[],[],,CA-8,mitigates,3 +1314,,T1204.003,Malicious Image,[],[],,CA-8,mitigates,3 +1315,,T1210,Exploitation of Remote Services,[],[],,CA-8,mitigates,3 +1316,,T1211,Exploitation for Defense Evasion,[],[],,CA-8,mitigates,3 +1317,,T1212,Exploitation for Credential 
Access,[],[],,CA-8,mitigates,3 +1318,,T1213,Data from Information Repositories,[],[],,CA-8,mitigates,3 +1319,,T1213.001,Confluence,[],[],,CA-8,mitigates,3 +1320,,T1213.002,Sharepoint,[],[],,CA-8,mitigates,3 +1321,,T1482,Domain Trust Discovery,[],[],,CA-8,mitigates,3 +1322,,T1484,Domain Policy Modification,[],[],,CA-8,mitigates,3 +1323,,T1495,Firmware Corruption,[],[],,CA-8,mitigates,3 +1324,,T1505,Server Software Component,[],[],,CA-8,mitigates,3 +1325,,T1505.001,SQL Stored Procedures,[],[],,CA-8,mitigates,3 +1326,,T1505.002,Transport Agent,[],[],,CA-8,mitigates,3 +1327,,T1525,Implant Internal Image,[],[],,CA-8,mitigates,3 +1328,,T1528,Steal Application Access Token,[],[],,CA-8,mitigates,3 +1329,,T1530,Data from Cloud Storage Object,[],[],,CA-8,mitigates,3 +1330,,T1542,Pre-OS Boot,[],[],,CA-8,mitigates,3 +1331,,T1542.001,System Firmware,[],[],,CA-8,mitigates,3 +1332,,T1542.003,Bootkit,[],[],,CA-8,mitigates,3 +1333,,T1542.004,ROMMONkit,[],[],,CA-8,mitigates,3 +1334,,T1542.005,TFTP Boot,[],[],,CA-8,mitigates,3 +1335,,T1543,Create or Modify System Process,[],[],,CA-8,mitigates,3 +1336,,T1543.003,Windows Service,[],[],,CA-8,mitigates,3 +1337,,T1548,Abuse Elevation Control Mechanism,[],[],,CA-8,mitigates,3 +1338,,T1548.002,Bypass User Account Control,[],[],,CA-8,mitigates,3 +1339,,T1550.001,Application Access Token,[],[],,CA-8,mitigates,3 +1340,,T1552,Unsecured Credentials,[],[],,CA-8,mitigates,3 +1341,,T1552.001,Credentials In Files,[],[],,CA-8,mitigates,3 +1342,,T1552.002,Credentials in Registry,[],[],,CA-8,mitigates,3 +1343,,T1552.004,Private Keys,[],[],,CA-8,mitigates,3 +1344,,T1552.006,Group Policy Preferences,[],[],,CA-8,mitigates,3 +1345,,T1553,Subvert Trust Controls,[],[],,CA-8,mitigates,3 +1346,,T1553.006,Code Signing Policy Modification,[],[],,CA-8,mitigates,3 +1347,,T1554,Compromise Client Software Binary,[],[],,CA-8,mitigates,3 +1348,,T1558.004,AS-REP Roasting,[],[],,CA-8,mitigates,3 +1349,,T1560,Archive Collected Data,[],[],,CA-8,mitigates,3 
+1350,,T1560.001,Archive via Utility,[],[],,CA-8,mitigates,3 +1351,,T1562,Impair Defenses,[],[],,CA-8,mitigates,3 +1352,,T1563,Remote Service Session Hijacking,[],[],,CA-8,mitigates,3 +1353,,T1574,Hijack Execution Flow,[],[],,CA-8,mitigates,3 +1354,,T1574.001,DLL Search Order Hijacking,[],[],,CA-8,mitigates,3 +1355,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CA-8,mitigates,3 +1356,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CA-8,mitigates,3 +1357,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CA-8,mitigates,3 +1358,,T1574.009,Path Interception by Unquoted Path,[],[],,CA-8,mitigates,3 +1359,,T1574.010,Services File Permissions Weakness,[],[],,CA-8,mitigates,3 +1360,,T1578,Modify Cloud Compute Infrastructure,[],[],,CA-8,mitigates,3 +1361,,T1578.001,Create Snapshot,[],[],,CA-8,mitigates,3 +1362,,T1578.002,Create Cloud Instance,[],[],,CA-8,mitigates,3 +1363,,T1578.003,Delete Cloud Instance,[],[],,CA-8,mitigates,3 +1364,,T1601,Modify System Image,[],[],,CA-8,mitigates,3 +1365,,T1601.001,Patch System Image,[],[],,CA-8,mitigates,3 +1366,,T1601.002,Downgrade System Image,[],[],,CA-8,mitigates,3 +1367,,T1612,Build Image on Host,[],[],,CA-8,mitigates,3 +1368,,T1546.008,Accessibility Features,[],[],,CM-10,mitigates,3 +1369,,T1546.013,PowerShell Profile,[],[],,CM-10,mitigates,3 +1370,,T1550.001,Application Access Token,[],[],,CM-10,mitigates,3 +1371,,T1553,Subvert Trust Controls,[],[],,CM-10,mitigates,3 +1372,,T1553.004,Install Root Certificate,[],[],,CM-10,mitigates,3 +1373,,T1559,Inter-Process Communication,[],[],,CM-10,mitigates,3 +1374,,T1559.002,Dynamic Data Exchange,[],[],,CM-10,mitigates,3 +1375,,T1021.005,VNC,[],[],,CM-11,mitigates,3 +1376,,T1059,Command and Scripting Interpreter,[],[],,CM-11,mitigates,3 +1377,,T1059.006,Python,[],[],,CM-11,mitigates,3 +1378,,T1176,Browser Extensions,[],[],,CM-11,mitigates,3 +1379,,T1195,Supply Chain Compromise,[],[],,CM-11,mitigates,3 +1380,,T1195.001,Compromise Software 
Dependencies and Development Tools,[],[],,CM-11,mitigates,3 +1381,,T1195.002,Compromise Software Supply Chain,[],[],,CM-11,mitigates,3 +1382,,T1505,Server Software Component,[],[],,CM-11,mitigates,3 +1383,,T1505.001,SQL Stored Procedures,[],[],,CM-11,mitigates,3 +1384,,T1505.002,Transport Agent,[],[],,CM-11,mitigates,3 +1385,,T1543,Create or Modify System Process,[],[],,CM-11,mitigates,3 +1386,,T1543.001,Launch Agent,[],[],,CM-11,mitigates,3 +1387,,T1543.002,Systemd Service,[],[],,CM-11,mitigates,3 +1388,,T1543.003,Windows Service,[],[],,CM-11,mitigates,3 +1389,,T1543.004,Launch Daemon,[],[],,CM-11,mitigates,3 +1390,,T1547.013,XDG Autostart Entries,[],[],,CM-11,mitigates,3 +1391,,T1550.001,Application Access Token,[],[],,CM-11,mitigates,3 +1392,,T1569,System Services,[],[],,CM-11,mitigates,3 +1393,,T1569.001,Launchctl,[],[],,CM-11,mitigates,3 +1394,,T1001,Data Obfuscation,[],[],,CM-2,mitigates,3 +1395,,T1001.001,Junk Data,[],[],,CM-2,mitigates,3 +1396,,T1001.002,Steganography,[],[],,CM-2,mitigates,3 +1397,,T1001.003,Protocol Impersonation,[],[],,CM-2,mitigates,3 +1398,,T1003,OS Credential Dumping,[],[],,CM-2,mitigates,3 +1399,,T1003.001,LSASS Memory,[],[],,CM-2,mitigates,3 +1400,,T1003.002,Security Account Manager,[],[],,CM-2,mitigates,3 +1401,,T1003.003,NTDS,[],[],,CM-2,mitigates,3 +1402,,T1003.004,LSA Secrets,[],[],,CM-2,mitigates,3 +1403,,T1003.005,Cached Domain Credentials,[],[],,CM-2,mitigates,3 +1404,,T1003.006,DCSync,[],[],,CM-2,mitigates,3 +1405,,T1003.007,Proc Filesystem,[],[],,CM-2,mitigates,3 +1406,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-2,mitigates,3 +1407,,T1008,Fallback Channels,[],[],,CM-2,mitigates,3 +1408,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-2,mitigates,3 +1409,,T1020.001,Traffic Duplication,[],[],,CM-2,mitigates,3 +1410,,T1021.001,Remote Desktop Protocol,[],[],,CM-2,mitigates,3 +1411,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-2,mitigates,3 +1412,,T1021.003,Distributed Component Object Model,[],[],,CM-2,mitigates,3 
+1413,,T1021.004,SSH,[],[],,CM-2,mitigates,3 +1414,,T1021.005,VNC,[],[],,CM-2,mitigates,3 +1415,,T1021.006,Windows Remote Management,[],[],,CM-2,mitigates,3 +1416,,T1029,Scheduled Transfer,[],[],,CM-2,mitigates,3 +1417,,T1030,Data Transfer Size Limits,[],[],,CM-2,mitigates,3 +1418,,T1036,Masquerading,[],[],,CM-2,mitigates,3 +1419,,T1036.001,Invalid Code Signature,[],[],,CM-2,mitigates,3 +1420,,T1036.003,Rename System Utilities,[],[],,CM-2,mitigates,3 +1421,,T1036.005,Match Legitimate Name or Location,[],[],,CM-2,mitigates,3 +1422,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-2,mitigates,3 +1423,,T1037.002,Logon Script (Mac),[],[],,CM-2,mitigates,3 +1424,,T1037.003,Network Logon Script,[],[],,CM-2,mitigates,3 +1425,,T1037.004,RC Scripts,[],[],,CM-2,mitigates,3 +1426,,T1037.005,Startup Items,[],[],,CM-2,mitigates,3 +1427,,T1046,Network Service Scanning,[],[],,CM-2,mitigates,3 +1428,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-2,mitigates,3 +1429,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,3 +1430,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-2,mitigates,3 +1431,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-2,mitigates,3 +1432,,T1052,Exfiltration Over Physical Medium,[],[],,CM-2,mitigates,3 +1433,,T1052.001,Exfiltration over USB,[],[],,CM-2,mitigates,3 +1434,,T1053,Scheduled Task/Job,[],[],,CM-2,mitigates,3 +1435,,T1053.002,At (Windows),[],[],,CM-2,mitigates,3 +1436,,T1053.005,Scheduled Task,[],[],,CM-2,mitigates,3 +1437,,T1059,Command and Scripting Interpreter,[],[],,CM-2,mitigates,3 +1438,,T1059.001,PowerShell,[],[],,CM-2,mitigates,3 +1439,,T1059.002,AppleScript,[],[],,CM-2,mitigates,3 +1440,,T1059.005,Visual Basic,[],[],,CM-2,mitigates,3 +1441,,T1059.007,JavaScript,[],[],,CM-2,mitigates,3 +1442,,T1068,Exploitation for Privilege Escalation,[],[],,CM-2,mitigates,3 +1443,,T1070,Indicator Removal on Host,[],[],,CM-2,mitigates,3 
+1444,,T1070.001,Clear Windows Event Logs,[],[],,CM-2,mitigates,3 +1445,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-2,mitigates,3 +1446,,T1070.003,Clear Command History,[],[],,CM-2,mitigates,3 +1447,,T1071,Application Layer Protocol,[],[],,CM-2,mitigates,3 +1448,,T1071.001,Web Protocols,[],[],,CM-2,mitigates,3 +1449,,T1071.002,File Transfer Protocols,[],[],,CM-2,mitigates,3 +1450,,T1071.003,Mail Protocols,[],[],,CM-2,mitigates,3 +1451,,T1071.004,DNS,[],[],,CM-2,mitigates,3 +1452,,T1072,Software Deployment Tools,[],[],,CM-2,mitigates,3 +1453,,T1080,Taint Shared Content,[],[],,CM-2,mitigates,3 +1454,,T1090,Proxy,[],[],,CM-2,mitigates,3 +1455,,T1090.001,Internal Proxy,[],[],,CM-2,mitigates,3 +1456,,T1090.002,External Proxy,[],[],,CM-2,mitigates,3 +1457,,T1091,Replication Through Removable Media,[],[],,CM-2,mitigates,3 +1458,,T1092,Communication Through Removable Media,[],[],,CM-2,mitigates,3 +1459,,T1095,Non-Application Layer Protocol,[],[],,CM-2,mitigates,3 +1460,,T1098.004,SSH Authorized Keys,[],[],,CM-2,mitigates,3 +1461,,T1102,Web Service,[],[],,CM-2,mitigates,3 +1462,,T1102.001,Dead Drop Resolver,[],[],,CM-2,mitigates,3 +1463,,T1102.002,Bidirectional Communication,[],[],,CM-2,mitigates,3 +1464,,T1102.003,One-Way Communication,[],[],,CM-2,mitigates,3 +1465,,T1104,Multi-Stage Channels,[],[],,CM-2,mitigates,3 +1466,,T1105,Ingress Tool Transfer,[],[],,CM-2,mitigates,3 +1467,,T1110,Brute Force,[],[],,CM-2,mitigates,3 +1468,,T1110.001,Password Guessing,[],[],,CM-2,mitigates,3 +1469,,T1110.002,Password Cracking,[],[],,CM-2,mitigates,3 +1470,,T1110.003,Password Spraying,[],[],,CM-2,mitigates,3 +1471,,T1110.004,Credential Stuffing,[],[],,CM-2,mitigates,3 +1472,,T1111,Two-Factor Authentication Interception,[],[],,CM-2,mitigates,3 +1473,,T1114,Email Collection,[],[],,CM-2,mitigates,3 +1474,,T1114.002,Remote Email Collection,[],[],,CM-2,mitigates,3 +1475,,T1119,Automated Collection,[],[],,CM-2,mitigates,3 +1476,,T1127,Trusted Developer Utilities Proxy 
Execution,[],[],,CM-2,mitigates,3 +1477,,T1127.001,MSBuild,[],[],,CM-2,mitigates,3 +1478,,T1129,Shared Modules,[],[],,CM-2,mitigates,3 +1479,,T1132,Data Encoding,[],[],,CM-2,mitigates,3 +1480,,T1132.001,Standard Encoding,[],[],,CM-2,mitigates,3 +1481,,T1132.002,Non-Standard Encoding,[],[],,CM-2,mitigates,3 +1482,,T1133,External Remote Services,[],[],,CM-2,mitigates,3 +1483,,T1134.005,SID-History Injection,[],[],,CM-2,mitigates,3 +1484,,T1137,Office Application Startup,[],[],,CM-2,mitigates,3 +1485,,T1137.001,Office Template Macros,[],[],,CM-2,mitigates,3 +1486,,T1137.002,Office Test,[],[],,CM-2,mitigates,3 +1487,,T1137.003,Outlook Forms,[],[],,CM-2,mitigates,3 +1488,,T1137.004,Outlook Home Page,[],[],,CM-2,mitigates,3 +1489,,T1137.005,Outlook Rules,[],[],,CM-2,mitigates,3 +1490,,T1176,Browser Extensions,[],[],,CM-2,mitigates,3 +1491,,T1185,Man in the Browser,[],[],,CM-2,mitigates,3 +1492,,T1187,Forced Authentication,[],[],,CM-2,mitigates,3 +1493,,T1189,Drive-by Compromise,[],[],,CM-2,mitigates,3 +1494,,T1201,Password Policy Discovery,[],[],,CM-2,mitigates,3 +1495,,T1204,User Execution,[],[],,CM-2,mitigates,3 +1496,,T1204.001,Malicious Link,[],[],,CM-2,mitigates,3 +1497,,T1204.002,Malicious File,[],[],,CM-2,mitigates,3 +1498,,T1204.003,Malicious Image,[],[],,CM-2,mitigates,3 +1499,,T1205,Traffic Signaling,[],[],,CM-2,mitigates,3 +1500,,T1210,Exploitation of Remote Services,[],[],,CM-2,mitigates,3 +1501,,T1211,Exploitation for Defense Evasion,[],[],,CM-2,mitigates,3 +1502,,T1212,Exploitation for Credential Access,[],[],,CM-2,mitigates,3 +1503,,T1213,Data from Information Repositories,[],[],,CM-2,mitigates,3 +1504,,T1213.001,Confluence,[],[],,CM-2,mitigates,3 +1505,,T1213.002,Sharepoint,[],[],,CM-2,mitigates,3 +1506,,T1216,Signed Script Proxy Execution,[],[],,CM-2,mitigates,3 +1507,,T1216.001,PubPrn,[],[],,CM-2,mitigates,3 +1508,,T1218,Signed Binary Proxy Execution,[],[],,CM-2,mitigates,3 +1509,,T1218.001,Compiled HTML File,[],[],,CM-2,mitigates,3 
+1510,,T1218.002,Control Panel,[],[],,CM-2,mitigates,3 +1511,,T1218.003,CMSTP,[],[],,CM-2,mitigates,3 +1512,,T1218.004,InstallUtil,[],[],,CM-2,mitigates,3 +1513,,T1218.005,Mshta,[],[],,CM-2,mitigates,3 +1514,,T1218.007,Msiexec,[],[],,CM-2,mitigates,3 +1515,,T1218.008,Odbcconf,[],[],,CM-2,mitigates,3 +1516,,T1218.009,Regsvcs/Regasm,[],[],,CM-2,mitigates,3 +1517,,T1218.012,Verclsid,[],[],,CM-2,mitigates,3 +1518,,T1219,Remote Access Software,[],[],,CM-2,mitigates,3 +1519,,T1220,XSL Script Processing,[],[],,CM-2,mitigates,3 +1520,,T1221,Template Injection,[],[],,CM-2,mitigates,3 +1521,,T1484,Domain Policy Modification,[],[],,CM-2,mitigates,3 +1522,,T1485,Data Destruction,[],[],,CM-2,mitigates,3 +1523,,T1486,Data Encrypted for Impact,[],[],,CM-2,mitigates,3 +1524,,T1490,Inhibit System Recovery,[],[],,CM-2,mitigates,3 +1525,,T1491,Defacement,[],[],,CM-2,mitigates,3 +1526,,T1491.001,Internal Defacement,[],[],,CM-2,mitigates,3 +1527,,T1491.002,External Defacement,[],[],,CM-2,mitigates,3 +1528,,T1505,Server Software Component,[],[],,CM-2,mitigates,3 +1529,,T1505.001,SQL Stored Procedures,[],[],,CM-2,mitigates,3 +1530,,T1505.002,Transport Agent,[],[],,CM-2,mitigates,3 +1531,,T1525,Implant Internal Image,[],[],,CM-2,mitigates,3 +1532,,T1528,Steal Application Access Token,[],[],,CM-2,mitigates,3 +1533,,T1530,Data from Cloud Storage Object,[],[],,CM-2,mitigates,3 +1534,,T1539,Steal Web Session Cookie,[],[],,CM-2,mitigates,3 +1535,,T1542.004,ROMMONkit,[],[],,CM-2,mitigates,3 +1536,,T1542.005,TFTP Boot,[],[],,CM-2,mitigates,3 +1537,,T1543,Create or Modify System Process,[],[],,CM-2,mitigates,3 +1538,,T1543.002,Systemd Service,[],[],,CM-2,mitigates,3 +1539,,T1543.003,Windows Service,[],[],,CM-2,mitigates,3 +1540,,T1546,Event Triggered Execution,[],[],,CM-2,mitigates,3 +1541,,T1546.002,Screensaver,[],[],,CM-2,mitigates,3 +1542,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-2,mitigates,3 +1543,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-2,mitigates,3 
+1544,,T1546.010,AppInit DLLs,[],[],,CM-2,mitigates,3 +1545,,T1546.013,PowerShell Profile,[],[],,CM-2,mitigates,3 +1546,,T1546.014,Emond,[],[],,CM-2,mitigates,3 +1547,,T1547.003,Time Providers,[],[],,CM-2,mitigates,3 +1548,,T1547.007,Re-opened Applications,[],[],,CM-2,mitigates,3 +1549,,T1547.008,LSASS Driver,[],[],,CM-2,mitigates,3 +1550,,T1547.011,Plist Modification,[],[],,CM-2,mitigates,3 +1551,,T1547.013,XDG Autostart Entries,[],[],,CM-2,mitigates,3 +1552,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-2,mitigates,3 +1553,,T1548.002,Bypass User Account Control,[],[],,CM-2,mitigates,3 +1554,,T1548.003,Sudo and Sudo Caching,[],[],,CM-2,mitigates,3 +1555,,T1548.004,Elevated Execution with Prompt,[],[],,CM-2,mitigates,3 +1556,,T1550.001,Application Access Token,[],[],,CM-2,mitigates,3 +1557,,T1550.003,Pass the Ticket,[],[],,CM-2,mitigates,3 +1558,,T1552,Unsecured Credentials,[],[],,CM-2,mitigates,3 +1559,,T1552.001,Credentials In Files,[],[],,CM-2,mitigates,3 +1560,,T1552.004,Private Keys,[],[],,CM-2,mitigates,3 +1561,,T1552.006,Group Policy Preferences,[],[],,CM-2,mitigates,3 +1562,,T1553,Subvert Trust Controls,[],[],,CM-2,mitigates,3 +1563,,T1553.001,Gatekeeper Bypass,[],[],,CM-2,mitigates,3 +1564,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-2,mitigates,3 +1565,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-2,mitigates,3 +1566,,T1554,Compromise Client Software Binary,[],[],,CM-2,mitigates,3 +1567,,T1555.004,Windows Credential Manager,[],[],,CM-2,mitigates,3 +1568,,T1555.005,Password Managers,[],[],,CM-2,mitigates,3 +1569,,T1556,Modify Authentication Process,[],[],,CM-2,mitigates,3 +1570,,T1556.004,Network Device Authentication,[],[],,CM-2,mitigates,3 +1571,,T1557,Man-in-the-Middle,[],[],,CM-2,mitigates,3 +1572,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-2,mitigates,3 +1573,,T1557.002,ARP Cache Poisoning,[],[],,CM-2,mitigates,3 +1574,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-2,mitigates,3 +1575,,T1558.001,Golden 
Ticket,[],[],,CM-2,mitigates,3 +1576,,T1558.002,Silver Ticket,[],[],,CM-2,mitigates,3 +1577,,T1558.003,Kerberoasting,[],[],,CM-2,mitigates,3 +1578,,T1558.004,AS-REP Roasting,[],[],,CM-2,mitigates,3 +1579,,T1559,Inter-Process Communication,[],[],,CM-2,mitigates,3 +1580,,T1559.001,Component Object Model,[],[],,CM-2,mitigates,3 +1581,,T1559.002,Dynamic Data Exchange,[],[],,CM-2,mitigates,3 +1582,,T1561,Disk Wipe,[],[],,CM-2,mitigates,3 +1583,,T1561.001,Disk Content Wipe,[],[],,CM-2,mitigates,3 +1584,,T1561.002,Disk Structure Wipe,[],[],,CM-2,mitigates,3 +1585,,T1562,Impair Defenses,[],[],,CM-2,mitigates,3 +1586,,T1562.001,Disable or Modify Tools,[],[],,CM-2,mitigates,3 +1587,,T1562.002,Disable Windows Event Logging,[],[],,CM-2,mitigates,3 +1588,,T1562.003,Impair Command History Logging,[],[],,CM-2,mitigates,3 +1589,,T1562.004,Disable or Modify System Firewall,[],[],,CM-2,mitigates,3 +1590,,T1562.006,Indicator Blocking,[],[],,CM-2,mitigates,3 +1591,,T1563,Remote Service Session Hijacking,[],[],,CM-2,mitigates,3 +1592,,T1563.001,SSH Hijacking,[],[],,CM-2,mitigates,3 +1593,,T1563.002,RDP Hijacking,[],[],,CM-2,mitigates,3 +1594,,T1564.006,Run Virtual Instance,[],[],,CM-2,mitigates,3 +1595,,T1564.007,VBA Stomping,[],[],,CM-2,mitigates,3 +1596,,T1565,Data Manipulation,[],[],,CM-2,mitigates,3 +1597,,T1565.001,Stored Data Manipulation,[],[],,CM-2,mitigates,3 +1598,,T1565.002,Transmitted Data Manipulation,[],[],,CM-2,mitigates,3 +1599,,T1566,Phishing,[],[],,CM-2,mitigates,3 +1600,,T1566.001,Spearphishing Attachment,[],[],,CM-2,mitigates,3 +1601,,T1566.002,Spearphishing Link,[],[],,CM-2,mitigates,3 +1602,,T1569,System Services,[],[],,CM-2,mitigates,3 +1603,,T1569.002,Service Execution,[],[],,CM-2,mitigates,3 +1604,,T1570,Lateral Tool Transfer,[],[],,CM-2,mitigates,3 +1605,,T1571,Non-Standard Port,[],[],,CM-2,mitigates,3 +1606,,T1572,Protocol Tunneling,[],[],,CM-2,mitigates,3 +1607,,T1573,Encrypted Channel,[],[],,CM-2,mitigates,3 +1608,,T1573.001,Symmetric 
Cryptography,[],[],,CM-2,mitigates,3 +1609,,T1573.002,Asymmetric Cryptography,[],[],,CM-2,mitigates,3 +1610,,T1574,Hijack Execution Flow,[],[],,CM-2,mitigates,3 +1611,,T1574.001,DLL Search Order Hijacking,[],[],,CM-2,mitigates,3 +1612,,T1574.004,Dylib Hijacking,[],[],,CM-2,mitigates,3 +1613,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-2,mitigates,3 +1614,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-2,mitigates,3 +1615,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-2,mitigates,3 +1616,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-2,mitigates,3 +1617,,T1574.010,Services File Permissions Weakness,[],[],,CM-2,mitigates,3 +1618,,T1598,Phishing for Information,[],[],,CM-2,mitigates,3 +1619,,T1598.002,Spearphishing Attachment,[],[],,CM-2,mitigates,3 +1620,,T1598.003,Spearphishing Link,[],[],,CM-2,mitigates,3 +1621,,T1599,Network Boundary Bridging,[],[],,CM-2,mitigates,3 +1622,,T1599.001,Network Address Translation Traversal,[],[],,CM-2,mitigates,3 +1623,,T1601,Modify System Image,[],[],,CM-2,mitigates,3 +1624,,T1601.001,Patch System Image,[],[],,CM-2,mitigates,3 +1625,,T1601.002,Downgrade System Image,[],[],,CM-2,mitigates,3 +1626,,T1602,Data from Configuration Repository,[],[],,CM-2,mitigates,3 +1627,,T1602.001,SNMP (MIB Dump),[],[],,CM-2,mitigates,3 +1628,,T1602.002,Network Device Configuration Dump,[],[],,CM-2,mitigates,3 +1629,,T1021.005,VNC,[],[],,CM-3,mitigates,3 +1630,,T1059.006,Python,[],[],,CM-3,mitigates,3 +1631,,T1176,Browser Extensions,[],[],,CM-3,mitigates,3 +1632,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-3,mitigates,3 +1633,,T1213,Data from Information Repositories,[],[],,CM-3,mitigates,3 +1634,,T1213.001,Confluence,[],[],,CM-3,mitigates,3 +1635,,T1213.002,Sharepoint,[],[],,CM-3,mitigates,3 +1636,,T1495,Firmware Corruption,[],[],,CM-3,mitigates,3 +1637,,T1542,Pre-OS Boot,[],[],,CM-3,mitigates,3 +1638,,T1542.001,System Firmware,[],[],,CM-3,mitigates,3 
+1639,,T1542.003,Bootkit,[],[],,CM-3,mitigates,3 +1640,,T1542.004,ROMMONkit,[],[],,CM-3,mitigates,3 +1641,,T1542.005,TFTP Boot,[],[],,CM-3,mitigates,3 +1642,,T1543,Create or Modify System Process,[],[],,CM-3,mitigates,3 +1643,,T1543.002,Systemd Service,[],[],,CM-3,mitigates,3 +1644,,T1547.007,Re-opened Applications,[],[],,CM-3,mitigates,3 +1645,,T1547.011,Plist Modification,[],[],,CM-3,mitigates,3 +1646,,T1547.013,XDG Autostart Entries,[],[],,CM-3,mitigates,3 +1647,,T1553,Subvert Trust Controls,[],[],,CM-3,mitigates,3 +1648,,T1553.006,Code Signing Policy Modification,[],[],,CM-3,mitigates,3 +1649,,T1601,Modify System Image,[],[],,CM-3,mitigates,3 +1650,,T1601.001,Patch System Image,[],[],,CM-3,mitigates,3 +1651,,T1601.002,Downgrade System Image,[],[],,CM-3,mitigates,3 +1652,,T1003,OS Credential Dumping,[],[],,CM-5,mitigates,3 +1653,,T1003.001,LSASS Memory,[],[],,CM-5,mitigates,3 +1654,,T1003.002,Security Account Manager,[],[],,CM-5,mitigates,3 +1655,,T1003.003,NTDS,[],[],,CM-5,mitigates,3 +1656,,T1003.004,LSA Secrets,[],[],,CM-5,mitigates,3 +1657,,T1003.005,Cached Domain Credentials,[],[],,CM-5,mitigates,3 +1658,,T1003.006,DCSync,[],[],,CM-5,mitigates,3 +1659,,T1003.007,Proc Filesystem,[],[],,CM-5,mitigates,3 +1660,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-5,mitigates,3 +1661,,T1021,Remote Services,[],[],,CM-5,mitigates,3 +1662,,T1021.001,Remote Desktop Protocol,[],[],,CM-5,mitigates,3 +1663,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-5,mitigates,3 +1664,,T1021.003,Distributed Component Object Model,[],[],,CM-5,mitigates,3 +1665,,T1021.004,SSH,[],[],,CM-5,mitigates,3 +1666,,T1021.005,VNC,[],[],,CM-5,mitigates,3 +1667,,T1021.006,Windows Remote Management,[],[],,CM-5,mitigates,3 +1668,,T1047,Windows Management Instrumentation,[],[],,CM-5,mitigates,3 +1669,,T1053,Scheduled Task/Job,[],[],,CM-5,mitigates,3 +1670,,T1053.001,At (Linux),[],[],,CM-5,mitigates,3 +1671,,T1053.002,At (Windows),[],[],,CM-5,mitigates,3 +1672,,T1053.003,Cron,[],[],,CM-5,mitigates,3 
+1673,,T1053.004,Launchd,[],[],,CM-5,mitigates,3 +1674,,T1053.005,Scheduled Task,[],[],,CM-5,mitigates,3 +1675,,T1053.006,Systemd Timers,[],[],,CM-5,mitigates,3 +1676,,T1053.007,Container Orchestration Job,[],[],,CM-5,mitigates,3 +1677,,T1055,Process Injection,[],[],,CM-5,mitigates,3 +1678,,T1055.008,Ptrace System Calls,[],[],,CM-5,mitigates,3 +1679,,T1056.003,Web Portal Capture,[],[],,CM-5,mitigates,3 +1680,,T1059,Command and Scripting Interpreter,[],[],,CM-5,mitigates,3 +1681,,T1059.001,PowerShell,[],[],,CM-5,mitigates,3 +1682,,T1059.006,Python,[],[],,CM-5,mitigates,3 +1683,,T1059.008,Network Device CLI,[],[],,CM-5,mitigates,3 +1684,,T1072,Software Deployment Tools,[],[],,CM-5,mitigates,3 +1685,,T1078,Valid Accounts,[],[],,CM-5,mitigates,3 +1686,,T1078.002,Domain Accounts,[],[],,CM-5,mitigates,3 +1687,,T1078.003,Local Accounts,[],[],,CM-5,mitigates,3 +1688,,T1078.004,Cloud Accounts,[],[],,CM-5,mitigates,3 +1689,,T1098,Account Manipulation,[],[],,CM-5,mitigates,3 +1690,,T1098.001,Additional Cloud Credentials,[],[],,CM-5,mitigates,3 +1691,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-5,mitigates,3 +1692,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-5,mitigates,3 +1693,,T1134,Access Token Manipulation,[],[],,CM-5,mitigates,3 +1694,,T1134.001,Token Impersonation/Theft,[],[],,CM-5,mitigates,3 +1695,,T1134.002,Create Process with Token,[],[],,CM-5,mitigates,3 +1696,,T1134.003,Make and Impersonate Token,[],[],,CM-5,mitigates,3 +1697,,T1136,Create Account,[],[],,CM-5,mitigates,3 +1698,,T1136.001,Local Account,[],[],,CM-5,mitigates,3 +1699,,T1136.002,Domain Account,[],[],,CM-5,mitigates,3 +1700,,T1136.003,Cloud Account,[],[],,CM-5,mitigates,3 +1701,,T1137.002,Office Test,[],[],,CM-5,mitigates,3 +1702,,T1176,Browser Extensions,[],[],,CM-5,mitigates,3 +1703,,T1185,Man in the Browser,[],[],,CM-5,mitigates,3 +1704,,T1190,Exploit Public-Facing Application,[],[],,CM-5,mitigates,3 +1705,,T1195.003,Compromise Hardware Supply 
Chain,[],[],,CM-5,mitigates,3 +1706,,T1197,BITS Jobs,[],[],,CM-5,mitigates,3 +1707,,T1210,Exploitation of Remote Services,[],[],,CM-5,mitigates,3 +1708,,T1213,Data from Information Repositories,[],[],,CM-5,mitigates,3 +1709,,T1213.001,Confluence,[],[],,CM-5,mitigates,3 +1710,,T1213.002,Sharepoint,[],[],,CM-5,mitigates,3 +1711,,T1218,Signed Binary Proxy Execution,[],[],,CM-5,mitigates,3 +1712,,T1218.007,Msiexec,[],[],,CM-5,mitigates,3 +1713,,T1222,File and Directory Permissions Modification,[],[],,CM-5,mitigates,3 +1714,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-5,mitigates,3 +1715,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-5,mitigates,3 +1716,,T1484,Domain Policy Modification,[],[],,CM-5,mitigates,3 +1717,,T1489,Service Stop,[],[],,CM-5,mitigates,3 +1718,,T1495,Firmware Corruption,[],[],,CM-5,mitigates,3 +1719,,T1505,Server Software Component,[],[],,CM-5,mitigates,3 +1720,,T1505.001,SQL Stored Procedures,[],[],,CM-5,mitigates,3 +1721,,T1505.002,Transport Agent,[],[],,CM-5,mitigates,3 +1722,,T1525,Implant Internal Image,[],[],,CM-5,mitigates,3 +1723,,T1528,Steal Application Access Token,[],[],,CM-5,mitigates,3 +1724,,T1530,Data from Cloud Storage Object,[],[],,CM-5,mitigates,3 +1725,,T1537,Transfer Data to Cloud Account,[],[],,CM-5,mitigates,3 +1726,,T1542,Pre-OS Boot,[],[],,CM-5,mitigates,3 +1727,,T1542.001,System Firmware,[],[],,CM-5,mitigates,3 +1728,,T1542.003,Bootkit,[],[],,CM-5,mitigates,3 +1729,,T1542.004,ROMMONkit,[],[],,CM-5,mitigates,3 +1730,,T1542.005,TFTP Boot,[],[],,CM-5,mitigates,3 +1731,,T1543,Create or Modify System Process,[],[],,CM-5,mitigates,3 +1732,,T1543.001,Launch Agent,[],[],,CM-5,mitigates,3 +1733,,T1543.002,Systemd Service,[],[],,CM-5,mitigates,3 +1734,,T1543.003,Windows Service,[],[],,CM-5,mitigates,3 +1735,,T1543.004,Launch Daemon,[],[],,CM-5,mitigates,3 +1736,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-5,mitigates,3 +1737,,T1547.003,Time 
Providers,[],[],,CM-5,mitigates,3 +1738,,T1547.004,Winlogon Helper DLL,[],[],,CM-5,mitigates,3 +1739,,T1547.006,Kernel Modules and Extensions,[],[],,CM-5,mitigates,3 +1740,,T1547.007,Re-opened Applications,[],[],,CM-5,mitigates,3 +1741,,T1547.009,Shortcut Modification,[],[],,CM-5,mitigates,3 +1742,,T1547.011,Plist Modification,[],[],,CM-5,mitigates,3 +1743,,T1547.012,Print Processors,[],[],,CM-5,mitigates,3 +1744,,T1547.013,XDG Autostart Entries,[],[],,CM-5,mitigates,3 +1745,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-5,mitigates,3 +1746,,T1548.002,Bypass User Account Control,[],[],,CM-5,mitigates,3 +1747,,T1548.003,Sudo and Sudo Caching,[],[],,CM-5,mitigates,3 +1748,,T1550,Use Alternate Authentication Material,[],[],,CM-5,mitigates,3 +1749,,T1550.002,Pass the Hash,[],[],,CM-5,mitigates,3 +1750,,T1550.003,Pass the Ticket,[],[],,CM-5,mitigates,3 +1751,,T1552,Unsecured Credentials,[],[],,CM-5,mitigates,3 +1752,,T1552.002,Credentials in Registry,[],[],,CM-5,mitigates,3 +1753,,T1552.007,Container API,[],[],,CM-5,mitigates,3 +1754,,T1553,Subvert Trust Controls,[],[],,CM-5,mitigates,3 +1755,,T1553.006,Code Signing Policy Modification,[],[],,CM-5,mitigates,3 +1756,,T1556,Modify Authentication Process,[],[],,CM-5,mitigates,3 +1757,,T1556.001,Domain Controller Authentication,[],[],,CM-5,mitigates,3 +1758,,T1556.003,Pluggable Authentication Modules,[],[],,CM-5,mitigates,3 +1759,,T1556.004,Network Device Authentication,[],[],,CM-5,mitigates,3 +1760,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-5,mitigates,3 +1761,,T1558.001,Golden Ticket,[],[],,CM-5,mitigates,3 +1762,,T1558.002,Silver Ticket,[],[],,CM-5,mitigates,3 +1763,,T1558.003,Kerberoasting,[],[],,CM-5,mitigates,3 +1764,,T1559,Inter-Process Communication,[],[],,CM-5,mitigates,3 +1765,,T1559.001,Component Object Model,[],[],,CM-5,mitigates,3 +1766,,T1562,Impair Defenses,[],[],,CM-5,mitigates,3 +1767,,T1562.001,Disable or Modify Tools,[],[],,CM-5,mitigates,3 +1768,,T1562.002,Disable Windows Event 
Logging,[],[],,CM-5,mitigates,3 +1769,,T1562.004,Disable or Modify System Firewall,[],[],,CM-5,mitigates,3 +1770,,T1562.006,Indicator Blocking,[],[],,CM-5,mitigates,3 +1771,,T1562.007,Disable or Modify Cloud Firewall,[],[],,CM-5,mitigates,3 +1772,,T1562.008,Disable Cloud Logs,[],[],,CM-5,mitigates,3 +1773,,T1563,Remote Service Session Hijacking,[],[],,CM-5,mitigates,3 +1774,,T1563.001,SSH Hijacking,[],[],,CM-5,mitigates,3 +1775,,T1563.002,RDP Hijacking,[],[],,CM-5,mitigates,3 +1776,,T1569,System Services,[],[],,CM-5,mitigates,3 +1777,,T1569.001,Launchctl,[],[],,CM-5,mitigates,3 +1778,,T1569.002,Service Execution,[],[],,CM-5,mitigates,3 +1779,,T1574,Hijack Execution Flow,[],[],,CM-5,mitigates,3 +1780,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-5,mitigates,3 +1781,,T1574.010,Services File Permissions Weakness,[],[],,CM-5,mitigates,3 +1782,,T1574.011,Services Registry Permissions Weakness,[],[],,CM-5,mitigates,3 +1783,,T1574.012,COR_PROFILER,[],[],,CM-5,mitigates,3 +1784,,T1578,Modify Cloud Compute Infrastructure,[],[],,CM-5,mitigates,3 +1785,,T1578.001,Create Snapshot,[],[],,CM-5,mitigates,3 +1786,,T1578.002,Create Cloud Instance,[],[],,CM-5,mitigates,3 +1787,,T1578.003,Delete Cloud Instance,[],[],,CM-5,mitigates,3 +1788,,T1599,Network Boundary Bridging,[],[],,CM-5,mitigates,3 +1789,,T1599.001,Network Address Translation Traversal,[],[],,CM-5,mitigates,3 +1790,,T1601,Modify System Image,[],[],,CM-5,mitigates,3 +1791,,T1601.001,Patch System Image,[],[],,CM-5,mitigates,3 +1792,,T1601.002,Downgrade System Image,[],[],,CM-5,mitigates,3 +1793,,T1611,Escape to Host,[],[],,CM-5,mitigates,3 +1794,,T1001,Data Obfuscation,[],[],,CM-6,mitigates,3 +1795,,T1001.001,Junk Data,[],[],,CM-6,mitigates,3 +1796,,T1001.002,Steganography,[],[],,CM-6,mitigates,3 +1797,,T1001.003,Protocol Impersonation,[],[],,CM-6,mitigates,3 +1798,,T1003,OS Credential Dumping,[],[],,CM-6,mitigates,3 +1799,,T1003.001,LSASS Memory,[],[],,CM-6,mitigates,3 +1800,,T1003.002,Security 
Account Manager,[],[],,CM-6,mitigates,3 +1801,,T1003.003,NTDS,[],[],,CM-6,mitigates,3 +1802,,T1003.004,LSA Secrets,[],[],,CM-6,mitigates,3 +1803,,T1003.005,Cached Domain Credentials,[],[],,CM-6,mitigates,3 +1804,,T1003.006,DCSync,[],[],,CM-6,mitigates,3 +1805,,T1003.007,Proc Filesystem,[],[],,CM-6,mitigates,3 +1806,,T1003.008,/etc/passwd and /etc/shadow,[],[],,CM-6,mitigates,3 +1807,,T1008,Fallback Channels,[],[],,CM-6,mitigates,3 +1808,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-6,mitigates,3 +1809,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-6,mitigates,3 +1810,,T1020.001,Traffic Duplication,[],[],,CM-6,mitigates,3 +1811,,T1021,Remote Services,[],[],,CM-6,mitigates,3 +1812,,T1021.001,Remote Desktop Protocol,[],[],,CM-6,mitigates,3 +1813,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-6,mitigates,3 +1814,,T1021.003,Distributed Component Object Model,[],[],,CM-6,mitigates,3 +1815,,T1021.004,SSH,[],[],,CM-6,mitigates,3 +1816,,T1021.005,VNC,[],[],,CM-6,mitigates,3 +1817,,T1021.006,Windows Remote Management,[],[],,CM-6,mitigates,3 +1818,,T1029,Scheduled Transfer,[],[],,CM-6,mitigates,3 +1819,,T1030,Data Transfer Size Limits,[],[],,CM-6,mitigates,3 +1820,,T1036,Masquerading,[],[],,CM-6,mitigates,3 +1821,,T1036.001,Invalid Code Signature,[],[],,CM-6,mitigates,3 +1822,,T1036.003,Rename System Utilities,[],[],,CM-6,mitigates,3 +1823,,T1036.005,Match Legitimate Name or Location,[],[],,CM-6,mitigates,3 +1824,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-6,mitigates,3 +1825,,T1037.002,Logon Script (Mac),[],[],,CM-6,mitigates,3 +1826,,T1037.003,Network Logon Script,[],[],,CM-6,mitigates,3 +1827,,T1037.004,RC Scripts,[],[],,CM-6,mitigates,3 +1828,,T1037.005,Startup Items,[],[],,CM-6,mitigates,3 +1829,,T1046,Network Service Scanning,[],[],,CM-6,mitigates,3 +1830,,T1047,Windows Management Instrumentation,[],[],,CM-6,mitigates,3 +1831,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-6,mitigates,3 +1832,,T1048.001,Exfiltration Over Symmetric Encrypted 
Non-C2 Protocol,[],[],,CM-6,mitigates,3 +1833,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-6,mitigates,3 +1834,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-6,mitigates,3 +1835,,T1052,Exfiltration Over Physical Medium,[],[],,CM-6,mitigates,3 +1836,,T1052.001,Exfiltration over USB,[],[],,CM-6,mitigates,3 +1837,,T1053,Scheduled Task/Job,[],[],,CM-6,mitigates,3 +1838,,T1053.002,At (Windows),[],[],,CM-6,mitigates,3 +1839,,T1053.005,Scheduled Task,[],[],,CM-6,mitigates,3 +1840,,T1055,Process Injection,[],[],,CM-6,mitigates,3 +1841,,T1055.008,Ptrace System Calls,[],[],,CM-6,mitigates,3 +1842,,T1056.003,Web Portal Capture,[],[],,CM-6,mitigates,3 +1843,,T1059,Command and Scripting Interpreter,[],[],,CM-6,mitigates,3 +1844,,T1059.001,PowerShell,[],[],,CM-6,mitigates,3 +1845,,T1059.002,AppleScript,[],[],,CM-6,mitigates,3 +1846,,T1059.005,Visual Basic,[],[],,CM-6,mitigates,3 +1847,,T1059.007,JavaScript,[],[],,CM-6,mitigates,3 +1848,,T1059.008,Network Device CLI,[],[],,CM-6,mitigates,3 +1849,,T1068,Exploitation for Privilege Escalation,[],[],,CM-6,mitigates,3 +1850,,T1070,Indicator Removal on Host,[],[],,CM-6,mitigates,3 +1851,,T1070.001,Clear Windows Event Logs,[],[],,CM-6,mitigates,3 +1852,,T1070.002,Clear Linux or Mac System Logs,[],[],,CM-6,mitigates,3 +1853,,T1070.003,Clear Command History,[],[],,CM-6,mitigates,3 +1854,,T1071,Application Layer Protocol,[],[],,CM-6,mitigates,3 +1855,,T1071.001,Web Protocols,[],[],,CM-6,mitigates,3 +1856,,T1071.002,File Transfer Protocols,[],[],,CM-6,mitigates,3 +1857,,T1071.003,Mail Protocols,[],[],,CM-6,mitigates,3 +1858,,T1071.004,DNS,[],[],,CM-6,mitigates,3 +1859,,T1072,Software Deployment Tools,[],[],,CM-6,mitigates,3 +1860,,T1078,Valid Accounts,[],[],,CM-6,mitigates,3 +1861,,T1078.002,Domain Accounts,[],[],,CM-6,mitigates,3 +1862,,T1078.003,Local Accounts,[],[],,CM-6,mitigates,3 +1863,,T1078.004,Cloud Accounts,[],[],,CM-6,mitigates,3 +1864,,T1087,Account 
Discovery,[],[],,CM-6,mitigates,3 +1865,,T1087.001,Local Account,[],[],,CM-6,mitigates,3 +1866,,T1087.002,Domain Account,[],[],,CM-6,mitigates,3 +1867,,T1090,Proxy,[],[],,CM-6,mitigates,3 +1868,,T1090.001,Internal Proxy,[],[],,CM-6,mitigates,3 +1869,,T1090.002,External Proxy,[],[],,CM-6,mitigates,3 +1870,,T1090.003,Multi-hop Proxy,[],[],,CM-6,mitigates,3 +1871,,T1091,Replication Through Removable Media,[],[],,CM-6,mitigates,3 +1872,,T1092,Communication Through Removable Media,[],[],,CM-6,mitigates,3 +1873,,T1095,Non-Application Layer Protocol,[],[],,CM-6,mitigates,3 +1874,,T1098,Account Manipulation,[],[],,CM-6,mitigates,3 +1875,,T1098.001,Additional Cloud Credentials,[],[],,CM-6,mitigates,3 +1876,,T1098.002,Exchange Email Delegate Permissions,[],[],,CM-6,mitigates,3 +1877,,T1098.003,Add Office 365 Global Administrator Role,[],[],,CM-6,mitigates,3 +1878,,T1098.004,SSH Authorized Keys,[],[],,CM-6,mitigates,3 +1879,,T1102,Web Service,[],[],,CM-6,mitigates,3 +1880,,T1102.001,Dead Drop Resolver,[],[],,CM-6,mitigates,3 +1881,,T1102.002,Bidirectional Communication,[],[],,CM-6,mitigates,3 +1882,,T1102.003,One-Way Communication,[],[],,CM-6,mitigates,3 +1883,,T1104,Multi-Stage Channels,[],[],,CM-6,mitigates,3 +1884,,T1105,Ingress Tool Transfer,[],[],,CM-6,mitigates,3 +1885,,T1110,Brute Force,[],[],,CM-6,mitigates,3 +1886,,T1110.001,Password Guessing,[],[],,CM-6,mitigates,3 +1887,,T1110.002,Password Cracking,[],[],,CM-6,mitigates,3 +1888,,T1110.003,Password Spraying,[],[],,CM-6,mitigates,3 +1889,,T1110.004,Credential Stuffing,[],[],,CM-6,mitigates,3 +1890,,T1111,Two-Factor Authentication Interception,[],[],,CM-6,mitigates,3 +1891,,T1114,Email Collection,[],[],,CM-6,mitigates,3 +1892,,T1114.002,Remote Email Collection,[],[],,CM-6,mitigates,3 +1893,,T1119,Automated Collection,[],[],,CM-6,mitigates,3 +1894,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-6,mitigates,3 +1895,,T1127.001,MSBuild,[],[],,CM-6,mitigates,3 +1896,,T1132,Data Encoding,[],[],,CM-6,mitigates,3 
+1897,,T1132.001,Standard Encoding,[],[],,CM-6,mitigates,3 +1898,,T1132.002,Non-Standard Encoding,[],[],,CM-6,mitigates,3 +1899,,T1133,External Remote Services,[],[],,CM-6,mitigates,3 +1900,,T1134,Access Token Manipulation,[],[],,CM-6,mitigates,3 +1901,,T1134.001,Token Impersonation/Theft,[],[],,CM-6,mitigates,3 +1902,,T1134.002,Create Process with Token,[],[],,CM-6,mitigates,3 +1903,,T1134.003,Make and Impersonate Token,[],[],,CM-6,mitigates,3 +1904,,T1134.005,SID-History Injection,[],[],,CM-6,mitigates,3 +1905,,T1135,Network Share Discovery,[],[],,CM-6,mitigates,3 +1906,,T1136,Create Account,[],[],,CM-6,mitigates,3 +1907,,T1136.001,Local Account,[],[],,CM-6,mitigates,3 +1908,,T1136.002,Domain Account,[],[],,CM-6,mitigates,3 +1909,,T1136.003,Cloud Account,[],[],,CM-6,mitigates,3 +1910,,T1137,Office Application Startup,[],[],,CM-6,mitigates,3 +1911,,T1137.001,Office Template Macros,[],[],,CM-6,mitigates,3 +1912,,T1176,Browser Extensions,[],[],,CM-6,mitigates,3 +1913,,T1187,Forced Authentication,[],[],,CM-6,mitigates,3 +1914,,T1189,Drive-by Compromise,[],[],,CM-6,mitigates,3 +1915,,T1190,Exploit Public-Facing Application,[],[],,CM-6,mitigates,3 +1916,,T1197,BITS Jobs,[],[],,CM-6,mitigates,3 +1917,,T1199,Trusted Relationship,[],[],,CM-6,mitigates,3 +1918,,T1201,Password Policy Discovery,[],[],,CM-6,mitigates,3 +1919,,T1204,User Execution,[],[],,CM-6,mitigates,3 +1920,,T1204.001,Malicious Link,[],[],,CM-6,mitigates,3 +1921,,T1204.002,Malicious File,[],[],,CM-6,mitigates,3 +1922,,T1204.003,Malicious Image,[],[],,CM-6,mitigates,3 +1923,,T1205,Traffic Signaling,[],[],,CM-6,mitigates,3 +1924,,T1205.001,Port Knocking,[],[],,CM-6,mitigates,3 +1925,,T1210,Exploitation of Remote Services,[],[],,CM-6,mitigates,3 +1926,,T1211,Exploitation for Defense Evasion,[],[],,CM-6,mitigates,3 +1927,,T1212,Exploitation for Credential Access,[],[],,CM-6,mitigates,3 +1928,,T1213,Data from Information Repositories,[],[],,CM-6,mitigates,3 +1929,,T1213.001,Confluence,[],[],,CM-6,mitigates,3 
+1930,,T1213.002,Sharepoint,[],[],,CM-6,mitigates,3 +1931,,T1216,Signed Script Proxy Execution,[],[],,CM-6,mitigates,3 +1932,,T1216.001,PubPrn,[],[],,CM-6,mitigates,3 +1933,,T1218,Signed Binary Proxy Execution,[],[],,CM-6,mitigates,3 +1934,,T1218.001,Compiled HTML File,[],[],,CM-6,mitigates,3 +1935,,T1218.002,Control Panel,[],[],,CM-6,mitigates,3 +1936,,T1218.003,CMSTP,[],[],,CM-6,mitigates,3 +1937,,T1218.004,InstallUtil,[],[],,CM-6,mitigates,3 +1938,,T1218.005,Mshta,[],[],,CM-6,mitigates,3 +1939,,T1218.007,Msiexec,[],[],,CM-6,mitigates,3 +1940,,T1218.008,Odbcconf,[],[],,CM-6,mitigates,3 +1941,,T1218.009,Regsvcs/Regasm,[],[],,CM-6,mitigates,3 +1942,,T1218.012,Verclsid,[],[],,CM-6,mitigates,3 +1943,,T1219,Remote Access Software,[],[],,CM-6,mitigates,3 +1944,,T1220,XSL Script Processing,[],[],,CM-6,mitigates,3 +1945,,T1221,Template Injection,[],[],,CM-6,mitigates,3 +1946,,T1222,File and Directory Permissions Modification,[],[],,CM-6,mitigates,3 +1947,,T1222.001,Windows File and Directory Permissions Modification,[],[],,CM-6,mitigates,3 +1948,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,CM-6,mitigates,3 +1949,,T1482,Domain Trust Discovery,[],[],,CM-6,mitigates,3 +1950,,T1484,Domain Policy Modification,[],[],,CM-6,mitigates,3 +1951,,T1489,Service Stop,[],[],,CM-6,mitigates,3 +1952,,T1490,Inhibit System Recovery,[],[],,CM-6,mitigates,3 +1953,,T1495,Firmware Corruption,[],[],,CM-6,mitigates,3 +1954,,T1498,Network Denial of Service,[],[],,CM-6,mitigates,3 +1955,,T1498.001,Direct Network Flood,[],[],,CM-6,mitigates,3 +1956,,T1498.002,Reflection Amplification,[],[],,CM-6,mitigates,3 +1957,,T1499,Endpoint Denial of Service,[],[],,CM-6,mitigates,3 +1958,,T1499.001,OS Exhaustion Flood,[],[],,CM-6,mitigates,3 +1959,,T1499.002,Service Exhaustion Flood,[],[],,CM-6,mitigates,3 +1960,,T1499.003,Application Exhaustion Flood,[],[],,CM-6,mitigates,3 +1961,,T1499.004,Application or System Exploitation,[],[],,CM-6,mitigates,3 +1962,,T1505,Server Software 
Component,[],[],,CM-6,mitigates,3 +1963,,T1505.001,SQL Stored Procedures,[],[],,CM-6,mitigates,3 +1964,,T1505.002,Transport Agent,[],[],,CM-6,mitigates,3 +1965,,T1525,Implant Internal Image,[],[],,CM-6,mitigates,3 +1966,,T1528,Steal Application Access Token,[],[],,CM-6,mitigates,3 +1967,,T1530,Data from Cloud Storage Object,[],[],,CM-6,mitigates,3 +1968,,T1537,Transfer Data to Cloud Account,[],[],,CM-6,mitigates,3 +1969,,T1539,Steal Web Session Cookie,[],[],,CM-6,mitigates,3 +1970,,T1542,Pre-OS Boot,[],[],,CM-6,mitigates,3 +1971,,T1542.001,System Firmware,[],[],,CM-6,mitigates,3 +1972,,T1542.003,Bootkit,[],[],,CM-6,mitigates,3 +1973,,T1542.004,ROMMONkit,[],[],,CM-6,mitigates,3 +1974,,T1542.005,TFTP Boot,[],[],,CM-6,mitigates,3 +1975,,T1543,Create or Modify System Process,[],[],,CM-6,mitigates,3 +1976,,T1543.002,Systemd Service,[],[],,CM-6,mitigates,3 +1977,,T1543.003,Windows Service,[],[],,CM-6,mitigates,3 +1978,,T1546,Event Triggered Execution,[],[],,CM-6,mitigates,3 +1979,,T1546.002,Screensaver,[],[],,CM-6,mitigates,3 +1980,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,CM-6,mitigates,3 +1981,,T1546.004,Unix Shell Configuration Modification,[],[],,CM-6,mitigates,3 +1982,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-6,mitigates,3 +1983,,T1546.008,Accessibility Features,[],[],,CM-6,mitigates,3 +1984,,T1546.013,PowerShell Profile,[],[],,CM-6,mitigates,3 +1985,,T1546.014,Emond,[],[],,CM-6,mitigates,3 +1986,,T1547.002,Authentication Package,[],[],,CM-6,mitigates,3 +1987,,T1547.003,Time Providers,[],[],,CM-6,mitigates,3 +1988,,T1547.005,Security Support Provider,[],[],,CM-6,mitigates,3 +1989,,T1547.006,Kernel Modules and Extensions,[],[],,CM-6,mitigates,3 +1990,,T1547.007,Re-opened Applications,[],[],,CM-6,mitigates,3 +1991,,T1547.008,LSASS Driver,[],[],,CM-6,mitigates,3 +1992,,T1547.011,Plist Modification,[],[],,CM-6,mitigates,3 +1993,,T1547.013,XDG Autostart Entries,[],[],,CM-6,mitigates,3 +1994,,T1548,Abuse Elevation Control 
Mechanism,[],[],,CM-6,mitigates,3 +1995,,T1548.001,Setuid and Setgid,[],[],,CM-6,mitigates,3 +1996,,T1548.002,Bypass User Account Control,[],[],,CM-6,mitigates,3 +1997,,T1548.003,Sudo and Sudo Caching,[],[],,CM-6,mitigates,3 +1998,,T1548.004,Elevated Execution with Prompt,[],[],,CM-6,mitigates,3 +1999,,T1550,Use Alternate Authentication Material,[],[],,CM-6,mitigates,3 +2000,,T1550.001,Application Access Token,[],[],,CM-6,mitigates,3 +2001,,T1550.002,Pass the Hash,[],[],,CM-6,mitigates,3 +2002,,T1550.003,Pass the Ticket,[],[],,CM-6,mitigates,3 +2003,,T1552,Unsecured Credentials,[],[],,CM-6,mitigates,3 +2004,,T1552.001,Credentials In Files,[],[],,CM-6,mitigates,3 +2005,,T1552.002,Credentials in Registry,[],[],,CM-6,mitigates,3 +2006,,T1552.003,Bash History,[],[],,CM-6,mitigates,3 +2007,,T1552.004,Private Keys,[],[],,CM-6,mitigates,3 +2008,,T1552.005,Cloud Instance Metadata API,[],[],,CM-6,mitigates,3 +2009,,T1552.006,Group Policy Preferences,[],[],,CM-6,mitigates,3 +2010,,T1552.007,Container API,[],[],,CM-6,mitigates,3 +2011,,T1553,Subvert Trust Controls,[],[],,CM-6,mitigates,3 +2012,,T1553.001,Gatekeeper Bypass,[],[],,CM-6,mitigates,3 +2013,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-6,mitigates,3 +2014,,T1553.004,Install Root Certificate,[],[],,CM-6,mitigates,3 +2015,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-6,mitigates,3 +2016,,T1554,Compromise Client Software Binary,[],[],,CM-6,mitigates,3 +2017,,T1555.004,Windows Credential Manager,[],[],,CM-6,mitigates,3 +2018,,T1555.005,Password Managers,[],[],,CM-6,mitigates,3 +2019,,T1556,Modify Authentication Process,[],[],,CM-6,mitigates,3 +2020,,T1556.001,Domain Controller Authentication,[],[],,CM-6,mitigates,3 +2021,,T1556.002,Password Filter DLL,[],[],,CM-6,mitigates,3 +2022,,T1556.003,Pluggable Authentication Modules,[],[],,CM-6,mitigates,3 +2023,,T1556.004,Network Device Authentication,[],[],,CM-6,mitigates,3 +2024,,T1557,Man-in-the-Middle,[],[],,CM-6,mitigates,3 +2025,,T1557.001,LLMNR/NBT-NS Poisoning 
and SMB Relay,[],[],,CM-6,mitigates,3 +2026,,T1557.002,ARP Cache Poisoning,[],[],,CM-6,mitigates,3 +2027,,T1558,Steal or Forge Kerberos Tickets,[],[],,CM-6,mitigates,3 +2028,,T1558.001,Golden Ticket,[],[],,CM-6,mitigates,3 +2029,,T1558.002,Silver Ticket,[],[],,CM-6,mitigates,3 +2030,,T1558.003,Kerberoasting,[],[],,CM-6,mitigates,3 +2031,,T1558.004,AS-REP Roasting,[],[],,CM-6,mitigates,3 +2032,,T1559,Inter-Process Communication,[],[],,CM-6,mitigates,3 +2033,,T1559.001,Component Object Model,[],[],,CM-6,mitigates,3 +2034,,T1559.002,Dynamic Data Exchange,[],[],,CM-6,mitigates,3 +2035,,T1562,Impair Defenses,[],[],,CM-6,mitigates,3 +2036,,T1562.001,Disable or Modify Tools,[],[],,CM-6,mitigates,3 +2037,,T1562.002,Disable Windows Event Logging,[],[],,CM-6,mitigates,3 +2038,,T1562.003,Impair Command History Logging,[],[],,CM-6,mitigates,3 +2039,,T1562.004,Disable or Modify System Firewall,[],[],,CM-6,mitigates,3 +2040,,T1562.006,Indicator Blocking,[],[],,CM-6,mitigates,3 +2041,,T1563,Remote Service Session Hijacking,[],[],,CM-6,mitigates,3 +2042,,T1563.001,SSH Hijacking,[],[],,CM-6,mitigates,3 +2043,,T1563.002,RDP Hijacking,[],[],,CM-6,mitigates,3 +2044,,T1564.002,Hidden Users,[],[],,CM-6,mitigates,3 +2045,,T1564.006,Run Virtual Instance,[],[],,CM-6,mitigates,3 +2046,,T1564.007,VBA Stomping,[],[],,CM-6,mitigates,3 +2047,,T1565,Data Manipulation,[],[],,CM-6,mitigates,3 +2048,,T1565.001,Stored Data Manipulation,[],[],,CM-6,mitigates,3 +2049,,T1565.002,Transmitted Data Manipulation,[],[],,CM-6,mitigates,3 +2050,,T1565.003,Runtime Data Manipulation,[],[],,CM-6,mitigates,3 +2051,,T1566,Phishing,[],[],,CM-6,mitigates,3 +2052,,T1566.001,Spearphishing Attachment,[],[],,CM-6,mitigates,3 +2053,,T1566.002,Spearphishing Link,[],[],,CM-6,mitigates,3 +2054,,T1569,System Services,[],[],,CM-6,mitigates,3 +2055,,T1569.002,Service Execution,[],[],,CM-6,mitigates,3 +2056,,T1570,Lateral Tool Transfer,[],[],,CM-6,mitigates,3 +2057,,T1571,Non-Standard Port,[],[],,CM-6,mitigates,3 
+2058,,T1572,Protocol Tunneling,[],[],,CM-6,mitigates,3 +2059,,T1573,Encrypted Channel,[],[],,CM-6,mitigates,3 +2060,,T1573.001,Symmetric Cryptography,[],[],,CM-6,mitigates,3 +2061,,T1573.002,Asymmetric Cryptography,[],[],,CM-6,mitigates,3 +2062,,T1574,Hijack Execution Flow,[],[],,CM-6,mitigates,3 +2063,,T1574.001,DLL Search Order Hijacking,[],[],,CM-6,mitigates,3 +2064,,T1574.004,Dylib Hijacking,[],[],,CM-6,mitigates,3 +2065,,T1574.005,Executable Installer File Permissions Weakness,[],[],,CM-6,mitigates,3 +2066,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-6,mitigates,3 +2067,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-6,mitigates,3 +2068,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-6,mitigates,3 +2069,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-6,mitigates,3 +2070,,T1574.010,Services File Permissions Weakness,[],[],,CM-6,mitigates,3 +2071,,T1598,Phishing for Information,[],[],,CM-6,mitigates,3 +2072,,T1598.002,Spearphishing Attachment,[],[],,CM-6,mitigates,3 +2073,,T1598.003,Spearphishing Link,[],[],,CM-6,mitigates,3 +2074,,T1599,Network Boundary Bridging,[],[],,CM-6,mitigates,3 +2075,,T1599.001,Network Address Translation Traversal,[],[],,CM-6,mitigates,3 +2076,,T1601,Modify System Image,[],[],,CM-6,mitigates,3 +2077,,T1601.001,Patch System Image,[],[],,CM-6,mitigates,3 +2078,,T1601.002,Downgrade System Image,[],[],,CM-6,mitigates,3 +2079,,T1602,Data from Configuration Repository,[],[],,CM-6,mitigates,3 +2080,,T1602.001,SNMP (MIB Dump),[],[],,CM-6,mitigates,3 +2081,,T1602.002,Network Device Configuration Dump,[],[],,CM-6,mitigates,3 +2082,,T1609,Container Administration Command,[],[],,CM-6,mitigates,3 +2083,,T1610,Deploy Container,[],[],,CM-6,mitigates,3 +2084,,T1611,Escape to Host,[],[],,CM-6,mitigates,3 +2085,,T1612,Build Image on Host,[],[],,CM-6,mitigates,3 +2086,,T1613,Container and Resource Discovery,[],[],,CM-6,mitigates,3 +2087,,T1003,OS Credential Dumping,[],[],,CM-7,mitigates,3 
+2088,,T1003.001,LSASS Memory,[],[],,CM-7,mitigates,3 +2089,,T1003.002,Security Account Manager,[],[],,CM-7,mitigates,3 +2090,,T1003.005,Cached Domain Credentials,[],[],,CM-7,mitigates,3 +2091,,T1008,Fallback Channels,[],[],,CM-7,mitigates,3 +2092,,T1011,Exfiltration Over Other Network Medium,[],[],,CM-7,mitigates,3 +2093,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-7,mitigates,3 +2094,,T1021.001,Remote Desktop Protocol,[],[],,CM-7,mitigates,3 +2095,,T1021.002,SMB/Windows Admin Shares,[],[],,CM-7,mitigates,3 +2096,,T1021.003,Distributed Component Object Model,[],[],,CM-7,mitigates,3 +2097,,T1021.005,VNC,[],[],,CM-7,mitigates,3 +2098,,T1021.006,Windows Remote Management,[],[],,CM-7,mitigates,3 +2099,,T1036,Masquerading,[],[],,CM-7,mitigates,3 +2100,,T1036.005,Match Legitimate Name or Location,[],[],,CM-7,mitigates,3 +2101,,T1037,Boot or Logon Initialization Scripts,[],[],,CM-7,mitigates,3 +2102,,T1037.001,Logon Script (Windows),[],[],,CM-7,mitigates,3 +2103,,T1046,Network Service Scanning,[],[],,CM-7,mitigates,3 +2104,,T1048,Exfiltration Over Alternative Protocol,[],[],,CM-7,mitigates,3 +2105,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,3 +2106,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,CM-7,mitigates,3 +2107,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,CM-7,mitigates,3 +2108,,T1053,Scheduled Task/Job,[],[],,CM-7,mitigates,3 +2109,,T1053.002,At (Windows),[],[],,CM-7,mitigates,3 +2110,,T1053.005,Scheduled Task,[],[],,CM-7,mitigates,3 +2111,,T1059,Command and Scripting Interpreter,[],[],,CM-7,mitigates,3 +2112,,T1059.002,AppleScript,[],[],,CM-7,mitigates,3 +2113,,T1059.003,Windows Command Shell,[],[],,CM-7,mitigates,3 +2114,,T1059.004,Unix Shell,[],[],,CM-7,mitigates,3 +2115,,T1059.005,Visual Basic,[],[],,CM-7,mitigates,3 +2116,,T1059.006,Python,[],[],,CM-7,mitigates,3 +2117,,T1059.007,JavaScript,[],[],,CM-7,mitigates,3 +2118,,T1068,Exploitation for Privilege 
Escalation,[],[],,CM-7,mitigates,3 +2119,,T1071,Application Layer Protocol,[],[],,CM-7,mitigates,3 +2120,,T1071.001,Web Protocols,[],[],,CM-7,mitigates,3 +2121,,T1071.002,File Transfer Protocols,[],[],,CM-7,mitigates,3 +2122,,T1071.003,Mail Protocols,[],[],,CM-7,mitigates,3 +2123,,T1071.004,DNS,[],[],,CM-7,mitigates,3 +2124,,T1072,Software Deployment Tools,[],[],,CM-7,mitigates,3 +2125,,T1080,Taint Shared Content,[],[],,CM-7,mitigates,3 +2126,,T1087,Account Discovery,[],[],,CM-7,mitigates,3 +2127,,T1087.001,Local Account,[],[],,CM-7,mitigates,3 +2128,,T1087.002,Domain Account,[],[],,CM-7,mitigates,3 +2129,,T1090,Proxy,[],[],,CM-7,mitigates,3 +2130,,T1090.001,Internal Proxy,[],[],,CM-7,mitigates,3 +2131,,T1090.002,External Proxy,[],[],,CM-7,mitigates,3 +2132,,T1090.003,Multi-hop Proxy,[],[],,CM-7,mitigates,3 +2133,,T1092,Communication Through Removable Media,[],[],,CM-7,mitigates,3 +2134,,T1095,Non-Application Layer Protocol,[],[],,CM-7,mitigates,3 +2135,,T1098,Account Manipulation,[],[],,CM-7,mitigates,3 +2136,,T1098.001,Additional Cloud Credentials,[],[],,CM-7,mitigates,3 +2137,,T1098.004,SSH Authorized Keys,[],[],,CM-7,mitigates,3 +2138,,T1102,Web Service,[],[],,CM-7,mitigates,3 +2139,,T1102.001,Dead Drop Resolver,[],[],,CM-7,mitigates,3 +2140,,T1102.002,Bidirectional Communication,[],[],,CM-7,mitigates,3 +2141,,T1102.003,One-Way Communication,[],[],,CM-7,mitigates,3 +2142,,T1104,Multi-Stage Channels,[],[],,CM-7,mitigates,3 +2143,,T1105,Ingress Tool Transfer,[],[],,CM-7,mitigates,3 +2144,,T1106,Native API,[],[],,CM-7,mitigates,3 +2145,,T1112,Modify Registry,[],[],,CM-7,mitigates,3 +2146,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-7,mitigates,3 +2147,,T1129,Shared Modules,[],[],,CM-7,mitigates,3 +2148,,T1133,External Remote Services,[],[],,CM-7,mitigates,3 +2149,,T1135,Network Share Discovery,[],[],,CM-7,mitigates,3 +2150,,T1136,Create Account,[],[],,CM-7,mitigates,3 +2151,,T1136.002,Domain Account,[],[],,CM-7,mitigates,3 +2152,,T1136.003,Cloud 
Account,[],[],,CM-7,mitigates,3 +2153,,T1176,Browser Extensions,[],[],,CM-7,mitigates,3 +2154,,T1187,Forced Authentication,[],[],,CM-7,mitigates,3 +2155,,T1190,Exploit Public-Facing Application,[],[],,CM-7,mitigates,3 +2156,,T1195,Supply Chain Compromise,[],[],,CM-7,mitigates,3 +2157,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,CM-7,mitigates,3 +2158,,T1195.002,Compromise Software Supply Chain,[],[],,CM-7,mitigates,3 +2159,,T1197,BITS Jobs,[],[],,CM-7,mitigates,3 +2160,,T1199,Trusted Relationship,[],[],,CM-7,mitigates,3 +2161,,T1204,User Execution,[],[],,CM-7,mitigates,3 +2162,,T1204.001,Malicious Link,[],[],,CM-7,mitigates,3 +2163,,T1204.002,Malicious File,[],[],,CM-7,mitigates,3 +2164,,T1204.003,Malicious Image,[],[],,CM-7,mitigates,3 +2165,,T1205,Traffic Signaling,[],[],,CM-7,mitigates,3 +2166,,T1205.001,Port Knocking,[],[],,CM-7,mitigates,3 +2167,,T1210,Exploitation of Remote Services,[],[],,CM-7,mitigates,3 +2168,,T1213,Data from Information Repositories,[],[],,CM-7,mitigates,3 +2169,,T1213.001,Confluence,[],[],,CM-7,mitigates,3 +2170,,T1213.002,Sharepoint,[],[],,CM-7,mitigates,3 +2171,,T1216,Signed Script Proxy Execution,[],[],,CM-7,mitigates,3 +2172,,T1216.001,PubPrn,[],[],,CM-7,mitigates,3 +2173,,T1218,Signed Binary Proxy Execution,[],[],,CM-7,mitigates,3 +2174,,T1218.001,Compiled HTML File,[],[],,CM-7,mitigates,3 +2175,,T1218.002,Control Panel,[],[],,CM-7,mitigates,3 +2176,,T1218.003,CMSTP,[],[],,CM-7,mitigates,3 +2177,,T1218.004,InstallUtil,[],[],,CM-7,mitigates,3 +2178,,T1218.005,Mshta,[],[],,CM-7,mitigates,3 +2179,,T1218.007,Msiexec,[],[],,CM-7,mitigates,3 +2180,,T1218.008,Odbcconf,[],[],,CM-7,mitigates,3 +2181,,T1218.009,Regsvcs/Regasm,[],[],,CM-7,mitigates,3 +2182,,T1218.012,Verclsid,[],[],,CM-7,mitigates,3 +2183,,T1219,Remote Access Software,[],[],,CM-7,mitigates,3 +2184,,T1220,XSL Script Processing,[],[],,CM-7,mitigates,3 +2185,,T1221,Template Injection,[],[],,CM-7,mitigates,3 +2186,,T1482,Domain Trust 
Discovery,[],[],,CM-7,mitigates,3 +2187,,T1484,Domain Policy Modification,[],[],,CM-7,mitigates,3 +2188,,T1489,Service Stop,[],[],,CM-7,mitigates,3 +2189,,T1490,Inhibit System Recovery,[],[],,CM-7,mitigates,3 +2190,,T1498,Network Denial of Service,[],[],,CM-7,mitigates,3 +2191,,T1498.001,Direct Network Flood,[],[],,CM-7,mitigates,3 +2192,,T1498.002,Reflection Amplification,[],[],,CM-7,mitigates,3 +2193,,T1499,Endpoint Denial of Service,[],[],,CM-7,mitigates,3 +2194,,T1499.001,OS Exhaustion Flood,[],[],,CM-7,mitigates,3 +2195,,T1499.002,Service Exhaustion Flood,[],[],,CM-7,mitigates,3 +2196,,T1499.003,Application Exhaustion Flood,[],[],,CM-7,mitigates,3 +2197,,T1499.004,Application or System Exploitation,[],[],,CM-7,mitigates,3 +2198,,T1525,Implant Internal Image,[],[],,CM-7,mitigates,3 +2199,,T1530,Data from Cloud Storage Object,[],[],,CM-7,mitigates,3 +2200,,T1537,Transfer Data to Cloud Account,[],[],,CM-7,mitigates,3 +2201,,T1542.004,ROMMONkit,[],[],,CM-7,mitigates,3 +2202,,T1542.005,TFTP Boot,[],[],,CM-7,mitigates,3 +2203,,T1543,Create or Modify System Process,[],[],,CM-7,mitigates,3 +2204,,T1543.003,Windows Service,[],[],,CM-7,mitigates,3 +2205,,T1546.002,Screensaver,[],[],,CM-7,mitigates,3 +2206,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-7,mitigates,3 +2207,,T1546.008,Accessibility Features,[],[],,CM-7,mitigates,3 +2208,,T1546.009,AppCert DLLs,[],[],,CM-7,mitigates,3 +2209,,T1546.010,AppInit DLLs,[],[],,CM-7,mitigates,3 +2210,,T1547.004,Winlogon Helper DLL,[],[],,CM-7,mitigates,3 +2211,,T1547.006,Kernel Modules and Extensions,[],[],,CM-7,mitigates,3 +2212,,T1547.007,Re-opened Applications,[],[],,CM-7,mitigates,3 +2213,,T1547.011,Plist Modification,[],[],,CM-7,mitigates,3 +2214,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-7,mitigates,3 +2215,,T1548.001,Setuid and Setgid,[],[],,CM-7,mitigates,3 +2216,,T1548.003,Sudo and Sudo Caching,[],[],,CM-7,mitigates,3 +2217,,T1548.004,Elevated Execution with Prompt,[],[],,CM-7,mitigates,3 +2218,,T1552,Unsecured 
Credentials,[],[],,CM-7,mitigates,3 +2219,,T1552.003,Bash History,[],[],,CM-7,mitigates,3 +2220,,T1552.005,Cloud Instance Metadata API,[],[],,CM-7,mitigates,3 +2221,,T1552.007,Container API,[],[],,CM-7,mitigates,3 +2222,,T1553,Subvert Trust Controls,[],[],,CM-7,mitigates,3 +2223,,T1553.001,Gatekeeper Bypass,[],[],,CM-7,mitigates,3 +2224,,T1553.003,SIP and Trust Provider Hijacking,[],[],,CM-7,mitigates,3 +2225,,T1553.004,Install Root Certificate,[],[],,CM-7,mitigates,3 +2226,,T1553.005,Mark-of-the-Web Bypass,[],[],,CM-7,mitigates,3 +2227,,T1553.006,Code Signing Policy Modification,[],[],,CM-7,mitigates,3 +2228,,T1555.004,Windows Credential Manager,[],[],,CM-7,mitigates,3 +2229,,T1556,Modify Authentication Process,[],[],,CM-7,mitigates,3 +2230,,T1556.002,Password Filter DLL,[],[],,CM-7,mitigates,3 +2231,,T1557,Man-in-the-Middle,[],[],,CM-7,mitigates,3 +2232,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-7,mitigates,3 +2233,,T1557.002,ARP Cache Poisoning,[],[],,CM-7,mitigates,3 +2234,,T1559,Inter-Process Communication,[],[],,CM-7,mitigates,3 +2235,,T1559.002,Dynamic Data Exchange,[],[],,CM-7,mitigates,3 +2236,,T1562,Impair Defenses,[],[],,CM-7,mitigates,3 +2237,,T1562.001,Disable or Modify Tools,[],[],,CM-7,mitigates,3 +2238,,T1562.002,Disable Windows Event Logging,[],[],,CM-7,mitigates,3 +2239,,T1562.003,Impair Command History Logging,[],[],,CM-7,mitigates,3 +2240,,T1562.004,Disable or Modify System Firewall,[],[],,CM-7,mitigates,3 +2241,,T1563,Remote Service Session Hijacking,[],[],,CM-7,mitigates,3 +2242,,T1563.001,SSH Hijacking,[],[],,CM-7,mitigates,3 +2243,,T1563.002,RDP Hijacking,[],[],,CM-7,mitigates,3 +2244,,T1564.002,Hidden Users,[],[],,CM-7,mitigates,3 +2245,,T1564.003,Hidden Window,[],[],,CM-7,mitigates,3 +2246,,T1564.006,Run Virtual Instance,[],[],,CM-7,mitigates,3 +2247,,T1565,Data Manipulation,[],[],,CM-7,mitigates,3 +2248,,T1565.003,Runtime Data Manipulation,[],[],,CM-7,mitigates,3 +2249,,T1569,System Services,[],[],,CM-7,mitigates,3 
+2250,,T1569.002,Service Execution,[],[],,CM-7,mitigates,3 +2251,,T1570,Lateral Tool Transfer,[],[],,CM-7,mitigates,3 +2252,,T1571,Non-Standard Port,[],[],,CM-7,mitigates,3 +2253,,T1572,Protocol Tunneling,[],[],,CM-7,mitigates,3 +2254,,T1573,Encrypted Channel,[],[],,CM-7,mitigates,3 +2255,,T1573.001,Symmetric Cryptography,[],[],,CM-7,mitigates,3 +2256,,T1573.002,Asymmetric Cryptography,[],[],,CM-7,mitigates,3 +2257,,T1574,Hijack Execution Flow,[],[],,CM-7,mitigates,3 +2258,,T1574.001,DLL Search Order Hijacking,[],[],,CM-7,mitigates,3 +2259,,T1574.006,Dynamic Linker Hijacking,[],[],,CM-7,mitigates,3 +2260,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-7,mitigates,3 +2261,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-7,mitigates,3 +2262,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-7,mitigates,3 +2263,,T1574.012,COR_PROFILER,[],[],,CM-7,mitigates,3 +2264,,T1599,Network Boundary Bridging,[],[],,CM-7,mitigates,3 +2265,,T1599.001,Network Address Translation Traversal,[],[],,CM-7,mitigates,3 +2266,,T1601,Modify System Image,[],[],,CM-7,mitigates,3 +2267,,T1601.001,Patch System Image,[],[],,CM-7,mitigates,3 +2268,,T1601.002,Downgrade System Image,[],[],,CM-7,mitigates,3 +2269,,T1602,Data from Configuration Repository,[],[],,CM-7,mitigates,3 +2270,,T1602.001,SNMP (MIB Dump),[],[],,CM-7,mitigates,3 +2271,,T1602.002,Network Device Configuration Dump,[],[],,CM-7,mitigates,3 +2272,,T1609,Container Administration Command,[],[],,CM-7,mitigates,3 +2273,,T1610,Deploy Container,[],[],,CM-7,mitigates,3 +2274,,T1611,Escape to Host,[],[],,CM-7,mitigates,3 +2275,,T1612,Build Image on Host,[],[],,CM-7,mitigates,3 +2276,,T1613,Container and Resource Discovery,[],[],,CM-7,mitigates,3 +2277,,T1011.001,Exfiltration Over Bluetooth,[],[],,CM-8,mitigates,3 +2278,,T1020.001,Traffic Duplication,[],[],,CM-8,mitigates,3 +2279,,T1021.001,Remote Desktop Protocol,[],[],,CM-8,mitigates,3 +2280,,T1021.003,Distributed Component Object 
Model,[],[],,CM-8,mitigates,3 +2281,,T1021.004,SSH,[],[],,CM-8,mitigates,3 +2282,,T1021.005,VNC,[],[],,CM-8,mitigates,3 +2283,,T1021.006,Windows Remote Management,[],[],,CM-8,mitigates,3 +2284,,T1046,Network Service Scanning,[],[],,CM-8,mitigates,3 +2285,,T1052,Exfiltration Over Physical Medium,[],[],,CM-8,mitigates,3 +2286,,T1052.001,Exfiltration over USB,[],[],,CM-8,mitigates,3 +2287,,T1053,Scheduled Task/Job,[],[],,CM-8,mitigates,3 +2288,,T1053.002,At (Windows),[],[],,CM-8,mitigates,3 +2289,,T1053.005,Scheduled Task,[],[],,CM-8,mitigates,3 +2290,,T1059,Command and Scripting Interpreter,[],[],,CM-8,mitigates,3 +2291,,T1059.001,PowerShell,[],[],,CM-8,mitigates,3 +2292,,T1059.005,Visual Basic,[],[],,CM-8,mitigates,3 +2293,,T1059.007,JavaScript,[],[],,CM-8,mitigates,3 +2294,,T1068,Exploitation for Privilege Escalation,[],[],,CM-8,mitigates,3 +2295,,T1072,Software Deployment Tools,[],[],,CM-8,mitigates,3 +2296,,T1091,Replication Through Removable Media,[],[],,CM-8,mitigates,3 +2297,,T1092,Communication Through Removable Media,[],[],,CM-8,mitigates,3 +2298,,T1098.004,SSH Authorized Keys,[],[],,CM-8,mitigates,3 +2299,,T1119,Automated Collection,[],[],,CM-8,mitigates,3 +2300,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,CM-8,mitigates,3 +2301,,T1127.001,MSBuild,[],[],,CM-8,mitigates,3 +2302,,T1133,External Remote Services,[],[],,CM-8,mitigates,3 +2303,,T1137,Office Application Startup,[],[],,CM-8,mitigates,3 +2304,,T1137.001,Office Template Macros,[],[],,CM-8,mitigates,3 +2305,,T1189,Drive-by Compromise,[],[],,CM-8,mitigates,3 +2306,,T1190,Exploit Public-Facing Application,[],[],,CM-8,mitigates,3 +2307,,T1195.003,Compromise Hardware Supply Chain,[],[],,CM-8,mitigates,3 +2308,,T1203,Exploitation for Client Execution,[],[],,CM-8,mitigates,3 +2309,,T1210,Exploitation of Remote Services,[],[],,CM-8,mitigates,3 +2310,,T1211,Exploitation for Defense Evasion,[],[],,CM-8,mitigates,3 +2311,,T1212,Exploitation for Credential Access,[],[],,CM-8,mitigates,3 
+2312,,T1213,Data from Information Repositories,[],[],,CM-8,mitigates,3 +2313,,T1213.001,Confluence,[],[],,CM-8,mitigates,3 +2314,,T1213.002,Sharepoint,[],[],,CM-8,mitigates,3 +2315,,T1218,Signed Binary Proxy Execution,[],[],,CM-8,mitigates,3 +2316,,T1218.003,CMSTP,[],[],,CM-8,mitigates,3 +2317,,T1218.004,InstallUtil,[],[],,CM-8,mitigates,3 +2318,,T1218.005,Mshta,[],[],,CM-8,mitigates,3 +2319,,T1218.008,Odbcconf,[],[],,CM-8,mitigates,3 +2320,,T1218.009,Regsvcs/Regasm,[],[],,CM-8,mitigates,3 +2321,,T1218.012,Verclsid,[],[],,CM-8,mitigates,3 +2322,,T1221,Template Injection,[],[],,CM-8,mitigates,3 +2323,,T1495,Firmware Corruption,[],[],,CM-8,mitigates,3 +2324,,T1505,Server Software Component,[],[],,CM-8,mitigates,3 +2325,,T1505.001,SQL Stored Procedures,[],[],,CM-8,mitigates,3 +2326,,T1505.002,Transport Agent,[],[],,CM-8,mitigates,3 +2327,,T1530,Data from Cloud Storage Object,[],[],,CM-8,mitigates,3 +2328,,T1542,Pre-OS Boot,[],[],,CM-8,mitigates,3 +2329,,T1542.001,System Firmware,[],[],,CM-8,mitigates,3 +2330,,T1542.003,Bootkit,[],[],,CM-8,mitigates,3 +2331,,T1542.004,ROMMONkit,[],[],,CM-8,mitigates,3 +2332,,T1542.005,TFTP Boot,[],[],,CM-8,mitigates,3 +2333,,T1546.002,Screensaver,[],[],,CM-8,mitigates,3 +2334,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,CM-8,mitigates,3 +2335,,T1546.014,Emond,[],[],,CM-8,mitigates,3 +2336,,T1547.007,Re-opened Applications,[],[],,CM-8,mitigates,3 +2337,,T1548,Abuse Elevation Control Mechanism,[],[],,CM-8,mitigates,3 +2338,,T1548.004,Elevated Execution with Prompt,[],[],,CM-8,mitigates,3 +2339,,T1553,Subvert Trust Controls,[],[],,CM-8,mitigates,3 +2340,,T1553.006,Code Signing Policy Modification,[],[],,CM-8,mitigates,3 +2341,,T1557,Man-in-the-Middle,[],[],,CM-8,mitigates,3 +2342,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,CM-8,mitigates,3 +2343,,T1557.002,ARP Cache Poisoning,[],[],,CM-8,mitigates,3 +2344,,T1559,Inter-Process Communication,[],[],,CM-8,mitigates,3 +2345,,T1559.002,Dynamic Data Exchange,[],[],,CM-8,mitigates,3 
+2346,,T1563,Remote Service Session Hijacking,[],[],,CM-8,mitigates,3 +2347,,T1563.001,SSH Hijacking,[],[],,CM-8,mitigates,3 +2348,,T1563.002,RDP Hijacking,[],[],,CM-8,mitigates,3 +2349,,T1564.006,Run Virtual Instance,[],[],,CM-8,mitigates,3 +2350,,T1564.007,VBA Stomping,[],[],,CM-8,mitigates,3 +2351,,T1565,Data Manipulation,[],[],,CM-8,mitigates,3 +2352,,T1565.001,Stored Data Manipulation,[],[],,CM-8,mitigates,3 +2353,,T1565.002,Transmitted Data Manipulation,[],[],,CM-8,mitigates,3 +2354,,T1574,Hijack Execution Flow,[],[],,CM-8,mitigates,3 +2355,,T1574.004,Dylib Hijacking,[],[],,CM-8,mitigates,3 +2356,,T1574.007,Path Interception by PATH Environment Variable,[],[],,CM-8,mitigates,3 +2357,,T1574.008,Path Interception by Search Order Hijacking,[],[],,CM-8,mitigates,3 +2358,,T1574.009,Path Interception by Unquoted Path,[],[],,CM-8,mitigates,3 +2359,,T1601,Modify System Image,[],[],,CM-8,mitigates,3 +2360,,T1601.001,Patch System Image,[],[],,CM-8,mitigates,3 +2361,,T1601.002,Downgrade System Image,[],[],,CM-8,mitigates,3 +2362,,T1602,Data from Configuration Repository,[],[],,CM-8,mitigates,3 +2363,,T1602.001,SNMP (MIB Dump),[],[],,CM-8,mitigates,3 +2364,,T1602.002,Network Device Configuration Dump,[],[],,CM-8,mitigates,3 +2365,,T1485,Data Destruction,[],[],,CP-10,mitigates,3 +2366,,T1486,Data Encrypted for Impact,[],[],,CP-10,mitigates,3 +2367,,T1490,Inhibit System Recovery,[],[],,CP-10,mitigates,3 +2368,,T1491,Defacement,[],[],,CP-10,mitigates,3 +2369,,T1491.001,Internal Defacement,[],[],,CP-10,mitigates,3 +2370,,T1491.002,External Defacement,[],[],,CP-10,mitigates,3 +2371,,T1561,Disk Wipe,[],[],,CP-10,mitigates,3 +2372,,T1561.001,Disk Content Wipe,[],[],,CP-10,mitigates,3 +2373,,T1561.002,Disk Structure Wipe,[],[],,CP-10,mitigates,3 +2374,,T1565,Data Manipulation,[],[],,CP-10,mitigates,3 +2375,,T1565.001,Stored Data Manipulation,[],[],,CP-10,mitigates,3 +2376,,T1485,Data Destruction,[],[],,CP-2,mitigates,3 +2377,,T1486,Data Encrypted for 
Impact,[],[],,CP-2,mitigates,3 +2378,,T1490,Inhibit System Recovery,[],[],,CP-2,mitigates,3 +2379,,T1491,Defacement,[],[],,CP-2,mitigates,3 +2380,,T1491.001,Internal Defacement,[],[],,CP-2,mitigates,3 +2381,,T1491.002,External Defacement,[],[],,CP-2,mitigates,3 +2382,,T1561,Disk Wipe,[],[],,CP-2,mitigates,3 +2383,,T1561.001,Disk Content Wipe,[],[],,CP-2,mitigates,3 +2384,,T1561.002,Disk Structure Wipe,[],[],,CP-2,mitigates,3 +2385,,T1070,Indicator Removal on Host,[],[],,CP-6,mitigates,3 +2386,,T1070.001,Clear Windows Event Logs,[],[],,CP-6,mitigates,3 +2387,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-6,mitigates,3 +2388,,T1119,Automated Collection,[],[],,CP-6,mitigates,3 +2389,,T1486,Data Encrypted for Impact,[],[],,CP-6,mitigates,3 +2390,,T1565,Data Manipulation,[],[],,CP-6,mitigates,3 +2391,,T1565.001,Stored Data Manipulation,[],[],,CP-6,mitigates,3 +2392,,T1070,Indicator Removal on Host,[],[],,CP-7,mitigates,3 +2393,,T1070.001,Clear Windows Event Logs,[],[],,CP-7,mitigates,3 +2394,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-7,mitigates,3 +2395,,T1119,Automated Collection,[],[],,CP-7,mitigates,3 +2396,,T1485,Data Destruction,[],[],,CP-7,mitigates,3 +2397,,T1486,Data Encrypted for Impact,[],[],,CP-7,mitigates,3 +2398,,T1490,Inhibit System Recovery,[],[],,CP-7,mitigates,3 +2399,,T1491,Defacement,[],[],,CP-7,mitigates,3 +2400,,T1491.001,Internal Defacement,[],[],,CP-7,mitigates,3 +2401,,T1491.002,External Defacement,[],[],,CP-7,mitigates,3 +2402,,T1561,Disk Wipe,[],[],,CP-7,mitigates,3 +2403,,T1561.001,Disk Content Wipe,[],[],,CP-7,mitigates,3 +2404,,T1561.002,Disk Structure Wipe,[],[],,CP-7,mitigates,3 +2405,,T1565,Data Manipulation,[],[],,CP-7,mitigates,3 +2406,,T1565.001,Stored Data Manipulation,[],[],,CP-7,mitigates,3 +2407,,T1003,OS Credential Dumping,[],[],,CP-9,mitigates,3 +2408,,T1003.003,NTDS,[],[],,CP-9,mitigates,3 +2409,,T1070,Indicator Removal on Host,[],[],,CP-9,mitigates,3 +2410,,T1070.001,Clear Windows Event 
Logs,[],[],,CP-9,mitigates,3 +2411,,T1070.002,Clear Linux or Mac System Logs,[],[],,CP-9,mitigates,3 +2412,,T1119,Automated Collection,[],[],,CP-9,mitigates,3 +2413,,T1485,Data Destruction,[],[],,CP-9,mitigates,3 +2414,,T1486,Data Encrypted for Impact,[],[],,CP-9,mitigates,3 +2415,,T1490,Inhibit System Recovery,[],[],,CP-9,mitigates,3 +2416,,T1491,Defacement,[],[],,CP-9,mitigates,3 +2417,,T1491.001,Internal Defacement,[],[],,CP-9,mitigates,3 +2418,,T1491.002,External Defacement,[],[],,CP-9,mitigates,3 +2419,,T1561,Disk Wipe,[],[],,CP-9,mitigates,3 +2420,,T1561.001,Disk Content Wipe,[],[],,CP-9,mitigates,3 +2421,,T1561.002,Disk Structure Wipe,[],[],,CP-9,mitigates,3 +2422,,T1565,Data Manipulation,[],[],,CP-9,mitigates,3 +2423,,T1565.001,Stored Data Manipulation,[],[],,CP-9,mitigates,3 +2424,,T1565.003,Runtime Data Manipulation,[],[],,CP-9,mitigates,3 +2425,,T1110,Brute Force,[],[],,IA-11,mitigates,3 +2426,,T1110.001,Password Guessing,[],[],,IA-11,mitigates,3 +2427,,T1110.002,Password Cracking,[],[],,IA-11,mitigates,3 +2428,,T1110.003,Password Spraying,[],[],,IA-11,mitigates,3 +2429,,T1110.004,Credential Stuffing,[],[],,IA-11,mitigates,3 +2430,,T1078,Valid Accounts,[],[],,IA-12,mitigates,3 +2431,,T1078.002,Domain Accounts,[],[],,IA-12,mitigates,3 +2432,,T1078.003,Local Accounts,[],[],,IA-12,mitigates,3 +2433,,T1078.004,Cloud Accounts,[],[],,IA-12,mitigates,3 +2434,,T1003,OS Credential Dumping,[],[],,IA-2,mitigates,3 +2435,,T1003.001,LSASS Memory,[],[],,IA-2,mitigates,3 +2436,,T1003.002,Security Account Manager,[],[],,IA-2,mitigates,3 +2437,,T1003.003,NTDS,[],[],,IA-2,mitigates,3 +2438,,T1003.004,LSA Secrets,[],[],,IA-2,mitigates,3 +2439,,T1003.005,Cached Domain Credentials,[],[],,IA-2,mitigates,3 +2440,,T1003.006,DCSync,[],[],,IA-2,mitigates,3 +2441,,T1003.007,Proc Filesystem,[],[],,IA-2,mitigates,3 +2442,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-2,mitigates,3 +2443,,T1021,Remote Services,[],[],,IA-2,mitigates,3 +2444,,T1021.001,Remote Desktop 
Protocol,[],[],,IA-2,mitigates,3 +2445,,T1021.002,SMB/Windows Admin Shares,[],[],,IA-2,mitigates,3 +2446,,T1021.003,Distributed Component Object Model,[],[],,IA-2,mitigates,3 +2447,,T1021.004,SSH,[],[],,IA-2,mitigates,3 +2448,,T1021.005,VNC,[],[],,IA-2,mitigates,3 +2449,,T1021.006,Windows Remote Management,[],[],,IA-2,mitigates,3 +2450,,T1040,Network Sniffing,[],[],,IA-2,mitigates,3 +2451,,T1047,Windows Management Instrumentation,[],[],,IA-2,mitigates,3 +2452,,T1053,Scheduled Task/Job,[],[],,IA-2,mitigates,3 +2453,,T1053.001,At (Linux),[],[],,IA-2,mitigates,3 +2454,,T1053.002,At (Windows),[],[],,IA-2,mitigates,3 +2455,,T1053.003,Cron,[],[],,IA-2,mitigates,3 +2456,,T1053.004,Launchd,[],[],,IA-2,mitigates,3 +2457,,T1053.005,Scheduled Task,[],[],,IA-2,mitigates,3 +2458,,T1053.006,Systemd Timers,[],[],,IA-2,mitigates,3 +2459,,T1053.007,Container Orchestration Job,[],[],,IA-2,mitigates,3 +2460,,T1055,Process Injection,[],[],,IA-2,mitigates,3 +2461,,T1055.008,Ptrace System Calls,[],[],,IA-2,mitigates,3 +2462,,T1056.003,Web Portal Capture,[],[],,IA-2,mitigates,3 +2463,,T1059,Command and Scripting Interpreter,[],[],,IA-2,mitigates,3 +2464,,T1059.001,PowerShell,[],[],,IA-2,mitigates,3 +2465,,T1059.008,Network Device CLI,[],[],,IA-2,mitigates,3 +2466,,T1072,Software Deployment Tools,[],[],,IA-2,mitigates,3 +2467,,T1078,Valid Accounts,[],[],,IA-2,mitigates,3 +2468,,T1078.002,Domain Accounts,[],[],,IA-2,mitigates,3 +2469,,T1078.003,Local Accounts,[],[],,IA-2,mitigates,3 +2470,,T1078.004,Cloud Accounts,[],[],,IA-2,mitigates,3 +2471,,T1087.004,Cloud Account,[],[],,IA-2,mitigates,3 +2472,,T1098,Account Manipulation,[],[],,IA-2,mitigates,3 +2473,,T1098.001,Additional Cloud Credentials,[],[],,IA-2,mitigates,3 +2474,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-2,mitigates,3 +2475,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-2,mitigates,3 +2476,,T1110,Brute Force,[],[],,IA-2,mitigates,3 +2477,,T1110.001,Password Guessing,[],[],,IA-2,mitigates,3 
+2478,,T1110.002,Password Cracking,[],[],,IA-2,mitigates,3 +2479,,T1110.003,Password Spraying,[],[],,IA-2,mitigates,3 +2480,,T1110.004,Credential Stuffing,[],[],,IA-2,mitigates,3 +2481,,T1111,Two-Factor Authentication Interception,[],[],,IA-2,mitigates,3 +2482,,T1114,Email Collection,[],[],,IA-2,mitigates,3 +2483,,T1114.002,Remote Email Collection,[],[],,IA-2,mitigates,3 +2484,,T1133,External Remote Services,[],[],,IA-2,mitigates,3 +2485,,T1134,Access Token Manipulation,[],[],,IA-2,mitigates,3 +2486,,T1134.001,Token Impersonation/Theft,[],[],,IA-2,mitigates,3 +2487,,T1134.002,Create Process with Token,[],[],,IA-2,mitigates,3 +2488,,T1134.003,Make and Impersonate Token,[],[],,IA-2,mitigates,3 +2489,,T1136,Create Account,[],[],,IA-2,mitigates,3 +2490,,T1136.001,Local Account,[],[],,IA-2,mitigates,3 +2491,,T1136.002,Domain Account,[],[],,IA-2,mitigates,3 +2492,,T1136.003,Cloud Account,[],[],,IA-2,mitigates,3 +2493,,T1185,Man in the Browser,[],[],,IA-2,mitigates,3 +2494,,T1190,Exploit Public-Facing Application,[],[],,IA-2,mitigates,3 +2495,,T1197,BITS Jobs,[],[],,IA-2,mitigates,3 +2496,,T1210,Exploitation of Remote Services,[],[],,IA-2,mitigates,3 +2497,,T1213,Data from Information Repositories,[],[],,IA-2,mitigates,3 +2498,,T1213.001,Confluence,[],[],,IA-2,mitigates,3 +2499,,T1213.002,Sharepoint,[],[],,IA-2,mitigates,3 +2500,,T1218,Signed Binary Proxy Execution,[],[],,IA-2,mitigates,3 +2501,,T1218.007,Msiexec,[],[],,IA-2,mitigates,3 +2502,,T1222,File and Directory Permissions Modification,[],[],,IA-2,mitigates,3 +2503,,T1222.001,Windows File and Directory Permissions Modification,[],[],,IA-2,mitigates,3 +2504,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,IA-2,mitigates,3 +2505,,T1484,Domain Policy Modification,[],[],,IA-2,mitigates,3 +2506,,T1489,Service Stop,[],[],,IA-2,mitigates,3 +2507,,T1495,Firmware Corruption,[],[],,IA-2,mitigates,3 +2508,,T1505,Server Software Component,[],[],,IA-2,mitigates,3 +2509,,T1505.001,SQL Stored 
Procedures,[],[],,IA-2,mitigates,3 +2510,,T1505.002,Transport Agent,[],[],,IA-2,mitigates,3 +2511,,T1525,Implant Internal Image,[],[],,IA-2,mitigates,3 +2512,,T1528,Steal Application Access Token,[],[],,IA-2,mitigates,3 +2513,,T1530,Data from Cloud Storage Object,[],[],,IA-2,mitigates,3 +2514,,T1537,Transfer Data to Cloud Account,[],[],,IA-2,mitigates,3 +2515,,T1538,Cloud Service Dashboard,[],[],,IA-2,mitigates,3 +2516,,T1539,Steal Web Session Cookie,[],[],,IA-2,mitigates,3 +2517,,T1542,Pre-OS Boot,[],[],,IA-2,mitigates,3 +2518,,T1542.001,System Firmware,[],[],,IA-2,mitigates,3 +2519,,T1542.003,Bootkit,[],[],,IA-2,mitigates,3 +2520,,T1542.005,TFTP Boot,[],[],,IA-2,mitigates,3 +2521,,T1543,Create or Modify System Process,[],[],,IA-2,mitigates,3 +2522,,T1543.001,Launch Agent,[],[],,IA-2,mitigates,3 +2523,,T1543.002,Systemd Service,[],[],,IA-2,mitigates,3 +2524,,T1543.003,Windows Service,[],[],,IA-2,mitigates,3 +2525,,T1543.004,Launch Daemon,[],[],,IA-2,mitigates,3 +2526,,T1546.003,Windows Management Instrumentation Event Subscription,[],[],,IA-2,mitigates,3 +2527,,T1547.004,Winlogon Helper DLL,[],[],,IA-2,mitigates,3 +2528,,T1547.006,Kernel Modules and Extensions,[],[],,IA-2,mitigates,3 +2529,,T1547.009,Shortcut Modification,[],[],,IA-2,mitigates,3 +2530,,T1547.012,Print Processors,[],[],,IA-2,mitigates,3 +2531,,T1547.013,XDG Autostart Entries,[],[],,IA-2,mitigates,3 +2532,,T1548,Abuse Elevation Control Mechanism,[],[],,IA-2,mitigates,3 +2533,,T1548.002,Bypass User Account Control,[],[],,IA-2,mitigates,3 +2534,,T1548.003,Sudo and Sudo Caching,[],[],,IA-2,mitigates,3 +2535,,T1550,Use Alternate Authentication Material,[],[],,IA-2,mitigates,3 +2536,,T1550.001,Application Access Token,[],[],,IA-2,mitigates,3 +2537,,T1550.002,Pass the Hash,[],[],,IA-2,mitigates,3 +2538,,T1550.003,Pass the Ticket,[],[],,IA-2,mitigates,3 +2539,,T1552,Unsecured Credentials,[],[],,IA-2,mitigates,3 +2540,,T1552.001,Credentials In Files,[],[],,IA-2,mitigates,3 +2541,,T1552.002,Credentials in 
Registry,[],[],,IA-2,mitigates,3 +2542,,T1552.004,Private Keys,[],[],,IA-2,mitigates,3 +2543,,T1552.006,Group Policy Preferences,[],[],,IA-2,mitigates,3 +2544,,T1552.007,Container API,[],[],,IA-2,mitigates,3 +2545,,T1555.005,Password Managers,[],[],,IA-2,mitigates,3 +2546,,T1556,Modify Authentication Process,[],[],,IA-2,mitigates,3 +2547,,T1556.001,Domain Controller Authentication,[],[],,IA-2,mitigates,3 +2548,,T1556.003,Pluggable Authentication Modules,[],[],,IA-2,mitigates,3 +2549,,T1556.004,Network Device Authentication,[],[],,IA-2,mitigates,3 +2550,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-2,mitigates,3 +2551,,T1558.001,Golden Ticket,[],[],,IA-2,mitigates,3 +2552,,T1558.002,Silver Ticket,[],[],,IA-2,mitigates,3 +2553,,T1558.003,Kerberoasting,[],[],,IA-2,mitigates,3 +2554,,T1558.004,AS-REP Roasting,[],[],,IA-2,mitigates,3 +2555,,T1559,Inter-Process Communication,[],[],,IA-2,mitigates,3 +2556,,T1559.001,Component Object Model,[],[],,IA-2,mitigates,3 +2557,,T1562,Impair Defenses,[],[],,IA-2,mitigates,3 +2558,,T1562.001,Disable or Modify Tools,[],[],,IA-2,mitigates,3 +2559,,T1562.002,Disable Windows Event Logging,[],[],,IA-2,mitigates,3 +2560,,T1562.004,Disable or Modify System Firewall,[],[],,IA-2,mitigates,3 +2561,,T1562.006,Indicator Blocking,[],[],,IA-2,mitigates,3 +2562,,T1562.007,Disable or Modify Cloud Firewall,[],[],,IA-2,mitigates,3 +2563,,T1562.008,Disable Cloud Logs,[],[],,IA-2,mitigates,3 +2564,,T1563,Remote Service Session Hijacking,[],[],,IA-2,mitigates,3 +2565,,T1563.001,SSH Hijacking,[],[],,IA-2,mitigates,3 +2566,,T1563.002,RDP Hijacking,[],[],,IA-2,mitigates,3 +2567,,T1569,System Services,[],[],,IA-2,mitigates,3 +2568,,T1569.001,Launchctl,[],[],,IA-2,mitigates,3 +2569,,T1569.002,Service Execution,[],[],,IA-2,mitigates,3 +2570,,T1574,Hijack Execution Flow,[],[],,IA-2,mitigates,3 +2571,,T1574.005,Executable Installer File Permissions Weakness,[],[],,IA-2,mitigates,3 +2572,,T1574.010,Services File Permissions Weakness,[],[],,IA-2,mitigates,3 
+2573,,T1574.012,COR_PROFILER,[],[],,IA-2,mitigates,3 +2574,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-2,mitigates,3 +2575,,T1578.001,Create Snapshot,[],[],,IA-2,mitigates,3 +2576,,T1578.002,Create Cloud Instance,[],[],,IA-2,mitigates,3 +2577,,T1578.003,Delete Cloud Instance,[],[],,IA-2,mitigates,3 +2578,,T1580,Cloud Infrastructure Discovery,[],[],,IA-2,mitigates,3 +2579,,T1599,Network Boundary Bridging,[],[],,IA-2,mitigates,3 +2580,,T1599.001,Network Address Translation Traversal,[],[],,IA-2,mitigates,3 +2581,,T1601,Modify System Image,[],[],,IA-2,mitigates,3 +2582,,T1601.001,Patch System Image,[],[],,IA-2,mitigates,3 +2583,,T1601.002,Downgrade System Image,[],[],,IA-2,mitigates,3 +2584,,T1610,Deploy Container,[],[],,IA-2,mitigates,3 +2585,,T1611,Escape to Host,[],[],,IA-2,mitigates,3 +2586,,T1613,Container and Resource Discovery,[],[],,IA-2,mitigates,3 +2587,,T1530,Data from Cloud Storage Object,[],[],,IA-3,mitigates,3 +2588,,T1537,Transfer Data to Cloud Account,[],[],,IA-3,mitigates,3 +2589,,T1552,Unsecured Credentials,[],[],,IA-3,mitigates,3 +2590,,T1552.005,Cloud Instance Metadata API,[],[],,IA-3,mitigates,3 +2591,,T1602,Data from Configuration Repository,[],[],,IA-3,mitigates,3 +2592,,T1602.001,SNMP (MIB Dump),[],[],,IA-3,mitigates,3 +2593,,T1602.002,Network Device Configuration Dump,[],[],,IA-3,mitigates,3 +2594,,T1003,OS Credential Dumping,[],[],,IA-4,mitigates,3 +2595,,T1003.005,Cached Domain Credentials,[],[],,IA-4,mitigates,3 +2596,,T1003.006,DCSync,[],[],,IA-4,mitigates,3 +2597,,T1021.001,Remote Desktop Protocol,[],[],,IA-4,mitigates,3 +2598,,T1021.005,VNC,[],[],,IA-4,mitigates,3 +2599,,T1053,Scheduled Task/Job,[],[],,IA-4,mitigates,3 +2600,,T1053.002,At (Windows),[],[],,IA-4,mitigates,3 +2601,,T1053.005,Scheduled Task,[],[],,IA-4,mitigates,3 +2602,,T1110,Brute Force,[],[],,IA-4,mitigates,3 +2603,,T1110.001,Password Guessing,[],[],,IA-4,mitigates,3 +2604,,T1110.002,Password Cracking,[],[],,IA-4,mitigates,3 +2605,,T1110.003,Password 
Spraying,[],[],,IA-4,mitigates,3 +2606,,T1110.004,Credential Stuffing,[],[],,IA-4,mitigates,3 +2607,,T1213,Data from Information Repositories,[],[],,IA-4,mitigates,3 +2608,,T1213.001,Confluence,[],[],,IA-4,mitigates,3 +2609,,T1213.002,Sharepoint,[],[],,IA-4,mitigates,3 +2610,,T1528,Steal Application Access Token,[],[],,IA-4,mitigates,3 +2611,,T1530,Data from Cloud Storage Object,[],[],,IA-4,mitigates,3 +2612,,T1537,Transfer Data to Cloud Account,[],[],,IA-4,mitigates,3 +2613,,T1543,Create or Modify System Process,[],[],,IA-4,mitigates,3 +2614,,T1543.003,Windows Service,[],[],,IA-4,mitigates,3 +2615,,T1550.001,Application Access Token,[],[],,IA-4,mitigates,3 +2616,,T1552,Unsecured Credentials,[],[],,IA-4,mitigates,3 +2617,,T1552.005,Cloud Instance Metadata API,[],[],,IA-4,mitigates,3 +2618,,T1562,Impair Defenses,[],[],,IA-4,mitigates,3 +2619,,T1563,Remote Service Session Hijacking,[],[],,IA-4,mitigates,3 +2620,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-4,mitigates,3 +2621,,T1578.001,Create Snapshot,[],[],,IA-4,mitigates,3 +2622,,T1578.002,Create Cloud Instance,[],[],,IA-4,mitigates,3 +2623,,T1578.003,Delete Cloud Instance,[],[],,IA-4,mitigates,3 +2624,,T1602,Data from Configuration Repository,[],[],,IA-4,mitigates,3 +2625,,T1602.001,SNMP (MIB Dump),[],[],,IA-4,mitigates,3 +2626,,T1602.002,Network Device Configuration Dump,[],[],,IA-4,mitigates,3 +2627,,T1003,OS Credential Dumping,[],[],,IA-5,mitigates,3 +2628,,T1003.001,LSASS Memory,[],[],,IA-5,mitigates,3 +2629,,T1003.002,Security Account Manager,[],[],,IA-5,mitigates,3 +2630,,T1003.003,NTDS,[],[],,IA-5,mitigates,3 +2631,,T1003.004,LSA Secrets,[],[],,IA-5,mitigates,3 +2632,,T1003.005,Cached Domain Credentials,[],[],,IA-5,mitigates,3 +2633,,T1003.006,DCSync,[],[],,IA-5,mitigates,3 +2634,,T1003.007,Proc Filesystem,[],[],,IA-5,mitigates,3 +2635,,T1003.008,/etc/passwd and /etc/shadow,[],[],,IA-5,mitigates,3 +2636,,T1021,Remote Services,[],[],,IA-5,mitigates,3 +2637,,T1021.001,Remote Desktop 
Protocol,[],[],,IA-5,mitigates,3 +2638,,T1021.004,SSH,[],[],,IA-5,mitigates,3 +2639,,T1040,Network Sniffing,[],[],,IA-5,mitigates,3 +2640,,T1072,Software Deployment Tools,[],[],,IA-5,mitigates,3 +2641,,T1078,Valid Accounts,[],[],,IA-5,mitigates,3 +2642,,T1078.002,Domain Accounts,[],[],,IA-5,mitigates,3 +2643,,T1078.004,Cloud Accounts,[],[],,IA-5,mitigates,3 +2644,,T1098.001,Additional Cloud Credentials,[],[],,IA-5,mitigates,3 +2645,,T1098.002,Exchange Email Delegate Permissions,[],[],,IA-5,mitigates,3 +2646,,T1098.003,Add Office 365 Global Administrator Role,[],[],,IA-5,mitigates,3 +2647,,T1110,Brute Force,[],[],,IA-5,mitigates,3 +2648,,T1110.001,Password Guessing,[],[],,IA-5,mitigates,3 +2649,,T1110.002,Password Cracking,[],[],,IA-5,mitigates,3 +2650,,T1110.003,Password Spraying,[],[],,IA-5,mitigates,3 +2651,,T1110.004,Credential Stuffing,[],[],,IA-5,mitigates,3 +2652,,T1111,Two-Factor Authentication Interception,[],[],,IA-5,mitigates,3 +2653,,T1114,Email Collection,[],[],,IA-5,mitigates,3 +2654,,T1114.002,Remote Email Collection,[],[],,IA-5,mitigates,3 +2655,,T1133,External Remote Services,[],[],,IA-5,mitigates,3 +2656,,T1136,Create Account,[],[],,IA-5,mitigates,3 +2657,,T1136.001,Local Account,[],[],,IA-5,mitigates,3 +2658,,T1136.002,Domain Account,[],[],,IA-5,mitigates,3 +2659,,T1136.003,Cloud Account,[],[],,IA-5,mitigates,3 +2660,,T1528,Steal Application Access Token,[],[],,IA-5,mitigates,3 +2661,,T1530,Data from Cloud Storage Object,[],[],,IA-5,mitigates,3 +2662,,T1539,Steal Web Session Cookie,[],[],,IA-5,mitigates,3 +2663,,T1550.003,Pass the Ticket,[],[],,IA-5,mitigates,3 +2664,,T1552,Unsecured Credentials,[],[],,IA-5,mitigates,3 +2665,,T1552.001,Credentials In Files,[],[],,IA-5,mitigates,3 +2666,,T1552.002,Credentials in Registry,[],[],,IA-5,mitigates,3 +2667,,T1552.004,Private Keys,[],[],,IA-5,mitigates,3 +2668,,T1552.006,Group Policy Preferences,[],[],,IA-5,mitigates,3 +2669,,T1555,Credentials from Password Stores,[],[],,IA-5,mitigates,3 
+2670,,T1555.001,Keychain,[],[],,IA-5,mitigates,3 +2671,,T1555.002,Securityd Memory,[],[],,IA-5,mitigates,3 +2672,,T1555.004,Windows Credential Manager,[],[],,IA-5,mitigates,3 +2673,,T1555.005,Password Managers,[],[],,IA-5,mitigates,3 +2674,,T1556,Modify Authentication Process,[],[],,IA-5,mitigates,3 +2675,,T1556.001,Domain Controller Authentication,[],[],,IA-5,mitigates,3 +2676,,T1556.003,Pluggable Authentication Modules,[],[],,IA-5,mitigates,3 +2677,,T1556.004,Network Device Authentication,[],[],,IA-5,mitigates,3 +2678,,T1558,Steal or Forge Kerberos Tickets,[],[],,IA-5,mitigates,3 +2679,,T1558.001,Golden Ticket,[],[],,IA-5,mitigates,3 +2680,,T1558.002,Silver Ticket,[],[],,IA-5,mitigates,3 +2681,,T1558.003,Kerberoasting,[],[],,IA-5,mitigates,3 +2682,,T1558.004,AS-REP Roasting,[],[],,IA-5,mitigates,3 +2683,,T1563.001,SSH Hijacking,[],[],,IA-5,mitigates,3 +2684,,T1599,Network Boundary Bridging,[],[],,IA-5,mitigates,3 +2685,,T1599.001,Network Address Translation Traversal,[],[],,IA-5,mitigates,3 +2686,,T1601,Modify System Image,[],[],,IA-5,mitigates,3 +2687,,T1601.001,Patch System Image,[],[],,IA-5,mitigates,3 +2688,,T1601.002,Downgrade System Image,[],[],,IA-5,mitigates,3 +2689,,T1021.001,Remote Desktop Protocol,[],[],,IA-6,mitigates,3 +2690,,T1021.005,VNC,[],[],,IA-6,mitigates,3 +2691,,T1530,Data from Cloud Storage Object,[],[],,IA-6,mitigates,3 +2692,,T1563,Remote Service Session Hijacking,[],[],,IA-6,mitigates,3 +2693,,T1578,Modify Cloud Compute Infrastructure,[],[],,IA-6,mitigates,3 +2694,,T1578.001,Create Snapshot,[],[],,IA-6,mitigates,3 +2695,,T1578.002,Create Cloud Instance,[],[],,IA-6,mitigates,3 +2696,,T1578.003,Delete Cloud Instance,[],[],,IA-6,mitigates,3 +2697,,T1195.003,Compromise Hardware Supply Chain,[],[],,IA-7,mitigates,3 +2698,,T1495,Firmware Corruption,[],[],,IA-7,mitigates,3 +2699,,T1542,Pre-OS Boot,[],[],,IA-7,mitigates,3 +2700,,T1542.001,System Firmware,[],[],,IA-7,mitigates,3 +2701,,T1542.003,Bootkit,[],[],,IA-7,mitigates,3 
+2702,,T1542.004,ROMMONkit,[],[],,IA-7,mitigates,3 +2703,,T1542.005,TFTP Boot,[],[],,IA-7,mitigates,3 +2704,,T1553,Subvert Trust Controls,[],[],,IA-7,mitigates,3 +2705,,T1553.006,Code Signing Policy Modification,[],[],,IA-7,mitigates,3 +2706,,T1601,Modify System Image,[],[],,IA-7,mitigates,3 +2707,,T1601.001,Patch System Image,[],[],,IA-7,mitigates,3 +2708,,T1601.002,Downgrade System Image,[],[],,IA-7,mitigates,3 +2709,,T1053,Scheduled Task/Job,[],[],,IA-8,mitigates,3 +2710,,T1053.007,Container Orchestration Job,[],[],,IA-8,mitigates,3 +2711,,T1059,Command and Scripting Interpreter,[],[],,IA-8,mitigates,3 +2712,,T1059.001,PowerShell,[],[],,IA-8,mitigates,3 +2713,,T1059.008,Network Device CLI,[],[],,IA-8,mitigates,3 +2714,,T1087.004,Cloud Account,[],[],,IA-8,mitigates,3 +2715,,T1190,Exploit Public-Facing Application,[],[],,IA-8,mitigates,3 +2716,,T1210,Exploitation of Remote Services,[],[],,IA-8,mitigates,3 +2717,,T1213,Data from Information Repositories,[],[],,IA-8,mitigates,3 +2718,,T1213.001,Confluence,[],[],,IA-8,mitigates,3 +2719,,T1213.002,Sharepoint,[],[],,IA-8,mitigates,3 +2720,,T1528,Steal Application Access Token,[],[],,IA-8,mitigates,3 +2721,,T1530,Data from Cloud Storage Object,[],[],,IA-8,mitigates,3 +2722,,T1537,Transfer Data to Cloud Account,[],[],,IA-8,mitigates,3 +2723,,T1538,Cloud Service Dashboard,[],[],,IA-8,mitigates,3 +2724,,T1542,Pre-OS Boot,[],[],,IA-8,mitigates,3 +2725,,T1542.001,System Firmware,[],[],,IA-8,mitigates,3 +2726,,T1542.003,Bootkit,[],[],,IA-8,mitigates,3 +2727,,T1542.005,TFTP Boot,[],[],,IA-8,mitigates,3 +2728,,T1036,Masquerading,[],[],,IA-9,mitigates,3 +2729,,T1036.001,Invalid Code Signature,[],[],,IA-9,mitigates,3 +2730,,T1036.005,Match Legitimate Name or Location,[],[],,IA-9,mitigates,3 +2731,,T1059,Command and Scripting Interpreter,[],[],,IA-9,mitigates,3 +2732,,T1059.001,PowerShell,[],[],,IA-9,mitigates,3 +2733,,T1059.002,AppleScript,[],[],,IA-9,mitigates,3 +2734,,T1505,Server Software Component,[],[],,IA-9,mitigates,3 
+2735,,T1505.001,SQL Stored Procedures,[],[],,IA-9,mitigates,3 +2736,,T1505.002,Transport Agent,[],[],,IA-9,mitigates,3 +2737,,T1525,Implant Internal Image,[],[],,IA-9,mitigates,3 +2738,,T1546,Event Triggered Execution,[],[],,IA-9,mitigates,3 +2739,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,IA-9,mitigates,3 +2740,,T1546.013,PowerShell Profile,[],[],,IA-9,mitigates,3 +2741,,T1553,Subvert Trust Controls,[],[],,IA-9,mitigates,3 +2742,,T1553.004,Install Root Certificate,[],[],,IA-9,mitigates,3 +2743,,T1554,Compromise Client Software Binary,[],[],,IA-9,mitigates,3 +2744,,T1566,Phishing,[],[],,IA-9,mitigates,3 +2745,,T1566.001,Spearphishing Attachment,[],[],,IA-9,mitigates,3 +2746,,T1566.002,Spearphishing Link,[],[],,IA-9,mitigates,3 +2747,,T1598,Phishing for Information,[],[],,IA-9,mitigates,3 +2748,,T1598.002,Spearphishing Attachment,[],[],,IA-9,mitigates,3 +2749,,T1598.003,Spearphishing Link,[],[],,IA-9,mitigates,3 +2750,,T1052,Exfiltration Over Physical Medium,[],[],,MP-7,mitigates,3 +2751,,T1052.001,Exfiltration over USB,[],[],,MP-7,mitigates,3 +2752,,T1091,Replication Through Removable Media,[],[],,MP-7,mitigates,3 +2753,,T1092,Communication Through Removable Media,[],[],,MP-7,mitigates,3 +2754,,T1200,Hardware Additions,[],[],,MP-7,mitigates,3 +2755,,T1078,Valid Accounts,[],[],,PL-8,mitigates,3 +2756,,T1068,Exploitation for Privilege Escalation,[],[],,RA-10,mitigates,3 +2757,,T1190,Exploit Public-Facing Application,[],[],,RA-10,mitigates,3 +2758,,T1195,Supply Chain Compromise,[],[],,RA-10,mitigates,3 +2759,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-10,mitigates,3 +2760,,T1195.002,Compromise Software Supply Chain,[],[],,RA-10,mitigates,3 +2761,,T1210,Exploitation of Remote Services,[],[],,RA-10,mitigates,3 +2762,,T1211,Exploitation for Defense Evasion,[],[],,RA-10,mitigates,3 +2763,,T1212,Exploitation for Credential Access,[],[],,RA-10,mitigates,3 +2764,,T1011.001,Exfiltration Over Bluetooth,[],[],,RA-5,mitigates,3 
+2765,,T1021.001,Remote Desktop Protocol,[],[],,RA-5,mitigates,3 +2766,,T1021.003,Distributed Component Object Model,[],[],,RA-5,mitigates,3 +2767,,T1021.004,SSH,[],[],,RA-5,mitigates,3 +2768,,T1021.005,VNC,[],[],,RA-5,mitigates,3 +2769,,T1021.006,Windows Remote Management,[],[],,RA-5,mitigates,3 +2770,,T1046,Network Service Scanning,[],[],,RA-5,mitigates,3 +2771,,T1052,Exfiltration Over Physical Medium,[],[],,RA-5,mitigates,3 +2772,,T1052.001,Exfiltration over USB,[],[],,RA-5,mitigates,3 +2773,,T1053,Scheduled Task/Job,[],[],,RA-5,mitigates,3 +2774,,T1053.001,At (Linux),[],[],,RA-5,mitigates,3 +2775,,T1053.002,At (Windows),[],[],,RA-5,mitigates,3 +2776,,T1053.003,Cron,[],[],,RA-5,mitigates,3 +2777,,T1053.004,Launchd,[],[],,RA-5,mitigates,3 +2778,,T1053.005,Scheduled Task,[],[],,RA-5,mitigates,3 +2779,,T1059,Command and Scripting Interpreter,[],[],,RA-5,mitigates,3 +2780,,T1059.001,PowerShell,[],[],,RA-5,mitigates,3 +2781,,T1059.005,Visual Basic,[],[],,RA-5,mitigates,3 +2782,,T1059.007,JavaScript,[],[],,RA-5,mitigates,3 +2783,,T1068,Exploitation for Privilege Escalation,[],[],,RA-5,mitigates,3 +2784,,T1078,Valid Accounts,[],[],,RA-5,mitigates,3 +2785,,T1091,Replication Through Removable Media,[],[],,RA-5,mitigates,3 +2786,,T1092,Communication Through Removable Media,[],[],,RA-5,mitigates,3 +2787,,T1098.004,SSH Authorized Keys,[],[],,RA-5,mitigates,3 +2788,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,RA-5,mitigates,3 +2789,,T1127.001,MSBuild,[],[],,RA-5,mitigates,3 +2790,,T1133,External Remote Services,[],[],,RA-5,mitigates,3 +2791,,T1137,Office Application Startup,[],[],,RA-5,mitigates,3 +2792,,T1137.001,Office Template Macros,[],[],,RA-5,mitigates,3 +2793,,T1176,Browser Extensions,[],[],,RA-5,mitigates,3 +2794,,T1190,Exploit Public-Facing Application,[],[],,RA-5,mitigates,3 +2795,,T1195,Supply Chain Compromise,[],[],,RA-5,mitigates,3 +2796,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,RA-5,mitigates,3 
+2797,,T1195.002,Compromise Software Supply Chain,[],[],,RA-5,mitigates,3 +2798,,T1204.003,Malicious Image,[],[],,RA-5,mitigates,3 +2799,,T1210,Exploitation of Remote Services,[],[],,RA-5,mitigates,3 +2800,,T1211,Exploitation for Defense Evasion,[],[],,RA-5,mitigates,3 +2801,,T1212,Exploitation for Credential Access,[],[],,RA-5,mitigates,3 +2802,,T1213,Data from Information Repositories,[],[],,RA-5,mitigates,3 +2803,,T1213.001,Confluence,[],[],,RA-5,mitigates,3 +2804,,T1213.002,Sharepoint,[],[],,RA-5,mitigates,3 +2805,,T1218,Signed Binary Proxy Execution,[],[],,RA-5,mitigates,3 +2806,,T1218.003,CMSTP,[],[],,RA-5,mitigates,3 +2807,,T1218.004,InstallUtil,[],[],,RA-5,mitigates,3 +2808,,T1218.005,Mshta,[],[],,RA-5,mitigates,3 +2809,,T1218.008,Odbcconf,[],[],,RA-5,mitigates,3 +2810,,T1218.009,Regsvcs/Regasm,[],[],,RA-5,mitigates,3 +2811,,T1218.012,Verclsid,[],[],,RA-5,mitigates,3 +2812,,T1221,Template Injection,[],[],,RA-5,mitigates,3 +2813,,T1482,Domain Trust Discovery,[],[],,RA-5,mitigates,3 +2814,,T1484,Domain Policy Modification,[],[],,RA-5,mitigates,3 +2815,,T1505,Server Software Component,[],[],,RA-5,mitigates,3 +2816,,T1505.001,SQL Stored Procedures,[],[],,RA-5,mitigates,3 +2817,,T1505.002,Transport Agent,[],[],,RA-5,mitigates,3 +2818,,T1525,Implant Internal Image,[],[],,RA-5,mitigates,3 +2819,,T1528,Steal Application Access Token,[],[],,RA-5,mitigates,3 +2820,,T1530,Data from Cloud Storage Object,[],[],,RA-5,mitigates,3 +2821,,T1542.004,ROMMONkit,[],[],,RA-5,mitigates,3 +2822,,T1542.005,TFTP Boot,[],[],,RA-5,mitigates,3 +2823,,T1543,Create or Modify System Process,[],[],,RA-5,mitigates,3 +2824,,T1543.003,Windows Service,[],[],,RA-5,mitigates,3 +2825,,T1546.002,Screensaver,[],[],,RA-5,mitigates,3 +2826,,T1546.014,Emond,[],[],,RA-5,mitigates,3 +2827,,T1547.007,Re-opened Applications,[],[],,RA-5,mitigates,3 +2828,,T1547.008,LSASS Driver,[],[],,RA-5,mitigates,3 +2829,,T1548,Abuse Elevation Control Mechanism,[],[],,RA-5,mitigates,3 +2830,,T1548.002,Bypass User 
Account Control,[],[],,RA-5,mitigates,3 +2831,,T1548.003,Sudo and Sudo Caching,[],[],,RA-5,mitigates,3 +2832,,T1552,Unsecured Credentials,[],[],,RA-5,mitigates,3 +2833,,T1552.001,Credentials In Files,[],[],,RA-5,mitigates,3 +2834,,T1552.002,Credentials in Registry,[],[],,RA-5,mitigates,3 +2835,,T1552.004,Private Keys,[],[],,RA-5,mitigates,3 +2836,,T1552.006,Group Policy Preferences,[],[],,RA-5,mitigates,3 +2837,,T1557,Man-in-the-Middle,[],[],,RA-5,mitigates,3 +2838,,T1558.004,AS-REP Roasting,[],[],,RA-5,mitigates,3 +2839,,T1559,Inter-Process Communication,[],[],,RA-5,mitigates,3 +2840,,T1559.002,Dynamic Data Exchange,[],[],,RA-5,mitigates,3 +2841,,T1560,Archive Collected Data,[],[],,RA-5,mitigates,3 +2842,,T1560.001,Archive via Utility,[],[],,RA-5,mitigates,3 +2843,,T1562,Impair Defenses,[],[],,RA-5,mitigates,3 +2844,,T1563,Remote Service Session Hijacking,[],[],,RA-5,mitigates,3 +2845,,T1563.001,SSH Hijacking,[],[],,RA-5,mitigates,3 +2846,,T1563.002,RDP Hijacking,[],[],,RA-5,mitigates,3 +2847,,T1574,Hijack Execution Flow,[],[],,RA-5,mitigates,3 +2848,,T1574.001,DLL Search Order Hijacking,[],[],,RA-5,mitigates,3 +2849,,T1574.004,Dylib Hijacking,[],[],,RA-5,mitigates,3 +2850,,T1574.005,Executable Installer File Permissions Weakness,[],[],,RA-5,mitigates,3 +2851,,T1574.007,Path Interception by PATH Environment Variable,[],[],,RA-5,mitigates,3 +2852,,T1574.008,Path Interception by Search Order Hijacking,[],[],,RA-5,mitigates,3 +2853,,T1574.009,Path Interception by Unquoted Path,[],[],,RA-5,mitigates,3 +2854,,T1574.010,Services File Permissions Weakness,[],[],,RA-5,mitigates,3 +2855,,T1578,Modify Cloud Compute Infrastructure,[],[],,RA-5,mitigates,3 +2856,,T1578.001,Create Snapshot,[],[],,RA-5,mitigates,3 +2857,,T1578.002,Create Cloud Instance,[],[],,RA-5,mitigates,3 +2858,,T1578.003,Delete Cloud Instance,[],[],,RA-5,mitigates,3 +2859,,T1612,Build Image on Host,[],[],,RA-5,mitigates,3 +2860,,T1195.003,Compromise Hardware Supply Chain,[],[],,RA-9,mitigates,3 
+2861,,T1495,Firmware Corruption,[],[],,RA-9,mitigates,3 +2862,,T1542,Pre-OS Boot,[],[],,RA-9,mitigates,3 +2863,,T1542.001,System Firmware,[],[],,RA-9,mitigates,3 +2864,,T1542.003,Bootkit,[],[],,RA-9,mitigates,3 +2865,,T1542.004,ROMMONkit,[],[],,RA-9,mitigates,3 +2866,,T1542.005,TFTP Boot,[],[],,RA-9,mitigates,3 +2867,,T1553,Subvert Trust Controls,[],[],,RA-9,mitigates,3 +2868,,T1553.006,Code Signing Policy Modification,[],[],,RA-9,mitigates,3 +2869,,T1601,Modify System Image,[],[],,RA-9,mitigates,3 +2870,,T1601.001,Patch System Image,[],[],,RA-9,mitigates,3 +2871,,T1601.002,Downgrade System Image,[],[],,RA-9,mitigates,3 +2872,,T1078,Valid Accounts,[],[],,SA-10,mitigates,3 +2873,,T1078.001,Default Accounts,[],[],,SA-10,mitigates,3 +2874,,T1078.003,Local Accounts,[],[],,SA-10,mitigates,3 +2875,,T1078.004,Cloud Accounts,[],[],,SA-10,mitigates,3 +2876,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-10,mitigates,3 +2877,,T1495,Firmware Corruption,[],[],,SA-10,mitigates,3 +2878,,T1505,Server Software Component,[],[],,SA-10,mitigates,3 +2879,,T1505.001,SQL Stored Procedures,[],[],,SA-10,mitigates,3 +2880,,T1505.002,Transport Agent,[],[],,SA-10,mitigates,3 +2881,,T1542,Pre-OS Boot,[],[],,SA-10,mitigates,3 +2882,,T1542.001,System Firmware,[],[],,SA-10,mitigates,3 +2883,,T1542.003,Bootkit,[],[],,SA-10,mitigates,3 +2884,,T1542.004,ROMMONkit,[],[],,SA-10,mitigates,3 +2885,,T1542.005,TFTP Boot,[],[],,SA-10,mitigates,3 +2886,,T1553,Subvert Trust Controls,[],[],,SA-10,mitigates,3 +2887,,T1553.006,Code Signing Policy Modification,[],[],,SA-10,mitigates,3 +2888,,T1574.002,DLL Side-Loading,[],[],,SA-10,mitigates,3 +2889,,T1601,Modify System Image,[],[],,SA-10,mitigates,3 +2890,,T1601.001,Patch System Image,[],[],,SA-10,mitigates,3 +2891,,T1601.002,Downgrade System Image,[],[],,SA-10,mitigates,3 +2892,,T1078,Valid Accounts,[],[],,SA-11,mitigates,3 +2893,,T1078.001,Default Accounts,[],[],,SA-11,mitigates,3 +2894,,T1078.003,Local Accounts,[],[],,SA-11,mitigates,3 
+2895,,T1078.004,Cloud Accounts,[],[],,SA-11,mitigates,3 +2896,,T1134.005,SID-History Injection,[],[],,SA-11,mitigates,3 +2897,,T1195.003,Compromise Hardware Supply Chain,[],[],,SA-11,mitigates,3 +2898,,T1495,Firmware Corruption,[],[],,SA-11,mitigates,3 +2899,,T1505,Server Software Component,[],[],,SA-11,mitigates,3 +2900,,T1505.001,SQL Stored Procedures,[],[],,SA-11,mitigates,3 +2901,,T1505.002,Transport Agent,[],[],,SA-11,mitigates,3 +2902,,T1528,Steal Application Access Token,[],[],,SA-11,mitigates,3 +2903,,T1542,Pre-OS Boot,[],[],,SA-11,mitigates,3 +2904,,T1542.001,System Firmware,[],[],,SA-11,mitigates,3 +2905,,T1542.003,Bootkit,[],[],,SA-11,mitigates,3 +2906,,T1542.004,ROMMONkit,[],[],,SA-11,mitigates,3 +2907,,T1542.005,TFTP Boot,[],[],,SA-11,mitigates,3 +2908,,T1552,Unsecured Credentials,[],[],,SA-11,mitigates,3 +2909,,T1552.001,Credentials In Files,[],[],,SA-11,mitigates,3 +2910,,T1552.002,Credentials in Registry,[],[],,SA-11,mitigates,3 +2911,,T1552.004,Private Keys,[],[],,SA-11,mitigates,3 +2912,,T1552.006,Group Policy Preferences,[],[],,SA-11,mitigates,3 +2913,,T1553,Subvert Trust Controls,[],[],,SA-11,mitigates,3 +2914,,T1553.006,Code Signing Policy Modification,[],[],,SA-11,mitigates,3 +2915,,T1558.004,AS-REP Roasting,[],[],,SA-11,mitigates,3 +2916,,T1574.002,DLL Side-Loading,[],[],,SA-11,mitigates,3 +2917,,T1601,Modify System Image,[],[],,SA-11,mitigates,3 +2918,,T1601.001,Patch System Image,[],[],,SA-11,mitigates,3 +2919,,T1601.002,Downgrade System Image,[],[],,SA-11,mitigates,3 +2920,,T1612,Build Image on Host,[],[],,SA-11,mitigates,3 +2921,,T1078,Valid Accounts,[],[],,SA-12,mitigates,3 +2922,,T1078,Valid Accounts,[],[],,SA-15,mitigates,3 +2923,,T1078.001,Default Accounts,[],[],,SA-15,mitigates,3 +2924,,T1078.003,Local Accounts,[],[],,SA-15,mitigates,3 +2925,,T1078.004,Cloud Accounts,[],[],,SA-15,mitigates,3 +2926,,T1528,Steal Application Access Token,[],[],,SA-15,mitigates,3 +2927,,T1552,Unsecured Credentials,[],[],,SA-15,mitigates,3 
+2928,,T1552.001,Credentials In Files,[],[],,SA-15,mitigates,3 +2929,,T1552.002,Credentials in Registry,[],[],,SA-15,mitigates,3 +2930,,T1552.004,Private Keys,[],[],,SA-15,mitigates,3 +2931,,T1552.006,Group Policy Preferences,[],[],,SA-15,mitigates,3 +2932,,T1558.004,AS-REP Roasting,[],[],,SA-15,mitigates,3 +2933,,T1574.002,DLL Side-Loading,[],[],,SA-15,mitigates,3 +2934,,T1078,Valid Accounts,[],[],,SA-16,mitigates,3 +2935,,T1078.001,Default Accounts,[],[],,SA-16,mitigates,3 +2936,,T1078.003,Local Accounts,[],[],,SA-16,mitigates,3 +2937,,T1078.004,Cloud Accounts,[],[],,SA-16,mitigates,3 +2938,,T1574.002,DLL Side-Loading,[],[],,SA-16,mitigates,3 +2939,,T1078,Valid Accounts,[],[],,SA-17,mitigates,3 +2940,,T1078.001,Default Accounts,[],[],,SA-17,mitigates,3 +2941,,T1078.003,Local Accounts,[],[],,SA-17,mitigates,3 +2942,,T1078.004,Cloud Accounts,[],[],,SA-17,mitigates,3 +2943,,T1134.005,SID-History Injection,[],[],,SA-17,mitigates,3 +2944,,T1482,Domain Trust Discovery,[],[],,SA-17,mitigates,3 +2945,,T1574.002,DLL Side-Loading,[],[],,SA-17,mitigates,3 +2946,,T1189,Drive-by Compromise,[],[],,SA-22,mitigates,3 +2947,,T1195,Supply Chain Compromise,[],[],,SA-22,mitigates,3 +2948,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SA-22,mitigates,3 +2949,,T1195.002,Compromise Software Supply Chain,[],[],,SA-22,mitigates,3 +2950,,T1543,Create or Modify System Process,[],[],,SA-22,mitigates,3 +2951,,T1543.002,Systemd Service,[],[],,SA-22,mitigates,3 +2952,,T1078,Valid Accounts,[],[],,SA-3,mitigates,3 +2953,,T1078.001,Default Accounts,[],[],,SA-3,mitigates,3 +2954,,T1078.003,Local Accounts,[],[],,SA-3,mitigates,3 +2955,,T1078.004,Cloud Accounts,[],[],,SA-3,mitigates,3 +2956,,T1574.002,DLL Side-Loading,[],[],,SA-3,mitigates,3 +2957,,T1078,Valid Accounts,[],[],,SA-4,mitigates,3 +2958,,T1078.001,Default Accounts,[],[],,SA-4,mitigates,3 +2959,,T1078.003,Local Accounts,[],[],,SA-4,mitigates,3 +2960,,T1078.004,Cloud Accounts,[],[],,SA-4,mitigates,3 
+2961,,T1134.005,SID-History Injection,[],[],,SA-4,mitigates,3 +2962,,T1574.002,DLL Side-Loading,[],[],,SA-4,mitigates,3 +2963,,T1078,Valid Accounts,[],[],,SA-8,mitigates,3 +2964,,T1078.001,Default Accounts,[],[],,SA-8,mitigates,3 +2965,,T1078.003,Local Accounts,[],[],,SA-8,mitigates,3 +2966,,T1078.004,Cloud Accounts,[],[],,SA-8,mitigates,3 +2967,,T1134.005,SID-History Injection,[],[],,SA-8,mitigates,3 +2968,,T1190,Exploit Public-Facing Application,[],[],,SA-8,mitigates,3 +2969,,T1482,Domain Trust Discovery,[],[],,SA-8,mitigates,3 +2970,,T1574.002,DLL Side-Loading,[],[],,SA-8,mitigates,3 +2971,,T1071,Application Layer Protocol,[],[],,SC-10,mitigates,3 +2972,,T1071.001,Web Protocols,[],[],,SC-10,mitigates,3 +2973,,T1071.002,File Transfer Protocols,[],[],,SC-10,mitigates,3 +2974,,T1071.003,Mail Protocols,[],[],,SC-10,mitigates,3 +2975,,T1071.004,DNS,[],[],,SC-10,mitigates,3 +2976,,T1072,Software Deployment Tools,[],[],,SC-12,mitigates,3 +2977,,T1098.004,SSH Authorized Keys,[],[],,SC-12,mitigates,3 +2978,,T1552,Unsecured Credentials,[],[],,SC-12,mitigates,3 +2979,,T1552.001,Credentials In Files,[],[],,SC-12,mitigates,3 +2980,,T1552.002,Credentials in Registry,[],[],,SC-12,mitigates,3 +2981,,T1552.004,Private Keys,[],[],,SC-12,mitigates,3 +2982,,T1563.001,SSH Hijacking,[],[],,SC-12,mitigates,3 +2983,,T1573,Encrypted Channel,[],[],,SC-12,mitigates,3 +2984,,T1573.001,Symmetric Cryptography,[],[],,SC-12,mitigates,3 +2985,,T1573.002,Asymmetric Cryptography,[],[],,SC-12,mitigates,3 +2986,,T1573,Encrypted Channel,[],[],,SC-16,mitigates,3 +2987,,T1573.001,Symmetric Cryptography,[],[],,SC-16,mitigates,3 +2988,,T1573.002,Asymmetric Cryptography,[],[],,SC-16,mitigates,3 +2989,,T1072,Software Deployment Tools,[],[],,SC-17,mitigates,3 +2990,,T1021.003,Distributed Component Object Model,[],[],,SC-18,mitigates,3 +2991,,T1055,Process Injection,[],[],,SC-18,mitigates,3 +2992,,T1055.001,Dynamic-link Library Injection,[],[],,SC-18,mitigates,3 +2993,,T1055.002,Portable Executable 
Injection,[],[],,SC-18,mitigates,3 +2994,,T1055.003,Thread Execution Hijacking,[],[],,SC-18,mitigates,3 +2995,,T1055.004,Asynchronous Procedure Call,[],[],,SC-18,mitigates,3 +2996,,T1055.005,Thread Local Storage,[],[],,SC-18,mitigates,3 +2997,,T1055.008,Ptrace System Calls,[],[],,SC-18,mitigates,3 +2998,,T1055.009,Proc Memory,[],[],,SC-18,mitigates,3 +2999,,T1055.011,Extra Window Memory Injection,[],[],,SC-18,mitigates,3 +3000,,T1055.012,Process Hollowing,[],[],,SC-18,mitigates,3 +3001,,T1055.013,Process Doppelgänging,[],[],,SC-18,mitigates,3 +3002,,T1055.014,VDSO Hijacking,[],[],,SC-18,mitigates,3 +3003,,T1059,Command and Scripting Interpreter,[],[],,SC-18,mitigates,3 +3004,,T1059.005,Visual Basic,[],[],,SC-18,mitigates,3 +3005,,T1059.007,JavaScript,[],[],,SC-18,mitigates,3 +3006,,T1068,Exploitation for Privilege Escalation,[],[],,SC-18,mitigates,3 +3007,,T1189,Drive-by Compromise,[],[],,SC-18,mitigates,3 +3008,,T1190,Exploit Public-Facing Application,[],[],,SC-18,mitigates,3 +3009,,T1203,Exploitation for Client Execution,[],[],,SC-18,mitigates,3 +3010,,T1210,Exploitation of Remote Services,[],[],,SC-18,mitigates,3 +3011,,T1211,Exploitation for Defense Evasion,[],[],,SC-18,mitigates,3 +3012,,T1212,Exploitation for Credential Access,[],[],,SC-18,mitigates,3 +3013,,T1218.001,Compiled HTML File,[],[],,SC-18,mitigates,3 +3014,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-18,mitigates,3 +3015,,T1548.004,Elevated Execution with Prompt,[],[],,SC-18,mitigates,3 +3016,,T1559,Inter-Process Communication,[],[],,SC-18,mitigates,3 +3017,,T1559.001,Component Object Model,[],[],,SC-18,mitigates,3 +3018,,T1559.002,Dynamic Data Exchange,[],[],,SC-18,mitigates,3 +3019,,T1611,Escape to Host,[],[],,SC-18,mitigates,3 +3020,,T1068,Exploitation for Privilege Escalation,[],[],,SC-2,mitigates,3 +3021,,T1189,Drive-by Compromise,[],[],,SC-2,mitigates,3 +3022,,T1190,Exploit Public-Facing Application,[],[],,SC-2,mitigates,3 +3023,,T1203,Exploitation for Client 
Execution,[],[],,SC-2,mitigates,3 +3024,,T1210,Exploitation of Remote Services,[],[],,SC-2,mitigates,3 +3025,,T1211,Exploitation for Defense Evasion,[],[],,SC-2,mitigates,3 +3026,,T1212,Exploitation for Credential Access,[],[],,SC-2,mitigates,3 +3027,,T1611,Escape to Host,[],[],,SC-2,mitigates,3 +3028,,T1071,Application Layer Protocol,[],[],,SC-20,mitigates,3 +3029,,T1071.001,Web Protocols,[],[],,SC-20,mitigates,3 +3030,,T1071.002,File Transfer Protocols,[],[],,SC-20,mitigates,3 +3031,,T1071.003,Mail Protocols,[],[],,SC-20,mitigates,3 +3032,,T1071.004,DNS,[],[],,SC-20,mitigates,3 +3033,,T1553.004,Install Root Certificate,[],[],,SC-20,mitigates,3 +3034,,T1566,Phishing,[],[],,SC-20,mitigates,3 +3035,,T1566.001,Spearphishing Attachment,[],[],,SC-20,mitigates,3 +3036,,T1566.002,Spearphishing Link,[],[],,SC-20,mitigates,3 +3037,,T1568,Dynamic Resolution,[],[],,SC-20,mitigates,3 +3038,,T1568.002,Domain Generation Algorithms,[],[],,SC-20,mitigates,3 +3039,,T1598,Phishing for Information,[],[],,SC-20,mitigates,3 +3040,,T1598.002,Spearphishing Attachment,[],[],,SC-20,mitigates,3 +3041,,T1598.003,Spearphishing Link,[],[],,SC-20,mitigates,3 +3042,,T1071,Application Layer Protocol,[],[],,SC-21,mitigates,3 +3043,,T1071.001,Web Protocols,[],[],,SC-21,mitigates,3 +3044,,T1071.002,File Transfer Protocols,[],[],,SC-21,mitigates,3 +3045,,T1071.003,Mail Protocols,[],[],,SC-21,mitigates,3 +3046,,T1071.004,DNS,[],[],,SC-21,mitigates,3 +3047,,T1568,Dynamic Resolution,[],[],,SC-21,mitigates,3 +3048,,T1568.002,Domain Generation Algorithms,[],[],,SC-21,mitigates,3 +3049,,T1071,Application Layer Protocol,[],[],,SC-22,mitigates,3 +3050,,T1071.001,Web Protocols,[],[],,SC-22,mitigates,3 +3051,,T1071.002,File Transfer Protocols,[],[],,SC-22,mitigates,3 +3052,,T1071.003,Mail Protocols,[],[],,SC-22,mitigates,3 +3053,,T1071.004,DNS,[],[],,SC-22,mitigates,3 +3054,,T1568,Dynamic Resolution,[],[],,SC-22,mitigates,3 +3055,,T1568.002,Domain Generation Algorithms,[],[],,SC-22,mitigates,3 
+3056,,T1071,Application Layer Protocol,[],[],,SC-23,mitigates,3 +3057,,T1071.001,Web Protocols,[],[],,SC-23,mitigates,3 +3058,,T1071.002,File Transfer Protocols,[],[],,SC-23,mitigates,3 +3059,,T1071.003,Mail Protocols,[],[],,SC-23,mitigates,3 +3060,,T1071.004,DNS,[],[],,SC-23,mitigates,3 +3061,,T1535,Unused/Unsupported Cloud Regions,[],[],,SC-23,mitigates,3 +3062,,T1550.004,Web Session Cookie,[],[],,SC-23,mitigates,3 +3063,,T1557,Man-in-the-Middle,[],[],,SC-23,mitigates,3 +3064,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-23,mitigates,3 +3065,,T1557.002,ARP Cache Poisoning,[],[],,SC-23,mitigates,3 +3066,,T1563.001,SSH Hijacking,[],[],,SC-23,mitigates,3 +3067,,T1573,Encrypted Channel,[],[],,SC-23,mitigates,3 +3068,,T1573.001,Symmetric Cryptography,[],[],,SC-23,mitigates,3 +3069,,T1573.002,Asymmetric Cryptography,[],[],,SC-23,mitigates,3 +3070,,T1068,Exploitation for Privilege Escalation,[],[],,SC-26,mitigates,3 +3071,,T1210,Exploitation of Remote Services,[],[],,SC-26,mitigates,3 +3072,,T1211,Exploitation for Defense Evasion,[],[],,SC-26,mitigates,3 +3073,,T1212,Exploitation for Credential Access,[],[],,SC-26,mitigates,3 +3074,,T1003,OS Credential Dumping,[],[],,SC-28,mitigates,3 +3075,,T1003.001,LSASS Memory,[],[],,SC-28,mitigates,3 +3076,,T1003.002,Security Account Manager,[],[],,SC-28,mitigates,3 +3077,,T1003.003,NTDS,[],[],,SC-28,mitigates,3 +3078,,T1003.004,LSA Secrets,[],[],,SC-28,mitigates,3 +3079,,T1003.005,Cached Domain Credentials,[],[],,SC-28,mitigates,3 +3080,,T1003.006,DCSync,[],[],,SC-28,mitigates,3 +3081,,T1003.007,Proc Filesystem,[],[],,SC-28,mitigates,3 +3082,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-28,mitigates,3 +3083,,T1078,Valid Accounts,[],[],,SC-28,mitigates,3 +3084,,T1078.001,Default Accounts,[],[],,SC-28,mitigates,3 +3085,,T1078.003,Local Accounts,[],[],,SC-28,mitigates,3 +3086,,T1078.004,Cloud Accounts,[],[],,SC-28,mitigates,3 +3087,,T1213,Data from Information Repositories,[],[],,SC-28,mitigates,3 
+3088,,T1213.001,Confluence,[],[],,SC-28,mitigates,3 +3089,,T1213.002,Sharepoint,[],[],,SC-28,mitigates,3 +3090,,T1530,Data from Cloud Storage Object,[],[],,SC-28,mitigates,3 +3091,,T1550.001,Application Access Token,[],[],,SC-28,mitigates,3 +3092,,T1552,Unsecured Credentials,[],[],,SC-28,mitigates,3 +3093,,T1552.001,Credentials In Files,[],[],,SC-28,mitigates,3 +3094,,T1552.002,Credentials in Registry,[],[],,SC-28,mitigates,3 +3095,,T1552.003,Bash History,[],[],,SC-28,mitigates,3 +3096,,T1552.004,Private Keys,[],[],,SC-28,mitigates,3 +3097,,T1565,Data Manipulation,[],[],,SC-28,mitigates,3 +3098,,T1565.001,Stored Data Manipulation,[],[],,SC-28,mitigates,3 +3099,,T1565.003,Runtime Data Manipulation,[],[],,SC-28,mitigates,3 +3100,,T1599,Network Boundary Bridging,[],[],,SC-28,mitigates,3 +3101,,T1599.001,Network Address Translation Traversal,[],[],,SC-28,mitigates,3 +3102,,T1602,Data from Configuration Repository,[],[],,SC-28,mitigates,3 +3103,,T1602.001,SNMP (MIB Dump),[],[],,SC-28,mitigates,3 +3104,,T1602.002,Network Device Configuration Dump,[],[],,SC-28,mitigates,3 +3105,,T1068,Exploitation for Privilege Escalation,[],[],,SC-29,mitigates,3 +3106,,T1189,Drive-by Compromise,[],[],,SC-29,mitigates,3 +3107,,T1190,Exploit Public-Facing Application,[],[],,SC-29,mitigates,3 +3108,,T1203,Exploitation for Client Execution,[],[],,SC-29,mitigates,3 +3109,,T1210,Exploitation of Remote Services,[],[],,SC-29,mitigates,3 +3110,,T1211,Exploitation for Defense Evasion,[],[],,SC-29,mitigates,3 +3111,,T1212,Exploitation for Credential Access,[],[],,SC-29,mitigates,3 +3112,,T1021.003,Distributed Component Object Model,[],[],,SC-3,mitigates,3 +3113,,T1068,Exploitation for Privilege Escalation,[],[],,SC-3,mitigates,3 +3114,,T1134.005,SID-History Injection,[],[],,SC-3,mitigates,3 +3115,,T1189,Drive-by Compromise,[],[],,SC-3,mitigates,3 +3116,,T1190,Exploit Public-Facing Application,[],[],,SC-3,mitigates,3 +3117,,T1203,Exploitation for Client Execution,[],[],,SC-3,mitigates,3 
+3118,,T1210,Exploitation of Remote Services,[],[],,SC-3,mitigates,3 +3119,,T1211,Exploitation for Defense Evasion,[],[],,SC-3,mitigates,3 +3120,,T1212,Exploitation for Credential Access,[],[],,SC-3,mitigates,3 +3121,,T1559,Inter-Process Communication,[],[],,SC-3,mitigates,3 +3122,,T1559.001,Component Object Model,[],[],,SC-3,mitigates,3 +3123,,T1559.002,Dynamic Data Exchange,[],[],,SC-3,mitigates,3 +3124,,T1602,Data from Configuration Repository,[],[],,SC-3,mitigates,3 +3125,,T1602.001,SNMP (MIB Dump),[],[],,SC-3,mitigates,3 +3126,,T1602.002,Network Device Configuration Dump,[],[],,SC-3,mitigates,3 +3127,,T1611,Escape to Host,[],[],,SC-3,mitigates,3 +3128,,T1068,Exploitation for Privilege Escalation,[],[],,SC-30,mitigates,3 +3129,,T1189,Drive-by Compromise,[],[],,SC-30,mitigates,3 +3130,,T1190,Exploit Public-Facing Application,[],[],,SC-30,mitigates,3 +3131,,T1203,Exploitation for Client Execution,[],[],,SC-30,mitigates,3 +3132,,T1210,Exploitation of Remote Services,[],[],,SC-30,mitigates,3 +3133,,T1211,Exploitation for Defense Evasion,[],[],,SC-30,mitigates,3 +3134,,T1212,Exploitation for Credential Access,[],[],,SC-30,mitigates,3 +3135,,T1071,Application Layer Protocol,[],[],,SC-31,mitigates,3 +3136,,T1071.001,Web Protocols,[],[],,SC-31,mitigates,3 +3137,,T1071.002,File Transfer Protocols,[],[],,SC-31,mitigates,3 +3138,,T1071.003,Mail Protocols,[],[],,SC-31,mitigates,3 +3139,,T1071.004,DNS,[],[],,SC-31,mitigates,3 +3140,,T1195.003,Compromise Hardware Supply Chain,[],[],,SC-34,mitigates,3 +3141,,T1542,Pre-OS Boot,[],[],,SC-34,mitigates,3 +3142,,T1542.001,System Firmware,[],[],,SC-34,mitigates,3 +3143,,T1542.003,Bootkit,[],[],,SC-34,mitigates,3 +3144,,T1542.004,ROMMONkit,[],[],,SC-34,mitigates,3 +3145,,T1542.005,TFTP Boot,[],[],,SC-34,mitigates,3 +3146,,T1548,Abuse Elevation Control Mechanism,[],[],,SC-34,mitigates,3 +3147,,T1548.004,Elevated Execution with Prompt,[],[],,SC-34,mitigates,3 +3148,,T1553,Subvert Trust Controls,[],[],,SC-34,mitigates,3 
+3149,,T1553.006,Code Signing Policy Modification,[],[],,SC-34,mitigates,3 +3150,,T1601,Modify System Image,[],[],,SC-34,mitigates,3 +3151,,T1601.001,Patch System Image,[],[],,SC-34,mitigates,3 +3152,,T1601.002,Downgrade System Image,[],[],,SC-34,mitigates,3 +3153,,T1611,Escape to Host,[],[],,SC-34,mitigates,3 +3154,,T1068,Exploitation for Privilege Escalation,[],[],,SC-35,mitigates,3 +3155,,T1210,Exploitation of Remote Services,[],[],,SC-35,mitigates,3 +3156,,T1211,Exploitation for Defense Evasion,[],[],,SC-35,mitigates,3 +3157,,T1212,Exploitation for Credential Access,[],[],,SC-35,mitigates,3 +3158,,T1070,Indicator Removal on Host,[],[],,SC-36,mitigates,3 +3159,,T1070.001,Clear Windows Event Logs,[],[],,SC-36,mitigates,3 +3160,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-36,mitigates,3 +3161,,T1119,Automated Collection,[],[],,SC-36,mitigates,3 +3162,,T1565,Data Manipulation,[],[],,SC-36,mitigates,3 +3163,,T1565.001,Stored Data Manipulation,[],[],,SC-36,mitigates,3 +3164,,T1071,Application Layer Protocol,[],[],,SC-37,mitigates,3 +3165,,T1071.001,Web Protocols,[],[],,SC-37,mitigates,3 +3166,,T1071.002,File Transfer Protocols,[],[],,SC-37,mitigates,3 +3167,,T1071.003,Mail Protocols,[],[],,SC-37,mitigates,3 +3168,,T1071.004,DNS,[],[],,SC-37,mitigates,3 +3169,,T1003,OS Credential Dumping,[],[],,SC-39,mitigates,3 +3170,,T1003.001,LSASS Memory,[],[],,SC-39,mitigates,3 +3171,,T1003.002,Security Account Manager,[],[],,SC-39,mitigates,3 +3172,,T1003.003,NTDS,[],[],,SC-39,mitigates,3 +3173,,T1003.004,LSA Secrets,[],[],,SC-39,mitigates,3 +3174,,T1003.005,Cached Domain Credentials,[],[],,SC-39,mitigates,3 +3175,,T1003.006,DCSync,[],[],,SC-39,mitigates,3 +3176,,T1003.007,Proc Filesystem,[],[],,SC-39,mitigates,3 +3177,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SC-39,mitigates,3 +3178,,T1068,Exploitation for Privilege Escalation,[],[],,SC-39,mitigates,3 +3179,,T1189,Drive-by Compromise,[],[],,SC-39,mitigates,3 +3180,,T1190,Exploit Public-Facing 
Application,[],[],,SC-39,mitigates,3 +3181,,T1203,Exploitation for Client Execution,[],[],,SC-39,mitigates,3 +3182,,T1210,Exploitation of Remote Services,[],[],,SC-39,mitigates,3 +3183,,T1211,Exploitation for Defense Evasion,[],[],,SC-39,mitigates,3 +3184,,T1212,Exploitation for Credential Access,[],[],,SC-39,mitigates,3 +3185,,T1547.002,Authentication Package,[],[],,SC-39,mitigates,3 +3186,,T1547.005,Security Support Provider,[],[],,SC-39,mitigates,3 +3187,,T1547.008,LSASS Driver,[],[],,SC-39,mitigates,3 +3188,,T1556,Modify Authentication Process,[],[],,SC-39,mitigates,3 +3189,,T1556.001,Domain Controller Authentication,[],[],,SC-39,mitigates,3 +3190,,T1611,Escape to Host,[],[],,SC-39,mitigates,3 +3191,,T1020.001,Traffic Duplication,[],[],,SC-4,mitigates,3 +3192,,T1040,Network Sniffing,[],[],,SC-4,mitigates,3 +3193,,T1070,Indicator Removal on Host,[],[],,SC-4,mitigates,3 +3194,,T1070.001,Clear Windows Event Logs,[],[],,SC-4,mitigates,3 +3195,,T1070.002,Clear Linux or Mac System Logs,[],[],,SC-4,mitigates,3 +3196,,T1080,Taint Shared Content,[],[],,SC-4,mitigates,3 +3197,,T1119,Automated Collection,[],[],,SC-4,mitigates,3 +3198,,T1530,Data from Cloud Storage Object,[],[],,SC-4,mitigates,3 +3199,,T1552,Unsecured Credentials,[],[],,SC-4,mitigates,3 +3200,,T1552.001,Credentials In Files,[],[],,SC-4,mitigates,3 +3201,,T1552.002,Credentials in Registry,[],[],,SC-4,mitigates,3 +3202,,T1552.004,Private Keys,[],[],,SC-4,mitigates,3 +3203,,T1557,Man-in-the-Middle,[],[],,SC-4,mitigates,3 +3204,,T1557.002,ARP Cache Poisoning,[],[],,SC-4,mitigates,3 +3205,,T1558,Steal or Forge Kerberos Tickets,[],[],,SC-4,mitigates,3 +3206,,T1558.002,Silver Ticket,[],[],,SC-4,mitigates,3 +3207,,T1558.003,Kerberoasting,[],[],,SC-4,mitigates,3 +3208,,T1558.004,AS-REP Roasting,[],[],,SC-4,mitigates,3 +3209,,T1565,Data Manipulation,[],[],,SC-4,mitigates,3 +3210,,T1565.001,Stored Data Manipulation,[],[],,SC-4,mitigates,3 +3211,,T1565.002,Transmitted Data Manipulation,[],[],,SC-4,mitigates,3 
+3212,,T1565.003,Runtime Data Manipulation,[],[],,SC-4,mitigates,3 +3213,,T1602,Data from Configuration Repository,[],[],,SC-4,mitigates,3 +3214,,T1602.001,SNMP (MIB Dump),[],[],,SC-4,mitigates,3 +3215,,T1602.002,Network Device Configuration Dump,[],[],,SC-4,mitigates,3 +3216,,T1052,Exfiltration Over Physical Medium,[],[],,SC-41,mitigates,3 +3217,,T1052.001,Exfiltration over USB,[],[],,SC-41,mitigates,3 +3218,,T1091,Replication Through Removable Media,[],[],,SC-41,mitigates,3 +3219,,T1200,Hardware Additions,[],[],,SC-41,mitigates,3 +3220,,T1613,Container and Resource Discovery,[],[],,SC-43,mitigates,3 +3221,,T1204,User Execution,[],[],,SC-44,mitigates,3 +3222,,T1204.001,Malicious Link,[],[],,SC-44,mitigates,3 +3223,,T1204.002,Malicious File,[],[],,SC-44,mitigates,3 +3224,,T1204.003,Malicious Image,[],[],,SC-44,mitigates,3 +3225,,T1221,Template Injection,[],[],,SC-44,mitigates,3 +3226,,T1566,Phishing,[],[],,SC-44,mitigates,3 +3227,,T1566.001,Spearphishing Attachment,[],[],,SC-44,mitigates,3 +3228,,T1566.002,Spearphishing Link,[],[],,SC-44,mitigates,3 +3229,,T1566.003,Spearphishing via Service,[],[],,SC-44,mitigates,3 +3230,,T1598,Phishing for Information,[],[],,SC-44,mitigates,3 +3231,,T1598.001,Spearphishing Service,[],[],,SC-44,mitigates,3 +3232,,T1598.002,Spearphishing Attachment,[],[],,SC-44,mitigates,3 +3233,,T1598.003,Spearphishing Link,[],[],,SC-44,mitigates,3 +3234,,T1021.001,Remote Desktop Protocol,[],[],,SC-46,mitigates,3 +3235,,T1021.003,Distributed Component Object Model,[],[],,SC-46,mitigates,3 +3236,,T1021.006,Windows Remote Management,[],[],,SC-46,mitigates,3 +3237,,T1046,Network Service Scanning,[],[],,SC-46,mitigates,3 +3238,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-46,mitigates,3 +3239,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-46,mitigates,3 +3240,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-46,mitigates,3 +3241,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 
Protocol,[],[],,SC-46,mitigates,3 +3242,,T1072,Software Deployment Tools,[],[],,SC-46,mitigates,3 +3243,,T1098,Account Manipulation,[],[],,SC-46,mitigates,3 +3244,,T1098.001,Additional Cloud Credentials,[],[],,SC-46,mitigates,3 +3245,,T1133,External Remote Services,[],[],,SC-46,mitigates,3 +3246,,T1136,Create Account,[],[],,SC-46,mitigates,3 +3247,,T1136.002,Domain Account,[],[],,SC-46,mitigates,3 +3248,,T1136.003,Cloud Account,[],[],,SC-46,mitigates,3 +3249,,T1190,Exploit Public-Facing Application,[],[],,SC-46,mitigates,3 +3250,,T1199,Trusted Relationship,[],[],,SC-46,mitigates,3 +3251,,T1210,Exploitation of Remote Services,[],[],,SC-46,mitigates,3 +3252,,T1482,Domain Trust Discovery,[],[],,SC-46,mitigates,3 +3253,,T1489,Service Stop,[],[],,SC-46,mitigates,3 +3254,,T1552.007,Container API,[],[],,SC-46,mitigates,3 +3255,,T1557,Man-in-the-Middle,[],[],,SC-46,mitigates,3 +3256,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-46,mitigates,3 +3257,,T1563,Remote Service Session Hijacking,[],[],,SC-46,mitigates,3 +3258,,T1563.002,RDP Hijacking,[],[],,SC-46,mitigates,3 +3259,,T1565,Data Manipulation,[],[],,SC-46,mitigates,3 +3260,,T1565.003,Runtime Data Manipulation,[],[],,SC-46,mitigates,3 +3261,,T1001,Data Obfuscation,[],[],,SC-7,mitigates,3 +3262,,T1001.001,Junk Data,[],[],,SC-7,mitigates,3 +3263,,T1001.002,Steganography,[],[],,SC-7,mitigates,3 +3264,,T1001.003,Protocol Impersonation,[],[],,SC-7,mitigates,3 +3265,,T1008,Fallback Channels,[],[],,SC-7,mitigates,3 +3266,,T1021.001,Remote Desktop Protocol,[],[],,SC-7,mitigates,3 +3267,,T1021.002,SMB/Windows Admin Shares,[],[],,SC-7,mitigates,3 +3268,,T1021.003,Distributed Component Object Model,[],[],,SC-7,mitigates,3 +3269,,T1021.005,VNC,[],[],,SC-7,mitigates,3 +3270,,T1021.006,Windows Remote Management,[],[],,SC-7,mitigates,3 +3271,,T1029,Scheduled Transfer,[],[],,SC-7,mitigates,3 +3272,,T1030,Data Transfer Size Limits,[],[],,SC-7,mitigates,3 +3273,,T1041,Exfiltration Over C2 Channel,[],[],,SC-7,mitigates,3 
+3274,,T1046,Network Service Scanning,[],[],,SC-7,mitigates,3 +3275,,T1048,Exfiltration Over Alternative Protocol,[],[],,SC-7,mitigates,3 +3276,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,3 +3277,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SC-7,mitigates,3 +3278,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SC-7,mitigates,3 +3279,,T1055,Process Injection,[],[],,SC-7,mitigates,3 +3280,,T1055.001,Dynamic-link Library Injection,[],[],,SC-7,mitigates,3 +3281,,T1055.002,Portable Executable Injection,[],[],,SC-7,mitigates,3 +3282,,T1055.003,Thread Execution Hijacking,[],[],,SC-7,mitigates,3 +3283,,T1055.004,Asynchronous Procedure Call,[],[],,SC-7,mitigates,3 +3284,,T1055.005,Thread Local Storage,[],[],,SC-7,mitigates,3 +3285,,T1055.008,Ptrace System Calls,[],[],,SC-7,mitigates,3 +3286,,T1055.009,Proc Memory,[],[],,SC-7,mitigates,3 +3287,,T1055.011,Extra Window Memory Injection,[],[],,SC-7,mitigates,3 +3288,,T1055.012,Process Hollowing,[],[],,SC-7,mitigates,3 +3289,,T1055.013,Process Doppelgänging,[],[],,SC-7,mitigates,3 +3290,,T1055.014,VDSO Hijacking,[],[],,SC-7,mitigates,3 +3291,,T1068,Exploitation for Privilege Escalation,[],[],,SC-7,mitigates,3 +3292,,T1071,Application Layer Protocol,[],[],,SC-7,mitigates,3 +3293,,T1071.001,Web Protocols,[],[],,SC-7,mitigates,3 +3294,,T1071.002,File Transfer Protocols,[],[],,SC-7,mitigates,3 +3295,,T1071.003,Mail Protocols,[],[],,SC-7,mitigates,3 +3296,,T1071.004,DNS,[],[],,SC-7,mitigates,3 +3297,,T1072,Software Deployment Tools,[],[],,SC-7,mitigates,3 +3298,,T1080,Taint Shared Content,[],[],,SC-7,mitigates,3 +3299,,T1090,Proxy,[],[],,SC-7,mitigates,3 +3300,,T1090.001,Internal Proxy,[],[],,SC-7,mitigates,3 +3301,,T1090.002,External Proxy,[],[],,SC-7,mitigates,3 +3302,,T1090.003,Multi-hop Proxy,[],[],,SC-7,mitigates,3 +3303,,T1095,Non-Application Layer Protocol,[],[],,SC-7,mitigates,3 +3304,,T1098,Account 
Manipulation,[],[],,SC-7,mitigates,3 +3305,,T1098.001,Additional Cloud Credentials,[],[],,SC-7,mitigates,3 +3306,,T1102,Web Service,[],[],,SC-7,mitigates,3 +3307,,T1102.001,Dead Drop Resolver,[],[],,SC-7,mitigates,3 +3308,,T1102.002,Bidirectional Communication,[],[],,SC-7,mitigates,3 +3309,,T1102.003,One-Way Communication,[],[],,SC-7,mitigates,3 +3310,,T1104,Multi-Stage Channels,[],[],,SC-7,mitigates,3 +3311,,T1105,Ingress Tool Transfer,[],[],,SC-7,mitigates,3 +3312,,T1114,Email Collection,[],[],,SC-7,mitigates,3 +3313,,T1114.003,Email Forwarding Rule,[],[],,SC-7,mitigates,3 +3314,,T1132,Data Encoding,[],[],,SC-7,mitigates,3 +3315,,T1132.001,Standard Encoding,[],[],,SC-7,mitigates,3 +3316,,T1132.002,Non-Standard Encoding,[],[],,SC-7,mitigates,3 +3317,,T1133,External Remote Services,[],[],,SC-7,mitigates,3 +3318,,T1136,Create Account,[],[],,SC-7,mitigates,3 +3319,,T1136.002,Domain Account,[],[],,SC-7,mitigates,3 +3320,,T1136.003,Cloud Account,[],[],,SC-7,mitigates,3 +3321,,T1176,Browser Extensions,[],[],,SC-7,mitigates,3 +3322,,T1187,Forced Authentication,[],[],,SC-7,mitigates,3 +3323,,T1189,Drive-by Compromise,[],[],,SC-7,mitigates,3 +3324,,T1190,Exploit Public-Facing Application,[],[],,SC-7,mitigates,3 +3325,,T1197,BITS Jobs,[],[],,SC-7,mitigates,3 +3326,,T1199,Trusted Relationship,[],[],,SC-7,mitigates,3 +3327,,T1203,Exploitation for Client Execution,[],[],,SC-7,mitigates,3 +3328,,T1204,User Execution,[],[],,SC-7,mitigates,3 +3329,,T1204.001,Malicious Link,[],[],,SC-7,mitigates,3 +3330,,T1204.002,Malicious File,[],[],,SC-7,mitigates,3 +3331,,T1204.003,Malicious Image,[],[],,SC-7,mitigates,3 +3332,,T1205,Traffic Signaling,[],[],,SC-7,mitigates,3 +3333,,T1205.001,Port Knocking,[],[],,SC-7,mitigates,3 +3334,,T1210,Exploitation of Remote Services,[],[],,SC-7,mitigates,3 +3335,,T1211,Exploitation for Defense Evasion,[],[],,SC-7,mitigates,3 +3336,,T1212,Exploitation for Credential Access,[],[],,SC-7,mitigates,3 +3337,,T1218.012,Verclsid,[],[],,SC-7,mitigates,3 
+3338,,T1219,Remote Access Software,[],[],,SC-7,mitigates,3 +3339,,T1221,Template Injection,[],[],,SC-7,mitigates,3 +3340,,T1482,Domain Trust Discovery,[],[],,SC-7,mitigates,3 +3341,,T1489,Service Stop,[],[],,SC-7,mitigates,3 +3342,,T1498,Network Denial of Service,[],[],,SC-7,mitigates,3 +3343,,T1498.001,Direct Network Flood,[],[],,SC-7,mitigates,3 +3344,,T1498.002,Reflection Amplification,[],[],,SC-7,mitigates,3 +3345,,T1499,Endpoint Denial of Service,[],[],,SC-7,mitigates,3 +3346,,T1499.001,OS Exhaustion Flood,[],[],,SC-7,mitigates,3 +3347,,T1499.002,Service Exhaustion Flood,[],[],,SC-7,mitigates,3 +3348,,T1499.003,Application Exhaustion Flood,[],[],,SC-7,mitigates,3 +3349,,T1499.004,Application or System Exploitation,[],[],,SC-7,mitigates,3 +3350,,T1530,Data from Cloud Storage Object,[],[],,SC-7,mitigates,3 +3351,,T1537,Transfer Data to Cloud Account,[],[],,SC-7,mitigates,3 +3352,,T1542,Pre-OS Boot,[],[],,SC-7,mitigates,3 +3353,,T1542.004,ROMMONkit,[],[],,SC-7,mitigates,3 +3354,,T1542.005,TFTP Boot,[],[],,SC-7,mitigates,3 +3355,,T1552,Unsecured Credentials,[],[],,SC-7,mitigates,3 +3356,,T1552.001,Credentials In Files,[],[],,SC-7,mitigates,3 +3357,,T1552.004,Private Keys,[],[],,SC-7,mitigates,3 +3358,,T1552.005,Cloud Instance Metadata API,[],[],,SC-7,mitigates,3 +3359,,T1552.007,Container API,[],[],,SC-7,mitigates,3 +3360,,T1557,Man-in-the-Middle,[],[],,SC-7,mitigates,3 +3361,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-7,mitigates,3 +3362,,T1557.002,ARP Cache Poisoning,[],[],,SC-7,mitigates,3 +3363,,T1559,Inter-Process Communication,[],[],,SC-7,mitigates,3 +3364,,T1559.001,Component Object Model,[],[],,SC-7,mitigates,3 +3365,,T1559.002,Dynamic Data Exchange,[],[],,SC-7,mitigates,3 +3366,,T1560,Archive Collected Data,[],[],,SC-7,mitigates,3 +3367,,T1560.001,Archive via Utility,[],[],,SC-7,mitigates,3 +3368,,T1563,Remote Service Session Hijacking,[],[],,SC-7,mitigates,3 +3369,,T1563.002,RDP Hijacking,[],[],,SC-7,mitigates,3 +3370,,T1565,Data 
Manipulation,[],[],,SC-7,mitigates,3 +3371,,T1565.001,Stored Data Manipulation,[],[],,SC-7,mitigates,3 +3372,,T1565.003,Runtime Data Manipulation,[],[],,SC-7,mitigates,3 +3373,,T1566,Phishing,[],[],,SC-7,mitigates,3 +3374,,T1566.001,Spearphishing Attachment,[],[],,SC-7,mitigates,3 +3375,,T1566.002,Spearphishing Link,[],[],,SC-7,mitigates,3 +3376,,T1566.003,Spearphishing via Service,[],[],,SC-7,mitigates,3 +3377,,T1567,Exfiltration Over Web Service,[],[],,SC-7,mitigates,3 +3378,,T1567.001,Exfiltration to Code Repository,[],[],,SC-7,mitigates,3 +3379,,T1567.002,Exfiltration to Cloud Storage,[],[],,SC-7,mitigates,3 +3380,,T1568,Dynamic Resolution,[],[],,SC-7,mitigates,3 +3381,,T1568.002,Domain Generation Algorithms,[],[],,SC-7,mitigates,3 +3382,,T1570,Lateral Tool Transfer,[],[],,SC-7,mitigates,3 +3383,,T1571,Non-Standard Port,[],[],,SC-7,mitigates,3 +3384,,T1572,Protocol Tunneling,[],[],,SC-7,mitigates,3 +3385,,T1573,Encrypted Channel,[],[],,SC-7,mitigates,3 +3386,,T1573.001,Symmetric Cryptography,[],[],,SC-7,mitigates,3 +3387,,T1573.002,Asymmetric Cryptography,[],[],,SC-7,mitigates,3 +3388,,T1598,Phishing for Information,[],[],,SC-7,mitigates,3 +3389,,T1598.001,Spearphishing Service,[],[],,SC-7,mitigates,3 +3390,,T1598.002,Spearphishing Attachment,[],[],,SC-7,mitigates,3 +3391,,T1598.003,Spearphishing Link,[],[],,SC-7,mitigates,3 +3392,,T1599,Network Boundary Bridging,[],[],,SC-7,mitigates,3 +3393,,T1599.001,Network Address Translation Traversal,[],[],,SC-7,mitigates,3 +3394,,T1602,Data from Configuration Repository,[],[],,SC-7,mitigates,3 +3395,,T1602.001,SNMP (MIB Dump),[],[],,SC-7,mitigates,3 +3396,,T1602.002,Network Device Configuration Dump,[],[],,SC-7,mitigates,3 +3397,,T1609,Container Administration Command,[],[],,SC-7,mitigates,3 +3398,,T1610,Deploy Container,[],[],,SC-7,mitigates,3 +3399,,T1611,Escape to Host,[],[],,SC-7,mitigates,3 +3400,,T1612,Build Image on Host,[],[],,SC-7,mitigates,3 +3401,,T1613,Container and Resource Discovery,[],[],,SC-7,mitigates,3 
+3402,,T1040,Network Sniffing,[],[],,SC-8,mitigates,3 +3403,,T1090,Proxy,[],[],,SC-8,mitigates,3 +3404,,T1090.004,Domain Fronting,[],[],,SC-8,mitigates,3 +3405,,T1550.001,Application Access Token,[],[],,SC-8,mitigates,3 +3406,,T1550.004,Web Session Cookie,[],[],,SC-8,mitigates,3 +3407,,T1552.007,Container API,[],[],,SC-8,mitigates,3 +3408,,T1557,Man-in-the-Middle,[],[],,SC-8,mitigates,3 +3409,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SC-8,mitigates,3 +3410,,T1557.002,ARP Cache Poisoning,[],[],,SC-8,mitigates,3 +3411,,T1562.006,Indicator Blocking,[],[],,SC-8,mitigates,3 +3412,,T1602,Data from Configuration Repository,[],[],,SC-8,mitigates,3 +3413,,T1602.001,SNMP (MIB Dump),[],[],,SC-8,mitigates,3 +3414,,T1602.002,Network Device Configuration Dump,[],[],,SC-8,mitigates,3 +3415,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-10,mitigates,3 +3416,,T1021.005,VNC,[],[],,SI-10,mitigates,3 +3417,,T1036,Masquerading,[],[],,SI-10,mitigates,3 +3418,,T1036.005,Match Legitimate Name or Location,[],[],,SI-10,mitigates,3 +3419,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-10,mitigates,3 +3420,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,3 +3421,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-10,mitigates,3 +3422,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-10,mitigates,3 +3423,,T1059,Command and Scripting Interpreter,[],[],,SI-10,mitigates,3 +3424,,T1059.002,AppleScript,[],[],,SI-10,mitigates,3 +3425,,T1059.003,Windows Command Shell,[],[],,SI-10,mitigates,3 +3426,,T1059.004,Unix Shell,[],[],,SI-10,mitigates,3 +3427,,T1059.005,Visual Basic,[],[],,SI-10,mitigates,3 +3428,,T1059.006,Python,[],[],,SI-10,mitigates,3 +3429,,T1059.007,JavaScript,[],[],,SI-10,mitigates,3 +3430,,T1059.008,Network Device CLI,[],[],,SI-10,mitigates,3 +3431,,T1071.004,DNS,[],[],,SI-10,mitigates,3 +3432,,T1080,Taint Shared Content,[],[],,SI-10,mitigates,3 
+3433,,T1090,Proxy,[],[],,SI-10,mitigates,3 +3434,,T1090.003,Multi-hop Proxy,[],[],,SI-10,mitigates,3 +3435,,T1095,Non-Application Layer Protocol,[],[],,SI-10,mitigates,3 +3436,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-10,mitigates,3 +3437,,T1129,Shared Modules,[],[],,SI-10,mitigates,3 +3438,,T1176,Browser Extensions,[],[],,SI-10,mitigates,3 +3439,,T1187,Forced Authentication,[],[],,SI-10,mitigates,3 +3440,,T1190,Exploit Public-Facing Application,[],[],,SI-10,mitigates,3 +3441,,T1197,BITS Jobs,[],[],,SI-10,mitigates,3 +3442,,T1204,User Execution,[],[],,SI-10,mitigates,3 +3443,,T1204.002,Malicious File,[],[],,SI-10,mitigates,3 +3444,,T1216,Signed Script Proxy Execution,[],[],,SI-10,mitigates,3 +3445,,T1216.001,PubPrn,[],[],,SI-10,mitigates,3 +3446,,T1218,Signed Binary Proxy Execution,[],[],,SI-10,mitigates,3 +3447,,T1218.001,Compiled HTML File,[],[],,SI-10,mitigates,3 +3448,,T1218.002,Control Panel,[],[],,SI-10,mitigates,3 +3449,,T1218.003,CMSTP,[],[],,SI-10,mitigates,3 +3450,,T1218.004,InstallUtil,[],[],,SI-10,mitigates,3 +3451,,T1218.005,Mshta,[],[],,SI-10,mitigates,3 +3452,,T1218.008,Odbcconf,[],[],,SI-10,mitigates,3 +3453,,T1218.009,Regsvcs/Regasm,[],[],,SI-10,mitigates,3 +3454,,T1218.010,Regsvr32,[],[],,SI-10,mitigates,3 +3455,,T1218.011,Rundll32,[],[],,SI-10,mitigates,3 +3456,,T1218.012,Verclsid,[],[],,SI-10,mitigates,3 +3457,,T1219,Remote Access Software,[],[],,SI-10,mitigates,3 +3458,,T1220,XSL Script Processing,[],[],,SI-10,mitigates,3 +3459,,T1221,Template Injection,[],[],,SI-10,mitigates,3 +3460,,T1498,Network Denial of Service,[],[],,SI-10,mitigates,3 +3461,,T1498.001,Direct Network Flood,[],[],,SI-10,mitigates,3 +3462,,T1498.002,Reflection Amplification,[],[],,SI-10,mitigates,3 +3463,,T1499,Endpoint Denial of Service,[],[],,SI-10,mitigates,3 +3464,,T1499.001,OS Exhaustion Flood,[],[],,SI-10,mitigates,3 +3465,,T1499.002,Service Exhaustion Flood,[],[],,SI-10,mitigates,3 +3466,,T1499.003,Application Exhaustion 
Flood,[],[],,SI-10,mitigates,3 +3467,,T1499.004,Application or System Exploitation,[],[],,SI-10,mitigates,3 +3468,,T1530,Data from Cloud Storage Object,[],[],,SI-10,mitigates,3 +3469,,T1537,Transfer Data to Cloud Account,[],[],,SI-10,mitigates,3 +3470,,T1546.002,Screensaver,[],[],,SI-10,mitigates,3 +3471,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-10,mitigates,3 +3472,,T1546.008,Accessibility Features,[],[],,SI-10,mitigates,3 +3473,,T1546.009,AppCert DLLs,[],[],,SI-10,mitigates,3 +3474,,T1546.010,AppInit DLLs,[],[],,SI-10,mitigates,3 +3475,,T1547.004,Winlogon Helper DLL,[],[],,SI-10,mitigates,3 +3476,,T1547.006,Kernel Modules and Extensions,[],[],,SI-10,mitigates,3 +3477,,T1552,Unsecured Credentials,[],[],,SI-10,mitigates,3 +3478,,T1552.005,Cloud Instance Metadata API,[],[],,SI-10,mitigates,3 +3479,,T1553,Subvert Trust Controls,[],[],,SI-10,mitigates,3 +3480,,T1553.001,Gatekeeper Bypass,[],[],,SI-10,mitigates,3 +3481,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-10,mitigates,3 +3482,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-10,mitigates,3 +3483,,T1557,Man-in-the-Middle,[],[],,SI-10,mitigates,3 +3484,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-10,mitigates,3 +3485,,T1557.002,ARP Cache Poisoning,[],[],,SI-10,mitigates,3 +3486,,T1564.003,Hidden Window,[],[],,SI-10,mitigates,3 +3487,,T1564.006,Run Virtual Instance,[],[],,SI-10,mitigates,3 +3488,,T1570,Lateral Tool Transfer,[],[],,SI-10,mitigates,3 +3489,,T1572,Protocol Tunneling,[],[],,SI-10,mitigates,3 +3490,,T1574,Hijack Execution Flow,[],[],,SI-10,mitigates,3 +3491,,T1574.001,DLL Search Order Hijacking,[],[],,SI-10,mitigates,3 +3492,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-10,mitigates,3 +3493,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-10,mitigates,3 +3494,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-10,mitigates,3 +3495,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-10,mitigates,3 
+3496,,T1574.012,COR_PROFILER,[],[],,SI-10,mitigates,3 +3497,,T1599,Network Boundary Bridging,[],[],,SI-10,mitigates,3 +3498,,T1599.001,Network Address Translation Traversal,[],[],,SI-10,mitigates,3 +3499,,T1602,Data from Configuration Repository,[],[],,SI-10,mitigates,3 +3500,,T1602.001,SNMP (MIB Dump),[],[],,SI-10,mitigates,3 +3501,,T1602.002,Network Device Configuration Dump,[],[],,SI-10,mitigates,3 +3502,,T1609,Container Administration Command,[],[],,SI-10,mitigates,3 +3503,,T1003,OS Credential Dumping,[],[],,SI-12,mitigates,3 +3504,,T1003.003,NTDS,[],[],,SI-12,mitigates,3 +3505,,T1020.001,Traffic Duplication,[],[],,SI-12,mitigates,3 +3506,,T1040,Network Sniffing,[],[],,SI-12,mitigates,3 +3507,,T1070,Indicator Removal on Host,[],[],,SI-12,mitigates,3 +3508,,T1070.001,Clear Windows Event Logs,[],[],,SI-12,mitigates,3 +3509,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-12,mitigates,3 +3510,,T1114,Email Collection,[],[],,SI-12,mitigates,3 +3511,,T1114.001,Local Email Collection,[],[],,SI-12,mitigates,3 +3512,,T1114.002,Remote Email Collection,[],[],,SI-12,mitigates,3 +3513,,T1114.003,Email Forwarding Rule,[],[],,SI-12,mitigates,3 +3514,,T1119,Automated Collection,[],[],,SI-12,mitigates,3 +3515,,T1530,Data from Cloud Storage Object,[],[],,SI-12,mitigates,3 +3516,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-12,mitigates,3 +3517,,T1548.004,Elevated Execution with Prompt,[],[],,SI-12,mitigates,3 +3518,,T1550.001,Application Access Token,[],[],,SI-12,mitigates,3 +3519,,T1552,Unsecured Credentials,[],[],,SI-12,mitigates,3 +3520,,T1552.004,Private Keys,[],[],,SI-12,mitigates,3 +3521,,T1557,Man-in-the-Middle,[],[],,SI-12,mitigates,3 +3522,,T1557.002,ARP Cache Poisoning,[],[],,SI-12,mitigates,3 +3523,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-12,mitigates,3 +3524,,T1558.002,Silver Ticket,[],[],,SI-12,mitigates,3 +3525,,T1558.003,Kerberoasting,[],[],,SI-12,mitigates,3 +3526,,T1558.004,AS-REP Roasting,[],[],,SI-12,mitigates,3 +3527,,T1565,Data 
Manipulation,[],[],,SI-12,mitigates,3 +3528,,T1565.001,Stored Data Manipulation,[],[],,SI-12,mitigates,3 +3529,,T1565.002,Transmitted Data Manipulation,[],[],,SI-12,mitigates,3 +3530,,T1602,Data from Configuration Repository,[],[],,SI-12,mitigates,3 +3531,,T1602.001,SNMP (MIB Dump),[],[],,SI-12,mitigates,3 +3532,,T1602.002,Network Device Configuration Dump,[],[],,SI-12,mitigates,3 +3533,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-15,mitigates,3 +3534,,T1021.005,VNC,[],[],,SI-15,mitigates,3 +3535,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-15,mitigates,3 +3536,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,3 +3537,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-15,mitigates,3 +3538,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-15,mitigates,3 +3539,,T1071.004,DNS,[],[],,SI-15,mitigates,3 +3540,,T1090,Proxy,[],[],,SI-15,mitigates,3 +3541,,T1090.003,Multi-hop Proxy,[],[],,SI-15,mitigates,3 +3542,,T1095,Non-Application Layer Protocol,[],[],,SI-15,mitigates,3 +3543,,T1187,Forced Authentication,[],[],,SI-15,mitigates,3 +3544,,T1197,BITS Jobs,[],[],,SI-15,mitigates,3 +3545,,T1205,Traffic Signaling,[],[],,SI-15,mitigates,3 +3546,,T1205.001,Port Knocking,[],[],,SI-15,mitigates,3 +3547,,T1218.012,Verclsid,[],[],,SI-15,mitigates,3 +3548,,T1219,Remote Access Software,[],[],,SI-15,mitigates,3 +3549,,T1498,Network Denial of Service,[],[],,SI-15,mitigates,3 +3550,,T1498.001,Direct Network Flood,[],[],,SI-15,mitigates,3 +3551,,T1498.002,Reflection Amplification,[],[],,SI-15,mitigates,3 +3552,,T1499,Endpoint Denial of Service,[],[],,SI-15,mitigates,3 +3553,,T1499.001,OS Exhaustion Flood,[],[],,SI-15,mitigates,3 +3554,,T1499.002,Service Exhaustion Flood,[],[],,SI-15,mitigates,3 +3555,,T1499.003,Application Exhaustion Flood,[],[],,SI-15,mitigates,3 +3556,,T1499.004,Application or System Exploitation,[],[],,SI-15,mitigates,3 +3557,,T1530,Data from Cloud Storage 
Object,[],[],,SI-15,mitigates,3 +3558,,T1537,Transfer Data to Cloud Account,[],[],,SI-15,mitigates,3 +3559,,T1552,Unsecured Credentials,[],[],,SI-15,mitigates,3 +3560,,T1552.005,Cloud Instance Metadata API,[],[],,SI-15,mitigates,3 +3561,,T1557,Man-in-the-Middle,[],[],,SI-15,mitigates,3 +3562,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-15,mitigates,3 +3563,,T1557.002,ARP Cache Poisoning,[],[],,SI-15,mitigates,3 +3564,,T1570,Lateral Tool Transfer,[],[],,SI-15,mitigates,3 +3565,,T1572,Protocol Tunneling,[],[],,SI-15,mitigates,3 +3566,,T1599,Network Boundary Bridging,[],[],,SI-15,mitigates,3 +3567,,T1599.001,Network Address Translation Traversal,[],[],,SI-15,mitigates,3 +3568,,T1602,Data from Configuration Repository,[],[],,SI-15,mitigates,3 +3569,,T1602.001,SNMP (MIB Dump),[],[],,SI-15,mitigates,3 +3570,,T1602.002,Network Device Configuration Dump,[],[],,SI-15,mitigates,3 +3571,,T1055.009,Proc Memory,[],[],,SI-16,mitigates,3 +3572,,T1543,Create or Modify System Process,[],[],,SI-16,mitigates,3 +3573,,T1543.002,Systemd Service,[],[],,SI-16,mitigates,3 +3574,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-16,mitigates,3 +3575,,T1548.004,Elevated Execution with Prompt,[],[],,SI-16,mitigates,3 +3576,,T1565,Data Manipulation,[],[],,SI-16,mitigates,3 +3577,,T1565.001,Stored Data Manipulation,[],[],,SI-16,mitigates,3 +3578,,T1565.003,Runtime Data Manipulation,[],[],,SI-16,mitigates,3 +3579,,T1611,Escape to Host,[],[],,SI-16,mitigates,3 +3580,,T1027,Obfuscated Files or Information,[],[],,SI-2,mitigates,3 +3581,,T1027.002,Software Packing,[],[],,SI-2,mitigates,3 +3582,,T1055,Process Injection,[],[],,SI-2,mitigates,3 +3583,,T1055.001,Dynamic-link Library Injection,[],[],,SI-2,mitigates,3 +3584,,T1055.002,Portable Executable Injection,[],[],,SI-2,mitigates,3 +3585,,T1055.003,Thread Execution Hijacking,[],[],,SI-2,mitigates,3 +3586,,T1055.004,Asynchronous Procedure Call,[],[],,SI-2,mitigates,3 +3587,,T1055.005,Thread Local Storage,[],[],,SI-2,mitigates,3 
+3588,,T1055.008,Ptrace System Calls,[],[],,SI-2,mitigates,3 +3589,,T1055.009,Proc Memory,[],[],,SI-2,mitigates,3 +3590,,T1055.011,Extra Window Memory Injection,[],[],,SI-2,mitigates,3 +3591,,T1055.012,Process Hollowing,[],[],,SI-2,mitigates,3 +3592,,T1055.013,Process Doppelgänging,[],[],,SI-2,mitigates,3 +3593,,T1055.014,VDSO Hijacking,[],[],,SI-2,mitigates,3 +3594,,T1059,Command and Scripting Interpreter,[],[],,SI-2,mitigates,3 +3595,,T1059.001,PowerShell,[],[],,SI-2,mitigates,3 +3596,,T1059.005,Visual Basic,[],[],,SI-2,mitigates,3 +3597,,T1059.006,Python,[],[],,SI-2,mitigates,3 +3598,,T1068,Exploitation for Privilege Escalation,[],[],,SI-2,mitigates,3 +3599,,T1072,Software Deployment Tools,[],[],,SI-2,mitigates,3 +3600,,T1137,Office Application Startup,[],[],,SI-2,mitigates,3 +3601,,T1137.003,Outlook Forms,[],[],,SI-2,mitigates,3 +3602,,T1137.004,Outlook Home Page,[],[],,SI-2,mitigates,3 +3603,,T1137.005,Outlook Rules,[],[],,SI-2,mitigates,3 +3604,,T1189,Drive-by Compromise,[],[],,SI-2,mitigates,3 +3605,,T1190,Exploit Public-Facing Application,[],[],,SI-2,mitigates,3 +3606,,T1195,Supply Chain Compromise,[],[],,SI-2,mitigates,3 +3607,,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,SI-2,mitigates,3 +3608,,T1195.002,Compromise Software Supply Chain,[],[],,SI-2,mitigates,3 +3609,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-2,mitigates,3 +3610,,T1204,User Execution,[],[],,SI-2,mitigates,3 +3611,,T1204.001,Malicious Link,[],[],,SI-2,mitigates,3 +3612,,T1204.003,Malicious Image,[],[],,SI-2,mitigates,3 +3613,,T1210,Exploitation of Remote Services,[],[],,SI-2,mitigates,3 +3614,,T1211,Exploitation for Defense Evasion,[],[],,SI-2,mitigates,3 +3615,,T1212,Exploitation for Credential Access,[],[],,SI-2,mitigates,3 +3616,,T1221,Template Injection,[],[],,SI-2,mitigates,3 +3617,,T1495,Firmware Corruption,[],[],,SI-2,mitigates,3 +3618,,T1525,Implant Internal Image,[],[],,SI-2,mitigates,3 +3619,,T1542,Pre-OS Boot,[],[],,SI-2,mitigates,3 
+3620,,T1542.001,System Firmware,[],[],,SI-2,mitigates,3 +3621,,T1542.003,Bootkit,[],[],,SI-2,mitigates,3 +3622,,T1542.004,ROMMONkit,[],[],,SI-2,mitigates,3 +3623,,T1542.005,TFTP Boot,[],[],,SI-2,mitigates,3 +3624,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-2,mitigates,3 +3625,,T1546.010,AppInit DLLs,[],[],,SI-2,mitigates,3 +3626,,T1546.011,Application Shimming,[],[],,SI-2,mitigates,3 +3627,,T1547.006,Kernel Modules and Extensions,[],[],,SI-2,mitigates,3 +3628,,T1548.002,Bypass User Account Control,[],[],,SI-2,mitigates,3 +3629,,T1550.002,Pass the Hash,[],[],,SI-2,mitigates,3 +3630,,T1552,Unsecured Credentials,[],[],,SI-2,mitigates,3 +3631,,T1552.006,Group Policy Preferences,[],[],,SI-2,mitigates,3 +3632,,T1553,Subvert Trust Controls,[],[],,SI-2,mitigates,3 +3633,,T1553.006,Code Signing Policy Modification,[],[],,SI-2,mitigates,3 +3634,,T1555.005,Password Managers,[],[],,SI-2,mitigates,3 +3635,,T1559,Inter-Process Communication,[],[],,SI-2,mitigates,3 +3636,,T1559.002,Dynamic Data Exchange,[],[],,SI-2,mitigates,3 +3637,,T1566,Phishing,[],[],,SI-2,mitigates,3 +3638,,T1566.001,Spearphishing Attachment,[],[],,SI-2,mitigates,3 +3639,,T1566.003,Spearphishing via Service,[],[],,SI-2,mitigates,3 +3640,,T1574,Hijack Execution Flow,[],[],,SI-2,mitigates,3 +3641,,T1574.002,DLL Side-Loading,[],[],,SI-2,mitigates,3 +3642,,T1601,Modify System Image,[],[],,SI-2,mitigates,3 +3643,,T1601.001,Patch System Image,[],[],,SI-2,mitigates,3 +3644,,T1601.002,Downgrade System Image,[],[],,SI-2,mitigates,3 +3645,,T1611,Escape to Host,[],[],,SI-2,mitigates,3 +3646,,T1070,Indicator Removal on Host,[],[],,SI-23,mitigates,3 +3647,,T1070.001,Clear Windows Event Logs,[],[],,SI-23,mitigates,3 +3648,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-23,mitigates,3 +3649,,T1072,Software Deployment Tools,[],[],,SI-23,mitigates,3 +3650,,T1119,Automated Collection,[],[],,SI-23,mitigates,3 +3651,,T1565,Data Manipulation,[],[],,SI-23,mitigates,3 +3652,,T1565.001,Stored Data 
Manipulation,[],[],,SI-23,mitigates,3 +3653,,T1001,Data Obfuscation,[],[],,SI-3,mitigates,3 +3654,,T1001.001,Junk Data,[],[],,SI-3,mitigates,3 +3655,,T1001.002,Steganography,[],[],,SI-3,mitigates,3 +3656,,T1001.003,Protocol Impersonation,[],[],,SI-3,mitigates,3 +3657,,T1003,OS Credential Dumping,[],[],,SI-3,mitigates,3 +3658,,T1003.001,LSASS Memory,[],[],,SI-3,mitigates,3 +3659,,T1003.002,Security Account Manager,[],[],,SI-3,mitigates,3 +3660,,T1003.003,NTDS,[],[],,SI-3,mitigates,3 +3661,,T1003.004,LSA Secrets,[],[],,SI-3,mitigates,3 +3662,,T1003.005,Cached Domain Credentials,[],[],,SI-3,mitigates,3 +3663,,T1003.006,DCSync,[],[],,SI-3,mitigates,3 +3664,,T1003.007,Proc Filesystem,[],[],,SI-3,mitigates,3 +3665,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-3,mitigates,3 +3666,,T1008,Fallback Channels,[],[],,SI-3,mitigates,3 +3667,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-3,mitigates,3 +3668,,T1021.003,Distributed Component Object Model,[],[],,SI-3,mitigates,3 +3669,,T1021.005,VNC,[],[],,SI-3,mitigates,3 +3670,,T1027,Obfuscated Files or Information,[],[],,SI-3,mitigates,3 +3671,,T1027.002,Software Packing,[],[],,SI-3,mitigates,3 +3672,,T1029,Scheduled Transfer,[],[],,SI-3,mitigates,3 +3673,,T1030,Data Transfer Size Limits,[],[],,SI-3,mitigates,3 +3674,,T1036,Masquerading,[],[],,SI-3,mitigates,3 +3675,,T1036.003,Rename System Utilities,[],[],,SI-3,mitigates,3 +3676,,T1036.005,Match Legitimate Name or Location,[],[],,SI-3,mitigates,3 +3677,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-3,mitigates,3 +3678,,T1037.002,Logon Script (Mac),[],[],,SI-3,mitigates,3 +3679,,T1037.003,Network Logon Script,[],[],,SI-3,mitigates,3 +3680,,T1037.004,RC Scripts,[],[],,SI-3,mitigates,3 +3681,,T1037.005,Startup Items,[],[],,SI-3,mitigates,3 +3682,,T1041,Exfiltration Over C2 Channel,[],[],,SI-3,mitigates,3 +3683,,T1046,Network Service Scanning,[],[],,SI-3,mitigates,3 +3684,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-3,mitigates,3 +3685,,T1048.001,Exfiltration 
Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,3 +3686,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-3,mitigates,3 +3687,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-3,mitigates,3 +3688,,T1052,Exfiltration Over Physical Medium,[],[],,SI-3,mitigates,3 +3689,,T1052.001,Exfiltration over USB,[],[],,SI-3,mitigates,3 +3690,,T1055,Process Injection,[],[],,SI-3,mitigates,3 +3691,,T1055.001,Dynamic-link Library Injection,[],[],,SI-3,mitigates,3 +3692,,T1055.002,Portable Executable Injection,[],[],,SI-3,mitigates,3 +3693,,T1055.003,Thread Execution Hijacking,[],[],,SI-3,mitigates,3 +3694,,T1055.004,Asynchronous Procedure Call,[],[],,SI-3,mitigates,3 +3695,,T1055.005,Thread Local Storage,[],[],,SI-3,mitigates,3 +3696,,T1055.008,Ptrace System Calls,[],[],,SI-3,mitigates,3 +3697,,T1055.009,Proc Memory,[],[],,SI-3,mitigates,3 +3698,,T1055.011,Extra Window Memory Injection,[],[],,SI-3,mitigates,3 +3699,,T1055.012,Process Hollowing,[],[],,SI-3,mitigates,3 +3700,,T1055.013,Process Doppelgänging,[],[],,SI-3,mitigates,3 +3701,,T1055.014,VDSO Hijacking,[],[],,SI-3,mitigates,3 +3702,,T1056.002,GUI Input Capture,[],[],,SI-3,mitigates,3 +3703,,T1059,Command and Scripting Interpreter,[],[],,SI-3,mitigates,3 +3704,,T1059.001,PowerShell,[],[],,SI-3,mitigates,3 +3705,,T1059.005,Visual Basic,[],[],,SI-3,mitigates,3 +3706,,T1059.006,Python,[],[],,SI-3,mitigates,3 +3707,,T1059.007,JavaScript,[],[],,SI-3,mitigates,3 +3708,,T1068,Exploitation for Privilege Escalation,[],[],,SI-3,mitigates,3 +3709,,T1070,Indicator Removal on Host,[],[],,SI-3,mitigates,3 +3710,,T1070.001,Clear Windows Event Logs,[],[],,SI-3,mitigates,3 +3711,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-3,mitigates,3 +3712,,T1070.003,Clear Command History,[],[],,SI-3,mitigates,3 +3713,,T1071,Application Layer Protocol,[],[],,SI-3,mitigates,3 +3714,,T1071.001,Web Protocols,[],[],,SI-3,mitigates,3 +3715,,T1071.002,File Transfer 
Protocols,[],[],,SI-3,mitigates,3 +3716,,T1071.003,Mail Protocols,[],[],,SI-3,mitigates,3 +3717,,T1071.004,DNS,[],[],,SI-3,mitigates,3 +3718,,T1072,Software Deployment Tools,[],[],,SI-3,mitigates,3 +3719,,T1080,Taint Shared Content,[],[],,SI-3,mitigates,3 +3720,,T1090,Proxy,[],[],,SI-3,mitigates,3 +3721,,T1090.001,Internal Proxy,[],[],,SI-3,mitigates,3 +3722,,T1090.002,External Proxy,[],[],,SI-3,mitigates,3 +3723,,T1091,Replication Through Removable Media,[],[],,SI-3,mitigates,3 +3724,,T1092,Communication Through Removable Media,[],[],,SI-3,mitigates,3 +3725,,T1095,Non-Application Layer Protocol,[],[],,SI-3,mitigates,3 +3726,,T1098.004,SSH Authorized Keys,[],[],,SI-3,mitigates,3 +3727,,T1102,Web Service,[],[],,SI-3,mitigates,3 +3728,,T1102.001,Dead Drop Resolver,[],[],,SI-3,mitigates,3 +3729,,T1102.002,Bidirectional Communication,[],[],,SI-3,mitigates,3 +3730,,T1102.003,One-Way Communication,[],[],,SI-3,mitigates,3 +3731,,T1104,Multi-Stage Channels,[],[],,SI-3,mitigates,3 +3732,,T1105,Ingress Tool Transfer,[],[],,SI-3,mitigates,3 +3733,,T1111,Two-Factor Authentication Interception,[],[],,SI-3,mitigates,3 +3734,,T1132,Data Encoding,[],[],,SI-3,mitigates,3 +3735,,T1132.001,Standard Encoding,[],[],,SI-3,mitigates,3 +3736,,T1132.002,Non-Standard Encoding,[],[],,SI-3,mitigates,3 +3737,,T1137,Office Application Startup,[],[],,SI-3,mitigates,3 +3738,,T1137.001,Office Template Macros,[],[],,SI-3,mitigates,3 +3739,,T1176,Browser Extensions,[],[],,SI-3,mitigates,3 +3740,,T1185,Man in the Browser,[],[],,SI-3,mitigates,3 +3741,,T1189,Drive-by Compromise,[],[],,SI-3,mitigates,3 +3742,,T1190,Exploit Public-Facing Application,[],[],,SI-3,mitigates,3 +3743,,T1201,Password Policy Discovery,[],[],,SI-3,mitigates,3 +3744,,T1203,Exploitation for Client Execution,[],[],,SI-3,mitigates,3 +3745,,T1204,User Execution,[],[],,SI-3,mitigates,3 +3746,,T1204.001,Malicious Link,[],[],,SI-3,mitigates,3 +3747,,T1204.002,Malicious File,[],[],,SI-3,mitigates,3 +3748,,T1204.003,Malicious 
Image,[],[],,SI-3,mitigates,3 +3749,,T1210,Exploitation of Remote Services,[],[],,SI-3,mitigates,3 +3750,,T1211,Exploitation for Defense Evasion,[],[],,SI-3,mitigates,3 +3751,,T1212,Exploitation for Credential Access,[],[],,SI-3,mitigates,3 +3752,,T1218.002,Control Panel,[],[],,SI-3,mitigates,3 +3753,,T1219,Remote Access Software,[],[],,SI-3,mitigates,3 +3754,,T1221,Template Injection,[],[],,SI-3,mitigates,3 +3755,,T1485,Data Destruction,[],[],,SI-3,mitigates,3 +3756,,T1486,Data Encrypted for Impact,[],[],,SI-3,mitigates,3 +3757,,T1490,Inhibit System Recovery,[],[],,SI-3,mitigates,3 +3758,,T1491,Defacement,[],[],,SI-3,mitigates,3 +3759,,T1491.001,Internal Defacement,[],[],,SI-3,mitigates,3 +3760,,T1491.002,External Defacement,[],[],,SI-3,mitigates,3 +3761,,T1525,Implant Internal Image,[],[],,SI-3,mitigates,3 +3762,,T1539,Steal Web Session Cookie,[],[],,SI-3,mitigates,3 +3763,,T1543,Create or Modify System Process,[],[],,SI-3,mitigates,3 +3764,,T1543.002,Systemd Service,[],[],,SI-3,mitigates,3 +3765,,T1546.002,Screensaver,[],[],,SI-3,mitigates,3 +3766,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-3,mitigates,3 +3767,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-3,mitigates,3 +3768,,T1546.013,PowerShell Profile,[],[],,SI-3,mitigates,3 +3769,,T1546.014,Emond,[],[],,SI-3,mitigates,3 +3770,,T1547.002,Authentication Package,[],[],,SI-3,mitigates,3 +3771,,T1547.005,Security Support Provider,[],[],,SI-3,mitigates,3 +3772,,T1547.006,Kernel Modules and Extensions,[],[],,SI-3,mitigates,3 +3773,,T1547.007,Re-opened Applications,[],[],,SI-3,mitigates,3 +3774,,T1547.008,LSASS Driver,[],[],,SI-3,mitigates,3 +3775,,T1547.013,XDG Autostart Entries,[],[],,SI-3,mitigates,3 +3776,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-3,mitigates,3 +3777,,T1548.004,Elevated Execution with Prompt,[],[],,SI-3,mitigates,3 +3778,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-3,mitigates,3 +3779,,T1557,Man-in-the-Middle,[],[],,SI-3,mitigates,3 +3780,,T1557.001,LLMNR/NBT-NS 
Poisoning and SMB Relay,[],[],,SI-3,mitigates,3 +3781,,T1557.002,ARP Cache Poisoning,[],[],,SI-3,mitigates,3 +3782,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-3,mitigates,3 +3783,,T1558.002,Silver Ticket,[],[],,SI-3,mitigates,3 +3784,,T1558.003,Kerberoasting,[],[],,SI-3,mitigates,3 +3785,,T1558.004,AS-REP Roasting,[],[],,SI-3,mitigates,3 +3786,,T1559,Inter-Process Communication,[],[],,SI-3,mitigates,3 +3787,,T1559.001,Component Object Model,[],[],,SI-3,mitigates,3 +3788,,T1559.002,Dynamic Data Exchange,[],[],,SI-3,mitigates,3 +3789,,T1560,Archive Collected Data,[],[],,SI-3,mitigates,3 +3790,,T1560.001,Archive via Utility,[],[],,SI-3,mitigates,3 +3791,,T1561,Disk Wipe,[],[],,SI-3,mitigates,3 +3792,,T1561.001,Disk Content Wipe,[],[],,SI-3,mitigates,3 +3793,,T1561.002,Disk Structure Wipe,[],[],,SI-3,mitigates,3 +3794,,T1562,Impair Defenses,[],[],,SI-3,mitigates,3 +3795,,T1562.001,Disable or Modify Tools,[],[],,SI-3,mitigates,3 +3796,,T1562.002,Disable Windows Event Logging,[],[],,SI-3,mitigates,3 +3797,,T1562.004,Disable or Modify System Firewall,[],[],,SI-3,mitigates,3 +3798,,T1562.006,Indicator Blocking,[],[],,SI-3,mitigates,3 +3799,,T1564.004,NTFS File Attributes,[],[],,SI-3,mitigates,3 +3800,,T1566,Phishing,[],[],,SI-3,mitigates,3 +3801,,T1566.001,Spearphishing Attachment,[],[],,SI-3,mitigates,3 +3802,,T1566.002,Spearphishing Link,[],[],,SI-3,mitigates,3 +3803,,T1566.003,Spearphishing via Service,[],[],,SI-3,mitigates,3 +3804,,T1568,Dynamic Resolution,[],[],,SI-3,mitigates,3 +3805,,T1568.002,Domain Generation Algorithms,[],[],,SI-3,mitigates,3 +3806,,T1569,System Services,[],[],,SI-3,mitigates,3 +3807,,T1569.002,Service Execution,[],[],,SI-3,mitigates,3 +3808,,T1570,Lateral Tool Transfer,[],[],,SI-3,mitigates,3 +3809,,T1571,Non-Standard Port,[],[],,SI-3,mitigates,3 +3810,,T1572,Protocol Tunneling,[],[],,SI-3,mitigates,3 +3811,,T1573,Encrypted Channel,[],[],,SI-3,mitigates,3 +3812,,T1573.001,Symmetric Cryptography,[],[],,SI-3,mitigates,3 
+3813,,T1573.002,Asymmetric Cryptography,[],[],,SI-3,mitigates,3 +3814,,T1574,Hijack Execution Flow,[],[],,SI-3,mitigates,3 +3815,,T1574.001,DLL Search Order Hijacking,[],[],,SI-3,mitigates,3 +3816,,T1574.004,Dylib Hijacking,[],[],,SI-3,mitigates,3 +3817,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-3,mitigates,3 +3818,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-3,mitigates,3 +3819,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-3,mitigates,3 +3820,,T1598,Phishing for Information,[],[],,SI-3,mitigates,3 +3821,,T1598.001,Spearphishing Service,[],[],,SI-3,mitigates,3 +3822,,T1598.002,Spearphishing Attachment,[],[],,SI-3,mitigates,3 +3823,,T1598.003,Spearphishing Link,[],[],,SI-3,mitigates,3 +3824,,T1602,Data from Configuration Repository,[],[],,SI-3,mitigates,3 +3825,,T1602.001,SNMP (MIB Dump),[],[],,SI-3,mitigates,3 +3826,,T1602.002,Network Device Configuration Dump,[],[],,SI-3,mitigates,3 +3827,,T1611,Escape to Host,[],[],,SI-3,mitigates,3 +3828,,T1001,Data Obfuscation,[],[],,SI-4,mitigates,3 +3829,,T1001.001,Junk Data,[],[],,SI-4,mitigates,3 +3830,,T1001.002,Steganography,[],[],,SI-4,mitigates,3 +3831,,T1001.003,Protocol Impersonation,[],[],,SI-4,mitigates,3 +3832,,T1003,OS Credential Dumping,[],[],,SI-4,mitigates,3 +3833,,T1003.001,LSASS Memory,[],[],,SI-4,mitigates,3 +3834,,T1003.002,Security Account Manager,[],[],,SI-4,mitigates,3 +3835,,T1003.003,NTDS,[],[],,SI-4,mitigates,3 +3836,,T1003.004,LSA Secrets,[],[],,SI-4,mitigates,3 +3837,,T1003.005,Cached Domain Credentials,[],[],,SI-4,mitigates,3 +3838,,T1003.006,DCSync,[],[],,SI-4,mitigates,3 +3839,,T1003.007,Proc Filesystem,[],[],,SI-4,mitigates,3 +3840,,T1003.008,/etc/passwd and /etc/shadow,[],[],,SI-4,mitigates,3 +3841,,T1008,Fallback Channels,[],[],,SI-4,mitigates,3 +3842,,T1011,Exfiltration Over Other Network Medium,[],[],,SI-4,mitigates,3 +3843,,T1011.001,Exfiltration Over Bluetooth,[],[],,SI-4,mitigates,3 +3844,,T1020.001,Traffic 
Duplication,[],[],,SI-4,mitigates,3 +3845,,T1021,Remote Services,[],[],,SI-4,mitigates,3 +3846,,T1021.001,Remote Desktop Protocol,[],[],,SI-4,mitigates,3 +3847,,T1021.002,SMB/Windows Admin Shares,[],[],,SI-4,mitigates,3 +3848,,T1021.003,Distributed Component Object Model,[],[],,SI-4,mitigates,3 +3849,,T1021.004,SSH,[],[],,SI-4,mitigates,3 +3850,,T1021.005,VNC,[],[],,SI-4,mitigates,3 +3851,,T1021.006,Windows Remote Management,[],[],,SI-4,mitigates,3 +3852,,T1027,Obfuscated Files or Information,[],[],,SI-4,mitigates,3 +3853,,T1027.002,Software Packing,[],[],,SI-4,mitigates,3 +3854,,T1029,Scheduled Transfer,[],[],,SI-4,mitigates,3 +3855,,T1030,Data Transfer Size Limits,[],[],,SI-4,mitigates,3 +3856,,T1036,Masquerading,[],[],,SI-4,mitigates,3 +3857,,T1036.001,Invalid Code Signature,[],[],,SI-4,mitigates,3 +3858,,T1036.003,Rename System Utilities,[],[],,SI-4,mitigates,3 +3859,,T1036.005,Match Legitimate Name or Location,[],[],,SI-4,mitigates,3 +3860,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-4,mitigates,3 +3861,,T1037.002,Logon Script (Mac),[],[],,SI-4,mitigates,3 +3862,,T1037.003,Network Logon Script,[],[],,SI-4,mitigates,3 +3863,,T1037.004,RC Scripts,[],[],,SI-4,mitigates,3 +3864,,T1037.005,Startup Items,[],[],,SI-4,mitigates,3 +3865,,T1040,Network Sniffing,[],[],,SI-4,mitigates,3 +3866,,T1041,Exfiltration Over C2 Channel,[],[],,SI-4,mitigates,3 +3867,,T1046,Network Service Scanning,[],[],,SI-4,mitigates,3 +3868,,T1048,Exfiltration Over Alternative Protocol,[],[],,SI-4,mitigates,3 +3869,,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,3 +3870,,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,SI-4,mitigates,3 +3871,,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,SI-4,mitigates,3 +3872,,T1052,Exfiltration Over Physical Medium,[],[],,SI-4,mitigates,3 +3873,,T1052.001,Exfiltration over USB,[],[],,SI-4,mitigates,3 +3874,,T1053,Scheduled Task/Job,[],[],,SI-4,mitigates,3 
+3875,,T1053.001,At (Linux),[],[],,SI-4,mitigates,3 +3876,,T1053.002,At (Windows),[],[],,SI-4,mitigates,3 +3877,,T1053.003,Cron,[],[],,SI-4,mitigates,3 +3878,,T1053.004,Launchd,[],[],,SI-4,mitigates,3 +3879,,T1053.005,Scheduled Task,[],[],,SI-4,mitigates,3 +3880,,T1053.006,Systemd Timers,[],[],,SI-4,mitigates,3 +3881,,T1055,Process Injection,[],[],,SI-4,mitigates,3 +3882,,T1055.001,Dynamic-link Library Injection,[],[],,SI-4,mitigates,3 +3883,,T1055.002,Portable Executable Injection,[],[],,SI-4,mitigates,3 +3884,,T1055.003,Thread Execution Hijacking,[],[],,SI-4,mitigates,3 +3885,,T1055.004,Asynchronous Procedure Call,[],[],,SI-4,mitigates,3 +3886,,T1055.005,Thread Local Storage,[],[],,SI-4,mitigates,3 +3887,,T1055.008,Ptrace System Calls,[],[],,SI-4,mitigates,3 +3888,,T1055.009,Proc Memory,[],[],,SI-4,mitigates,3 +3889,,T1055.011,Extra Window Memory Injection,[],[],,SI-4,mitigates,3 +3890,,T1055.012,Process Hollowing,[],[],,SI-4,mitigates,3 +3891,,T1055.013,Process Doppelgänging,[],[],,SI-4,mitigates,3 +3892,,T1055.014,VDSO Hijacking,[],[],,SI-4,mitigates,3 +3893,,T1056.002,GUI Input Capture,[],[],,SI-4,mitigates,3 +3894,,T1059,Command and Scripting Interpreter,[],[],,SI-4,mitigates,3 +3895,,T1059.001,PowerShell,[],[],,SI-4,mitigates,3 +3896,,T1059.002,AppleScript,[],[],,SI-4,mitigates,3 +3897,,T1059.003,Windows Command Shell,[],[],,SI-4,mitigates,3 +3898,,T1059.004,Unix Shell,[],[],,SI-4,mitigates,3 +3899,,T1059.005,Visual Basic,[],[],,SI-4,mitigates,3 +3900,,T1059.006,Python,[],[],,SI-4,mitigates,3 +3901,,T1059.007,JavaScript,[],[],,SI-4,mitigates,3 +3902,,T1059.008,Network Device CLI,[],[],,SI-4,mitigates,3 +3903,,T1068,Exploitation for Privilege Escalation,[],[],,SI-4,mitigates,3 +3904,,T1070,Indicator Removal on Host,[],[],,SI-4,mitigates,3 +3905,,T1070.001,Clear Windows Event Logs,[],[],,SI-4,mitigates,3 +3906,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-4,mitigates,3 +3907,,T1070.003,Clear Command History,[],[],,SI-4,mitigates,3 
+3908,,T1071,Application Layer Protocol,[],[],,SI-4,mitigates,3 +3909,,T1071.001,Web Protocols,[],[],,SI-4,mitigates,3 +3910,,T1071.002,File Transfer Protocols,[],[],,SI-4,mitigates,3 +3911,,T1071.003,Mail Protocols,[],[],,SI-4,mitigates,3 +3912,,T1071.004,DNS,[],[],,SI-4,mitigates,3 +3913,,T1072,Software Deployment Tools,[],[],,SI-4,mitigates,3 +3914,,T1078,Valid Accounts,[],[],,SI-4,mitigates,3 +3915,,T1078.001,Default Accounts,[],[],,SI-4,mitigates,3 +3916,,T1078.002,Domain Accounts,[],[],,SI-4,mitigates,3 +3917,,T1078.003,Local Accounts,[],[],,SI-4,mitigates,3 +3918,,T1078.004,Cloud Accounts,[],[],,SI-4,mitigates,3 +3919,,T1080,Taint Shared Content,[],[],,SI-4,mitigates,3 +3920,,T1087,Account Discovery,[],[],,SI-4,mitigates,3 +3921,,T1087.001,Local Account,[],[],,SI-4,mitigates,3 +3922,,T1087.002,Domain Account,[],[],,SI-4,mitigates,3 +3923,,T1090,Proxy,[],[],,SI-4,mitigates,3 +3924,,T1090.001,Internal Proxy,[],[],,SI-4,mitigates,3 +3925,,T1090.002,External Proxy,[],[],,SI-4,mitigates,3 +3926,,T1091,Replication Through Removable Media,[],[],,SI-4,mitigates,3 +3927,,T1092,Communication Through Removable Media,[],[],,SI-4,mitigates,3 +3928,,T1095,Non-Application Layer Protocol,[],[],,SI-4,mitigates,3 +3929,,T1098,Account Manipulation,[],[],,SI-4,mitigates,3 +3930,,T1098.001,Additional Cloud Credentials,[],[],,SI-4,mitigates,3 +3931,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-4,mitigates,3 +3932,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-4,mitigates,3 +3933,,T1098.004,SSH Authorized Keys,[],[],,SI-4,mitigates,3 +3934,,T1102,Web Service,[],[],,SI-4,mitigates,3 +3935,,T1102.001,Dead Drop Resolver,[],[],,SI-4,mitigates,3 +3936,,T1102.002,Bidirectional Communication,[],[],,SI-4,mitigates,3 +3937,,T1102.003,One-Way Communication,[],[],,SI-4,mitigates,3 +3938,,T1104,Multi-Stage Channels,[],[],,SI-4,mitigates,3 +3939,,T1105,Ingress Tool Transfer,[],[],,SI-4,mitigates,3 +3940,,T1110,Brute Force,[],[],,SI-4,mitigates,3 
+3941,,T1110.001,Password Guessing,[],[],,SI-4,mitigates,3 +3942,,T1110.002,Password Cracking,[],[],,SI-4,mitigates,3 +3943,,T1110.003,Password Spraying,[],[],,SI-4,mitigates,3 +3944,,T1110.004,Credential Stuffing,[],[],,SI-4,mitigates,3 +3945,,T1111,Two-Factor Authentication Interception,[],[],,SI-4,mitigates,3 +3946,,T1114,Email Collection,[],[],,SI-4,mitigates,3 +3947,,T1114.001,Local Email Collection,[],[],,SI-4,mitigates,3 +3948,,T1114.002,Remote Email Collection,[],[],,SI-4,mitigates,3 +3949,,T1114.003,Email Forwarding Rule,[],[],,SI-4,mitigates,3 +3950,,T1119,Automated Collection,[],[],,SI-4,mitigates,3 +3951,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-4,mitigates,3 +3952,,T1127.001,MSBuild,[],[],,SI-4,mitigates,3 +3953,,T1129,Shared Modules,[],[],,SI-4,mitigates,3 +3954,,T1132,Data Encoding,[],[],,SI-4,mitigates,3 +3955,,T1132.001,Standard Encoding,[],[],,SI-4,mitigates,3 +3956,,T1132.002,Non-Standard Encoding,[],[],,SI-4,mitigates,3 +3957,,T1133,External Remote Services,[],[],,SI-4,mitigates,3 +3958,,T1135,Network Share Discovery,[],[],,SI-4,mitigates,3 +3959,,T1136,Create Account,[],[],,SI-4,mitigates,3 +3960,,T1136.001,Local Account,[],[],,SI-4,mitigates,3 +3961,,T1136.002,Domain Account,[],[],,SI-4,mitigates,3 +3962,,T1136.003,Cloud Account,[],[],,SI-4,mitigates,3 +3963,,T1137,Office Application Startup,[],[],,SI-4,mitigates,3 +3964,,T1137.001,Office Template Macros,[],[],,SI-4,mitigates,3 +3965,,T1176,Browser Extensions,[],[],,SI-4,mitigates,3 +3966,,T1185,Man in the Browser,[],[],,SI-4,mitigates,3 +3967,,T1187,Forced Authentication,[],[],,SI-4,mitigates,3 +3968,,T1189,Drive-by Compromise,[],[],,SI-4,mitigates,3 +3969,,T1190,Exploit Public-Facing Application,[],[],,SI-4,mitigates,3 +3970,,T1197,BITS Jobs,[],[],,SI-4,mitigates,3 +3971,,T1201,Password Policy Discovery,[],[],,SI-4,mitigates,3 +3972,,T1203,Exploitation for Client Execution,[],[],,SI-4,mitigates,3 +3973,,T1204,User Execution,[],[],,SI-4,mitigates,3 
+3974,,T1204.001,Malicious Link,[],[],,SI-4,mitigates,3 +3975,,T1204.002,Malicious File,[],[],,SI-4,mitigates,3 +3976,,T1204.003,Malicious Image,[],[],,SI-4,mitigates,3 +3977,,T1205,Traffic Signaling,[],[],,SI-4,mitigates,3 +3978,,T1205.001,Port Knocking,[],[],,SI-4,mitigates,3 +3979,,T1210,Exploitation of Remote Services,[],[],,SI-4,mitigates,3 +3980,,T1211,Exploitation for Defense Evasion,[],[],,SI-4,mitigates,3 +3981,,T1212,Exploitation for Credential Access,[],[],,SI-4,mitigates,3 +3982,,T1213,Data from Information Repositories,[],[],,SI-4,mitigates,3 +3983,,T1213.001,Confluence,[],[],,SI-4,mitigates,3 +3984,,T1213.002,Sharepoint,[],[],,SI-4,mitigates,3 +3985,,T1216,Signed Script Proxy Execution,[],[],,SI-4,mitigates,3 +3986,,T1216.001,PubPrn,[],[],,SI-4,mitigates,3 +3987,,T1218,Signed Binary Proxy Execution,[],[],,SI-4,mitigates,3 +3988,,T1218.001,Compiled HTML File,[],[],,SI-4,mitigates,3 +3989,,T1218.002,Control Panel,[],[],,SI-4,mitigates,3 +3990,,T1218.003,CMSTP,[],[],,SI-4,mitigates,3 +3991,,T1218.004,InstallUtil,[],[],,SI-4,mitigates,3 +3992,,T1218.005,Mshta,[],[],,SI-4,mitigates,3 +3993,,T1218.008,Odbcconf,[],[],,SI-4,mitigates,3 +3994,,T1218.009,Regsvcs/Regasm,[],[],,SI-4,mitigates,3 +3995,,T1218.010,Regsvr32,[],[],,SI-4,mitigates,3 +3996,,T1218.011,Rundll32,[],[],,SI-4,mitigates,3 +3997,,T1218.012,Verclsid,[],[],,SI-4,mitigates,3 +3998,,T1219,Remote Access Software,[],[],,SI-4,mitigates,3 +3999,,T1220,XSL Script Processing,[],[],,SI-4,mitigates,3 +4000,,T1221,Template Injection,[],[],,SI-4,mitigates,3 +4001,,T1222,File and Directory Permissions Modification,[],[],,SI-4,mitigates,3 +4002,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-4,mitigates,3 +4003,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-4,mitigates,3 +4004,,T1484,Domain Policy Modification,[],[],,SI-4,mitigates,3 +4005,,T1485,Data Destruction,[],[],,SI-4,mitigates,3 +4006,,T1486,Data Encrypted for Impact,[],[],,SI-4,mitigates,3 
+4007,,T1489,Service Stop,[],[],,SI-4,mitigates,3 +4008,,T1490,Inhibit System Recovery,[],[],,SI-4,mitigates,3 +4009,,T1491,Defacement,[],[],,SI-4,mitigates,3 +4010,,T1491.001,Internal Defacement,[],[],,SI-4,mitigates,3 +4011,,T1491.002,External Defacement,[],[],,SI-4,mitigates,3 +4012,,T1499,Endpoint Denial of Service,[],[],,SI-4,mitigates,3 +4013,,T1499.001,OS Exhaustion Flood,[],[],,SI-4,mitigates,3 +4014,,T1499.002,Service Exhaustion Flood,[],[],,SI-4,mitigates,3 +4015,,T1499.003,Application Exhaustion Flood,[],[],,SI-4,mitigates,3 +4016,,T1499.004,Application or System Exploitation,[],[],,SI-4,mitigates,3 +4017,,T1505,Server Software Component,[],[],,SI-4,mitigates,3 +4018,,T1505.001,SQL Stored Procedures,[],[],,SI-4,mitigates,3 +4019,,T1505.002,Transport Agent,[],[],,SI-4,mitigates,3 +4020,,T1525,Implant Internal Image,[],[],,SI-4,mitigates,3 +4021,,T1528,Steal Application Access Token,[],[],,SI-4,mitigates,3 +4022,,T1530,Data from Cloud Storage Object,[],[],,SI-4,mitigates,3 +4023,,T1537,Transfer Data to Cloud Account,[],[],,SI-4,mitigates,3 +4024,,T1539,Steal Web Session Cookie,[],[],,SI-4,mitigates,3 +4025,,T1542.004,ROMMONkit,[],[],,SI-4,mitigates,3 +4026,,T1542.005,TFTP Boot,[],[],,SI-4,mitigates,3 +4027,,T1543,Create or Modify System Process,[],[],,SI-4,mitigates,3 +4028,,T1543.002,Systemd Service,[],[],,SI-4,mitigates,3 +4029,,T1543.003,Windows Service,[],[],,SI-4,mitigates,3 +4030,,T1546.002,Screensaver,[],[],,SI-4,mitigates,3 +4031,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-4,mitigates,3 +4032,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-4,mitigates,3 +4033,,T1546.008,Accessibility Features,[],[],,SI-4,mitigates,3 +4034,,T1546.013,PowerShell Profile,[],[],,SI-4,mitigates,3 +4035,,T1546.014,Emond,[],[],,SI-4,mitigates,3 +4036,,T1547.002,Authentication Package,[],[],,SI-4,mitigates,3 +4037,,T1547.003,Time Providers,[],[],,SI-4,mitigates,3 +4038,,T1547.004,Winlogon Helper DLL,[],[],,SI-4,mitigates,3 +4039,,T1547.005,Security Support 
Provider,[],[],,SI-4,mitigates,3 +4040,,T1547.006,Kernel Modules and Extensions,[],[],,SI-4,mitigates,3 +4041,,T1547.007,Re-opened Applications,[],[],,SI-4,mitigates,3 +4042,,T1547.008,LSASS Driver,[],[],,SI-4,mitigates,3 +4043,,T1547.009,Shortcut Modification,[],[],,SI-4,mitigates,3 +4044,,T1547.011,Plist Modification,[],[],,SI-4,mitigates,3 +4045,,T1547.012,Print Processors,[],[],,SI-4,mitigates,3 +4046,,T1547.013,XDG Autostart Entries,[],[],,SI-4,mitigates,3 +4047,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-4,mitigates,3 +4048,,T1548.001,Setuid and Setgid,[],[],,SI-4,mitigates,3 +4049,,T1548.002,Bypass User Account Control,[],[],,SI-4,mitigates,3 +4050,,T1548.003,Sudo and Sudo Caching,[],[],,SI-4,mitigates,3 +4051,,T1548.004,Elevated Execution with Prompt,[],[],,SI-4,mitigates,3 +4052,,T1550.001,Application Access Token,[],[],,SI-4,mitigates,3 +4053,,T1550.003,Pass the Ticket,[],[],,SI-4,mitigates,3 +4054,,T1552,Unsecured Credentials,[],[],,SI-4,mitigates,3 +4055,,T1552.001,Credentials In Files,[],[],,SI-4,mitigates,3 +4056,,T1552.002,Credentials in Registry,[],[],,SI-4,mitigates,3 +4057,,T1552.003,Bash History,[],[],,SI-4,mitigates,3 +4058,,T1552.004,Private Keys,[],[],,SI-4,mitigates,3 +4059,,T1552.005,Cloud Instance Metadata API,[],[],,SI-4,mitigates,3 +4060,,T1552.006,Group Policy Preferences,[],[],,SI-4,mitigates,3 +4061,,T1553,Subvert Trust Controls,[],[],,SI-4,mitigates,3 +4062,,T1553.001,Gatekeeper Bypass,[],[],,SI-4,mitigates,3 +4063,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-4,mitigates,3 +4064,,T1553.004,Install Root Certificate,[],[],,SI-4,mitigates,3 +4065,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-4,mitigates,3 +4066,,T1555,Credentials from Password Stores,[],[],,SI-4,mitigates,3 +4067,,T1555.001,Keychain,[],[],,SI-4,mitigates,3 +4068,,T1555.002,Securityd Memory,[],[],,SI-4,mitigates,3 +4069,,T1555.004,Windows Credential Manager,[],[],,SI-4,mitigates,3 +4070,,T1555.005,Password Managers,[],[],,SI-4,mitigates,3 +4071,,T1556,Modify 
Authentication Process,[],[],,SI-4,mitigates,3 +4072,,T1556.001,Domain Controller Authentication,[],[],,SI-4,mitigates,3 +4073,,T1556.002,Password Filter DLL,[],[],,SI-4,mitigates,3 +4074,,T1556.003,Pluggable Authentication Modules,[],[],,SI-4,mitigates,3 +4075,,T1556.004,Network Device Authentication,[],[],,SI-4,mitigates,3 +4076,,T1557,Man-in-the-Middle,[],[],,SI-4,mitigates,3 +4077,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,SI-4,mitigates,3 +4078,,T1557.002,ARP Cache Poisoning,[],[],,SI-4,mitigates,3 +4079,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-4,mitigates,3 +4080,,T1558.002,Silver Ticket,[],[],,SI-4,mitigates,3 +4081,,T1558.003,Kerberoasting,[],[],,SI-4,mitigates,3 +4082,,T1558.004,AS-REP Roasting,[],[],,SI-4,mitigates,3 +4083,,T1559,Inter-Process Communication,[],[],,SI-4,mitigates,3 +4084,,T1559.002,Dynamic Data Exchange,[],[],,SI-4,mitigates,3 +4085,,T1560,Archive Collected Data,[],[],,SI-4,mitigates,3 +4086,,T1560.001,Archive via Utility,[],[],,SI-4,mitigates,3 +4087,,T1561,Disk Wipe,[],[],,SI-4,mitigates,3 +4088,,T1561.001,Disk Content Wipe,[],[],,SI-4,mitigates,3 +4089,,T1561.002,Disk Structure Wipe,[],[],,SI-4,mitigates,3 +4090,,T1562,Impair Defenses,[],[],,SI-4,mitigates,3 +4091,,T1562.001,Disable or Modify Tools,[],[],,SI-4,mitigates,3 +4092,,T1562.002,Disable Windows Event Logging,[],[],,SI-4,mitigates,3 +4093,,T1562.003,Impair Command History Logging,[],[],,SI-4,mitigates,3 +4094,,T1562.004,Disable or Modify System Firewall,[],[],,SI-4,mitigates,3 +4095,,T1562.006,Indicator Blocking,[],[],,SI-4,mitigates,3 +4096,,T1563,Remote Service Session Hijacking,[],[],,SI-4,mitigates,3 +4097,,T1563.001,SSH Hijacking,[],[],,SI-4,mitigates,3 +4098,,T1563.002,RDP Hijacking,[],[],,SI-4,mitigates,3 +4099,,T1564.002,Hidden Users,[],[],,SI-4,mitigates,3 +4100,,T1564.004,NTFS File Attributes,[],[],,SI-4,mitigates,3 +4101,,T1564.006,Run Virtual Instance,[],[],,SI-4,mitigates,3 +4102,,T1564.007,VBA Stomping,[],[],,SI-4,mitigates,3 +4103,,T1565,Data 
Manipulation,[],[],,SI-4,mitigates,3 +4104,,T1565.001,Stored Data Manipulation,[],[],,SI-4,mitigates,3 +4105,,T1565.002,Transmitted Data Manipulation,[],[],,SI-4,mitigates,3 +4106,,T1565.003,Runtime Data Manipulation,[],[],,SI-4,mitigates,3 +4107,,T1566,Phishing,[],[],,SI-4,mitigates,3 +4108,,T1566.001,Spearphishing Attachment,[],[],,SI-4,mitigates,3 +4109,,T1566.002,Spearphishing Link,[],[],,SI-4,mitigates,3 +4110,,T1566.003,Spearphishing via Service,[],[],,SI-4,mitigates,3 +4111,,T1568,Dynamic Resolution,[],[],,SI-4,mitigates,3 +4112,,T1568.002,Domain Generation Algorithms,[],[],,SI-4,mitigates,3 +4113,,T1569,System Services,[],[],,SI-4,mitigates,3 +4114,,T1569.002,Service Execution,[],[],,SI-4,mitigates,3 +4115,,T1570,Lateral Tool Transfer,[],[],,SI-4,mitigates,3 +4116,,T1571,Non-Standard Port,[],[],,SI-4,mitigates,3 +4117,,T1572,Protocol Tunneling,[],[],,SI-4,mitigates,3 +4118,,T1573,Encrypted Channel,[],[],,SI-4,mitigates,3 +4119,,T1573.001,Symmetric Cryptography,[],[],,SI-4,mitigates,3 +4120,,T1573.002,Asymmetric Cryptography,[],[],,SI-4,mitigates,3 +4121,,T1574,Hijack Execution Flow,[],[],,SI-4,mitigates,3 +4122,,T1574.001,DLL Search Order Hijacking,[],[],,SI-4,mitigates,3 +4123,,T1574.004,Dylib Hijacking,[],[],,SI-4,mitigates,3 +4124,,T1574.005,Executable Installer File Permissions Weakness,[],[],,SI-4,mitigates,3 +4125,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-4,mitigates,3 +4126,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-4,mitigates,3 +4127,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-4,mitigates,3 +4128,,T1574.010,Services File Permissions Weakness,[],[],,SI-4,mitigates,3 +4129,,T1578,Modify Cloud Compute Infrastructure,[],[],,SI-4,mitigates,3 +4130,,T1578.001,Create Snapshot,[],[],,SI-4,mitigates,3 +4131,,T1578.002,Create Cloud Instance,[],[],,SI-4,mitigates,3 +4132,,T1578.003,Delete Cloud Instance,[],[],,SI-4,mitigates,3 +4133,,T1598,Phishing for Information,[],[],,SI-4,mitigates,3 
+4134,,T1598.001,Spearphishing Service,[],[],,SI-4,mitigates,3 +4135,,T1598.002,Spearphishing Attachment,[],[],,SI-4,mitigates,3 +4136,,T1598.003,Spearphishing Link,[],[],,SI-4,mitigates,3 +4137,,T1599,Network Boundary Bridging,[],[],,SI-4,mitigates,3 +4138,,T1599.001,Network Address Translation Traversal,[],[],,SI-4,mitigates,3 +4139,,T1601,Modify System Image,[],[],,SI-4,mitigates,3 +4140,,T1601.001,Patch System Image,[],[],,SI-4,mitigates,3 +4141,,T1601.002,Downgrade System Image,[],[],,SI-4,mitigates,3 +4142,,T1602,Data from Configuration Repository,[],[],,SI-4,mitigates,3 +4143,,T1602.001,SNMP (MIB Dump),[],[],,SI-4,mitigates,3 +4144,,T1602.002,Network Device Configuration Dump,[],[],,SI-4,mitigates,3 +4145,,T1610,Deploy Container,[],[],,SI-4,mitigates,3 +4146,,T1611,Escape to Host,[],[],,SI-4,mitigates,3 +4147,,T1612,Build Image on Host,[],[],,SI-4,mitigates,3 +4148,,T1613,Container and Resource Discovery,[],[],,SI-4,mitigates,3 +4149,,T1068,Exploitation for Privilege Escalation,[],[],,SI-5,mitigates,3 +4150,,T1210,Exploitation of Remote Services,[],[],,SI-5,mitigates,3 +4151,,T1211,Exploitation for Defense Evasion,[],[],,SI-5,mitigates,3 +4152,,T1212,Exploitation for Credential Access,[],[],,SI-5,mitigates,3 +4153,,T1003,OS Credential Dumping,[],[],,SI-7,mitigates,3 +4154,,T1003.003,NTDS,[],[],,SI-7,mitigates,3 +4155,,T1020.001,Traffic Duplication,[],[],,SI-7,mitigates,3 +4156,,T1027,Obfuscated Files or Information,[],[],,SI-7,mitigates,3 +4157,,T1027.002,Software Packing,[],[],,SI-7,mitigates,3 +4158,,T1036,Masquerading,[],[],,SI-7,mitigates,3 +4159,,T1036.001,Invalid Code Signature,[],[],,SI-7,mitigates,3 +4160,,T1036.005,Match Legitimate Name or Location,[],[],,SI-7,mitigates,3 +4161,,T1037,Boot or Logon Initialization Scripts,[],[],,SI-7,mitigates,3 +4162,,T1037.002,Logon Script (Mac),[],[],,SI-7,mitigates,3 +4163,,T1037.003,Network Logon Script,[],[],,SI-7,mitigates,3 +4164,,T1037.004,RC Scripts,[],[],,SI-7,mitigates,3 +4165,,T1037.005,Startup 
Items,[],[],,SI-7,mitigates,3 +4166,,T1040,Network Sniffing,[],[],,SI-7,mitigates,3 +4167,,T1053.006,Systemd Timers,[],[],,SI-7,mitigates,3 +4168,,T1056.002,GUI Input Capture,[],[],,SI-7,mitigates,3 +4169,,T1059,Command and Scripting Interpreter,[],[],,SI-7,mitigates,3 +4170,,T1059.001,PowerShell,[],[],,SI-7,mitigates,3 +4171,,T1059.002,AppleScript,[],[],,SI-7,mitigates,3 +4172,,T1059.003,Windows Command Shell,[],[],,SI-7,mitigates,3 +4173,,T1059.004,Unix Shell,[],[],,SI-7,mitigates,3 +4174,,T1059.005,Visual Basic,[],[],,SI-7,mitigates,3 +4175,,T1059.006,Python,[],[],,SI-7,mitigates,3 +4176,,T1059.007,JavaScript,[],[],,SI-7,mitigates,3 +4177,,T1059.008,Network Device CLI,[],[],,SI-7,mitigates,3 +4178,,T1068,Exploitation for Privilege Escalation,[],[],,SI-7,mitigates,3 +4179,,T1070,Indicator Removal on Host,[],[],,SI-7,mitigates,3 +4180,,T1070.001,Clear Windows Event Logs,[],[],,SI-7,mitigates,3 +4181,,T1070.002,Clear Linux or Mac System Logs,[],[],,SI-7,mitigates,3 +4182,,T1070.003,Clear Command History,[],[],,SI-7,mitigates,3 +4183,,T1072,Software Deployment Tools,[],[],,SI-7,mitigates,3 +4184,,T1080,Taint Shared Content,[],[],,SI-7,mitigates,3 +4185,,T1098.001,Additional Cloud Credentials,[],[],,SI-7,mitigates,3 +4186,,T1098.002,Exchange Email Delegate Permissions,[],[],,SI-7,mitigates,3 +4187,,T1098.003,Add Office 365 Global Administrator Role,[],[],,SI-7,mitigates,3 +4188,,T1114,Email Collection,[],[],,SI-7,mitigates,3 +4189,,T1114.001,Local Email Collection,[],[],,SI-7,mitigates,3 +4190,,T1114.002,Remote Email Collection,[],[],,SI-7,mitigates,3 +4191,,T1114.003,Email Forwarding Rule,[],[],,SI-7,mitigates,3 +4192,,T1119,Automated Collection,[],[],,SI-7,mitigates,3 +4193,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,SI-7,mitigates,3 +4194,,T1129,Shared Modules,[],[],,SI-7,mitigates,3 +4195,,T1133,External Remote Services,[],[],,SI-7,mitigates,3 +4196,,T1136,Create Account,[],[],,SI-7,mitigates,3 +4197,,T1136.001,Local Account,[],[],,SI-7,mitigates,3 
+4198,,T1136.002,Domain Account,[],[],,SI-7,mitigates,3 +4199,,T1136.003,Cloud Account,[],[],,SI-7,mitigates,3 +4200,,T1176,Browser Extensions,[],[],,SI-7,mitigates,3 +4201,,T1185,Man in the Browser,[],[],,SI-7,mitigates,3 +4202,,T1189,Drive-by Compromise,[],[],,SI-7,mitigates,3 +4203,,T1190,Exploit Public-Facing Application,[],[],,SI-7,mitigates,3 +4204,,T1195.003,Compromise Hardware Supply Chain,[],[],,SI-7,mitigates,3 +4205,,T1203,Exploitation for Client Execution,[],[],,SI-7,mitigates,3 +4206,,T1204,User Execution,[],[],,SI-7,mitigates,3 +4207,,T1204.002,Malicious File,[],[],,SI-7,mitigates,3 +4208,,T1204.003,Malicious Image,[],[],,SI-7,mitigates,3 +4209,,T1210,Exploitation of Remote Services,[],[],,SI-7,mitigates,3 +4210,,T1211,Exploitation for Defense Evasion,[],[],,SI-7,mitigates,3 +4211,,T1212,Exploitation for Credential Access,[],[],,SI-7,mitigates,3 +4212,,T1213,Data from Information Repositories,[],[],,SI-7,mitigates,3 +4213,,T1213.001,Confluence,[],[],,SI-7,mitigates,3 +4214,,T1213.002,Sharepoint,[],[],,SI-7,mitigates,3 +4215,,T1216,Signed Script Proxy Execution,[],[],,SI-7,mitigates,3 +4216,,T1216.001,PubPrn,[],[],,SI-7,mitigates,3 +4217,,T1218,Signed Binary Proxy Execution,[],[],,SI-7,mitigates,3 +4218,,T1218.001,Compiled HTML File,[],[],,SI-7,mitigates,3 +4219,,T1218.002,Control Panel,[],[],,SI-7,mitigates,3 +4220,,T1218.003,CMSTP,[],[],,SI-7,mitigates,3 +4221,,T1218.004,InstallUtil,[],[],,SI-7,mitigates,3 +4222,,T1218.005,Mshta,[],[],,SI-7,mitigates,3 +4223,,T1218.008,Odbcconf,[],[],,SI-7,mitigates,3 +4224,,T1218.009,Regsvcs/Regasm,[],[],,SI-7,mitigates,3 +4225,,T1218.010,Regsvr32,[],[],,SI-7,mitigates,3 +4226,,T1218.011,Rundll32,[],[],,SI-7,mitigates,3 +4227,,T1218.012,Verclsid,[],[],,SI-7,mitigates,3 +4228,,T1219,Remote Access Software,[],[],,SI-7,mitigates,3 +4229,,T1220,XSL Script Processing,[],[],,SI-7,mitigates,3 +4230,,T1221,Template Injection,[],[],,SI-7,mitigates,3 +4231,,T1222,File and Directory Permissions 
Modification,[],[],,SI-7,mitigates,3 +4232,,T1222.001,Windows File and Directory Permissions Modification,[],[],,SI-7,mitigates,3 +4233,,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,SI-7,mitigates,3 +4234,,T1485,Data Destruction,[],[],,SI-7,mitigates,3 +4235,,T1486,Data Encrypted for Impact,[],[],,SI-7,mitigates,3 +4236,,T1490,Inhibit System Recovery,[],[],,SI-7,mitigates,3 +4237,,T1491,Defacement,[],[],,SI-7,mitigates,3 +4238,,T1491.001,Internal Defacement,[],[],,SI-7,mitigates,3 +4239,,T1491.002,External Defacement,[],[],,SI-7,mitigates,3 +4240,,T1495,Firmware Corruption,[],[],,SI-7,mitigates,3 +4241,,T1505,Server Software Component,[],[],,SI-7,mitigates,3 +4242,,T1505.001,SQL Stored Procedures,[],[],,SI-7,mitigates,3 +4243,,T1505.002,Transport Agent,[],[],,SI-7,mitigates,3 +4244,,T1525,Implant Internal Image,[],[],,SI-7,mitigates,3 +4245,,T1530,Data from Cloud Storage Object,[],[],,SI-7,mitigates,3 +4246,,T1542,Pre-OS Boot,[],[],,SI-7,mitigates,3 +4247,,T1542.001,System Firmware,[],[],,SI-7,mitigates,3 +4248,,T1542.003,Bootkit,[],[],,SI-7,mitigates,3 +4249,,T1542.004,ROMMONkit,[],[],,SI-7,mitigates,3 +4250,,T1542.005,TFTP Boot,[],[],,SI-7,mitigates,3 +4251,,T1543,Create or Modify System Process,[],[],,SI-7,mitigates,3 +4252,,T1543.002,Systemd Service,[],[],,SI-7,mitigates,3 +4253,,T1546,Event Triggered Execution,[],[],,SI-7,mitigates,3 +4254,,T1546.002,Screensaver,[],[],,SI-7,mitigates,3 +4255,,T1546.004,Unix Shell Configuration Modification,[],[],,SI-7,mitigates,3 +4256,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SI-7,mitigates,3 +4257,,T1546.008,Accessibility Features,[],[],,SI-7,mitigates,3 +4258,,T1546.009,AppCert DLLs,[],[],,SI-7,mitigates,3 +4259,,T1546.010,AppInit DLLs,[],[],,SI-7,mitigates,3 +4260,,T1546.013,PowerShell Profile,[],[],,SI-7,mitigates,3 +4261,,T1547.002,Authentication Package,[],[],,SI-7,mitigates,3 +4262,,T1547.003,Time Providers,[],[],,SI-7,mitigates,3 +4263,,T1547.004,Winlogon Helper DLL,[],[],,SI-7,mitigates,3 
+4264,,T1547.005,Security Support Provider,[],[],,SI-7,mitigates,3 +4265,,T1547.006,Kernel Modules and Extensions,[],[],,SI-7,mitigates,3 +4266,,T1547.008,LSASS Driver,[],[],,SI-7,mitigates,3 +4267,,T1547.011,Plist Modification,[],[],,SI-7,mitigates,3 +4268,,T1547.013,XDG Autostart Entries,[],[],,SI-7,mitigates,3 +4269,,T1548,Abuse Elevation Control Mechanism,[],[],,SI-7,mitigates,3 +4270,,T1548.004,Elevated Execution with Prompt,[],[],,SI-7,mitigates,3 +4271,,T1550.001,Application Access Token,[],[],,SI-7,mitigates,3 +4272,,T1550.004,Web Session Cookie,[],[],,SI-7,mitigates,3 +4273,,T1552,Unsecured Credentials,[],[],,SI-7,mitigates,3 +4274,,T1552.004,Private Keys,[],[],,SI-7,mitigates,3 +4275,,T1553,Subvert Trust Controls,[],[],,SI-7,mitigates,3 +4276,,T1553.001,Gatekeeper Bypass,[],[],,SI-7,mitigates,3 +4277,,T1553.003,SIP and Trust Provider Hijacking,[],[],,SI-7,mitigates,3 +4278,,T1553.005,Mark-of-the-Web Bypass,[],[],,SI-7,mitigates,3 +4279,,T1553.006,Code Signing Policy Modification,[],[],,SI-7,mitigates,3 +4280,,T1554,Compromise Client Software Binary,[],[],,SI-7,mitigates,3 +4281,,T1556,Modify Authentication Process,[],[],,SI-7,mitigates,3 +4282,,T1556.001,Domain Controller Authentication,[],[],,SI-7,mitigates,3 +4283,,T1556.003,Pluggable Authentication Modules,[],[],,SI-7,mitigates,3 +4284,,T1556.004,Network Device Authentication,[],[],,SI-7,mitigates,3 +4285,,T1557,Man-in-the-Middle,[],[],,SI-7,mitigates,3 +4286,,T1557.002,ARP Cache Poisoning,[],[],,SI-7,mitigates,3 +4287,,T1558,Steal or Forge Kerberos Tickets,[],[],,SI-7,mitigates,3 +4288,,T1558.002,Silver Ticket,[],[],,SI-7,mitigates,3 +4289,,T1558.003,Kerberoasting,[],[],,SI-7,mitigates,3 +4290,,T1558.004,AS-REP Roasting,[],[],,SI-7,mitigates,3 +4291,,T1561,Disk Wipe,[],[],,SI-7,mitigates,3 +4292,,T1561.001,Disk Content Wipe,[],[],,SI-7,mitigates,3 +4293,,T1561.002,Disk Structure Wipe,[],[],,SI-7,mitigates,3 +4294,,T1562,Impair Defenses,[],[],,SI-7,mitigates,3 +4295,,T1562.001,Disable or Modify 
Tools,[],[],,SI-7,mitigates,3 +4296,,T1562.002,Disable Windows Event Logging,[],[],,SI-7,mitigates,3 +4297,,T1562.004,Disable or Modify System Firewall,[],[],,SI-7,mitigates,3 +4298,,T1562.006,Indicator Blocking,[],[],,SI-7,mitigates,3 +4299,,T1564.003,Hidden Window,[],[],,SI-7,mitigates,3 +4300,,T1564.004,NTFS File Attributes,[],[],,SI-7,mitigates,3 +4301,,T1564.006,Run Virtual Instance,[],[],,SI-7,mitigates,3 +4302,,T1565,Data Manipulation,[],[],,SI-7,mitigates,3 +4303,,T1565.001,Stored Data Manipulation,[],[],,SI-7,mitigates,3 +4304,,T1565.002,Transmitted Data Manipulation,[],[],,SI-7,mitigates,3 +4305,,T1569,System Services,[],[],,SI-7,mitigates,3 +4306,,T1569.002,Service Execution,[],[],,SI-7,mitigates,3 +4307,,T1574,Hijack Execution Flow,[],[],,SI-7,mitigates,3 +4308,,T1574.001,DLL Search Order Hijacking,[],[],,SI-7,mitigates,3 +4309,,T1574.004,Dylib Hijacking,[],[],,SI-7,mitigates,3 +4310,,T1574.006,Dynamic Linker Hijacking,[],[],,SI-7,mitigates,3 +4311,,T1574.007,Path Interception by PATH Environment Variable,[],[],,SI-7,mitigates,3 +4312,,T1574.008,Path Interception by Search Order Hijacking,[],[],,SI-7,mitigates,3 +4313,,T1574.009,Path Interception by Unquoted Path,[],[],,SI-7,mitigates,3 +4314,,T1574.012,COR_PROFILER,[],[],,SI-7,mitigates,3 +4315,,T1599,Network Boundary Bridging,[],[],,SI-7,mitigates,3 +4316,,T1599.001,Network Address Translation Traversal,[],[],,SI-7,mitigates,3 +4317,,T1601,Modify System Image,[],[],,SI-7,mitigates,3 +4318,,T1601.001,Patch System Image,[],[],,SI-7,mitigates,3 +4319,,T1601.002,Downgrade System Image,[],[],,SI-7,mitigates,3 +4320,,T1602,Data from Configuration Repository,[],[],,SI-7,mitigates,3 +4321,,T1602.001,SNMP (MIB Dump),[],[],,SI-7,mitigates,3 +4322,,T1602.002,Network Device Configuration Dump,[],[],,SI-7,mitigates,3 +4323,,T1609,Container Administration Command,[],[],,SI-7,mitigates,3 +4324,,T1611,Escape to Host,[],[],,SI-7,mitigates,3 +4325,,T1204,User Execution,[],[],,SI-8,mitigates,3 +4326,,T1204.001,Malicious 
Link,[],[],,SI-8,mitigates,3 +4327,,T1204.002,Malicious File,[],[],,SI-8,mitigates,3 +4328,,T1204.003,Malicious Image,[],[],,SI-8,mitigates,3 +4329,,T1221,Template Injection,[],[],,SI-8,mitigates,3 +4330,,T1566,Phishing,[],[],,SI-8,mitigates,3 +4331,,T1566.001,Spearphishing Attachment,[],[],,SI-8,mitigates,3 +4332,,T1566.002,Spearphishing Link,[],[],,SI-8,mitigates,3 +4333,,T1566.003,Spearphishing via Service,[],[],,SI-8,mitigates,3 +4334,,T1598,Phishing for Information,[],[],,SI-8,mitigates,3 +4335,,T1598.001,Spearphishing Service,[],[],,SI-8,mitigates,3 +4336,,T1598.002,Spearphishing Attachment,[],[],,SI-8,mitigates,3 +4337,,T1598.003,Spearphishing Link,[],[],,SI-8,mitigates,3 +4338,,T1059.002,AppleScript,[],[],,SR-11,mitigates,3 +4339,,T1204.003,Malicious Image,[],[],,SR-11,mitigates,3 +4340,,T1505,Server Software Component,[],[],,SR-11,mitigates,3 +4341,,T1505.001,SQL Stored Procedures,[],[],,SR-11,mitigates,3 +4342,,T1505.002,Transport Agent,[],[],,SR-11,mitigates,3 +4343,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-11,mitigates,3 +4344,,T1554,Compromise Client Software Binary,[],[],,SR-11,mitigates,3 +4345,,T1601,Modify System Image,[],[],,SR-11,mitigates,3 +4346,,T1601.001,Patch System Image,[],[],,SR-11,mitigates,3 +4347,,T1601.002,Downgrade System Image,[],[],,SR-11,mitigates,3 +4348,,T1059.002,AppleScript,[],[],,SR-4,mitigates,3 +4349,,T1204.003,Malicious Image,[],[],,SR-4,mitigates,3 +4350,,T1505,Server Software Component,[],[],,SR-4,mitigates,3 +4351,,T1505.001,SQL Stored Procedures,[],[],,SR-4,mitigates,3 +4352,,T1505.002,Transport Agent,[],[],,SR-4,mitigates,3 +4353,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-4,mitigates,3 +4354,,T1554,Compromise Client Software Binary,[],[],,SR-4,mitigates,3 +4355,,T1601,Modify System Image,[],[],,SR-4,mitigates,3 +4356,,T1601.001,Patch System Image,[],[],,SR-4,mitigates,3 +4357,,T1601.002,Downgrade System Image,[],[],,SR-4,mitigates,3 +4358,,T1059.002,AppleScript,[],[],,SR-5,mitigates,3 +4359,,T1204.003,Malicious 
Image,[],[],,SR-5,mitigates,3 +4360,,T1505,Server Software Component,[],[],,SR-5,mitigates,3 +4361,,T1505.001,SQL Stored Procedures,[],[],,SR-5,mitigates,3 +4362,,T1505.002,Transport Agent,[],[],,SR-5,mitigates,3 +4363,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-5,mitigates,3 +4364,,T1554,Compromise Client Software Binary,[],[],,SR-5,mitigates,3 +4365,,T1601,Modify System Image,[],[],,SR-5,mitigates,3 +4366,,T1601.001,Patch System Image,[],[],,SR-5,mitigates,3 +4367,,T1601.002,Downgrade System Image,[],[],,SR-5,mitigates,3 +4368,,T1059.002,AppleScript,[],[],,SR-6,mitigates,3 +4369,,T1204.003,Malicious Image,[],[],,SR-6,mitigates,3 +4370,,T1505,Server Software Component,[],[],,SR-6,mitigates,3 +4371,,T1505.001,SQL Stored Procedures,[],[],,SR-6,mitigates,3 +4372,,T1505.002,Transport Agent,[],[],,SR-6,mitigates,3 +4373,,T1546.006,LC_LOAD_DYLIB Addition,[],[],,SR-6,mitigates,3 +4374,,T1554,Compromise Client Software Binary,[],[],,SR-6,mitigates,3 +4375,,T1601,Modify System Image,[],[],,SR-6,mitigates,3 +4376,,T1601.001,Patch System Image,[],[],,SR-6,mitigates,3 +4377,,T1601.002,Downgrade System Image,[],[],,SR-6,mitigates,3 diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_metadata.csv new file mode 100644 index 00000000..804244e8 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,r5,9.0,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,3 
diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_metadata_object.csv b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_metadata_object.csv
new file mode 100644
index 00000000..804244e8
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_metadata_object.csv
@@ -0,0 +1,2 @@
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,r5,9.0,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,3
diff --git a/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_navigator_layer.json
index 0c3804bd..05ec9793 100644
--- a/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_navigator_layer.json
+++ b/src/mappings_explorer/cli/mapex/nist_files/9.0/r5/parsed_nist800-53-r5-9.0_mappings_navigator_layer.json
@@ -1 +1 @@ -{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "9.0"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 9, "comment": "Related to Concurrent Session Control, Remote Access, Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1137.002", "score": 6, "comment": "Related to Concurrent Session Control, Permitted Actions Without Identification or Authentication, Remote Access, Least Privilege, Baseline Configuration, Access Restrictions for Change"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to Concurrent Session Control, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, System Monitoring"}, {"techniqueID": "T1021.001", "score": 24, "comment": "Related to Device Lock, Session Termination, Remote Access, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Authentication Feedback, Vulnerability 
Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1563.002", "score": 18, "comment": "Related to Device Lock, Session Termination, Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1072", "score": 24, "comment": "Related to Session Termination, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Key Establishment and Management, Public Key Infrastructure Certificates, Cross Domain Policy Enforcement, Boundary Protection, Flaw Remediation, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1003", "score": 21, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Backup, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, 
{"techniqueID": "T1003.003", "score": 18, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Backup, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1020.001", "score": 12, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Information in Shared System Resources, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, 
and Information Integrity"}, {"techniqueID": "T1070.001", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.002", "score": 21, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Information Management and Retention, System Monitoring, 
Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1114.003", "score": 9, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Information Flow Enforcement, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1119", "score": 17, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Alternate Storage Site, Alternate Processing Site, System Backup, Distributed Processing and Storage, Information in Shared System Resources, Information Management and Retention, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability 
Monitoring and Scanning, Protection of Information at Rest, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Information Sharing, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and 
Information Integrity"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Authentication Feedback, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Input Validation, Information Management and Retention, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to Security and Privacy Attributes, Remote Access, Account Management, Use of External Systems, Access Enforcement, 
Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Identification and Authentication (non-organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1547.011", "score": 12, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Non-modifiable Executable Programs, Information Management and Retention, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to Security and Privacy Attributes, Account Management, Access Enforcement, Separation of Duties, 
Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to Security and Privacy Attributes, Remote Access, Access Control for Mobile Devices, Use of External Systems, Penetration Testing, Software Usage Restrictions, User-installed Software, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Protection of Information at Rest, Transmission Confidentiality and Integrity, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552", "score": 33, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Input Validation, Information Management and Retention, Information Output Filtering, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control 
for Mobile Devices, Account Management, Use of External Systems, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to Security and Privacy Attributes, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Device Identification and Authentication, Identifier Management, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1557", "score": 24, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Session Authenticity, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1557.002", "score": 22, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow 
Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration 
Settings, Identification and Authentication (organizational Users), Authenticator Management, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Account Management, Access Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Information in Shared System Resources, Information Management and Retention, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to Security and Privacy Attributes, Access Enforcement, Continuous Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565", "score": 26, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, System Recovery and Reconstitution, Alternate Storage Site, Alternate Processing Site, System Backup, Protection of Information at Rest, Distributed Processing and Storage, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Information Management and Retention, Memory Protection, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.001", "score": 23, "comment": 
"Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, System Recovery and Reconstitution, Alternate Storage Site, Alternate Processing Site, System Backup, Protection of Information at Rest, Distributed Processing and Storage, Information in Shared System Resources, Boundary Protection, Information Management and Retention, Memory Protection, Information Fragmentation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Baseline Configuration, Configuration Settings, System Component Inventory, Information in Shared System Resources, Information Management and Retention, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile 
Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to Security and Privacy Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Systems, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Device Identification and Authentication, Identifier Management, Protection of Information at Rest, Security Function Isolation, Information in Shared System Resources, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Management and Retention, Information Output Filtering, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, 
Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1021.003", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Cross Domain Policy Enforcement, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to Remote Access, Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1021.006", "score": 16, 
"comment": "Related to Remote Access, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to Remote Access, Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to Remote Access, Least Functionality"}, {"techniqueID": "T1047", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1133", "score": 18, "comment": "Related to Remote Access, Use of External Systems, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System 
Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Unsupported System Components, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to Remote Access, Access Enforcement, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.004", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for 
Change, Identification and Authentication (organizational Users), System Monitoring"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users), System Monitoring"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, System Monitoring"}, {"techniqueID": "T1552.007", "score": 14, "comment": "Related to Remote Access, Account Management, Data Mining Protection, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity"}, {"techniqueID": "T1563", "score": 19, "comment": "Related to Remote Access, Account Management, Access Enforcement, 
Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to Remote Access, Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Cryptographic Key Establishment and Management, Session Authenticity, System Monitoring"}, {"techniqueID": "T1609", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, System Monitoring"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Boundary Protection, System Monitoring"}, {"techniqueID": "T1613", "score": 10, "comment": "Related to Remote Access, Account Management, Access Enforcement, Least Privilege, Configuration Settings, Least 
Functionality, Identification and Authentication (organizational Users), Usage Restrictions, Boundary Protection, System Monitoring"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to Wireless Access, Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to Wireless Access, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to Account Management, 
Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Process Isolation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service 
Identification and Authentication, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1053", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Identification and Authentication (non-organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and 
Scanning, System Monitoring"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.004", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1053.006", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Identification and Authentication (organizational Users), System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1053.007", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Boundary 
Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1059", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.001", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.008", "score": 11, "comment": "Related to 
Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1068", "score": 25, "comment": "Related to Account Management, Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1078", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, Security and Privacy Architectures, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, Supply Chain Protection, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and 
Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Continuous Monitoring, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.002", "score": 12, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1078.003", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification and Authentication (organizational Users), Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1078.004", "score": 22, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identity Proofing, Identification 
and Authentication (organizational Users), Authenticator Management, Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Protection of Information at Rest, System Monitoring"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1098", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1098.001", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to Account 
Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1110.004", 
"score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Configuration Settings, Re-authentication, Identification and Authentication (organizational Users), Identifier Management, Authenticator Management, System Monitoring"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1136", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to Account Management, Use of External 
Systems, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.002", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1136.003", "score": 15, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Cross Domain Policy Enforcement, Boundary Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1185", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1190", "score": 29, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Control Assessments, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), 
Identification and Authentication (non-organizational Users), Threat Hunting, Vulnerability Monitoring and Scanning, Security and Privacy Engineering Principles, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1210", "score": 32, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Control Assessments, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users), Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Cross Domain Policy Enforcement, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1212", "score": 24, "comment": "Related to Account Management, Information Flow 
Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218", "score": 15, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1489", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Access Restrictions 
for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Cross Domain Policy Enforcement, Boundary Protection, System Monitoring"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1505", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1505.001", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, System Monitoring, Software, Firmware, and Information Integrity, Component 
Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1505.002", "score": 21, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Developer Configuration Management, Developer Testing and Evaluation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Service Identification and Authentication, Vulnerability Monitoring and Scanning, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users), Identification and Authentication (non-organizational Users)"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational 
Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Configuration Settings, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Cryptographic Module Authentication, Identification and Authentication (non-organizational Users), 
Vulnerability Monitoring and Scanning, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Unsupported System Components, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1543.004", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1546.003", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1547.006", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": 
"T1548.002", "score": 12, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Flaw Remediation"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to Account Management, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Cryptographic Key Establishment and Management, Protection of Information at Rest, Information in Shared System Resources, Boundary Protection, System Monitoring"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to Account Management, Separation of Duties, Least Privilege, Penetration 
Testing, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Vulnerability Monitoring and Scanning, Developer Testing and Evaluation, Development Process, Standards, and Tools, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Process Isolation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Continuous Monitoring, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Process Isolation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to Account Management, Use of External Systems, Access Enforcement, Separation of Duties, Least Privilege, Unsuccessful Logon Attempts, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator 
Management, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management"}, {"techniqueID": "T1559", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Software Usage Restrictions, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1559.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Mobile Code, Security Function Isolation, Boundary Protection, Malicious Code Protection"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Identifier Management, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, 
Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.006", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Transmission Confidentiality and Integrity, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Identification and 
Authentication (organizational Users)"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, User-installed Software, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, User-installed Software, Access Restrictions for Change, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, System 
Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1574.007", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, 
{"techniqueID": "T1574.010", "score": 12, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Identification and Authentication (organizational Users), Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Least Functionality, Identification and Authentication (organizational Users), Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Access Restrictions for 
Change, Identification and Authentication (organizational Users), Identifier Management, Authentication Feedback, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to Account Management, Access Enforcement, Separation of Duties, Least Privilege, Identification and Authentication (organizational Users)"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Continuous Monitoring, Baseline Configuration, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Authenticator Management, Protection of Information at Rest, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1601", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, 
Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1601.001", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1601.002", "score": 26, "comment": "Related to Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Identification and Authentication (organizational Users), Authenticator Management, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1611", "score": 20, "comment": "Related to Account Management, Access 
Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Access Restrictions for Change, Configuration Settings, Least Functionality, Identification and Authentication (organizational Users), Mobile Code, Separation of System and User Functionality, Security Function Isolation, Non-modifiable Executable Programs, Process Isolation, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to Use of External Systems, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Baseline Configuration, Configuration Settings, Developer Testing and Evaluation, Developer Security and Privacy Architecture and Design, Acquisition Process, Security and Privacy Engineering Principles, Security Function Isolation"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to Use of External Systems, Access Enforcement, Least Privilege, Media Use, Port and I/O Device Access"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to Use of External Systems, Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Use of External Systems, Information Flow Enforcement, Boundary Protection"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, 
Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1048", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1048.001", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1048.002", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1048.003", "score": 12, 
"comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1052", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1052.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Mobile Code, Boundary Protection, Memory Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Least Functionality, Information in Shared System Resources, Boundary 
Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Port and I/O Device Access, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to Access Enforcement, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Cryptographic Key Establishment and Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output 
Filtering, System Monitoring"}, {"techniqueID": "T1199", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Least Privilege, System Use Notification, Configuration Settings, Least Functionality, Cross Domain Policy Enforcement, Boundary Protection"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1218.002", "score": 9, "comment": "Related to Access Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.012", "score": 13, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and 
Reconstitution, Contingency Plan, Alternate Storage Site, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, Configuration Settings, Least Functionality, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, 
Information Output Filtering"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, System Monitoring"}, {"techniqueID": "T1542.004", "score": 20, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System 
Component Inventory, Cryptographic Module Authentication, Vulnerability Monitoring and Scanning, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Boundary Protection, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Session Authenticity, Cross Domain Policy Enforcement, Boundary Protection, Transmission Confidentiality and Integrity, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, 
Firmware, and Information Integrity"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to Access Enforcement, Least Privilege, Baseline Configuration, System Recovery and Reconstitution, Contingency Plan, Alternate Processing Site, System Backup, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1565.003", "score": 12, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Configuration Settings, Least Functionality, System Backup, Protection of Information at Rest, Information in Shared System Resources, Cross Domain Policy Enforcement, Boundary Protection, Memory Protection, System Monitoring"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to Access Enforcement, Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Information Input Validation, Information Output Filtering, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to 
Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1041", "score": 5, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1046", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Cross Domain Policy Enforcement, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, 
Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Network Disconnect, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Session Authenticity, Covert Channel Analysis, Out-of-band 
Channels, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, 
Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Baseline Configuration, Configuration Settings, System Component Inventory, Unsupported System Components, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, System Component Inventory, Mobile Code, Separation of System and User Functionality, Heterogeneity, Security Function Isolation, Concealment and Misdirection, Process Isolation, Boundary Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information 
Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Detonation Chambers, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1204.003", "score": 18, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1211", "score": 23, "comment": "Related to Information Flow Enforcement, Least Privilege, Continuous Monitoring, Penetration Testing, Baseline Configuration, Configuration Settings, System Component Inventory, Threat Hunting, Vulnerability Monitoring and Scanning, Mobile Code, Separation of System and User Functionality, Decoys, Heterogeneity, Security Function Isolation, Concealment and Misdirection, External Malicious Code Identification, Process Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Security Alerts, Advisories, and Directives, Software, Firmware, and 
Information Integrity"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to Information Flow Enforcement, Penetration Testing, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Developer Security and Privacy Architecture and Design, Security and Privacy Engineering Principles, Cross Domain Policy Enforcement, Boundary Protection"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to Information Flow Enforcement, Least Privilege, Software Usage Restrictions, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Security Function Isolation, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.001", "score": 12, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1566.003", "score": 8, 
"comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Secure Name/address Resolution Service (authoritative Source), Secure Name/address Resolution Service (recursive or Caching Resolver), Architecture and Provisioning for Name/address Resolution Service, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1573.002", 
"score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, Cryptographic Key Establishment and Management, Transmission of Security and Privacy Attributes, Session Authenticity, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to Information Flow Enforcement, Continuous Monitoring, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Secure Name/address Resolution Service (authoritative Source), Detonation Chambers, Boundary Protection, Malicious Code Protection, System Monitoring, Spam Protection"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, 
Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to Least Privilege, Mobile Code, Boundary Protection, Flaw Remediation, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1059.006", "score": 10, "comment": "Related to Least Privilege, User-installed Software, Configuration Change Control, Access Restrictions for Change, Least Functionality, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Least Privilege, Least Functionality"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to Least Privilege, Continuous Monitoring, Penetration Testing, User-installed Software, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, 
Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Boundary Protection, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to Least Privilege, Flaw Remediation"}, {"techniqueID": "T1553", "score": 19, "comment": "Related to Least Privilege, Penetration Testing, Software Usage Restrictions, Baseline Configuration, Configuration Change Control, Access Restrictions for Change, Configuration Settings, Least Functionality, System Component Inventory, Cryptographic Module Authentication, Service Identification and Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Information Input Validation, Flaw Remediation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.006", "score": 13, "comment": "Related to Least Privilege, Penetration Testing, Configuration Change Control, Access Restrictions for Change, Least Functionality, System Component Inventory, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to Least Privilege, Access Restrictions for Change"}, {"techniqueID": "T1195", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1195.001", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, 
Flaw Remediation"}, {"techniqueID": "T1195.002", "score": 8, "comment": "Related to Control Assessments, Continuous Monitoring, User-installed Software, Least Functionality, Threat Hunting, Vulnerability Monitoring and Scanning, Unsupported System Components, Flaw Remediation"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to Continuous Monitoring, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to Continuous Monitoring, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to Continuous Monitoring, Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Detonation Chambers, Boundary Protection, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Spam Protection"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1555.002", "score": 
3, "comment": "Related to Continuous Monitoring, Authenticator Management, System Monitoring"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to Penetration Testing, Configuration Change Control, Access Restrictions for Change, System Component Inventory, Cryptographic Module Authentication, Criticality Analysis, Developer Configuration Management, Developer Testing and Evaluation, Non-modifiable Executable Programs, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1554", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Monitoring and Scanning, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to Penetration Testing, Vulnerability Monitoring and Scanning, Boundary Protection, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to Penetration Testing, Baseline Configuration, Configuration Settings, Least Functionality, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to Software Usage Restrictions, Configuration Settings, Least Functionality, Service Identification and Authentication, Secure Name/address Resolution Service 
(authoritative Source), System Monitoring"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification and Authentication, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.002", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Service Identification and Authentication, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1059.005", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.007", "score": 10, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Mobile Code, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Media Use, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1127.001", "score": 5, "comment": "Related to Baseline Configuration, 
Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, System Monitoring"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1137.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1137.003", "score": 2, "comment": "Related to Baseline Configuration, Flaw Remediation"}, {"techniqueID": "T1137.004", "score": 2, "comment": "Related to Baseline Configuration, Flaw Remediation"}, {"techniqueID": "T1137.005", "score": 2, "comment": "Related to Baseline Configuration, Flaw Remediation"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.001", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Mobile Code, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.003", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.004", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, 
System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.005", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.008", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1218.009", "score": 8, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Service Identification and Authentication, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Vulnerability Monitoring and Scanning, Information Input Validation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.006", "score": 14, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Service Identification and 
Authentication, Information Input Validation, Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity, Component Authenticity, Provenance, Acquisition Strategies, Tools, and Methods, Supplier Assessments and Reviews"}, {"techniqueID": "T1546.010", "score": 5, "comment": "Related to Baseline Configuration, Least Functionality, Information Input Validation, Flaw Remediation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1546.014", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, Vulnerability Monitoring and Scanning, Malicious Code Protection, System Monitoring"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Vulnerability Monitoring and Scanning, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Mobile Code, Non-modifiable Executable Programs, Information Management and Retention, Memory Protection, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, Authenticator Management, System Monitoring"}, {"techniqueID": 
"T1555.005", "score": 6, "comment": "Related to Baseline Configuration, Configuration Settings, Identification and Authentication (organizational Users), Authenticator Management, Flaw Remediation, System Monitoring"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to Baseline Configuration, Configuration Settings, Least Functionality, System Component Inventory, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to Baseline Configuration, Configuration Settings, System Component Inventory, System Monitoring"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to Configuration Settings, Process Isolation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Protection of Information at Rest, System 
Monitoring"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to Configuration Settings, Least Functionality, System Monitoring"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to Configuration Settings, Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.003", "score": 4, "comment": "Related to Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1059.004", "score": 4, "comment": "Related to Least Functionality, Information Input Validation, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to Least Functionality"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to Least Functionality, Information Input Validation, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to Developer Configuration Management, Developer Testing and Evaluation, Development Process, Standards, and Tools, Developer-provided Training, Developer Security and Privacy Architecture and Design, System Development Life Cycle, Acquisition Process, Security and Privacy Engineering Principles, Flaw Remediation"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to Session Authenticity"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to Session Authenticity, Transmission Confidentiality and Integrity, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to Transmission Confidentiality and Integrity"}, 
{"techniqueID": "T1027", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to Flaw Remediation, Malicious Code Protection, System Monitoring, Software, Firmware, and Information Integrity"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file +{"name": "nist overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "9.0"}, "sorting": 3, "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1137", "score": 9, "comment": "Related to AC-10, AC-17, CM-2, CM-6, CM-8, RA-5, SI-2, SI-3, SI-4"}, {"techniqueID": "T1137.002", "score": 6, "comment": "Related to AC-10, AC-14, AC-17, AC-6, CM-2, CM-5"}, {"techniqueID": "T1528", "score": 19, "comment": "Related to AC-10, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, RA-5, SA-11, SA-15, SI-4"}, {"techniqueID": "T1021.001", "score": 24, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-5, IA-6, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1563.002", "score": 18, "comment": "Related to AC-11, AC-12, AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1072", "score": 24, "comment": "Related to AC-12, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, SC-12, SC-17, SC-46, SC-7, SI-2, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CP-9, IA-2, IA-4, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1003.003", "score": 18, "comment": "Related to AC-16, AC-2, 
AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CP-9, IA-2, IA-5, SC-28, SC-39, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1020.001", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1040", "score": 11, "comment": "Related to AC-16, AC-17, AC-18, AC-19, IA-2, IA-5, SC-4, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": "T1070", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.001", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1070.002", "score": 21, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-3, SI-4, SI-7"}, {"techniqueID": "T1114", "score": 14, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.001", "score": 8, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.002", "score": 13, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-3, AC-4, CM-2, CM-6, IA-2, IA-5, SI-12, SI-4, SI-7"}, {"techniqueID": "T1114.003", "score": 9, "comment": "Related to AC-16, AC-17, AC-19, AC-20, AC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1119", "score": 17, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, CP-6, CP-7, CP-9, SC-36, SC-4, SI-12, SI-23, SI-4, SI-7"}, {"techniqueID": "T1213", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.001", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, 
AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1213.002", "score": 24, "comment": "Related to AC-16, AC-17, AC-2, AC-21, AC-23, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SC-28, SI-4, SI-7"}, {"techniqueID": "T1222", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.001", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1222.002", "score": 11, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-2, SI-4, SI-7"}, {"techniqueID": "T1530", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, AC-7, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8, RA-5, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-4, SI-7"}, {"techniqueID": "T1537", "score": 20, "comment": "Related to AC-16, AC-17, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-8, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1547.007", "score": 11, "comment": "Related to AC-16, AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.011", "score": 12, "comment": "Related to AC-16, AC-17, AC-3, AC-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, SI-4, SI-7"}, {"techniqueID": "T1548", "score": 21, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.003", "score": 13, "comment": "Related to AC-16, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1550.001", "score": 16, "comment": "Related to AC-16, AC-17, AC-19, AC-20, CA-8, CM-10, CM-11, CM-2, CM-6, IA-2, IA-4, SC-28, SC-8, SI-12, SI-4, SI-7"}, {"techniqueID": 
"T1552", "score": 33, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-3, IA-4, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-10, SI-12, SI-15, SI-2, SI-4, SI-7"}, {"techniqueID": "T1552.004", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-20, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-12, SI-4, SI-7"}, {"techniqueID": "T1552.005", "score": 13, "comment": "Related to AC-16, AC-20, AC-3, AC-4, CA-7, CM-6, CM-7, IA-3, IA-4, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1557", "score": 24, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-23, SC-4, SC-46, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.002", "score": 22, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.002", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.003", "score": 19, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1558.004", "score": 20, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-2, AC-3, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-4, SI-12, SI-3, SI-4, SI-7"}, {"techniqueID": "T1564.004", "score": 6, "comment": "Related to AC-16, AC-3, CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565", "score": 26, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, 
CA-7, CM-2, CM-6, CM-7, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-46, SC-7, SI-12, SI-16, SI-23, SI-4, SI-7"}, {"techniqueID": "T1565.001", "score": 23, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, CA-7, CM-2, CM-6, CM-8, CP-10, CP-6, CP-7, CP-9, SC-28, SC-36, SC-4, SC-7, SI-12, SI-16, SI-23, SI-4, SI-7"}, {"techniqueID": "T1565.002", "score": 12, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, CM-2, CM-6, CM-8, SC-4, SI-12, SI-4, SI-7"}, {"techniqueID": "T1602", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.001", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1602.002", "score": 25, "comment": "Related to AC-16, AC-17, AC-18, AC-19, AC-20, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, IA-3, IA-4, SC-28, SC-3, SC-4, SC-7, SC-8, SI-10, SI-12, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1021", "score": 12, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1021.002", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1021.003", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-18, SC-3, SC-46, SC-7, SI-3, SI-4"}, {"techniqueID": "T1021.004", "score": 15, "comment": "Related to AC-17, AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, CM-8, IA-2, IA-5, RA-5, SI-4"}, {"techniqueID": "T1021.005", "score": 23, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-7, SI-10, SI-15, 
SI-3, SI-4"}, {"techniqueID": "T1021.006", "score": 16, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1037", "score": 9, "comment": "Related to AC-17, AC-3, CA-7, CM-2, CM-6, CM-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.001", "score": 2, "comment": "Related to AC-17, CM-7"}, {"techniqueID": "T1047", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1133", "score": 18, "comment": "Related to AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1219", "score": 13, "comment": "Related to AC-17, AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543", "score": 21, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.003", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1547.003", "score": 10, "comment": "Related to AC-17, AC-3, AC-4, AC-6, CA-7, CM-2, CM-5, CM-6, SI-4, SI-7"}, {"techniqueID": "T1547.004", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-4, SI-7"}, {"techniqueID": "T1547.009", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.012", "score": 8, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, SI-4"}, {"techniqueID": "T1547.013", "score": 15, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1552.002", "score": 18, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SI-4"}, 
{"techniqueID": "T1552.007", "score": 14, "comment": "Related to AC-17, AC-2, AC-23, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SC-8"}, {"techniqueID": "T1563", "score": 19, "comment": "Related to AC-17, AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-6, RA-5, SC-46, SC-7, SI-4"}, {"techniqueID": "T1563.001", "score": 17, "comment": "Related to AC-17, AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-12, SC-23, SI-4"}, {"techniqueID": "T1609", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, SC-7, SI-10, SI-7"}, {"techniqueID": "T1610", "score": 9, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-7, SI-4"}, {"techniqueID": "T1612", "score": 11, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CA-8, CM-6, CM-7, RA-5, SA-11, SC-7, SI-4"}, {"techniqueID": "T1613", "score": 10, "comment": "Related to AC-17, AC-2, AC-3, AC-6, CM-6, CM-7, IA-2, SC-43, SC-7, SI-4"}, {"techniqueID": "T1011", "score": 4, "comment": "Related to AC-18, CM-6, CM-7, SI-4"}, {"techniqueID": "T1011.001", "score": 8, "comment": "Related to AC-18, CM-2, CM-6, CM-7, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1003.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.002", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.004", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.005", "score": 17, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.006", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-4, IA-5, SC-28, SC-39, 
SI-3, SI-4"}, {"techniqueID": "T1003.007", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1003.008", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SC-28, SC-39, SI-3, SI-4"}, {"techniqueID": "T1036", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1036.003", "score": 8, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1036.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, IA-9, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1053", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, IA-8, RA-5, SI-4"}, {"techniqueID": "T1053.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.002", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.003", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.004", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, RA-5, SI-4"}, {"techniqueID": "T1053.005", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-4, RA-5, SI-4"}, {"techniqueID": "T1053.006", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, IA-2, SI-4, SI-7"}, {"techniqueID": "T1053.007", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2, IA-8"}, {"techniqueID": "T1055", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.008", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, 
SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1056.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1059", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, IA-9, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.001", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-8, IA-2, IA-8, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.008", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1068", "score": 25, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1070.003", "score": 10, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1078", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-5, CM-6, IA-12, IA-2, IA-5, PL-8, RA-5, SA-10, SA-11, SA-12, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.001", "score": 14, "comment": "Related to AC-2, AC-5, AC-6, CA-7, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.002", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-12, IA-2, IA-5, SI-4"}, {"techniqueID": "T1078.003", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-5, CM-6, IA-12, IA-2, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1078.004", "score": 22, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-12, IA-2, IA-5, SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SC-28, SI-4"}, {"techniqueID": "T1087.004", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, 
{"techniqueID": "T1098", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SI-4"}, {"techniqueID": "T1098.001", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1098.002", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1098.003", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1110", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.002", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.003", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1110.004", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-6, IA-11, IA-2, IA-4, IA-5, SI-4"}, {"techniqueID": "T1134", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.002", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1134.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1136", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.001", "score": 11, "comment": "Related to AC-2, AC-20, AC-3, AC-5, 
AC-6, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1136.002", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1136.003", "score": 15, "comment": "Related to AC-2, AC-20, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, IA-5, SC-46, SC-7, SI-4, SI-7"}, {"techniqueID": "T1185", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1190", "score": 29, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-10, RA-5, SA-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-46, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1197", "score": 14, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1210", "score": 32, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-2, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, IA-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-46, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1212", "score": 24, "comment": "Related to AC-2, AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1218", "score": 15, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.007", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, CM-7, IA-2"}, {"techniqueID": "T1484", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, RA-5, SI-4"}, {"techniqueID": "T1489", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-5, CM-6, CM-7, IA-2, SC-46, SC-7, SI-4"}, {"techniqueID": "T1495", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, 
AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, RA-9, SA-10, SA-11, SI-2, SI-7"}, {"techniqueID": "T1505", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1505.001", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1505.002", "score": 21, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-11, CM-2, CM-5, CM-6, CM-8, IA-2, IA-9, RA-5, SA-10, SA-11, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1525", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-9, RA-5, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1538", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2, IA-8"}, {"techniqueID": "T1542", "score": 19, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-7"}, {"techniqueID": "T1542.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.003", "score": 18, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-3, CM-5, CM-6, CM-8, IA-2, IA-7, IA-8, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1542.005", "score": 24, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-7, IA-8, RA-5, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1543.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1543.002", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-3, CM-5, CM-6, IA-2, SA-22, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1543.004", "score": 7, 
"comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1546.003", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1547.006", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.002", "score": 12, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-2, SI-4"}, {"techniqueID": "T1550", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2"}, {"techniqueID": "T1550.002", "score": 8, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-6, IA-2, SI-2"}, {"techniqueID": "T1550.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4"}, {"techniqueID": "T1552.001", "score": 18, "comment": "Related to AC-2, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SC-12, SC-28, SC-4, SC-7, SI-4"}, {"techniqueID": "T1552.006", "score": 13, "comment": "Related to AC-2, AC-5, AC-6, CA-8, CM-2, CM-6, IA-2, IA-5, RA-5, SA-11, SA-15, SI-2, SI-4"}, {"techniqueID": "T1556", "score": 16, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.001", "score": 14, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CA-7, CM-5, CM-6, IA-2, IA-5, SC-39, SI-4, SI-7"}, {"techniqueID": "T1556.003", "score": 12, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1556.004", "score": 13, "comment": "Related to AC-2, AC-20, AC-3, AC-5, AC-6, AC-7, CM-2, CM-5, CM-6, IA-2, IA-5, SI-4, SI-7"}, {"techniqueID": "T1558.001", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, IA-5"}, {"techniqueID": "T1559", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-10, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, 
SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1559.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-2, CM-5, CM-6, IA-2, SC-18, SC-3, SC-7, SI-3"}, {"techniqueID": "T1562", "score": 16, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, IA-2, IA-4, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.001", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.006", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, IA-2, SC-8, SI-3, SI-4, SI-7"}, {"techniqueID": "T1562.007", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1562.008", "score": 6, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, IA-2"}, {"techniqueID": "T1569", "score": 14, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-11, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1569.001", "score": 7, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-11, CM-5, IA-2"}, {"techniqueID": "T1569.002", "score": 13, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574", "score": 19, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-5, CM-6, CM-7, CM-8, IA-2, RA-5, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.004", "score": 13, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-6, CM-8, RA-5, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.005", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, 
{"techniqueID": "T1574.007", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.008", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.009", "score": 16, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CA-8, CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1574.010", "score": 12, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-5, CM-6, IA-2, RA-5, SI-4"}, {"techniqueID": "T1574.012", "score": 9, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CM-5, CM-7, IA-2, SI-10, SI-7"}, {"techniqueID": "T1578", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.001", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.002", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1578.003", "score": 11, "comment": "Related to AC-2, AC-3, AC-5, AC-6, CA-8, CM-5, IA-2, IA-4, IA-6, RA-5, SI-4"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to AC-2, AC-3, AC-5, AC-6, IA-2"}, {"techniqueID": "T1599", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1599.001", "score": 18, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-7, CM-2, CM-5, CM-6, CM-7, IA-2, IA-5, SC-28, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1601", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1601.001", "score": 26, "comment": 
"Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1601.002", "score": 26, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-5, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1611", "score": 20, "comment": "Related to AC-2, AC-3, AC-4, AC-5, AC-6, CM-5, CM-6, CM-7, IA-2, SC-18, SC-2, SC-3, SC-34, SC-39, SC-7, SI-16, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1134.005", "score": 12, "comment": "Related to AC-20, AC-3, AC-4, AC-5, AC-6, CM-2, CM-6, SA-11, SA-17, SA-4, SA-8, SC-3"}, {"techniqueID": "T1200", "score": 5, "comment": "Related to AC-20, AC-3, AC-6, MP-7, SC-41"}, {"techniqueID": "T1539", "score": 10, "comment": "Related to AC-20, AC-3, AC-6, CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to AC-20, AC-4, SC-7"}, {"techniqueID": "T1037.002", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.003", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.004", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1037.005", "score": 7, "comment": "Related to AC-3, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1048", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.001", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.002", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, 
CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1048.003", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-46, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1052", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1052.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1055.009", "score": 9, "comment": "Related to AC-3, AC-6, CA-7, SC-18, SC-7, SI-16, SI-2, SI-3, SI-4"}, {"techniqueID": "T1071.004", "score": 18, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1080", "score": 10, "comment": "Related to AC-3, CA-7, CM-2, CM-7, SC-4, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1090", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1090.003", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1091", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-8, MP-7, RA-5, SC-41, SI-3, SI-4"}, {"techniqueID": "T1095", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1098.004", "score": 9, "comment": "Related to AC-3, CM-2, CM-6, CM-7, CM-8, RA-5, SC-12, SI-3, SI-4"}, {"techniqueID": "T1187", "score": 10, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1199", "score": 8, "comment": "Related to AC-3, AC-4, AC-6, AC-8, CM-6, CM-7, SC-46, SC-7"}, {"techniqueID": "T1205", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": "T1205.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-15, SI-4"}, {"techniqueID": 
"T1218.002", "score": 9, "comment": "Related to AC-3, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1218.012", "score": 13, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-7, SI-10, SI-15, SI-4, SI-7"}, {"techniqueID": "T1485", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1486", "score": 11, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-6, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1490", "score": 12, "comment": "Related to AC-3, AC-6, CM-2, CM-6, CM-7, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1491.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1498", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.001", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1498.002", "score": 8, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15"}, {"techniqueID": "T1499", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.001", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.002", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.003", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": "T1499.004", "score": 9, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, SC-7, SI-10, SI-15, SI-4"}, {"techniqueID": 
"T1542.004", "score": 20, "comment": "Related to AC-3, AC-6, CA-7, CA-8, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, RA-5, RA-9, SA-10, SA-11, SC-34, SC-7, SI-2, SI-4, SI-7"}, {"techniqueID": "T1546.004", "score": 8, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.013", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-10, CM-2, CM-6, IA-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.003", "score": 10, "comment": "Related to AC-3, AC-6, CA-7, CM-2, CM-6, CM-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1557.001", "score": 15, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, SC-23, SC-46, SC-7, SC-8, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1561", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.001", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1561.002", "score": 10, "comment": "Related to AC-3, AC-6, CM-2, CP-10, CP-2, CP-7, CP-9, SI-3, SI-4, SI-7"}, {"techniqueID": "T1565.003", "score": 12, "comment": "Related to AC-3, AC-4, CA-7, CM-6, CM-7, CP-9, SC-28, SC-4, SC-46, SC-7, SI-16, SI-4"}, {"techniqueID": "T1570", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1572", "score": 11, "comment": "Related to AC-3, AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-10, SI-15, SI-3, SI-4"}, {"techniqueID": "T1001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1001.003", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1008", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, 
CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1029", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1030", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1041", "score": 5, "comment": "Related to AC-4, CA-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1046", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-46, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.001", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.002", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1071.003", "score": 15, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-10, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1090.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.001", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.002", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1102.003", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1104", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1105", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, 
SI-3, SI-4"}, {"techniqueID": "T1132", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.001", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1132.002", "score": 7, "comment": "Related to AC-4, CA-7, CM-2, CM-6, SC-7, SI-3, SI-4"}, {"techniqueID": "T1189", "score": 18, "comment": "Related to AC-4, AC-6, CA-7, CM-2, CM-6, CM-8, SA-22, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1203", "score": 14, "comment": "Related to AC-4, AC-6, CA-7, CM-8, SC-18, SC-2, SC-29, SC-3, SC-30, SC-39, SC-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1204", "score": 13, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1204.002", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-44, SC-7, SI-10, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1204.003", "score": 18, "comment": "Related to AC-4, CA-7, CA-8, CM-2, CM-6, CM-7, RA-5, SC-44, SC-7, SI-2, SI-3, SI-4, SI-7, SI-8, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1211", "score": 23, "comment": "Related to AC-4, AC-6, CA-7, CA-8, CM-2, CM-6, CM-8, RA-10, RA-5, SC-18, SC-2, SC-26, SC-29, SC-3, SC-30, SC-35, SC-39, SC-7, SI-2, SI-3, SI-4, SI-5, SI-7"}, {"techniqueID": "T1482", "score": 9, "comment": "Related to AC-4, CA-8, CM-6, CM-7, RA-5, SA-17, SA-8, SC-46, SC-7"}, {"techniqueID": "T1559.002", "score": 14, "comment": "Related to AC-4, AC-6, CM-10, CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SC-3, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1566", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.001", "score": 12, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-2, SI-3, 
SI-4, SI-8"}, {"techniqueID": "T1566.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1566.003", "score": 8, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-2, SI-3, SI-4, SI-8"}, {"techniqueID": "T1568", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1568.002", "score": 8, "comment": "Related to AC-4, CA-7, SC-20, SC-21, SC-22, SC-7, SI-3, SI-4"}, {"techniqueID": "T1571", "score": 8, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.001", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1573.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, CM-7, SC-12, SC-16, SC-23, SC-7, SI-3, SI-4"}, {"techniqueID": "T1598", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.001", "score": 7, "comment": "Related to AC-4, CA-7, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.002", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1598.003", "score": 11, "comment": "Related to AC-4, CA-7, CM-2, CM-6, IA-9, SC-20, SC-44, SC-7, SI-3, SI-4, SI-8"}, {"techniqueID": "T1055.001", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.002", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.003", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.004", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.005", "score": 6, "comment": "Related to AC-6, 
SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.011", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.012", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.013", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1055.014", "score": 6, "comment": "Related to AC-6, SC-18, SC-7, SI-2, SI-3, SI-4"}, {"techniqueID": "T1059.006", "score": 10, "comment": "Related to AC-6, CM-11, CM-3, CM-5, CM-7, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to AC-6, CM-7"}, {"techniqueID": "T1176", "score": 15, "comment": "Related to AC-6, CA-7, CA-8, CM-11, CM-2, CM-3, CM-5, CM-6, CM-7, RA-5, SC-7, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.011", "score": 2, "comment": "Related to AC-6, SI-2"}, {"techniqueID": "T1553", "score": 19, "comment": "Related to AC-6, CA-8, CM-10, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, IA-7, IA-9, RA-9, SA-10, SA-11, SC-34, SI-10, SI-2, SI-4, SI-7"}, {"techniqueID": "T1553.006", "score": 13, "comment": "Related to AC-6, CA-8, CM-3, CM-5, CM-7, CM-8, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1574.011", "score": 2, "comment": "Related to AC-6, CM-5"}, {"techniqueID": "T1195", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.001", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1195.002", "score": 8, "comment": "Related to CA-2, CA-7, CM-11, CM-7, RA-10, RA-5, SA-22, SI-2"}, {"techniqueID": "T1056.002", "score": 4, "comment": "Related to CA-7, SI-3, SI-4, SI-7"}, {"techniqueID": "T1111", "score": 7, "comment": "Related to CA-7, CM-2, CM-6, IA-2, IA-5, SI-3, SI-4"}, {"techniqueID": "T1201", "score": 5, "comment": "Related to CA-7, CM-2, CM-6, SI-3, SI-4"}, {"techniqueID": "T1218.010", "score": 4, "comment": "Related to CA-7, SI-10, 
SI-4, SI-7"}, {"techniqueID": "T1218.011", "score": 4, "comment": "Related to CA-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1221", "score": 14, "comment": "Related to CA-7, CM-2, CM-6, CM-7, CM-8, RA-5, SC-44, SC-7, SI-10, SI-2, SI-3, SI-4, SI-7, SI-8"}, {"techniqueID": "T1555", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.001", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1555.002", "score": 3, "comment": "Related to CA-7, IA-5, SI-4"}, {"techniqueID": "T1195.003", "score": 11, "comment": "Related to CA-8, CM-3, CM-5, CM-8, IA-7, RA-9, SA-10, SA-11, SC-34, SI-2, SI-7"}, {"techniqueID": "T1554", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, IA-9, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1560", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1560.001", "score": 5, "comment": "Related to CA-8, RA-5, SC-7, SI-3, SI-4"}, {"techniqueID": "T1574.001", "score": 9, "comment": "Related to CA-8, CM-2, CM-6, CM-7, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.008", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.004", "score": 6, "comment": "Related to CM-10, CM-6, CM-7, IA-9, SC-20, SI-4"}, {"techniqueID": "T1036.001", "score": 5, "comment": "Related to CM-2, CM-6, IA-9, SI-4, SI-7"}, {"techniqueID": "T1059.002", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, IA-9, SI-10, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1059.005", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1059.007", "score": 10, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SC-18, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1092", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, MP-7, RA-5, SI-3, SI-4"}, {"techniqueID": "T1127", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, 
{"techniqueID": "T1127.001", "score": 5, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-4"}, {"techniqueID": "T1129", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1137.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1137.003", "score": 2, "comment": "Related to CM-2, SI-2"}, {"techniqueID": "T1137.004", "score": 2, "comment": "Related to CM-2, SI-2"}, {"techniqueID": "T1137.005", "score": 2, "comment": "Related to CM-2, SI-2"}, {"techniqueID": "T1216", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1216.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.001", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, SC-18, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.003", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.004", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.005", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.008", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1218.009", "score": 8, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-4, SI-7"}, {"techniqueID": "T1220", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to CM-2, CM-6, IA-9, SI-7"}, {"techniqueID": "T1546.002", "score": 9, "comment": "Related to CM-2, CM-6, CM-7, CM-8, RA-5, SI-10, SI-3, SI-4, SI-7"}, {"techniqueID": "T1546.006", "score": 14, "comment": "Related to CM-2, CM-6, CM-7, CM-8, IA-9, SI-10, SI-2, SI-3, SI-4, SI-7, SR-11, SR-4, SR-5, SR-6"}, {"techniqueID": "T1546.010", "score": 5, "comment": "Related to CM-2, CM-7, SI-10, SI-2, SI-7"}, {"techniqueID": "T1546.014", 
"score": 6, "comment": "Related to CM-2, CM-6, CM-8, RA-5, SI-3, SI-4"}, {"techniqueID": "T1547.008", "score": 7, "comment": "Related to CM-2, CM-6, RA-5, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.004", "score": 11, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SC-18, SC-34, SI-12, SI-16, SI-3, SI-4, SI-7"}, {"techniqueID": "T1553.001", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1553.005", "score": 6, "comment": "Related to CM-2, CM-6, CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1555.004", "score": 5, "comment": "Related to CM-2, CM-6, CM-7, IA-5, SI-4"}, {"techniqueID": "T1555.005", "score": 6, "comment": "Related to CM-2, CM-6, IA-2, IA-5, SI-2, SI-4"}, {"techniqueID": "T1562.003", "score": 4, "comment": "Related to CM-2, CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.006", "score": 7, "comment": "Related to CM-2, CM-6, CM-7, CM-8, SI-10, SI-4, SI-7"}, {"techniqueID": "T1564.007", "score": 4, "comment": "Related to CM-2, CM-6, CM-8, SI-4"}, {"techniqueID": "T1087", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1135", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1547.002", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1547.005", "score": 5, "comment": "Related to CM-6, SC-39, SI-3, SI-4, SI-7"}, {"techniqueID": "T1548.001", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1552.003", "score": 4, "comment": "Related to CM-6, CM-7, SC-28, SI-4"}, {"techniqueID": "T1556.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1564.002", "score": 3, "comment": "Related to CM-6, CM-7, SI-4"}, {"techniqueID": "T1574.006", "score": 4, "comment": "Related to CM-6, CM-7, SI-10, SI-7"}, {"techniqueID": "T1059.003", 
"score": 4, "comment": "Related to CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1059.004", "score": 4, "comment": "Related to CM-7, SI-10, SI-4, SI-7"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to CM-7"}, {"techniqueID": "T1546.009", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1564.003", "score": 3, "comment": "Related to CM-7, SI-10, SI-7"}, {"techniqueID": "T1574.002", "score": 9, "comment": "Related to SA-10, SA-11, SA-15, SA-16, SA-17, SA-3, SA-4, SA-8, SI-2"}, {"techniqueID": "T1535", "score": 1, "comment": "Related to SC-23"}, {"techniqueID": "T1550.004", "score": 3, "comment": "Related to SC-23, SC-8, SI-7"}, {"techniqueID": "T1090.004", "score": 1, "comment": "Related to SC-8"}, {"techniqueID": "T1027", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}, {"techniqueID": "T1027.002", "score": 4, "comment": "Related to SI-2, SI-3, SI-4, SI-7"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 33}} \ No newline at end of file diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings.yaml b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings.yaml index 7a0f782d..e7c45238 100644 --- a/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings.yaml @@ -7,7 +7,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -20,7 +20,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -33,11 +33,69 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: true + related-score: '' score-category: Respond score-value: Significant tags: - Database +- attack-object-id: T1565.001 + attack-object-name: Stored Data Manipulation + capability-id: AWS RDS + comments: AWS RDS supports the encryption of database instances using the AES-256 + encryption algorithm. This can protect database instances from being modified + at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data + from being modified during transit. As a result, this mapping is given a score + of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1565.001 + attack-object-name: Stored Data Manipulation + capability-id: AWS RDS + comments: AWS RDS supports the replication and recovery of database instances. In + the event that data is manipulated, AWS RDS can be used to restore the database + instance to a previous point in time. As a result, this mapping is given a score + of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1565.002 + attack-object-name: Transmitted Data Manipulation + capability-id: AWS RDS + comments: AWS RDS supports the encryption of database instances using the AES-256 + encryption algorithm. This can protect database instances from being modified + at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data + from being modified during transit. As a result, this mapping is given a score + of Significant. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1565.002 + attack-object-name: Transmitted Data Manipulation + capability-id: AWS RDS + comments: AWS RDS supports the replication and recovery of database instances. In + the event that data is manipulated, AWS RDS can be used to restore the database + instance to a previous point in time. As a result, this mapping is given a score + of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Respond + score-value: Significant + tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle capability-id: AWS RDS @@ -46,7 +104,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -59,7 +117,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -72,7 +130,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -85,7 +143,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -98,7 +156,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -111,7 +169,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -124,7 +182,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -137,7 +195,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -150,7 +208,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -163,7 +221,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -176,7 +234,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: 
@@ -189,11 +247,43 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: true + related-score: '' score-category: Respond score-value: Minimal tags: - Database +- attack-object-id: T1561.001 + attack-object-name: Disk Content Wipe + capability-id: AWS RDS + comments: AWS RDS supports the replication and recovery of database instances. In + the event that a database instance is deleted during a disk wipe, AWS RDS can + be used to restore the database instance to a previous point in time. However, + this mapping is only given a score of Partial because AWS RDS only provides a + backup of the database instance and not the underlying system that it is hosted + on. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1561 + score-category: Respond + score-value: Minimal + tags: [] +- attack-object-id: T1561.002 + attack-object-name: Disk Structure Wipe + capability-id: AWS RDS + comments: AWS RDS supports the replication and recovery of database instances. In + the event that a database instance is deleted during a disk wipe, AWS RDS can + be used to restore the database instance to a previous point in time. However, + this mapping is only given a score of Partial because AWS RDS only provides a + backup of the database instance and not the underlying system that it is hosted + on. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1561 + score-category: Respond + score-value: Minimal + tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object capability-id: AWS RDS @@ -202,7 +292,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
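Review bot: The added T1561.001 (Disk Content Wipe) and T1561.002 (Disk Structure Wipe) entries say in `comments` that the mapping "is only given a score of Partial", but both record `score-value: Minimal`, so the rationale and the score disagree. Anyone using this file to judge how much Respond coverage AWS RDS gives against disk wipe gets a different answer depending on which field they read. One of the two should change, for example `this mapping is only given a score of Minimal because AWS RDS only provides a backup of the database instance`, if Minimal is the intended value. The file looks like parser output, so the correction presumably belongs in the source mapping and the fixture should then be regenerated. The parent T1561 entry's `comments` are not visible in this hunk, so I cannot tell whether it has the same wording.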
@@ -215,7 +305,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -228,7 +318,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -248,10 +338,39 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] +- attack-object-id: T1020.001 + attack-object-name: Traffic Duplication + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to ensure SSL/TLS encryption is enabled to protect + network traffic: "acm-certificate-expiration-check" for nearly expired certificates + in AWS Certificate Manager (ACM); "alb-http-to-https-redirection-check" for Application + Load Balancer (ALB) HTTP listeners; "api-gw-ssl-enabled" for API Gateway REST + API stages; "cloudfront-custom-ssl-certificate", "cloudfront-sni-enabled", and + "cloudfront-viewer-policy-https", for Amazon CloudFront distributions; "elb-acm-certificate-required", + "elb-custom-security-policy-ssl-check", "elb-predefined-security-policy-ssl-check", + and "elb-tls-https-listeners-only" for Elastic Load Balancing (ELB) Classic Load + Balancer listeners; "redshift-require-tls-ssl" for Amazon Redshift cluster connections + to SQL clients; "s3-bucket-ssl-requests-only" for requests for S3 bucket contents; + and "elasticsearch-node-to-node-encryption-check" for Amazon ElasticSearch Service + node-to-node communications. + + All of these are run on configuration changes except "alb-http-to-https-redirection-check", + which is run periodically. Coverage factor is partial for these rules, since they + are specific to a subset of the available AWS services and can only mitigate behavior + for adversaries who are unable to decrypt the relevant traffic, resulting in an + overall score of Partial.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1020 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing capability-id: AWS Config @@ -267,7 +386,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -286,10 +405,27 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] +- attack-object-id: T1053.007 + attack-object-name: Container Orchestration Job + capability-id: AWS Config + comments: The "eks-endpoint-no-public-access" managed rule can identify whether + Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to + allow public endpoint access, which should be fixed in order to prevent malicious + external access to the Kubernetes API server, including malicious attempts to + create or modify orchestration jobs. It is run periodically and only provides + partial coverage because it is specific to public access, resulting in an overall + score of Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation capability-id: AWS Config 
@@ -305,7 +441,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] 
@@ -324,10 +460,42 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to ensure multi-factor authentication (MFA) is enabled + properly, which can provide protection against attempted misuse of cloud accounts: + "iam-user-mfa-enabled", "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", + and "root-account-mfa-enabled". All of these controls are run periodically. + + The following AWS Config managed rules can identify configuration problems that + should be fixed in order to ensure that appropriate AWS Identity and Access Management + (IAM) policies are in place to enforce fine-grained access policies and mitigate + the impact of compromised valid accounts: "iam-customer-policy-blocked-kms-actions", + "iam-inline-policy-blocked-kms-actions", "iam-no-inline-policy-check", "iam-group-has-users-check", + "iam-policy-blacklisted-check", "iam-policy-no-statements-with-admin-access", + "iam-policy-no-statements-with-full-access", "iam-role-managed-policy-check", + "iam-user-group-membership-check", "iam-user-no-policies-check", and "ec2-instance-profile-attached" + are run on configuration changes. "iam-password-policy", "iam-policy-in-use", + "iam-root-access-key-check", "iam-user-mfa-enabled", "iam-user-unused-credentials-check", + and "mfa-enabled-for-iam-console-access" are run periodically. The "access-keys-rotated" + managed rule ensures that IAM access keys are rotated at an appropriate rate. 
+ + Given that these rules provide robust coverage for a variety of IAM configuration + problems and most are evaluated on configuration changes, they result in an overall + score of Significant.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation capability-id: AWS Config @@ -343,10 +511,27 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to ensure multi-factor authentication (MFA) is enabled + properly, which can provide protection against attempted manipulation of cloud + accounts: "iam-user-mfa-enabled", "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", + and "root-account-mfa-enabled". All of these controls are run periodically and + provide partial coverage, since adversaries may be able to manipulate cloud credentials + via other mechanisms, resulting in an overall score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: AWS Config 
@@ -362,7 +547,127 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to ensure multi-factor authentication (MFA) is enabled + properly, which can significantly impede brute force authentication attempts by + requiring adversaries to provide a second form of authentication even if they + succeed in brute forcing a password via one of these sub-techniques: "iam-user-mfa-enabled", + "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and + "root-account-mfa-enabled". + + The "iam-password-policy" managed rule can identify insufficient password requirements + that should be fixed in order to make brute force authentication more difficult + by increasing the complexity of user passwords and decreasing the amount of time + before they are rotated, giving adversaries less time to brute force passwords + and making it more time consuming and resource intensive to do so. This is especially + important in the case of Password Cracking, since adversaries in possession of + password hashes may be able to recover usable credentials more quickly and do + so without generating detectable noise via invalid login attempts. + + All of these controls are run periodically, but implemented policies are enforced + continuously once set and coverage factor is significant, resulting in an overall + score of Significant.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.002 + attack-object-name: Password Cracking + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to ensure multi-factor authentication (MFA) is enabled + properly, which can significantly impede brute force authentication attempts by + requiring adversaries to provide a second form of authentication even if they + succeed in brute forcing a password via one of these sub-techniques: "iam-user-mfa-enabled", + "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and + "root-account-mfa-enabled". + + The "iam-password-policy" managed rule can identify insufficient password requirements + that should be fixed in order to make brute force authentication more difficult + by increasing the complexity of user passwords and decreasing the amount of time + before they are rotated, giving adversaries less time to brute force passwords + and making it more time consuming and resource intensive to do so. This is especially + important in the case of Password Cracking, since adversaries in possession of + password hashes may be able to recover usable credentials more quickly and do + so without generating detectable noise via invalid login attempts. + + All of these controls are run periodically, but implemented policies are enforced + continuously once set and coverage factor is significant, resulting in an overall + score of Significant.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to ensure multi-factor authentication (MFA) is enabled + properly, which can significantly impede brute force authentication attempts by + requiring adversaries to provide a second form of authentication even if they + succeed in brute forcing a password via one of these sub-techniques: "iam-user-mfa-enabled", + "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and + "root-account-mfa-enabled". + + The "iam-password-policy" managed rule can identify insufficient password requirements + that should be fixed in order to make brute force authentication more difficult + by increasing the complexity of user passwords and decreasing the amount of time + before they are rotated, giving adversaries less time to brute force passwords + and making it more time consuming and resource intensive to do so. This is especially + important in the case of Password Cracking, since adversaries in possession of + password hashes may be able to recover usable credentials more quickly and do + so without generating detectable noise via invalid login attempts. + + All of these controls are run periodically, but implemented policies are enforced + continuously once set and coverage factor is significant, resulting in an overall + score of Significant.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to ensure multi-factor authentication (MFA) is enabled + properly, which can significantly impede brute force authentication attempts by + requiring adversaries to provide a second form of authentication even if they + succeed in brute forcing a password via one of these sub-techniques: "iam-user-mfa-enabled", + "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and + "root-account-mfa-enabled". + + The "iam-password-policy" managed rule can identify insufficient password requirements + that should be fixed in order to make brute force authentication more difficult + by increasing the complexity of user passwords and decreasing the amount of time + before they are rotated, giving adversaries less time to brute force passwords + and making it more time consuming and resource intensive to do so. This is especially + important in the case of Password Cracking, since adversaries in possession of + password hashes may be able to recover usable credentials more quickly and do + so without generating detectable noise via invalid login attempts. + + All of these controls are run periodically, but implemented policies are enforced + continuously once set and coverage factor is significant, resulting in an overall + score of Significant.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 score-category: Protect score-value: Significant tags: [] 
@@ -381,7 +686,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: [] @@ -400,10 +705,28 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] +- attack-object-id: T1136.003 + attack-object-name: Cloud Account + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to ensure multi-factor authentication (MFA) is enabled + properly, which can provide significant protection against attempted manipulation + of cloud accounts, including the creation of new ones: "iam-user-mfa-enabled", + "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and + "root-account-mfa-enabled". All of these controls are run periodically and provide + partial coverage, since adversaries may be able to create cloud credentials via + other mechanisms, resulting in an overall score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: AWS Config @@ -419,7 +742,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] 
@@ -438,7 +761,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -457,7 +780,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -476,7 +799,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -495,7 +818,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] 
@@ -514,10 +837,24 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: [] +- attack-object-id: T1204.003 + attack-object-name: Malicious Image + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify running instances + that are not using AMIs within a specified allow list: "approved-amis-by-id" and + "approved-amis-by-tag", both of which are run on configuration changes. They provide + significant coverage, resulting in an overall score of Significant.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1204 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction capability-id: AWS Config @@ -533,7 +870,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -552,7 +889,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] 
@@ -571,7 +908,79 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1491.001 + attack-object-name: Internal Defacement + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to prevent malicious write access to data within + Amazon Simple Storage Service (S3) storage, which may include internal and/or + external defacement: "s3-bucket-blacklisted-actions-prohibited" checks whether + bucket policies prohibit disallowed actions (including encryption configuration + changes) for principals from other AWS accounts, "s3-bucket-default-lock-enabled" + checks whether a bucket that should be locked in write-once-read-many (WORM) mode + is configured to prevent modification, and "s3-bucket-public-write-prohibited" + checks whether a bucket is configured to allow public access and modification. + All of these controls are run on configuration changes. 
+ + The following AWS Config managed rules can identify configuration problems that + should be fixed in order to ensure backups and redundancy are in place which can + mitigate the effects of malicious defacement: "aurora-mysql-backtracking-enabled" + for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" + for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and + "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" + for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic + File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" + for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" + for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" + for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront. + + Coverage factor is significant for these rules, since they cover a wide range + of services used to host content for websites within AWS, resulting in an overall + score of Significant.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1491 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1491.002 + attack-object-name: External Defacement + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to prevent malicious write access to data within + Amazon Simple Storage Service (S3) storage, which may include internal and/or + external defacement: "s3-bucket-blacklisted-actions-prohibited" checks whether + bucket policies prohibit disallowed actions (including encryption configuration + changes) for principals from other AWS accounts, "s3-bucket-default-lock-enabled" + checks whether a bucket that should be locked in write-once-read-many (WORM) mode + is configured to prevent modification, and "s3-bucket-public-write-prohibited" + checks whether a bucket is configured to allow public access and modification. + All of these controls are run on configuration changes. 
+ + The following AWS Config managed rules can identify configuration problems that + should be fixed in order to ensure backups and redundancy are in place which can + mitigate the effects of malicious defacement: "aurora-mysql-backtracking-enabled" + for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" + for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and + "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" + for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic + File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" + for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" + for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" + for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront. + + Coverage factor is significant for these rules, since they cover a wide range + of services used to host content for websites within AWS, resulting in an overall + score of Significant.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1491 score-category: Protect score-value: Significant tags: [] @@ -590,7 +999,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -609,7 +1018,43 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1498.001 + attack-object-name: Direct Network Flood + capability-id: AWS Config + comments: 'The "elb-cross-zone-load-balancing-enabled" managed rule can verify that + load balancing is properly configured, which can mitigate adversaries'' ability + to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" + can verify that failover policies are in place to increase CloudFront content + availability. + + Coverage factor is minimal for these rules, since they are specific to a subset + of the available AWS services, resulting in an overall score of Minimal.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1498.002 + attack-object-name: Reflection Amplification + capability-id: AWS Config + comments: 'The "elb-cross-zone-load-balancing-enabled" managed rule can verify that + load balancing is properly configured, which can mitigate adversaries'' ability + to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" + can verify that failover policies are in place to increase CloudFront content + availability. + + Coverage factor is minimal for these rules, since they are specific to a subset + of the available AWS services, resulting in an overall score of Minimal.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 score-category: Protect score-value: Minimal tags: [] 
@@ -628,7 +1073,79 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: AWS Config + comments: 'The "elb-cross-zone-load-balancing-enabled" managed rule can verify that + load balancing is properly configured, which can mitigate adversaries'' ability + to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" + can verify that failover policies are in place to increase CloudFront content + availability. + + Coverage factor is minimal for these rules, since they are specific to a subset + of the available AWS services, resulting in an overall score of Minimal.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1499.002 + attack-object-name: Service Exhaustion Flood + capability-id: AWS Config + comments: 'The "elb-cross-zone-load-balancing-enabled" managed rule can verify that + load balancing is properly configured, which can mitigate adversaries'' ability + to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" + can verify that failover policies are in place to increase CloudFront content + availability. + + Coverage factor is minimal for these rules, since they are specific to a subset + of the available AWS services, resulting in an overall score of Minimal.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1499.003 + attack-object-name: Application Exhaustion Flood + capability-id: AWS Config + comments: 'The "elb-cross-zone-load-balancing-enabled" managed rule can verify that + load balancing is properly configured, which can mitigate adversaries'' ability + to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" + can verify that failover policies are in place to increase CloudFront content + availability. + + Coverage factor is minimal for these rules, since they are specific to a subset + of the available AWS services, resulting in an overall score of Minimal.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1499.004 + attack-object-name: Application or System Exploitation + capability-id: AWS Config + comments: 'The "elb-cross-zone-load-balancing-enabled" managed rule can verify that + load balancing is properly configured, which can mitigate adversaries'' ability + to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" + can verify that failover policies are in place to increase CloudFront content + availability. + + Coverage factor is minimal for these rules, since they are specific to a subset + of the available AWS services, resulting in an overall score of Minimal.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 score-category: Protect score-value: Minimal tags: [] 
@@ -647,7 +1164,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: [] @@ -666,7 +1183,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: [] @@ -685,7 +1202,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: [] 
@@ -704,7 +1221,70 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1552.001 + attack-object-name: Credentials In Files + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify configuration problems + that should be fixed in order to prevent malicious access of data within Amazon + Simple Storage Service (S3) storage, which may include files containing credentials: + "s3-account-level-public-access-blocks", "s3-bucket-level-public-access-prohibited", + "s3-bucket-public-read-prohibited", "s3-bucket-policy-not-more-permissive", "cloudfront-origin-access-identity-enabled", + and "cloudfront-default-root-object-configured" identify objects that are publicly + available or subject to overly permissive access policies; and "s3-bucket-policy-grantee-check" + checks whether bucket policies appropriately control which AWS principals, federated + users, service principals, IP addresses, and VPCs have access. All of these controls + are run on configuration changes. + + The following AWS Config managed rules can identify configuration problems that + should be fixed in order to ensure that cloud storage data - which may include + files containing credentials - are encrypted to prevent malicious access: "s3-bucket-server-side-encryption-enabled" + and "s3-default-encryption-kms" for S3 storage, "ec2-ebs-encryption-by-default" + and "encrypted-volumes" for EBS volumes. + + Coverage factor is partial for these rules, since they are specific to a subset + of the available AWS services, resulting in an overall score of Partial.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1552.005 + attack-object-name: Cloud Instance Metadata API + capability-id: AWS Config + comments: The "ec2-imdsv2-check" managed rule can identify instances which are configured + to use the outdated Instance Metadata Service Version 1 (IMDSv1), which is less + secure than IMDSv2. This provides partial coverage, since adversaries may find + ways to exploit the more secure IMDSv2, resulting in an overall score of Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1552.007 + attack-object-name: Container API + capability-id: AWS Config + comments: The "eks-endpoint-no-public-access" managed rule can identify whether + Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to + allow public endpoint access, which should be fixed in order to prevent malicious + external access to the Kubernetes API server, including malicious attempts to + gather credentials via the API. The "eks-secrets-encrypted" managed rule can identify + configuration problems that should be fixed in order to ensure that Kubernetes + secrets (including those containing credentials) are encrypted to prevent malicious + access. Both controls are run periodically and only provide partial coverage because + they are specific to public access and adversaries without the ability to decrypt + secrets, respectively, resulting in an overall score of Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 score-category: Protect score-value: Partial tags: [] 
@@ -723,7 +1303,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: [] 
@@ -742,10 +1322,80 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: [] +- attack-object-id: T1562.001 + attack-object-name: Disable or Modify Tools + capability-id: AWS Config + comments: The "ec2-managedinstance-applications-required" managed rule verifies + that all applications in a pre-defined list of requirements are installed on specified + managed instances, and is run on configuration changes. It will not detect modification + to those applications, but will detect if they are uninstalled. The "ec2-managedinstance-applications-blacklisted" + managed rule verifies that a pre-defined list of applications are not installed + on specified managed instances, and can be used to detect installation of applications + below a minimum version, which can identify adversary attempts to downgrade required + tools to insecure or ineffective older versions. Given the host-based scoping + of this technique, coverage is partial, resulting in an overall score of Partial. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562.007 + attack-object-name: Disable or Modify Cloud Firewall + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify potentially malicious + changes to cloud firewall status and ensure that a WAF is enabled and enforcing + specified ACLs: "lab-waf-enabled" for Application Load Balancers; "api-gw-associated-with-waf" + for Amazon API Gateway API stages; "cloudfront-associated-with-waf" for Amazon + CloudFront distributions; "fms-webacl-resource-policy-check", "fms-webacl-resource-policy-check", + and "fms-webacl-rulegroup-association-check" for AWS Firewall Manager; "vpc-default-security-group-closed", + "vpc-network-acl-unused-check", and "vpc-sg-open-only-to-authorized-ports" for + VPC security groups; and "ec2-security-group-attached-to-eni" for EC2 and ENI + security groups; all of which are run on configuration changes. + + The following AWS Config managed rules can identify specific configuration changes + to VPC configuration that may suggest malicious modification to bypass protections: + "internet-gateway-authorized-vpc-only" can identify Internet gateways (IGWs) attached + to unauthorized VPCs, which can allow unwanted communication between a VPC and + the Internet; "lambda-inside-vpc" can identify VPCs that have granted execution + access to unauthorized Lambda functions; "service-vpc-endpoint-enabled" can verify + that endpoints are active for the appropriate services across VPCs; "subnet-auto-assign-public-ip-disabled" + checks for public IP addresses assigned to subnets within VPCs. + + Coverage factor is significant for these rules, since they cover firewall configuration + for and via a wide range of services, resulting in an overall score of Significant.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1562.008 + attack-object-name: Disable Cloud Logs + capability-id: AWS Config + comments: 'The following AWS Config managed rules can identify potentially malicious + changes to cloud logging: "api-gw-execution-logging-enabled", "cloudfront-accesslogs-enabled", + "elasticsearch-logs-to-cloudwatch", "elb-logging-enabled", "redshift-cluster-configuration-check", + "rds-logging-enabled", and "s3-bucket-logging-enabled" are run on configuration + changes. "cloudtrail-security-trail-enabled", "cloud-trail-cloud-watch-logs-enabled", + "cloudtrail-s3-dataevents-enabled", "vpc-flow-logs-enabled", "waf-classic-logging-enabled", + and "wafv2-logging-enabled" are run periodically. + + Coverage factor is significant for these rules, since they cover logging configuration + for a wide range of services, resulting in an overall score of Significant.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1609 attack-object-name: Container Administration Command capability-id: AWS Config @@ -761,7 +1411,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -780,7 +1430,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] 
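Review bot: In the added T1562.007 entry of the `-742,10 +1322,80` hunk, the comment names the Application Load Balancer rule as "lab-waf-enabled" and lists "fms-webacl-resource-policy-check" twice for AWS Firewall Manager. The AWS Config managed rule for ALBs is `alb-waf-enabled`, so a reader searching for the identifier as written will not find it. The repeated Firewall Manager name probably stands in for a different rule. This file looks like parser output pinned as a test expectation, so the correction belongs in the source mapping, with the fixture regenerated afterwards rather than edited by hand.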
@@ -799,7 +1449,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -818,7 +1468,7 @@ attack-objects: - https://docs.aws.amazon.com/config - https://docs.aws.amazon.com/config/latest/developerguide - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -832,7 +1482,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -847,7 +1497,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -867,7 +1517,33 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1595.001 + attack-object-name: Scanning IP Blocks + capability-id: Amazon GuardDuty + comments: 'There are a few finding types offered by GuardDuty that flag this behavior: + Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, + Impact:EC2/PortSweep.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: Amazon GuardDuty + comments: There are finding types that show when an EC2 instance is probing other + AWS resources for information. Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, + Recon:EC2/Portscan, Impact:EC2/PortSweep + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 score-category: Detect score-value: Partial tags: [] @@ -886,7 +1562,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -905,7 +1581,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: [] 
@@ -924,7 +1600,43 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1566.001 + attack-object-name: Spearphishing Attachment + capability-id: Amazon GuardDuty + comments: The domain associated with phishing can be delivered by various means + these sub-techniques are added to the mapping and scoring of this Security service. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1566 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1566.002 + attack-object-name: Spearphishing Link + capability-id: Amazon GuardDuty + comments: The domain associated with phishing can be delivered by various means + these sub-techniques are added to the mapping and scoring of this Security service. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1566 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1566.003 + attack-object-name: Spearphishing via Service + capability-id: Amazon GuardDuty + comments: The domain associated with phishing can be delivered by various means + these sub-techniques are added to the mapping and scoring of this Security service. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1566 score-category: Detect score-value: Partial tags: [] 
@@ -943,31 +1655,36 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: [] -- attack-object-id: T1098 - attack-object-name: Account Manipulation +- attack-object-id: T1078.001 + attack-object-name: Default Accounts capability-id: Amazon GuardDuty - comments: "Scores for this service are capped at Partial due to limited coverage\ - \ and accuracy information.\nThe temporal factor for this control is consistent:\ - \ the first instance of a finding taking place is alerted within 5 minutes of\ - \ the event occurring. After that any subsequent events can be customized to be\ - \ reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings\ - \ were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n\ - \ InitialAccess:IAMUser/AnomalousBehavior" + comments: Listed findings above flag instances where there are indications of account + compromise. mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + references: [] + related-score: T1078 score-category: Detect score-value: Partial tags: [] -- attack-object-id: T1562 - attack-object-name: Impair Defenses +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Amazon GuardDuty + comments: Listed findings above flag instances where there are indications of account + compromise. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1098 + attack-object-name: Account Manipulation capability-id: Amazon GuardDuty comments: "Scores for this service are capped at Partial due to limited coverage\ \ and accuracy information.\nThe temporal factor for this control is consistent:\ 
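Review bot: The added T1078.001 and T1078.004 entries in the `-943,31 +1655,36` hunk carry the comment "Listed findings above flag instances where there are indications of account compromise", but neither entry names a finding and both have `references: []`. Once the sub-technique is emitted as its own record, "above" points at nothing, so a reader cannot tell which GuardDuty finding types justify the Partial detect score. The source mapping's comment should name the finding types directly, or the parser should carry the parent's references into the sub-technique entry, before this expected output is regenerated.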
@@ -981,7 +1698,103 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: Amazon GuardDuty + comments: The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous + API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, + ImportKeyPair. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1098.004 + attack-object-name: SSH Authorized Keys + capability-id: Amazon GuardDuty + comments: The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous + API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, + ImportKeyPair. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562 + attack-object-name: Impair Defenses + capability-id: Amazon GuardDuty + comments: "Scores for this service are capped at Partial due to limited coverage\ + \ and accuracy information.\nThe temporal factor for this control is consistent:\ + \ the first instance of a finding taking place is alerted within 5 minutes of\ + \ the event occurring. 
After that any subsequent events can be customized to be\ + \ reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings\ + \ were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n\ + \ InitialAccess:IAMUser/AnomalousBehavior" + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan + - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562.008 + attack-object-name: Disable Cloud Logs + capability-id: Amazon GuardDuty + comments: 'The following GuardDuty findings provide indicators of malicious activity + in defense measures: + + Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange + Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller + Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux + PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562.006 + attack-object-name: Indicator Blocking + capability-id: Amazon GuardDuty + comments: 'The following GuardDuty findings provide indicators of malicious activity + in defense measures: + + Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange + Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller + Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux + PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller' + mapping-description: '' + mapping-type: 
technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562.001 + attack-object-name: Disable or Modify Tools + capability-id: Amazon GuardDuty + comments: 'The following GuardDuty findings provide indicators of malicious activity + in defense measures: + + Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange + Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller + Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux + PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 score-category: Detect score-value: Partial tags: [] 
@@ -1000,7 +1813,43 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Amazon GuardDuty + comments: Due to the detection being limited to a specific set of application protocols, + its coverage is Minimal resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Amazon GuardDuty + comments: Due to the detection being limited to a specific set of application protocols, + its coverage is Minimal resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Amazon GuardDuty + comments: Due to the detection being limited to a specific set of application protocols, + its coverage is Minimal resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 score-category: Detect score-value: Minimal tags: [] 
@@ -1019,7 +1868,40 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1552.001 + attack-object-name: Credentials In Files + capability-id: Amazon GuardDuty + comments: 'The following finding types in Amazon GuardDuty can be used to identify + potentially malicious interactions with S3 which may lead to the compromise of + any credential files stored in S3: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller + Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux + PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller + + The score is capped at Partial since the findings only apply to credential files + stored within S3 buckets and only certain types of suspicious behaviors.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1552.005 + attack-object-name: Cloud Instance Metadata API + capability-id: Amazon GuardDuty + comments: The UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding + type flags attempts to run AWS API operations from a host outside of EC2 using + temporary AWS credentials that were created on an EC2 instance in your AWS environment. + This may indicate that the temporary credentials have been compromised. Score + is capped at Minimal because external use is required for detection. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 score-category: Detect score-value: Minimal tags: [] 
@@ -1038,7 +1920,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -1057,7 +1939,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -1076,7 +1958,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -1095,7 +1977,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -1114,7 +1996,79 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1071.001 + attack-object-name: Web Protocols + capability-id: Amazon GuardDuty + comments: 'GuardDuty flags events matching the following finding types that relate + to adversaries attempting to communicate using application layer protocols to + avoid detection. + + UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS + Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint + Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation + Impact:EC2/SuspiciousDomainRequest.Reputation' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1071.002 + attack-object-name: File Transfer Protocols + capability-id: Amazon GuardDuty + comments: 'GuardDuty flags events matching the following finding types that relate + to adversaries attempting to communicate using application layer protocols to + avoid detection. 
+ + UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS + Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint + Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation + Impact:EC2/SuspiciousDomainRequest.Reputation' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1071.003 + attack-object-name: Mail Protocols + capability-id: Amazon GuardDuty + comments: 'GuardDuty flags events matching the following finding types that relate + to adversaries attempting to communicate using application layer protocols to + avoid detection. + + UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS + Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint + Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation + Impact:EC2/SuspiciousDomainRequest.Reputation' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: Amazon GuardDuty + comments: 'GuardDuty flags events matching the following finding types that relate + to adversaries attempting to communicate using application layer protocols to + avoid detection. 
+ + UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS + Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint + Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation + Impact:EC2/SuspiciousDomainRequest.Reputation' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 score-category: Detect score-value: Partial tags: [] @@ -1133,7 +2087,22 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1568.002 + attack-object-name: Domain Generation Algorithms + capability-id: Amazon GuardDuty + comments: 'GuardDuty has the following finding types to flag events where adversaries + may dynamically establish connections to command-and-control infrastructure to + evade common detections and remediations. + + Trojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1568 score-category: Detect score-value: Partial tags: [] @@ -1152,7 +2121,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -1171,7 +2140,58 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1090.001 + attack-object-name: Internal Proxy + capability-id: Amazon GuardDuty + comments: 'The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events + where adversaries may use a connection proxy to direct network traffic between + systems or act as an intermediary for network communications to a command-and-control + server to avoid direct connections to their infrastructure. + + Due to the detection being limited to a specific type of proxy, Tor, its coverage + is Minimal resulting in a Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1090.002 + attack-object-name: External Proxy + capability-id: Amazon GuardDuty + comments: 'The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events + where adversaries may use a connection proxy to direct network traffic between + systems or act as an intermediary for network communications to a command-and-control + server to avoid direct connections to their infrastructure. + + Due to the detection being limited to a specific type of proxy, Tor, its coverage + is Minimal resulting in a Minimal score.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1090.003 + attack-object-name: Multi-hop Proxy + capability-id: Amazon GuardDuty + comments: 'The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events + where adversaries may use a connection proxy to direct network traffic between + systems or act as an intermediary for network communications to a command-and-control + server to avoid direct connections to their infrastructure. + + Due to the detection being limited to a specific type of proxy, Tor, its coverage + is Minimal resulting in a Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 score-category: Detect score-value: Minimal tags: [] @@ -1190,7 +2210,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -1209,7 +2229,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: [] @@ -1228,7 +2248,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: [] 
@@ -1247,7 +2267,22 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: Amazon GuardDuty + comments: 'The following GuardDuty finding type flags events where adversaries may + steal data by exfiltrating it over a different protocol than that of the existing + command and control channel. + + Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 score-category: Detect score-value: Partial tags: [] 
@@ -1266,7 +2301,39 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1567.001 + attack-object-name: Exfiltration to Code Repository + capability-id: Amazon GuardDuty + comments: 'The following finding types in GuardDuty flag events where adversaries + may use an existing, legitimate external Web service to exfiltrate data rather + than their primary command-and-control channel. + + Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior + Behavior:EC2/TrafficVolumeUnusual' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1567 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1567.002 + attack-object-name: Exfiltration to Cloud Storage + capability-id: Amazon GuardDuty + comments: 'The following finding types in GuardDuty flag events where adversaries + may use an existing, legitimate external Web service to exfiltrate data rather + than their primary command-and-control channel. + + Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior + Behavior:EC2/TrafficVolumeUnusual' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1567 score-category: Detect score-value: Partial tags: [] @@ -1285,7 +2352,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -1304,7 +2371,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -1323,7 +2390,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -1342,7 +2409,20 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1565.001 + attack-object-name: Stored Data Manipulation + capability-id: Amazon GuardDuty + comments: The Impact:S3/MaliciousIPCaller finding type is looking for API calls + commonly associated with Impact tactic of techniques where an adversary is trying + to manipulate, interrupt, or destroy data within your AWS environment. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 score-category: Detect score-value: Partial tags: [] 
@@ -1361,7 +2441,39 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1498.001 + attack-object-name: Direct Network Flood + capability-id: Amazon GuardDuty + comments: 'The following finding types in GuardDuty flag events where adversaries + may perform Network Denial of Service (DoS) attacks to degrade or block the availability + of targeted resources to users. + + Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol + Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1498.002 + attack-object-name: Reflection Amplification + capability-id: Amazon GuardDuty + comments: 'The following finding types in GuardDuty flag events where adversaries + may perform Network Denial of Service (DoS) attacks to degrade or block the availability + of targeted resources to users. + + Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol + Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 score-category: Detect score-value: Partial tags: [] @@ -1380,7 +2492,7 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -1399,7 +2511,67 @@ attack-objects: references: - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1491.002 + attack-object-name: External Defacement + capability-id: Amazon GuardDuty + comments: 'The following finding types can be used to detect behavior that can lead + to the defacement of + + cloud resources: + + Impact:S3/MaliciousIPCaller + + Exfiltration:S3/MaliciousIPCaller + + Exfiltration:S3/ObjectRead.Unusual + + PenTest:S3/KaliLinux + + PenTest:S3/ParrotLinux + + PenTest:S3/PentooLinux + + UnauthorizedAccess:S3/MaliciousIPCaller.Custom + + UnauthorizedAccess:S3/TorIPCaller' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1491 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1491.001 + attack-object-name: Internal Defacement + capability-id: Amazon GuardDuty + comments: 'The following finding types can be used to detect behavior that can lead + to the defacement of + + cloud resources: + + Impact:S3/MaliciousIPCaller + + Exfiltration:S3/MaliciousIPCaller + + Exfiltration:S3/ObjectRead.Unusual + + PenTest:S3/KaliLinux + + PenTest:S3/ParrotLinux + + PenTest:S3/PentooLinux + + UnauthorizedAccess:S3/MaliciousIPCaller.Custom + + UnauthorizedAccess:S3/TorIPCaller' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1491 score-category: Detect score-value: Partial tags: [] 
@@ -1416,12 +2588,44 @@ attack-objects: references: - https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc - https://aws.amazon.com/shield/features/ - related-score: true + related-score: '' score-category: Respond score-value: Significant tags: - Denial of Service - Network +- attack-object-id: T1498.001 + attack-object-name: Direct Network Flood + capability-id: AWS Shield + comments: 'AWS Shield will set and use a static network flow threshold to detect + incoming traffic to AWS services. This will reduce direct network DOS attacks + by applying an undisclosed combination of traffic signatures, anomaly algorithms, + and other analysis techniques to detect malicious traffic in real-time. AWS Shield + Advance identifies anomalies in network traffic to flag attempted attacks and + execute inline mitigations to resolve the issue. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1498.002 + attack-object-name: Reflection Amplification + capability-id: AWS Shield + comments: 'AWS Shield will set and use a static network flow threshold to detect + incoming traffic to AWS services. This will reduce direct network DOS attacks + by applying an undisclosed combination of traffic signatures, anomaly algorithms, + and other analysis techniques to detect malicious traffic in real-time. AWS Shield + Advance identifies anomalies in network traffic to flag attempted attacks and + execute inline mitigations to resolve the issue. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Respond + score-value: Significant + tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service capability-id: AWS Shield 
@@ -1435,12 +2639,50 @@ attack-objects: references: - https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc - https://aws.amazon.com/shield/features/ - related-score: true + related-score: '' score-category: Respond score-value: Significant tags: - Denial of Service - Network +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: AWS Shield + comments: 'AWS Shield Standard provides protection and response to these Denial + of Service attacks in real time by using a network traffic baseline and identifying + anomalies among other techniques. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1499.002 + attack-object-name: Service Exhaustion Flood + capability-id: AWS Shield + comments: 'AWS Shield Standard provides protection and response to these Denial + of Service attacks in real time by using a network traffic baseline and identifying + anomalies among other techniques. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1499.003 + attack-object-name: Application Exhaustion Flood + capability-id: AWS Shield + comments: AWS Shield Advance allows for customized detection and mitigations for + custom applications that are running on EC2 instances. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Respond + score-value: Significant + tags: [] - attack-object-id: T1020 attack-object-name: Automated Exfiltration capability-id: AWS IoT Device Defender 
@@ -1473,12 +2715,42 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Internet of Things - IoT +- attack-object-id: T1020.001 + attack-object-name: Traffic Duplication + capability-id: AWS IoT Device Defender + comments: 'The following AWS IoT Device Defender audit checks and corresponding + mitigation actions can identify and resolve configuration problems that should + be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect + network traffic to/from IoT devices: "CA certificate expiring" ("CA_CERTIFICATE_EXPIRING_CHECK" + in the CLI and API), "CA certificate key quality" ("CA_CERTIFICATE_KEY_QUALITY_CHECK" + in the CLI and API), and "CA certificate revoked but device certificates still + active" ("REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API) can identify + problems with certificate authority (CA) certificates being used for signing and + support the "UPDATE_CA_CERTIFICATE" mitigation action which can resolve them. + "Device certificate expiring" ("DEVICE_CERTIFICATE_EXPIRING_CHECK" in the CLI + and API), "Device certificate key quality" ("DEVICE_CERTIFICATE_KEY_QUALITY_CHECK" + in the CLI and API), "Device certificate shared" ("DEVICE_CERTIFICATE_SHARED_CHECK" + in the CLI and API), and "Revoked device certificate still active" ("REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK" + in the CLI and API) can identify problems with IoT devices'' certificates and + support the "UPDATE_DEVICE_CERTIFICATE" and "ADD_THINGS_TO_THING_GROUP" mitigation + actions which can resolve them. 
+ + Coverage factor is partial for these checks and mitigations, since they are specific + to IoT device communication and can only mitigate behavior for adversaries who + are unable to decrypt the relevant traffic, resulting in an overall score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1020 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing capability-id: AWS IoT Device Defender @@ -1511,7 +2783,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1549,7 +2821,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1587,7 +2859,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -1625,23 +2897,104 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Internet of Things - IoT -- attack-object-id: T1071 - attack-object-name: Application Layer Protocol +- attack-object-id: T1048.001 + attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol capability-id: AWS IoT Device Defender - comments: 'Mappings for AWS IoT Device Defender audit are based on the current set - of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender''s - predefined mitigation actions are also included for those audit checks that support - them. Audit checks can be run as needed (on-demand audits) or scheduled to be - run periodically (scheduled audits), so temporal scoring factors are uniformly - high for this control, based on the assumption that checks are run (at minimum) - on a frequent basis. Audit check and mitigation names are identified in quotes - throughout this mapping. + comments: 'The following AWS IoT Device Defender device-side detection metrics can + detect indicators that an adversary may be exfiltrating collected data from compromised + AWS IoT devices over a given channel to/from those devices: "Destination IPs" + ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest + that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), + "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets + out" ("aws:all-packets-out") values outside of expected norms may indicate that + the device is sending and/or receiving non-standard traffic, which may include + exfiltration of stolen data. 
"Listening TCP ports" ("aws:listening-tcp-ports"), + "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections + count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), + and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside + of expected norms may indicate that devices are communicating via unexpected ports/protocols, + which may include exfiltration of data over those ports/protocols. + + Coverage factor is partial, since these metrics are limited to exfiltration from + IoT devices, resulting in an overall score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1048.002 + attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol + capability-id: AWS IoT Device Defender + comments: 'The following AWS IoT Device Defender device-side detection metrics can + detect indicators that an adversary may be exfiltrating collected data from compromised + AWS IoT devices over a given channel to/from those devices: "Destination IPs" + ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest + that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), + "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets + out" ("aws:all-packets-out") values outside of expected norms may indicate that + the device is sending and/or receiving non-standard traffic, which may include + exfiltration of stolen data. 
"Listening TCP ports" ("aws:listening-tcp-ports"), + "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections + count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), + and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside + of expected norms may indicate that devices are communicating via unexpected ports/protocols, + which may include exfiltration of data over those ports/protocols. + + Coverage factor is partial, since these metrics are limited to exfiltration from + IoT devices, resulting in an overall score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: AWS IoT Device Defender + comments: 'The following AWS IoT Device Defender device-side detection metrics can + detect indicators that an adversary may be exfiltrating collected data from compromised + AWS IoT devices over a given channel to/from those devices: "Destination IPs" + ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest + that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), + "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets + out" ("aws:all-packets-out") values outside of expected norms may indicate that + the device is sending and/or receiving non-standard traffic, which may include + exfiltration of stolen data. 
"Listening TCP ports" ("aws:listening-tcp-ports"), + "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections + count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), + and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside + of expected norms may indicate that devices are communicating via unexpected ports/protocols, + which may include exfiltration of data over those ports/protocols. + + Coverage factor is partial, since these metrics are limited to exfiltration from + IoT devices, resulting in an overall score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1071 + attack-object-name: Application Layer Protocol + capability-id: AWS IoT Device Defender + comments: 'Mappings for AWS IoT Device Defender audit are based on the current set + of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender''s + predefined mitigation actions are also included for those audit checks that support + them. Audit checks can be run as needed (on-demand audits) or scheduled to be + run periodically (scheduled audits), so temporal scoring factors are uniformly + high for this control, based on the assumption that checks are run (at minimum) + on a frequent basis. Audit check and mitigation names are identified in quotes + throughout this mapping. Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection 
@@ -1663,7 +3016,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -1701,7 +3054,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -1739,12 +3092,88 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Internet of Things - IoT +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: AWS IoT Device Defender + comments: 'The following AWS IoT Device Defender audit checks can identify potentially + malicious use of valid cloud credentials by AWS IoT devices, which may indicate + that devices have been compromised: "CA certificate revoked but device certificates + still active" ("REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API) + indicates that device certificates signed using a revoked CA certificate are still + active, which may indicate that devices using those certificates are controlled + by an adversary if the CA certificate was revoked due to compromise. "Device certificate + shared" ("DEVICE_CERTIFICATE_SHARED_CHECK" in the CLI and API), "Revoked device + certificate still active" ("REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK" in + the CLI and API), and "Conflicting MQTT client IDs" ("CONFLICTING_CLIENT_IDS_CHECK" + in the CLI and API) can indicate that devices are in use with duplicate certificates + and/or IDs and/or certificates that have been revoked due to compromise, all of + which suggest that an adversary may be using clones of compromised devices to + leverage their access. + + The following AWS IoT Device Defender cloud-side detection metrics can identify + potentially malicious use of valid cloud credentials by IoT devices, which may + indicate that devices have been compromised: "Source IP" ("aws:source-ip-address") + values outside of expected IP address ranges may suggest that a device has been + stolen. 
"Authorization failures" ("aws:num-authorization-failures") counts above + a typical threshold may indicate that a compromised device is attempting to use + its connection to AWS IoT to access resources for which it does not have access + and being denied. High counts for "Disconnects" ("aws:num-disconnects"), especially + in conjunction with high counts for "Connection attempts" ("aws:num-connection-attempts"), + which include successful attempts, may indicate that a compromised device is connecting + and disconnecting from AWS IoT using the device''s associated access. + + Coverage factor is partial for these metrics, checks, and mitigations, since they + are specific to use of cloud accounts for AWS IoT access and actions, resulting + in an overall score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: AWS IoT Device Defender + comments: 'The following AWS IoT Device Defender audit checks and corresponding + mitigation actions can identify and in some cases resolve configuration problems + that should be fixed in order to limit the potential impact of compromised accounts + with access to AWS IoT resources: The "Authenticated Cognito role overly permissive" + ("AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK" in the CLI and API) audit + check can identify policies which grant excessive privileges and permissions for + AWS IoT actions to Amazon Cognito identity pool roles. The "Unauthenticated Cognito + role overly permissive" ("UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK" + in the CLI and API) audit check can identify policies which grant excessive privileges + and permissions for AWS IoT actions to Amazon Cognito identity pool roles and + do not require authentication, which pose a substantial risk because they can + be trivially accessed. 
The "AWS IoT policies overly permissive" ("IOT_POLICY_OVERLY_PERMISSIVE_CHECK" + in the CLI and API) audit check can identify AWS IoT policies which grant excessive + privileges and permissions for AWS IoT actions and supports the "REPLACE_DEFAULT_POLICY_VERSION" + mitigation action which can reduce permissions to limit potential misuse. The + "Role alias allows access to unused services" ("IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK" + in the CLI and API) and "Role alias overly permissive" ("IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK" + in the CLI and API) audit checks can identify AWS IoT role aliases which allow + connected devices to authenticate using their certificates and obtain short-lived + AWS credentials from an associated IAM role which grant permissions and privileges + beyond those necessary to the devices'' functions and should be fixed in order + to prevent further account compromise from compromised devices. + + Coverage factor is partial for these checks and mitigations, since they are specific + to use of cloud accounts for AWS IoT access and actions, resulting in an overall + score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol capability-id: AWS IoT Device Defender @@ -1777,7 +3206,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
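Review bot: The sub-technique entries added in this hunk (T1078.004 for AWS IoT Device Defender) carry `references: []` and `tags: []`, while the parent-technique entries for the same capability keep their documentation URLs and the `Internet of Things` / `IoT` tags. Anyone filtering these mappings by tag, or following references to judge detection or protection coverage, would silently miss the sub-technique scores. If that is not intended, the expected output should repeat the capability's values on each sub-technique entry, e.g. `tags:` followed by `- Internet of Things` and `- IoT`. The same pattern recurs in the later hunks for AWS Organizations, AWS CloudEndure Disaster Recovery, AWS Key Management Service and Amazon Inspector. Separately, `related-score` now holds `''` or a technique ID such as `T1078` where it used to be a boolean, so any consumer that tests it for truthiness is worth checking.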
@@ -1815,7 +3244,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1853,7 +3282,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -1891,12 +3320,34 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Internet of Things - IoT +- attack-object-id: T1552.004 + attack-object-name: Private Keys + capability-id: AWS IoT Device Defender + comments: 'The following AWS IoT Device Defender audit checks can identify potentially + malicious use of private keys associated with AWS IoT devices, which may indicate + that the keys have been taken from compromised devices and repurposed by an adversary: + "Device certificate shared" ("DEVICE_CERTIFICATE_SHARED_CHECK" in the CLI and + API) and "Revoked device certificate still active" ("REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK" + in the CLI and API) can indicate that devices are in use with duplicate certificates + and/or certificates that have been revoked due to compromise, both of which suggest + that an adversary may be misusing stolen private keys. + + Coverage factor is partial for these checks and mitigations, since they are specific + to use of private keys associated with AWS IoT devices, resulting in an overall + score of Partial.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle capability-id: AWS IoT Device Defender @@ -1929,7 +3380,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -1967,7 +3418,7 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -2005,12 +3456,41 @@ attack-objects: - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit - https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect - related-score: true + related-score: '' score-category: Respond score-value: Minimal tags: - Internet of Things - IoT +- attack-object-id: T1562.008 + attack-object-name: Disable Cloud Logs + capability-id: AWS IoT Device Defender + comments: The "Logging disabled" audit check ("LOGGING_DISABLED_CHECK" in the CLI + and API) can identify potentially malicious changes to AWS IoT logs (both V1 and + V2), which should be enabled in Amazon CloudWatch. Score is limited to Partial + since this control only addresses IoT logging. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562.008 + attack-object-name: Disable Cloud Logs + capability-id: AWS IoT Device Defender + comments: The "ENABLE_IOT_LOGGING" mitigation action (which is supported by the + "Logging disabled" audit check) enables AWS IoT logging if it is not enabled when + the check is run, effectively reversing the adversary behavior if those logs were + disabled due to malicious changes. Score is limited to Partial since this control + only addresses IoT logging. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Respond + score-value: Partial + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: AWS Organizations 
@@ -2020,11 +3500,25 @@ attack-objects: references: - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html - https://aws.amazon.com/organizations/getting-started/best-practices/ - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Identity +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: AWS Organizations + comments: This control may protect against malicious use of cloud accounts by implementing + service control policies that define what actions an account may take. If best + practices are followed, AWS accounts should only have the least amount of privileges + required. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery capability-id: AWS Organizations @@ -2034,11 +3528,24 @@ attack-objects: references: - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html - https://aws.amazon.com/organizations/getting-started/best-practices/ - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Identity +- attack-object-id: T1087.004 + attack-object-name: Cloud Account + capability-id: AWS Organizations + comments: 'This control may protect against cloud account discovery by segmenting + accounts into separate organizational units and restricting to least privileges + between groups. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery capability-id: AWS Organizations 
@@ -2048,7 +3555,7 @@ attack-objects: references: - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html - https://aws.amazon.com/organizations/getting-started/best-practices/ - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2062,7 +3569,7 @@ attack-objects: references: - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html - https://aws.amazon.com/organizations/getting-started/best-practices/ - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2076,7 +3583,7 @@ attack-objects: references: - https://aws.amazon.com/cloudendure-disaster-recovery/ - https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: [] @@ -2089,7 +3596,7 @@ attack-objects: references: - https://aws.amazon.com/cloudendure-disaster-recovery/ - https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: [] @@ -2102,7 +3609,7 @@ attack-objects: references: - https://aws.amazon.com/cloudendure-disaster-recovery/ - https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: [] 
@@ -2115,10 +3622,24 @@ attack-objects: references: - https://aws.amazon.com/cloudendure-disaster-recovery/ - https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm - related-score: true + related-score: '' score-category: Respond score-value: Minimal tags: [] +- attack-object-id: T1565.001 + attack-object-name: Stored Data Manipulation + capability-id: AWS CloudEndure Disaster Recovery + comments: AWS CloudEndure Disaster Recovery enables the replication and recovery + of servers into AWS Cloud. In the event that data on servers is manipulated, AWS + CloudEndure can be used to provision an instance of the server from a previous + point in time within minutes. As a result, this mapping is given a score of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Respond + score-value: Significant + tags: [] - attack-object-id: T1491 attack-object-name: Defacement capability-id: AWS CloudEndure Disaster Recovery 
@@ -2128,7 +3649,35 @@ attack-objects: references: - https://aws.amazon.com/cloudendure-disaster-recovery/ - https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm - related-score: true + related-score: '' + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1491.001 + attack-object-name: Internal Defacement + capability-id: AWS CloudEndure Disaster Recovery + comments: AWS CloudEndure Disaster Recovery enables the replication and recovery + of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure + can be used to provision an instance of the server from a previous point in time + within minutes. As a result, this mapping is given a score of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1491 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1491.002 + attack-object-name: External Defacement + capability-id: AWS CloudEndure Disaster Recovery + comments: AWS CloudEndure Disaster Recovery enables the replication and recovery + of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure + can be used to provision an instance of the server from a previous point in time + within minutes. As a result, this mapping is given a score of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1491 score-category: Respond score-value: Significant tags: [] 
@@ -2141,7 +3690,35 @@ attack-objects: references: - https://aws.amazon.com/cloudendure-disaster-recovery/ - https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm - related-score: true + related-score: '' + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1561.001 + attack-object-name: Disk Content Wipe + capability-id: AWS CloudEndure Disaster Recovery + comments: AWS CloudEndure Disaster Recovery enables the replication and recovery + of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure + can be used to provision an instance of the server from a previous point in time + within minutes. As a result, this mapping is given a score of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1561 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1561.002 + attack-object-name: Disk Structure Wipe + capability-id: AWS CloudEndure Disaster Recovery + comments: AWS CloudEndure Disaster Recovery enables the replication and recovery + of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure + can be used to provision an instance of the server from a previous point in time + within minutes. As a result, this mapping is given a score of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1561 score-category: Respond score-value: Significant tags: [] @@ -2154,7 +3731,7 @@ attack-objects: references: - https://aws.amazon.com/cloudendure-disaster-recovery/ - https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: [] 
@@ -2167,11 +3744,38 @@ attack-objects: references: - https://aws.amazon.com/kms/ - https://docs.aws.amazon.com/kms/latest/developerguide/overview.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Credentials +- attack-object-id: T1552.001 + attack-object-name: Credentials In Files + capability-id: AWS Key Management Service + comments: This service provides a more secure alternative to storing encryption + keys in the file system. As a result of this service only supporting cryptographic + keys and not other types of credentials, the coverage score is assessed as Partial + resulting in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1552.004 + attack-object-name: Private Keys + capability-id: AWS Key Management Service + comments: This service allows for securely storing encryption keys and enforcing + fine-grained access to the keys. The service does not allow anyone access to retrieve + plaintext keys from the service. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1588 attack-object-name: Obtain Capabilities capability-id: AWS Key Management Service 
@@ -2181,11 +3785,37 @@ attack-objects: references: - https://aws.amazon.com/kms/ - https://docs.aws.amazon.com/kms/latest/developerguide/overview.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Credentials +- attack-object-id: T1588.003 + attack-object-name: Code Signing Certificates + capability-id: AWS Key Management Service + comments: The encryption key for the certificate can be stored in KMS, reducing + its attack surface. Score is capped at Partial because adversaries can still misuse + keys/certs if KMS and KMS resources are compromised. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1588 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1588.004 + attack-object-name: Digital Certificates + capability-id: AWS Key Management Service + comments: The encryption key for the certificate can be stored in KMS, reducing + its attack surface. Score is capped at Partial because adversaries can still misuse + keys/certs if KMS and KMS resources are compromised. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1588 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise capability-id: Amazon Inspector @@ -2195,7 +3825,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -2208,7 +3838,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] 
@@ -2221,7 +3851,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -2234,7 +3864,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -2247,7 +3877,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -2260,7 +3890,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -2273,7 +3903,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] 
@@ -2286,7 +3916,87 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Amazon Inspector + comments: The Amazon Inspector Best Practices assessment package can detect security + control settings related to authentication and password policies on Linux endpoints. + Specific security controls it can assess include "Disable password authentication + over SSH", "Configure password maximum age", "Configure password minimum length", + and "Configure password complexity" all of which impact the ability to brute force + a password. This information can be used identify insecure configurations and + harden the endpoints. Amazon Inspector does not directly protect against brute + force attacks. Given Amazon Inspector can only assess these security controls + on Linux platforms (although it also supports Windows), the coverage score is + Minimal leading to an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1110.002 + attack-object-name: Password Cracking + capability-id: Amazon Inspector + comments: The Amazon Inspector Best Practices assessment package can detect security + control settings related to authentication and password policies on Linux endpoints. + Specific security controls it can assess include "Disable password authentication + over SSH", "Configure password maximum age", "Configure password minimum length", + and "Configure password complexity" all of which impact the ability to brute force + a password. This information can be used identify insecure configurations and + harden the endpoints. 
Amazon Inspector does not directly protect against brute + force attacks. Given Amazon Inspector can only assess these security controls + on Linux platforms (although it also supports Windows), the coverage score is + Minimal leading to an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Amazon Inspector + comments: The Amazon Inspector Best Practices assessment package can detect security + control settings related to authentication and password policies on Linux endpoints. + Specific security controls it can assess include "Disable password authentication + over SSH", "Configure password maximum age", "Configure password minimum length", + and "Configure password complexity" all of which impact the ability to brute force + a password. This information can be used identify insecure configurations and + harden the endpoints. Amazon Inspector does not directly protect against brute + force attacks. Given Amazon Inspector can only assess these security controls + on Linux platforms (although it also supports Windows), the coverage score is + Minimal leading to an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Amazon Inspector + comments: The Amazon Inspector Best Practices assessment package can detect security + control settings related to authentication and password policies on Linux endpoints. 
+ Specific security controls it can assess include "Disable password authentication + over SSH", "Configure password maximum age", "Configure password minimum length", + and "Configure password complexity" all of which impact the ability to brute force + a password. This information can be used identify insecure configurations and + harden the endpoints. Amazon Inspector does not directly protect against brute + force attacks. Given Amazon Inspector can only assess these security controls + on Linux platforms (although it also supports Windows), the coverage score is + Minimal leading to an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 score-category: Protect score-value: Minimal tags: [] @@ -2299,7 +4009,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: [] 
@@ -2312,7 +4022,25 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: Amazon Inspector + comments: The Amazon Inspector Best Practices assessment package can detect a security + control setting related to remote service access on Linux endpoints. Specifically, + "Disable root login over SSH". This information can be used identify insecure + configurations and harden the endpoints. Amazon Inspector does not directly protect + against adversaries accessing remote services. Given Amazon Inspector can only + assess this security control on Linux platforms (although it also supports Windows) + and it only restricts access to remote services for one user account, the coverage + score is Minimal leading to an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 score-category: Protect score-value: Minimal tags: [] 
@@ -2325,10 +4053,27 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] +- attack-object-id: T1222.002 + attack-object-name: Linux and Mac File and Directory Permissions Modification + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this the score is capped at Partial. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1222 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses capability-id: Amazon Inspector 
@@ -2338,7 +4083,79 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1562.001 + attack-object-name: Disable or Modify Tools + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1562.003 + attack-object-name: Impair Command History Logging + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1562.004 + attack-object-name: Disable or Modify System Firewall + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1562.006 + attack-object-name: Indicator Blocking + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 score-category: Protect score-value: Minimal tags: [] 
@@ -2351,77 +4168,102 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1599 - attack-object-name: Network Boundary Bridging +- attack-object-id: T1070.002 + attack-object-name: Clear Linux or Mac System Logs capability-id: Amazon Inspector - comments: The CIS Benchmarks assessment package is considered out of scope because - a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + references: [] + related-score: T1070 score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1003 - attack-object-name: OS Credential Dumping +- attack-object-id: T1070.003 + attack-object-name: Clear Command History capability-id: Amazon Inspector - comments: The CIS Benchmarks assessment package is considered out of scope because - a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. 
+ comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + references: [] + related-score: T1070 score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1053 - attack-object-name: Scheduled Task/Job +- attack-object-id: T1070.004 + attack-object-name: File Deletion capability-id: Amazon Inspector - comments: The CIS Benchmarks assessment package is considered out of scope because - a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. 
' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + references: [] + related-score: T1070 score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1489 - attack-object-name: Service Stop +- attack-object-id: T1070.005 + attack-object-name: Network Share Connection Removal capability-id: Amazon Inspector - comments: The CIS Benchmarks assessment package is considered out of scope because - a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + references: [] + related-score: T1070 score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1529 - attack-object-name: System Shutdown/Reboot +- attack-object-id: T1070.006 + attack-object-name: Timestomp capability-id: Amazon Inspector - comments: The CIS Benchmarks assessment package is considered out of scope because - a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. 
+ comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + references: [] + related-score: T1070 score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1548 - attack-object-name: Abuse Elevation Control Mechanism +- attack-object-id: T1599 + attack-object-name: Network Boundary Bridging capability-id: Amazon Inspector comments: The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. 
@@ -2429,25 +4271,31 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1037 - attack-object-name: Boot or Logon Initialization Scripts +- attack-object-id: T1599.001 + attack-object-name: Network Address Translation Traversal capability-id: Amazon Inspector - comments: The CIS Benchmarks assessment package is considered out of scope because - a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Furthermore, Amazon Inspector only supports a subset of the sub-techniques for + this technique. Due to these things and the fact the security control is only + supported for Linux platforms, the score is Minimal. ' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + references: [] + related-score: T1599 score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1543 - attack-object-name: Create or Modify System Process +- attack-object-id: T1003 + attack-object-name: OS Credential Dumping capability-id: Amazon Inspector comments: The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. 
@@ -2455,25 +4303,48 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] -- attack-object-id: T1046 - attack-object-name: Network Service Scanning +- attack-object-id: T1003.007 + attack-object-name: Proc Filesystem capability-id: Amazon Inspector - comments: The CIS Benchmarks assessment package is considered out of scope because - a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: false + references: [] + related-score: T1003 score-category: Protect - score-value: Partial + score-value: Minimal tags: [] -- attack-object-id: T1595 - attack-object-name: Active Scanning +- attack-object-id: T1003.008 + attack-object-name: /etc/passwd and /etc/shadow + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. 
Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1003 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1053 + attack-object-name: Scheduled Task/Job capability-id: Amazon Inspector comments: The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. 
@@ -2481,11 +4352,240 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html - related-score: true + related-score: '' score-category: Protect - score-value: Partial + score-value: Minimal tags: [] -- attack-object-id: T1590 +- attack-object-id: T1053.001 + attack-object-name: At (Linux) + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1053.003 + attack-object-name: Cron + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1053.006 + attack-object-name: Systemd Timers + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1489 + attack-object-name: Service Stop + capability-id: Amazon Inspector + comments: The CIS Benchmarks assessment package is considered out of scope because + a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1529 + attack-object-name: System Shutdown/Reboot + capability-id: Amazon Inspector + comments: The CIS Benchmarks assessment package is considered out of scope because + a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. 
+ mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1548 + attack-object-name: Abuse Elevation Control Mechanism + capability-id: Amazon Inspector + comments: The CIS Benchmarks assessment package is considered out of scope because + a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1548.003 + attack-object-name: Sudo and Sudo Caching + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this and the fact the security control is only supported for Linux platforms, + the score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1548 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1037 + attack-object-name: Boot or Logon Initialization Scripts + capability-id: Amazon Inspector + comments: The CIS Benchmarks assessment package is considered out of scope because + a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. 
+ mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1037.004 + attack-object-name: RC Scripts + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this, the score is capped at Partial. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1037 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1543 + attack-object-name: Create or Modify System Process + capability-id: Amazon Inspector + comments: The CIS Benchmarks assessment package is considered out of scope because + a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html + related-score: '' + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1543.002 + attack-object-name: Systemd Service + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Best Practices assessment package can assess security + control "Configure permissions for system directories" that prevents privilege + escalation by local users and ensures only the root account can modify/execute + system configuration information and binaries. 
Amazon Inspector does not directly + protect against system modifications rather it just checks to see if security + controls are in place which can inform decisions around hardening the system. + Due to this, the score is capped at Partial. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1543 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1046 + attack-object-name: Network Service Scanning + capability-id: Amazon Inspector + comments: The CIS Benchmarks assessment package is considered out of scope because + a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html + related-score: '' + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1595 + attack-object-name: Active Scanning + capability-id: Amazon Inspector + comments: The CIS Benchmarks assessment package is considered out of scope because + a separate project will be responsible for mapping CIS Benchmarks and ATT&CK. + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html + related-score: '' + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1595.001 + attack-object-name: Scanning IP Blocks + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Network Reachability assessment package can assess + whether or not cloud/network components are vulnerable (e.g., publicly accessible + from the Internet). Amazon Inspector does not directly protect cloud/network components + rather reports on vulnerabilities that it identifies which can then be used to + securely configure the cloud/network components. Due to this, the score is capped + at Partial. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: Amazon Inspector + comments: 'The Amazon Inspector Network Reachability assessment package can assess + whether or not cloud/network components are vulnerable (e.g., publicly accessible + from the Internet). Amazon Inspector does not directly protect cloud/network components + rather reports on vulnerabilities that it identifies which can then be used to + securely configure the cloud/network components. Due to this, the score is capped + at Partial. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590 attack-object-name: Gather Victim Network Information capability-id: Amazon Virtual Private Cloud comments: 'The mappings contained in this file were based on Amazon''s "Security 
@@ -2497,11 +4597,71 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1590.001 + attack-object-name: Domain Properties + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can prevent + the gathering of victim network information via (active) scanning methods but + is not effective against other methods of gathering victim network information + such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage + score and an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.004 + attack-object-name: Network Topology + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can prevent + the gathering of victim network information via (active) scanning methods but + is not effective against other methods of gathering victim network information + such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage + score and an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.005 + attack-object-name: IP Addresses + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can prevent + the gathering of victim network information via (active) scanning methods but + is not effective against other methods of gathering victim network information + such as via Phishing or online databases (e.g. 
WHOIS) resulting in a Partial coverage + score and an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.006 + attack-object-name: Network Security Appliances + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can prevent + the gathering of victim network information via (active) scanning methods but + is not effective against other methods of gathering victim network information + such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage + score and an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1595 attack-object-name: Active Scanning capability-id: Amazon Virtual Private Cloud 
@@ -2514,11 +4674,43 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1595.001 + attack-object-name: Scanning IP Blocks + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict inbound traffic that can protect against active scanning techniques + such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection + is limited to known malicious IP addresses and domains and does not provide protection + from such attacks from unknown domains and IP addresses, this is scored as partial + coverage resulting in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict inbound traffic that can protect against active scanning techniques + such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection + is limited to known malicious IP addresses and domains and does not provide protection + from such attacks from unknown domains and IP addresses, this is scored as partial + coverage resulting in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services capability-id: Amazon Virtual Private Cloud 
@@ -2531,7 +4723,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2548,11 +4740,25 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1205.001 + attack-object-name: Port Knocking + capability-id: Amazon Virtual Private Cloud + comments: 'VPC security groups and network access control lists (NACLs) can protect + against this sub-technique by enforcing limited access to only required ports. Consequently, + even if the adversary is able to utilize port knocking to open additional ports + at the host level, it is still blocked at the security group or NACL level. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1205 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning capability-id: Amazon Virtual Private Cloud @@ -2565,7 +4771,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2582,7 +4788,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2599,7 +4805,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2616,7 +4822,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2633,7 +4839,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2650,7 +4856,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2667,11 +4873,68 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1048.001 + attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can limit + access to the minimum required ports and therefore protect against adversaries + attempting to exfiltrate data using a different protocol than that of the existing + command and control channel. In environments where unrestricted Internet access + is required, security groups and NACLs can still be used to block known malicious + endpoints. Because in such environments the protection is limited to known malicious + IP addresses and domains and does not provide protection from such attacks from + unknown domains and IP addresses, this is scored as partial coverage resulting + in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1048.002 + attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can limit + access to the minimum required ports and therefore protect against adversaries + attempting to exfiltrate data using a different protocol than that of the existing + command and control channel. In environments where unrestricted Internet access + is required, security groups and NACLs can still be used to block known malicious + endpoints. 
Because in such environments the protection is limited to known malicious + IP addresses and domains and does not provide protection from such attacks from + unknown domains and IP addresses, this is scored as partial coverage resulting + in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can limit + access to the minimum required ports and therefore protect against adversaries + attempting to exfiltrate data using a different protocol than that of the existing + command and control channel. In environments where unrestricted Internet access + is required, security groups and NACLs can still be used to block known malicious + endpoints. Because in such environments the protection is limited to known malicious + IP addresses and domains and does not provide protection from such attacks from + unknown domains and IP addresses, this is scored as partial coverage resulting + in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing capability-id: Amazon Virtual Private Cloud @@ -2684,7 +4947,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -2701,11 +4964,33 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Network +- attack-object-id: T1557.002 + attack-object-name: ARP Cache Poisoning + capability-id: Amazon Virtual Private Cloud + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1557 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1557.001 + attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay + capability-id: Amazon Virtual Private Cloud + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1557 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation capability-id: Amazon Virtual Private Cloud @@ -2718,11 +5003,22 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1565.002 + attack-object-name: Transmitted Data Manipulation + capability-id: Amazon Virtual Private Cloud + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1199 attack-object-name: Trusted Relationship capability-id: Amazon Virtual Private Cloud @@ -2735,7 +5031,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2752,11 +5048,33 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1602.002 + attack-object-name: Network Device Configuration Dump + capability-id: Amazon Virtual Private Cloud + comments: Can limit access to client management interfaces or configuration databases. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1602 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1602.001 + attack-object-name: SNMP (MIB Dump) + capability-id: Amazon Virtual Private Cloud + comments: Can limit access to client management interfaces or configuration databases. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1602 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot capability-id: Amazon Virtual Private Cloud @@ -2769,11 +5087,24 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Network +- attack-object-id: T1542.005 + attack-object-name: TFTP Boot + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict clients to connecting (and therefore booting) from only trusted network + resources. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1542 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services capability-id: Amazon Virtual Private Cloud 
@@ -2786,7 +5117,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2803,11 +5134,101 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1021.006 + attack-object-name: Windows Remote Management + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict direct access to remote services to trusted networks. This mitigates + even an adversary with a valid account from accessing resources. This can be circumvented + though if an adversary is able to compromise a trusted host and move laterally + to a protected network. This results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.005 + attack-object-name: VNC + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict direct access to remote services to trusted networks. This mitigates + even an adversary with a valid account from accessing resources. This can be circumvented + though if an adversary is able to compromise a trusted host and move laterally + to a protected network. This results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict direct access to remote services to trusted networks. This mitigates + even an adversary with a valid account from accessing resources. 
This can be circumvented + though if an adversary is able to compromise a trusted host and move laterally + to a protected network. This results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.003 + attack-object-name: Distributed Component Object Model + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict direct access to remote services to trusted networks. This mitigates + even an adversary with a valid account from accessing resources. This can be circumvented + though if an adversary is able to compromise a trusted host and move laterally + to a protected network. This results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.002 + attack-object-name: SMB/Windows Admin Shares + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict direct access to remote services to trusted networks. This mitigates + even an adversary with a valid account from accessing resources. This can be circumvented + though if an adversary is able to compromise a trusted host and move laterally + to a protected network. This results in an overall partial (coverage) score. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.001 + attack-object-name: Remote Desktop Protocol + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict direct access to remote services to trusted networks. This mitigates + even an adversary with a valid account from accessing resources. This can be circumvented + though if an adversary is able to compromise a trusted host and move laterally + to a protected network. This results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools capability-id: Amazon Virtual Private Cloud @@ -2820,7 +5241,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2837,7 +5258,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2854,7 +5275,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -2871,11 +5292,50 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Network +- attack-object-id: T1499.003 + attack-object-name: Application Exhaustion Flood + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict access to endpoints but will prove effective at mitigating only low-end + DOS attacks resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1499.002 + attack-object-name: Service Exhaustion Flood + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict access to endpoints but will prove effective at mitigating only low-end + DOS attacks resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can be used + to restrict access to endpoints but will prove effective at mitigating only low-end + DOS attacks resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer capability-id: Amazon Virtual Private Cloud 
@@ -2888,7 +5348,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2905,11 +5365,50 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/vpc/latest/userguide/security.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1090.003 + attack-object-name: Multi-hop Proxy + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can restrict + access between systems, enclaves, and workloads thereby mitigating these proxy + related sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1090.002 + attack-object-name: External Proxy + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can restrict + access between systems, enclaves, and workloads thereby mitigating these proxy + related sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1090.001 + attack-object-name: Internal Proxy + capability-id: Amazon Virtual Private Cloud + comments: VPC security groups and network access control lists (NACLs) can restrict + access between systems, enclaves, and workloads thereby mitigating these proxy + related sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Amazon Cognito 
@@ -2920,11 +5419,28 @@ attack-objects: - https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Identity +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Amazon Cognito + comments: Amazon Cognito has the ability to alert and block accounts where credentials + were found to be compromised elsewhere (compromised credential protection). The + service also detects unusual sign-in activity, such as sign-in attempts from new + locations and devices and can either prompt users for additional verification + or block the sign-in request. There was insufficient detail on the operation + of these capabilities and therefore a conservative assessment of a Partial score + has been assigned. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Amazon Cognito 
@@ -2935,11 +5451,63 @@ attack-objects: - https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Identity +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Amazon Cognito + comments: MFA can significantly reduce the impact of a password compromise, requiring + the adversary to complete an additional authentication method before their access + is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.002 + attack-object-name: Password Cracking + capability-id: Amazon Cognito + comments: MFA can significantly reduce the impact of a password compromise, requiring + the adversary to complete an additional authentication method before their access + is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Amazon Cognito + comments: MFA can significantly reduce the impact of a password compromise, requiring + the adversary to complete an additional authentication method before their access + is permitted. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Amazon Cognito + comments: MFA can significantly reduce the impact of a password compromise, requiring + the adversary to complete an additional authentication method before their access + is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: AWS Web Application Firewall @@ -2951,7 +5519,7 @@ attack-objects: - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html - https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2967,7 +5535,7 @@ attack-objects: - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html - https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2983,7 +5551,7 @@ attack-objects: - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html - https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -2999,11 +5567,74 @@ attack-objects: - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html - https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1059.001 + attack-object-name: PowerShell + capability-id: AWS Web Application Firewall + comments: 'The AWS WAF protects web applications from injection attacks that leverage + command and scripting interpreters. AWS WAF provides this protection via the following + rule sets that block malicious traffic across a variety of operating systems and + applications. + + AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet + AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet + + This is given a score of Significant because it provides protections for PowerShell, + Unix, and JavaScript command and scripting interpreters by blocking the malicious + content in near real-time.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1059.004 + attack-object-name: Unix Shell + capability-id: AWS Web Application Firewall + comments: 'The AWS WAF protects web applications from injection attacks that leverage + command and scripting interpreters. AWS WAF provides this protection via the following + rule sets that block malicious traffic across a variety of operating systems and + applications. 
+ + AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet + AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet + + This is given a score of Significant because it provides protections for PowerShell, + Unix, and JavaScript command and scripting interpreters by blocking the malicious + content in near real-time.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1059.007 + attack-object-name: JavaScript + capability-id: AWS Web Application Firewall + comments: 'The AWS WAF protects web applications from injection attacks that leverage + command and scripting interpreters. AWS WAF provides this protection via the following + rule sets that block malicious traffic across a variety of operating systems and + applications. + + AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet + AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet + + This is given a score of Significant because it provides protections for PowerShell, + Unix, and JavaScript command and scripting interpreters by blocking the malicious + content in near real-time.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1090 attack-object-name: Proxy capability-id: AWS Web Application Firewall 
@@ -3015,11 +5646,53 @@ attack-objects: - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html - https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1090.002 + attack-object-name: External Proxy + capability-id: AWS Web Application Firewall + comments: 'The AWS WAF protects web applications from access by adversaries that + leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). + AWS WAF provides this protection via the following rule set that blocks incoming + traffic from IP addresses known to anonymize connection information or be less + likely to source end user traffic. + + AWSManagedRulesAnonymousIpList + + This is given a score of Partial because it provide protections for only a subset + of the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, + it blocks the malicious content in near real-time.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1090.003 + attack-object-name: Multi-hop Proxy + capability-id: AWS Web Application Firewall + comments: 'The AWS WAF protects web applications from access by adversaries that + leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). + AWS WAF provides this protection via the following rule set that blocks incoming + traffic from IP addresses known to anonymize connection information or be less + likely to source end user traffic. + + AWSManagedRulesAnonymousIpList + + This is given a score of Partial because it provide protections for only a subset + of the sub-techniques (2 out of 4) and is based only on known IP addresses. 
Furthermore, + it blocks the malicious content in near real-time.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1595 attack-object-name: Active Scanning capability-id: AWS Web Application Firewall 
@@ -3031,11 +5704,51 @@ attack-objects: - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html - https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html - related-score: true + related-score: '' + score-category: Protect + score-value: Partial + tags: + - Network +- attack-object-id: T1595.001 + attack-object-name: Scanning IP Blocks + capability-id: AWS Web Application Firewall + comments: 'AWS WAF protects against bots that run scans against web applications + such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) + among others. AWS WAF does this by blocking malicious traffic that indicate bad + bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the + following rule sets to provide this protection. + + AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet + + This is scored as Partial because the rule sets, while they block malicious traffic in + near real-time, only protect web applications against scans performed by bots.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: AWS Web Application Firewall + comments: 'AWS WAF protects against bots that run scans against web applications + such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) + among others. AWS WAF does this by blocking malicious traffic that indicate bad + bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the + following rule sets to provide this protection. 
+ + AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet + + This is scored as Partial because the rule sets, while they block malicious traffic in + near real-time, only protect web applications against scans performed by bots.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 score-category: Protect score-value: Partial - tags: - - Network + tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning capability-id: AWS Web Application Firewall @@ -3047,7 +5760,7 @@ attack-objects: - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html - https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3063,11 +5776,30 @@ attack-objects: - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html - https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Network +- attack-object-id: T1071.001 + attack-object-name: Web Protocols + capability-id: AWS Web Application Firewall + comments: 'AWS WAF protects against this by inspecting incoming requests and blocking + malicious traffic. AWS WAF uses the following rule sets to provide this protection. + + AWSManagedRulesCommonRuleSet AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet AWSManagedRulesSQLiRuleSet + AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet + AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet + + This is scored as Minimal because the rule sets only protect against the web protocols + sub-technique.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1496 attack-object-name: Resource Hijacking capability-id: AWS CloudWatch @@ -3076,7 +5808,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -3089,7 +5821,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -3102,7 +5834,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -3127,7 +5859,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -3151,7 +5883,83 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1592.001 + attack-object-name: Hardware + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1592 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1592.002 + attack-object-name: Software + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1592 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1592.003 + attack-object-name: Firmware + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1592 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1592.004 + attack-object-name: Client Configurations + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1592 score-category: Detect score-value: Minimal tags: [] 
@@ -3175,7 +5983,64 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1589.001 + attack-object-name: Credentials + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1589 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1589.002 + attack-object-name: Email Addresses + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1589 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1589.003 + attack-object-name: Employee Names + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1589 score-category: Detect score-value: Minimal tags: [] 
@@ -3199,7 +6064,121 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1590.001 + attack-object-name: Domain Properties + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1590.002 + attack-object-name: DNS + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1590.003 + attack-object-name: Network Trust Dependencies + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1590.004 + attack-object-name: Network Topology + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1590.005 + attack-object-name: IP Addresses + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1590.006 + attack-object-name: Network Security Appliances + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 score-category: Detect score-value: Minimal tags: [] 
@@ -3223,7 +6202,83 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1591.001 + attack-object-name: Determine Physical Locations + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1591 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1591.002 + attack-object-name: Business Relationships + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1591 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1591.003 + attack-object-name: Identify Business Tempo + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1591 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1591.004 + attack-object-name: Identify Roles + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects improperly secured data from S3 buckets such + as public read and write access that may result in an adversary getting access + to information that could be used during targeting. AWS Security Hub provides + these detections with the following managed insights. + + S3 buckets with public write or read permissions S3 buckets with sensitive data + + This is scored as Minimal because S3 only represents one of many available sources + of information that an adversary could use for targeting. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1591 score-category: Detect score-value: Minimal tags: [] 
@@ -3247,7 +6302,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -3271,10 +6326,46 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: [] +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: AWS Security Hub + comments: 'AWS Security Hub detects suspicious activity by AWS accounts which could + indicate valid accounts being leveraged by an adversary. AWS Security Hub provides + these detections with the following managed insights. + + AWS principals with suspicious access key activity Credentials that may have leaked + AWS resources with unauthorized access attempts IAM users with suspicious activity + + AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and + PCI-DSS security standard that, if implemented, would help towards detecting + the misuse of valid accounts. AWS Security Hub provides these detections with + the following checks. + + 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 + Ensure a log metric filter and alarm exist for Management Console sign-in without + MFA 3.3 Ensure a log metric filter and alarm exist for usage of "root" account 3.4 + Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a + log metric filter and alarm exist for AWS Management Console authentication failures + [PCI.CW.1] A log metric filter and alarm should exist for usage of the "root" + user + + By monitoring the root account, activity where accounts make unauthorized API + calls, and changes to IAM permissions among other things, it may be possible + to detect valid accounts that are being misused and are potentially compromised. + + This is scored as Significant because it reports on suspicious activity by AWS + accounts. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: AWS Security Hub @@ -3295,7 +6386,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -3319,7 +6410,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -3343,7 +6434,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -3367,7 +6458,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -3391,7 +6482,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -3415,7 +6506,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -3439,7 +6530,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -3463,10 +6554,26 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: [] +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: AWS Security Hub + comments: "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark\ + \ that, if implemented, would help towards detecting the manipulation of accounts.\ + \ AWS Security Hub provides this detection with the following check.\n3.4 Ensure\ + \ a log metric filter and alarm exist for IAM policy changes \nThis is scored\ + \ as Significant because it can monitor all changes to IAM policy which can be\ + \ used to detect any changes made to accounts. " + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses capability-id: AWS Security Hub 
@@ -3487,10 +6594,85 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: [] +- attack-object-id: T1562.008 + attack-object-name: Disable Cloud Logs + capability-id: AWS Security Hub + comments: 'AWS Security Hub performs checks from the AWS Foundations CIS Benchmark + that, if implemented, would help towards detecting changes to key AWS services. + AWS Security Hub provides these detections with the following checks. + + 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes + 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes + 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 + Ensure a log metric filter and alarm exist for changes to Network Access Control + Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network + gateways 3.13 Ensure a log metric filter and alarm exist for route table changes + 3.14 Ensure a log metric filter and alarm exist for VPC changes + + This is scored as Significant because it can detect when changes are made to key + AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or + other configuration changes are made. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1562.001 + attack-object-name: Disable or Modify Tools + capability-id: AWS Security Hub + comments: 'AWS Security Hub performs checks from the AWS Foundations CIS Benchmark + that, if implemented, would help towards detecting changes to key AWS services. + AWS Security Hub provides these detections with the following checks. 
+ + 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes + 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes + 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 + Ensure a log metric filter and alarm exist for changes to Network Access Control + Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network + gateways 3.13 Ensure a log metric filter and alarm exist for route table changes + 3.14 Ensure a log metric filter and alarm exist for VPC changes + + This is scored as Significant because it can detect when changes are made to key + AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or + other configuration changes are made. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1562.007 + attack-object-name: Disable or Modify Cloud Firewall + capability-id: AWS Security Hub + comments: 'AWS Security Hub performs checks from the AWS Foundations CIS Benchmark + that, if implemented, would help towards detecting changes to key AWS services. + AWS Security Hub provides these detections with the following checks. 
+ + 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes + 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes + 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 + Ensure a log metric filter and alarm exist for changes to Network Access Control + Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network + gateways 3.13 Ensure a log metric filter and alarm exist for route table changes + 3.14 Ensure a log metric filter and alarm exist for VPC changes + + This is scored as Significant because it can detect when changes are made to key + AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or + other configuration changes are made. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: AWS Security Hub 
@@ -3511,7 +6693,67 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: AWS Security Hub + comments: 'AWS Security Hub performs a check from the AWS Foundations CIS Benchmark + that, if implemented, would help towards detecting the brute forcing of accounts. + AWS Security Hub provides this detection with the following checks. + + 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication + failures + + This is scored as Minimal because it only applies to the AWS Management Console + and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does + not detect brute-forcing methods for other components such as EC2 instances. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: AWS Security Hub + comments: 'AWS Security Hub performs a check from the AWS Foundations CIS Benchmark + that, if implemented, would help towards detecting the brute forcing of accounts. + AWS Security Hub provides this detection with the following checks. + + 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication + failures + + This is scored as Minimal because it only applies to the AWS Management Console + and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does + not detect brute-forcing methods for other components such as EC2 instances. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: AWS Security Hub + comments: 'AWS Security Hub performs a check from the AWS Foundations CIS Benchmark + that, if implemented, would help towards detecting the brute forcing of accounts. + AWS Security Hub provides this detection with the following checks. + + 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication + failures + + This is scored as Minimal because it only applies to the AWS Management Console + and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does + not detect brute-forcing methods for other components such as EC2 instances. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 score-category: Detect score-value: Minimal tags: [] @@ -3535,7 +6777,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: [] @@ -3547,7 +6789,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/iam/index.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3561,12 +6803,40 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/iam/index.html - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Identity - Credentials +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: AWS Identity and Access Management + comments: This control may mitigate the impact of compromised valid accounts by + enabling fine-grained access policies and implementing least-privilege policies. + MFA can provide protection against an adversary that obtains valid credentials + by requiring the adversary to complete an additional authentication process before + access is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: AWS Identity and Access Management + comments: The Access Analyzer tool may detect when an external entity has been granted + access to cloud resources through use of access policies. This tool will scan + upon any change to access policies or periodically within 24 hours. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation capability-id: AWS Identity and Access Management 
@@ -3575,12 +6845,25 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/iam/index.html - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Identity - Credentials +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: AWS Identity and Access Management + comments: The Access Analyzer tool may detect when an external entity has been granted + access to cloud resources through use of access policies. This tool will scan + upon any change to access policies or periodically within 24 hours. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material capability-id: AWS Identity and Access Management 
@@ -3589,26 +6872,82 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/iam/index.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Identity - Credentials +- attack-object-id: T1550.001 + attack-object-name: Application Access Token + capability-id: AWS Identity and Access Management + comments: 'This control may mitigate against application access token theft if the + application is configured to retrieve temporary security credentials using an + IAM role. This recommendation is a best practice for IAM but must be explicitly + implemented by the application developer. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1550 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: AWS Identity and Access Management - comments: '' + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.aws.amazon.com/iam/index.html + related-score: '' + score-category: Protect + score-value: Significant + tags: + - Identity + - Credentials +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: AWS Identity and Access Management + comments: This control may mitigate brute force attacks by enforcing multi-factor + authentication, enforcing strong password policies, and rotating credentials periodically. + These recommendations are IAM best practices but must be explicitly implemented + by a cloud administrator. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: AWS Identity and Access Management + comments: This control may mitigate brute force attacks by enforcing multi-factor + authentication, enforcing strong password policies, and rotating credentials periodically. + These recommendations are IAM best practices but must be explicitly implemented + by a cloud administrator. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: AWS Identity and Access Management + comments: This control may mitigate brute force attacks by enforcing multi-factor + authentication, enforcing strong password policies, and rotating credentials periodically. + These recommendations are IAM best practices but must be explicitly implemented + by a cloud administrator. mapping-description: '' mapping-type: technique-scores - references: - - https://docs.aws.amazon.com/iam/index.html - related-score: true + references: [] + related-score: T1110 score-category: Protect score-value: Significant - tags: - - Identity - - Credentials + tags: [] - attack-object-id: T1528 attack-object-name: Steal Application Access Token capability-id: AWS Identity and Access Management @@ -3617,7 +6956,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/iam/index.html - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -3632,7 +6971,7 @@ attack-objects: references: - https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html - https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -3646,7 +6985,7 @@ attack-objects: references: - https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html - https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -3660,7 +6999,7 @@ attack-objects: references: - https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html - https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3674,11 +7013,56 @@ attack-objects: references: - https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html - https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Credentials +- attack-object-id: T1552.001 + attack-object-name: Credentials In Files + capability-id: AWS Secrets Manager + comments: This control may prevent harvesting of unsecured credentials by removing + credentials and secrets from applications and configuration files and requiring + authenticated API calls to retrieve those credentials and secrets. This control + is relevant for credentials stored in applications or configuration files but + not credentials entered directly by a user. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1552.002 + attack-object-name: Credentials in Registry + capability-id: AWS Secrets Manager + comments: This control may prevent harvesting of unsecured credentials by removing + credentials and secrets from applications and configuration files and requiring + authenticated API calls to retrieve those credentials and secrets. This control + is relevant for credentials stored in applications or configuration files but + not credentials entered directly by a user. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1552.004 + attack-object-name: Private Keys + capability-id: AWS Secrets Manager + comments: This control may prevent harvesting of unsecured credentials by removing + credentials and secrets from applications and configuration files and requiring + authenticated API calls to retrieve those credentials and secrets. 
This control + is relevant for credentials stored in applications or configuration files but + not credentials entered directly by a user. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol capability-id: AWS Network Firewall 
@@ -3687,11 +7071,71 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Network +- attack-object-id: T1071.001 + attack-object-name: Web Protocols + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block malicious or unwanted traffic + leveraging application layer protocols. As a result, this mapping is given a score + of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1071.002 + attack-object-name: File Transfer Protocols + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block malicious or unwanted traffic + leveraging application layer protocols. As a result, this mapping is given a score + of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1071.003 + attack-object-name: Mail Protocols + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block malicious or unwanted traffic + leveraging application layer protocols. As a result, this mapping is given a score + of Significant. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block malicious or unwanted traffic + leveraging application layer protocols. As a result, this mapping is given a score + of Significant. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object capability-id: AWS Network Firewall @@ -3700,7 +7144,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3713,11 +7157,68 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block adversaries from carrying out + denial of service attacks by implementing restrictions on which IP addresses and + domains can access the resources (e.g., allow lists) as well as which protocol + traffic is permitted. That is, the AWS Network Firewall could block the source + of the denial of service attack. This mapping is given a score of Partial because + the source of the attack would have to be known before rules could be put in place + to protect against it. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1499.002 + attack-object-name: Service Exhaustion Flood + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block adversaries from carrying out + denial of service attacks by implementing restrictions on which IP addresses and + domains can access the resources (e.g., allow lists) as well as which protocol + traffic is permitted. That is, the AWS Network Firewall could block the source + of the denial of service attack. 
This mapping is given a score of Partial because + the source of the attack would have to be known before rules could be put in place + to protect against it. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1499.003 + attack-object-name: Application Exhaustion Flood + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block adversaries from carrying out + denial of service attacks by implementing restrictions on which IP addresses and + domains can access the resources (e.g., allow lists) as well as which protocol + traffic is permitted. That is, the AWS Network Firewall could block the source + of the denial of service attack. This mapping is given a score of Partial because + the source of the attack would have to be known before rules could be put in place + to protect against it. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol capability-id: AWS Network Firewall 
@@ -3726,11 +7227,65 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1048.002 + attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block adversaries from accessing resources + from which to exfiltrate data as well as prevent resources from communicating + with known-bad IP addresses and domains that might be used to receive exfiltrated + data. This mapping is given a score of Partial because the known-bad IP addresses + and domains would need to be known in advance and AWS Network Firewall wouldn''t + have deep packet inspection visibility into encrypted non-C2 protocols. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1048.001 + attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block adversaries from accessing resources + from which to exfiltrate data as well as prevent resources from communicating + with known-bad IP addresses and domains that might be used to receive exfiltrated + data. 
This mapping is given a score of Partial because the known-bad IP addresses + and domains would need to be known in advance and AWS Network Firewall wouldn''t + have deep packet inspection visibility into encrypted non-C2 protocols. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block adversaries from accessing resources + from which to exfiltrate data as well as prevent resources from communicating + with known-bad IP addresses and domains that might be used to receive exfiltrated + data. This mapping is given a score of Partial because the known-bad IP addresses + and domains would need to be known in advance and AWS Network Firewall wouldn''t + have deep packet inspection visibility into encrypted non-C2 protocols. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1187 attack-object-name: Forced Authentication capability-id: AWS Network Firewall @@ -3739,7 +7294,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
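Review bot: The comment added under `T1048.003` (Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol) is the same text as for `T1048.001` and `T1048.002`, so its justification for Partial ends with the firewall lacking deep packet inspection visibility into encrypted non-C2 protocols, which is not the limiting factor for the unencrypted sub-technique. Someone reading this row for coverage decisions gets a rationale that does not match the technique. I would end that comment at `domains would need to be known in advance.`, and if the text is copied from the parent mapping by the parser, make the correction in the source mapping rather than in this expected-output file.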
@@ -3752,11 +7307,43 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Network +- attack-object-id: T1498.001 + attack-object-name: Direct Network Flood + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block the sources of smaller-scale + network denial of service attacks. This mapping is given a score of Minimal because + often times it is necessary to block the traffic at an Internet Service Provider + or Content Provider Network level. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1498.002 + attack-object-name: Reflection Amplification + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block the sources of smaller-scale + network denial of service attacks. This mapping is given a score of Minimal because + often times it is necessary to block the traffic at an Internet Service Provider + or Content Provider Network level. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1095 attack-object-name: Non-Application Layer Protocol capability-id: AWS Network Firewall 
@@ -3765,7 +7352,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -3778,7 +7365,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3791,11 +7378,43 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1090.002 + attack-object-name: External Proxy + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block traffic from known bad IP addresses + and to known bad domains that serve as proxies for adversaries. This mapping is + given a score of partial because it only blocks known bad IP addresses and domains + and does not protect against unknown ones. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1090.003 + attack-object-name: Multi-hop Proxy + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block traffic from known bad IP addresses + and to known bad domains that serve as proxies for adversaries. This mapping is + given a score of partial because it only blocks known bad IP addresses and domains + and does not protect against unknown ones. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software capability-id: AWS Network Firewall 
@@ -3804,7 +7423,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3817,11 +7436,96 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1021.001 + attack-object-name: Remote Desktop Protocol + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to only allow remote services from trusted + hosts (i.e., only allow remote access traffic from certain hosts). This mapping + is given a score of Partial because even though it can restrict remote services + traffic from untrusted hosts, it cannot protect against an adversary using a trusted + host that is permitted to use remote services as part of an attack. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.002 + attack-object-name: SMB/Windows Admin Shares + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to only allow remote services from trusted + hosts (i.e., only allow remote access traffic from certain hosts). This mapping + is given a score of Partial because even though it can restrict remote services + traffic from untrusted hosts, it cannot protect against an adversary using a trusted + host that is permitted to use remote services as part of an attack. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to only allow remote services from trusted + hosts (i.e., only allow remote access traffic from certain hosts). This mapping + is given a score of Partial because even though it can restrict remote services + traffic from untrusted hosts, it cannot protect against an adversary using a trusted + host that is permitted to use remote services as part of an attack. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.005 + attack-object-name: VNC + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to only allow remote services from trusted + hosts (i.e., only allow remote access traffic from certain hosts). This mapping + is given a score of Partial because even though it can restrict remote services + traffic from untrusted hosts, it cannot protect against an adversary using a trusted + host that is permitted to use remote services as part of an attack. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.006 + attack-object-name: Windows Remote Management + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to only allow remote services from trusted + hosts (i.e., only allow remote access traffic from certain hosts). This mapping + is given a score of Partial because even though it can restrict remote services + traffic from untrusted hosts, it cannot protect against an adversary using a trusted + host that is permitted to use remote services as part of an attack. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1205 attack-object-name: Traffic Signaling capability-id: AWS Network Firewall 
@@ -3830,11 +7534,28 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1205.001 + attack-object-name: Port Knocking + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block traffic to unused ports from + reaching hosts on the network which may help protect against port knocking from + external systems. This mapping is given a score of partial because the AWS Network + Firewall does not do anything to protect against port knocking among hosts within + the network and behind the firewall. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1205 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1008 attack-object-name: Fallback Channels capability-id: AWS Network Firewall @@ -3843,7 +7564,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -3856,7 +7577,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3869,7 +7590,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3882,11 +7603,45 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1595.001 + attack-object-name: Scanning IP Blocks + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to restrict access to the endpoints within + the virtual private cloud and protect against active scanning. This mapping is + given a score of Partial because it only protects against active scanning attacks + that originate from outside the firewall and not from within network protected + by the firewall. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to restrict access to the endpoints within + the virtual private cloud and protect against active scanning. This mapping is + given a score of Partial because it only protects against active scanning attacks + that originate from outside the firewall and not from within network protected + by the firewall. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1571 attack-object-name: Non-Standard Port capability-id: AWS Network Firewall 
@@ -3895,7 +7650,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -3908,11 +7663,27 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Network +- attack-object-id: T1542.005 + attack-object-name: TFTP Boot + capability-id: AWS Network Firewall + comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to block traffic over known TFTP ports. + This mapping is given a score of Partial because AWS Network Firewall does not + do anything to protect against TFTP booting among hosts within the network and + behind the firewall. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1542 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel capability-id: AWS Network Firewall @@ -3921,7 +7692,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -3934,7 +7705,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3947,7 +7718,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -3960,11 +7731,79 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1590.001 + attack-object-name: Domain Properties + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to restrict access to the endpoints within + the virtual private cloud and protect against adversaries gathering information + about the network. This mapping is given a score of Partial because it only protects + against attempts to gather information via scanning that originate from outside + the firewall and it does not protect against phishing. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.004 + attack-object-name: Network Topology + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to restrict access to the endpoints within + the virtual private cloud and protect against adversaries gathering information + about the network. This mapping is given a score of Partial because it only protects + against attempts to gather information via scanning that originate from outside + the firewall and it does not protect against phishing. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.005 + attack-object-name: IP Addresses + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to restrict access to the endpoints within + the virtual private cloud and protect against adversaries gathering information + about the network. This mapping is given a score of Partial because it only protects + against attempts to gather information via scanning that originate from outside + the firewall and it does not protect against phishing. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.006 + attack-object-name: Network Security Appliances + capability-id: AWS Network Firewall + comments: 'AWS Network Firewall has the ability to pass, drop, or alert on traffic + based on the network protocol as well as perform deep packet inspection on the + payload. This functionality can be used to restrict access to the endpoints within + the virtual private cloud and protect against adversaries gathering information + about the network. This mapping is given a score of Partial because it only protects + against attempts to gather information via scanning that originate from outside + the firewall and it does not protect against phishing. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: AWS Single Sign-On 
@@ -3973,12 +7812,44 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Identity - Credentials +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: AWS Single Sign-On + comments: This control may protect against malicious use of valid accounts by implementing + fine grained and least privilege access through use of permission sets (a collection + of administrator-defined policies that AWS SSO uses to determine a user's effective + permissions to access a given AWS account). The ability to reduce the set of credentials + and accounts needed for a user allows for simpler and safer access and privilege + management. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1078.002 + attack-object-name: Domain Accounts + capability-id: AWS Single Sign-On + comments: This control may protect against malicious use of valid accounts by implementing + fine grained and least privilege access through use of permission sets (a collection + of administrator-defined policies that AWS SSO uses to determine a user's effective + permissions to access a given AWS account). The ability to reduce the set of credentials + and accounts needed for a user allows for simpler and safer access and privilege + management. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services capability-id: AWS Single Sign-On 
@@ -3987,7 +7858,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -4001,12 +7872,51 @@ attack-objects: mapping-type: technique-scores references: - https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Identity - Credentials +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: AWS Single Sign-On + comments: This control may protect against brute force techniques by enabling multi-factor + authentication. All accounts that can be replace with single sign-on can benefit + from a unified multi-factor authentication requirement. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: AWS Single Sign-On + comments: This control may protect against brute force techniques by enabling multi-factor + authentication. All accounts that can be replace with single sign-on can benefit + from a unified multi-factor authentication requirement. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: AWS Single Sign-On + comments: This control may protect against brute force techniques by enabling multi-factor + authentication. All accounts that can be replace with single sign-on can benefit + from a unified multi-factor authentication requirement. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials capability-id: AWS CloudHSM 
@@ -4017,11 +7927,38 @@ attack-objects: - https://aws.amazon.com/cloudhsm/ - https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html - https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Credentials +- attack-object-id: T1552.001 + attack-object-name: Credentials In Files + capability-id: AWS CloudHSM + comments: This service provides a more secure alternative to storing encryption + keys in the file system. As a result of this service only supporting cryptographic + keys and not other types of credentials, the coverage score is assessed as Partial + resulting in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1552.004 + attack-object-name: Private Keys + capability-id: AWS CloudHSM + comments: This service allows for securely storing encryption keys and enforcing + fine-grained access to the keys. The service does not allow anyone access to retrieve + plaintext keys from the service. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1588 attack-object-name: Obtain Capabilities capability-id: AWS CloudHSM 
@@ -4032,11 +7969,35 @@ attack-objects: - https://aws.amazon.com/cloudhsm/ - https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html - https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Credentials +- attack-object-id: T1588.004 + attack-object-name: Digital Certificates + capability-id: AWS CloudHSM + comments: Certificate credentials can be stored in AWS CloudHSM which reduces the + attack surface and threat from these sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1588 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1588.003 + attack-object-name: Code Signing Certificates + capability-id: AWS CloudHSM + comments: Certificate credentials can be stored in AWS CloudHSM which reduces the + attack surface and threat from these sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1588 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls capability-id: AWS CloudHSM 
@@ -4047,11 +8008,35 @@ attack-objects: - https://aws.amazon.com/cloudhsm/ - https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html - https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Credentials +- attack-object-id: T1553.004 + attack-object-name: Install Root Certificate + capability-id: AWS CloudHSM + comments: Use cases in documentation show that certificate credentials can be stored + in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1553 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1553.002 + attack-object-name: Code Signing + capability-id: AWS CloudHSM + comments: Use cases in documentation show that certificate credentials can be stored + in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1553 + score-category: Protect + score-value: Partial + tags: [] metadata: attack-version: 9 author: '' diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_attack-objects.csv b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_attack-objects.csv index 4c5c7080..3c5d541e 100644 --- a/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_attack-objects.csv +++ b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_attack-objects.csv 
@@ -1,455 +1,821 @@ ,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,score-category,score-value,related-score,metadata_key -0,,T1040,Network Sniffing,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,False,2 -1,,T1565,Data Manipulation,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,True,2 -2,,T1565,Data Manipulation,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,True,2 -3,,T1557,Man-in-the-Middle,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,False,2 -4,,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,False,2 -5,,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,False,2 -6,,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,False,2 -7,,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,False,2 -8,,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,False,2 -9,,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,False,2 -10,,T1485,Data 
Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,False,2 -11,,T1486,Data Encrypted for Impact,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,False,2 -12,,T1490,Inhibit System Recovery,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,False,2 -13,,T1490,Inhibit System Recovery,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,False,2 -14,,T1561,Disk Wipe,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Minimal,True,2 -15,,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,False,2 -16,,T1529,System Shutdown/Reboot,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,False,2 -17,,T1489,Service Stop,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,False,2 -18,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1020,Automated Exfiltration,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,True,2 -19,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1040,Network Sniffing,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 -20,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1053,Scheduled Task/Job,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,True,2 -21,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1068,Exploitation for Privilege Escalation,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 -22,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1078,Valid Accounts,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,True,2 -23,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1098,Account Manipulation,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,True,2 +0,,T1040,Network Sniffing,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,,2 +1,,T1565,Data Manipulation,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,,2 +2,,T1565,Data Manipulation,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +3,"AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant.",T1565.001,Stored Data Manipulation,[],[],,AWS RDS,technique-scores,Protect,Significant,T1565,2 +4,"AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.",T1565.001,Stored Data Manipulation,[],[],,AWS RDS,technique-scores,Respond,Significant,T1565,2 +5,"AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. 
As a result, this mapping is given a score of Significant.",T1565.002,Transmitted Data Manipulation,[],[],,AWS RDS,technique-scores,Protect,Significant,T1565,2 +6,"AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.",T1565.002,Transmitted Data Manipulation,[],[],,AWS RDS,technique-scores,Respond,Significant,T1565,2 +7,,T1557,Man-in-the-Middle,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,,2 +8,,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,,2 +9,,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +10,,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,,2 +11,,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +12,,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,,2 +13,,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,,2 +14,,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +15,,T1486,Data Encrypted for Impact,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS 
RDS,technique-scores,Respond,Significant,,2 +16,,T1490,Inhibit System Recovery,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,,2 +17,,T1490,Inhibit System Recovery,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +18,,T1561,Disk Wipe,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Minimal,,2 +19,"AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.",T1561.001,Disk Content Wipe,[],[],,AWS RDS,technique-scores,Respond,Minimal,T1561,2 +20,"AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. 
However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.",T1561.002,Disk Structure Wipe,[],[],,AWS RDS,technique-scores,Respond,Minimal,T1561,2 +21,,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,,2 +22,,T1529,System Shutdown/Reboot,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,,2 +23,,T1489,Service Stop,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,,2 24,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1110,Brute Force,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,True,2 -25,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1119,Automated Collection,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1020,Automated Exfiltration,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +25,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: ""acm-certificate-expiration-check"" for nearly expired certificates in AWS Certificate Manager (ACM); ""alb-http-to-https-redirection-check"" for Application Load Balancer (ALB) HTTP listeners; ""api-gw-ssl-enabled"" for API Gateway REST API stages; ""cloudfront-custom-ssl-certificate"", ""cloudfront-sni-enabled"", and ""cloudfront-viewer-policy-https"", for Amazon CloudFront distributions; ""elb-acm-certificate-required"", ""elb-custom-security-policy-ssl-check"", ""elb-predefined-security-policy-ssl-check"", and ""elb-tls-https-listeners-only"" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; ""redshift-require-tls-ssl"" for Amazon Redshift cluster connections to SQL clients; ""s3-bucket-ssl-requests-only"" for requests for S3 bucket contents; and ""elasticsearch-node-to-node-encryption-check"" for Amazon ElasticSearch Service node-to-node communications. 
+All of these are run on configuration changes except ""alb-http-to-https-redirection-check"", which is run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.",T1020.001,Traffic Duplication,[],[],,AWS Config,technique-scores,Protect,Partial,T1020,2 26,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1136,Create Account,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,True,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1040,Network Sniffing,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 27,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1190,Exploit Public-Facing Application,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 -28,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1203,Exploitation for Client Execution,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1053,Scheduled Task/Job,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +28,"The ""eks-endpoint-no-public-access"" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to create or modify orchestration jobs. 
It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.",T1053.007,Container Orchestration Job,[],[],,AWS Config,technique-scores,Protect,Partial,T1053,2 29,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1210,Exploitation of Remote Services,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1068,Exploitation for Privilege Escalation,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 30,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1211,Exploitation for Defense Evasion,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 -31,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1212,Exploitation for Credential Access,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1078,Valid Accounts,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +31,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted misuse of cloud accounts: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". 
All of these controls are run periodically. +The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that appropriate AWS Identity and Access Management (IAM) policies are in place to enforce fine-grained access policies and mitigate the impact of compromised valid accounts: ""iam-customer-policy-blocked-kms-actions"", ""iam-inline-policy-blocked-kms-actions"", ""iam-no-inline-policy-check"", ""iam-group-has-users-check"", ""iam-policy-blacklisted-check"", ""iam-policy-no-statements-with-admin-access"", ""iam-policy-no-statements-with-full-access"", ""iam-role-managed-policy-check"", ""iam-user-group-membership-check"", ""iam-user-no-policies-check"", and ""ec2-instance-profile-attached"" are run on configuration changes. ""iam-password-policy"", ""iam-policy-in-use"", ""iam-root-access-key-check"", ""iam-user-mfa-enabled"", ""iam-user-unused-credentials-check"", and ""mfa-enabled-for-iam-console-access"" are run periodically. The ""access-keys-rotated"" managed rule ensures that IAM access keys are rotated at an appropriate rate. +Given that these rules provide robust coverage for a variety of IAM configuration problems and most are evaluated on configuration changes, they result in an overall score of Significant.",T1078.004,Cloud Accounts,[],[],,AWS Config,technique-scores,Protect,Significant,T1078,2 32,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1204,User Execution,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,True,2 -33,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1485,Data Destruction,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1098,Account Manipulation,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +33,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted manipulation of cloud accounts: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". 
All of these controls are run periodically and provide partial coverage, since adversaries may be able to manipulate cloud credentials via other mechanisms, resulting in an overall score of Partial.",T1098.001,Additional Cloud Credentials,[],[],,AWS Config,technique-scores,Protect,Partial,T1098,2 34,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1486,Data Encrypted for Impact,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 -35,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1491,Defacement,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,True,2 -36,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1496,Resource Hijacking,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Partial,False,2 -37,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1498,Network Denial of Service,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,True,2 -38,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1499,Endpoint Denial of Service,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,True,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1110,Brute Force,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,,2 +35,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". +The ""iam-password-policy"" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts. +All of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.",T1110.001,Password Guessing,[],[],,AWS Config,technique-scores,Protect,Significant,T1110,2 +36,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". +The ""iam-password-policy"" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts. 
+All of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.",T1110.002,Password Cracking,[],[],,AWS Config,technique-scores,Protect,Significant,T1110,2 +37,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". +The ""iam-password-policy"" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts. 
+All of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.",T1110.003,Password Spraying,[],[],,AWS Config,technique-scores,Protect,Significant,T1110,2 +38,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". +The ""iam-password-policy"" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts. +All of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.",T1110.004,Credential Stuffing,[],[],,AWS Config,technique-scores,Protect,Significant,T1110,2 39,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1525,Implant Internal Image,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1119,Automated Collection,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 40,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1530,Data from Cloud Storage Object,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,False,2 -41,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1538,Cloud Service Dashboard,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1136,Create Account,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +41,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide significant protection against attempted manipulation of cloud accounts, including the creation of new ones: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". All of these controls are run periodically and provide partial coverage, since adversaries may be able to create cloud credentials via other mechanisms, resulting in an overall score of Partial.",T1136.003,Cloud Account,[],[],,AWS Config,technique-scores,Protect,Partial,T1136,2 42,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,True,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1190,Exploit Public-Facing Application,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 43,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1557,Man-in-the-Middle,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1203,Exploitation for Client Execution,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 44,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1562,Impair Defenses,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,True,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1210,Exploitation of Remote Services,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 45,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1609,Container Administration Command,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1211,Exploitation for Defense Evasion,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 46,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1610,Deploy Container,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1212,Exploitation for Credential Access,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 47,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. -AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1611,Escape to Host,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 -48,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
-AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1613,Container and Resource Discovery,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,False,2 -49,The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html'],['Storage'],,AWS S3,technique-scores,Protect,Significant,False,2 -50,The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html'],['Storage'],,AWS S3,technique-scores,Protect,Significant,False,2 -51,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1204,User Execution,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,,2 +48,"The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: ""approved-amis-by-id"" and ""approved-amis-by-tag"", both of which are run on configuration changes. 
They provide significant coverage, resulting in an overall score of Significant.",T1204.003,Malicious Image,[],[],,AWS Config,technique-scores,Detect,Significant,T1204,2 +49,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1485,Data Destruction,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +50,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1486,Data Encrypted for Impact,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +51,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1491,Defacement,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,,2 +52,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: ""s3-bucket-blacklisted-actions-prohibited"" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, ""s3-bucket-default-lock-enabled"" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and ""s3-bucket-public-write-prohibited"" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. 
+The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: ""aurora-mysql-backtracking-enabled"" for data in Aurora MySQL; ""db-instance-backup-enabled"" and ""rds-in-backup-plan"" for Amazon Relational Database Service (RDS) data; ""dynamodb-in-backup-plan"" and ""dynamodb-pitr-enabled"" for Amazon DynamoDB table contents; ""ebs-in-backup-plan"" for Elastic Block Store (EBS) volumes; ""efs-in-backup-plan"" for Amazon Elastic File System (EFS) file systems; ""elasticache-redis-cluster-automatic-backup-check"" for Amazon ElastiCache Redis cluster data; ""redshift-backup-enabled"" and ""redshift-cluster-maintenancesettings-check"" for Redshift; ""s3-bucket-replication-enabled"" and ""s3-bucket-versioning-enabled"" for S3 storage; and ""cloudfront-origin-failover-enabled"" for CloudFront. +Coverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.",T1491.001,Internal Defacement,[],[],,AWS Config,technique-scores,Protect,Significant,T1491,2 +53,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: ""s3-bucket-blacklisted-actions-prohibited"" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, ""s3-bucket-default-lock-enabled"" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and ""s3-bucket-public-write-prohibited"" checks whether a bucket is configured to allow public access and modification. 
All of these controls are run on configuration changes. +The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: ""aurora-mysql-backtracking-enabled"" for data in Aurora MySQL; ""db-instance-backup-enabled"" and ""rds-in-backup-plan"" for Amazon Relational Database Service (RDS) data; ""dynamodb-in-backup-plan"" and ""dynamodb-pitr-enabled"" for Amazon DynamoDB table contents; ""ebs-in-backup-plan"" for Elastic Block Store (EBS) volumes; ""efs-in-backup-plan"" for Amazon Elastic File System (EFS) file systems; ""elasticache-redis-cluster-automatic-backup-check"" for Amazon ElastiCache Redis cluster data; ""redshift-backup-enabled"" and ""redshift-cluster-maintenancesettings-check"" for Redshift; ""s3-bucket-replication-enabled"" and ""s3-bucket-versioning-enabled"" for S3 storage; and ""cloudfront-origin-failover-enabled"" for CloudFront. +Coverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.",T1491.002,External Defacement,[],[],,AWS Config,technique-scores,Protect,Significant,T1491,2 +54,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1496,Resource Hijacking,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Partial,,2 +55,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1498,Network Denial of Service,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +56,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. ""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1498.001,Direct Network Flood,[],[],,AWS Config,technique-scores,Protect,Minimal,T1498,2 +57,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1498.002,Reflection Amplification,[],[],,AWS Config,technique-scores,Protect,Minimal,T1498,2 +58,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1499,Endpoint Denial of Service,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +59,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. ""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1499.001,OS Exhaustion Flood,[],[],,AWS Config,technique-scores,Protect,Minimal,T1499,2 +60,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1499.002,Service Exhaustion Flood,[],[],,AWS Config,technique-scores,Protect,Minimal,T1499,2 +61,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. ""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1499.003,Application Exhaustion Flood,[],[],,AWS Config,technique-scores,Protect,Minimal,T1499,2 +62,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. ""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1499.004,Application or System Exploitation,[],[],,AWS Config,technique-scores,Protect,Minimal,T1499,2 +63,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1525,Implant Internal Image,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,,2 +64,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1530,Data from Cloud Storage Object,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,,2 +65,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1538,Cloud Service Dashboard,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,,2 +66,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +67,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage, which may include files containing credentials: ""s3-account-level-public-access-blocks"", ""s3-bucket-level-public-access-prohibited"", ""s3-bucket-public-read-prohibited"", ""s3-bucket-policy-not-more-permissive"", ""cloudfront-origin-access-identity-enabled"", and ""cloudfront-default-root-object-configured"" identify objects that are publicly available or subject to overly permissive access policies; and ""s3-bucket-policy-grantee-check"" checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. All of these controls are run on configuration changes. +The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data - which may include files containing credentials - are encrypted to prevent malicious access: ""s3-bucket-server-side-encryption-enabled"" and ""s3-default-encryption-kms"" for S3 storage, ""ec2-ebs-encryption-by-default"" and ""encrypted-volumes"" for EBS volumes. 
+Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Partial.",T1552.001,Credentials In Files,[],[],,AWS Config,technique-scores,Protect,Partial,T1552,2 +68,"The ""ec2-imdsv2-check"" managed rule can identify instances which are configured to use the outdated Instance Metadata Service Version 1 (IMDSv1), which is less secure than IMDSv2. This provides partial coverage, since adversaries may find ways to exploit the more secure IMDSv2, resulting in an overall score of Partial.",T1552.005,Cloud Instance Metadata API,[],[],,AWS Config,technique-scores,Protect,Partial,T1552,2 +69,"The ""eks-endpoint-no-public-access"" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to gather credentials via the API. The ""eks-secrets-encrypted"" managed rule can identify configuration problems that should be fixed in order to ensure that Kubernetes secrets (including those containing credentials) are encrypted to prevent malicious access. Both controls are run periodically and only provide partial coverage because they are specific to public access and adversaries without the ability to decrypt secrets, respectively, resulting in an overall score of Partial.",T1552.007,Container API,[],[],,AWS Config,technique-scores,Protect,Partial,T1552,2 +70,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1557,Man-in-the-Middle,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +71,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1562,Impair Defenses,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,,2 +72,"The ""ec2-managedinstance-applications-required"" managed rule verifies that all applications in a pre-defined list of requirements are installed on specified managed instances, and is run on configuration changes. It will not detect modification to those applications, but will detect if they are uninstalled. The ""ec2-managedinstance-applications-blacklisted"" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances, and can be used to detect installation of applications below a minimum version, which can identify adversary attempts to downgrade required tools to insecure or ineffective older versions. 
Given the host-based scoping of this technique, coverage is partial, resulting in an overall score of Partial.",T1562.001,Disable or Modify Tools,[],[],,AWS Config,technique-scores,Detect,Partial,T1562,2 +73,"The following AWS Config managed rules can identify potentially malicious changes to cloud firewall status and ensure that a WAF is enabled and enforcing specified ACLs: ""lab-waf-enabled"" for Application Load Balancers; ""api-gw-associated-with-waf"" for Amazon API Gateway API stages; ""cloudfront-associated-with-waf"" for Amazon CloudFront distributions; ""fms-webacl-resource-policy-check"", ""fms-webacl-resource-policy-check"", and ""fms-webacl-rulegroup-association-check"" for AWS Firewall Manager; ""vpc-default-security-group-closed"", ""vpc-network-acl-unused-check"", and ""vpc-sg-open-only-to-authorized-ports"" for VPC security groups; and ""ec2-security-group-attached-to-eni"" for EC2 and ENI security groups; all of which are run on configuration changes. +The following AWS Config managed rules can identify specific configuration changes to VPC configuration that may suggest malicious modification to bypass protections: ""internet-gateway-authorized-vpc-only"" can identify Internet gateways (IGWs) attached to unauthorized VPCs, which can allow unwanted communication between a VPC and the Internet; ""lambda-inside-vpc"" can identify VPCs that have granted execution access to unauthorized Lambda functions; ""service-vpc-endpoint-enabled"" can verify that endpoints are active for the appropriate services across VPCs; ""subnet-auto-assign-public-ip-disabled"" checks for public IP addresses assigned to subnets within VPCs. 
+Coverage factor is significant for these rules, since they cover firewall configuration for and via a wide range of services, resulting in an overall score of Significant.",T1562.007,Disable or Modify Cloud Firewall,[],[],,AWS Config,technique-scores,Detect,Significant,T1562,2 +74,"The following AWS Config managed rules can identify potentially malicious changes to cloud logging: ""api-gw-execution-logging-enabled"", ""cloudfront-accesslogs-enabled"", ""elasticsearch-logs-to-cloudwatch"", ""elb-logging-enabled"", ""redshift-cluster-configuration-check"", ""rds-logging-enabled"", and ""s3-bucket-logging-enabled"" are run on configuration changes. ""cloudtrail-security-trail-enabled"", ""cloud-trail-cloud-watch-logs-enabled"", ""cloudtrail-s3-dataevents-enabled"", ""vpc-flow-logs-enabled"", ""waf-classic-logging-enabled"", and ""wafv2-logging-enabled"" are run periodically. +Coverage factor is significant for these rules, since they cover logging configuration for a wide range of services, resulting in an overall score of Significant.",T1562.008,Disable Cloud Logs,[],[],,AWS Config,technique-scores,Detect,Significant,T1562,2 +75,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1609,Container Administration Command,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +76,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1610,Deploy Container,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +77,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1611,Escape to Host,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +78,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1613,Container and Resource Discovery,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +79,The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html'],['Storage'],,AWS S3,technique-scores,Protect,Significant,,2 +80,The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html'],['Storage'],,AWS S3,technique-scores,Protect,Significant,,2 +81,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1595,Active Scanning,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -52,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1595,Active Scanning,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +82,"There are a few finding types offered by GuardDuty that flag this behavior: Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep.",T1595.001,Scanning IP Blocks,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1595,2 +83,"There are finding types that show when an EC2 instance is probing other AWS resources for information. Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep",T1595.002,Vulnerability Scanning,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1595,2 +84,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1189,Drive-by Compromise,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -53,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1189,Drive-by Compromise,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +85,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1190,Exploit Public-Facing Application,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,False,2 -54,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1190,Exploit Public-Facing Application,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +86,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1566,Phishing,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -55,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1566,Phishing,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +87,The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.,T1566.001,Spearphishing Attachment,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1566,2 +88,The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.,T1566.002,Spearphishing Link,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1566,2 +89,The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.,T1566.003,Spearphishing via Service,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1566,2 +90,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1078,Valid Accounts,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -56,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1078,Valid Accounts,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +91,Listed findings above flag instances where there are indications of account compromise.,T1078.001,Default Accounts,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1078,2 +92,Listed findings above flag instances where there are indications of account compromise.,T1078.004,Cloud Accounts,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1078,2 +93,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1098,Account Manipulation,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -57,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1098,Account Manipulation,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +94,"The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair.",T1098.001,Additional Cloud Credentials,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1098,2 +95,"The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair.",T1098.004,SSH Authorized Keys,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1098,2 +96,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1562,Impair Defenses,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -58,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1562,Impair Defenses,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +97,"The following GuardDuty findings provide indicators of malicious activity in defense measures: +Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller",T1562.008,Disable Cloud Logs,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1562,2 +98,"The following GuardDuty findings provide indicators of malicious activity in defense measures: +Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller",T1562.006,Indicator Blocking,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1562,2 +99,"The following GuardDuty findings provide indicators of malicious activity in defense measures: +Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller",T1562.001,Disable or Modify Tools,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1562,2 +100,"Scores for 
this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1110,Brute Force,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,True,2 -59,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1110,Brute Force,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +101,"Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.",T1110.001,Password Guessing,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1110,2 +102,"Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.",T1110.003,Password Spraying,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1110,2 +103,"Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.",T1110.004,Credential Stuffing,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1110,2 +104,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,True,2 -60,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +105,"The following finding types in Amazon GuardDuty can be used to identify potentially malicious interactions with S3 which may lead to the compromise of any credential files stored in S3: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller +The score is capped at Partial since the findings only apply to credential files stored within S3 buckets and only certain types of suspicious behaviors.",T1552.001,Credentials In Files,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1552,2 +106,The UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type flags attempts to run AWS API operations from a host outside of EC2 using temporary AWS credentials that were created on an EC2 instance in 
your AWS environment. This may indicate that the temporary credentials have been compromised. Score is capped at Minimal because external use is required for detection.,T1552.005,Cloud Instance Metadata API,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1552,2 +107,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1580,Cloud Infrastructure Discovery,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -61,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1580,Cloud Infrastructure Discovery,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +108,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1526,Cloud Service Discovery,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -62,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1526,Cloud Service Discovery,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +109,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1046,Network Service Scanning,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -63,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1046,Network Service Scanning,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +110,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1530,Data from Cloud Storage Object,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -64,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1530,Data from Cloud Storage Object,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +111,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1071,Application Layer Protocol,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -65,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1071,Application Layer Protocol,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +112,"GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. +UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation",T1071.001,Web Protocols,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1071,2 +113,"GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. 
+UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation",T1071.002,File Transfer Protocols,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1071,2 +114,"GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. +UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation",T1071.003,Mail Protocols,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1071,2 +115,"GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. +UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation",T1071.004,DNS,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1071,2 +116,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1568,Dynamic Resolution,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -66,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1568,Dynamic Resolution,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +117,"GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations. +Trojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS",T1568.002,Domain Generation Algorithms,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1568,2 +118,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1571,Non-Standard Port,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -67,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1571,Non-Standard Port,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +119,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1090,Proxy,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,True,2 -68,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1090,Proxy,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +120,"The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. +Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.",T1090.001,Internal Proxy,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1090,2 +121,"The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. +Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.",T1090.002,External Proxy,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1090,2 +122,"The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. +Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.",T1090.003,Multi-hop Proxy,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1090,2 +123,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1020,Automated Exfiltration,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -69,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1020,Automated Exfiltration,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +124,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1029,Scheduled Transfer,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,False,2 -70,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1029,Scheduled Transfer,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +125,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1041,Exfiltration Over C2 Channel,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,False,2 -71,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1041,Exfiltration Over C2 Channel,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +126,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1048,Exfiltration Over Alternative Protocol,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -72,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1048,Exfiltration Over Alternative Protocol,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +127,"The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. +Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1048,2 +128,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1567,Exfiltration Over Web Service,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -73,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1567,Exfiltration Over Web Service,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +129,"The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel. +Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual",T1567.001,Exfiltration to Code Repository,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1567,2 +130,"The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel. +Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual",T1567.002,Exfiltration to Cloud Storage,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1567,2 +131,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1531,Account Access Removal,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -74,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1531,Account Access Removal,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +132,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1485,Data Destruction,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -75,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+ InitialAccess:IAMUser/AnomalousBehavior",T1485,Data Destruction,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +133,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1486,Data Encrypted for Impact,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -76,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1486,Data Encrypted for Impact,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +134,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1565,Data Manipulation,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -77,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1565,Data Manipulation,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +135,"The Impact:S3/MaliciousIPCaller finding type is looking for API calls commonly associated with Impact tactic of techniques where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment.",T1565.001,Stored Data Manipulation,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1565,2 +136,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1498,Network Denial of Service,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -78,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1498,Network Denial of Service,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +137,"The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. +Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns",T1498.001,Direct Network Flood,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1498,2 +138,"The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. +Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns",T1498.002,Reflection Amplification,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1498,2 +139,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1496,Resource Hijacking,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,False,2 -79,"Scores for this service are capped at Partial due to limited coverage and accuracy information. + InitialAccess:IAMUser/AnomalousBehavior",T1496,Resource Hijacking,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +140,"Scores for this service are capped at Partial due to limited coverage and accuracy information. The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
The following findings were not mappable: Backdoor:EC2/Spambot Impact:EC2/AbusedDomainRequest.Reputation - InitialAccess:IAMUser/AnomalousBehavior",T1491,Defacement,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,True,2 -80,There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.,T1498,Network Denial of Service,"['https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc', 'https://aws.amazon.com/shield/features/']","['Denial of Service', 'Network']",,AWS Shield,technique-scores,Respond,Significant,True,2 -81,There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.,T1499,Endpoint Denial of Service,"['https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc', 'https://aws.amazon.com/shield/features/']","['Denial of Service', 'Network']",,AWS Shield,technique-scores,Respond,Significant,True,2 -82,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. 
AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.",T1020,Automated Exfiltration,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,True,2 -83,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1040,Network Sniffing,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Partial,False,2 -84,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
-Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1041,Exfiltration Over C2 Channel,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,False,2 -85,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1046,Network Service Scanning,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,False,2 -86,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1048,Exfiltration Over Alternative Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,True,2 -87,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. 
AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.",T1071,Application Layer Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,False,2 -88,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1078,Valid Accounts,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,True,2 -89,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
-Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1078,Valid Accounts,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,True,2 -90,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1095,Non-Application Layer Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,False,2 -91,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1496,Resource Hijacking,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,False,2 -92,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. 
AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.",T1530,Data from Cloud Storage Object,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,False,2 -93,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1552,Unsecured Credentials,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,True,2 -94,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
-Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1557,Man-in-the-Middle,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,False,2 -95,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1562,Impair Defenses,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,True,2 -96,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. -Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1562,Impair Defenses,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Respond,Minimal,True,2 -97,,T1078,Valid Accounts,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS 
Organizations,technique-scores,Protect,Partial,True,2 -98,,T1087,Account Discovery,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Minimal,True,2 -99,,T1580,Cloud Infrastructure Discovery,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Partial,False,2 -100,,T1538,Cloud Service Dashboard,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Partial,False,2 -101,,T1190,Exploit Public-Facing Application,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,False,2 -102,,T1485,Data Destruction,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,False,2 -103,,T1486,Data Encrypted for Impact,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,False,2 -104,,T1565,Data Manipulation,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure 
Disaster Recovery,technique-scores,Respond,Minimal,True,2 -105,,T1491,Defacement,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,True,2 -106,,T1561,Disk Wipe,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,True,2 -107,,T1490,Inhibit System Recovery,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,False,2 -108,,T1552,Unsecured Credentials,"['https://aws.amazon.com/kms/', 'https://docs.aws.amazon.com/kms/latest/developerguide/overview.html']",['Credentials'],,AWS Key Management Service,technique-scores,Protect,Minimal,True,2 -109,,T1588,Obtain Capabilities,"['https://aws.amazon.com/kms/', 'https://docs.aws.amazon.com/kms/latest/developerguide/overview.html']",['Credentials'],,AWS Key Management Service,technique-scores,Protect,Partial,True,2 -110,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1189,Drive-by Compromise,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,False,2 -111,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon 
Inspector,technique-scores,Protect,Partial,False,2 -112,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1203,Exploitation for Client Execution,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,False,2 -113,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1068,Exploitation for Privilege Escalation,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,False,2 -114,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1211,Exploitation for Defense Evasion,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,False,2 -115,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1212,Exploitation for Credential Access,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,False,2 -116,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,False,2 -117,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1110,Brute 
Force,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -118,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1133,External Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,False,2 -119,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1021,Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -120,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1222,File and Directory Permissions Modification,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -121,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1562,Impair Defenses,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -122,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1070,Indicator Removal on Host,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -123,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and 
ATT&CK.,T1599,Network Boundary Bridging,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -124,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1003,OS Credential Dumping,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -125,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1053,Scheduled Task/Job,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -126,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1489,Service Stop,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,False,2 -127,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1529,System Shutdown/Reboot,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,False,2 -128,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1548,Abuse Elevation Control Mechanism,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -129,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and 
ATT&CK.,T1037,Boot or Logon Initialization Scripts,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -130,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1543,Create or Modify System Process,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,True,2 -131,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1046,Network Service Scanning,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,False,2 -132,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1595,Active Scanning,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,True,2 -133,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,True,2 -134,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1595,Active Scanning,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,True,2 -135,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1133,External Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -136,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1205,Traffic Signaling,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,True,2 -137,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1046,Network Service Scanning,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,False,2 -138,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1018,Remote System Discovery,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -139,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1008,Fallback Channels,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -140,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1095,Non-Application Layer Protocol,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -141,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1571,Non-Standard Port,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,False,2 -142,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1219,Remote Access Software,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -143,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1048,Exfiltration Over Alternative Protocol,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,True,2 -144,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1040,Network Sniffing,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,False,2 -145,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1557,Man-in-the-Middle,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,True,2 -146,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1565,Data Manipulation,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,True,2 -147,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1199,Trusted Relationship,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -148,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1602,Data from Configuration Repository,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,True,2 -149,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1542,Pre-OS Boot,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,True,2 -150,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -151,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1021,Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,True,2 -152,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1072,Software Deployment Tools,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -153,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1482,Domain Trust Discovery,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -154,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1498,Network Denial of Service,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,False,2 -155,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1499,Endpoint Denial of Service,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,True,2 -156,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1570,Lateral Tool Transfer,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,False,2 -157,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1090,Proxy,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,True,2 -158,,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Minimal,True,2 -159,,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Significant,True,2 -160,,T1190,Exploit Public-Facing Application,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,False,2 -161,,T1189,Drive-by Compromise,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,False,2 
-162,,T1203,Exploitation for Client Execution,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,False,2 -163,,T1059,Command and Scripting Interpreter,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,True,2 -164,,T1090,Proxy,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,True,2 -165,,T1595,Active Scanning,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,True,2 -166,,T1046,Network Service Scanning,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,False,2 -167,,T1071,Application Layer 
Protocol,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Minimal,True,2 -168,,T1496,Resource Hijacking,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Detect,Partial,False,2 -169,,T1610,Deploy Container,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Detect,Partial,False,2 -170,,T1040,Network Sniffing,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Protect,Significant,False,2 -171,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). 
+ InitialAccess:IAMUser/AnomalousBehavior",T1491,Defacement,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +141,"The following finding types can be used to detect behavior that can lead to the defacement of +cloud resources: +Impact:S3/MaliciousIPCaller +Exfiltration:S3/MaliciousIPCaller +Exfiltration:S3/ObjectRead.Unusual +PenTest:S3/KaliLinux +PenTest:S3/ParrotLinux +PenTest:S3/PentooLinux +UnauthorizedAccess:S3/MaliciousIPCaller.Custom +UnauthorizedAccess:S3/TorIPCaller",T1491.002,External Defacement,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1491,2 +142,"The following finding types can be used to detect behavior that can lead to the defacement of +cloud resources: +Impact:S3/MaliciousIPCaller +Exfiltration:S3/MaliciousIPCaller +Exfiltration:S3/ObjectRead.Unusual +PenTest:S3/KaliLinux +PenTest:S3/ParrotLinux +PenTest:S3/PentooLinux +UnauthorizedAccess:S3/MaliciousIPCaller.Custom +UnauthorizedAccess:S3/TorIPCaller",T1491.001,Internal Defacement,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1491,2 +143,There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. 
The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.,T1498,Network Denial of Service,"['https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc', 'https://aws.amazon.com/shield/features/']","['Denial of Service', 'Network']",,AWS Shield,technique-scores,Respond,Significant,,2 +144,"AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue. ",T1498.001,Direct Network Flood,[],[],,AWS Shield,technique-scores,Respond,Significant,T1498,2 +145,"AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue. ",T1498.002,Reflection Amplification,[],[],,AWS Shield,technique-scores,Respond,Significant,T1498,2 +146,There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. 
The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.,T1499,Endpoint Denial of Service,"['https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc', 'https://aws.amazon.com/shield/features/']","['Denial of Service', 'Network']",,AWS Shield,technique-scores,Respond,Significant,,2 +147,AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. ,T1499.001,OS Exhaustion Flood,[],[],,AWS Shield,technique-scores,Respond,Significant,T1499,2 +148,AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. ,T1499.002,Service Exhaustion Flood,[],[],,AWS Shield,technique-scores,Respond,Significant,T1499,2 +149,AWS Shield Advance allows for customized detection and mitigations for custom applications that are running on EC2 instances.,T1499.003,Application Exhaustion Flood,[],[],,AWS Shield,technique-scores,Respond,Significant,T1499,2 +150,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1020,Automated Exfiltration,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,,2 +151,"The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: ""CA certificate expiring"" (""CA_CERTIFICATE_EXPIRING_CHECK"" in the CLI and API), ""CA certificate key quality"" (""CA_CERTIFICATE_KEY_QUALITY_CHECK"" in the CLI and API), and ""CA certificate revoked but device certificates still active"" (""REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the ""UPDATE_CA_CERTIFICATE"" 
mitigation action which can resolve them. ""Device certificate expiring"" (""DEVICE_CERTIFICATE_EXPIRING_CHECK"" in the CLI and API), ""Device certificate key quality"" (""DEVICE_CERTIFICATE_KEY_QUALITY_CHECK"" in the CLI and API), ""Device certificate shared"" (""DEVICE_CERTIFICATE_SHARED_CHECK"" in the CLI and API), and ""Revoked device certificate still active"" (""REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API) can identify problems with IoT devices' certificates and support the ""UPDATE_DEVICE_CERTIFICATE"" and ""ADD_THINGS_TO_THING_GROUP"" mitigation actions which can resolve them. +Coverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.",T1020.001,Traffic Duplication,[],[],,AWS IoT Device Defender,technique-scores,Protect,Partial,T1020,2 +152,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1040,Network Sniffing,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Partial,,2 +153,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
+Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1041,Exfiltration Over C2 Channel,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +154,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1046,Network Service Scanning,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +155,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1048,Exfiltration Over Alternative Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +156,"The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from 
those devices: ""Destination IPs"" (""aws:destination-ip-addresses"") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. ""Bytes in"" (""aws:all-bytes-in""), ""Bytes out"" (""aws:all-bytes-out""), ""Packets in"" (""aws:all-packets-in""), and ""Packets out"" (""aws:all-packets-out"") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. ""Listening TCP ports"" (""aws:listening-tcp-ports""), ""Listening TCP port count"" (""aws:num-listening-tcp-ports""), ""Established TCP connections count"" (""aws:num-established-tcp-connections""), ""Listening UDP ports"" (""aws:listening-udp-ports""), and ""Listening UDP port count"" (""aws:num-listening-udp-ports"") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols. +Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1048,2 +157,"The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: ""Destination IPs"" (""aws:destination-ip-addresses"") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. ""Bytes in"" (""aws:all-bytes-in""), ""Bytes out"" (""aws:all-bytes-out""), ""Packets in"" (""aws:all-packets-in""), and ""Packets out"" (""aws:all-packets-out"") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. 
""Listening TCP ports"" (""aws:listening-tcp-ports""), ""Listening TCP port count"" (""aws:num-listening-tcp-ports""), ""Established TCP connections count"" (""aws:num-established-tcp-connections""), ""Listening UDP ports"" (""aws:listening-udp-ports""), and ""Listening UDP port count"" (""aws:num-listening-udp-ports"") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols. +Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1048,2 +158,"The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: ""Destination IPs"" (""aws:destination-ip-addresses"") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. ""Bytes in"" (""aws:all-bytes-in""), ""Bytes out"" (""aws:all-bytes-out""), ""Packets in"" (""aws:all-packets-in""), and ""Packets out"" (""aws:all-packets-out"") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. ""Listening TCP ports"" (""aws:listening-tcp-ports""), ""Listening TCP port count"" (""aws:num-listening-tcp-ports""), ""Established TCP connections count"" (""aws:num-established-tcp-connections""), ""Listening UDP ports"" (""aws:listening-udp-ports""), and ""Listening UDP port count"" (""aws:num-listening-udp-ports"") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols. 
+Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1048,2 +159,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.",T1071,Application Layer Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +160,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1078,Valid Accounts,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +161,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
+Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1078,Valid Accounts,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,,2 +162,"The following AWS IoT Device Defender audit checks can identify potentially malicious use of valid cloud credentials by AWS IoT devices, which may indicate that devices have been compromised: ""CA certificate revoked but device certificates still active"" (""REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API) indicates that device certificates signed using a revoked CA certificate are still active, which may indicate that devices using those certificates are controlled by an adversary if the CA certificate was revoked due to compromise. 
""Device certificate shared"" (""DEVICE_CERTIFICATE_SHARED_CHECK"" in the CLI and API), ""Revoked device certificate still active"" (""REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API), and ""Conflicting MQTT client IDs"" (""CONFLICTING_CLIENT_IDS_CHECK"" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or IDs and/or certificates that have been revoked due to compromise, all of which suggest that an adversary may be using clones of compromised devices to leverage their access. +The following AWS IoT Device Defender cloud-side detection metrics can identify potentially malicious use of valid cloud credentials by IoT devices, which may indicate that devices have been compromised: ""Source IP"" (""aws:source-ip-address"") values outside of expected IP address ranges may suggest that a device has been stolen. ""Authorization failures"" (""aws:num-authorization-failures"") counts above a typical threshold may indicate that a compromised device is attempting to use its connection to AWS IoT to access resources for which it does not have access and being denied. High counts for ""Disconnects"" (""aws:num-disconnects""), especially in conjunction with high counts for ""Connection attempts"" (""aws:num-connection-attempts""), which include successful attempts, may indicate that a compromised device is connecting and disconnecting from AWS IoT using the device's associated access. 
+Coverage factor is partial for these metrics, checks, and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.",T1078.004,Cloud Accounts,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1078,2 +163,"The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and in some cases resolve configuration problems that should be fixed in order to limit the potential impact of compromised accounts with access to AWS IoT resources: The ""Authenticated Cognito role overly permissive"" (""AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK"" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles. The ""Unauthenticated Cognito role overly permissive"" (""UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK"" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles and do not require authentication, which pose a substantial risk because they can be trivially accessed. The ""AWS IoT policies overly permissive"" (""IOT_POLICY_OVERLY_PERMISSIVE_CHECK"" in the CLI and API) audit check can identify AWS IoT policies which grant excessive privileges and permissions for AWS IoT actions and supports the ""REPLACE_DEFAULT_POLICY_VERSION"" mitigation action which can reduce permissions to limit potential misuse. 
The ""Role alias allows access to unused services"" (""IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK"" in the CLI and API) and ""Role alias overly permissive"" (""IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK"" in the CLI and API) audit checks can identify AWS IoT role aliases which allow connected devices to authenticate using their certificates and obtain short-lived AWS credentials from an associated IAM role which grant permissions and privileges beyond those necessary to the devices' functions and should be fixed in order to prevent further account compromise from compromised devices. +Coverage factor is partial for these checks and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.",T1078.004,Cloud Accounts,[],[],,AWS IoT Device Defender,technique-scores,Protect,Partial,T1078,2 +164,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1095,Non-Application Layer Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +165,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
+Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1496,Resource Hijacking,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +166,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1530,Data from Cloud Storage Object,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +167,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1552,Unsecured Credentials,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +168,"The following AWS IoT Device Defender audit checks can identify potentially malicious use of private keys associated with AWS IoT devices, which may indicate that the keys have been taken from compromised devices and 
repurposed by an adversary: ""Device certificate shared"" (""DEVICE_CERTIFICATE_SHARED_CHECK"" in the CLI and API) and ""Revoked device certificate still active"" (""REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or certificates that have been revoked due to compromise, both of which suggest that an adversary may be misusing stolen private keys. +Coverage factor is partial for these checks and mitigations, since they are specific to use of private keys associated with AWS IoT devices, resulting in an overall score of Partial.",T1552.004,Private Keys,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1552,2 +169,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.",T1557,Man-in-the-Middle,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,,2 +170,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1562,Impair Defenses,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +171,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
+Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1562,Impair Defenses,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Respond,Minimal,,2 +172,"The ""Logging disabled"" audit check (""LOGGING_DISABLED_CHECK"" in the CLI and API) can identify potentially malicious changes to AWS IoT logs (both V1 and V2), which should be enabled in Amazon CloudWatch. 
Score is limited to Partial since this control only addresses IoT logging.",T1562.008,Disable Cloud Logs,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1562,2 +173,"The ""ENABLE_IOT_LOGGING"" mitigation action (which is supported by the ""Logging disabled"" audit check) enables AWS IoT logging if it is not enabled when the check is run, effectively reversing the adversary behavior if those logs were disabled due to malicious changes. Score is limited to Partial since this control only addresses IoT logging.",T1562.008,Disable Cloud Logs,[],[],,AWS IoT Device Defender,technique-scores,Respond,Partial,T1562,2 +174,,T1078,Valid Accounts,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Partial,,2 +175,"This control may protect against malicious use of cloud accounts by implementing service control policies that define what actions an account may take. If best practices are followed, AWS accounts should only have the least amount of privileges required.",T1078.004,Cloud Accounts,[],[],,AWS Organizations,technique-scores,Protect,Significant,T1078,2 +176,,T1087,Account Discovery,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Minimal,,2 +177,This control may protect against cloud account discovery by segmenting accounts into separate organizational units and restricting to least privileges between groups. 
,T1087.004,Cloud Account,[],[],,AWS Organizations,technique-scores,Protect,Partial,T1087,2 +178,,T1580,Cloud Infrastructure Discovery,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Partial,,2 +179,,T1538,Cloud Service Dashboard,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Partial,,2 +180,,T1190,Exploit Public-Facing Application,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +181,,T1485,Data Destruction,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +182,,T1486,Data Encrypted for Impact,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +183,,T1565,Data Manipulation,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Minimal,,2 +184,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. 
In the event that data on servers is manipulated, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1565.001,Stored Data Manipulation,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1565,2 +185,,T1491,Defacement,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +186,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1491.001,Internal Defacement,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1491,2 +187,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1491.002,External Defacement,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1491,2 +188,,T1561,Disk Wipe,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +189,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. 
In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1561.001,Disk Content Wipe,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1561,2 +190,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1561.002,Disk Structure Wipe,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1561,2 +191,,T1490,Inhibit System Recovery,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +192,,T1552,Unsecured Credentials,"['https://aws.amazon.com/kms/', 'https://docs.aws.amazon.com/kms/latest/developerguide/overview.html']",['Credentials'],,AWS Key Management Service,technique-scores,Protect,Minimal,,2 +193,"This service provides a more secure alternative to storing encryption keys in the file system. As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score.",T1552.001,Credentials In Files,[],[],,AWS Key Management Service,technique-scores,Protect,Partial,T1552,2 +194,This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. 
The service does not allow anyone access to retrieve plaintext keys from the service.,T1552.004,Private Keys,[],[],,AWS Key Management Service,technique-scores,Protect,Significant,T1552,2 +195,,T1588,Obtain Capabilities,"['https://aws.amazon.com/kms/', 'https://docs.aws.amazon.com/kms/latest/developerguide/overview.html']",['Credentials'],,AWS Key Management Service,technique-scores,Protect,Partial,,2 +196,"The encryption key for the certificate can be stored in KMS, reducing its attack surface. Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised.",T1588.003,Code Signing Certificates,[],[],,AWS Key Management Service,technique-scores,Protect,Partial,T1588,2 +197,"The encryption key for the certificate can be stored in KMS, reducing its attack surface. Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised.",T1588.004,Digital Certificates,[],[],,AWS Key Management Service,technique-scores,Protect,Partial,T1588,2 +198,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1189,Drive-by Compromise,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +199,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +200,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1203,Exploitation for Client 
Execution,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +201,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1068,Exploitation for Privilege Escalation,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +202,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1211,Exploitation for Defense Evasion,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +203,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1212,Exploitation for Credential Access,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +204,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +205,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1110,Brute Force,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +206,"The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. 
Specific security controls it can assess include ""Disable password authentication over SSH"", ""Configure password maximum age"", ""Configure password minimum length"", and ""Configure password complexity"" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.",T1110.001,Password Guessing,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1110,2 +207,"The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include ""Disable password authentication over SSH"", ""Configure password maximum age"", ""Configure password minimum length"", and ""Configure password complexity"" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.",T1110.002,Password Cracking,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1110,2 +208,"The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. 
Specific security controls it can assess include ""Disable password authentication over SSH"", ""Configure password maximum age"", ""Configure password minimum length"", and ""Configure password complexity"" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.",T1110.003,Password Spraying,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1110,2 +209,"The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include ""Disable password authentication over SSH"", ""Configure password maximum age"", ""Configure password minimum length"", and ""Configure password complexity"" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.",T1110.004,Credential Stuffing,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1110,2 +210,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1133,External Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +211,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1021,Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +212,"The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, ""Disable root login over SSH"". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. 
Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.",T1021.004,SSH,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1021,2 +213,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1222,File and Directory Permissions Modification,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +214,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this the score is capped at Partial. ",T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1222,2 +215,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1562,Impair Defenses,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +216,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1562.001,Disable or Modify Tools,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1562,2 +217,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1562.003,Impair Command History Logging,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1562,2 +218,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1562.004,Disable or Modify System Firewall,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1562,2 +219,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1562.006,Indicator Blocking,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1562,2 +220,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1070,Indicator Removal on Host,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +221,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1070.002,Clear Linux or Mac System Logs,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +222,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1070.003,Clear Command History,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +223,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1070.004,File Deletion,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +224,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1070.005,Network Share Connection Removal,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +225,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1070.006,Timestomp,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +226,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1599,Network Boundary Bridging,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +227,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1599.001,Network Address Translation Traversal,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1599,2 +228,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1003,OS Credential Dumping,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +229,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1003.007,Proc Filesystem,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1003,2 +230,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1003.008,/etc/passwd and /etc/shadow,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1003,2 +231,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1053,Scheduled Task/Job,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +232,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1053.001,At (Linux),[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1053,2 +233,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1053.003,Cron,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1053,2 +234,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1053.006,Systemd Timers,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1053,2 +235,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1489,Service Stop,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +236,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1529,System Shutdown/Reboot,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +237,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1548,Abuse Elevation Control Mechanism,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +238,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system 
configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1548.003,Sudo and Sudo Caching,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1548,2 +239,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1037,Boot or Logon Initialization Scripts,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +240,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. 
",T1037.004,RC Scripts,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1037,2 +241,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1543,Create or Modify System Process,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +242,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. ",T1543.002,Systemd Service,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1543,2 +243,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1046,Network Service Scanning,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +244,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1595,Active Scanning,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +245,"The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). 
Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. ",T1595.001,Scanning IP Blocks,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1595,2 +246,"The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. ",T1595.002,Vulnerability Scanning,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1595,2 +247,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +248,VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. 
WHOIS) resulting in a Partial coverage score and an overall Partial score.,T1590.001,Domain Properties,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1590,2 +249,VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.,T1590.004,Network Topology,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1590,2 +250,VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.,T1590.005,IP Addresses,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1590,2 +251,VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.,T1590.006,Network Security Appliances,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1590,2 +252,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1595,Active Scanning,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +253,"VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1595.001,Scanning IP Blocks,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1595,2 +254,"VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1595.002,Vulnerability Scanning,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1595,2 +255,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1133,External Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +256,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1205,Traffic Signaling,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +257,"VPC security groups and network access control lists (NACLs) can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the security group or NACL level. ",T1205.001,Port Knocking,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,T1205,2 +258,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1046,Network Service Scanning,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,,2 +259,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1018,Remote System Discovery,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +260,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1008,Fallback Channels,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +261,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1095,Non-Application Layer Protocol,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +262,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1571,Non-Standard Port,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,,2 +263,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1219,Remote Access Software,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +264,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1048,Exfiltration Over Alternative Protocol,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +265,"VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. 
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1048,2 +266,"VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1048,2 +267,"VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. 
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1048,2 +268,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1040,Network Sniffing,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,,2 +269,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1557,Man-in-the-Middle,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,,2 +270,,T1557.002,ARP Cache Poisoning,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,T1557,2 +271,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,T1557,2 +272,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1565,Data Manipulation,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +273,,T1565.002,Transmitted Data Manipulation,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,T1565,2 +274,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1199,Trusted Relationship,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +275,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1602,Data from Configuration Repository,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +276,Can limit access to client management interfaces or configuration databases.,T1602.002,Network Device Configuration Dump,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1602,2 +277,Can limit access to client management interfaces or configuration databases.,T1602.001,SNMP (MIB Dump),[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1602,2 +278,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1542,Pre-OS Boot,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,,2 +279,VPC security groups and network access control lists (NACLs) can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.,T1542.005,TFTP Boot,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1542,2 +280,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +281,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1021,Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +282,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.006,Windows Remote Management,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +283,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.,T1021.005,VNC,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +284,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.004,SSH,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +285,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.003,Distributed Component Object Model,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +286,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.002,SMB/Windows Admin Shares,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +287,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. 
This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.001,Remote Desktop Protocol,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +288,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1072,Software Deployment Tools,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +289,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1482,Domain Trust Discovery,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +290,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1498,Network Denial of Service,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,,2 +291,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1499,Endpoint Denial of Service,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,,2 +292,VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.,T1499.003,Application Exhaustion Flood,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,T1499,2 +293,VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.,T1499.002,Service Exhaustion Flood,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,T1499,2 +294,VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.,T1499.001,OS Exhaustion Flood,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,T1499,2 +295,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1570,Lateral Tool Transfer,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +296,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1090,Proxy,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +297,"VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.003,Multi-hop Proxy,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1090,2 +298,"VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.002,External Proxy,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1090,2 +299,"VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.001,Internal Proxy,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1090,2 +300,,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 
'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Minimal,,2 +301,"Amazon Cognito has the ability to alert and block accounts where credentials were found to be compromised elsewhere (compromised credential protection). The service also detects unusual sign-in activity, such as sign-in attempts from new locations and devices and can either prompt users for additional verification or block the sign-in request. There was insufficient detail on the operation of these capabilities and therefore a conservative assessment of a Partial score has been assigned.",T1078.004,Cloud Accounts,[],[],,Amazon Cognito,technique-scores,Protect,Partial,T1078,2 +302,,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Significant,,2 +303,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.001,Password Guessing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,2 +304,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.002,Password Cracking,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,2 +305,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.003,Password Spraying,[],[],,Amazon 
Cognito,technique-scores,Protect,Significant,T1110,2 +306,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.004,Credential Stuffing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,2 +307,,T1190,Exploit Public-Facing Application,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,,2 +308,,T1189,Drive-by Compromise,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,,2 +309,,T1203,Exploitation for Client Execution,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,,2 +310,,T1059,Command and Scripting Interpreter,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,,2 +311,"The AWS WAF protects web applications from injection attacks that leverage command and 
scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. +AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet +This is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.",T1059.001,PowerShell,[],[],,AWS Web Application Firewall,technique-scores,Protect,Significant,T1059,2 +312,"The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. +AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet +This is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.",T1059.004,Unix Shell,[],[],,AWS Web Application Firewall,technique-scores,Protect,Significant,T1059,2 +313,"The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. 
+AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet +This is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.",T1059.007,JavaScript,[],[],,AWS Web Application Firewall,technique-scores,Protect,Significant,T1059,2 +314,,T1090,Proxy,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,,2 +315,"The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic. +AWSManagedRulesAnonymousIpList +This is given a score of Partial because it provide protections for only a subset of the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.",T1090.002,External Proxy,[],[],,AWS Web Application Firewall,technique-scores,Protect,Partial,T1090,2 +316,"The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic. 
+AWSManagedRulesAnonymousIpList +This is given a score of Partial because it provide protections for only a subset of the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.",T1090.003,Multi-hop Proxy,[],[],,AWS Web Application Firewall,technique-scores,Protect,Partial,T1090,2 +317,,T1595,Active Scanning,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,,2 +318,"AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection. +AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet +This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.",T1595.001,Scanning IP Blocks,[],[],,AWS Web Application Firewall,technique-scores,Protect,Partial,T1595,2 +319,"AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection. 
+AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet +This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.",T1595.002,Vulnerability Scanning,[],[],,AWS Web Application Firewall,technique-scores,Protect,Partial,T1595,2 +320,,T1046,Network Service Scanning,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,,2 +321,,T1071,Application Layer Protocol,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Minimal,,2 +322,"AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. AWS WAF uses the following rule sets to provide this protection. 
+AWSManagedRulesCommonRuleSet AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet +This is scored as Minimal because the rule sets only protect against the web protocols sub-technique.",T1071.001,Web Protocols,[],[],,AWS Web Application Firewall,technique-scores,Protect,Minimal,T1071,2 +323,,T1496,Resource Hijacking,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Detect,Partial,,2 +324,,T1610,Deploy Container,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Detect,Partial,,2 +325,,T1040,Network Sniffing,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Protect,Significant,,2 +326,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. -",T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -172,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +327,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1592,Gather Victim Host Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,True,2 -173,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1592,Gather Victim Host Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +328,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1592.001,Hardware,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1592,2 +329,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
",T1592.002,Software,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1592,2 +330,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1592.003,Firmware,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1592,2 +331,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1592.004,Client Configurations,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1592,2 +332,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). 
Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. -",T1589,Gather Victim Identity Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,True,2 -174,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1589,Gather Victim Identity Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +333,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1589.001,Credentials,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1589,2 +334,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. 
AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1589.002,Email Addresses,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1589,2 +335,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1589.003,Employee Names,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1589,2 +336,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,True,2 -175,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +337,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.001,Domain Properties,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +338,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
",T1590.002,DNS,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +339,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.003,Network Trust Dependencies,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +340,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.004,Network Topology,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +341,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
",T1590.005,IP Addresses,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +342,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.006,Network Security Appliances,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +343,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. -",T1591,Gather Victim Org Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,True,2 -176,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. 
When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1591,Gather Victim Org Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +344,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1591.001,Determine Physical Locations,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1591,2 +345,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1591.002,Business Relationships,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1591,2 +346,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. 
AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1591.003,Identify Business Tempo,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1591,2 +347,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1591.004,Identify Roles,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1591,2 +348,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1580,Cloud Infrastructure Discovery,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -177,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1580,Cloud Infrastructure Discovery,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +349,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1078,Valid Accounts,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,True,2 -178,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1078,Valid Accounts,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +350,"AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights. +AWS principals with suspicious access key activity Credentials that may have leaked AWS resources with unauthorized access attempts IAM users with suspicious activity +AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks. 
+3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 3.3 Ensure a log metric filter and alarm exist for usage of ""root"" account 3.4 Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures [PCI.CW.1] A log metric filter and alarm should exist for usage of the ""root"" user +By monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised. +This is scored as Significant because it reports on suspicious activity by AWS accounts. ",T1078.004,Cloud Accounts,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1078,2 +351,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -179,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +352,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1203,Exploitation for Client Execution,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -180,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1203,Exploitation for Client Execution,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +353,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1068,Exploitation for Privilege Escalation,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -181,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1068,Exploitation for Privilege Escalation,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +354,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1211,Exploitation for Defense Evasion,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -182,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1211,Exploitation for Defense Evasion,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +355,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1212,Exploitation for Credential Access,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -183,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1212,Exploitation for Credential Access,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +356,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -184,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +357,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1531,Account Access Removal,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,False,2 -185,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1531,Account Access Removal,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +358,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
-",T1098,Account Manipulation,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,True,2 -186,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1098,Account Manipulation,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +359,"AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. AWS Security Hub provides this detection with the following check. +3.4 Ensure a log metric filter and alarm exist for IAM policy changes +This is scored as Significant because it can monitor all changes to IAM policy which can be used to detect any changes made to accounts. ",T1098.001,Additional Cloud Credentials,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1098,2 +360,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). 
AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. -",T1562,Impair Defenses,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,True,2 -187,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1562,Impair Defenses,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +361,"AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. 
+3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes +This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. ",T1562.008,Disable Cloud Logs,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1562,2 +362,"AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. +3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes +This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. 
",T1562.001,Disable or Modify Tools,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1562,2 +363,"AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. +3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes +This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. ",T1562.007,Disable or Modify Cloud Firewall,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1562,2 +364,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. -",T1110,Brute Force,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,True,2 -188,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +",T1110,Brute Force,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +365,"AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. +3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures +This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ",T1110.001,Password Guessing,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1110,2 +366,"AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. 
+3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures +This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ",T1110.003,Password Spraying,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1110,2 +367,"AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. +3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures +This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ",T1110.004,Credential Stuffing,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1110,2 +368,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. -",T1485,Data Destruction,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,False,2 -189,,T1078,Valid Accounts,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Partial,True,2 -190,,T1078,Valid Accounts,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Detect,Partial,True,2 -191,,T1098,Account Manipulation,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Detect,Minimal,True,2 -192,,T1550,Use Alternate Authentication Material,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Minimal,True,2 -193,,T1110,Brute Force,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Significant,True,2 -194,,T1528,Steal Application Access Token,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Minimal,False,2 -195,,T1555,Credentials from Password Stores,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,False,2 -196,,T1212,Exploitation for Credential Access,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,False,2 
-197,,T1528,Steal Application Access Token,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,False,2 -198,,T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,True,2 -199,,T1071,Application Layer Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,True,2 -200,,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -201,,T1499,Endpoint Denial of Service,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,True,2 -202,,T1048,Exfiltration Over Alternative Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,True,2 -203,,T1187,Forced Authentication,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,False,2 -204,,T1498,Network Denial of Service,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Minimal,True,2 -205,,T1095,Non-Application Layer 
Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,False,2 -206,,T1572,Protocol Tunneling,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -207,,T1090,Proxy,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,True,2 -208,,T1219,Remote Access Software,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -209,,T1021,Remote Services,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,True,2 -210,,T1205,Traffic Signaling,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,True,2 -211,,T1008,Fallback Channels,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -212,,T1104,Multi-Stage Channels,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -213,,T1046,Network Service Scanning,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -214,,T1595,Active 
Scanning,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,True,2 -215,,T1571,Non-Standard Port,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,False,2 -216,,T1542,Pre-OS Boot,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Minimal,True,2 -217,,T1041,Exfiltration Over C2 Channel,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -218,,T1018,Remote System Discovery,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -219,,T1133,External Remote Services,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,False,2 -220,,T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,True,2 -221,,T1078,Valid Accounts,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Partial,True,2 -222,,T1133,External Remote Services,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Significant,False,2 -223,,T1110,Brute Force,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 
'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Partial,True,2 -224,,T1552,Unsecured Credentials,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Minimal,True,2 -225,,T1588,Obtain Capabilities,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Partial,True,2 -226,,T1553,Subvert Trust Controls,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Partial,True,2 +",T1485,Data Destruction,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +369,,T1078,Valid Accounts,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Partial,,2 +370,,T1078,Valid Accounts,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Detect,Partial,,2 +371,This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. 
MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.,T1078.004,Cloud Accounts,[],[],,AWS Identity and Access Management,technique-scores,Protect,Partial,T1078,2 +372,The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. This tool will scan upon any change to access policies or periodically within 24 hours.,T1078.004,Cloud Accounts,[],[],,AWS Identity and Access Management,technique-scores,Detect,Minimal,T1078,2 +373,,T1098,Account Manipulation,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Detect,Minimal,,2 +374,The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. This tool will scan upon any change to access policies or periodically within 24 hours.,T1098.001,Additional Cloud Credentials,[],[],,AWS Identity and Access Management,technique-scores,Detect,Minimal,T1098,2 +375,,T1550,Use Alternate Authentication Material,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Minimal,,2 +376,This control may mitigate against application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer. 
,T1550.001,Application Access Token,[],[],,AWS Identity and Access Management,technique-scores,Protect,Minimal,T1550,2 +377,,T1110,Brute Force,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Significant,,2 +378,"This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.",T1110.004,Credential Stuffing,[],[],,AWS Identity and Access Management,technique-scores,Protect,Significant,T1110,2 +379,"This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.",T1110.001,Password Guessing,[],[],,AWS Identity and Access Management,technique-scores,Protect,Significant,T1110,2 +380,"This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. 
These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.",T1110.003,Password Spraying,[],[],,AWS Identity and Access Management,technique-scores,Protect,Significant,T1110,2 +381,,T1528,Steal Application Access Token,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Minimal,,2 +382,,T1555,Credentials from Password Stores,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,,2 +383,,T1212,Exploitation for Credential Access,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,,2 +384,,T1528,Steal Application Access Token,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,,2 +385,,T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,,2 +386,This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.,T1552.001,Credentials In Files,[],[],,AWS Secrets Manager,technique-scores,Protect,Partial,T1552,2 +387,This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.,T1552.002,Credentials in Registry,[],[],,AWS Secrets Manager,technique-scores,Protect,Partial,T1552,2 +388,This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.,T1552.004,Private Keys,[],[],,AWS Secrets Manager,technique-scores,Protect,Partial,T1552,2 +389,,T1071,Application Layer Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,,2 +390,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",T1071.001,Web Protocols,[],[],,AWS Network Firewall,technique-scores,Protect,Significant,T1071,2 +391,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",T1071.002,File Transfer Protocols,[],[],,AWS Network Firewall,technique-scores,Protect,Significant,T1071,2 +392,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",T1071.003,Mail Protocols,[],[],,AWS Network Firewall,technique-scores,Protect,Significant,T1071,2 +393,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",T1071.004,DNS,[],[],,AWS Network Firewall,technique-scores,Protect,Significant,T1071,2 +394,,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +395,,T1499,Endpoint Denial of Service,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +396,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. 
That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. ",T1499.001,OS Exhaustion Flood,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1499,2 +397,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. ",T1499.002,Service Exhaustion Flood,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1499,2 +398,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. 
",T1499.003,Application Exhaustion Flood,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1499,2 +399,,T1048,Exfiltration Over Alternative Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +400,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1048,2 +401,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. 
",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1048,2 +402,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1048,2 +403,,T1187,Forced Authentication,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,,2 +404,,T1498,Network Denial of Service,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Minimal,,2 +405,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. 
",T1498.001,Direct Network Flood,[],[],,AWS Network Firewall,technique-scores,Protect,Minimal,T1498,2 +406,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. ",T1498.002,Reflection Amplification,[],[],,AWS Network Firewall,technique-scores,Protect,Minimal,T1498,2 +407,,T1095,Non-Application Layer Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,,2 +408,,T1572,Protocol Tunneling,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +409,,T1090,Proxy,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +410,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.",T1090.002,External Proxy,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1090,2 +411,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.",T1090.003,Multi-hop Proxy,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1090,2 +412,,T1219,Remote Access Software,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +413,,T1021,Remote Services,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +414,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.001,Remote Desktop Protocol,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +415,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.002,SMB/Windows Admin Shares,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +416,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.004,SSH,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +417,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.005,VNC,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +418,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.006,Windows Remote Management,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +419,,T1205,Traffic Signaling,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +420,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against port knocking from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against port knocking among hosts within the network and behind the firewall.",T1205.001,Port Knocking,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1205,2 +421,,T1008,Fallback Channels,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +422,,T1104,Multi-Stage Channels,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +423,,T1046,Network Service Scanning,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +424,,T1595,Active Scanning,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 
+425,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. ",T1595.001,Scanning IP Blocks,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1595,2 +426,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. ",T1595.002,Vulnerability Scanning,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1595,2 +427,,T1571,Non-Standard Port,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,,2 +428,,T1542,Pre-OS Boot,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Minimal,,2 +429,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. 
This mapping is given a score of Partial because AWS Network Firewall does not do anything to protect against TFTP booting among hosts within the network and behind the firewall.",T1542.005,TFTP Boot,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1542,2 +430,,T1041,Exfiltration Over C2 Channel,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +431,,T1018,Remote System Discovery,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +432,,T1133,External Remote Services,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +433,,T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +434,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ",T1590.001,Domain Properties,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1590,2 +435,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ",T1590.004,Network Topology,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1590,2 +436,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ",T1590.005,IP Addresses,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1590,2 +437,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. 
",T1590.006,Network Security Appliances,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1590,2 +438,,T1078,Valid Accounts,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Partial,,2 +439,This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.,T1078.004,Cloud Accounts,[],[],,AWS Single Sign-On,technique-scores,Protect,Partial,T1078,2 +440,This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.,T1078.002,Domain Accounts,[],[],,AWS Single Sign-On,technique-scores,Protect,Partial,T1078,2 +441,,T1133,External Remote Services,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Significant,,2 +442,,T1110,Brute Force,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Partial,,2 +443,This control may protect against brute force techniques by enabling multi-factor authentication. 
All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.,T1110.001,Password Guessing,[],[],,AWS Single Sign-On,technique-scores,Protect,Significant,T1110,2 +444,This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.,T1110.003,Password Spraying,[],[],,AWS Single Sign-On,technique-scores,Protect,Significant,T1110,2 +445,This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.,T1110.004,Credential Stuffing,[],[],,AWS Single Sign-On,technique-scores,Protect,Significant,T1110,2 +446,,T1552,Unsecured Credentials,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Minimal,,2 +447,"This service provides a more secure alternative to storing encryption keys in the file system. As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score.",T1552.001,Credentials In Files,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1552,2 +448,This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. 
The service does not allow anyone access to retrieve plaintext keys from the service.,T1552.004,Private Keys,[],[],,AWS CloudHSM,technique-scores,Protect,Significant,T1552,2
+449,,T1588,Obtain Capabilities,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Partial,,2
+450,Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.,T1588.004,Digital Certificates,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1588,2
+451,Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.,T1588.003,Code Signing Certificates,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1588,2
+452,,T1553,Subvert Trust Controls,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Partial,,2
+453,Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.,T1553.004,Install Root Certificate,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1553,2
+454,Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.,T1553.002,Code Signing,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1553,2
diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_attack_objects.csv
new file mode 100644
index 00000000..1cf3e6d8
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_attack_objects.csv
@@ -0,0 +1,821 @@
+,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,score-category,score-value,related-score,metadata-key
+0,,T1040,Network Sniffing,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,,2
+1,,T1565,Data Manipulation,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,,2
+2,,T1565,Data Manipulation,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2
+3,"AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant.",T1565.001,Stored Data Manipulation,[],[],,AWS RDS,technique-scores,Protect,Significant,T1565,2
+4,"AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.",T1565.001,Stored Data Manipulation,[],[],,AWS RDS,technique-scores,Respond,Significant,T1565,2
+5,"AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant.",T1565.002,Transmitted Data Manipulation,[],[],,AWS RDS,technique-scores,Protect,Significant,T1565,2
+6,"AWS RDS supports the replication and recovery of database instances. 
In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.",T1565.002,Transmitted Data Manipulation,[],[],,AWS RDS,technique-scores,Respond,Significant,T1565,2 +7,,T1557,Man-in-the-Middle,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,,2 +8,,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,,2 +9,,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +10,,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Partial,,2 +11,,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +12,,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,,2 +13,,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,,2 +14,,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +15,,T1486,Data Encrypted for Impact,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +16,,T1490,Inhibit System Recovery,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,,2 +17,,T1490,Inhibit System 
Recovery,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Significant,,2 +18,,T1561,Disk Wipe,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Respond,Minimal,,2 +19,"AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.",T1561.001,Disk Content Wipe,[],[],,AWS RDS,technique-scores,Respond,Minimal,T1561,2 +20,"AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.",T1561.002,Disk Structure Wipe,[],[],,AWS RDS,technique-scores,Respond,Minimal,T1561,2 +21,,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Protect,Significant,,2 +22,,T1529,System Shutdown/Reboot,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,,2 +23,,T1489,Service Stop,['https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html'],['Database'],,AWS RDS,technique-scores,Detect,Partial,,2 +24,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1020,Automated Exfiltration,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +25,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: ""acm-certificate-expiration-check"" for nearly expired certificates in AWS Certificate Manager (ACM); ""alb-http-to-https-redirection-check"" for Application Load Balancer (ALB) HTTP listeners; ""api-gw-ssl-enabled"" for API Gateway REST API stages; ""cloudfront-custom-ssl-certificate"", ""cloudfront-sni-enabled"", and ""cloudfront-viewer-policy-https"", for Amazon CloudFront distributions; ""elb-acm-certificate-required"", ""elb-custom-security-policy-ssl-check"", ""elb-predefined-security-policy-ssl-check"", and ""elb-tls-https-listeners-only"" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; ""redshift-require-tls-ssl"" for Amazon Redshift cluster connections to SQL clients; ""s3-bucket-ssl-requests-only"" for requests for S3 bucket contents; and ""elasticsearch-node-to-node-encryption-check"" for Amazon ElasticSearch Service node-to-node communications. +All of these are run on configuration changes except ""alb-http-to-https-redirection-check"", which is run periodically. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.",T1020.001,Traffic Duplication,[],[],,AWS Config,technique-scores,Protect,Partial,T1020,2 +26,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1040,Network Sniffing,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +27,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1053,Scheduled Task/Job,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +28,"The ""eks-endpoint-no-public-access"" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to create or modify orchestration jobs. 
It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.",T1053.007,Container Orchestration Job,[],[],,AWS Config,technique-scores,Protect,Partial,T1053,2 +29,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1068,Exploitation for Privilege Escalation,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +30,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1078,Valid Accounts,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +31,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted misuse of cloud accounts: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". All of these controls are run periodically. 
+The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that appropriate AWS Identity and Access Management (IAM) policies are in place to enforce fine-grained access policies and mitigate the impact of compromised valid accounts: ""iam-customer-policy-blocked-kms-actions"", ""iam-inline-policy-blocked-kms-actions"", ""iam-no-inline-policy-check"", ""iam-group-has-users-check"", ""iam-policy-blacklisted-check"", ""iam-policy-no-statements-with-admin-access"", ""iam-policy-no-statements-with-full-access"", ""iam-role-managed-policy-check"", ""iam-user-group-membership-check"", ""iam-user-no-policies-check"", and ""ec2-instance-profile-attached"" are run on configuration changes. ""iam-password-policy"", ""iam-policy-in-use"", ""iam-root-access-key-check"", ""iam-user-mfa-enabled"", ""iam-user-unused-credentials-check"", and ""mfa-enabled-for-iam-console-access"" are run periodically. The ""access-keys-rotated"" managed rule ensures that IAM access keys are rotated at an appropriate rate. +Given that these rules provide robust coverage for a variety of IAM configuration problems and most are evaluated on configuration changes, they result in an overall score of Significant.",T1078.004,Cloud Accounts,[],[],,AWS Config,technique-scores,Protect,Significant,T1078,2 +32,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1098,Account Manipulation,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +33,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted manipulation of cloud accounts: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". All of these controls are run periodically and provide partial coverage, since adversaries may be able to manipulate cloud credentials via other mechanisms, resulting in an overall score of Partial.",T1098.001,Additional Cloud Credentials,[],[],,AWS Config,technique-scores,Protect,Partial,T1098,2 +34,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1110,Brute Force,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,,2 +35,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". +The ""iam-password-policy"" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts. 
+All of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.",T1110.001,Password Guessing,[],[],,AWS Config,technique-scores,Protect,Significant,T1110,2 +36,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". +The ""iam-password-policy"" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts. 
+All of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.",T1110.002,Password Cracking,[],[],,AWS Config,technique-scores,Protect,Significant,T1110,2 +37,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". +The ""iam-password-policy"" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts. 
+All of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.",T1110.003,Password Spraying,[],[],,AWS Config,technique-scores,Protect,Significant,T1110,2 +38,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". +The ""iam-password-policy"" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts. +All of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.",T1110.004,Credential Stuffing,[],[],,AWS Config,technique-scores,Protect,Significant,T1110,2 +39,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1119,Automated Collection,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +40,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1136,Create Account,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +41,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide significant protection against attempted manipulation of cloud accounts, including the creation of new ones: ""iam-user-mfa-enabled"", ""mfa-enabled-for-iam-console-access"", ""root-account-hardware-mfa-enabled"", and ""root-account-mfa-enabled"". All of these controls are run periodically and provide partial coverage, since adversaries may be able to create cloud credentials via other mechanisms, resulting in an overall score of Partial.",T1136.003,Cloud Account,[],[],,AWS Config,technique-scores,Protect,Partial,T1136,2 +42,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1190,Exploit Public-Facing Application,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +43,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1203,Exploitation for Client Execution,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +44,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1210,Exploitation of Remote Services,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +45,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1211,Exploitation for Defense Evasion,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +46,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1212,Exploitation for Credential Access,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +47,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1204,User Execution,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,,2 +48,"The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: ""approved-amis-by-id"" and ""approved-amis-by-tag"", both of which are run on configuration changes. 
They provide significant coverage, resulting in an overall score of Significant.",T1204.003,Malicious Image,[],[],,AWS Config,technique-scores,Detect,Significant,T1204,2 +49,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1485,Data Destruction,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +50,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1486,Data Encrypted for Impact,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +51,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1491,Defacement,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,,2 +52,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: ""s3-bucket-blacklisted-actions-prohibited"" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, ""s3-bucket-default-lock-enabled"" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and ""s3-bucket-public-write-prohibited"" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. 
+The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: ""aurora-mysql-backtracking-enabled"" for data in Aurora MySQL; ""db-instance-backup-enabled"" and ""rds-in-backup-plan"" for Amazon Relational Database Service (RDS) data; ""dynamodb-in-backup-plan"" and ""dynamodb-pitr-enabled"" for Amazon DynamoDB table contents; ""ebs-in-backup-plan"" for Elastic Block Store (EBS) volumes; ""efs-in-backup-plan"" for Amazon Elastic File System (EFS) file systems; ""elasticache-redis-cluster-automatic-backup-check"" for Amazon ElastiCache Redis cluster data; ""redshift-backup-enabled"" and ""redshift-cluster-maintenancesettings-check"" for Redshift; ""s3-bucket-replication-enabled"" and ""s3-bucket-versioning-enabled"" for S3 storage; and ""cloudfront-origin-failover-enabled"" for CloudFront. +Coverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.",T1491.001,Internal Defacement,[],[],,AWS Config,technique-scores,Protect,Significant,T1491,2 +53,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: ""s3-bucket-blacklisted-actions-prohibited"" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, ""s3-bucket-default-lock-enabled"" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and ""s3-bucket-public-write-prohibited"" checks whether a bucket is configured to allow public access and modification. 
All of these controls are run on configuration changes. +The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: ""aurora-mysql-backtracking-enabled"" for data in Aurora MySQL; ""db-instance-backup-enabled"" and ""rds-in-backup-plan"" for Amazon Relational Database Service (RDS) data; ""dynamodb-in-backup-plan"" and ""dynamodb-pitr-enabled"" for Amazon DynamoDB table contents; ""ebs-in-backup-plan"" for Elastic Block Store (EBS) volumes; ""efs-in-backup-plan"" for Amazon Elastic File System (EFS) file systems; ""elasticache-redis-cluster-automatic-backup-check"" for Amazon ElastiCache Redis cluster data; ""redshift-backup-enabled"" and ""redshift-cluster-maintenancesettings-check"" for Redshift; ""s3-bucket-replication-enabled"" and ""s3-bucket-versioning-enabled"" for S3 storage; and ""cloudfront-origin-failover-enabled"" for CloudFront. +Coverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.",T1491.002,External Defacement,[],[],,AWS Config,technique-scores,Protect,Significant,T1491,2 +54,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1496,Resource Hijacking,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Partial,,2 +55,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1498,Network Denial of Service,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +56,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. ""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1498.001,Direct Network Flood,[],[],,AWS Config,technique-scores,Protect,Minimal,T1498,2 +57,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1498.002,Reflection Amplification,[],[],,AWS Config,technique-scores,Protect,Minimal,T1498,2 +58,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1499,Endpoint Denial of Service,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +59,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. ""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1499.001,OS Exhaustion Flood,[],[],,AWS Config,technique-scores,Protect,Minimal,T1499,2 +60,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1499.002,Service Exhaustion Flood,[],[],,AWS Config,technique-scores,Protect,Minimal,T1499,2 +61,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. ""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1499.003,Application Exhaustion Flood,[],[],,AWS Config,technique-scores,Protect,Minimal,T1499,2 +62,"The ""elb-cross-zone-load-balancing-enabled"" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. ""cloudfront-origin-failover-enabled"" can verify that failover policies are in place to increase CloudFront content availability. +Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.",T1499.004,Application or System Exploitation,[],[],,AWS Config,technique-scores,Protect,Minimal,T1499,2 +63,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1525,Implant Internal Image,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,,2 +64,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1530,Data from Cloud Storage Object,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,,2 +65,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1538,Cloud Service Dashboard,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Significant,,2 +66,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +67,"The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage, which may include files containing credentials: ""s3-account-level-public-access-blocks"", ""s3-bucket-level-public-access-prohibited"", ""s3-bucket-public-read-prohibited"", ""s3-bucket-policy-not-more-permissive"", ""cloudfront-origin-access-identity-enabled"", and ""cloudfront-default-root-object-configured"" identify objects that are publicly available or subject to overly permissive access policies; and ""s3-bucket-policy-grantee-check"" checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. All of these controls are run on configuration changes. +The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data - which may include files containing credentials - are encrypted to prevent malicious access: ""s3-bucket-server-side-encryption-enabled"" and ""s3-default-encryption-kms"" for S3 storage, ""ec2-ebs-encryption-by-default"" and ""encrypted-volumes"" for EBS volumes. 
+Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Partial.",T1552.001,Credentials In Files,[],[],,AWS Config,technique-scores,Protect,Partial,T1552,2 +68,"The ""ec2-imdsv2-check"" managed rule can identify instances which are configured to use the outdated Instance Metadata Service Version 1 (IMDSv1), which is less secure than IMDSv2. This provides partial coverage, since adversaries may find ways to exploit the more secure IMDSv2, resulting in an overall score of Partial.",T1552.005,Cloud Instance Metadata API,[],[],,AWS Config,technique-scores,Protect,Partial,T1552,2 +69,"The ""eks-endpoint-no-public-access"" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to gather credentials via the API. The ""eks-secrets-encrypted"" managed rule can identify configuration problems that should be fixed in order to ensure that Kubernetes secrets (including those containing credentials) are encrypted to prevent malicious access. Both controls are run periodically and only provide partial coverage because they are specific to public access and adversaries without the ability to decrypt secrets, respectively, resulting in an overall score of Partial.",T1552.007,Container API,[],[],,AWS Config,technique-scores,Protect,Partial,T1552,2 +70,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1557,Man-in-the-Middle,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Minimal,,2 +71,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1562,Impair Defenses,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Detect,Minimal,,2 +72,"The ""ec2-managedinstance-applications-required"" managed rule verifies that all applications in a pre-defined list of requirements are installed on specified managed instances, and is run on configuration changes. It will not detect modification to those applications, but will detect if they are uninstalled. The ""ec2-managedinstance-applications-blacklisted"" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances, and can be used to detect installation of applications below a minimum version, which can identify adversary attempts to downgrade required tools to insecure or ineffective older versions. 
Given the host-based scoping of this technique, coverage is partial, resulting in an overall score of Partial.",T1562.001,Disable or Modify Tools,[],[],,AWS Config,technique-scores,Detect,Partial,T1562,2 +73,"The following AWS Config managed rules can identify potentially malicious changes to cloud firewall status and ensure that a WAF is enabled and enforcing specified ACLs: ""lab-waf-enabled"" for Application Load Balancers; ""api-gw-associated-with-waf"" for Amazon API Gateway API stages; ""cloudfront-associated-with-waf"" for Amazon CloudFront distributions; ""fms-webacl-resource-policy-check"", ""fms-webacl-resource-policy-check"", and ""fms-webacl-rulegroup-association-check"" for AWS Firewall Manager; ""vpc-default-security-group-closed"", ""vpc-network-acl-unused-check"", and ""vpc-sg-open-only-to-authorized-ports"" for VPC security groups; and ""ec2-security-group-attached-to-eni"" for EC2 and ENI security groups; all of which are run on configuration changes. +The following AWS Config managed rules can identify specific configuration changes to VPC configuration that may suggest malicious modification to bypass protections: ""internet-gateway-authorized-vpc-only"" can identify Internet gateways (IGWs) attached to unauthorized VPCs, which can allow unwanted communication between a VPC and the Internet; ""lambda-inside-vpc"" can identify VPCs that have granted execution access to unauthorized Lambda functions; ""service-vpc-endpoint-enabled"" can verify that endpoints are active for the appropriate services across VPCs; ""subnet-auto-assign-public-ip-disabled"" checks for public IP addresses assigned to subnets within VPCs. 
+Coverage factor is significant for these rules, since they cover firewall configuration for and via a wide range of services, resulting in an overall score of Significant.",T1562.007,Disable or Modify Cloud Firewall,[],[],,AWS Config,technique-scores,Detect,Significant,T1562,2 +74,"The following AWS Config managed rules can identify potentially malicious changes to cloud logging: ""api-gw-execution-logging-enabled"", ""cloudfront-accesslogs-enabled"", ""elasticsearch-logs-to-cloudwatch"", ""elb-logging-enabled"", ""redshift-cluster-configuration-check"", ""rds-logging-enabled"", and ""s3-bucket-logging-enabled"" are run on configuration changes. ""cloudtrail-security-trail-enabled"", ""cloud-trail-cloud-watch-logs-enabled"", ""cloudtrail-s3-dataevents-enabled"", ""vpc-flow-logs-enabled"", ""waf-classic-logging-enabled"", and ""wafv2-logging-enabled"" are run periodically. +Coverage factor is significant for these rules, since they cover logging configuration for a wide range of services, resulting in an overall score of Significant.",T1562.008,Disable Cloud Logs,[],[],,AWS Config,technique-scores,Detect,Significant,T1562,2 +75,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1609,Container Administration Command,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +76,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1610,Deploy Container,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +77,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. +AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1611,Escape to Host,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +78,"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices. 
+AWS Config rules can be set to one of two types, ""configuration changes"" and ""periodic"", which are evaluated upon configuration changes and at a user-defined period, respectively.",T1613,Container and Resource Discovery,"['https://docs.aws.amazon.com/config', 'https://docs.aws.amazon.com/config/latest/developerguide', 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html']",[],,AWS Config,technique-scores,Protect,Partial,,2 +79,The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.,T1485,Data Destruction,['https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html'],['Storage'],,AWS S3,technique-scores,Protect,Significant,,2 +80,The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html'],['Storage'],,AWS S3,technique-scores,Protect,Significant,,2 +81,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1595,Active Scanning,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +82,"There are a few finding types offered by GuardDuty that flag this behavior: Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep.",T1595.001,Scanning IP Blocks,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1595,2 +83,"There are finding types that show when an EC2 instance is probing other AWS resources for information. Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep",T1595.002,Vulnerability Scanning,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1595,2 +84,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1189,Drive-by Compromise,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +85,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1190,Exploit Public-Facing Application,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +86,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1566,Phishing,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +87,The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.,T1566.001,Spearphishing Attachment,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1566,2 +88,The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.,T1566.002,Spearphishing Link,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1566,2 +89,The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.,T1566.003,Spearphishing via Service,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1566,2 +90,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1078,Valid Accounts,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +91,Listed findings above flag instances where there are indications of account compromise.,T1078.001,Default Accounts,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1078,2 +92,Listed findings above flag instances where there are indications of account compromise.,T1078.004,Cloud Accounts,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1078,2 +93,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1098,Account Manipulation,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +94,"The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair.",T1098.001,Additional Cloud Credentials,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1098,2 +95,"The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair.",T1098.004,SSH Authorized Keys,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1098,2 +96,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1562,Impair Defenses,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +97,"The following GuardDuty findings provide indicators of malicious activity in defense measures: +Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller",T1562.008,Disable Cloud Logs,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1562,2 +98,"The following GuardDuty findings provide indicators of malicious activity in defense measures: +Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller",T1562.006,Indicator Blocking,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1562,2 +99,"The following GuardDuty findings provide indicators of malicious activity in defense measures: +Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom 
UnauthorizedAccess:S3/TorIPCaller",T1562.001,Disable or Modify Tools,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1562,2 +100,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1110,Brute Force,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +101,"Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.",T1110.001,Password Guessing,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1110,2 +102,"Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.",T1110.003,Password Spraying,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1110,2 +103,"Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.",T1110.004,Credential Stuffing,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1110,2 +104,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +105,"The following finding types in Amazon GuardDuty can be used to identify potentially malicious interactions with S3 which may lead to the compromise of any credential files stored in S3: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller +The score is capped at Partial since the findings only apply to credential files stored within S3 buckets and only certain types of suspicious behaviors.",T1552.001,Credentials In Files,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1552,2 +106,The UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type flags attempts to run AWS API operations from a host outside of EC2 using temporary AWS credentials that were created on an EC2 instance in your AWS environment. This may indicate that the temporary credentials have been compromised. Score is capped at Minimal because external use is required for detection.,T1552.005,Cloud Instance Metadata API,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1552,2 +107,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1580,Cloud Infrastructure Discovery,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +108,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1526,Cloud Service Discovery,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +109,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1046,Network Service Scanning,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +110,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1530,Data from Cloud Storage Object,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +111,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1071,Application Layer Protocol,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +112,"GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. +UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation",T1071.001,Web Protocols,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1071,2 +113,"GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. +UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation",T1071.002,File Transfer Protocols,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1071,2 +114,"GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. 
+UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation",T1071.003,Mail Protocols,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1071,2 +115,"GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection. +UnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation",T1071.004,DNS,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1071,2 +116,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1568,Dynamic Resolution,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +117,"GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations. 
+Trojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS",T1568.002,Domain Generation Algorithms,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1568,2 +118,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1571,Non-Standard Port,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +119,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1090,Proxy,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +120,"The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. +Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.",T1090.001,Internal Proxy,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1090,2 +121,"The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. +Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.",T1090.002,External Proxy,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1090,2 +122,"The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. 
+Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.",T1090.003,Multi-hop Proxy,[],[],,Amazon GuardDuty,technique-scores,Detect,Minimal,T1090,2 +123,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1020,Automated Exfiltration,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +124,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1029,Scheduled Transfer,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +125,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1041,Exfiltration Over C2 Channel,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Minimal,,2 +126,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1048,Exfiltration Over Alternative Protocol,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +127,"The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. +Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1048,2 +128,"Scores for this service are capped at Partial due to limited coverage and accuracy information. 
+The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1567,Exfiltration Over Web Service,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +129,"The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel. +Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual",T1567.001,Exfiltration to Code Repository,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1567,2 +130,"The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel. +Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual",T1567.002,Exfiltration to Cloud Storage,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1567,2 +131,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1531,Account Access Removal,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +132,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1485,Data Destruction,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +133,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1486,Data Encrypted for Impact,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +134,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1565,Data Manipulation,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +135,"The Impact:S3/MaliciousIPCaller finding type is looking for API calls commonly associated with Impact tactic of techniques where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment.",T1565.001,Stored Data Manipulation,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1565,2 +136,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1498,Network Denial of Service,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +137,"The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. +Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns",T1498.001,Direct Network Flood,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1498,2 +138,"The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. +Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns",T1498.002,Reflection Amplification,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1498,2 +139,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. 
+The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1496,Resource Hijacking,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +140,"Scores for this service are capped at Partial due to limited coverage and accuracy information. +The temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours. +The following findings were not mappable: + Backdoor:EC2/Spambot + Impact:EC2/AbusedDomainRequest.Reputation + InitialAccess:IAMUser/AnomalousBehavior",T1491,Defacement,"['https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan', 'https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html']",[],,Amazon GuardDuty,technique-scores,Detect,Partial,,2 +141,"The following finding types can be used to detect behavior that can lead to the defacement of +cloud resources: +Impact:S3/MaliciousIPCaller +Exfiltration:S3/MaliciousIPCaller +Exfiltration:S3/ObjectRead.Unusual +PenTest:S3/KaliLinux +PenTest:S3/ParrotLinux +PenTest:S3/PentooLinux +UnauthorizedAccess:S3/MaliciousIPCaller.Custom +UnauthorizedAccess:S3/TorIPCaller",T1491.002,External Defacement,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1491,2 +142,"The following finding types can be used to detect behavior that can lead to the defacement of +cloud resources: +Impact:S3/MaliciousIPCaller +Exfiltration:S3/MaliciousIPCaller +Exfiltration:S3/ObjectRead.Unusual +PenTest:S3/KaliLinux +PenTest:S3/ParrotLinux +PenTest:S3/PentooLinux +UnauthorizedAccess:S3/MaliciousIPCaller.Custom 
+UnauthorizedAccess:S3/TorIPCaller",T1491.001,Internal Defacement,[],[],,Amazon GuardDuty,technique-scores,Detect,Partial,T1491,2 +143,There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.,T1498,Network Denial of Service,"['https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc', 'https://aws.amazon.com/shield/features/']","['Denial of Service', 'Network']",,AWS Shield,technique-scores,Respond,Significant,,2 +144,"AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue. ",T1498.001,Direct Network Flood,[],[],,AWS Shield,technique-scores,Respond,Significant,T1498,2 +145,"AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue. 
",T1498.002,Reflection Amplification,[],[],,AWS Shield,technique-scores,Respond,Significant,T1498,2 +146,There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.,T1499,Endpoint Denial of Service,"['https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc', 'https://aws.amazon.com/shield/features/']","['Denial of Service', 'Network']",,AWS Shield,technique-scores,Respond,Significant,,2 +147,AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. ,T1499.001,OS Exhaustion Flood,[],[],,AWS Shield,technique-scores,Respond,Significant,T1499,2 +148,AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. ,T1499.002,Service Exhaustion Flood,[],[],,AWS Shield,technique-scores,Respond,Significant,T1499,2 +149,AWS Shield Advance allows for customized detection and mitigations for custom applications that are running on EC2 instances.,T1499.003,Application Exhaustion Flood,[],[],,AWS Shield,technique-scores,Respond,Significant,T1499,2 +150,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1020,Automated Exfiltration,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,,2 +151,"The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to 
protect network traffic to/from IoT devices: ""CA certificate expiring"" (""CA_CERTIFICATE_EXPIRING_CHECK"" in the CLI and API), ""CA certificate key quality"" (""CA_CERTIFICATE_KEY_QUALITY_CHECK"" in the CLI and API), and ""CA certificate revoked but device certificates still active"" (""REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the ""UPDATE_CA_CERTIFICATE"" mitigation action which can resolve them. ""Device certificate expiring"" (""DEVICE_CERTIFICATE_EXPIRING_CHECK"" in the CLI and API), ""Device certificate key quality"" (""DEVICE_CERTIFICATE_KEY_QUALITY_CHECK"" in the CLI and API), ""Device certificate shared"" (""DEVICE_CERTIFICATE_SHARED_CHECK"" in the CLI and API), and ""Revoked device certificate still active"" (""REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API) can identify problems with IoT devices' certificates and support the ""UPDATE_DEVICE_CERTIFICATE"" and ""ADD_THINGS_TO_THING_GROUP"" mitigation actions which can resolve them. +Coverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.",T1020.001,Traffic Duplication,[],[],,AWS IoT Device Defender,technique-scores,Protect,Partial,T1020,2 +152,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1040,Network Sniffing,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Partial,,2 +153,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1041,Exfiltration Over C2 Channel,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +154,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. 
AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.",T1046,Network Service Scanning,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +155,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1048,Exfiltration Over Alternative Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +156,"The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: ""Destination IPs"" (""aws:destination-ip-addresses"") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 
""Bytes in"" (""aws:all-bytes-in""), ""Bytes out"" (""aws:all-bytes-out""), ""Packets in"" (""aws:all-packets-in""), and ""Packets out"" (""aws:all-packets-out"") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. ""Listening TCP ports"" (""aws:listening-tcp-ports""), ""Listening TCP port count"" (""aws:num-listening-tcp-ports""), ""Established TCP connections count"" (""aws:num-established-tcp-connections""), ""Listening UDP ports"" (""aws:listening-udp-ports""), and ""Listening UDP port count"" (""aws:num-listening-udp-ports"") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols. +Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1048,2 +157,"The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: ""Destination IPs"" (""aws:destination-ip-addresses"") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. ""Bytes in"" (""aws:all-bytes-in""), ""Bytes out"" (""aws:all-bytes-out""), ""Packets in"" (""aws:all-packets-in""), and ""Packets out"" (""aws:all-packets-out"") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. 
""Listening TCP ports"" (""aws:listening-tcp-ports""), ""Listening TCP port count"" (""aws:num-listening-tcp-ports""), ""Established TCP connections count"" (""aws:num-established-tcp-connections""), ""Listening UDP ports"" (""aws:listening-udp-ports""), and ""Listening UDP port count"" (""aws:num-listening-udp-ports"") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols. +Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1048,2 +158,"The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: ""Destination IPs"" (""aws:destination-ip-addresses"") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. ""Bytes in"" (""aws:all-bytes-in""), ""Bytes out"" (""aws:all-bytes-out""), ""Packets in"" (""aws:all-packets-in""), and ""Packets out"" (""aws:all-packets-out"") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. ""Listening TCP ports"" (""aws:listening-tcp-ports""), ""Listening TCP port count"" (""aws:num-listening-tcp-ports""), ""Established TCP connections count"" (""aws:num-established-tcp-connections""), ""Listening UDP ports"" (""aws:listening-udp-ports""), and ""Listening UDP port count"" (""aws:num-listening-udp-ports"") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols. 
+Coverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1048,2 +159,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.",T1071,Application Layer Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +160,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1078,Valid Accounts,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +161,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
+Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1078,Valid Accounts,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,,2 +162,"The following AWS IoT Device Defender audit checks can identify potentially malicious use of valid cloud credentials by AWS IoT devices, which may indicate that devices have been compromised: ""CA certificate revoked but device certificates still active"" (""REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API) indicates that device certificates signed using a revoked CA certificate are still active, which may indicate that devices using those certificates are controlled by an adversary if the CA certificate was revoked due to compromise. 
""Device certificate shared"" (""DEVICE_CERTIFICATE_SHARED_CHECK"" in the CLI and API), ""Revoked device certificate still active"" (""REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API), and ""Conflicting MQTT client IDs"" (""CONFLICTING_CLIENT_IDS_CHECK"" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or IDs and/or certificates that have been revoked due to compromise, all of which suggest that an adversary may be using clones of compromised devices to leverage their access. +The following AWS IoT Device Defender cloud-side detection metrics can identify potentially malicious use of valid cloud credentials by IoT devices, which may indicate that devices have been compromised: ""Source IP"" (""aws:source-ip-address"") values outside of expected IP address ranges may suggest that a device has been stolen. ""Authorization failures"" (""aws:num-authorization-failures"") counts above a typical threshold may indicate that a compromised device is attempting to use its connection to AWS IoT to access resources for which it does not have access and being denied. High counts for ""Disconnects"" (""aws:num-disconnects""), especially in conjunction with high counts for ""Connection attempts"" (""aws:num-connection-attempts""), which include successful attempts, may indicate that a compromised device is connecting and disconnecting from AWS IoT using the device's associated access. 
+Coverage factor is partial for these metrics, checks, and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.",T1078.004,Cloud Accounts,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1078,2 +163,"The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and in some cases resolve configuration problems that should be fixed in order to limit the potential impact of compromised accounts with access to AWS IoT resources: The ""Authenticated Cognito role overly permissive"" (""AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK"" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles. The ""Unauthenticated Cognito role overly permissive"" (""UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK"" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles and do not require authentication, which pose a substantial risk because they can be trivially accessed. The ""AWS IoT policies overly permissive"" (""IOT_POLICY_OVERLY_PERMISSIVE_CHECK"" in the CLI and API) audit check can identify AWS IoT policies which grant excessive privileges and permissions for AWS IoT actions and supports the ""REPLACE_DEFAULT_POLICY_VERSION"" mitigation action which can reduce permissions to limit potential misuse. 
The ""Role alias allows access to unused services"" (""IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK"" in the CLI and API) and ""Role alias overly permissive"" (""IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK"" in the CLI and API) audit checks can identify AWS IoT role aliases which allow connected devices to authenticate using their certificates and obtain short-lived AWS credentials from an associated IAM role which grant permissions and privileges beyond those necessary to the devices' functions and should be fixed in order to prevent further account compromise from compromised devices. +Coverage factor is partial for these checks and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.",T1078.004,Cloud Accounts,[],[],,AWS IoT Device Defender,technique-scores,Protect,Partial,T1078,2 +164,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1095,Non-Application Layer Protocol,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +165,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
+Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1496,Resource Hijacking,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +166,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1530,Data from Cloud Storage Object,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Partial,,2 +167,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1552,Unsecured Credentials,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +168,"The following AWS IoT Device Defender audit checks can identify potentially malicious use of private keys associated with AWS IoT devices, which may indicate that the keys have been taken from compromised devices and 
repurposed by an adversary: ""Device certificate shared"" (""DEVICE_CERTIFICATE_SHARED_CHECK"" in the CLI and API) and ""Revoked device certificate still active"" (""REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK"" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or certificates that have been revoked due to compromise, both of which suggest that an adversary may be misusing stolen private keys. +Coverage factor is partial for these checks and mitigations, since they are specific to use of private keys associated with AWS IoT devices, resulting in an overall score of Partial.",T1552.004,Private Keys,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1552,2 +169,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.",T1557,Man-in-the-Middle,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Protect,Minimal,,2 +170,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. +Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1562,Impair Defenses,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Detect,Minimal,,2 +171,"Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping. 
+Mappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.",T1562,Impair Defenses,"['https://aws.amazon.com/iot-device-defender/', 'https://docs.aws.amazon.com/iot-device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions', 'https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit', 'https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect']","['Internet of Things', 'IoT']",,AWS IoT Device Defender,technique-scores,Respond,Minimal,,2 +172,"The ""Logging disabled"" audit check (""LOGGING_DISABLED_CHECK"" in the CLI and API) can identify potentially malicious changes to AWS IoT logs (both V1 and V2), which should be enabled in Amazon CloudWatch. 
Score is limited to Partial since this control only addresses IoT logging.",T1562.008,Disable Cloud Logs,[],[],,AWS IoT Device Defender,technique-scores,Detect,Partial,T1562,2 +173,"The ""ENABLE_IOT_LOGGING"" mitigation action (which is supported by the ""Logging disabled"" audit check) enables AWS IoT logging if it is not enabled when the check is run, effectively reversing the adversary behavior if those logs were disabled due to malicious changes. Score is limited to Partial since this control only addresses IoT logging.",T1562.008,Disable Cloud Logs,[],[],,AWS IoT Device Defender,technique-scores,Respond,Partial,T1562,2 +174,,T1078,Valid Accounts,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Partial,,2 +175,"This control may protect against malicious use of cloud accounts by implementing service control policies that define what actions an account may take. If best practices are followed, AWS accounts should only have the least amount of privileges required.",T1078.004,Cloud Accounts,[],[],,AWS Organizations,technique-scores,Protect,Significant,T1078,2 +176,,T1087,Account Discovery,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Minimal,,2 +177,This control may protect against cloud account discovery by segmenting accounts into separate organizational units and restricting to least privileges between groups. 
,T1087.004,Cloud Account,[],[],,AWS Organizations,technique-scores,Protect,Partial,T1087,2 +178,,T1580,Cloud Infrastructure Discovery,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Partial,,2 +179,,T1538,Cloud Service Dashboard,"['https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html', 'https://aws.amazon.com/organizations/getting-started/best-practices/']",['Identity'],,AWS Organizations,technique-scores,Protect,Partial,,2 +180,,T1190,Exploit Public-Facing Application,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +181,,T1485,Data Destruction,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +182,,T1486,Data Encrypted for Impact,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +183,,T1565,Data Manipulation,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Minimal,,2 +184,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. 
In the event that data on servers is manipulated, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1565.001,Stored Data Manipulation,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1565,2 +185,,T1491,Defacement,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +186,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1491.001,Internal Defacement,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1491,2 +187,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1491.002,External Defacement,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1491,2 +188,,T1561,Disk Wipe,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +189,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. 
In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1561.001,Disk Content Wipe,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1561,2 +190,"AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.",T1561.002,Disk Structure Wipe,[],[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,T1561,2 +191,,T1490,Inhibit System Recovery,"['https://aws.amazon.com/cloudendure-disaster-recovery/', 'https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm']",[],,AWS CloudEndure Disaster Recovery,technique-scores,Respond,Significant,,2 +192,,T1552,Unsecured Credentials,"['https://aws.amazon.com/kms/', 'https://docs.aws.amazon.com/kms/latest/developerguide/overview.html']",['Credentials'],,AWS Key Management Service,technique-scores,Protect,Minimal,,2 +193,"This service provides a more secure alternative to storing encryption keys in the file system. As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score.",T1552.001,Credentials In Files,[],[],,AWS Key Management Service,technique-scores,Protect,Partial,T1552,2 +194,This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. 
The service does not allow anyone access to retrieve plaintext keys from the service.,T1552.004,Private Keys,[],[],,AWS Key Management Service,technique-scores,Protect,Significant,T1552,2 +195,,T1588,Obtain Capabilities,"['https://aws.amazon.com/kms/', 'https://docs.aws.amazon.com/kms/latest/developerguide/overview.html']",['Credentials'],,AWS Key Management Service,technique-scores,Protect,Partial,,2 +196,"The encryption key for the certificate can be stored in KMS, reducing its attack surface. Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised.",T1588.003,Code Signing Certificates,[],[],,AWS Key Management Service,technique-scores,Protect,Partial,T1588,2 +197,"The encryption key for the certificate can be stored in KMS, reducing its attack surface. Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised.",T1588.004,Digital Certificates,[],[],,AWS Key Management Service,technique-scores,Protect,Partial,T1588,2 +198,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1189,Drive-by Compromise,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +199,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +200,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1203,Exploitation for Client 
Execution,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +201,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1068,Exploitation for Privilege Escalation,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +202,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1211,Exploitation for Defense Evasion,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +203,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1212,Exploitation for Credential Access,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +204,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +205,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1110,Brute Force,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +206,"The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. 
Specific security controls it can assess include ""Disable password authentication over SSH"", ""Configure password maximum age"", ""Configure password minimum length"", and ""Configure password complexity"" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.",T1110.001,Password Guessing,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1110,2 +207,"The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include ""Disable password authentication over SSH"", ""Configure password maximum age"", ""Configure password minimum length"", and ""Configure password complexity"" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.",T1110.002,Password Cracking,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1110,2 +208,"The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. 
Specific security controls it can assess include ""Disable password authentication over SSH"", ""Configure password maximum age"", ""Configure password minimum length"", and ""Configure password complexity"" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.",T1110.003,Password Spraying,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1110,2 +209,"The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include ""Disable password authentication over SSH"", ""Configure password maximum age"", ""Configure password minimum length"", and ""Configure password complexity"" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.",T1110.004,Credential Stuffing,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1110,2 +210,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1133,External Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +211,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1021,Remote Services,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +212,"The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, ""Disable root login over SSH"". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. 
Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.",T1021.004,SSH,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1021,2 +213,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1222,File and Directory Permissions Modification,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +214,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this the score is capped at Partial. ",T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1222,2 +215,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1562,Impair Defenses,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +216,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1562.001,Disable or Modify Tools,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1562,2 +217,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1562.003,Impair Command History Logging,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1562,2 +218,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1562.004,Disable or Modify System Firewall,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1562,2 +219,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1562.006,Indicator Blocking,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1562,2 +220,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1070,Indicator Removal on Host,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +221,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1070.002,Clear Linux or Mac System Logs,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +222,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1070.003,Clear Command History,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +223,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1070.004,File Deletion,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +224,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1070.005,Network Share Connection Removal,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +225,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1070.006,Timestomp,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1070,2 +226,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1599,Network Boundary Bridging,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +227,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1599.001,Network Address Translation Traversal,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1599,2 +228,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1003,OS Credential Dumping,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +229,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1003.007,Proc Filesystem,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1003,2 +230,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1003.008,/etc/passwd and /etc/shadow,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1003,2 +231,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1053,Scheduled Task/Job,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +232,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1053.001,At (Linux),[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1053,2 +233,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
",T1053.003,Cron,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1053,2 +234,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1053.006,Systemd Timers,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1053,2 +235,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1489,Service Stop,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +236,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1529,System Shutdown/Reboot,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +237,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1548,Abuse Elevation Control Mechanism,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +238,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system 
configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ",T1548.003,Sudo and Sudo Caching,[],[],,Amazon Inspector,technique-scores,Protect,Minimal,T1548,2 +239,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1037,Boot or Logon Initialization Scripts,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +240,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. 
",T1037.004,RC Scripts,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1037,2 +241,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1543,Create or Modify System Process,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Minimal,,2 +242,"The Amazon Inspector Best Practices assessment package can assess security control ""Configure permissions for system directories"" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. ",T1543.002,Systemd Service,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1543,2 +243,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1046,Network Service Scanning,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +244,The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.,T1595,Active Scanning,['https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html'],[],,Amazon Inspector,technique-scores,Protect,Partial,,2 +245,"The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). 
Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. ",T1595.001,Scanning IP Blocks,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1595,2 +246,"The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. ",T1595.002,Vulnerability Scanning,[],[],,Amazon Inspector,technique-scores,Protect,Partial,T1595,2 +247,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +248,VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. 
WHOIS) resulting in a Partial coverage score and an overall Partial score.,T1590.001,Domain Properties,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1590,2 +249,VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.,T1590.004,Network Topology,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1590,2 +250,VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.,T1590.005,IP Addresses,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1590,2 +251,VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.,T1590.006,Network Security Appliances,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1590,2 +252,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1595,Active Scanning,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +253,"VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1595.001,Scanning IP Blocks,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1595,2 +254,"VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1595.002,Vulnerability Scanning,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1595,2 +255,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1133,External Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +256,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1205,Traffic Signaling,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +257,"VPC security groups and network access control lists (NACLs) can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the security group or NACL level. ",T1205.001,Port Knocking,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,T1205,2 +258,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1046,Network Service Scanning,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,,2 +259,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1018,Remote System Discovery,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +260,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1008,Fallback Channels,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +261,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1095,Non-Application Layer Protocol,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +262,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1571,Non-Standard Port,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,,2 +263,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1219,Remote Access Software,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +264,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1048,Exfiltration Over Alternative Protocol,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +265,"VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. 
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1048,2 +266,"VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1048,2 +267,"VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. 
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1048,2 +268,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1040,Network Sniffing,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,,2 +269,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1557,Man-in-the-Middle,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,,2 +270,,T1557.002,ARP Cache Poisoning,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,T1557,2 +271,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,T1557,2 +272,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1565,Data Manipulation,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +273,,T1565.002,Transmitted Data Manipulation,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Significant,T1565,2 +274,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1199,Trusted Relationship,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +275,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1602,Data from Configuration Repository,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +276,Can limit access to client management interfaces or configuration databases.,T1602.002,Network Device Configuration Dump,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1602,2 +277,Can limit access to client management interfaces or configuration databases.,T1602.001,SNMP (MIB Dump),[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1602,2 +278,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1542,Pre-OS Boot,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,,2 +279,VPC security groups and network access control lists (NACLs) can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.,T1542.005,TFTP Boot,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1542,2 +280,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +281,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1021,Remote Services,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +282,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.006,Windows Remote Management,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +283,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.,T1021.005,VNC,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +284,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.004,SSH,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +285,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.003,Distributed Component Object Model,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +286,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.002,SMB/Windows Admin Shares,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +287,VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. 
This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.001,Remote Desktop Protocol,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1021,2 +288,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1072,Software Deployment Tools,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +289,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1482,Domain Trust Discovery,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +290,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1498,Network Denial of Service,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,,2 +291,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1499,Endpoint Denial of Service,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,,2 +292,VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.,T1499.003,Application Exhaustion Flood,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,T1499,2 +293,VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.,T1499.002,Service Exhaustion Flood,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,T1499,2 +294,VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.,T1499.001,OS Exhaustion Flood,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Minimal,T1499,2 +295,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1570,Lateral Tool Transfer,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +296,"The mappings contained in this file were based on Amazon's ""Security in Amazon Virtual Private Cloud"" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).",T1090,Proxy,['https://docs.aws.amazon.com/vpc/latest/userguide/security.html'],['Network'],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,,2 +297,"VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.003,Multi-hop Proxy,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1090,2 +298,"VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.002,External Proxy,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1090,2 +299,"VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.001,Internal Proxy,[],[],,Amazon Virtual Private Cloud,technique-scores,Protect,Partial,T1090,2 +300,,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 
'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Minimal,,2 +301,"Amazon Cognito has the ability to alert and block accounts where credentials were found to be compromised elsewhere (compromised credential protection). The service also detects unusual sign-in activity, such as sign-in attempts from new locations and devices and can either prompt users for additional verification or block the sign-in request. There was insufficient detail on the operation of these capabilities and therefore a conservative assessment of a Partial score has been assigned.",T1078.004,Cloud Accounts,[],[],,Amazon Cognito,technique-scores,Protect,Partial,T1078,2 +302,,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Significant,,2 +303,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.001,Password Guessing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,2 +304,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.002,Password Cracking,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,2 +305,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.003,Password Spraying,[],[],,Amazon 
Cognito,technique-scores,Protect,Significant,T1110,2 +306,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.004,Credential Stuffing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,2 +307,,T1190,Exploit Public-Facing Application,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,,2 +308,,T1189,Drive-by Compromise,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,,2 +309,,T1203,Exploitation for Client Execution,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Significant,,2 +310,,T1059,Command and Scripting Interpreter,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,,2 +311,"The AWS WAF protects web applications from injection attacks that leverage command and 
scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. +AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet +This is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.",T1059.001,PowerShell,[],[],,AWS Web Application Firewall,technique-scores,Protect,Significant,T1059,2 +312,"The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. +AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet +This is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.",T1059.004,Unix Shell,[],[],,AWS Web Application Firewall,technique-scores,Protect,Significant,T1059,2 +313,"The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. 
+AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet +This is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.",T1059.007,JavaScript,[],[],,AWS Web Application Firewall,technique-scores,Protect,Significant,T1059,2 +314,,T1090,Proxy,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,,2 +315,"The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic. +AWSManagedRulesAnonymousIpList +This is given a score of Partial because it provide protections for only a subset of the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.",T1090.002,External Proxy,[],[],,AWS Web Application Firewall,technique-scores,Protect,Partial,T1090,2 +316,"The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic. 
+AWSManagedRulesAnonymousIpList +This is given a score of Partial because it provide protections for only a subset of the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.",T1090.003,Multi-hop Proxy,[],[],,AWS Web Application Firewall,technique-scores,Protect,Partial,T1090,2 +317,,T1595,Active Scanning,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,,2 +318,"AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection. +AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet +This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.",T1595.001,Scanning IP Blocks,[],[],,AWS Web Application Firewall,technique-scores,Protect,Partial,T1595,2 +319,"AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection. 
+AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet +This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.",T1595.002,Vulnerability Scanning,[],[],,AWS Web Application Firewall,technique-scores,Protect,Partial,T1595,2 +320,,T1046,Network Service Scanning,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Partial,,2 +321,,T1071,Application Layer Protocol,"['https://aws.amazon.com/waf/', 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html', 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html']",['Network'],,AWS Web Application Firewall,technique-scores,Protect,Minimal,,2 +322,"AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. AWS WAF uses the following rule sets to provide this protection. 
+AWSManagedRulesCommonRuleSet AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet +This is scored as Minimal because the rule sets only protect against the web protocols sub-technique.",T1071.001,Web Protocols,[],[],,AWS Web Application Firewall,technique-scores,Protect,Minimal,T1071,2 +323,,T1496,Resource Hijacking,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Detect,Partial,,2 +324,,T1610,Deploy Container,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Detect,Partial,,2 +325,,T1040,Network Sniffing,['https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html'],['Metrics'],,AWS CloudWatch,technique-scores,Protect,Significant,,2 +326,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +327,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1592,Gather Victim Host Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +328,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
",T1592.001,Hardware,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1592,2 +329,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1592.002,Software,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1592,2 +330,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1592.003,Firmware,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1592,2 +331,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
",T1592.004,Client Configurations,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1592,2 +332,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1589,Gather Victim Identity Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +333,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
",T1589.001,Credentials,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1589,2 +334,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1589.002,Email Addresses,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1589,2 +335,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1589.003,Employee Names,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1589,2 +336,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). 
Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +337,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.001,Domain Properties,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +338,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.002,DNS,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +339,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. 
+S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.003,Network Trust Dependencies,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +340,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.004,Network Topology,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +341,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.005,IP Addresses,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +342,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. 
+S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1590.006,Network Security Appliances,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1590,2 +343,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1591,Gather Victim Org Information,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +344,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
",T1591.001,Determine Physical Locations,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1591,2 +345,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1591.002,Business Relationships,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1591,2 +346,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ",T1591.003,Identify Business Tempo,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1591,2 +347,"AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights. +S3 buckets with public write or read permissions S3 buckets with sensitive data +This is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
",T1591.004,Identify Roles,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1591,2 +348,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1580,Cloud Infrastructure Discovery,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +349,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1078,Valid Accounts,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +350,"AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights. +AWS principals with suspicious access key activity Credentials that may have leaked AWS resources with unauthorized access attempts IAM users with suspicious activity +AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks. +3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 3.3 Ensure a log metric filter and alarm exist for usage of ""root"" account 3.4 Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures [PCI.CW.1] A log metric filter and alarm should exist for usage of the ""root"" user +By monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised. +This is scored as Significant because it reports on suspicious activity by AWS accounts. 
",T1078.004,Cloud Accounts,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1078,2 +351,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1190,Exploit Public-Facing Application,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +352,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1203,Exploitation for Client Execution,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +353,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1068,Exploitation for Privilege Escalation,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +354,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). 
It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1211,Exploitation for Defense Evasion,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +355,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
+",T1212,Exploitation for Credential Access,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +356,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1210,Exploitation of Remote Services,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +357,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). 
Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1531,Account Access Removal,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +358,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1098,Account Manipulation,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +359,"AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. AWS Security Hub provides this detection with the following check. 
+3.4 Ensure a log metric filter and alarm exist for IAM policy changes +This is scored as Significant because it can monitor all changes to IAM policy which can be used to detect any changes made to accounts. ",T1098.001,Additional Cloud Credentials,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1098,2 +360,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1562,Impair Defenses,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Partial,,2 +361,"AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. 
+3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes +This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. ",T1562.008,Disable Cloud Logs,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1562,2 +362,"AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. +3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes +This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. 
",T1562.001,Disable or Modify Tools,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1562,2 +363,"AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. +3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes +This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. ",T1562.007,Disable or Modify Cloud Firewall,[],[],,AWS Security Hub,technique-scores,Detect,Significant,T1562,2 +364,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. +",T1110,Brute Force,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +365,"AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. +3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures +This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ",T1110.001,Password Guessing,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1110,2 +366,"AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. +3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures +This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ",T1110.003,Password Spraying,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1110,2 +367,"AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. 
+3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures +This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ",T1110.004,Credential Stuffing,[],[],,AWS Security Hub,technique-scores,Detect,Minimal,T1110,2 +368,"Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., ""S3 buckets with public write or read permissions""). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., ""EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)""). +AWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
+",T1485,Data Destruction,['https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html'],[],,AWS Security Hub,technique-scores,Detect,Minimal,,2 +369,,T1078,Valid Accounts,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Partial,,2 +370,,T1078,Valid Accounts,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Detect,Partial,,2 +371,This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.,T1078.004,Cloud Accounts,[],[],,AWS Identity and Access Management,technique-scores,Protect,Partial,T1078,2 +372,The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. This tool will scan upon any change to access policies or periodically within 24 hours.,T1078.004,Cloud Accounts,[],[],,AWS Identity and Access Management,technique-scores,Detect,Minimal,T1078,2 +373,,T1098,Account Manipulation,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Detect,Minimal,,2 +374,The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. 
This tool will scan upon any change to access policies or periodically within 24 hours.,T1098.001,Additional Cloud Credentials,[],[],,AWS Identity and Access Management,technique-scores,Detect,Minimal,T1098,2 +375,,T1550,Use Alternate Authentication Material,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Minimal,,2 +376,This control may mitigate against application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer. ,T1550.001,Application Access Token,[],[],,AWS Identity and Access Management,technique-scores,Protect,Minimal,T1550,2 +377,,T1110,Brute Force,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Significant,,2 +378,"This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.",T1110.004,Credential Stuffing,[],[],,AWS Identity and Access Management,technique-scores,Protect,Significant,T1110,2 +379,"This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.",T1110.001,Password Guessing,[],[],,AWS Identity and Access Management,technique-scores,Protect,Significant,T1110,2 +380,"This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. 
These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.",T1110.003,Password Spraying,[],[],,AWS Identity and Access Management,technique-scores,Protect,Significant,T1110,2 +381,,T1528,Steal Application Access Token,['https://docs.aws.amazon.com/iam/index.html'],"['Identity', 'Credentials']",,AWS Identity and Access Management,technique-scores,Protect,Minimal,,2 +382,,T1555,Credentials from Password Stores,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,,2 +383,,T1212,Exploitation for Credential Access,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,,2 +384,,T1528,Steal Application Access Token,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,,2 +385,,T1552,Unsecured Credentials,"['https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html', 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html']",['Credentials'],,AWS Secrets Manager,technique-scores,Protect,Partial,,2 +386,This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.,T1552.001,Credentials In Files,[],[],,AWS Secrets Manager,technique-scores,Protect,Partial,T1552,2 +387,This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.,T1552.002,Credentials in Registry,[],[],,AWS Secrets Manager,technique-scores,Protect,Partial,T1552,2 +388,This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.,T1552.004,Private Keys,[],[],,AWS Secrets Manager,technique-scores,Protect,Partial,T1552,2 +389,,T1071,Application Layer Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,,2 +390,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",T1071.001,Web Protocols,[],[],,AWS Network Firewall,technique-scores,Protect,Significant,T1071,2 +391,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",T1071.002,File Transfer Protocols,[],[],,AWS Network Firewall,technique-scores,Protect,Significant,T1071,2 +392,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",T1071.003,Mail Protocols,[],[],,AWS Network Firewall,technique-scores,Protect,Significant,T1071,2 +393,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",T1071.004,DNS,[],[],,AWS Network Firewall,technique-scores,Protect,Significant,T1071,2 +394,,T1530,Data from Cloud Storage Object,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +395,,T1499,Endpoint Denial of Service,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +396,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. 
That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. ",T1499.001,OS Exhaustion Flood,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1499,2 +397,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. ",T1499.002,Service Exhaustion Flood,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1499,2 +398,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. 
",T1499.003,Application Exhaustion Flood,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1499,2 +399,,T1048,Exfiltration Over Alternative Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +400,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1048,2 +401,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. 
",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1048,2 +402,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1048,2 +403,,T1187,Forced Authentication,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,,2 +404,,T1498,Network Denial of Service,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Minimal,,2 +405,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. 
",T1498.001,Direct Network Flood,[],[],,AWS Network Firewall,technique-scores,Protect,Minimal,T1498,2 +406,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. ",T1498.002,Reflection Amplification,[],[],,AWS Network Firewall,technique-scores,Protect,Minimal,T1498,2 +407,,T1095,Non-Application Layer Protocol,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,,2 +408,,T1572,Protocol Tunneling,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +409,,T1090,Proxy,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +410,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.",T1090.002,External Proxy,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1090,2 +411,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.",T1090.003,Multi-hop Proxy,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1090,2 +412,,T1219,Remote Access Software,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +413,,T1021,Remote Services,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +414,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.001,Remote Desktop Protocol,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +415,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.002,SMB/Windows Admin Shares,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +416,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.004,SSH,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +417,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.005,VNC,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +418,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.",T1021.006,Windows Remote Management,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1021,2 +419,,T1205,Traffic Signaling,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +420,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against port knocking from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against port knocking among hosts within the network and behind the firewall.",T1205.001,Port Knocking,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1205,2 +421,,T1008,Fallback Channels,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +422,,T1104,Multi-Stage Channels,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +423,,T1046,Network Service Scanning,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +424,,T1595,Active Scanning,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 
+425,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. ",T1595.001,Scanning IP Blocks,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1595,2 +426,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. ",T1595.002,Vulnerability Scanning,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1595,2 +427,,T1571,Non-Standard Port,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Significant,,2 +428,,T1542,Pre-OS Boot,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Minimal,,2 +429,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. 
This mapping is given a score of Partial because AWS Network Firewall does not do anything to protect against TFTP booting among hosts within the network and behind the firewall.",T1542.005,TFTP Boot,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1542,2 +430,,T1041,Exfiltration Over C2 Channel,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +431,,T1018,Remote System Discovery,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +432,,T1133,External Remote Services,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +433,,T1590,Gather Victim Network Information,['https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html'],['Network'],,AWS Network Firewall,technique-scores,Protect,Partial,,2 +434,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ",T1590.001,Domain Properties,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1590,2 +435,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ",T1590.004,Network Topology,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1590,2 +436,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ",T1590.005,IP Addresses,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1590,2 +437,"AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. 
",T1590.006,Network Security Appliances,[],[],,AWS Network Firewall,technique-scores,Protect,Partial,T1590,2 +438,,T1078,Valid Accounts,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Partial,,2 +439,This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.,T1078.004,Cloud Accounts,[],[],,AWS Single Sign-On,technique-scores,Protect,Partial,T1078,2 +440,This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.,T1078.002,Domain Accounts,[],[],,AWS Single Sign-On,technique-scores,Protect,Partial,T1078,2 +441,,T1133,External Remote Services,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Significant,,2 +442,,T1110,Brute Force,['https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html'],"['Identity', 'Credentials']",,AWS Single Sign-On,technique-scores,Protect,Partial,,2 +443,This control may protect against brute force techniques by enabling multi-factor authentication. 
All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.,T1110.001,Password Guessing,[],[],,AWS Single Sign-On,technique-scores,Protect,Significant,T1110,2 +444,This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.,T1110.003,Password Spraying,[],[],,AWS Single Sign-On,technique-scores,Protect,Significant,T1110,2 +445,This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.,T1110.004,Credential Stuffing,[],[],,AWS Single Sign-On,technique-scores,Protect,Significant,T1110,2 +446,,T1552,Unsecured Credentials,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Minimal,,2 +447,"This service provides a more secure alternative to storing encryption keys in the file system. As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score.",T1552.001,Credentials In Files,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1552,2 +448,This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. 
The service does not allow anyone access to retrieve plaintext keys from the service.,T1552.004,Private Keys,[],[],,AWS CloudHSM,technique-scores,Protect,Significant,T1552,2 +449,,T1588,Obtain Capabilities,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Partial,,2 +450,Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.,T1588.004,Digital Certificates,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1588,2 +451,Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.,T1588.003,Code Signing Certificates,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1588,2 +452,,T1553,Subvert Trust Controls,"['https://aws.amazon.com/cloudhsm/', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html', 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html']",['Credentials'],,AWS CloudHSM,technique-scores,Protect,Partial,,2 +453,Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.,T1553.004,Install Root Certificate,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1553,2 +454,Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.,T1553.002,Code Signing,[],[],,AWS CloudHSM,technique-scores,Protect,Partial,T1553,2 diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_metadata.csv new file mode 100644 index 00000000..ee0adff9 --- /dev/null 
+++ b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_metadata.csv
@@ -0,0 +1,2 @@
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,1,9,enterprise,,ctid@mitre-engenuity.org,07/22/2021,,,AWS,,2
diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_navigator_layer.json
index 5eb39a58..8e48bacb 100644
--- a/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_navigator_layer.json
+++ b/src/mappings_explorer/cli/mapex/security_stack_files/AWS/parsed_security_stack_mappings_navigator_layer.json
@@ -1 +1 @@ -{"name": "security stack overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": 9}, "sorting": 3, "description": "security stack heatmap overview of security stack mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 5, "comment": "Related to AWS RDS, AWS Config, AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS CloudWatch"}, {"techniqueID": "T1565", "score": 5, "comment": "Related to AWS RDS, AWS RDS, Amazon GuardDuty, AWS CloudEndure Disaster Recovery, Amazon Virtual Private Cloud"}, {"techniqueID": "T1557", "score": 4, "comment": "Related to AWS RDS, AWS Config, AWS IoT Device Defender, Amazon Virtual Private Cloud"}, {"techniqueID": "T1190", "score": 8, "comment": "Related to AWS RDS, AWS RDS, AWS Config, Amazon GuardDuty, AWS CloudEndure Disaster Recovery, Amazon Inspector, AWS Web Application Firewall, AWS Security Hub"}, {"techniqueID": "T1210", "score": 6, "comment": "Related to AWS RDS, AWS RDS, AWS Config, Amazon Inspector, Amazon Virtual Private Cloud, AWS Security Hub"}, {"techniqueID": "T1485", "score": 8, "comment": "Related to AWS RDS, AWS RDS, AWS RDS, AWS Config, AWS S3, Amazon GuardDuty, AWS CloudEndure Disaster Recovery, AWS Security Hub"}, {"techniqueID": "T1486", "score": 4, "comment": "Related to AWS RDS, AWS Config, Amazon GuardDuty, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1490", "score": 3, "comment": "Related to AWS RDS, AWS RDS, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1561", "score": 2, "comment": "Related to AWS RDS, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1530", "score": 7, "comment": "Related to AWS RDS, AWS Config, AWS S3, Amazon GuardDuty, AWS IoT Device Defender, AWS Security Hub, AWS Network Firewall"}, {"techniqueID": "T1529", "score": 2, "comment": "Related to AWS RDS, Amazon Inspector"}, {"techniqueID": "T1489", "score": 2, "comment": "Related to AWS RDS, Amazon 
Inspector"}, {"techniqueID": "T1020", "score": 3, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender"}, {"techniqueID": "T1053", "score": 2, "comment": "Related to AWS Config, Amazon Inspector"}, {"techniqueID": "T1068", "score": 3, "comment": "Related to AWS Config, Amazon Inspector, AWS Security Hub"}, {"techniqueID": "T1078", "score": 10, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS IoT Device Defender, AWS Organizations, Amazon Cognito, AWS Security Hub, AWS Identity and Access Management, AWS Identity and Access Management, AWS Single Sign-On"}, {"techniqueID": "T1098", "score": 4, "comment": "Related to AWS Config, Amazon GuardDuty, AWS Security Hub, AWS Identity and Access Management"}, {"techniqueID": "T1110", "score": 7, "comment": "Related to AWS Config, Amazon GuardDuty, Amazon Inspector, Amazon Cognito, AWS Security Hub, AWS Identity and Access Management, AWS Single Sign-On"}, {"techniqueID": "T1119", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1136", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1203", "score": 4, "comment": "Related to AWS Config, Amazon Inspector, AWS Web Application Firewall, AWS Security Hub"}, {"techniqueID": "T1211", "score": 3, "comment": "Related to AWS Config, Amazon Inspector, AWS Security Hub"}, {"techniqueID": "T1212", "score": 4, "comment": "Related to AWS Config, Amazon Inspector, AWS Security Hub, AWS Secrets Manager"}, {"techniqueID": "T1204", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1491", "score": 3, "comment": "Related to AWS Config, Amazon GuardDuty, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1496", "score": 4, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS CloudWatch"}, {"techniqueID": "T1498", "score": 5, "comment": "Related to AWS Config, Amazon GuardDuty, AWS Shield, Amazon Virtual Private Cloud, AWS Network Firewall"}, 
{"techniqueID": "T1499", "score": 4, "comment": "Related to AWS Config, AWS Shield, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1525", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1538", "score": 2, "comment": "Related to AWS Config, AWS Organizations"}, {"techniqueID": "T1552", "score": 6, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS Key Management Service, AWS Secrets Manager, AWS CloudHSM"}, {"techniqueID": "T1562", "score": 6, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS IoT Device Defender, Amazon Inspector, AWS Security Hub"}, {"techniqueID": "T1609", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1610", "score": 2, "comment": "Related to AWS Config, AWS CloudWatch"}, {"techniqueID": "T1611", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1613", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1595", "score": 5, "comment": "Related to Amazon GuardDuty, Amazon Inspector, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1189", "score": 3, "comment": "Related to Amazon GuardDuty, Amazon Inspector, AWS Web Application Firewall"}, {"techniqueID": "T1566", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1580", "score": 3, "comment": "Related to Amazon GuardDuty, AWS Organizations, AWS Security Hub"}, {"techniqueID": "T1526", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1046", "score": 6, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, Amazon Inspector, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1071", "score": 4, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1568", "score": 1, "comment": "Related to Amazon 
GuardDuty"}, {"techniqueID": "T1571", "score": 3, "comment": "Related to Amazon GuardDuty, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1090", "score": 4, "comment": "Related to Amazon GuardDuty, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1029", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1041", "score": 3, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, AWS Network Firewall"}, {"techniqueID": "T1048", "score": 4, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1567", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1531", "score": 2, "comment": "Related to Amazon GuardDuty, AWS Security Hub"}, {"techniqueID": "T1095", "score": 3, "comment": "Related to AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1087", "score": 1, "comment": "Related to AWS Organizations"}, {"techniqueID": "T1588", "score": 2, "comment": "Related to AWS Key Management Service, AWS CloudHSM"}, {"techniqueID": "T1133", "score": 4, "comment": "Related to Amazon Inspector, Amazon Virtual Private Cloud, AWS Network Firewall, AWS Single Sign-On"}, {"techniqueID": "T1021", "score": 3, "comment": "Related to Amazon Inspector, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1222", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1070", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1599", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1003", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1548", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1037", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1543", "score": 1, "comment": "Related to 
Amazon Inspector"}, {"techniqueID": "T1590", "score": 3, "comment": "Related to Amazon Virtual Private Cloud, AWS Security Hub, AWS Network Firewall"}, {"techniqueID": "T1205", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1018", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1008", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1219", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1199", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1602", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1542", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1072", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1482", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1570", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1059", "score": 1, "comment": "Related to AWS Web Application Firewall"}, {"techniqueID": "T1592", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1589", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1591", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1550", "score": 1, "comment": "Related to AWS Identity and Access Management"}, {"techniqueID": "T1528", "score": 2, "comment": "Related to AWS Identity and Access Management, AWS Secrets Manager"}, {"techniqueID": "T1555", "score": 1, "comment": "Related to AWS Secrets Manager"}, {"techniqueID": "T1187", "score": 1, "comment": "Related to AWS Network Firewall"}, {"techniqueID": "T1572", "score": 1, "comment": "Related to AWS Network Firewall"}, {"techniqueID": 
"T1104", "score": 1, "comment": "Related to AWS Network Firewall"}, {"techniqueID": "T1553", "score": 1, "comment": "Related to AWS CloudHSM"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 10}} \ No newline at end of file +{"name": "security stack overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": 9}, "sorting": 3, "description": "security stack heatmap overview of security stack mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 5, "comment": "Related to AWS RDS, AWS Config, AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS CloudWatch"}, {"techniqueID": "T1565", "score": 5, "comment": "Related to AWS RDS, AWS RDS, Amazon GuardDuty, AWS CloudEndure Disaster Recovery, Amazon Virtual Private Cloud"}, {"techniqueID": "T1565.001", "score": 4, "comment": "Related to AWS RDS, AWS RDS, Amazon GuardDuty, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1565.002", "score": 3, "comment": "Related to AWS RDS, AWS RDS, Amazon Virtual Private Cloud"}, {"techniqueID": "T1557", "score": 4, "comment": "Related to AWS RDS, AWS Config, AWS IoT Device Defender, Amazon Virtual Private Cloud"}, {"techniqueID": "T1190", "score": 8, "comment": "Related to AWS RDS, AWS RDS, AWS Config, Amazon GuardDuty, AWS CloudEndure Disaster Recovery, Amazon Inspector, AWS Web Application Firewall, AWS Security Hub"}, {"techniqueID": "T1210", "score": 6, "comment": "Related to AWS RDS, AWS RDS, AWS Config, Amazon Inspector, Amazon Virtual Private Cloud, AWS Security Hub"}, {"techniqueID": "T1485", "score": 8, "comment": "Related to AWS RDS, AWS RDS, AWS RDS, AWS Config, AWS S3, Amazon GuardDuty, AWS CloudEndure Disaster Recovery, AWS Security Hub"}, {"techniqueID": "T1486", "score": 4, "comment": "Related to AWS RDS, AWS Config, Amazon GuardDuty, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1490", "score": 3, "comment": "Related to AWS RDS, AWS 
RDS, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1561", "score": 2, "comment": "Related to AWS RDS, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1561.001", "score": 2, "comment": "Related to AWS RDS, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1561.002", "score": 2, "comment": "Related to AWS RDS, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1530", "score": 7, "comment": "Related to AWS RDS, AWS Config, AWS S3, Amazon GuardDuty, AWS IoT Device Defender, AWS Security Hub, AWS Network Firewall"}, {"techniqueID": "T1529", "score": 2, "comment": "Related to AWS RDS, Amazon Inspector"}, {"techniqueID": "T1489", "score": 2, "comment": "Related to AWS RDS, Amazon Inspector"}, {"techniqueID": "T1020", "score": 3, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender"}, {"techniqueID": "T1020.001", "score": 2, "comment": "Related to AWS Config, AWS IoT Device Defender"}, {"techniqueID": "T1053", "score": 2, "comment": "Related to AWS Config, Amazon Inspector"}, {"techniqueID": "T1053.007", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1068", "score": 3, "comment": "Related to AWS Config, Amazon Inspector, AWS Security Hub"}, {"techniqueID": "T1078", "score": 10, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS IoT Device Defender, AWS Organizations, Amazon Cognito, AWS Security Hub, AWS Identity and Access Management, AWS Identity and Access Management, AWS Single Sign-On"}, {"techniqueID": "T1078.004", "score": 10, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS IoT Device Defender, AWS Organizations, Amazon Cognito, AWS Security Hub, AWS Identity and Access Management, AWS Identity and Access Management, AWS Single Sign-On"}, {"techniqueID": "T1098", "score": 4, "comment": "Related to AWS Config, Amazon GuardDuty, AWS Security Hub, AWS Identity and Access Management"}, {"techniqueID": "T1098.001", "score": 4, "comment": 
"Related to AWS Config, Amazon GuardDuty, AWS Security Hub, AWS Identity and Access Management"}, {"techniqueID": "T1110", "score": 7, "comment": "Related to AWS Config, Amazon GuardDuty, Amazon Inspector, Amazon Cognito, AWS Security Hub, AWS Identity and Access Management, AWS Single Sign-On"}, {"techniqueID": "T1110.001", "score": 7, "comment": "Related to AWS Config, Amazon GuardDuty, Amazon Inspector, Amazon Cognito, AWS Security Hub, AWS Identity and Access Management, AWS Single Sign-On"}, {"techniqueID": "T1110.002", "score": 3, "comment": "Related to AWS Config, Amazon Inspector, Amazon Cognito"}, {"techniqueID": "T1110.003", "score": 7, "comment": "Related to AWS Config, Amazon GuardDuty, Amazon Inspector, Amazon Cognito, AWS Security Hub, AWS Identity and Access Management, AWS Single Sign-On"}, {"techniqueID": "T1110.004", "score": 7, "comment": "Related to AWS Config, Amazon GuardDuty, Amazon Inspector, Amazon Cognito, AWS Security Hub, AWS Identity and Access Management, AWS Single Sign-On"}, {"techniqueID": "T1119", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1136", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1136.003", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1203", "score": 4, "comment": "Related to AWS Config, Amazon Inspector, AWS Web Application Firewall, AWS Security Hub"}, {"techniqueID": "T1211", "score": 3, "comment": "Related to AWS Config, Amazon Inspector, AWS Security Hub"}, {"techniqueID": "T1212", "score": 4, "comment": "Related to AWS Config, Amazon Inspector, AWS Security Hub, AWS Secrets Manager"}, {"techniqueID": "T1204", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1204.003", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1491", "score": 3, "comment": "Related to AWS Config, Amazon GuardDuty, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1491.001", "score": 3, "comment": "Related to AWS Config, Amazon 
GuardDuty, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1491.002", "score": 3, "comment": "Related to AWS Config, Amazon GuardDuty, AWS CloudEndure Disaster Recovery"}, {"techniqueID": "T1496", "score": 4, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS CloudWatch"}, {"techniqueID": "T1498", "score": 5, "comment": "Related to AWS Config, Amazon GuardDuty, AWS Shield, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1498.001", "score": 4, "comment": "Related to AWS Config, Amazon GuardDuty, AWS Shield, AWS Network Firewall"}, {"techniqueID": "T1498.002", "score": 4, "comment": "Related to AWS Config, Amazon GuardDuty, AWS Shield, AWS Network Firewall"}, {"techniqueID": "T1499", "score": 4, "comment": "Related to AWS Config, AWS Shield, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1499.001", "score": 4, "comment": "Related to AWS Config, AWS Shield, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1499.002", "score": 4, "comment": "Related to AWS Config, AWS Shield, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1499.003", "score": 4, "comment": "Related to AWS Config, AWS Shield, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1499.004", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1525", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1538", "score": 2, "comment": "Related to AWS Config, AWS Organizations"}, {"techniqueID": "T1552", "score": 6, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS Key Management Service, AWS Secrets Manager, AWS CloudHSM"}, {"techniqueID": "T1552.001", "score": 5, "comment": "Related to AWS Config, Amazon GuardDuty, AWS Key Management Service, AWS Secrets Manager, AWS CloudHSM"}, {"techniqueID": "T1552.005", "score": 2, "comment": "Related to AWS Config, Amazon GuardDuty"}, {"techniqueID": 
"T1552.007", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1562", "score": 6, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS IoT Device Defender, Amazon Inspector, AWS Security Hub"}, {"techniqueID": "T1562.001", "score": 4, "comment": "Related to AWS Config, Amazon GuardDuty, Amazon Inspector, AWS Security Hub"}, {"techniqueID": "T1562.007", "score": 2, "comment": "Related to AWS Config, AWS Security Hub"}, {"techniqueID": "T1562.008", "score": 5, "comment": "Related to AWS Config, Amazon GuardDuty, AWS IoT Device Defender, AWS IoT Device Defender, AWS Security Hub"}, {"techniqueID": "T1609", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1610", "score": 2, "comment": "Related to AWS Config, AWS CloudWatch"}, {"techniqueID": "T1611", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1613", "score": 1, "comment": "Related to AWS Config"}, {"techniqueID": "T1595", "score": 5, "comment": "Related to Amazon GuardDuty, Amazon Inspector, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1595.001", "score": 5, "comment": "Related to Amazon GuardDuty, Amazon Inspector, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1595.002", "score": 5, "comment": "Related to Amazon GuardDuty, Amazon Inspector, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1189", "score": 3, "comment": "Related to Amazon GuardDuty, Amazon Inspector, AWS Web Application Firewall"}, {"techniqueID": "T1566", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1566.001", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1566.002", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1566.003", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1078.001", "score": 1, 
"comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1098.004", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1562.006", "score": 2, "comment": "Related to Amazon GuardDuty, Amazon Inspector"}, {"techniqueID": "T1580", "score": 3, "comment": "Related to Amazon GuardDuty, AWS Organizations, AWS Security Hub"}, {"techniqueID": "T1526", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1046", "score": 6, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, Amazon Inspector, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1071", "score": 4, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1071.001", "score": 3, "comment": "Related to Amazon GuardDuty, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1071.002", "score": 2, "comment": "Related to Amazon GuardDuty, AWS Network Firewall"}, {"techniqueID": "T1071.003", "score": 2, "comment": "Related to Amazon GuardDuty, AWS Network Firewall"}, {"techniqueID": "T1071.004", "score": 2, "comment": "Related to Amazon GuardDuty, AWS Network Firewall"}, {"techniqueID": "T1568", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1568.002", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1571", "score": 3, "comment": "Related to Amazon GuardDuty, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1090", "score": 4, "comment": "Related to Amazon GuardDuty, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1090.001", "score": 2, "comment": "Related to Amazon GuardDuty, Amazon Virtual Private Cloud"}, {"techniqueID": "T1090.002", "score": 4, "comment": "Related to Amazon GuardDuty, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": 
"T1090.003", "score": 4, "comment": "Related to Amazon GuardDuty, Amazon Virtual Private Cloud, AWS Web Application Firewall, AWS Network Firewall"}, {"techniqueID": "T1029", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1041", "score": 3, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, AWS Network Firewall"}, {"techniqueID": "T1048", "score": 4, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1048.003", "score": 4, "comment": "Related to Amazon GuardDuty, AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1567", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1567.001", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1567.002", "score": 1, "comment": "Related to Amazon GuardDuty"}, {"techniqueID": "T1531", "score": 2, "comment": "Related to Amazon GuardDuty, AWS Security Hub"}, {"techniqueID": "T1048.001", "score": 3, "comment": "Related to AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1048.002", "score": 3, "comment": "Related to AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1095", "score": 3, "comment": "Related to AWS IoT Device Defender, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1552.004", "score": 4, "comment": "Related to AWS IoT Device Defender, AWS Key Management Service, AWS Secrets Manager, AWS CloudHSM"}, {"techniqueID": "T1087", "score": 1, "comment": "Related to AWS Organizations"}, {"techniqueID": "T1087.004", "score": 1, "comment": "Related to AWS Organizations"}, {"techniqueID": "T1588", "score": 2, "comment": "Related to AWS Key Management Service, AWS CloudHSM"}, {"techniqueID": "T1588.003", "score": 2, "comment": "Related to AWS Key Management Service, AWS CloudHSM"}, {"techniqueID": 
"T1588.004", "score": 2, "comment": "Related to AWS Key Management Service, AWS CloudHSM"}, {"techniqueID": "T1133", "score": 4, "comment": "Related to Amazon Inspector, Amazon Virtual Private Cloud, AWS Network Firewall, AWS Single Sign-On"}, {"techniqueID": "T1021", "score": 3, "comment": "Related to Amazon Inspector, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1021.004", "score": 3, "comment": "Related to Amazon Inspector, Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1222", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1222.002", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1562.003", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1562.004", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1070", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1070.002", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1070.003", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1070.004", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1070.005", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1070.006", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1599", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1599.001", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1003", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1003.007", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1003.008", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1053.001", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1053.003", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1053.006", "score": 1, "comment": "Related to Amazon 
Inspector"}, {"techniqueID": "T1548", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1548.003", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1037", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1037.004", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1543", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1543.002", "score": 1, "comment": "Related to Amazon Inspector"}, {"techniqueID": "T1590", "score": 3, "comment": "Related to Amazon Virtual Private Cloud, AWS Security Hub, AWS Network Firewall"}, {"techniqueID": "T1590.001", "score": 3, "comment": "Related to Amazon Virtual Private Cloud, AWS Security Hub, AWS Network Firewall"}, {"techniqueID": "T1590.004", "score": 3, "comment": "Related to Amazon Virtual Private Cloud, AWS Security Hub, AWS Network Firewall"}, {"techniqueID": "T1590.005", "score": 3, "comment": "Related to Amazon Virtual Private Cloud, AWS Security Hub, AWS Network Firewall"}, {"techniqueID": "T1590.006", "score": 3, "comment": "Related to Amazon Virtual Private Cloud, AWS Security Hub, AWS Network Firewall"}, {"techniqueID": "T1205", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1205.001", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1018", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1008", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1219", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1557.002", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1557.001", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1199", "score": 1, "comment": 
"Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1602", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1602.002", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1602.001", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1542", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1542.005", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1021.006", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1021.005", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1021.003", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1021.002", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1021.001", "score": 2, "comment": "Related to Amazon Virtual Private Cloud, AWS Network Firewall"}, {"techniqueID": "T1072", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1482", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1570", "score": 1, "comment": "Related to Amazon Virtual Private Cloud"}, {"techniqueID": "T1059", "score": 1, "comment": "Related to AWS Web Application Firewall"}, {"techniqueID": "T1059.001", "score": 1, "comment": "Related to AWS Web Application Firewall"}, {"techniqueID": "T1059.004", "score": 1, "comment": "Related to AWS Web Application Firewall"}, {"techniqueID": "T1059.007", "score": 1, "comment": "Related to AWS Web Application Firewall"}, {"techniqueID": "T1592", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1592.001", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1592.002", "score": 1, "comment": 
"Related to AWS Security Hub"}, {"techniqueID": "T1592.003", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1592.004", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1589", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1589.001", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1589.002", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1589.003", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1590.002", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1590.003", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1591", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1591.001", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1591.002", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1591.003", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1591.004", "score": 1, "comment": "Related to AWS Security Hub"}, {"techniqueID": "T1550", "score": 1, "comment": "Related to AWS Identity and Access Management"}, {"techniqueID": "T1550.001", "score": 1, "comment": "Related to AWS Identity and Access Management"}, {"techniqueID": "T1528", "score": 2, "comment": "Related to AWS Identity and Access Management, AWS Secrets Manager"}, {"techniqueID": "T1555", "score": 1, "comment": "Related to AWS Secrets Manager"}, {"techniqueID": "T1552.002", "score": 1, "comment": "Related to AWS Secrets Manager"}, {"techniqueID": "T1187", "score": 1, "comment": "Related to AWS Network Firewall"}, {"techniqueID": "T1572", "score": 1, "comment": "Related to AWS Network Firewall"}, {"techniqueID": "T1104", "score": 1, "comment": "Related to AWS Network Firewall"}, {"techniqueID": "T1078.002", "score": 1, "comment": "Related to AWS Single Sign-On"}, {"techniqueID": "T1553", "score": 1, "comment": "Related 
to AWS CloudHSM"}, {"techniqueID": "T1553.004", "score": 1, "comment": "Related to AWS CloudHSM"}, {"techniqueID": "T1553.002", "score": 1, "comment": "Related to AWS CloudHSM"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 10}} \ No newline at end of file diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings.yaml b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings.yaml index b4456d9c..d55c18b1 100644 --- a/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings.yaml +++ b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings.yaml @@ -10,7 +10,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328 - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: @@ -29,7 +29,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328 - related-score: true + related-score: '' score-category: Respond score-value: Partial tags: 
@@ -37,6 +37,77 @@ attack-objects: - Azure Active Directory - Identity - Microsoft 365 Defender +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure AD Identity Protection + comments: 'This control provides risk detections that can be used to detect suspicious + uses of valid accounts, e.g.: Anonymous IP address, Atypical travel, Malware + linked IP address, Unfamiliar sign-in properties, etc. Microsoft utilizes machine + learning and heuristic systems to reduce the false positive rate but there will + be false positives. + + The temporal factor of this control''s detection is low because although there + are some real-time detections most are offline detections (multi-day).' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure AD Identity Protection + comments: 'Response Type: Eradication + + Supports blocking and resetting the user''s credentials based on the detection + of a risky user/sign-in manually and also supports automation via its user and + sign-in risk policies.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1078.002 + attack-object-name: Domain Accounts + capability-id: Azure AD Identity Protection + comments: 'When Azure Active Directory (AAD) Federation is configured for a tenant, + an adversary that compromises a domain credential can use it to access (Azure) + cloud resources. Identity Protection supports applying its risk detections (e.g.: Anonymous + IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, + etc.) to federated identities thereby providing detection mitigation for this + risk. 
Because this detection is specific to an adversary utilizing valid domain + credentials to access cloud resources and does not mitigate the usage of valid + domain credentials to access on-premise resources, this detection has been scored + as Partial. + + + The temporal factor of this control''s detection is low because although there + are some real-time detections most are offline detections (multi-day).' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.002 + attack-object-name: Domain Accounts + capability-id: Azure AD Identity Protection + comments: 'Response Type: Containment + + Supports risk detection responses such as blocking a user''s access and enforcing + MFA. These responses contain the impact of this sub-technique but do not eradicate + it (by forcing a password reset).' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Respond + score-value: Partial + tags: [] - attack-object-id: T1606 attack-object-name: Forge Web Credentials capability-id: Azure AD Identity Protection @@ -48,7 +119,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328 - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -67,7 +138,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328 - related-score: true + related-score: '' score-category: Respond score-value: Partial tags: @@ -75,6 +146,35 @@ attack-objects: - Azure Active Directory - Identity - Microsoft 365 Defender +- attack-object-id: T1606.002 + attack-object-name: SAML Tokens + capability-id: Azure AD Identity Protection + comments: This control supports detecting risky sign-ins and users that involve + federated users and therefore can potentially alert on this activity. Not all + alert types for this control support federated accounts therefore the detection + coverage for this technique is partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1606 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1606.002 + attack-object-name: SAML Tokens + capability-id: Azure AD Identity Protection + comments: 'Response Type: Eradication + + Supports blocking and resetting the user''s credentials based on the detection + of a risky user/sign-in manually and also supports automation via its user and + sign-in risk policies.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1606 + score-category: Respond + score-value: Significant + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Azure AD Identity Protection 
@@ -86,7 +186,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328 - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -105,7 +205,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328 - related-score: true + related-score: '' score-category: Respond score-value: Minimal tags: 
@@ -113,6 +213,38 @@ attack-objects: - Azure Active Directory - Identity - Microsoft 365 Defender +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure AD Identity Protection + comments: This control specifically provides detection of Password Spray attacks + for Azure Active Directory accounts. Microsoft documentation states that this + detection is based on a machine learning algorithm that has been improved with + the latest improvement yielding a 100 percent increase in recall and 98 percent + precision. The temporal factor for this detection is Partial as its detection + is described as offline (i.e. detections may not show up in reporting for two + to twenty-four hours). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure AD Identity Protection + comments: 'Response Type: Eradication + + Supports blocking and resetting the user''s credentials based on the detection + of a risky user/sign-in (such as Password Spray attack) manually and also supports + automation via its user and sign-in risk policies.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Respond + score-value: Significant + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Alerts for Windows Machines 
@@ -122,13 +254,41 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1078.003 + attack-object-name: Local Accounts + capability-id: Alerts for Windows Machines + comments: 'This control may detect suspicious activity from existing Windows accounts + and logons from suspicious IP addresses. The following alerts may be generated: + "A logon from a malicious IP has been detected", "A logon from a malicious IP + has been detected. [seen multiple times]".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.001 + attack-object-name: Default Accounts + capability-id: Alerts for Windows Machines + comments: 'This control may detect suspicious activity from existing Windows accounts + and logons from suspicious IP addresses. The following alerts may be generated: + "A logon from a malicious IP has been detected", "A logon from a malicious IP + has been detected. [seen multiple times]".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter capability-id: Alerts for Windows Machines 
@@ -138,13 +298,53 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1059.001 + attack-object-name: PowerShell + capability-id: Alerts for Windows Machines + comments: 'This control may detect suspicious usage of PowerShell and the Windows + command line. These detections include usage of suspicious arguments, dynamic + script construction, and shellcode on the commandline. The following alerts may + be generated: "Detected anomalous mix of upper and lower case characters in command-line", + "Detected encoded executable in command line data", "Detected obfuscated command + line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious + commandline arguments", "Detected suspicious commandline used to start all executables + in a directory", "Detected suspicious credentials in commandline", "Dynamic PS + script construction", "Suspicious PowerShell Activity Detected", "Suspicious + PowerShell cmdlets executed", "Suspicious command execution".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1059.003 + attack-object-name: Windows Command Shell + capability-id: Alerts for Windows Machines + comments: 'This control may detect suspicious usage of PowerShell and the Windows + command line. These detections include usage of suspicious arguments, dynamic + script construction, and shellcode on the commandline. 
The following alerts may + be generated: "Detected anomalous mix of upper and lower case characters in command-line", + "Detected encoded executable in command line data", "Detected obfuscated command + line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious + commandline arguments", "Detected suspicious commandline used to start all executables + in a directory", "Detected suspicious credentials in commandline", "Dynamic PS + script construction", "Suspicious PowerShell Activity Detected", "Suspicious + PowerShell cmdlets executed", "Suspicious command execution".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1204 attack-object-name: User Execution capability-id: Alerts for Windows Machines @@ -154,13 +354,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1204.002 + attack-object-name: Malicious File + capability-id: Alerts for Windows Machines + comments: 'This control may detect the usage of a malware dropper and other indicators + of a malicious file being executed by the user. The following alerts may be generated: + "Detected possible execution of keygen executable", "Detected possible execution + of malware dropper", "Detected suspicious file creation".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1204 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1547 attack-object-name: Boot or Logon Autostart Execution capability-id: Alerts for Windows Machines 
@@ -170,13 +384,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1547.001 + attack-object-name: Registry Run Keys / Startup Folder + capability-id: Alerts for Windows Machines + comments: 'This control may detect when the Registry is leveraged to gain persistence. + The following alerts may be generated: "Windows registry persistence method detected".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1136 attack-object-name: Create Account capability-id: Alerts for Windows Machines 
@@ -186,13 +412,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1136.001 + attack-object-name: Local Account + capability-id: Alerts for Windows Machines + comments: 'This control may detect when an account is created with an account name + that closely resembles a standard Windows account or group name. This may be an + account created by an attacker to blend into the environment. The following alerts + may be generated: "Suspicious Account Creation Detected".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process capability-id: Alerts for Windows Machines 
@@ -202,13 +442,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1543.003 + attack-object-name: Windows Service + capability-id: Alerts for Windows Machines + comments: 'This control may detect when the tscon.exe binary is installed as a service + to exploit RDP sessions or when a rare service group is executed under SVCHOST. + The following alerts may be generated: "Suspect service installation".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1543 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution capability-id: Alerts for Windows Machines 
@@ -218,13 +471,40 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1546.002 + attack-object-name: Screensaver + capability-id: Alerts for Windows Machines + comments: 'This control may detect when a suspicious screensaver process is executed, + based on the location of the .scr file. Because this detection is based solely + on the location of the file, it has been scored as Partial. The following alerts + may be generated: "Suspicious Screensaver process executed".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.008 + attack-object-name: Accessibility Features + capability-id: Alerts for Windows Machines + comments: 'This control may detect when the binary for the sticky keys utility has + been replaced, possibly to gain persistence or execution. The following alerts + may be generated: "Sticky keys attack detected".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism capability-id: Alerts for Windows Machines 
@@ -234,13 +514,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1548.002 + attack-object-name: Bypass User Account Control + capability-id: Alerts for Windows Machines + comments: 'This control may detect when User Account Control is bypassed by manipulating + the Windows registry. There may be other methods to Bypass User Account Control + which limits the score to Minimal. The following alerts may be generated: "Detected + change to a registry key that can be abused to bypass UAC"' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1548 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1055 attack-object-name: Process Injection capability-id: Alerts for Windows Machines 
@@ -250,13 +544,141 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1055.001 + attack-object-name: Dynamic-link Library Injection + capability-id: Alerts for Windows Machines + comments: 'Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. The following alerts + may be generated: "Fileless attack technique detected", "Fileless attack behavior + detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.002 + attack-object-name: Portable Executable Injection + capability-id: Alerts for Windows Machines + comments: 'Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. The following alerts + may be generated: "Fileless attack technique detected", "Fileless attack behavior + detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.003 + attack-object-name: Thread Execution Hijacking + capability-id: Alerts for Windows Machines + comments: 'Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. The following alerts + may be generated: "Fileless attack technique detected", "Fileless attack behavior + detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.005 + attack-object-name: Thread Local Storage + capability-id: Alerts for Windows Machines + comments: 'Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. The following alerts + may be generated: "Fileless attack technique detected", "Fileless attack behavior + detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.004 + attack-object-name: Asynchronous Procedure Call + capability-id: Alerts for Windows Machines + comments: 'Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. The following alerts + may be generated: "Fileless attack technique detected", "Fileless attack behavior + detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.011 + attack-object-name: Extra Window Memory Injection + capability-id: Alerts for Windows Machines + comments: 'Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. The following alerts + may be generated: "Fileless attack technique detected", "Fileless attack behavior + detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.012 + attack-object-name: Process Hollowing + capability-id: Alerts for Windows Machines + comments: 'Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. The following alerts + may be generated: "Fileless attack technique detected", "Fileless attack behavior + detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.013 + attack-object-name: "Process Doppelg\xE4nging" + capability-id: Alerts for Windows Machines + comments: 'Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. The following alerts + may be generated: "Fileless attack technique detected", "Fileless attack behavior + detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution capability-id: Alerts for Windows Machines 
@@ -266,7 +688,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -282,7 +704,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -298,7 +720,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -314,7 +736,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -330,7 +752,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -346,7 +768,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
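Review bot: `related-score` changes meaning in these hunks without any schema note. It was a boolean (`false` here, `true` in the earlier hunks) and is now `''` on every technique row, while the added sub-technique rows in other hunks carry the parent ID (for example `related-score: T1059`). Techniques that used to be `true` and those that used to be `false` now serialise identically, so a consumer that used the flag to tell whether sub-technique scores exist would have to scan for child rows instead. It would help to state the new contract in the parser's documentation or the commit message, and to check any downstream reader of the boolean before this fixture is accepted.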
@@ -362,7 +784,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -378,7 +800,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -394,13 +816,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1222.001 + attack-object-name: Windows File and Directory Permissions Modification + capability-id: Alerts for Windows Machines + comments: 'This control may detect the usage of cacls.exe to modify file and directory + permissions. The following alerts may be generated: "Detected suspicious use of + Cacls to lower the security state of the system".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1222 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1564 attack-object-name: Hide Artifacts capability-id: Alerts for Windows Machines 
@@ -410,13 +845,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1564.003 + attack-object-name: Hidden Window + capability-id: Alerts for Windows Machines + comments: 'This control may detect usage of the WindowPosition Registry value to + hide application windows in non-visible sections of the desktop. The following + alerts may be generated: "Suspicious WindowPosition registry value detected".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1564 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses capability-id: Alerts for Windows Machines 
@@ -426,13 +874,42 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1562.004 + attack-object-name: Disable or Modify System Firewall + capability-id: Alerts for Windows Machines + comments: 'This control may detect modification of the Windows firewall through + use of netsh.exe or using a method that matches a known threat actor. The following + alerts may be generated: "Malicious firewall rule created by ZINC server implant + [seen multiple times]", "Detected suspicious new firewall rule".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562.001 + attack-object-name: Disable or Modify Tools + capability-id: Alerts for Windows Machines + comments: 'This control may detect when critical services have been disabled, such + as Windows Security Center. This control may also detect when IIS logging has + been disabled. The following alerts may be generated: "Detected the disabling + of critical services", "Detected actions indicative of disabling and deleting + IIS log files".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host capability-id: Alerts for Windows Machines 
@@ -442,13 +919,39 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1070.004 + attack-object-name: File Deletion + capability-id: Alerts for Windows Machines + comments: 'This control may detect suspicious file cleanup commands and shadow copy + deletion activity. The following alerts may be generated: "Detected suspicious + file cleanup commands", "Suspicious Volume Shadow Copy Activity".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1070 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1070.001 + attack-object-name: Clear Windows Event Logs + capability-id: Alerts for Windows Machines + comments: 'This control may detect when an event log has been cleared or IIS logs + have been deleted. The following alerts may be generated: "Detected actions indicative + of disabling and deleting IIS log files", "An event log was cleared".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1070 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1112 attack-object-name: Modify Registry capability-id: Alerts for Windows Machines @@ -458,7 +961,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -474,7 +977,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -490,13 +993,41 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1218.005 + attack-object-name: Mshta + capability-id: Alerts for Windows Machines + comments: 'This control may detect suspicious usage of Mshta to execute PowerShell + and suspicious Rundll32 execution. The following alerts may be generated: "Detected + suspicious execution via rundll32.exe", "Detected suspicious combination of HTA + and PowerShell".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1218 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1218.011 + attack-object-name: Rundll32 + capability-id: Alerts for Windows Machines + comments: 'This control may detect suspicious usage of Mshta to execute PowerShell + and suspicious Rundll32 execution. The following alerts may be generated: "Detected + suspicious execution via rundll32.exe", "Detected suspicious combination of HTA + and PowerShell".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1218 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Alerts for Windows Machines 
@@ -506,13 +1037,58 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Alerts for Windows Machines + comments: 'This control may detect successful and failed brute force attempts with + logic that factors the IP, time between attempts, and other suspicious activity. + The following alerts may be generated: "A logon from a malicious IP has been detected", + "A logon from a malicious IP has been detected. [seen multiple times]", "Successful + brute force attack", "Suspicious authentication activity".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Alerts for Windows Machines + comments: 'This control may detect successful and failed brute force attempts with + logic that factors the IP, time between attempts, and other suspicious activity. + The following alerts may be generated: "A logon from a malicious IP has been detected", + "A logon from a malicious IP has been detected. [seen multiple times]", "Successful + brute force attack", "Suspicious authentication activity".' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Alerts for Windows Machines + comments: 'This control may detect successful and failed brute force attempts with + logic that factors the IP, time between attempts, and other suspicious activity. + The following alerts may be generated: "A logon from a malicious IP has been detected", + "A logon from a malicious IP has been detected. [seen multiple times]", "Successful + brute force attack", "Suspicious authentication activity".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping capability-id: Alerts for Windows Machines 
@@ -522,13 +1098,28 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1003.004 + attack-object-name: LSA Secrets + capability-id: Alerts for Windows Machines + comments: 'This control may detect when the registry is modified to allow logon + credentials to be stored in clear text in LSA memory. This change allows a threat + actor to gain plain text credentials from the host machine. The following alerts + may be generated: "Detected enabling of the WDigest UseLogonCredential registry + key".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1003 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets capability-id: Alerts for Windows Machines 
@@ -538,13 +1129,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1558.001 + attack-object-name: Golden Ticket + capability-id: Alerts for Windows Machines + comments: 'This control may detect commandline parameters consistent with a Kerberos + Golden Ticket attack. The following alerts may be generated: "Suspected Kerberos + Golden Ticket attack parameters observed".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery capability-id: Alerts for Windows Machines 
@@ -554,27 +1158,53 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Azure Defender for Servers - Windows -- attack-object-id: T1082 - attack-object-name: System Information Discovery +- attack-object-id: T1087.001 + attack-object-name: Local Account capability-id: Alerts for Windows Machines - comments: '' + comments: 'This control may detect when the local administrators group is enumerated + or when mulitiple domain accounts are queried. The following alerts may be generated: + "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + references: [] + related-score: T1087 score-category: Detect - score-value: Minimal - tags: - - Azure Defender + score-value: Partial + tags: [] +- attack-object-id: T1087.002 + attack-object-name: Domain Account + capability-id: Alerts for Windows Machines + comments: 'This control may detect when the local administrators group is enumerated + or when mulitiple domain accounts are queried. The following alerts may be generated: + "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1082 + attack-object-name: System Information Discovery + capability-id: Alerts for Windows Machines + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction + - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows + related-score: '' + score-category: Detect + score-value: Minimal + tags: + - Azure Defender - Azure Defender for Servers - Windows - attack-object-id: T1563 @@ -586,13 +1216,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1563.002 + attack-object-name: RDP Hijacking + capability-id: Alerts for Windows Machines + comments: 'This control may detect RDP hijacking through use of the tscon.exe binary. + The following alerts may be generated: "Suspect integrity level indicative of + RDP hijacking", "Suspect service installation".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1563 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer capability-id: Alerts for Windows Machines 
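Review bot: The added comments for T1087.001 and T1087.002 both contain the misspelling `mulitiple` ("when mulitiple domain accounts are queried"); it should read `multiple`. Since this file looks like generated parser output, the correction probably belongs in the mapping source the fixture is produced from, followed by regenerating the expected file, rather than a hand edit here. The same hunk also removes and re-adds the T1082 row with only `related-score` changed, which makes the real change hard to see in review.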
@@ -602,7 +1245,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -618,13 +1261,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Defender for Servers - Windows +- attack-object-id: T1048.001 + attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol + capability-id: Alerts for Windows Machines + comments: 'This control may detect suspicious use of the Telegram tool for transferring + malicious binaries across hosts. The following alerts may be generated: "Detected + potentially suspicious use of Telegram tool".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1489 attack-object-name: Service Stop capability-id: Alerts for Windows Machines @@ -634,7 +1290,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -650,7 +1306,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -676,7 +1332,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -701,7 +1357,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -726,12 +1382,51 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Azure Security Center Recommendations + comments: This control's "Authentication to Linux machines should require SSH keys" + can obviate SSH Brute Force password attacks. Because this is specific to Linux, + the coverage score is Minimal leading to an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure Security Center Recommendations + comments: This control's "Authentication to Linux machines should require SSH keys" + can obviate SSH Brute Force password attacks. Because this is specific to Linux, + the coverage score is Minimal leading to an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Azure Security Center Recommendations + comments: This control's "Authentication to Linux machines should require SSH keys" + can obviate SSH Brute Force password attacks. Because this is specific to Linux, + the coverage score is Minimal leading to an overall Minimal score. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot capability-id: Azure Security Center Recommendations 
@@ -751,12 +1446,42 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1542.001 + attack-object-name: System Firmware + capability-id: Azure Security Center Recommendations + comments: This control's "Secure Boot should be enabled on your Linux virtual machine" + and "Virtual machines should be attested for boot integrity health" recommendations + can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because + this recommendation is specific to Linux VM and is a recommendation, its score + is capped at Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1542 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1542.003 + attack-object-name: Bootkit + capability-id: Azure Security Center Recommendations + comments: This control's "Secure Boot should be enabled on your Linux virtual machine" + and "Virtual machines should be attested for boot integrity health" recommendations + can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because + this recommendation is specific to Linux VM and is a recommendation, its score + is capped at Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1542 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service capability-id: Azure Security Center Recommendations 
@@ -776,12 +1501,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: Azure Security Center Recommendations + comments: This control's "Container CPU and memory limits should be enforced" recommendation + can lead to preventing resource exhaustion attacks by recommending enforcing limits + for containers to ensure the runtime prevents the container from using more than + the configured resource limit. Because this is a recommendation, its score is + capped at Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image capability-id: Azure Security Center Recommendations @@ -801,7 +1541,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -826,7 +1566,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -851,12 +1591,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1098.004 + attack-object-name: SSH Authorized Keys + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing modification of a Kubernetes + container's file system which can mitigate this technique. Because this recommendation + is specific to Kubernetes containers, its score is Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary capability-id: Azure Security Center Recommendations @@ -876,7 +1630,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -901,12 +1655,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1136.001 + attack-object-name: Local Account + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing system files from being + modified in Kubernetes containers thereby mitigating this sub-technique since + adding an account (on Linux) requires modifying system files. Because this is + a recommendation, its score is capped at Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process capability-id: Azure Security Center Recommendations 
@@ -926,12 +1695,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1543.002 + attack-object-name: Systemd Service + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing the addition or modification + of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because + this is a recommendation, and specific to Kubernetes containers, its score is + assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1543 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution capability-id: Azure Security Center Recommendations 
@@ -951,12 +1735,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1546.004 + attack-object-name: .bash_profile and .bashrc + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing the addition or modification + of the file system in Kubernetes containers thereby mitigating this sub-technique. Because + this is a recommendation, and specific to Kubernetes containers, its score is + assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component capability-id: Azure Security Center Recommendations 
@@ -976,12 +1775,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1505.003 + attack-object-name: Web Shell + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing modifications to the file + system in Kubernetes containers which can mitigate adversaries installing web + shells. Because this is a recommendation, and specific to Kubernetes containers, + its score is assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1505 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification capability-id: Azure Security Center Recommendations 
@@ -1001,12 +1815,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1222.002 + attack-object-name: Linux and Mac File and Directory Permissions Modification + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing the modification of the + file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because + this is a recommendation, and specific to Kubernetes containers, its score is + assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1222 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1564 attack-object-name: Hide Artifacts capability-id: Azure Security Center Recommendations 
@@ -1026,12 +1855,57 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1564.001 + attack-object-name: Hidden Files and Directories + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing these sub-techniques which + result in changes to the file system directly or indirectly during their execution. Because + this is a recommendation, and specific to Kubernetes containers, its score is + assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1564 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1564.005 + attack-object-name: Hidden File System + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing these sub-techniques which + result in changes to the file system directly or indirectly during their execution. Because + this is a recommendation, and specific to Kubernetes containers, its score is + assessed as Minimal. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1564 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1564.006 + attack-object-name: Run Virtual Instance + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing these sub-techniques which + result in changes to the file system directly or indirectly during their execution. Because + this is a recommendation, and specific to Kubernetes containers, its score is + assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1564 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1053 attack-object-name: Scheduled Task/Job capability-id: Azure Security Center Recommendations 
@@ -1051,12 +1925,42 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1053.003 + attack-object-name: Cron + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing the addition or modification + of config files in Kubernetes containers required to implement the behaviors described + in these sub-techniques. Because this is a recommendation, and specific to Kubernetes + containers, its score is assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1053.006 + attack-object-name: Systemd Timers + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing the addition or modification + of config files in Kubernetes containers required to implement the behaviors described + in these sub-techniques. Because this is a recommendation, and specific to Kubernetes + containers, its score is assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process capability-id: Azure Security Center Recommendations 
@@ -1076,12 +1980,27 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1556.003 + attack-object-name: Pluggable Authentication Modules + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to preventing this sub-technique which + often modifies Pluggable Authentication Modules (PAM) components in the file + system. Because this is a recommendation, and specific to Kubernetes containers, + its score is assessed as Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1556 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1080 attack-object-name: Taint Shared Content capability-id: Azure Security Center Recommendations @@ -1101,7 +2020,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1126,12 +2045,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1074.001 + attack-object-name: Local Data Staging + capability-id: Azure Security Center Recommendations + comments: This control's "Immutable (read-only) root filesystem should be enforced + for containers" recommendation can lead to mitigating this sub-technique by preventing + modification of the local filesystem. Due to it being a recommendation, its score + is capped at Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1074 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction capability-id: Azure Security Center Recommendations @@ -1151,7 +2084,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1176,7 +2109,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1201,12 +2134,29 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1565.001 + attack-object-name: Stored Data Manipulation + capability-id: Azure Security Center Recommendations + comments: "This control's \"Immutable (read-only) root filesystem should be enforced\ + \ for containers\" recommendation can lead to mitigating this sub-technique by\ + \ preventing modification of the local filesystem. \n\nLikewise this control's\ + \ recommendations related to using customer-managed keys to encrypt data at rest\ + \ and enabling transparent data encryption for SQL databases can mitigate this\ + \ sub-technique by reducing an adversary's ability to perform tailored data modifications.\n\ + \nDue to it being a recommendation, its score is capped at Partial." + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Azure Security Center Recommendations 
@@ -1226,12 +2176,30 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure Security Center Recommendations + comments: "This control's \"Deprecated accounts should be removed from your subscription\"\ + \ and \"Deprecated accounts with owner permissions should be removed from your\ + \ subscription\" recommendation can lead to removing accounts that should not\ + \ be utilized from your subscriptions thereby denying adversaries the usage of\ + \ these accounts to find ways to access your data without being noticed. \nLikewise,\ + \ the recommendations related to External account permissions can also mitigate\ + \ this sub-technique.\nBecause these are recommendations and only limited to deprecated\ + \ and external accounts, this is scored as Minimal." + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services capability-id: Azure Security Center Recommendations @@ -1251,7 +2219,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference - https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1266,7 +2234,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -1281,12 +2249,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Azure Security Center Recommendation +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure Defender for Storage + comments: 'This control may generate alerts based on unfamiliar or suspicious IP + addresses, TOR exit node, and anonymous access. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer capability-id: Azure Defender for Storage @@ -1296,7 +2276,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1311,7 +2291,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage - related-score: false + related-score: '' score-category: Respond score-value: Partial tags: 
@@ -1326,7 +2306,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1341,7 +2321,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage - related-score: false + related-score: '' score-category: Respond score-value: Partial tags: @@ -1356,7 +2336,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1371,7 +2351,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -1386,12 +2366,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1059.004 + attack-object-name: Unix Shell + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on suspicious commandline activity. Alerts may + be generated on possible detection of shellcode usage on the commandline, based + on arguments, location, user, etc. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation capability-id: Linux auditd alerts and Log Analytics agent integration @@ -1401,7 +2394,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -1416,12 +2409,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1098.004 + attack-object-name: SSH Authorized Keys + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on addition of new SSH keys to the authorized key + file and unusual process access of the authorized key file. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1547 attack-object-name: Boot or Logon Autostart Execution capability-id: Linux auditd alerts and Log Analytics agent integration @@ -1431,12 +2436,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1547.006 + attack-object-name: Kernel Modules and Extensions + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on a suspicious shared object file being loaded + as a kernel module. No documentation is provided on the logic but kernel module + loading is a relatively rare event and can only be done with a small set of commands. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1136 attack-object-name: Create Account capability-id: Linux auditd alerts and Log Analytics agent integration 
@@ -1446,12 +2464,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1136.001 + attack-object-name: Local Account + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on usage of the useradd command to create new users + and the creation of local user accounts with suspicious similarity to other account + names. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component capability-id: Linux auditd alerts and Log Analytics agent integration @@ -1461,12 +2492,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1505.003 + attack-object-name: Web Shell + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on usage of web shells. No documentation is provided + on logic for this detection. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1505 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1564 attack-object-name: Hide Artifacts capability-id: Linux auditd alerts and Log Analytics agent integration 
@@ -1476,12 +2519,37 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1564.001 + attack-object-name: Hidden Files and Directories + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on the execution of hidden files. Since this control + is only triggered on execution, it may not fire on a variety of hidden files or + directories that are being utilized for malicious purposes. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1564 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1564.006 + attack-object-name: Run Virtual Instance + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on containers using privileged commands, running + SSH servers, or running mining software. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1564 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses capability-id: Linux auditd alerts and Log Analytics agent integration 
@@ -1491,12 +2559,38 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1562.004 + attack-object-name: Disable or Modify System Firewall + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on manipulation of the on-host firewall. Firewall + rules should not be changed often in a standard environment and such an event + can provide a high fidelity alert. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562.006 + attack-object-name: Indicator Blocking + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on activity which disables auditd logging on Linux + endpoints. The auditd package may not be the only logging system being utilized + and this control may not alert on activity that disables other logging software. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1070 attack-object-name: Indicator Removal on Host capability-id: Linux auditd alerts and Log Analytics agent integration 
@@ -1506,12 +2600,39 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Linux +- attack-object-id: T1070.002 + attack-object-name: Clear Linux or Mac System Logs + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on possible log tampering activity, including deletion + of logs. No documentation is provided on which log sources are targeted by this + control. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1070 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1070.003 + attack-object-name: Clear Command History + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on clearing of the command history file. Documentation + is not provided on the logic for detecting when the command history is cleared + but on Linux machines the location of the history file tends not to change from + the default. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1070 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information capability-id: Linux auditd alerts and Log Analytics agent integration 
@@ -1521,12 +2642,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1027.004 + attack-object-name: Compile After Delivery + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on suspicious compilation. No documentation is + provided on the logic for determining a suspicious compilation event. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1027 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Linux auditd alerts and Log Analytics agent integration 
@@ -1536,12 +2669,48 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Linux +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on multiple successful and failed brute force attempts + against SSH. There are no alerts for other methods of logging into Linux machines. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on multiple successful and failed brute force attempts + against SSH. There are no alerts for other methods of logging into Linux machines. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alert on multiple successful and failed brute force attempts + against SSH. There are no alerts for other methods of logging into Linux machines. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping capability-id: Linux auditd alerts and Log Analytics agent integration 
@@ -1551,27 +2720,53 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Defender - Linux -- attack-object-id: T1021 - attack-object-name: Remote Services +- attack-object-id: T1003.008 + attack-object-name: /etc/passwd and /etc/shadow capability-id: Linux auditd alerts and Log Analytics agent integration - comments: Detections are periodic at an unknown rate. + comments: This control may alert on suspicious access to encrypted user passwords. + The documentation does not reference "/etc/passwd" and "/etc/shadow" directly + nor does it describe the logic in determining suspicious access. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1003 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1021 + attack-object-name: Remote Services + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: Detections are periodic at an unknown rate. mapping-description: '' mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender - Linux +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: Linux auditd alerts and Log Analytics agent integration + comments: This control may alerts on SSH brute force attempts, addition of new SSH + keys, and usage of a SSH server within a container. Alerts may not be generated + by usage of existing SSH keys by malicious actors for lateral movement. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image capability-id: Linux auditd alerts and Log Analytics agent integration @@ -1581,7 +2776,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1596,7 +2791,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -1611,11 +2806,32 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender +- attack-object-id: T1562.001 + attack-object-name: Disable or Modify Tools + capability-id: Azure Defender for Resource Manager + comments: 'The following alerts are available for Windows Defender security features + being disabled but none for third party security tools: "Antimalware broad files + exclusion in your virtual machine", "Antimalware disabled and code execution in + your virtual machine", "Antimalware disabled in your virtual machine", "Antimalware + file exclusion and code execution in your virtual machine", "Antimalware file + exclusion in your virtual machine", "Antimalware real-time protection was disabled + in your virtual machine", "Antimalware real-time protection was disabled temporarily + in your virtual machine", "Antimalware real-time protection was disabled temporarily + while code was executed in your virtual machine", "Antimalware temporarily disabled + in your virtual machine", "Antimalware unusual file exclusion in your virtual + machine".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery capability-id: Azure Defender for Resource Manager @@ -1625,7 +2841,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
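Review bot: The added T1562.001 record quotes ten alert names in `comments` but is emitted with `references: []` and `tags: []`, while the record just before it in this hunk, for the same capability, keeps the defender-for-resource-manager and alerts-reference links. A `score-value: Partial` detection claim then has no source a reader can check it against, and the sub-technique records added in the other hunks of this file have the same empty lists. Presumably the parser flattens sub-technique scores without copying the capability-level fields; consider carrying the parent's `references` and `tags` onto each flattened record, or stating in the format description that they are inherited through `related-score`.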
@@ -1639,7 +2855,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1653,7 +2869,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1667,11 +2883,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender +- attack-object-id: T1069.003 + attack-object-name: Cloud Groups + capability-id: Azure Defender for Resource Manager + comments: 'This control may alert on Permission Groups Discovery of Cloud Groups + activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It + may not generate alerts on undocumented discovery techniques or exploitation toolkits. + The following alerts may be generated: "MicroBurst exploitation toolkit used to + enumerate resources in your subscriptions", "Azurite toolkit run detected".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1069 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery capability-id: Azure Defender for Resource Manager 
@@ -1681,11 +2912,28 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Defender +- attack-object-id: T1087.004 + attack-object-name: Cloud Account + capability-id: Azure Defender for Resource Manager + comments: 'This control may alert on Account Discovery of Cloud Accounts activity + generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not + generate alerts on undocumented discovery techniques or exploitation toolkits. + The following alerts may be generated: "PowerZure exploitation toolkit used to + enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit + used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate + resources in your subscriptions", "Azurite toolkit run detected".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores capability-id: Azure Defender for Resource Manager @@ -1695,7 +2943,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -1709,7 +2957,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -1728,7 +2976,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1749,7 +2997,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1770,13 +3018,35 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Adaptive Network Hardening - Azure Security Center Recommendation - Network +- attack-object-id: T1602.002 + attack-object-name: Network Device Configuration Dump + capability-id: Network Security Groups + comments: Can limit access to client management interfaces or configuration databases + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1602 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1602.001 + attack-object-name: SNMP (MIB Dump) + capability-id: Network Security Groups + comments: Can limit access to client management interfaces or configuration databases + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1602 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot capability-id: Network Security Groups 
@@ -1791,13 +3061,25 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Adaptive Network Hardening - Azure Security Center Recommendation - Network +- attack-object-id: T1542.005 + attack-object-name: TFTP Boot + capability-id: Network Security Groups + comments: This control can be used to restrict clients to connecting (and therefore + booting) from only trusted network resources. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1542 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol capability-id: Network Security Groups 
@@ -1812,13 +3094,49 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Adaptive Network Hardening - Azure Security Center Recommendation - Network +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: Network Security Groups + comments: This control can reduce the protocols available for data exfiltration. + Temporal immediate, coverage substantial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1048.002 + attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol + capability-id: Network Security Groups + comments: This control can reduce the protocols available for data exfiltration. + Temporal immediate, coverage substantial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1048.001 + attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol + capability-id: Network Security Groups + comments: This control can reduce the protocols available for data exfiltration. + Temporal immediate, coverage substantial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services capability-id: Network Security Groups 
@@ -1833,7 +3151,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1854,13 +3172,103 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Adaptive Network Hardening - Azure Security Center Recommendation - Network +- attack-object-id: T1021.006 + attack-object-name: Windows Remote Management + capability-id: Network Security Groups + comments: This control can be used to restrict direct access to remote services + to trusted networks. This mitigates even an adversary with a valid account from + accessing resources. This can be circumvented though if an adversary is able + to compromise a trusted host and move laterally to a protected network. This + results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.005 + attack-object-name: VNC + capability-id: Network Security Groups + comments: This control can be used to restrict direct access to remote services + to trusted networks. This mitigates even an adversary with a valid account from + accessing resources. This can be circumvented though if an adversary is able + to compromise a trusted host and move laterally to a protected network. This + results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: Network Security Groups + comments: This control can be used to restrict direct access to remote services + to trusted networks. 
This mitigates even an adversary with a valid account from + accessing resources. This can be circumvented though if an adversary is able + to compromise a trusted host and move laterally to a protected network. This + results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.003 + attack-object-name: Distributed Component Object Model + capability-id: Network Security Groups + comments: This control can be used to restrict direct access to remote services + to trusted networks. This mitigates even an adversary with a valid account from + accessing resources. This can be circumvented though if an adversary is able + to compromise a trusted host and move laterally to a protected network. This + results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.002 + attack-object-name: SMB/Windows Admin Shares + capability-id: Network Security Groups + comments: This control can be used to restrict direct access to remote services + to trusted networks. This mitigates even an adversary with a valid account from + accessing resources. This can be circumvented though if an adversary is able + to compromise a trusted host and move laterally to a protected network. This + results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1021.001 + attack-object-name: Remote Desktop Protocol + capability-id: Network Security Groups + comments: This control can be used to restrict direct access to remote services + to trusted networks. 
This mitigates even an adversary with a valid account from + accessing resources. This can be circumvented though if an adversary is able + to compromise a trusted host and move laterally to a protected network. This + results in an overall partial (coverage) score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools capability-id: Network Security Groups @@ -1875,7 +3283,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1896,7 +3304,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1917,7 +3325,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1938,7 +3346,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1959,7 +3367,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1980,7 +3388,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -2001,13 +3409,49 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Adaptive Network Hardening - Azure Security Center Recommendation - Network +- attack-object-id: T1499.003 + attack-object-name: Application Exhaustion Flood + capability-id: Network Security Groups + comments: This control can be used to restrict access to endpoints and thereby mitigate + low-end DOS attacks. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1499.002 + attack-object-name: Service Exhaustion Flood + capability-id: Network Security Groups + comments: This control can be used to restrict access to endpoints and thereby mitigate + low-end DOS attacks. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: Network Security Groups + comments: This control can be used to restrict access to endpoints and thereby mitigate + low-end DOS attacks. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1570 attack-object-name: Lateral Tool Transfer capability-id: Network Security Groups 
@@ -2022,7 +3466,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2043,7 +3487,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2064,13 +3508,49 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Adaptive Network Hardening - Azure Security Center Recommendation - Network +- attack-object-id: T1090.003 + attack-object-name: Multi-hop Proxy + capability-id: Network Security Groups + comments: This control can restrict access between systems, enclaves, and workloads + thereby mitigating these proxy related sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1090.002 + attack-object-name: External Proxy + capability-id: Network Security Groups + comments: This control can restrict access between systems, enclaves, and workloads + thereby mitigating these proxy related sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1090.001 + attack-object-name: Internal Proxy + capability-id: Network Security Groups + comments: This control can restrict access between systems, enclaves, and workloads + thereby mitigating these proxy related sub-techniques. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1219 attack-object-name: Remote Access Software capability-id: Network Security Groups 
@@ -2085,7 +3565,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2106,13 +3586,27 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Adaptive Network Hardening - Azure Security Center Recommendation - Network +- attack-object-id: T1205.001 + attack-object-name: Port Knocking + capability-id: Network Security Groups + comments: This control can be used to implement whitelist based network rules that + can mitigate variations of this sub-techniques that result in opening closed ports + for communication. Because this control is able to drop traffic before reaching + a compromised host, it can effectively mitigate this port knocking sub-technique. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1205 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Azure Sentinel 
@@ -2134,12 +3628,120 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Threat Hunting +- attack-object-id: T1078.001 + attack-object-name: Default Accounts + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Rare processes run by Service accounts" query + can identify potential misuse of default accounts. Because this detection is specific + to rare processes its coverage score is Minimal resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1078.002 + attack-object-name: Domain Accounts + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potential compromise + of domain accounts based on access attempts and/or account usage: "Suspicious + Windows Login outside normal hours", "User account added or removed from security + group by an unauthorized user", "User Account added to Built in Domain Local or + Global Group", "User Login IP Address Teleportation", "User made Owner of multiple + teams", "Tracking Privileged Account Rare Activity", "New Admin account activity + which was not seen historically", "New client running queries", "New users running + queries", "Non-owner mailbox login activity", "Powershell or non-browser mailbox + login activity", "Rare User Agent strings", "Same IP address with multiple csUserAgent" + which may indicate that an account is being used from a new device, "Rare domains + seen in Cloud Logs" when accounts from uncommon domains access or attempt to access + cloud resources, "Same User - Successful logon for a given App and failure on + another App within 1m and low distribution", "Hosts with new logons", 
"Inactive + or new account signins", "Long lookback User Account Created and Deleted within + 10mins", "Anomalous Geo Location Logon", and "Anomalous Sign-in Activity". + + The following Azure Sentinel Analytics queries can identify potential compromise + of domain accounts based on access attempts and/or account usage: "Anomalous User + Agent connection attempt", "New UserAgent observed in last 24 hours" which may + indicate that an account is being used from a new device, "Anomalous sign-in location + by user account and authenticating application", "Anomalous login followed by + Teams action", "GitHub Signin Burst from Multiple Locations", "Sign-ins from IPs + that attempt sign-ins to disabled accounts", "Failed Host logons but success logon + to AzureAD", and "Anomalous RDP Login Detections".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.003 + attack-object-name: Local Accounts + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potential compromise + of local accounts based on access attempts and/or account usage: "Suspicious Windows + Login outside normal hours", "User Login IP Address Teleportation", "User account + added or removed from a security group by an unauthorized user", "User Account + added to Built in Domain Local or Global Group", "User added to SQL Server SecurityAdmin + Group", "User Role altered on SQL Server", "User made Owner of multiple teams", + "Tracking Privileged Account Rare Activity", and "Anomalous Login to Devices". 
+ + The following Azure Sentinel Analytics queries can identify potential compromise + of local accounts based on access attempts and/or account usage: "User account + enabled and disabled within 10 mins", "Long lookback User Account Created and + Deleted within 10mins", "Explicit MFA Deny", "Hosts with new logons", "Inactive + or new account signins", "Anomalous SSH Login Detection", and "Anomalous RDP Login + Detections".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potential compromise + of cloud accounts: "New Admin account activity which was not seen historically", + "New client running queries", "New users running queries", "User returning more + data than daily average", "User Login IP Address Teleportation", "Non-owner mailbox + login activity", "Powershell or non-browser mailbox login activity", "Rare User + Agent strings" and "Same IP address with multiple csUserAgent" which may indicate + that an account is being used from a new device, "Rare domains seen in Cloud Logs", + "Same User - Successful logon for a given App and failure on another App within + 1m and low distribution", "Anomalous Azure Active Directory Apps based on authentication + location", "Anomalous Geo Location Logon", "Anomalous Sign-in Activity", "Azure + Active Directory sign-in burst from multiple locations", and "Azure Active Directory + signins from new locations". 
+ + + The following Azure Sentinel Analytics queries can identify potential compromise + of cloud accounts: "Anomalous User Agent connection attempt" and "New UserAgent + observed in last 24 hours", which may indicate that an account is being used from + a new device which may belong to an adversary; "Anomalous sign-in location by + user account and authenticating application", "GitHub Signin Burst from Multiple + Locations", "GitHub Activites from a New Country", and "Sign-ins from IPs that + attempt sign-ins to disabled accounts", which may indicate adversary access from + atypical locations; "Azure Active Directory PowerShell accessing non-AAD resources", + "Anomalous login followed by Teams action", "Login to AWS management console without + MFA", and "Azure Active Directory PowerShell accessing non-AAD resources" which + may indicate an adversary attempting to use a valid account to access resources + from other contexts. The "Correlate Unfamiliar sign-in properties" query can further + enhance detection of anomalous activity.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1195 attack-object-name: Supply Chain Compromise capability-id: Azure Sentinel 
@@ -2161,12 +3763,41 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1195.001 + attack-object-name: Compromise Software Dependencies and Development Tools + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potentially + malicious changes to Azure DevOps project resources: "Azure DevOps - Project Visibility + changed to public" can identify a specific action that may be an indicator of + an attacker modifying the cloud compute infrastructure. "Azure DevOps - Public + project created" and "Azure DevOps - Public project enabled by admin" can identify + specific instances of potential defense evasion. + + The following Azure Sentinel Analytics queries can identify potentially malicious + changes to Azure DevOps project resources: "AzureDevops Service Connection Abuse" + can detect potential malicious behavior associated with use of large number of + service connections, "External Upstream Source added to Azure DevOps" identifies + a specific behavior that could compromise the DevOps build pipeline, "Azure DevOps + Pull Request Policy Bypassing - History" can identify specific potentially malicious + behavior that compromises the build process, "Azure DevOps Pipeline modified by + a New User" identifies potentially malicious activity that could compromise the + DevOps pipeline, "Azure DevOps Administrator Group Monitoring" monitors for specific + activity which could compromise the build/release process, "New Agent Added to + Pool by New User or a New OS" can detect a suspicious behavior that could potentially + compromise DevOps pipeline.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1195 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Azure Sentinel 
@@ -2188,12 +3819,129 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Threat Hunting +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Azure Sentinel + comments: 'The "Summary of user logons by logon type" Azure Sentinel Hunting query + compares successful and unsuccessful logon attempts to identify potential lateral + movement. + + The following Azure Sentinel Hunting queries can identify potential attempts at + credential brute force based on unsuccessful attempts: "VIP account more than + 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", + "Permutations on logon attempts by UserPrincipalNames indicating potential brute + force", "Potential IIS brute force", "Failed attempt to access Azure Portal", + "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", + "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service + logon attempt by user account with available AuditData", "Login attempt by Blocked + MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled + accounts by IP address", "Attempts to sign-in to disabled accounts by account + name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" + + The following Azure Sentinel Analytics queries can identify potential attempts + at credential brute force based on unsuccessful attempts: "Brute force attack + against Azure Portal", "Password spray attack against Azure AD application", "Successful + logon from IP and failure from a different IP", "Failed logon attempts in authpriv", + "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", + "Failed login attempts to Azure Portal", "Failed logon attempts by valid 
accounts + within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password + cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic + assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts + to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to + disabled accounts", "High count of failed logins by a user", "Hi count of failed + attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - + Multiple authentication failures followed by success".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure Sentinel + comments: 'The "Summary of user logons by logon type" Azure Sentinel Hunting query + compares successful and unsuccessful logon attempts to identify potential lateral + movement. 
+ + The following Azure Sentinel Hunting queries can identify potential attempts at + credential brute force based on unsuccessful attempts: "VIP account more than + 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", + "Permutations on logon attempts by UserPrincipalNames indicating potential brute + force", "Potential IIS brute force", "Failed attempt to access Azure Portal", + "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", + "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service + logon attempt by user account with available AuditData", "Login attempt by Blocked + MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled + accounts by IP address", "Attempts to sign-in to disabled accounts by account + name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" + + The following Azure Sentinel Analytics queries can identify potential attempts + at credential brute force based on unsuccessful attempts: "Brute force attack + against Azure Portal", "Password spray attack against Azure AD application", "Successful + logon from IP and failure from a different IP", "Failed logon attempts in authpriv", + "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", + "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts + within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password + cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic + assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts + to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to + disabled accounts", "High count of failed logins by a user", "Hi count of failed + attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - + Multiple authentication failures followed by success".' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Azure Sentinel + comments: 'The "Summary of user logons by logon type" Azure Sentinel Hunting query + compares successful and unsuccessful logon attempts to identify potential lateral + movement. + + The following Azure Sentinel Hunting queries can identify potential attempts at + credential brute force based on unsuccessful attempts: "VIP account more than + 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", + "Permutations on logon attempts by UserPrincipalNames indicating potential brute + force", "Potential IIS brute force", "Failed attempt to access Azure Portal", + "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", + "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service + logon attempt by user account with available AuditData", "Login attempt by Blocked + MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled + accounts by IP address", "Attempts to sign-in to disabled accounts by account + name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" + + The following Azure Sentinel Analytics queries can identify potential attempts + at credential brute force based on unsuccessful attempts: "Brute force attack + against Azure Portal", "Password spray attack against Azure AD application", "Successful + logon from IP and failure from a different IP", "Failed logon attempts in authpriv", + "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", + "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts + within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password + cracking attempts in AzureAD", 
"Potential Password Spray Attack" based on periodic + assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts + to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to + disabled accounts", "High count of failed logins by a user", "Hi count of failed + attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - + Multiple authentication failures followed by success".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation capability-id: Azure Sentinel @@ -2215,12 +3963,29 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "First access credential added to Application + or Service Principal where no credential was present" query can identify potentially + malicious changes to Service Principal credentials. + + The Azure Sentinel Analytics "Credential added after admin consented to Application" + and "New access credential added to Application or Service Principal" queries + can identify potentially malicious manipulation of additional cloud credentials.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol capability-id: Azure Sentinel 
@@ -2242,12 +4007,46 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1071.001 + attack-object-name: Web Protocols + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Analytics queries can identify potentially + malicious use of web protocols: "Powershell Empire cmdlets seen in command line" + can identify use of Empire, which can perform command and control over protocols + like HTTP and HTTPS. "Request for single resource on domain" can identify patterns + that suggest possible command and control beaconing. The coverage for these queries + is minimal resulting in an overall Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potentially + malicious use of DNS: "RareDNSLookupWithDataTransfer" [sic] can identify data + transfer over DNS, though it is contingent on DNS traffic meeting the requirements + to be considered rare. "Abnormally Long DNS URI queries" can identify suspicious + DNS queries that may be indicative of command and control operations. "DNS - domain + anomalous lookup increase", "DNS Full Name anomalous lookup increase", and "DNS + lookups for commonly abused TLDs" can identify increases in domain lookups for + a client IP and indicate malicious traffic or exfiltration of sensitive data.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1567 attack-object-name: Exfiltration Over Web Service capability-id: Azure Sentinel 
@@ -2269,12 +4068,42 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1567.002 + attack-object-name: Exfiltration to Cloud Storage + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can identify use of Empire, which can use Dropbox and GitHub for data + exfiltration. The Azure Sentinel Analytics "SharePointFileOperation via previously + unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage + for these queries is minimal resulting in an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1567 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1567.001 + attack-object-name: Exfiltration to Code Repository + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can identify use of Empire, which can use Dropbox and GitHub for data + exfiltration. The Azure Sentinel Analytics "SharePointFileOperation via previously + unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage + for these queries is minimal resulting in an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1567 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1595 attack-object-name: Active Scanning capability-id: Azure Sentinel 
@@ -2296,12 +4125,28 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "High count of connections by client IP on + many ports" query can identify client IP addresses with 30 or more active ports + used within a ten minute window, checked at a default frequency of once per hour, + which may indicate scanning. Note that false positives are probable based on changes + in usage patterns and/or misconfiguration, and this detection only works if scanning + is not spread out over a longer timespan. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer capability-id: Azure Sentinel @@ -2323,7 +4168,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -2350,12 +4195,30 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potential exfiltration: + "Abnormally long DNS URI queries" can identify potential exfiltration via DNS. + "Multiple users email forwarded to same destination" and "Office Mail Forwarding + - Hunting Version" can detect potential exfiltration via email. + + The Azure Sentinel Analytics "Multiple users email forwarded to same destination" + query can detect potential exfiltration via email. The coverage for these queries + is minimal resulting in an overall Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1496 attack-object-name: Resource Hijacking capability-id: Azure Sentinel @@ -2377,7 +4240,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -2404,12 +4267,41 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1070.001 + attack-object-name: Clear Windows Event Logs + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Security Event Log Cleared" query can detect + clearing of the security event logs, though not necessarily clearing of any arbitrary + Windows event logs. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1070 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1070.006 + attack-object-name: Timestomp + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "Windows System Time changed on hosts" query + can detect potential timestomping activities. + + The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" + query can identify use of Empire, which can timestomp files and/or payloads on + a target machine to help them blend in.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1070 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter capability-id: Azure Sentinel 
@@ -2431,39 +4323,145 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting -- attack-object-id: T1213 - attack-object-name: Data from Information Repositories +- attack-object-id: T1059.001 + attack-object-name: PowerShell capability-id: Azure Sentinel - comments: 'The following capabilities of Azure Sentinel were mapped: Default list - of Azure Sentinel Analytics (from the rule template list) Default list of Azure - Sentinel Hunting queries - - Queries based on 3rd party analytics and/or specific IOC information were omitted - from this mapping. Query names are identified in quotes throughout this mapping. - - Azure Sentinel Analytics queries are generally periodic, typically on a period - of one or more hours. - - Azure Sentinel Hunting queries are performed on demand. Note also that a number - of the Hunting queries are examples that can be modified for additional use, but - scoring was performed on the queries as-written.' + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can identify use of Empire, which leverages PowerShell for the majority + of its client-side agent tasks and can conduct PowerShell remoting. The coverage + for these queries is minimal (specific to Empire) resulting in an overall Minimal + score. mapping-description: '' mapping-type: technique-scores - references: - - https://docs.microsoft.com/en-us/azure/sentinel/overview + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1059.003 + attack-object-name: Windows Command Shell + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "Cscript script daily summary breakdown" can + detect potentially malicious scripting. 
The Azure Sentinel Hunting "Hosts running + a rare process with commandline" query can identify uncommon command shell usage + that may be malicious. + + The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" + query can identify use of Empire, which has modules for executing Windows Command + Shell scripts. The Azure Sentinel Analytics "Base64 encoded Windows process command-lines" + query can identify Base64 encoded PE files being launched via the command line.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1059.004 + attack-object-name: Unix Shell + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Rare process running on a Linux host" query + can identify uncommon shell usage that may be malicious. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1059.007 + attack-object-name: JavaScript/JScript + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Cscript script daily summary breakdown" can + detect potentially malicious scripting. The Azure Sentinel Hunting "Hosts running + a rare process with commandline" query can identify uncommon command shell usage + that may be malicious. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1059.005 + attack-object-name: Visual Basic + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Cscript script daily summary breakdown" can + detect potentially malicious scripting. The Azure Sentinel Hunting "Hosts running + a rare process with commandline" query can identify uncommon command shell usage + that may be malicious. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1059.006 + attack-object-name: Python + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Cscript script daily summary breakdown" can + detect potentially malicious scripting. The Azure Sentinel Hunting "Hosts running + a rare process with commandline" query can identify uncommon command shell usage + that may be malicious. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1213 + attack-object-name: Data from Information Repositories + capability-id: Azure Sentinel + comments: 'The following capabilities of Azure Sentinel were mapped: Default list + of Azure Sentinel Analytics (from the rule template list) Default list of Azure + Sentinel Hunting queries + + Queries based on 3rd party analytics and/or specific IOC information were omitted + from this mapping. Query names are identified in quotes throughout this mapping. + + Azure Sentinel Analytics queries are generally periodic, typically on a period + of one or more hours. + + Azure Sentinel Hunting queries are performed on demand. Note also that a number + of the Hunting queries are examples that can be modified for additional use, but + scoring was performed on the queries as-written.' 
+ mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1213.002 + attack-object-name: Sharepoint + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potentially + malicious access to SharePoint: "SharePointFileOperation via clientIP with previously + unseen user agents", "SharePointFileOperation via devices with previously unseen + user agents", and "SharePointFileOperation via previously unseen IPs". + + The Azure Sentinel Analytics "SharePointFileOperation via devices with previously + unseen user agents" query can identify a high number of upload or download actions + by an unknown and possible malicious actor.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1213 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1531 attack-object-name: Account Access Removal capability-id: Azure Sentinel @@ -2485,7 +4483,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -2512,7 +4510,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
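Review bot: In the hunk at -2431, the added T1059.006 (Python) entry reuses the `comments` text of T1059.005 (Visual Basic) and T1059.007 (JavaScript/JScript), which credits the "Cscript script daily summary breakdown" hunting query. cscript.exe is the Windows Script Host and by default runs VBScript and JScript, so for Python only the "Hosts running a rare process with commandline" query plausibly applies. The `Detect` / `Minimal` score on that entry therefore rests on less evidence than the comment suggests. The text looks carried over from the source mapping rather than written for this fixture, so the correction probably belongs there. For the Python entry I would trim the comment to `The Azure Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon interpreter usage that may be malicious.` and regenerate the fixture.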
@@ -2539,12 +4537,72 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Threat Hunting +- attack-object-id: T1136.001 + attack-object-name: Local Account + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "New User created on SQL Server" query can + detect a specific type of potentially malicious local account creation. + + The following Azure Sentinel Analytics queries can identify potentially malicious + local account creation: "Summary of users created using uncommon/undocumented + commandline switches" which can identify use of the net command to create user + accounts, "User created by unauthorized user", "User Granted Access and associated + audit activity" and "User Granted Access and Grants others Access" which may identify + account creation followed by suspicious behavior, "User account created and deleted + within 10 mins" which suggests an account may have existed only long enough to + fulfill a malicious purpose, and "Powershell Empire cmdlets seen in command line" + which can identify use of Empire, including for account creation.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1136.002 + attack-object-name: Domain Account + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Analytics queries can identify potentially + malicious domain account creation: "Summary of users created using uncommon/undocumented + commandline switches" which can identify use of the net command to create user + accounts, "User created by unauthorized user", "User Granted Access and associated + audit activity" and "User Granted Access and Grants others Access" which may identify + account creation followed by suspicious behavior, "User account created and deleted + within 10 mins" which suggests an account may have existed only long enough to + fulfill a malicious purpose, and "Powershell Empire cmdlets seen in command line" + which can identify use of Empire, including for account creation.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1136.003 + attack-object-name: Cloud Account + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting queries can identify potentially malicious + cloud account creation: "External user added and removed in short timeframe" and + "External user from a new organisation added" can identify the addition of new + external Teams user accounts. + + The following Azure Sentinel Analytics queries can identify potentially malicious + cloud account creation: "User Granted Access and created resources" which identifies + a newly created user account gaining access and creating resources in Azure, and + "New Cloud Shell User".' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1114 attack-object-name: Email Collection capability-id: Azure Sentinel 
@@ -2566,12 +4624,54 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1114.001 + attack-object-name: Local Email Collection + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can identify use of Empire, which has the ability to collect emails + on a target system. The coverage for these queries is minimal (specific to Empire) + resulting in an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1114 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1114.002 + attack-object-name: Remote Email Collection + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Suspect Mailbox Export on IIS/OWA" query can + identify potential malicious exfiltration hosting via IIS. The Azure Sentinel + Hunting "Host Exporting Mailbox and Removing Export" query can identify potential + exfiltration of data from Exchange servers. The coverage for these queries is + minimal resulting in an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1114 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1114.003 + attack-object-name: Email Forwarding Rule + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Mail redirect via ExO transport rule" query + can detect potentially malicious email redirection, but is limited to Exchange + servers only. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1114 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component capability-id: Azure Sentinel @@ -2593,12 +4693,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1505.003 + attack-object-name: Web Shell + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Web shell command alert enrichment", "Web + shell Detection", and "Web shell file alert enrichment" queries can identify potentially + malicious activity via web shell. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1505 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1573 attack-object-name: Encrypted Channel capability-id: Azure Sentinel 
@@ -2620,12 +4733,29 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1573.002 + attack-object-name: Asymmetric Cryptography + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Analytics queries can detect potentially + malicious usage of asymmetric cryptography channels: "DNS events related to ToR + proxies" can identify potential use of Tor, though it provides only minimal coverage + because it only covers a set of common domains and is easily bypassed via hardcoded + IP addresses, redirection, etc. "Powershell Empire cmdlets seen in command line" + can identify use of Empire, which can use TLS to encrypt a command and control + channel.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1573 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1090 attack-object-name: Proxy capability-id: Azure Sentinel 
@@ -2647,12 +4777,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1090.003 + attack-object-name: Multi-hop Proxy + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "DNS events related to ToR proxies" query + can identify potential use of Tor, though it provides only minimal coverage because + it only covers a set of common domains and is easily bypassed via hardcoded IP + addresses, redirection, etc. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses capability-id: Azure Sentinel 
@@ -2674,12 +4818,99 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1562.001 + attack-object-name: Disable or Modify Tools + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potentially + malicious modifications to Sentinel resources: "Azure Sentinel Analytics Rules + Administrative Operations", "Azure Sentinel Connectors Administrative Operations", + and "Azure Sentinel Workbooks Administrative Operations". + + The Azure Sentinel Analytics "Starting or Stopping HealthService to Avoid Detection" + query can detect potentially malicious disabling of telemetry collection/detection. + + The coverage for these queries is minimal resulting in an overall Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1562.002 + attack-object-name: Disable Windows Event Logging + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Audit policy manipulation using auditpol + utility" query can detect potentially malicious to modification and/or disabling + of logging via the auditpol utility. The coverage for these queries is minimal + (specific to Audit policy) resulting in an overall Minimal score. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1562.006 + attack-object-name: Indicator Blocking + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "Azure Sentinel Analytics Rules Administrative + Operations" query can identify potential attempts to impair defenses by changing + or deleting detection analytics. + + The Azure Sentinel Analytics "Azure DevOps - Retention Reduced to Zero" query + can identify that an adversary is looking to reduce their malicious activity''s + footprint by preventing retention of artifacts. Control is specific to indicators + produced by Azure DevOps. The coverage for these queries is minimal resulting + in an overall Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1562.007 + attack-object-name: Disable or Modify Cloud Firewall + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Hunting queries can identify potentially + malicious modifications to cloud firewall resources: "Azure Network Security Group + NSG Administrative Operations" query can identify potential defensive evasion + involving changing or disabling network access rules. "Port opened for an Azure + Resource" may indicate an adversary increasing the accessibility of a resource + for easier collection/exfiltration. + + The Azure Sentinel Analytics "Security Service Registry ACL Modification" query + can detect attempts to modify registry ACLs, potentially done to evade security + solutions.' 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1562.008 + attack-object-name: Disable Cloud Logs + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Exchange AuditLog disabled" query can detect + potentially malicious disabling of Exchange logs. The Azure Sentinel Analytics + "Azure DevOps Audit Stream Disabled" query can identify disabling of Azure DevOps + log streaming. The coverage for these queries is minimal (specific to these technologies) + resulting in an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection capability-id: Azure Sentinel @@ -2701,7 +4932,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -2728,7 +4959,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -2755,12 +4986,29 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1568.002 + attack-object-name: Domain Generation Algorithms + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "Potential DGA detected" query can detect + clients with a high NXDomain count, which might indicate an adversary cycling + through possible C2 domains where most C2s are not live. + + The following Azure Sentinel Analytics queries can identify potential use of domain + generation algorithms: "Possible contact with a domain generated by a DGA" and + "Potential DGA detected" within DNS.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1568 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: Azure Sentinel @@ -2782,7 +5030,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -2809,12 +5057,41 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1137.005 + attack-object-name: Outlook Rules + capability-id: Azure Sentinel + comments: 'The following Azure Sentinel Analytics queries can identify potentially + malicious use of Outlook rules: "Office policy tampering", "Malicious Inbox Rule" + which can detect rules intended to delete emails that contain certain keywords + (generally meant to warn compromised users about adversary behaviors), and "Mail + redirect via ExO transport rule" (potentially to an adversary mailbox configured + to collect mail).' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1137 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1137.006 + attack-object-name: Add-ins + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Previously unseen bot or applicaiton added + to Teams" [sic] query can detect the addition of a potentially malicious add-in, + but is specific to Microsoft Teams. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1137 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1140 attack-object-name: Deobfuscate/Decode Files or Information capability-id: Azure Sentinel @@ -2836,7 +5113,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -2863,12 +5140,51 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1558.003 + attack-object-name: Kerberoasting + capability-id: Azure Sentinel + comments: Azure Sentinel Analytics includes a "Potential Kerberoasting" query. Kerberoasting + via Empire can also be detected using the Azure Sentinel Analytics "Powershell + Empire cmdlets seen in command line" query. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1558.001 + attack-object-name: Golden Ticket + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect execution of these sub-techniques via Empire, but does + not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1558.002 + attack-object-name: Silver Ticket + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect execution of these sub-techniques via Empire, but does + not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation capability-id: Azure Sentinel 
@@ -2890,7 +5206,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -2917,7 +5233,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -2944,12 +5260,79 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1021.001 + attack-object-name: Remote Desktop Protocol + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "anomalous RDP Activity" query can detect + potential lateral + + movement employing RDP. + + + The following Azure Sentinel Analytics queries can identify potentially malicious + use + + of RDP: + + "Anomalous RDP Login Detections", "Multiple RDP connections from Single Systems", + + "Rare RDP Connections", and "RDP Nesting".' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1021.002 + attack-object-name: SMB/Windows Admin Shares + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Anomalous Resource Access" query can identify + potential lateral movement via use of valid accounts to access network shares + (Windows Event 4624:3). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1021.003 + attack-object-name: Distributed Component Object Model + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can utilize Invoke-DCOM to leverage + remote COM execution for lateral movement, but does not address other procedures. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which contains modules for executing + commands over SSH as well as in-memory VNC agent injection, but does not address + other procedures. Azure Sentinel Analytics also provides a "New internet-exposed + SSH endpoints" query. + + The coverage for these queries is minimal resulting in an overall Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials capability-id: Azure Sentinel @@ -2971,7 +5354,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -2998,12 +5381,64 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1552.001 + attack-object-name: Credentials In Files + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Analytics "Azure DevOps - Variable Secret Not Secured" + query can identify credentials stored in the build process and protect against + future credential access by suggesting that they be moved to a secret or stored + in KeyVault before they can be accessed by an adversary. + + The coverage for these queries is minimal resulting in an overall Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1552.001 + attack-object-name: Credentials In Files + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "Query looking for secrets" query can identify + potentially malicious database requests for secrets like passwords or other credentials. + + The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" + query can detect the use of Empire, which can use various modules to search for + files containing passwords, but does not address other procedures. + + The coverage for these queries is minimal resulting in an overall Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1552.004 + attack-object-name: Private Keys + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Analytics "ADFS DKM Master Key Export" and "ADFS Key + Export (Sysmon)" queries can detect potentially malicious access intended to decrypt + access tokens. 
The Azure Sentinel Analytics "Powershell Empire cmdlets seen in + command line" query can detect the use of Empire, which can use modules to extract + private key and session information, but does not address other procedures. + + The coverage for these queries is minimal (specific to Empire, ADFS) resulting + in an overall Minimal score.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1590 attack-object-name: Gather Victim Network Information capability-id: Azure Sentinel @@ -3025,12 +5460,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1590.002 + attack-object-name: DNS + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Rare client observed with high reverse DNS + lookup count" query can detect if a particular IP is observed performing an unusually + high number of reverse DNS lookups and has not been observed doing so previously. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism capability-id: Azure Sentinel 
@@ -3052,12 +5500,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1548.002 + attack-object-name: Bypass User Account Control + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which includes various modules to attempt + to bypass UAC for privilege escalation, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1548 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation capability-id: Azure Sentinel 
@@ -3079,16 +5540,44 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting -- attack-object-id: T1087 - attack-object-name: Account Discovery +- attack-object-id: T1134.002 + attack-object-name: Create Process with Token capability-id: Azure Sentinel - comments: 'The following capabilities of Azure Sentinel were mapped: Default list + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can be used to make tokens via + Invoke-RunAs and add a SID-History to a user if on a domain controller, but does + not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1134 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1134.005 + attack-object-name: SID-History Injection + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can be used to make tokens via + Invoke-RunAs and add a SID-History to a user if on a domain controller, but does + not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1134 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1087 + attack-object-name: Account Discovery + capability-id: Azure Sentinel + comments: 'The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries 
@@ -3106,12 +5595,56 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1087.002 + attack-object-name: Domain Account + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "Enumeration of users and groups" query can + identify potentially malicious account discovery through the use of the net tool. + + The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" + query can detect the use of Empire, which can acquire local and domain user account + information, but does not address other procedures.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1087.001 + attack-object-name: Local Account + capability-id: Azure Sentinel + comments: 'The Azure Sentinel Hunting "Enumeration of users and groups" query can + identify potentially malicious account discovery through the use of the net tool. + + The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" + query can detect the use of Empire, which can acquire local and domain user account + information, but does not address other procedures.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1087.003 + attack-object-name: Email Account + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Mail.Read Permissions Granted to Application" + query can identify applications that may have been abused to gain access to mailboxes. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1560 attack-object-name: Archive Collected Data capability-id: Azure Sentinel @@ -3133,7 +5666,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3160,12 +5693,54 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1547.005 + attack-object-name: Security Support Provider + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can enumerate SSPs, install malicious + SSPs, persist by modifying .lnk files to include backdoors, and modify the registry + run keys, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1547.009 + attack-object-name: Shortcut Modification + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can enumerate SSPs, install malicious + SSPs, persist by modifying .lnk files to include backdoors, and modify the registry + run keys, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1547.001 + attack-object-name: Registry Run Keys / Startup Folder + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can enumerate SSPs, install malicious + SSPs, persist by modifying .lnk files to include backdoors, and modify the registry + run keys, but does not address other procedures. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1217 attack-object-name: Browser Bookmark Discovery capability-id: Azure Sentinel @@ -3187,7 +5762,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3214,7 +5789,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3241,12 +5816,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1543.003 + attack-object-name: Windows Service + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can modify service binaries and + restore them to their original states, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1543 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores capability-id: Azure Sentinel 
@@ -3268,12 +5856,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1555.003 + attack-object-name: Credentials from Web Browsers + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can extract passwords from common + web browsers including Firefox and Chrome, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1555 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1484 attack-object-name: Domain Policy Modification capability-id: Azure Sentinel 
@@ -3295,12 +5896,37 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Threat Hunting +- attack-object-id: T1484.001 + attack-object-name: Group Policy Modification + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can modify group policy objects + to install and execute malicious scheduled tasks, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1484 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1484.002 + attack-object-name: Domain Trust Modification + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Modified Domain Federation Trust Settings" + query can detect potentially malicious changes to domain trust settings. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1484 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery capability-id: Azure Sentinel @@ -3322,7 +5948,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3349,12 +5975,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1546.008 + attack-object-name: Accessibility Features + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can leverage WMI debugging to + remotely replace binaries like seth.exe, utilman.exe, and magnify.exe with cmd.exe, + but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel capability-id: Azure Sentinel @@ -3376,7 +6016,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3403,7 +6043,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3430,7 +6070,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3457,7 +6097,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3484,12 +6124,72 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1574.001 + attack-object-name: DLL Search Order Hijacking + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can discover and exploit DLL hijacking + opportunities, path interception opportunities in the PATH environment variable, + search order hijacking vulnerabilities, and unquoted path vulnerabilities, but + does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1574.007 + attack-object-name: Path Interception by PATH Environment Variable + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can discover and exploit DLL hijacking + opportunities, path interception opportunities in the PATH environment variable, + search order hijacking vulnerabilities, and unquoted path vulnerabilities, but + does not address other procedures. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1574.008 + attack-object-name: Path Interception by Search Order Hijacking + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can discover and exploit DLL hijacking + opportunities, path interception opportunities in the PATH environment variable, + search order hijacking vulnerabilities, and unquoted path vulnerabilities, but + does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1574.009 + attack-object-name: Path Interception by Unquoted Path + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can discover and exploit DLL hijacking + opportunities, path interception opportunities in the PATH environment variable, + search order hijacking vulnerabilities, and unquoted path vulnerabilities, but + does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1056 attack-object-name: Input Capture capability-id: Azure Sentinel 
@@ -3511,12 +6211,40 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1056.001 + attack-object-name: Keylogging + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which includes keylogging capabilities + for both Windows and Linux and contains modules that leverage API hooking to carry + out tasks, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1056 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1056.004 + attack-object-name: Credential API Hooking + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which includes keylogging capabilities + for both Windows and Linux and contains modules that leverage API hooking to carry + out tasks, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1056 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle capability-id: Azure Sentinel 
@@ -3538,12 +6266,26 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1557.001 + attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can use Inveigh to conduct name + service poisoning for credential theft and associated relay attacks, but does + not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1557 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1106 attack-object-name: Native API capability-id: Azure Sentinel @@ -3565,7 +6307,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3592,7 +6334,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3619,7 +6361,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3646,7 +6388,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3673,12 +6415,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1003.001 + attack-object-name: LSASS Memory + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which contains an implementation of + Mimikatz to gather credentials from memory, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1003 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1057 attack-object-name: Process Discovery capability-id: Azure Sentinel @@ -3700,7 +6455,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3727,7 +6482,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3754,12 +6509,37 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1053.003 + attack-object-name: Cron + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Editing Linux scheduled tasks through Crontab" + query can detect potentially malicious modification of cron jobs. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1053.005 + attack-object-name: Scheduled Task + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can interact with the Windows + task scheduler, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1113 attack-object-name: Screen Capture capability-id: Azure Sentinel @@ -3781,7 +6561,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3808,12 +6588,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1518.001 + attack-object-name: Security Software Discovery + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can enumerate antivirus software + on the target, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1518 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1082 attack-object-name: System Information Discovery capability-id: Azure Sentinel @@ -3835,7 +6628,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3862,7 +6655,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3889,7 +6682,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3916,12 +6709,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1569.002 + attack-object-name: Service Execution + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can use PsExec to execute a payload + on a remote host, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1569 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1127 attack-object-name: Trusted Developer Utilities Proxy Execution capability-id: Azure Sentinel @@ -3943,12 +6749,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1127.001 + attack-object-name: MSBuild + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can use abuse trusted utilities + including MSBuild.exe, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1127 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1550 attack-object-name: Use Alternate Authentication Material capability-id: Azure Sentinel 
@@ -3970,12 +6789,38 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1550.001 + attack-object-name: Application Access Token + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Azure DevOps - PAT used with Browser." query + can identify potentially malicious usage of Personal Access Tokens intended for + code or applications to be used through the web browser. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1550 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1550.002 + attack-object-name: Pass the Hash + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can perform pass the hash attacks, + but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1550 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1125 attack-object-name: Video Capture capability-id: Azure Sentinel @@ -3997,7 +6842,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4024,12 +6869,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1102.002 + attack-object-name: Bidirectional Communication + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command + line" query can detect the use of Empire, which can use Dropbox and GitHub for + command and control, but does not address other procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1102 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process capability-id: Azure Sentinel @@ -4051,7 +6909,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4078,7 +6936,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4105,12 +6963,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1074.001 + attack-object-name: Local Data Staging + capability-id: Azure Sentinel + comments: The Azure Sentinel Analytics "Malware in the recycle bin" query can detect + local hidden malware. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1074 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1490 attack-object-name: Inhibit System Recovery capability-id: Azure Sentinel @@ -4132,7 +7002,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4159,7 +7029,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4186,7 +7056,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4213,7 +7083,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4240,12 +7110,40 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1036.004 + attack-object-name: Masquerade Task or Service + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Exes with double file extension and access + summary" can identify malicious executable files that have been hidden as other + file types. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1036 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1036.005 + attack-object-name: Match Legitimate Name or Location + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Masquerading Files" and "Rare Process Path" + queries can detect an adversary attempting to make malicious activity blend in + with legitimate commands and files. The Azure Sentinel Hunting "Azure DevOps Display + Name Changes" query can detect potentially maliicous changes to the DevOps user + display name. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1036 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure capability-id: Azure Sentinel @@ -4267,7 +7165,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4294,7 +7192,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
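Review bot: The `comments` text added for T1036.004 (Masquerade Task or Service) in the `@@ -4240,12 +7110,40 @@` hunk describes the "Exes with double file extension and access summary" query, which finds executables hidden as other file types. That does not obviously relate to masquerading a task or service, so the sub-technique ID should be confirmed against the source mapping before the Minimal Detect score is relied on. The T1036.005 entry in the same hunk contains the typo "maliicous"; it should read `potentially malicious changes to the DevOps user display name`. If this file is generated, both corrections belong in the mapping data it is parsed from.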
@@ -4321,7 +7219,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4348,12 +7246,36 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/sentinel/overview - https://docs.microsoft.com/en-us/azure/sentinel/hunting - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Threat Hunting +- attack-object-id: T1069.002 + attack-object-name: Domain Groups + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Enumeration of users and groups" query can + identify potentially malicious group discovery through the use of the net tool. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1069 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1069.001 + attack-object-name: Local Groups + capability-id: Azure Sentinel + comments: The Azure Sentinel Hunting "Enumeration of users and groups" query can + identify potentially malicious group discovery through the use of the net tool. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1069 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Azure AD Password Policy @@ -4365,7 +7287,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -4373,6 +7295,61 @@ attack-objects: - Credentials - Identity - Passwords +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Azure AD Password Policy + comments: The password restrictions provided by the default Password policy along + with the lockout threshold and duration settings is an effective protection against + this Password Guessing sub-technique. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.002 + attack-object-name: Password Cracking + capability-id: Azure AD Password Policy + comments: 'The password restrictions provided by the default Password policy can + provide partial protection against password cracking but a determined adversary + with sufficient resources can still be successful with this attack vector. + + In regards to Credential Stuffing, the password policy''s lockout threshold can + be partially effective in mitigating this sub-technique as it may lock the account + before the correct credential is attempted. Although with credential stuffing, + the number of passwords attempted for an account is often (much) fewer than with + Password Guessing reducing the effectiveness of a lockout threshold. This led + to its score being assessed as Partial rather than Significant (as was assessed + for Password Guessing).' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Azure AD Password Policy + comments: 'The password restrictions provided by the default Password policy can + provide partial protection against password cracking but a determined adversary + with sufficient resources can still be successful with this attack vector. 
+ + In regards to Credential Stuffing, the password policy''s lockout threshold can + be partially effective in mitigating this sub-technique as it may lock the account + before the correct credential is attempted. Although with credential stuffing, + the number of passwords attempted for an account is often (much) fewer than with + Password Guessing reducing the effectiveness of a lockout threshold. This led + to its score being assessed as Partial rather than Significant (as was assessed + for Password Guessing).' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery capability-id: Microsoft Defender for Identity @@ -4383,7 +7360,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
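Review bot: The added entries for T1110.002 (Password Cracking) and T1110.004 (Credential Stuffing) carry the same two-paragraph `comments` text, so each entry's rationale includes the reasoning for the other sub-technique. Read alone, the T1110.002 entry attributes lockout-threshold reasoning to password cracking, although the text itself ties that reasoning to credential stuffing, and a reader cannot tell which paragraph justifies the `score-value: Partial` on each entry. Each entry should keep only the paragraph that applies to it. The same duplication appears in the T1087.001/.002, T1547.*, T1574.* and T1056.* entries added in earlier hunks; if the file is generated, the split belongs in the step that expands a parent's sub-technique comments.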
@@ -4392,6 +7369,26 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1087.002 + attack-object-name: Domain Account + capability-id: Microsoft Defender for Identity + comments: 'The following alert of this control is able to detect domain account + discovery: "Account enumeration reconnaissance (external ID 2003)". This shouldn''t + occur frequently and therefore the false positive rate should be minimal. + + The "Security principal reconnaissance (LDAP) (external ID 2038)" alert is also + relevant and its machine learning capabilities should reduce the false positive + rate. + + The "User and IP address reconnaissance (SMB) (external ID 2012)" alert can also + provide a detection on a variation of this sub-technique.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1482 attack-object-name: Domain Trust Discovery capability-id: Microsoft Defender for Identity @@ -4402,7 +7399,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4421,7 +7418,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4440,7 +7437,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
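Review bot: The added `T1087.002` row in the hunk at `@@ -4392,6 +7369,26 @@` has `references: []` and `tags: []`, while the parent Microsoft Defender for Identity rows around it keep the documentation link and a tag list (`Identity`, `Microsoft 365 Defender`, `Windows`). Anyone who filters the mappings by tag, or follows the reference to check how a Detect score was justified, will miss this row, and it is the one with the higher `score-value: Significant`. The other added sub-technique rows on this page show the same empty lists. If the values are meant to be inherited through `related-score`, that should be documented for consumers; otherwise the parent's references and tags should be copied onto each sub-technique row when the file is written.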
@@ -4449,6 +7446,25 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1069.002 + attack-object-name: Domain Groups + capability-id: Microsoft Defender for Identity + comments: 'This control''s "Security principal reconnaissance (LDAP) (external ID + 2038)" alert can be used to detect when an adversary "perform suspicious LDAP + enumeration queries or queries targeted to sensitive groups that use methods not + previously observed." This alert employs machine learning which should reduce + the number of false positives. + + Additionally, this control''s "User and Group membership reconnaissance (SAMR) + (external ID 2021)" alert can detect this sub-technique and also employs machine + learning which should reduce the false-positive rate.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1069 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1210 attack-object-name: Exploitation of Remote Services capability-id: Microsoft Defender for Identity @@ -4459,7 +7475,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4478,7 +7494,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -4487,25 +7503,77 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows -- attack-object-id: T1557 - attack-object-name: Man-in-the-Middle +- attack-object-id: T1550.002 + attack-object-name: Pass the Hash capability-id: Microsoft Defender for Identity - comments: Understandably (to avoid enabling adversaries to circumvent the detection), - many of the detections provided by this control do not provide a detailed description - of the detection logic making it often times difficult to map to ATT&CK Techniques. + comments: 'This control''s "Suspected identity theft (pass-the-hash) (external ID + 2017)" alert specifically looks for pass-the-hash attacks but there is not enough + information to determine its effectiveness and therefore a conservative assessment + of a Partial score is assigned. + + This control''s "Suspected identity theft (pass-the-ticket) (external ID 2018)" + alert specifically looks for pass-the-ticket attacks but there is not enough information + to determine its effectiveness and therefore a conservative assessment of a Partial + score is assigned.' mapping-description: '' mapping-type: technique-scores - references: - - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + references: [] + related-score: T1550 score-category: Detect - score-value: Minimal - tags: - - Credentials - - DNS + score-value: Partial + tags: [] +- attack-object-id: T1550.003 + attack-object-name: Pass the Ticket + capability-id: Microsoft Defender for Identity + comments: 'This control''s "Suspected identity theft (pass-the-hash) (external ID + 2017)" alert specifically looks for pass-the-hash attacks but there is not enough + information to determine its effectiveness and therefore a conservative assessment + of a Partial score is assigned. 
+ + This control''s "Suspected identity theft (pass-the-ticket) (external ID 2018)" + alert specifically looks for pass-the-ticket attacks but there is not enough information + to determine its effectiveness and therefore a conservative assessment of a Partial + score is assigned.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1550 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1557 + attack-object-name: Man-in-the-Middle + capability-id: Microsoft Defender for Identity + comments: Understandably (to avoid enabling adversaries to circumvent the detection), + many of the detections provided by this control do not provide a detailed description + of the detection logic making it often times difficult to map to ATT&CK Techniques. + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.microsoft.com/en-us/defender-for-identity/what-is + related-score: '' + score-category: Detect + score-value: Minimal + tags: + - Credentials + - DNS - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1557.001 + attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay + capability-id: Microsoft Defender for Identity + comments: This control's "Suspected NTLM relay attack (Exchange account) (external + ID 2037)" alert can detect NTLM relay attack specific to the Exchange service. Because + this detection is limited to this variation of the sub-technique, its coverage + score is Minimal resulting in an overall Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1557 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Microsoft Defender for Identity 
@@ -4516,7 +7584,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -4525,6 +7593,44 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Microsoft Defender for Identity + comments: 'This control''s "Suspected Brute Force attack (Kerberos, NTLM) (external + ID 2023)" alert can detect these brute force sub-techniques. It incorporates + a machine learning feature that should reduce the number of false positives. + + Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert + can detect brute force attacks using LDAP simple binds. + + The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant + but the details are sparse.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Microsoft Defender for Identity + comments: 'This control''s "Suspected Brute Force attack (Kerberos, NTLM) (external + ID 2023)" alert can detect these brute force sub-techniques. It incorporates + a machine learning feature that should reduce the number of false positives. + + Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert + can detect brute force attacks using LDAP simple binds. + + The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant + but the details are sparse.' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets capability-id: Microsoft Defender for Identity 
@@ -4535,7 +7641,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -4544,6 +7650,55 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1558.003 + attack-object-name: Kerberoasting + capability-id: Microsoft Defender for Identity + comments: "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\"\ + \ alert is able to detect when an attacker use tools to enumerate service accounts\ + \ and their respective SPNs (Service principal names), request a Kerberos service\ + \ ticket for the services, capture the Ticket Granting Service (TGS) tickets from\ + \ memory and extract their hashes, and save them for later use in an offline brute\ + \ force attack. \nSimilarly its \"Suspected AS-REP Roasting attack (external\ + \ ID 2412)\" alert is able to detect AS-REP Roasting sub-technique.\nThe accuracy\ + \ of these alerts is unknown and therefore its score has been assessed as Partial." + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1558.004 + attack-object-name: AS-REP Roasting + capability-id: Microsoft Defender for Identity + comments: "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\"\ + \ alert is able to detect when an attacker use tools to enumerate service accounts\ + \ and their respective SPNs (Service principal names), request a Kerberos service\ + \ ticket for the services, capture the Ticket Granting Service (TGS) tickets from\ + \ memory and extract their hashes, and save them for later use in an offline brute\ + \ force attack. \nSimilarly its \"Suspected AS-REP Roasting attack (external\ + \ ID 2412)\" alert is able to detect AS-REP Roasting sub-technique.\nThe accuracy\ + \ of these alerts is unknown and therefore its score has been assessed as Partial." 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1558.001 + attack-object-name: Golden Ticket + capability-id: Microsoft Defender for Identity + comments: This control has numerous alerts that can detect Golden Ticket attacks + from multiple perspectives. The accuracy of these alerts is unknown resulting + in a partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services capability-id: Microsoft Defender for Identity @@ -4554,7 +7709,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4573,7 +7728,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4582,6 +7737,23 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1555.003 + attack-object-name: Credentials from Web Browsers + capability-id: Microsoft Defender for Identity + comments: This control's "Malicious request of Data Protection API master key (external + ID 2020)" alert can be used to detect when an attacker attempts to utilize the + Data Protection API (DPAPI) to decrypt sensitive data using the backup of the + master key stored on domain controllers. DPAPI is used by Windows to securely + protect passwords saved by browsers, encrypted files, and other sensitive data. This + alert is specific to using DPAPI to retrieve the master backup key and therefore + provides minimal coverage resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1555 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation capability-id: Microsoft Defender for Identity @@ -4592,7 +7764,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4611,7 +7783,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4620,6 +7792,22 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1059.001 + attack-object-name: PowerShell + capability-id: Microsoft Defender for Identity + comments: This control's "Remote code execution attempt (external ID 2019)" alert + can detect Remote code execution via Powershell. This may lead to false positives + as administrative workstations, IT team members, and service accounts can all + perform legitimate administrative tasks against domain controllers. Additionally, + this alert seems to be specific to detecting execution on domain controllers and + AD FS servers, limiting its coverage. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1021 attack-object-name: Remote Services capability-id: Microsoft Defender for Identity @@ -4630,7 +7818,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4639,6 +7827,27 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1021.002 + attack-object-name: SMB/Windows Admin Shares + capability-id: Microsoft Defender for Identity + comments: 'This control''s "Remote code execution attempt (external ID 2019)" alert + can detect Remote code execution via Psexec. This may lead to false positives + as administrative workstations, IT team members, and service accounts can all + perform legitimate administrative tasks against domain controllers. Additionally, + this alert seems to be specific to detecting execution on domain controllers and + AD FS servers, limiting its coverage. + + This control''s "Data exfiltration over SMB (external ID 2030)" alert may also + be able to detect exfiltration of sensitive data on domain controllers using SMB. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1569 attack-object-name: System Services capability-id: Microsoft Defender for Identity @@ -4649,7 +7858,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4658,6 +7867,22 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1569.002 + attack-object-name: Service Execution + capability-id: Microsoft Defender for Identity + comments: This control's "Remote code execution attempt (external ID 2019)" alert + can detect Remote code execution via Psexec. This may lead to false positives + as administrative workstations, IT team members, and service accounts can all + perform legitimate administrative tasks against domain controllers. Additionally, + this alert seems to be specific to detecting execution on domain controllers and + AD FS servers, limiting its coverage. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1569 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1207 attack-object-name: Rogue Domain Controller capability-id: Microsoft Defender for Identity @@ -4668,7 +7893,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -4687,7 +7912,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4696,6 +7921,35 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1003.006 + attack-object-name: DCSync + capability-id: Microsoft Defender for Identity + comments: This control's "Suspected DCSync attack (replication of directory services) + (external ID 2006)" alert can detect DCSync attacks. The false positive rate + should be low due to the identity of domain controllers on the network changing + infrequently and therefore replication requests received from non-domain controllers + should be a red flag. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1003 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1003.003 + attack-object-name: NTDS + capability-id: Microsoft Defender for Identity + comments: The documentation for this control's "Data exfiltration over SMB (external + ID 2030)" alert implies that it may be able to detect the transfer of sensitive + data such as the Ntds.dit on monitored domain controllers. This is specific to + domain controllers and therefore results in a reduced coverage score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1003 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process capability-id: Microsoft Defender for Identity @@ -4706,7 +7960,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4715,6 +7969,23 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1556.001 + attack-object-name: Domain Controller Authentication + capability-id: Microsoft Defender for Identity + comments: This control's "Suspected skeleton key attack (encryption downgrade) (external + ID 2010)" alert can detect skeleton attacks. This alert provides partial protection + as it detects on a specific type of malware, Skeleton malware, and its usage of + weaker encryption algorithms to hash the user's passwords on the domain controller. The + description of the alert implies it utilizes machine learning to look for anomalous + usage of weak encryption algorithms which should result in a reduced false positive + rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1556 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation capability-id: Microsoft Defender for Identity @@ -4725,7 +7996,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -4744,7 +8015,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4753,6 +8024,20 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1543.003 + attack-object-name: Windows Service + capability-id: Microsoft Defender for Identity + comments: This control's "Suspicious service creation (external ID 2026)" alert + is able to detect suspicious service creation on a domain controller or AD FS + server in your organization. As a result of this detecting being specific to + these hosts, the coverage score is Minimal resulting in Minimal detection. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1543 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol capability-id: Microsoft Defender for Identity @@ -4763,7 +8048,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4772,6 +8057,20 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: Microsoft Defender for Identity + comments: This control's "Suspicious communication over DNS (external ID 2031)" + alert can detect malicious communication over DNS used for data exfiltration, + command, and control, and/or evading corporate network restrictions. The accuracy + of this control is unknown and therefore its score has been assessed as Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol capability-id: Microsoft Defender for Identity 
@@ -4782,7 +8081,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/defender-for-identity/what-is - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4791,6 +8090,20 @@ attack-objects: - Identity - Microsoft 365 Defender - Windows +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: Microsoft Defender for Identity + comments: This control's "Suspicious communication over DNS (external ID 2031)" + alert can detect malicious communication over DNS used for data exfiltration, + command, and control, and/or evading corporate network restrictions. The accuracy + of this control is unknown and therefore its score has been assessed as Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery capability-id: Azure Defender for Key Vault @@ -4802,7 +8115,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4820,7 +8133,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -4836,7 +8149,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -4852,7 +8165,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -4868,7 +8181,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -4884,7 +8197,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -4899,13 +8212,27 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Security Center - Azure Security Center Recommendation - Azure Defender for Servers +- attack-object-id: T1204.002 + attack-object-name: Malicious File + capability-id: Adaptive Application Controls + comments: Once this control is activated, it generates alerts for any executable + that has been run and is not included in an allow list. There is a significant + potential for false positives from new non-malicious executables, and events are + calculated once every twelve hours, so its temporal score is Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1204 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1036 attack-object-name: Masquerading capability-id: Adaptive Application Controls 
@@ -4914,13 +8241,57 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Azure Security Center - Azure Security Center Recommendation - Azure Defender for Servers +- attack-object-id: T1036.005 + attack-object-name: Match Legitimate Name or Location + capability-id: Adaptive Application Controls + comments: Once this control is activated, it generates alerts for any executable + that is run and is not included in an allow list. Path-based masquerading may + subvert path-based rules within this control, resulting in false negatives, but + hash and publisher-based rules will still detect untrusted executables. Events + are calculated once every twelve hours, so its temporal score is Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1036 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1036.006 + attack-object-name: Space after Filename + capability-id: Adaptive Application Controls + comments: Once this control is activated, it generates alerts for any executable + that is run and is not included in an allow list. Malicious files of this type + would be unlikely to evade detection from any form of allow list. Events are calculated + once every twelve hours, so its temporal score is Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1036 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1036.001 + attack-object-name: Invalid Code Signature + capability-id: Adaptive Application Controls + comments: Once this control is activated, it generates alerts for any executable + that is run and is not included in an allow list. 
Because signatures generated + via this technique are not valid, these malicious executables would be detected + via any form of allow list, including publisher-based. Events are calculated once + every twelve hours, so its temporal score is Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1036 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls capability-id: Adaptive Application Controls @@ -4929,13 +8300,28 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Security Center - Azure Security Center Recommendation - Azure Defender for Servers +- attack-object-id: T1553.002 + attack-object-name: Code Signing + capability-id: Adaptive Application Controls + comments: Once this control is activated, it generates alerts for any executable + that is run and is not included in an allow list. While publisher-based allow + lists may fail to detect malicious executables with valid signatures, hash and + path-based rules will still detect untrusted executables. Events are calculated + once every twelve hours, so its temporal score is Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1553 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary capability-id: Adaptive Application Controls @@ -4944,7 +8330,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -4963,7 +8349,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: @@ -4973,6 +8359,45 @@ attack-objects: - Identity - Passwords - MFA +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Azure AD Multi-Factor Authentication + comments: MFA can significantly reduce the impact of a password compromise, requiring + the adversary to complete an additional authentication method before their access + is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure AD Multi-Factor Authentication + comments: MFA can significantly reduce the impact of a password compromise, requiring + the adversary to complete an additional authentication method before their access + is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Azure AD Multi-Factor Authentication + comments: MFA can significantly reduce the impact of a password compromise, requiring + the adversary to complete an additional authentication method before their access + is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Azure AD Multi-Factor Authentication 
@@ -4985,7 +8410,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: @@ -4995,6 +8420,21 @@ attack-objects: - Identity - Passwords - MFA +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure AD Multi-Factor Authentication + comments: 'MFA can provide protection against an adversary that obtains valid credentials + by requiring the adversary to complete an additional authentication process before + access is permitted. This is an incomplete protection measure though as the adversary + may also have obtained credentials enabling bypassing the additional authentication + method. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1557 attack-object-name: Man-in-the-Middle capability-id: Azure Private Link 
@@ -5006,12 +8446,38 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/azure/private-link/private-link-overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1557.002 + attack-object-name: ARP Cache Poisoning + capability-id: Azure Private Link + comments: This control reduces the likelihood of MiTM for traffic between remote + users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone + rather than over the Internet. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1557 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1557.001 + attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay + capability-id: Azure Private Link + comments: This control reduces the likelihood of MiTM for traffic between remote + users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone + rather than over the Internet. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1557 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation capability-id: Azure Private Link 
@@ -5023,12 +8489,25 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/azure/private-link/private-link-overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1565.002 + attack-object-name: Transmitted Data Manipulation + capability-id: Azure Private Link + comments: This control reduces the likelihood of data manipulation for traffic between + remote users, cloud, and 3rd parties by routing the traffic via the Microsoft + backbone rather than over the Internet. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service capability-id: Azure Private Link 
@@ -5040,12 +8519,56 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/azure/private-link/private-link-overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1499.004 + attack-object-name: Application or System Exploitation + capability-id: Azure Private Link + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1499.003 + attack-object-name: Application Exhaustion Flood + capability-id: Azure Private Link + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1499.002 + attack-object-name: Service Exhaustion Flood + capability-id: Azure Private Link + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: Azure Private Link + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1498 attack-object-name: Network Denial of Service capability-id: Azure Private Link 
@@ -5057,12 +8580,34 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/azure/private-link/private-link-overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1498.002 + attack-object-name: Reflection Amplification + capability-id: Azure Private Link + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1498.001 + attack-object-name: Direct Network Flood + capability-id: Azure Private Link + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing capability-id: Azure Private Link @@ -5074,7 +8619,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/azure/private-link/private-link-overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5089,11 +8634,22 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview - https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/ - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Credentials +- attack-object-id: T1552.004 + attack-object-name: Private Keys + capability-id: Azure Dedicated HSM + comments: Provides significant protection of private keys. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1588 attack-object-name: Obtain Capabilities capability-id: Azure Dedicated HSM 
@@ -5103,26 +8659,74 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview - https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/ - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Credentials -- attack-object-id: T1553 - attack-object-name: Subvert Trust Controls +- attack-object-id: T1588.004 + attack-object-name: Digital Certificates capability-id: Azure Dedicated HSM - comments: Note there is also a Managed HSM service. + comments: Certificate credentials can be vaulted in an HSM thereby reducing its + attack surface. mapping-description: '' mapping-type: technique-scores - references: - - https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview - - https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/ - related-score: true + references: [] + related-score: T1588 score-category: Protect score-value: Partial - tags: - - Credentials -- attack-object-id: T1195 + tags: [] +- attack-object-id: T1588.003 + attack-object-name: Code Signing Certificates + capability-id: Azure Dedicated HSM + comments: Certificate credentials can be vaulted in an HSM thereby reducing its + attack surface. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1588 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1553 + attack-object-name: Subvert Trust Controls + capability-id: Azure Dedicated HSM + comments: Note there is also a Managed HSM service. 
+ mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview + - https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/ + related-score: '' + score-category: Protect + score-value: Partial + tags: + - Credentials +- attack-object-id: T1553.004 + attack-object-name: Install Root Certificate + capability-id: Azure Dedicated HSM + comments: Certificate credentials can be vaulted in an HSM thereby reducing its + attack surface. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1553 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1553.002 + attack-object-name: Code Signing + capability-id: Azure Dedicated HSM + comments: Certificate credentials can be vaulted in an HSM thereby reducing its + attack surface. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1553 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1195 attack-object-name: Supply Chain Compromise capability-id: Azure Automation Update Management comments: 'This control generally applies to techniques that leverage vulnerabilities 
@@ -5131,12 +8735,38 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Linux - Windows +- attack-object-id: T1195.002 + attack-object-name: Compromise Software Supply Chain + capability-id: Azure Automation Update Management + comments: This control provides coverage of some aspects of software supply chain + compromise since it enables automated updates of software and rapid configuration + change management. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1195 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1195.001 + attack-object-name: Compromise Software Dependencies and Development Tools + capability-id: Azure Automation Update Management + comments: This control provides coverage of some aspects of software supply chain + compromise since it enables automated updates of software and rapid configuration + change management. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1195 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools capability-id: Azure Automation Update Management @@ -5146,7 +8776,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5161,7 +8791,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -5176,7 +8806,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5191,7 +8821,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5206,7 +8836,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5221,7 +8851,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5236,7 +8866,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -5251,12 +8881,26 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Linux - Windows +- attack-object-id: T1499.004 + attack-object-name: Application or System Exploitation + capability-id: Azure Automation Update Management + comments: This control provides significant protection against Denial of Service + (DOS) attacks that leverage system/application vulnerabilities as opposed to volumetric + attacks since it enables automated updates of software and rapid configuration + change management. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1554 attack-object-name: Compromise Client Software Binary capability-id: Azure Automation Update Management @@ -5266,7 +8910,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5281,7 +8925,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/automation/update-management/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -5295,12 +8939,30 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/dns/dns-alias#prevent-dangling-dns-records - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - DNS - Network +- attack-object-id: T1584.001 + attack-object-name: Domains + capability-id: Azure DNS Alias Records + comments: Alias records prevent dangling references by tightly coupling the life + cycle of a DNS record with an Azure resource. For example, consider a DNS record + that's qualified as an alias record to point to a public IP address or a Traffic + Manager profile. If you delete those underlying resources, the DNS alias record + becomes an empty record set. It no longer references the deleted resource. This + control is effective for protecting DNS records that resolve to Azure resources + but does not offer protection for records pointing to non-Azure resources, resulting + in a Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1584 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1087 attack-object-name: Account Discovery capability-id: Role Based Access Control 
@@ -5313,13 +8975,26 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Azure Security Center Recommendation - Identity +- attack-object-id: T1087.004 + attack-object-name: Cloud Account + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit the accounts that can be used for account + discovery. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Role Based Access Control @@ -5332,13 +9007,25 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Azure Security Center Recommendation - Identity +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit what an adversary can do with a valid account. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1136 attack-object-name: Create Account capability-id: Role Based Access Control 
@@ -5351,13 +9038,25 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Azure Security Center Recommendation - Identity +- attack-object-id: T1136.003 + attack-object-name: Cloud Account + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit the number of accounts that can create accounts. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation capability-id: Role Based Access Control 
@@ -5370,13 +9069,37 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Active Directory - Azure Security Center Recommendation - Identity +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit the number of accounts that can modify accounts. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1098.003 + attack-object-name: Add Office 365 Global Administrator Role + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit the number of accounts that can modify accounts. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1578 attack-object-name: Modify Cloud Compute Infrastructure capability-id: Role Based Access Control 
@@ -5389,13 +9112,65 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Active Directory - Azure Security Center Recommendation - Identity +- attack-object-id: T1578.001 + attack-object-name: Create Snapshot + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit the number of accounts that can perform + these privileged operations. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1578 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1578.002 + attack-object-name: Create Cloud Instance + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit the number of accounts that can perform + these privileged operations. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1578 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1578.003 + attack-object-name: Delete Cloud Instance + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit the number of accounts that can perform + these privileged operations. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1578 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1578.004 + attack-object-name: Revert Cloud Instance + capability-id: Role Based Access Control + comments: This control can be used to implement the least-privilege principle for + account management and thereby limit the number of accounts that can perform + these privileged operations. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1578 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1580 attack-object-name: Cloud Infrastructure Discovery capability-id: Role Based Access Control @@ -5408,7 +9183,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5427,7 +9202,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5446,7 +9221,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5465,7 +9240,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -5483,12 +9258,27 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference - https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections - https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Security Center - Database +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Alerts for Azure Cosmos DB + comments: This control triggers an alert when there is a change in the access pattern + to an Azure Cosmos account based on access from an unusual geographical location. + False positives are fairly likely and misuse from a typical location is not covered, + so score is Minimal. Relevant alert is "Access from an unusual location to a Cosmos + DB account" + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories capability-id: Alerts for Azure Cosmos DB @@ -5500,7 +9290,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference - https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections - https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -5525,7 +9315,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -5535,6 +9325,96 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1053.001 + attack-object-name: At (Linux) + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of scheduled tasks. This control may also detect changes to files + used by cron or systemd to create/modify scheduled tasks. The specificity of + registry keys and files used in creation or modification of these scheduled tasks + may reduce the false positive rate. This control at worst scans for changes on + an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1053.002 + attack-object-name: At (Windows) + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of scheduled tasks. This control may also detect changes to files + used by cron or systemd to create/modify scheduled tasks. The specificity of + registry keys and files used in creation or modification of these scheduled tasks + may reduce the false positive rate. This control at worst scans for changes on + an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1053.003 + attack-object-name: Cron + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of scheduled tasks. This control may also detect changes to files + used by cron or systemd to create/modify scheduled tasks. The specificity of + registry keys and files used in creation or modification of these scheduled tasks + may reduce the false positive rate. 
This control at worst scans for changes on + an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1053.005 + attack-object-name: Scheduled Task + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of scheduled tasks. This control may also detect changes to files + used by cron or systemd to create/modify scheduled tasks. The specificity of + registry keys and files used in creation or modification of these scheduled tasks + may reduce the false positive rate. This control at worst scans for changes on + an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1053.006 + attack-object-name: Systemd Timers + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of scheduled tasks. This control may also detect changes to files + used by cron or systemd to create/modify scheduled tasks. The specificity of + registry keys and files used in creation or modification of these scheduled tasks + may reduce the false positive rate. This control at worst scans for changes on + an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation capability-id: File Integrity Monitoring 
@@ -5554,7 +9434,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -5564,6 +9444,21 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1098.004 + attack-object-name: SSH Authorized Keys + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the SSH authorized keys file which + may indicate establishment of persistence. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1547 attack-object-name: Boot or Logon Autostart Execution capability-id: File Integrity Monitoring @@ -5583,7 +9478,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -5593,6 +9488,156 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1547.001 + attack-object-name: Registry Run Keys / Startup Folder + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.002 + attack-object-name: Authentication Package + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.003 + attack-object-name: Time Providers + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.004 + attack-object-name: Winlogon Helper DLL + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. 
+ + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.005 + attack-object-name: Security Support Provider + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.006 + attack-object-name: Kernel Modules and Extensions + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.008 + attack-object-name: LSASS Driver + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.009 + attack-object-name: Shortcut Modification + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. 
+ + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.010 + attack-object-name: Port Monitors + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1547.012 + attack-object-name: Print Processors + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + enable Boot or Logon Autostart Execution. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1037 attack-object-name: Boot or Logon Initialization Scripts capability-id: File Integrity Monitoring @@ -5612,7 +9657,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -5622,6 +9667,36 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1037.001 + attack-object-name: Logon Script (Windows) + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of logon scripts. This control at worst scans for changes on an + hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1037 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1037.003 + attack-object-name: Network Logon Script + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of logon scripts. This control at worst scans for changes on an + hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1037 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process capability-id: File Integrity Monitoring @@ -5641,7 +9716,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
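Review bot: The added sub-technique rows T1037.001 and T1037.003 have `references: []` and `tags: []`, while the parent row's visible context keeps tags such as `Azure Defender for Servers`, `Windows` and `Linux`. A coverage view or navigator layer that filters these rows by tag or platform would drop every sub-technique and understate what File Integrity Monitoring detects. The same shape recurs in the T1543, T1546, T1574, T1548, T1556, T1562 and T1553 hunks further down. If sub-techniques are meant to inherit from the parent, the fixture should show it, e.g. `references: [https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring]` on T1037.001. If the empty lists are intentional, a test asserting that would keep the behaviour from drifting.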
@@ -5651,6 +9726,42 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1543.002 + attack-object-name: Systemd Service + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of Windows services. This control may also detect changes to files + used by systemd to create/modify systemd services. The specificity of registry + keys and files used in creation or modification of these scheduled tasks may reduce + the false positive rate. This control at worst scans for changes on an hourly + basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1543 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1543.003 + attack-object-name: Windows Service + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry upon creation + or modification of Windows services. This control may also detect changes to files + used by systemd to create/modify systemd services. The specificity of registry + keys and files used in creation or modification of these scheduled tasks may reduce + the false positive rate. This control at worst scans for changes on an hourly + basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1543 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1546 attack-object-name: Event Triggered Execution capability-id: File Integrity Monitoring @@ -5670,7 +9781,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -5680,6 +9791,182 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1546.001 + attack-object-name: Change Default File Association + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.002 + attack-object-name: Screensaver + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.004 + attack-object-name: .bash_profile and .bashrc + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. 
+ + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.007 + attack-object-name: Netsh Helper DLL + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.008 + attack-object-name: Accessibility Features + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.009 + attack-object-name: AppCert DLLs + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. 
+ + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.011 + attack-object-name: Application Shimming + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.012 + attack-object-name: Image File Execution Options Injection + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.013 + attack-object-name: PowerShell Profile + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry or files that + indicate event triggered execution. The specificity of registry keys and files + used in creation or modification of these scheduled tasks may reduce the false + positive rate. This control at worst scans for changes on an hourly basis. 
+ + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1546.010 + attack-object-name: AppInit DLLs + capability-id: File Integrity Monitoring + comments: 'The detection score for this group of sub-techniques is assessed as Minimal + due to the accuracy component of the score. The registry keys which are modified + as a result of these sub-techniques can change frequently or are too numerous + to monitor and therefore can result in significant amount of false positives. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1546.015 + attack-object-name: Component Object Model Hijacking + capability-id: File Integrity Monitoring + comments: 'The detection score for this group of sub-techniques is assessed as Minimal + due to the accuracy component of the score. The registry keys which are modified + as a result of these sub-techniques can change frequently or are too numerous + to monitor and therefore can result in significant amount of false positives. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1546 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1574 attack-object-name: Hijack Execution Flow capability-id: File Integrity Monitoring @@ -5699,7 +9986,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -5709,6 +9996,22 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1574.006 + attack-object-name: LD_PRELOAD + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the ld.so.preload file which may indicate + an attempt to hijack execution flow. This sub-technique may also be utilized through + an environment variable which this control may not detect. This control at worst + scans for changes on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1137 attack-object-name: Office Application Startup capability-id: File Integrity Monitoring @@ -5728,7 +10031,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -5738,6 +10041,22 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1137.002 + attack-object-name: Office Test + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the Windows registry to establish + persistence with the Office Test sub-technique. The specificity of registry keys + involved may reduce the false positive rate. This control at worst scans for changes + on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1137 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1548 attack-object-name: Abuse Elevation Control Mechanism capability-id: File Integrity Monitoring 
@@ -5757,7 +10076,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -5767,6 +10086,34 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1548.002 + attack-object-name: Bypass User Account Control + capability-id: File Integrity Monitoring + comments: Some UAC bypass methods rely on modifying specific, user-accessible Registry + settings that can be monitored using this control. Overall, there are numerous + other bypass methods that do not result in Registry modification that this control + will not be effective in detection resulting in a low detection coverage factor. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1548 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1548.003 + attack-object-name: Sudo and Sudo Caching + capability-id: File Integrity Monitoring + comments: 'This control may detect changes to the sudoers file which may indicate + privilege escalation. This control at worst scans for changes on an hourly basis. + + ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1548 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1556 attack-object-name: Modify Authentication Process capability-id: File Integrity Monitoring @@ -5786,7 +10133,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -5796,6 +10143,34 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1556.002 + attack-object-name: Password Filter DLL + capability-id: File Integrity Monitoring + comments: The Registry key used to register a Password Filter DLL can be monitored + for changes using this control providing substantial coverage of this sub-technique. This + key should not change often and therefore false positives should be minimal. This + control at worst scans for changes on an hourly basis. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1556 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1556.003 + attack-object-name: Pluggable Authentication Modules + capability-id: File Integrity Monitoring + comments: The PAM configuration and module paths (/etc/pam.d/) can be monitored + for changes using this control. The files in this path should not change often + and therefore false positives should be minimal. This control at worst scans for + changes on an hourly basis. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1556 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping capability-id: File Integrity Monitoring @@ -5815,7 +10190,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -5825,6 +10200,20 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1003.001 + attack-object-name: LSASS Memory + capability-id: File Integrity Monitoring + comments: 'This control can be used to detect the Windows Security Support Provider + (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used + to register these DLLs. These keys should change infrequently and therefore false + positives should be minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1003 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1222 attack-object-name: File and Directory Permissions Modification capability-id: File Integrity Monitoring @@ -5844,7 +10233,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -5854,6 +10243,34 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1222.001 + attack-object-name: Windows File and Directory Permissions Modification + capability-id: File Integrity Monitoring + comments: This control can detect changes to the permissions of Windows and Linux + files and can be used to detect modifications to sensitive directories and files + that shouldn't change frequently. This control at worst scans for changes on + an hourly basis. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1222 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1222.002 + attack-object-name: Linux and Mac File and Directory Permissions Modification + capability-id: File Integrity Monitoring + comments: This control can detect changes to the permissions of Windows and Linux + files and can be used to detect modifications to sensitive directories and files + that shouldn't change frequently. This control at worst scans for changes on + an hourly basis. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1222 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1562 attack-object-name: Impair Defenses capability-id: File Integrity Monitoring @@ -5873,7 +10290,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -5883,6 +10300,50 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1562.001 + attack-object-name: Disable or Modify Tools + capability-id: File Integrity Monitoring + comments: This control can be used to monitor Registry keys related to security + software or event logging processes that can detect when an adversary attempts + to disable these tools via modifying or deleting Registry keys. A majority of + the cited procedure examples for this sub-technique are related to killing security + processes rather than modifying the Registry, and therefore the detection coverage + for this control is low. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1562.004 + attack-object-name: Disable or Modify System Firewall + capability-id: File Integrity Monitoring + comments: There are numerous ways depending on the operating system that these sub-techniques + can be accomplished. Monitoring the Windows Registry is one way depending on + the procedure chosen to implement the sub-technique and therefore the overall + coverage is low. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1562.006 + attack-object-name: Indicator Blocking + capability-id: File Integrity Monitoring + comments: There are numerous ways depending on the operating system that these sub-techniques + can be accomplished. Monitoring the Windows Registry is one way depending on + the procedure chosen to implement the sub-technique and therefore the overall + coverage is low. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1562 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1553 attack-object-name: Subvert Trust Controls capability-id: File Integrity Monitoring @@ -5902,7 +10363,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -5912,6 +10373,37 @@ attack-objects: - Azure Defender for Servers - Windows - Linux +- attack-object-id: T1553.003 + attack-object-name: SIP and Trust Provider Hijacking + capability-id: File Integrity Monitoring + comments: This control can detect modifications made to the Registry keys used to + register Windows Subject Interface Packages (SIPs). Because this sub-technique + can be accomplished without modifying the Registry via DLL Search Order Hijacking, + it has been scored as Partial. The related Registry keys should not change often + and therefore the false positive rate should be minimal. This control at worst + scans for changes on an hourly basis. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1553 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1553.004 + attack-object-name: Install Root Certificate + capability-id: File Integrity Monitoring + comments: This control can be used to detect when the system root certificates has + changed by detecting the corresponding Registry or File system modifications that + occur as a result. These root certificates should not change often and therefore + the false positive rate is minimal. This control at worst scans for changes on + an hourly basis. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1553 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1485 attack-object-name: Data Destruction capability-id: Azure Backup @@ -5922,7 +10414,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/backup/backup-overview - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: 
@@ -5937,7 +10429,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/backup/backup-overview - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -5952,11 +10444,35 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/backup/backup-overview - related-score: true + related-score: '' score-category: Respond score-value: Significant tags: - Azure Security Center Recommendation +- attack-object-id: T1491.002 + attack-object-name: External Defacement + capability-id: Azure Backup + comments: Data backups provide a significant response to external or internal data + defacement attacks by enabling the restoration of data from backup. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1491 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1491.001 + attack-object-name: Internal Defacement + capability-id: Azure Backup + comments: Data backups provide a significant response to external or internal data + defacement attacks by enabling the restoration of data from backup. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1491 + score-category: Respond + score-value: Significant + tags: [] - attack-object-id: T1561 attack-object-name: Disk Wipe capability-id: Azure Backup 
@@ -5967,11 +10483,35 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/backup/backup-overview - related-score: true + related-score: '' score-category: Respond score-value: Significant tags: - Azure Security Center Recommendation +- attack-object-id: T1561.001 + attack-object-name: Disk Content Wipe + capability-id: Azure Backup + comments: Data backups provide a significant response to disk content wipe attacks + by enabling the restoration of data from backup. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1561 + score-category: Respond + score-value: Significant + tags: [] +- attack-object-id: T1561.002 + attack-object-name: Disk Structure Wipe + capability-id: Azure Backup + comments: Allows for recovery of disk content, though Disk structure wipes require + additional procedures for recovery. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1561 + score-category: Respond + score-value: Partial + tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials capability-id: Managed identities for Azure resources 
@@ -5980,13 +10520,27 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Azure Security Center Recommendation - Identity +- attack-object-id: T1552.001 + attack-object-name: Credentials In Files + capability-id: Managed identities for Azure resources + comments: This control provides an alternative to hard-coding credentials for accessing + Azure services in application code. This control only protects credentials for + accessing Azure services and not other credential types, resulting in a Partial + coverage score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: Azure Policy @@ -5998,7 +10552,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6014,7 +10568,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -6030,11 +10584,55 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation +- attack-object-id: T1590.002 + attack-object-name: DNS + capability-id: Azure Policy + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.004 + attack-object-name: Network Topology + capability-id: Azure Policy + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.005 + attack-object-name: IP Addresses + capability-id: Azure Policy + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.006 + attack-object-name: Network Security Appliances + capability-id: Azure Policy + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Azure Policy 
@@ -6046,11 +10644,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center Recommendation +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure Policy + comments: This control may provide recommendations to audit and restrict privileges + on Azure cloud accounts. This control may provide information to reduce surface + area for privileged access to Azure. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation capability-id: Azure Policy @@ -6062,11 +10673,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center Recommendation +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: Azure Policy + comments: This control may recommend removing deprecated accounts, reducing privileges, + and enabling multi-factor authentication. This can reduce the amount of accounts + available to be exploited and what could be done with those accounts. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image capability-id: Azure Policy 
@@ -6078,7 +10702,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -6094,7 +10718,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6110,11 +10734,25 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center Recommendation +- attack-object-id: T1505.001 + attack-object-name: SQL Stored Procedures + capability-id: Azure Policy + comments: 'This control may provide recommendations to enable other Azure controls + that provide information on potentially exploitable SQL stored procedures. Recommendations + to reduce unnecessary privileges from accounts and stored procedures can mitigate + exploitable of this technique. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1505 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation capability-id: Azure Policy @@ -6126,7 +10764,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -6142,7 +10780,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -6158,7 +10796,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -6174,7 +10812,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -6190,11 +10828,53 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure Policy + comments: This control may provide recommendations to implement multi-factor authentication, + implement password security policies, and replacing password authentication with + more secure authentication methods. This control can affect Azure, Azure cloud + application, and endpoint credentials. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Azure Policy + comments: This control may provide recommendations to implement multi-factor authentication, + implement password security policies, and replacing password authentication with + more secure authentication methods. This control can affect Azure, Azure cloud + application, and endpoint credentials. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Azure Policy + comments: This control may provide recommendations to implement multi-factor authentication, + implement password security policies, and replacing password authentication with + more secure authentication methods. This control can affect Azure, Azure cloud + application, and endpoint credentials. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores capability-id: Azure Policy @@ -6206,7 +10886,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6222,7 +10902,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6238,7 +10918,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6254,7 +10934,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6270,7 +10950,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -6286,7 +10966,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -6302,11 +10982,35 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center Recommendation +- attack-object-id: T1021.001 + attack-object-name: Remote Desktop Protocol + capability-id: Azure Policy + comments: This control may provide recommendations to restrict public access to + Remote Desktop Protocol. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: Azure Policy + comments: 'This control may provide recommendations to restrict public SSH access + and enable usage of SSH keys. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object capability-id: Azure Policy @@ -6318,7 +11022,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -6334,11 +11038,23 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center Recommendation +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: Azure Policy + comments: This control may provide recommendations to enable Azure Defender for + DNS which can monitor DNS queries between Azure applications for malicious traffic. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1537 attack-object-name: Transfer Data to Cloud Account capability-id: Azure Policy @@ -6350,7 +11066,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -6366,7 +11082,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/governance/policy/overview - https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -6384,13 +11100,52 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer - related-score: true + related-score: '' score-category: Detect score-value: Significant tags: - Analytics - Azure Security Center - Network +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure Alerts for Network Layer + comments: This control can identify multiple connection attempts by external IPs, + which may be indicative of Brute Force attempts, though not T1110.002, which is + performed offline. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Azure Alerts for Network Layer + comments: This control can identify multiple connection attempts by external IPs, + which may be indicative of Brute Force attempts, though not T1110.002, which is + performed offline. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Azure Alerts for Network Layer + comments: This control can identify multiple connection attempts by external IPs, + which may be indicative of Brute Force attempts, though not T1110.002, which is + performed offline. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol capability-id: Azure Alerts for Network Layer 
@@ -6404,13 +11159,61 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Azure Security Center - Network +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: Azure Alerts for Network Layer + comments: 'This control can identify connections to known malicious sites. Scored + minimal since the malicious sites must be on a block list. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1071.003 + attack-object-name: Mail Protocols + capability-id: Azure Alerts for Network Layer + comments: 'This control can identify connections to known malicious sites. Scored + minimal since the malicious sites must be on a block list. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1071.002 + attack-object-name: File Transfer Protocols + capability-id: Azure Alerts for Network Layer + comments: 'This control can identify connections to known malicious sites. Scored + minimal since the malicious sites must be on a block list. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1071.001 + attack-object-name: Web Protocols + capability-id: Azure Alerts for Network Layer + comments: 'This control can identify connections to known malicious sites. Scored + minimal since the malicious sites must be on a block list. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services capability-id: Azure Alerts for Network Layer @@ -6424,7 +11227,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6439,13 +11242,30 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Identity - MFA +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure AD Privileged Identity Management + comments: This control's Access Review feature supports scheduling a routine review + of cloud account permission levels to look for those that could allow an adversary + to gain wide access. This information can then be used to validate if such access + is required and identify which (privileged) accounts should be monitored closely. This + reduces the availability of valid accounts to adversaries. This review would + normally be scheduled periodically, at most weekly, and therefore its temporal + score is Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1098 attack-object-name: Account Manipulation capability-id: Azure AD Privileged Identity Management 
@@ -6454,7 +11274,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -6469,13 +11289,54 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Active Directory - Identity - MFA +- attack-object-id: T1098.003 + attack-object-name: Add Office 365 Global Administrator Role + capability-id: Azure AD Privileged Identity Management + comments: This control can require MFA to be triggered when the Global Administrator + role is assigned to an account or when the role is activated by a user. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1098.003 + attack-object-name: Add Office 365 Global Administrator Role + capability-id: Azure AD Privileged Identity Management + comments: This control can notify administrators whenever the Global Administrator + role is assigned to an account and can therefore be used to detect the execution + of this sub-technique. Assigning the Global Administrator role to an account + is an infrequent operation and as a result, the false positive rate should be + minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Significant + tags: [] +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: Azure AD Privileged Identity Management + comments: Privileged roles such as the Application Administrator role can be configured + to require MFA on activation to provide additional protection against the execution + of this technique. In addition these privileged roles can be assigned as eligible + rather than permanently active roles to further reduce the attack surface. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1136 attack-object-name: Create Account capability-id: Azure AD Privileged Identity Management @@ -6484,13 +11345,27 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Identity - MFA +- attack-object-id: T1136.003 + attack-object-name: Cloud Account + capability-id: Azure AD Privileged Identity Management + comments: Privileged roles such as the User Administrator role can be configured + to require MFA on activation to provide additional protection against the execution + of this technique. In addition, these privileged roles can be assigned as eligible + rather than permanently active roles to further reduce the attack surface. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1136 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing capability-id: Azure VPN Gateway @@ -6499,7 +11374,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -6512,11 +11387,33 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Network +- attack-object-id: T1557.002 + attack-object-name: ARP Cache Poisoning + capability-id: Azure VPN Gateway + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1557 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1557.001 + attack-object-name: LLMNR/NBT-NS Poisoning and SMB Relay + capability-id: Azure VPN Gateway + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1557 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1565 attack-object-name: Data Manipulation capability-id: Azure VPN Gateway @@ -6525,11 +11422,22 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Network +- attack-object-id: T1565.002 + attack-object-name: Transmitted Data Manipulation + capability-id: Azure VPN Gateway + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Advanced Threat Protection for Azure SQL Database @@ -6539,7 +11447,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
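Review bot: The rows added for T1557.002 and T1557.001 in the `@@ -6512,11 +11387,33 @@` hunk, and for T1565.002 in the `@@ -6525,11 +11422,22 @@` hunk, carry `score-value: Significant` with `comments: ''`, `references: []` and `tags: []`, so the score has no rationale or source a reader can audit. T1565.002 is scored Significant while its parent T1565 row is Partial; that may be deliberate, but with an empty comment there is no way to tell. The same empty rationale appears on the added T1498.x and T1499.x rows under Azure DDOS Protection Standard in later hunks. If the source mapping has no sub-technique comment, the generator could at least carry the parent's reference through, e.g. `references: [https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways]`. The empty `tags` also means a filter on `Network` would drop these rows.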
@@ -6548,6 +11456,20 @@ attack-objects: - Azure Security Center - Azure Security Center Recommendation - Database +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Advanced Threat Protection for Azure SQL Database + comments: 'This control may alert on logon events that are suspicious. This includes + logins from unusual locations, logins from suspicious IP addresses, and users + that do not commonly access the resource. These alerts may limit the ability of + an attacker to utilize a valid cloud account to access and manipulate Azure databases. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1213 attack-object-name: Data from Information Repositories capability-id: Advanced Threat Protection for Azure SQL Database @@ -6557,7 +11479,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -6575,7 +11497,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -6584,6 +11506,48 @@ attack-objects: - Azure Security Center - Azure Security Center Recommendation - Database +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Advanced Threat Protection for Azure SQL Database + comments: This control may alert on repeated sign in attempts to the resource and + successful logins from a suspicious location, IP address, or a user that does + not commonly log in to the resource. Because this control is specific to Azure + database offerings, the detection coverage is Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Advanced Threat Protection for Azure SQL Database + comments: This control may alert on repeated sign in attempts to the resource and + successful logins from a suspicious location, IP address, or a user that does + not commonly log in to the resource. Because this control is specific to Azure + database offerings, the detection coverage is Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Advanced Threat Protection for Azure SQL Database + comments: This control may alert on repeated sign in attempts to the resource and + successful logins from a suspicious location, IP address, or a user that does + not commonly log in to the resource. Because this control is specific to Azure + database offerings, the detection coverage is Minimal. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: Advanced Threat Protection for Azure SQL Database @@ -6593,7 +11557,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -6610,12 +11574,34 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1498.002 + attack-object-name: Reflection Amplification + capability-id: Azure DDOS Protection Standard + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1498.001 + attack-object-name: Direct Network Flood + capability-id: Azure DDOS Protection Standard + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1498 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service capability-id: Azure DDOS Protection Standard 
@@ -6624,12 +11610,45 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1499.003 + attack-object-name: Application Exhaustion Flood + capability-id: Azure DDOS Protection Standard + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1499.002 + attack-object-name: Service Exhaustion Flood + capability-id: Azure DDOS Protection Standard + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: Azure DDOS Protection Standard + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1584 attack-object-name: Compromise Infrastructure capability-id: Azure Defender for App Service @@ -6644,7 +11663,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -6653,6 +11672,20 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1584.001 + attack-object-name: Domains + capability-id: Azure Defender for App Service + comments: Subdomain hijacking is a focus of this control, and its Dangling DNS detection + alert feature is activated when an App Service website is decommissioned and its + corresponding DNS entry is not deleted, allowing users to remove those entries + before they can be leveraged by an adversary. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1584 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1496 attack-object-name: Resource Hijacking capability-id: Azure Defender for App Service @@ -6667,7 +11700,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6690,7 +11723,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -6699,6 +11732,22 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1204.001 + attack-object-name: Malicious Link + capability-id: Azure Defender for App Service + comments: This control monitors for references to suspicious domain names and file + downloads from known malware sources, and monitors processes for downloads from + raw-data websites like Pastebin, all of which are relevant for detecting users' + interactions with malicious download links, but malicious links which exploit + browser vulnerabilities for execution are unlikely to be detected, and temporal + factor is unknown, resulting in a score of Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1204 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1140 attack-object-name: Deobfuscate/Decode Files or Information capability-id: Azure Defender for App Service @@ -6713,7 +11762,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6736,7 +11785,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -6745,6 +11794,20 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1566.002 + attack-object-name: Spearphishing Link + capability-id: Azure Defender for App Service + comments: This control monitors for known phishing links on the Azure App Services + website and generates alerts if they are detected, potentially preventing their + access by users. This is a very specific avenue, only covers known links, and + temporal factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1566 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1059 attack-object-name: Command and Scripting Interpreter capability-id: Azure Defender for App Service @@ -6759,7 +11822,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -6768,6 +11831,30 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1059.004 + attack-object-name: Unix Shell + capability-id: Azure Defender for App Service + comments: This control monitors host data for potential reverse shells used for + command and control. Temporal factor is unknown. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1059.001 + attack-object-name: PowerShell + capability-id: Azure Defender for App Service + comments: This control monitors for execution of known malicious PowerShell PowerSploit + cmdlets. Temporal factor is uknown. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1059 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer capability-id: Azure Defender for App Service @@ -6782,7 +11869,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6805,7 +11892,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -6814,6 +11901,19 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: Azure Defender for App Service + comments: This control monitors for web fingerprinting tools including nmap and + Blind Elephant, as well as scanners looking for vulnerability in applications + like Drupal, Joomla, and WordPress. Temporal factor is unknown. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1594 attack-object-name: Search Victim-Owned Websites capability-id: Azure Defender for App Service @@ -6828,7 +11928,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6851,7 +11951,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -6860,6 +11960,160 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1055.001 + attack-object-name: Dynamic-link Library Injection + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.002 + attack-object-name: Portable Executable Injection + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.003 + attack-object-name: Thread Execution Hijacking + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.004 + attack-object-name: Asynchronous Procedure Call + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.005 + attack-object-name: Thread Local Storage + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.011 + attack-object-name: Extra Window Memory Injection + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.012 + attack-object-name: Process Hollowing + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.013 + attack-object-name: "Process Doppelg\xE4nging" + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.008 + attack-object-name: Ptrace System Calls + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.009 + attack-object-name: Proc Memory + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1055.014 + attack-object-name: VDSO Hijacking + capability-id: Azure Defender for App Service + comments: Injection attacks are specifically cited as a detection focus for Fileless + Attack Detection, which is part of this control, with even more specific references + to Process Hollowing, executable image injection, and threads started in a dynamically + allocated code segment. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1055 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1203 attack-object-name: Exploitation for Client Execution capability-id: Azure Defender for App Service @@ -6874,7 +12128,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -6897,7 +12151,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6920,7 +12174,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6943,7 +12197,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6966,7 +12220,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -6989,7 +12243,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -7012,7 +12266,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -7035,7 +12289,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: @@ -7044,6 +12298,30 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1559.001 + attack-object-name: Component Object Model + capability-id: Azure Defender for App Service + comments: This control's Fileless Attack Detection identifies suspicious command + execution within process memory. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1559 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1559.002 + attack-object-name: Dynamic Data Exchange + capability-id: Azure Defender for App Service + comments: This control's Fileless Attack Detection identifies suspicious command + execution within process memory. Detection is periodic at an unknown rate. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1559 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1036 attack-object-name: Masquerading capability-id: Azure Defender for App Service 
@@ -7058,7 +12336,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7067,6 +12345,19 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1036.005 + attack-object-name: Match Legitimate Name or Location + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect processes with suspicious names, + including those named in a way that is suggestive of attacker tools that try to + hide in plain sight. False positives are probable, and temporal factor is unknown. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1036 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1134 attack-object-name: Access Token Manipulation capability-id: Azure Defender for App Service @@ -7081,7 +12372,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7104,7 +12395,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7113,6 +12404,20 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1087.001 + attack-object-name: Local Account + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Get-ProcessTokenGroup module on Windows, but does not address other procedures + or platforms, and temporal factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1087 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1123 attack-object-name: Audio Capture capability-id: Azure Defender for App Service @@ -7127,7 +12432,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7150,7 +12455,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7159,6 +12464,34 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1547.005 + attack-object-name: Security Support Provider + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Install-SSP module on Windows, but does not address other procedures or platforms, + and temporal factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1547.001 + attack-object-name: Registry Run Keys / Startup Folder + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + New-UserPersistenceOption on Windows, but does not address other procedures or + platforms, and temporal factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1547 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1543 attack-object-name: Create or Modify System Process capability-id: Azure Defender for App Service @@ -7173,7 +12506,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7182,6 +12515,20 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1543.003 + attack-object-name: Windows Service + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Privesc-PowerUp modules on Windows, but does not address other procedures, + and temporal factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1543 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1555 attack-object-name: Credentials from Password Stores capability-id: Azure Defender for App Service @@ -7196,7 +12543,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7219,7 +12566,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7242,7 +12589,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7265,7 +12612,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7274,6 +12621,62 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1574.001 + attack-object-name: DLL Search Order Hijacking + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques + via the Privesc-PowerUp modules, but does not address other procedures, and temporal + factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1574.007 + attack-object-name: Path Interception by PATH Environment Variable + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques + via the Privesc-PowerUp modules, but does not address other procedures, and temporal + factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1574.008 + attack-object-name: Path Interception by Search Order Hijacking + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques + via the Privesc-PowerUp modules, but does not address other procedures, and temporal + factor is unknown, resulting in a Minimal score. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1574.009 + attack-object-name: Path Interception by Unquoted Path + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques + via the Privesc-PowerUp modules, but does not address other procedures, and temporal + factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1574 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1056 attack-object-name: Input Capture capability-id: Azure Defender for App Service @@ -7288,7 +12691,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7297,6 +12700,21 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1056.001 + attack-object-name: Keylogging + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Get-Keystrokes Exfiltration module on Windows, but does not address other + procedures or platforms, and temporal factor is unknown, resulting in a Minimal + score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1056 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1027 attack-object-name: Obfuscated Files or Information capability-id: Azure Defender for App Service @@ -7311,7 +12729,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7320,6 +12738,21 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1027.005 + attack-object-name: Indicator Removal from Tools + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Find-AVSignature AntivirusBypass module on Windows, but does not address other + procedures or platforms, and temporal factor is unknown, resulting in a Minimal + score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1027 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1003 attack-object-name: OS Credential Dumping capability-id: Azure Defender for App Service @@ -7334,7 +12767,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7343,6 +12776,20 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1003.001 + attack-object-name: LSASS Memory + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Exfiltration modules, but does not address other procedures, and temporal + factor is unknown, so score is Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1003 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1057 attack-object-name: Process Discovery capability-id: Azure Defender for App Service 
@@ -7357,7 +12804,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7380,7 +12827,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7403,7 +12850,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7412,6 +12859,20 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1053.005 + attack-object-name: Scheduled Task + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the New-UserPersistenceOption Persistence module on Windows, but does not address + other procedures, and temporal factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1053 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1113 attack-object-name: Screen Capture capability-id: Azure Defender for App Service 
@@ -7426,7 +12887,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7449,7 +12910,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7458,6 +12919,20 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1558.003 + attack-object-name: Kerberoasting + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Invoke-Kerberoast module, but does not address other procedures, and temporal + factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials capability-id: Azure Defender for App Service @@ -7472,7 +12947,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7481,6 +12956,35 @@ attack-objects: - Azure Security Center Recommendation - Linux - Windows +- attack-object-id: T1552.002 + attack-object-name: Credentials in Registry + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, + Get-CachedGPPPassword, and RegistryAutoLogon modules, but does not address other + procedures, and temporal factor is unknown, resulting in a Minimal. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1552.006 + attack-object-name: Group Policy Preferences + capability-id: Azure Defender for App Service + comments: This control analyzes host data to detect execution of known malicious + PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via + the Exfiltration modules, but does not address other procedures, and temporal + factor is unknown, resulting in a Minimal score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1552 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1047 attack-object-name: Windows Management Instrumentation capability-id: Azure Defender for App Service @@ -7495,7 +12999,7 @@ attack-objects: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction - https://azure.microsoft.com/en-us/services/app-service/ - https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -7514,13 +13018,65 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Azure Active Directory - Identity - MFA +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Conditional Access + comments: Conditional Access can be used to enforce MFA for users which can significantly + reduce the impact of a password compromise, requiring an adversary to complete + an additional authentication method before their access is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.002 + attack-object-name: Password Cracking + capability-id: Conditional Access + comments: Conditional Access can be used to enforce MFA for users which can significantly + reduce the impact of a password compromise, requiring an adversary to complete + an additional authentication method before their access is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Conditional Access + comments: Conditional Access can be used to enforce MFA for users which can significantly + reduce the impact of a password compromise, requiring an adversary to complete + an additional authentication method before their access is permitted. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Conditional Access + comments: Conditional Access can be used to enforce MFA for users which can significantly + reduce the impact of a password compromise, requiring an adversary to complete + an additional authentication method before their access is permitted. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Conditional Access @@ -7531,13 +13087,29 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Identity - MFA +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Conditional Access + comments: This control can protect against the abuse of valid cloud accounts by + requiring MFA or blocking access altogether based on signals such as the user's + IP location information, device compliance state, risky sign-in/user state (through + integration with Azure AD Identity Protection). Additionally, session controls + that can limit what a valid user can do within an app can also be triggered based + on the aforementioned triggers. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1074 attack-object-name: Data Staged capability-id: Conditional Access 
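Review bot: The added Conditional Access sub-technique rows (T1110.001 to T1110.004) are written with `references: []` and `tags: []`. The parent row whose tail opens this hunk keeps its reference URL and the `Azure Active Directory`, `Identity` and `MFA` tags. Anything that filters or groups mappings by tag will therefore miss the sub-techniques, and those rows lose their source citation. If the expansion is meant to inherit from the parent, both lists should be copied onto each sub-technique row; if the empty lists are intended, a comment in the generator saying so would help. The other added sub-technique rows on this page have the same shape.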
@@ -7548,13 +13120,49 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Identity - MFA +- attack-object-id: T1074.002 + attack-object-name: Remote Data Staging + capability-id: Conditional Access + comments: Conditional Access (CA), when granting (risky) users access to Office + applications like SharePoint and OneDrive, can restrict what they can do in these + applications using its app-enforced restrictions. For example, it can enforce + that users on unmanaged devices will have browser-only access to SharePoint/OneDrive + with no ability to download, print, or sync files. This can impede an adversary's + ability to collect and stage files. This offers minimal coverage as it requires + the target application to support such a feature that can be triggered by this + control and to date only a few (Office) applications support this. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1074 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1074.001 + attack-object-name: Local Data Staging + capability-id: Conditional Access + comments: Conditional Access (CA), when granting (risky) users access to Office + applications like SharePoint and OneDrive, can restrict what they can do in these + applications using its app-enforced restrictions. For example, it can enforce + that users on unmanaged devices will have browser-only access to SharePoint/OneDrive + with no ability to download, print, or sync files. This can impede an adversary's + ability to collect and stage files. This offers minimal coverage as it requires + the target application to support such a feature that can be triggered by this + control and to date only a few (Office) applications support this. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1074 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1530 attack-object-name: Data from Cloud Storage Object capability-id: Conditional Access @@ -7565,7 +13173,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -7582,13 +13190,33 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Active Directory - Identity - MFA +- attack-object-id: T1213.002 + attack-object-name: Sharepoint + capability-id: Conditional Access + comments: Conditional Access (CA), when granting (risky) users access to Office + applications like SharePoint can restrict what they can do in these applications + using its app-enforced restrictions. For example, it can enforce that users + on unmanaged devices will have browser-only access to SharePoint with no ability + to download, print, or sync files. Furthermore, with its integration with Microsoft + Cloud App Security, it can even restrict cut, copy and paste operations. This + can impede an adversary's ability to collect valuable information and/or files + from the application. This protection is partial as it doesn't prohibit an adversary + from potentially viewing sensitive information and manually collecting it, for + example simply writing down information by hand. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1213 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Cloud App Security Policies 
@@ -7601,7 +13229,52 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Cloud App Security Policies + comments: "This control can identify anomalous behavior such as geographically impossible\ + \ logins and out-of-character activity. \nRelevant alerts include \"Activity from\ + \ anonymous IP address\" , \"Activity from infrequent country\", \"Activity from\ + \ suspicious IP address\", \"Impossible Travel\", and \"Activity performed by\ + \ terminated user\"." + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.002 + attack-object-name: Domain Accounts + capability-id: Cloud App Security Policies + comments: "This control can identify anomalous behavior such as geographically impossible\ + \ logins and out-of-character activity. \nRelevant alerts include \"Activity from\ + \ anonymous IP address\" , \"Activity from infrequent country\", \"Activity from\ + \ suspicious IP address\", \"Impossible Travel\", and \"Activity performed by\ + \ terminated user\"." + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.001 + attack-object-name: Default Accounts + capability-id: Cloud App Security Policies + comments: "This control can identify anomalous behavior such as geographically impossible\ + \ logins and out-of-character activity. 
\nRelevant alerts include \"Activity from\ + \ anonymous IP address\" , \"Activity from infrequent country\", \"Activity from\ + \ suspicious IP address\", \"Impossible Travel\", and \"Activity performed by\ + \ terminated user\"." + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 score-category: Detect score-value: Partial tags: [] @@ -7617,7 +13290,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: [] 
@@ -7633,7 +13306,55 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1567.002 + attack-object-name: Exfiltration to Cloud Storage + capability-id: Cloud App Security Policies + comments: This control can identify large volume potential exfiltration activity. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1567 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1567.002 + attack-object-name: Exfiltration to Cloud Storage + capability-id: Cloud App Security Policies + comments: This control can identify large volume potential exfiltration activity, + and log user activity potentially related to exfiltration via web services. A + relevant alert is "Unusual file download (by user)". + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1567 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1567.001 + attack-object-name: Exfiltration to Code Repository + capability-id: Cloud App Security Policies + comments: This control can identify large volume potential exfiltration activity. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1567 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1567.001 + attack-object-name: Exfiltration to Code Repository + capability-id: Cloud App Security Policies + comments: This control can identify large volume potential exfiltration activity, + and log user activity potentially related to exfiltration via web services. A + relevant alert is "Unusual file download (by user)". 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1567 score-category: Detect score-value: Partial tags: [] @@ -7649,7 +13370,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -7665,7 +13386,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -7681,7 +13402,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: [] @@ -7697,7 +13418,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: [] 
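Review bot: The added T1567.002 and T1567.001 rows with `score-category: Protect` carry a comment that describes only identification ("This control can identify large volume potential exfiltration activity"), which is a detection capability. As written, the data credits Cloud App Security Policies with Partial protection against exfiltration without saying what is blocked, so a coverage view built from it would overstate prevention. Either the Protect comment should name the preventive behaviour, or these rows should exist only under Detect. The T1213.002 and T1213.001 Protect rows in the `-7793,10` hunk show the same mismatch ("may detect anomalous user behavior"). If the file is generated, the correction belongs in the source mapping.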
@@ -7713,7 +13434,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -7729,7 +13450,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -7745,7 +13466,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -7761,7 +13482,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -7777,7 +13498,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: [] 
@@ -7793,10 +13514,58 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: [] +- attack-object-id: T1213.002 + attack-object-name: Sharepoint + capability-id: Cloud App Security Policies + comments: This control may detect anomalous user behavior wrt information repositories + such as Sharepoint or Confluence. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1213 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1213.002 + attack-object-name: Sharepoint + capability-id: Cloud App Security Policies + comments: This control may detect anomalous user behavior wrt information repositories + such as Sharepoint or Confluence. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1213 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1213.001 + attack-object-name: Confluence + capability-id: Cloud App Security Policies + comments: This control may detect anomalous user behavior wrt information repositories + such as Sharepoint or Confluence. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1213 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1213.001 + attack-object-name: Confluence + capability-id: Cloud App Security Policies + comments: This control may detect anomalous user behavior wrt information repositories + such as Sharepoint or Confluence. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1213 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1119 attack-object-name: Automated Collection capability-id: Cloud App Security Policies @@ -7809,7 +13578,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -7825,7 +13594,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -7841,7 +13610,19 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1565.001 + attack-object-name: Stored Data Manipulation + capability-id: Cloud App Security Policies + comments: This control can detect and encrypt sensitive information at rest on supported + platforms. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1565 score-category: Protect score-value: Partial tags: [] 
@@ -7857,7 +13638,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: [] @@ -7873,7 +13654,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -7889,7 +13670,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: [] @@ -7905,7 +13686,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -7921,7 +13702,29 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1484.002 + attack-object-name: Domain Trust Modification + capability-id: Cloud App Security Policies + comments: This control can detect admin activity from risky IP addresses. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1484 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1484.001 + attack-object-name: Group Policy Modification + capability-id: Cloud App Security Policies + comments: This control can detect admin activity from risky IP addresses. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1484 score-category: Detect score-value: Minimal tags: [] 
@@ -7937,7 +13740,46 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1098.003 + attack-object-name: Add Office 365 Global Administrator Role + capability-id: Cloud App Security Policies + comments: This control can detect anomalous admin activity that may be indicative + of account manipulation. Relevant alerts include "Unusual administrative activity + (by user)" and "Unusual addition of credentials to an OAuth app". + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1098.001 + attack-object-name: Additional Cloud Credentials + capability-id: Cloud App Security Policies + comments: This control can detect anomalous admin activity that may be indicative + of account manipulation. Relevant alerts include "Unusual administrative activity + (by user)" and "Unusual addition of credentials to an OAuth app". + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1098.002 + attack-object-name: Exchange Email Delegate Permissions + capability-id: Cloud App Security Policies + comments: This control can detect anomalous admin activity that may be indicative + of account manipulation. Relevant alerts include "Unusual administrative activity + (by user)" and "Unusual addition of credentials to an OAuth app". + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1098 score-category: Detect score-value: Minimal tags: [] 
@@ -7953,7 +13795,51 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1578.004 + attack-object-name: Revert Cloud Instance + capability-id: Cloud App Security Policies + comments: This control can identify anomalous admin activity. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1578 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1578.003 + attack-object-name: Delete Cloud Instance + capability-id: Cloud App Security Policies + comments: This control can identify anomalous admin activity. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1578 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1578.001 + attack-object-name: Create Snapshot + capability-id: Cloud App Security Policies + comments: This control can identify anomalous admin activity. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1578 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1578.002 + attack-object-name: Create Cloud Instance + capability-id: Cloud App Security Policies + comments: This control can identify anomalous admin activity. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1578 score-category: Detect score-value: Minimal tags: [] 
@@ -7969,7 +13855,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: [] @@ -7985,7 +13871,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -8001,7 +13887,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] @@ -8017,7 +13903,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: [] 
@@ -8033,10 +13919,23 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: [] +- attack-object-id: T1071.003 + attack-object-name: Mail Protocols + capability-id: Cloud App Security Policies + comments: This control can identify some evidence of potential C2 via a specific + application layer protocol (mail). Relevant alerts include "Suspicious inbox forwarding" + and "Suspicious inbox manipulation rule". + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Cloud App Security Policies 
@@ -8049,7 +13948,43 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: true + related-score: '' + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Cloud App Security Policies + comments: This control can detect some activity indicative of brute force attempts + to login. Relevant alert is "Multiple failed login attempts". + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Cloud App Security Policies + comments: This control can detect some activity indicative of brute force attempts + to login. Relevant alert is "Multiple failed login attempts". + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Cloud App Security Policies + comments: This control can detect some activity indicative of brute force attempts + to login. Relevant alert is "Multiple failed login attempts". + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 score-category: Detect score-value: Partial tags: [] 
@@ -8065,7 +14000,7 @@ attack-objects: - https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery - https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection - https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: [] @@ -8081,7 +14016,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -8100,7 +14035,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -8119,7 +14054,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -8138,7 +14073,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -8179,7 +14114,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -8187,6 +14122,118 @@ attack-objects: - Azure Active Directory - Identity - MFA +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Azure AD Identity Secure Score + comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\ + \ all users can complete multi-factor authentication for secure access\" recommendations\ + \ for enabling MFA can significantly lead to reducing the impact of a password\ + \ compromise of accounts, requiring the adversary to complete an additional authentication\ + \ method before their access is permitted.\nThis control's \"Do not expire passwords\"\ + \ recommendation also can lead to mitigating the Password Guessing or Cracking\ + \ sub-techniques by disabling password reset which tends to lead to users selecting\ + \ weaker passwords. \nThis control's \"Enable policy to block legacy authentication\"\ + \ and \"Stop legacy protocols communication\" recommendations can lead to protecting\ + \ against these brute force attacks as Microsoft research has shown organizations\ + \ that have disabled legacy authentication experience 67 percent fewer compromises\ + \ than those where legacy authentication is enabled. Additionally, the same research\ + \ shows that more than 99 percent of password spray and more than 97 percent of\ + \ credential stuffing attacks use legacy authentication.\nThis control's \"Resolve\ + \ unsecure account attributes\" recommendation can lead to detecting accounts\ + \ with disabled (Kerberos) Preauthentication which can enable offline Password\ + \ Cracking.\nBecause these are recommendations and do not actually enforce MFA,\ + \ the assessed score is capped at Partial. 
" + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.002 + attack-object-name: Password Cracking + capability-id: Azure AD Identity Secure Score + comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\ + \ all users can complete multi-factor authentication for secure access\" recommendations\ + \ for enabling MFA can significantly lead to reducing the impact of a password\ + \ compromise of accounts, requiring the adversary to complete an additional authentication\ + \ method before their access is permitted.\nThis control's \"Do not expire passwords\"\ + \ recommendation also can lead to mitigating the Password Guessing or Cracking\ + \ sub-techniques by disabling password reset which tends to lead to users selecting\ + \ weaker passwords. \nThis control's \"Enable policy to block legacy authentication\"\ + \ and \"Stop legacy protocols communication\" recommendations can lead to protecting\ + \ against these brute force attacks as Microsoft research has shown organizations\ + \ that have disabled legacy authentication experience 67 percent fewer compromises\ + \ than those where legacy authentication is enabled. Additionally, the same research\ + \ shows that more than 99 percent of password spray and more than 97 percent of\ + \ credential stuffing attacks use legacy authentication.\nThis control's \"Resolve\ + \ unsecure account attributes\" recommendation can lead to detecting accounts\ + \ with disabled (Kerberos) Preauthentication which can enable offline Password\ + \ Cracking.\nBecause these are recommendations and do not actually enforce MFA,\ + \ the assessed score is capped at Partial. 
" + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure AD Identity Secure Score + comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\ + \ all users can complete multi-factor authentication for secure access\" recommendations\ + \ for enabling MFA can significantly lead to reducing the impact of a password\ + \ compromise of accounts, requiring the adversary to complete an additional authentication\ + \ method before their access is permitted.\nThis control's \"Do not expire passwords\"\ + \ recommendation also can lead to mitigating the Password Guessing or Cracking\ + \ sub-techniques by disabling password reset which tends to lead to users selecting\ + \ weaker passwords. \nThis control's \"Enable policy to block legacy authentication\"\ + \ and \"Stop legacy protocols communication\" recommendations can lead to protecting\ + \ against these brute force attacks as Microsoft research has shown organizations\ + \ that have disabled legacy authentication experience 67 percent fewer compromises\ + \ than those where legacy authentication is enabled. Additionally, the same research\ + \ shows that more than 99 percent of password spray and more than 97 percent of\ + \ credential stuffing attacks use legacy authentication.\nThis control's \"Resolve\ + \ unsecure account attributes\" recommendation can lead to detecting accounts\ + \ with disabled (Kerberos) Preauthentication which can enable offline Password\ + \ Cracking.\nBecause these are recommendations and do not actually enforce MFA,\ + \ the assessed score is capped at Partial. 
" + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Azure AD Identity Secure Score + comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\ + \ all users can complete multi-factor authentication for secure access\" recommendations\ + \ for enabling MFA can significantly lead to reducing the impact of a password\ + \ compromise of accounts, requiring the adversary to complete an additional authentication\ + \ method before their access is permitted.\nThis control's \"Do not expire passwords\"\ + \ recommendation also can lead to mitigating the Password Guessing or Cracking\ + \ sub-techniques by disabling password reset which tends to lead to users selecting\ + \ weaker passwords. \nThis control's \"Enable policy to block legacy authentication\"\ + \ and \"Stop legacy protocols communication\" recommendations can lead to protecting\ + \ against these brute force attacks as Microsoft research has shown organizations\ + \ that have disabled legacy authentication experience 67 percent fewer compromises\ + \ than those where legacy authentication is enabled. Additionally, the same research\ + \ shows that more than 99 percent of password spray and more than 97 percent of\ + \ credential stuffing attacks use legacy authentication.\nThis control's \"Resolve\ + \ unsecure account attributes\" recommendation can lead to detecting accounts\ + \ with disabled (Kerberos) Preauthentication which can enable offline Password\ + \ Cracking.\nBecause these are recommendations and do not actually enforce MFA,\ + \ the assessed score is capped at Partial. 
" + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1078 attack-object-name: Valid Accounts capability-id: Azure AD Identity Secure Score @@ -8221,7 +14268,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -8258,19 +14305,103 @@ attack-objects: \ rather than applying/enforcing the recommended actions." mapping-description: '' mapping-type: technique-scores - references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score - - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: true - score-category: Detect + references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score + - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# + - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes + - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 + related-score: '' + score-category: Detect + score-value: Minimal + tags: + - Credentials + - Azure Active Directory + - Identity + - MFA +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure AD Identity Secure Score + comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\ + \ all users can complete multi-factor authentication for secure access\" recommendations\ + \ of MFA can provide protection against an adversary that obtains valid credentials\ + \ by requiring the adversary to complete an additional authentication process\ + \ before access is permitted. See the mapping for MFA for more details. 
\nThis\ + \ control's \"Use limited administrative roles\" recommendation recommends reviewing\ + \ and limiting the number of accounts with global admin privilege, reducing what\ + \ an adversary can do with a compromised valid account.\nBecause these are recommendations\ + \ and do not actually enforce the protections, the assessed score is capped at\ + \ Partial. " + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Azure AD Identity Secure Score + comments: This control's "Turn on sign-in risk policy" and "Turn on user risk policy" + recommendations recommend enabling Azure AD Identity Protection which can lead + to detecting adversary usage of valid accounts. See the mapping for Azure AD + Identity Protection. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1078.002 + attack-object-name: Domain Accounts + capability-id: Azure AD Identity Secure Score + comments: 'This control''s "Remove dormant accounts from sensitive groups" recommendation + recommends reviewing dormant (domain) accounts from sensitive groups via an assessment + report that can identify sensitive accounts that are dormant. + + Because these are recommendations and do not actually enforce the protections + coupled with being limited to sensitive accounts, the assessed score is Minimal. 
' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect score-value: Minimal - tags: - - Credentials - - Azure Active Directory - - Identity - - MFA + tags: [] +- attack-object-id: T1078.003 + attack-object-name: Local Accounts + capability-id: Azure AD Identity Secure Score + comments: 'This control''s "Protect and manage local admin passwords with Microsoft + LAPS" recommendation recommends periodically running and reviewing the Microsoft + LAPS usage report that identifies all Windows based devices not protected by Microsoft + LAPS. This can help reduce the compromise of local administrator accounts. + + Because this is a recommendations and not actually enforced coupled with being + limited to sensitive accounts, the assessed score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1078.001 + attack-object-name: Default Accounts + capability-id: Azure AD Identity Secure Score + comments: 'This control''s "Protect and manage local admin passwords with Microsoft + LAPS" recommendation recommends periodically running and reviewing the Microsoft + LAPS usage report that identifies all Windows based devices not protected by Microsoft + LAPS. This can help reduce the compromise of local administrator accounts. + + Because this is a recommendations and not actually enforced coupled with being + limited to sensitive accounts, the assessed score is Minimal. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1531 attack-object-name: Account Access Removal capability-id: Azure AD Identity Secure Score 
@@ -8305,7 +14436,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -8347,7 +14478,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -8389,7 +14520,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -8397,6 +14528,20 @@ attack-objects: - Azure Active Directory - Identity - MFA +- attack-object-id: T1606.002 + attack-object-name: SAML Tokens + capability-id: Azure AD Identity Secure Score + comments: This control's "Turn on sign-in risk policy" and "Turn on user risk policy" + recommendations recommend enabling Azure AD Identity Protection which can detect + the malicious usage of SAML Tokens. This is a recommendation and therefore the + score is capped at Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1606 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1558 attack-object-name: Steal or Forge Kerberos Tickets capability-id: Azure AD Identity Secure Score @@ -8431,7 +14576,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -8439,6 +14584,54 @@ attack-objects: - Azure Active Directory - Identity - MFA +- attack-object-id: T1558.004 + attack-object-name: AS-REP Roasting + capability-id: Azure AD Identity Secure Score + comments: "This control's \"Resolve unsecure account attributes\" recommendation\ + \ can lead to detecting Active Directory accounts which do not require Kerberos\ + \ preauthentication. Preauthentication offers protection against offline (Kerberos)\ + \ Password Cracking. \nBecause this is a recommendation its score is capped as\ + \ Partial." + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1558.001 + attack-object-name: Golden Ticket + capability-id: Azure AD Identity Secure Score + comments: This control's "Reduce lateral movement path risk to sensitive entities" + recommendation can lead to protecting sensitive accounts against Pass-the-Hash + and Pass-the-Ticket attacks that may result in an adversary acquiring a golden + ticket. It recommends running the Lateral-Movement-Paths report to understand + and identify exactly how attackers can move laterally through the monitored network + to gain access to privileged identities such as the KRBTGT on the domain controller. Because + this is a recommendation, its score has been capped as Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1558.003 + attack-object-name: Kerberoasting + capability-id: Azure AD Identity Secure Score + comments: This control's "Modify unsecure Kerberos delegations to prevent impersonation" + recommendation promotes running the "Unsecure Kerberos delegation" report that + can identify accounts that have unsecure Kerberos delegation configured. 
Unsecured + Kerberos delegation can lead to exposing account TGTs to more hosts resulting + in an increased attack surface for Kerberoasting. Due to this control providing + a recommendation its score is capped at Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1558 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1552 attack-object-name: Unsecured Credentials capability-id: Azure AD Identity Secure Score @@ -8473,7 +14666,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -8515,7 +14708,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -8523,6 +14716,38 @@ attack-objects: - Azure Active Directory - Identity - MFA +- attack-object-id: T1550.003 + attack-object-name: Pass the Ticket + capability-id: Azure AD Identity Secure Score + comments: This control's "Reduce lateral movement path risk to sensitive entities" + recommendation can lead to protecting sensitive accounts against Pass-the-Hash + and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths + report to understand and identify exactly how attackers can move laterally through + the monitored network to gain access to privileged identities. Because this is + a recommendation, its score has been capped as Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1550 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1550.002 + attack-object-name: Pass the Hash + capability-id: Azure AD Identity Secure Score + comments: This control's "Reduce lateral movement path risk to sensitive entities" + recommendation can lead to protecting sensitive accounts against Pass-the-Hash + and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths + report to understand and identify exactly how attackers can move laterally through + the monitored network to gain access to privileged identities. Because this is + a recommendation, its score has been capped as Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1550 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1040 attack-object-name: Network Sniffing capability-id: Azure AD Identity Secure Score 
@@ -8557,7 +14782,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -8599,7 +14824,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -8641,7 +14866,7 @@ attack-objects: - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302# - https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675 - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -8649,6 +14874,22 @@ attack-objects: - Azure Active Directory - Identity - MFA +- attack-object-id: T1134.005 + attack-object-name: SID-History Injection + capability-id: Azure AD Identity Secure Score + comments: 'This control''s "Remove unsecure SID history attributes from entities" + recommendation promotes running the "Unsecure SID history attributes" report periodically + which can lead to identifying accounts with SID History attributes which Microsoft + Defender for Identity profiles to be risky. Because this is a recommendation + and not actually enforced, coupled with the detection its assessed score is capped + at Partial. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1134 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1110 attack-object-name: Brute Force capability-id: Azure Active Directory Password Protection @@ -8665,7 +14906,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -8673,6 +14914,50 @@ attack-objects: - Credentials - Identity - Passwords +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Azure Active Directory Password Protection + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.002 + attack-object-name: Password Cracking + capability-id: Azure Active Directory Password Protection + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Azure Active Directory Password Protection + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Azure Active Directory Password Protection + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1566 attack-object-name: Phishing capability-id: Microsoft Antimalware for Azure @@ -8685,7 +14970,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: 
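Review bot: The four added sub-technique rows for Azure Active Directory Password Protection (T1110.001 to T1110.004, in the -8673 hunk) carry `comments: ''`, `references: []` and `tags: []`, so each asserts a Partial Protect score with no rationale or source. The parent T1110 row in the preceding hunk keeps its reference and tags, and the same empty `references`/`tags` pattern appears on every sub-technique row added in the surrounding hunks. If these rows are produced by expanding the parent mapping, consider carrying the parent's provenance onto them, e.g. `references:` followed by `- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad`. That keeps a score traceable when rows are consumed individually, for example in the attack_objects CSV export.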
@@ -8702,11 +14987,37 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Security Center +- attack-object-id: T1566.001 + attack-object-name: Spearphishing Attachment + capability-id: Microsoft Antimalware for Azure + comments: This control may quarantine and/or delete any spearphishing attachment + that has been downloaded and matches a malware signature. Customized malware without + a matching signature may not generate an alert. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1566 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1566.001 + attack-object-name: Spearphishing Attachment + capability-id: Microsoft Antimalware for Azure + comments: This control may detect any spearphishing attachment that has been downloaded + and matches a malware signature. Customized malware without a matching signature + may not generate an alert. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1566 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1204 attack-object-name: User Execution capability-id: Microsoft Antimalware for Azure 
@@ -8719,11 +15030,35 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center +- attack-object-id: T1204.002 + attack-object-name: Malicious File + capability-id: Microsoft Antimalware for Azure + comments: 'This control monitors activity in cloud services and on virtual machines + to block malware execution. This is dependent on a signature being available. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1204 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1204.002 + attack-object-name: Malicious File + capability-id: Microsoft Antimalware for Azure + comments: 'This control monitors activity in cloud services and on virtual machines + to detect malware execution. This is dependent on a signature being available. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1204 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1105 attack-object-name: Ingress Tool Transfer capability-id: Microsoft Antimalware for Azure @@ -8736,7 +15071,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -8753,7 +15088,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -8770,7 +15105,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: @@ -8787,11 +15122,37 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware - https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Security Center +- attack-object-id: T1027.002 + attack-object-name: Software Packing + capability-id: Microsoft Antimalware for Azure + comments: This control may quarantine and/or delete malware that has been packed + by well known software packing utilities. These utilities can provide signatures + that apply to a variety of malware. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1027 + score-category: Protect + score-value: Minimal + tags: [] +- attack-object-id: T1027.002 + attack-object-name: Software Packing + capability-id: Microsoft Antimalware for Azure + comments: This control may detect malware that has been packed by well known software + packing utilities. These utilities can provide signatures that apply to a variety + of malware. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1027 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1595 attack-object-name: Active Scanning capability-id: Azure Web Application Firewall 
@@ -8800,11 +15161,33 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/web-application-firewall/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: Azure Web Application Firewall + comments: Focuses on web vulnerability scanning of OWASP Core Rule Set (CRS). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: Azure Web Application Firewall + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: Azure Web Application Firewall @@ -8813,7 +15196,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/web-application-firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -8826,7 +15209,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/web-application-firewall/overview - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -8839,7 +15222,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/web-application-firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -8852,7 +15235,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/web-application-firewall/overview - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -8865,7 +15248,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/web-application-firewall/overview - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: @@ -8878,11 +15261,35 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/web-application-firewall/overview - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Azure Security Center Recommendation +- attack-object-id: T1071.001 + attack-object-name: Web Protocols + capability-id: Azure Web Application Firewall + comments: This control can protect web applications from protocol attacks that may + be indicative of adversary activity. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1071.001 + attack-object-name: Web Protocols + capability-id: Azure Web Application Firewall + comments: This control can detect protocol attacks targeting web applications that + may be indicative of adversary activity. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol capability-id: Azure DNS Analytics 
@@ -8896,12 +15303,24 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - DNS - Network +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: Azure DNS Analytics + comments: This control can be used forensically to identify clients that communicated + with identified C2 hosts. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution capability-id: Azure DNS Analytics @@ -8915,12 +15334,36 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - DNS - Network +- attack-object-id: T1568.001 + attack-object-name: Fast Flux DNS + capability-id: Azure DNS Analytics + comments: This control can be used for after-the-fact analysis of potential fast-flux + DNS C2 + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1568 + score-category: Detect + score-value: Minimal + tags: [] +- attack-object-id: T1568.002 + attack-object-name: Domain Generation Algorithms + capability-id: Azure DNS Analytics + comments: This control can be used for after-the-fact analysis of potential fast-flux + DNS C2 + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1568 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol capability-id: Azure DNS Analytics 
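Review bot: The added `T1568.002` (Domain Generation Algorithms) entry for Azure DNS Analytics carries the same comment as the `T1568.001` entry above it, "after-the-fact analysis of potential fast-flux DNS C2", which describes fast flux rather than DGA. This file looks generated, so the wording probably comes from the source mapping and the correction belongs there. A possible replacement is `comments: This control can be used for after-the-fact analysis of potential DGA-based DNS C2`.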
@@ -8934,12 +15377,24 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - DNS - Network +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: Azure DNS Analytics + comments: This control can potentially be used to forensically identify exfiltration + via DNS protocol. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1041 attack-object-name: Exfiltration Over C2 Channel capability-id: Azure DNS Analytics @@ -8953,7 +15408,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -8972,12 +15427,24 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - DNS - Network +- attack-object-id: T1566.002 + attack-object-name: Spearphishing Link + capability-id: Azure DNS Analytics + comments: This control can be used forensically to identify DNS queries to known + malicious sites, which may be evidence of phishing. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1566 + score-category: Detect + score-value: Minimal + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: Just-in-Time VM Access 
@@ -8987,7 +15454,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api - https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -9003,7 +15470,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api - https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -9019,13 +15486,61 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api - https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained - related-score: true + related-score: '' score-category: Protect score-value: Significant tags: - Azure Security Center - Azure Security Center Recommendation - Azure Defender for Servers +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Just-in-Time VM Access + comments: This control can be configured to completely block inbound access to selected + ports until access is requested. This prevents any attempt at brute forcing a + protocol, such as RDP or SSH, unless the attacker has the credentials and permissions + to request such access. Even if permission has been granted to an authorized user + to access the virtual machine, a list of authorized IP addresses for that access + can be configured. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Just-in-Time VM Access + comments: This control can be configured to completely block inbound access to selected + ports until access is requested. This prevents any attempt at brute forcing a + protocol, such as RDP or SSH, unless the attacker has the credentials and permissions + to request such access. Even if permission has been granted to an authorized user + to access the virtual machine, a list of authorized IP addresses for that access + can be configured. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Just-in-Time VM Access + comments: This control can be configured to completely block inbound access to selected + ports until access is requested. This prevents any attempt at brute forcing a + protocol, such as RDP or SSH, unless the attacker has the credentials and permissions + to request such access. Even if permission has been granted to an authorized user + to access the virtual machine, a list of authorized IP addresses for that access + can be configured. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: SQL Vulnerability Assessment @@ -9036,7 +15551,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -9052,12 +15567,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Defender for SQL - Database +- attack-object-id: T1078.001 + attack-object-name: Default Accounts + capability-id: SQL Vulnerability Assessment + comments: This control may provide recommendations to disable default accounts and + restrict permissions for existing accounts. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1505 attack-object-name: Server Software Component capability-id: SQL Vulnerability Assessment @@ -9068,12 +15595,24 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Defender for SQL - Database +- attack-object-id: T1505.001 + attack-object-name: SQL Stored Procedures + capability-id: SQL Vulnerability Assessment + comments: This control may scan for users with unnecessary access to SQL stored + procedures. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1505 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation capability-id: SQL Vulnerability Assessment 
@@ -9084,7 +15623,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -9097,31 +15636,83 @@ attack-objects: rather than applying/enforcing the recommended actions. mapping-description: '' mapping-type: technique-scores - references: - - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment - - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules - related-score: false + references: + - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment + - https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules + related-score: '' + score-category: Protect + score-value: Minimal + tags: + - Azure Defender for SQL + - Database +- attack-object-id: T1110 + attack-object-name: Brute Force + capability-id: Passwordless Authentication + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: + - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless + related-score: '' + score-category: Protect + score-value: Significant + tags: + - Azure Active Directory + - Credentials + - Identity + - Passwords +- attack-object-id: T1110.004 + attack-object-name: Credential Stuffing + capability-id: Passwordless Authentication + comments: This control provides significant protection against password based attacks + by completing obviating the need for passwords by replacing it with passwordless + credentials. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.001 + attack-object-name: Password Guessing + capability-id: Passwordless Authentication + comments: This control provides significant protection against password based attacks + by completing obviating the need for passwords by replacing it with passwordless + credentials. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 + score-category: Protect + score-value: Significant + tags: [] +- attack-object-id: T1110.003 + attack-object-name: Password Spraying + capability-id: Passwordless Authentication + comments: This control provides significant protection against password based attacks + by completing obviating the need for passwords by replacing it with passwordless + credentials. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1110 score-category: Protect - score-value: Minimal - tags: - - Azure Defender for SQL - - Database -- attack-object-id: T1110 - attack-object-name: Brute Force + score-value: Significant + tags: [] +- attack-object-id: T1110.002 + attack-object-name: Password Cracking capability-id: Passwordless Authentication - comments: '' + comments: This control provides significant protection against password based attacks + by completing obviating the need for passwords by replacing it with passwordless + credentials. mapping-description: '' mapping-type: technique-scores - references: - - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless - related-score: true + references: [] + related-score: T1110 score-category: Protect score-value: Significant - tags: - - Azure Active Directory - - Credentials - - Identity - - Passwords + tags: [] - attack-object-id: T1590 attack-object-name: Gather Victim Network Information capability-id: Azure Firewall 
@@ -9130,12 +15721,51 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1590.004 + attack-object-name: Network Topology + capability-id: Azure Firewall + comments: This control can prevent attempts by an adversary to gather this information + using active scanning methods but is not effective of gathering this information + using phishing related methods. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.005 + attack-object-name: IP Addresses + capability-id: Azure Firewall + comments: This control can prevent attempts by an adversary to gather this information + using active scanning methods but is not effective of gathering this information + using phishing related methods. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1590.006 + attack-object-name: Network Security Appliances + capability-id: Azure Firewall + comments: This control can prevent attempts by an adversary to gather this information + using active scanning methods but is not effective of gathering this information + using phishing related methods. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1590 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1595 attack-object-name: Active Scanning capability-id: Azure Firewall 
@@ -9144,12 +15774,44 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1595.001 + attack-object-name: Scanning IP Blocks + capability-id: Azure Firewall + comments: This control's threat intelligence-based filtering feature can be enabled + to alert and deny traffic from/to known malicious IP addresses and domains. The + IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because + this protection is limited to known malicious IP addresses and domains and does + not provide protection from such attacks from unknown domains and IP addresses, + this is scored as partial coverage resulting in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1595.002 + attack-object-name: Vulnerability Scanning + capability-id: Azure Firewall + comments: This control's threat intelligence-based filtering feature can be enabled + to alert and deny traffic from/to known malicious IP addresses and domains. The + IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because + this protection is limited to known malicious IP addresses and domains and does + not provide protection from such attacks from unknown domains and IP addresses, + this is scored as partial coverage resulting in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1595 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1133 attack-object-name: External Remote Services capability-id: Azure Firewall 
@@ -9158,7 +15820,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9172,12 +15834,29 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1205.001 + attack-object-name: Port Knocking + capability-id: Azure Firewall + comments: This control can protect against this sub-technique by enforcing limited + access to only required ports. Consequently, even if the adversary is able to + utilize port knocking to open additional ports at the host level, it is still + blocked at the firewall service level. This service typically applies to external + traffic and not internal traffic and therefore lateral movement using this technique + within a network is still possible. Due to this partial coverage, it has been + scored as Partial. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1205 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1046 attack-object-name: Network Service Scanning capability-id: Azure Firewall @@ -9186,7 +15865,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9200,7 +15879,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -9214,7 +15893,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9228,7 +15907,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9242,7 +15921,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -9256,7 +15935,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -9270,12 +15949,60 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/firewall/overview - related-score: true + related-score: '' score-category: Protect score-value: Partial tags: - Azure Security Center Recommendation - Network +- attack-object-id: T1048.001 + attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol + capability-id: Azure Firewall + comments: This control's threat intelligence-based filtering feature can be enabled + to alert and deny traffic from/to known malicious IP addresses and domains. The + IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because + this protection is limited to known malicious IP addresses and domains and does + not provide protection from such attacks from unknown domains and IP addresses, + this is scored as partial coverage resulting in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1048.002 + attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol + capability-id: Azure Firewall + comments: This control's threat intelligence-based filtering feature can be enabled + to alert and deny traffic from/to known malicious IP addresses and domains. The + IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because + this protection is limited to known malicious IP addresses and domains and does + not provide protection from such attacks from unknown domains and IP addresses, + this is scored as partial coverage resulting in an overall Partial score. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: Azure Firewall + comments: This control's threat intelligence-based filtering feature can be enabled + to alert and deny traffic from/to known malicious IP addresses and domains. The + IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because + this protection is limited to known malicious IP addresses and domains and does + not provide protection from such attacks from unknown domains and IP addresses, + this is scored as partial coverage resulting in an overall Partial score. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Protect + score-value: Partial + tags: [] - attack-object-id: T1568 attack-object-name: Dynamic Resolution capability-id: Alerts for DNS 
@@ -9285,12 +16012,36 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Network - DNS +- attack-object-id: T1568.001 + attack-object-name: Fast Flux DNS + capability-id: Alerts for DNS + comments: Detects "random" DNS name occurences, potentially indicative of Fast Flux + or DGA. Potential false positives from benign "random" DNS names. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1568 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1568.002 + attack-object-name: Domain Generation Algorithms + capability-id: Alerts for DNS + comments: Detects "random" DNS name occurences, potentially indicative of Fast Flux + or DGA. Potential false positives from benign "random" DNS names. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1568 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1071 attack-object-name: Application Layer Protocol capability-id: Alerts for DNS 
@@ -9300,12 +16051,23 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Network - DNS +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: Alerts for DNS + comments: Can alert on anomalies and misuse of the DNS protocol. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Significant + tags: [] - attack-object-id: T1572 attack-object-name: Protocol Tunneling capability-id: Alerts for DNS @@ -9315,7 +16077,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -9330,7 +16092,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -9345,7 +16107,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction - https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -9359,12 +16121,30 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation - related-score: true + related-score: '' score-category: Respond score-value: Minimal tags: - Azure Active Directory - Identity +- attack-object-id: T1078.004 + attack-object-name: Cloud Accounts + capability-id: Continuous Access Evaluation + comments: 'Security controls like Azure AD Identity Protection can raise a user''s + risk level asynchronously after they have used a valid account to access organizational + data. This CAE control can respond to this change in the users risky state to + terminate the user''s access within minutes or enforce an additional authentication + method such as MFA. This mitigates the impact of an adversary using a valid + account. This is control only forces the user to re-authenticate and doesn''t + resolve the usage of a valid account (i.e. password change) and is therefore a + containment type of response. ' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1078 + score-category: Respond + score-value: Partial + tags: [] - attack-object-id: T1189 attack-object-name: Drive-by Compromise capability-id: Integrated Vulnerability Scanner Powered by Qualys @@ -9380,7 +16160,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm - https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -9401,7 +16181,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm - https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9422,7 +16202,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm - https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9443,7 +16223,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm - https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9464,7 +16244,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm - https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9485,7 +16265,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm - https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9506,7 +16286,7 @@ attack-objects: references: - https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm - https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -9520,7 +16300,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/key-vault/general/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9535,7 +16315,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/key-vault/general/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9550,7 +16330,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/key-vault/general/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -9565,7 +16345,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/key-vault/general/overview - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -9580,7 +16360,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -9594,12 +16374,34 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Network +- attack-object-id: T1602.001 + attack-object-name: SNMP (MIB Dump) + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1602 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1602.002 + attack-object-name: Network Device Configuration Dump + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1602 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1542 attack-object-name: Pre-OS Boot capability-id: Azure Network Traffic Analytics @@ -9608,12 +16410,23 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: true + related-score: '' score-category: Detect score-value: Minimal tags: - Analytics - Network +- attack-object-id: T1542.005 + attack-object-name: TFTP Boot + capability-id: Azure Network Traffic Analytics + comments: This control can be used to identify anomalous TFTP boot traffic. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1542 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1563 attack-object-name: Remote Service Session Hijacking capability-id: Azure Network Traffic Analytics 
@@ -9622,12 +16435,34 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Network +- attack-object-id: T1563.002 + attack-object-name: RDP Hijacking + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1563 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1563.001 + attack-object-name: SSH Hijacking + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1563 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1048 attack-object-name: Exfiltration Over Alternative Protocol capability-id: Azure Network Traffic Analytics 
@@ -9636,12 +16471,48 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Network +- attack-object-id: T1048.003 + attack-object-name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + capability-id: Azure Network Traffic Analytics + comments: This control can identify anomalous traffic with respect specific ports + (though it can't identify presence or lack of encryption). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1048.002 + attack-object-name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol + capability-id: Azure Network Traffic Analytics + comments: This control can identify anomalous traffic with respect specific ports + (though it can't identify presence or lack of encryption). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1048.001 + attack-object-name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol + capability-id: Azure Network Traffic Analytics + comments: This control can identify anomalous traffic with respect specific ports + (though it can't identify presence or lack of encryption). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1048 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1190 attack-object-name: Exploit Public-Facing Application capability-id: Azure Network Traffic Analytics 
@@ -9650,7 +16521,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -9664,12 +16535,84 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Network +- attack-object-id: T1021.006 + attack-object-name: Windows Remote Management + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous traffic with respect to remote access + protocols and groups. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1021.005 + attack-object-name: VNC + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous traffic with respect to remote access + protocols and groups. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous traffic with respect to remote access + protocols and groups. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1021.002 + attack-object-name: SMB/Windows Admin Shares + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous traffic with respect to remote access + protocols and groups. 
+ mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1021.001 + attack-object-name: Remote Desktop Protocol + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous traffic with respect to remote access + protocols and groups. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1021.003 + attack-object-name: Distributed Component Object Model + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous traffic with respect to remote access + protocols and groups. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1072 attack-object-name: Software Deployment Tools capability-id: Azure Network Traffic Analytics @@ -9678,7 +16621,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -9692,7 +16635,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -9706,7 +16649,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -9720,7 +16663,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -9734,12 +16677,51 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Network +- attack-object-id: T1071.004 + attack-object-name: DNS + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous application protocol traffic with respect + to network security group (NSG) (though web traffic would be typically too commonplace + for this control to be useful). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1071.003 + attack-object-name: Mail Protocols + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous application protocol traffic with respect + to network security group (NSG) (though web traffic would be typically too commonplace + for this control to be useful). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1071.002 + attack-object-name: File Transfer Protocols + capability-id: Azure Network Traffic Analytics + comments: This control can detect anomalous application protocol traffic with respect + to network security group (NSG) (though web traffic would be typically too commonplace + for this control to be useful). + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1071 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1499 attack-object-name: Endpoint Denial of Service capability-id: Azure Network Traffic Analytics 
@@ -9748,12 +16730,45 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Network +- attack-object-id: T1499.003 + attack-object-name: Application Exhaustion Flood + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1499.002 + attack-object-name: Service Exhaustion Flood + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1499.001 + attack-object-name: OS Exhaustion Flood + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1499 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1090 attack-object-name: Proxy capability-id: Azure Network Traffic Analytics 
@@ -9762,12 +16777,45 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics - related-score: true + related-score: '' score-category: Detect score-value: Partial tags: - Analytics - Network +- attack-object-id: T1090.003 + attack-object-name: Multi-hop Proxy + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1090.002 + attack-object-name: External Proxy + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Detect + score-value: Partial + tags: [] +- attack-object-id: T1090.001 + attack-object-name: Internal Proxy + capability-id: Azure Network Traffic Analytics + comments: '' + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1090 + score-category: Detect + score-value: Partial + tags: [] - attack-object-id: T1525 attack-object-name: Implant Container Image capability-id: Docker Host Hardening @@ -9777,7 +16825,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -9793,13 +16841,26 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Containers - Linux +- attack-object-id: T1548.001 + attack-object-name: Setuid and Setgid + capability-id: Docker Host Hardening + comments: This control may provide recommendations to remove setuid and setguid + permissions from container images. It may not be feasible to audit and remediate + all binaries that have and require setuid and setguid permissions. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1548 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1068 attack-object-name: Exploitation for Privilege Escalation capability-id: Docker Host Hardening @@ -9809,7 +16870,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -9825,7 +16886,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -9841,7 +16902,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -9857,13 +16918,27 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts - related-score: true + related-score: '' score-category: Protect score-value: Minimal tags: - Azure Security Center - Containers - Linux +- attack-object-id: T1021.004 + attack-object-name: SSH + capability-id: Docker Host Hardening + comments: This control may provide recommendations to ensure sshd is not running + within Docker containers. This can prevent attackers from utilizing unmonitored + SSH servers within containers. This may not prevent attackers from installing + a SSH server in containers or hosts. + mapping-description: '' + mapping-type: technique-scores + references: [] + related-score: T1021 + score-category: Protect + score-value: Minimal + tags: [] - attack-object-id: T1005 attack-object-name: Data from Local System capability-id: Docker Host Hardening @@ -9873,7 +16948,7 @@ attack-objects: mapping-type: technique-scores references: - https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_attack-objects.csv b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_attack-objects.csv index dd4234d6..7ac515ca 100644 --- a/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_attack-objects.csv +++ b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_attack-objects.csv 
@@ -1,862 +1,1476 @@ ,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,score-category,score-value,related-score,metadata_key -0,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Partial,True,0 -1,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Partial,True,0 -2,,T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 
'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Partial,True,0 -3,,T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Partial,True,0 -4,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Minimal,True,0 -5,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 
'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Minimal,True,0 -6,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,True,0 -7,,T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -8,,T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,True,0 -9,,T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -10,,T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows 
Machines,technique-scores,Detect,Minimal,True,0 -11,,T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -12,,T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -13,,T1548,Abuse Elevation Control Mechanism,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -14,,T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,True,0 -15,,T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -16,,T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -17,,T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -18,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -19,,T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -20,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -21,,T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows 
Machines,technique-scores,Detect,Partial,False,0 -22,,T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -23,,T1222,File and Directory Permissions Modification,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -24,,T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -25,,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -26,,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -27,,T1112,Modify Registry,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -28,,T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,False,0 -29,,T1218,Signed Binary Proxy Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -30,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,True,0 -31,,T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -32,,T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -33,,T1087,Account 
Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,True,0 -34,,T1082,System Information Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,False,0 -35,,T1563,Remote Service Session Hijacking,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,True,0 -36,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,False,0 -37,,T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,True,0 -38,,T1489,Service Stop,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender 
for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,False,0 -39,,T1202,Indirect Command Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,False,0 -40,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +0,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Partial,,0 +1,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 
'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Partial,,0 +2,"This control provides risk detections that can be used to detect suspicious uses of valid accounts, e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc. Microsoft utilizes machine learning and heuristic systems to reduce the false positive rate but there will be false positives. +The temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day).",T1078.004,Cloud Accounts,[],[],,Azure AD Identity Protection,technique-scores,Detect,Partial,T1078,0 +3,"Response Type: Eradication +Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.",T1078.004,Cloud Accounts,[],[],,Azure AD Identity Protection,technique-scores,Respond,Significant,T1078,0 +4,"When Azure Active Directory (AAD) Federation is configured for a tenant, an adversary that compromises a domain credential can use it to access (Azure) cloud resources. Identity Protection supports applying its risk detections (e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc.) to federated identities thereby providing detection mitigation for this risk. Because this detection is specific to an adversary utilizing valid domain credentials to access cloud resources and does not mitigate the usage of valid domain credentials to access on-premise resources, this detection has been scored as Partial. 
+ +The temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day).",T1078.002,Domain Accounts,[],[],,Azure AD Identity Protection,technique-scores,Detect,Partial,T1078,0 +5,"Response Type: Containment +Supports risk detection responses such as blocking a user's access and enforcing MFA. These responses contain the impact of this sub-technique but do not eradicate it (by forcing a password reset).",T1078.002,Domain Accounts,[],[],,Azure AD Identity Protection,technique-scores,Respond,Partial,T1078,0 +6,,T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Partial,,0 +7,,T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Partial,,0 +8,This control supports detecting risky sign-ins and users that involve 
federated users and therefore can potentially alert on this activity. Not all alert types for this control support federated accounts therefore the detection coverage for this technique is partial.,T1606.002,SAML Tokens,[],[],,Azure AD Identity Protection,technique-scores,Detect,Partial,T1606,0 +9,"Response Type: Eradication +Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.",T1606.002,SAML Tokens,[],[],,Azure AD Identity Protection,technique-scores,Respond,Significant,T1606,0 +10,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Minimal,,0 +11,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Minimal,,0 +12,This control specifically provides detection of Password Spray 
attacks for Azure Active Directory accounts. Microsoft documentation states that this detection is based on a machine learning algorithm that has been improved with the latest improvement yielding a 100 percent increase in recall and 98 percent precision. The temporal factor for this detection is Partial as its detection is described as offline (i.e. detections may not show up in reporting for two to twenty-four hours).,T1110.003,Password Spraying,[],[],,Azure AD Identity Protection,technique-scores,Detect,Partial,T1110,0 +13,"Response Type: Eradication +Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in (such as Password Spray attack) manually and also supports automation via its user and sign-in risk policies.",T1110.003,Password Spraying,[],[],,Azure AD Identity Protection,technique-scores,Respond,Significant,T1110,0 +14,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +15,"This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. [seen multiple times]"".",T1078.003,Local Accounts,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1078,0 +16,"This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. 
[seen multiple times]"".",T1078.001,Default Accounts,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1078,0 +17,,T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +18,"This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: ""Detected anomalous mix of upper and lower case characters in command-line"", ""Detected encoded executable in command line data"", ""Detected obfuscated command line"", ""Detected suspicious combination of HTA and PowerShell"", ""Detected suspicious commandline arguments"", ""Detected suspicious commandline used to start all executables in a directory"", ""Detected suspicious credentials in commandline"", ""Dynamic PS script construction"", ""Suspicious PowerShell Activity Detected"", ""Suspicious PowerShell cmdlets executed"", ""Suspicious command execution"".",T1059.001,PowerShell,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1059,0 +19,"This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. 
The following alerts may be generated: ""Detected anomalous mix of upper and lower case characters in command-line"", ""Detected encoded executable in command line data"", ""Detected obfuscated command line"", ""Detected suspicious combination of HTA and PowerShell"", ""Detected suspicious commandline arguments"", ""Detected suspicious commandline used to start all executables in a directory"", ""Detected suspicious credentials in commandline"", ""Dynamic PS script construction"", ""Suspicious PowerShell Activity Detected"", ""Suspicious PowerShell cmdlets executed"", ""Suspicious command execution"".",T1059.003,Windows Command Shell,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1059,0 +20,,T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +21,"This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. The following alerts may be generated: ""Detected possible execution of keygen executable"", ""Detected possible execution of malware dropper"", ""Detected suspicious file creation"".",T1204.002,Malicious File,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1204,0 +22,,T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +23,"This control may detect when the Registry is leveraged to gain persistence. 
The following alerts may be generated: ""Windows registry persistence method detected"".",T1547.001,Registry Run Keys / Startup Folder,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1547,0 +24,,T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +25,"This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. The following alerts may be generated: ""Suspicious Account Creation Detected"".",T1136.001,Local Account,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1136,0 +26,,T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +27,"This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions or when a rare service group is executed under SVCHOST. 
The following alerts may be generated: ""Suspect service installation"".",T1543.003,Windows Service,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1543,0 +28,,T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +29,"This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: ""Suspicious Screensaver process executed"".",T1546.002,Screensaver,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1546,0 +30,"This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. The following alerts may be generated: ""Sticky keys attack detected"".",T1546.008,Accessibility Features,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1546,0 +31,,T1548,Abuse Elevation Control Mechanism,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +32,"This control may detect when User Account Control is bypassed by manipulating the Windows registry. There may be other methods to Bypass User Account Control which limits the score to Minimal. 
The following alerts may be generated: ""Detected change to a registry key that can be abused to bypass UAC""",T1548.002,Bypass User Account Control,[],[],,Alerts for Windows Machines,technique-scores,Detect,Minimal,T1548,0 +33,,T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +34,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.001,Dynamic-link Library Injection,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +35,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.002,Portable Executable Injection,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +36,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.003,Thread Execution Hijacking,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +37,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.005,Thread Local Storage,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +38,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.004,Asynchronous Procedure Call,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +39,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.011,Extra Window Memory Injection,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +40,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.012,Process Hollowing,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +41,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.013,Process Doppelgänging,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +42,,T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +43,,T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +44,,T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +45,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +46,,T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender 
for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +47,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +48,,T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +49,,T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +50,,T1222,File and Directory Permissions Modification,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +51,"This control may detect the usage of cacls.exe to modify file and directory permissions. 
The following alerts may be generated: ""Detected suspicious use of Cacls to lower the security state of the system"".",T1222.001,Windows File and Directory Permissions Modification,[],[],,Alerts for Windows Machines,technique-scores,Detect,Minimal,T1222,0 +52,,T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +53,"This control may detect usage of the WindowPosition Registry value to hide application windows in non-visible sections of the desktop. The following alerts may be generated: ""Suspicious WindowPosition registry value detected"".",T1564.003,Hidden Window,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1564,0 +54,,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +55,"This control may detect modification of the Windows firewall through use of netsh.exe or using a method that matches a known threat actor. The following alerts may be generated: ""Malicious firewall rule created by ZINC server implant [seen multiple times]"", ""Detected suspicious new firewall rule"".",T1562.004,Disable or Modify System Firewall,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1562,0 +56,"This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. 
The following alerts may be generated: ""Detected the disabling of critical services"", ""Detected actions indicative of disabling and deleting IIS log files"".",T1562.001,Disable or Modify Tools,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1562,0 +57,,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +58,"This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: ""Detected suspicious file cleanup commands"", ""Suspicious Volume Shadow Copy Activity"".",T1070.004,File Deletion,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1070,0 +59,"This control may detect when an event log has been cleared or IIS logs have been deleted. 
The following alerts may be generated: ""Detected actions indicative of disabling and deleting IIS log files"", ""An event log was cleared"".",T1070.001,Clear Windows Event Logs,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1070,0 +60,,T1112,Modify Registry,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +61,,T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +62,,T1218,Signed Binary Proxy Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +63,"This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: ""Detected suspicious execution via rundll32.exe"", ""Detected suspicious combination of HTA and PowerShell"".",T1218.005,Mshta,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1218,0 +64,"This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. 
The following alerts may be generated: ""Detected suspicious execution via rundll32.exe"", ""Detected suspicious combination of HTA and PowerShell"".",T1218.011,Rundll32,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1218,0 +65,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +66,"This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. [seen multiple times]"", ""Successful brute force attack"", ""Suspicious authentication activity"".",T1110.003,Password Spraying,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1110,0 +67,"This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. [seen multiple times]"", ""Successful brute force attack"", ""Suspicious authentication activity"".",T1110.001,Password Guessing,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1110,0 +68,"This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. 
[seen multiple times]"", ""Successful brute force attack"", ""Suspicious authentication activity"".",T1110.004,Credential Stuffing,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1110,0 +69,,T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +70,"This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: ""Detected enabling of the WDigest UseLogonCredential registry key"".",T1003.004,LSA Secrets,[],[],,Alerts for Windows Machines,technique-scores,Detect,Minimal,T1003,0 +71,,T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +72,"This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. 
The following alerts may be generated: ""Suspected Kerberos Golden Ticket attack parameters observed"".",T1558.001,Golden Ticket,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1558,0 +73,,T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +74,"This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: ""Multiple Domain Accounts Queried"", ""Local Administrators group members were enumerated"".",T1087.001,Local Account,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1087,0 +75,"This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. 
The following alerts may be generated: ""Multiple Domain Accounts Queried"", ""Local Administrators group members were enumerated"".",T1087.002,Domain Account,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1087,0 +76,,T1082,System Information Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +77,,T1563,Remote Service Session Hijacking,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +78,"This control may detect RDP hijacking through use of the tscon.exe binary. 
The following alerts may be generated: ""Suspect integrity level indicative of RDP hijacking"", ""Suspect service installation"".",T1563.002,RDP Hijacking,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1563,0 +79,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +80,,T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +81,"This control may detect suspicious use of the Telegram tool for transferring malicious binaries across hosts. 
The following alerts may be generated: ""Detected potentially suspicious use of Telegram tool"".",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Alerts for Windows Machines,technique-scores,Detect,Minimal,T1048,0 +82,,T1489,Service Stop,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +83,,T1202,Indirect Command Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +84,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,False,0 -41,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +85,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,False,0 -42,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +86,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -43,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +87,"This control's ""Authentication to Linux machines should require SSH keys"" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.",T1110.001,Password Guessing,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1110,0 +88,"This control's ""Authentication to Linux machines should require SSH keys"" can obviate SSH Brute Force password attacks. 
Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.",T1110.003,Password Spraying,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1110,0 +89,"This control's ""Authentication to Linux machines should require SSH keys"" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.",T1110.004,Credential Stuffing,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1110,0 +90,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1542,Pre-OS Boot,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,True,0 -44,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+IoT related recommendations were not included in this mapping.",T1542,Pre-OS Boot,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +91,"This control's ""Secure Boot should be enabled on your Linux virtual machine"" and ""Virtual machines should be attested for boot integrity health"" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.",T1542.001,System Firmware,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1542,0 +92,"This control's ""Secure Boot should be enabled on your Linux virtual machine"" and ""Virtual machines should be attested for boot integrity health"" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.",T1542.003,Bootkit,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1542,0 +93,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1499,Endpoint Denial of Service,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -45,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1499,Endpoint Denial of Service,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +94,"This control's ""Container CPU and memory limits should be enforced"" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.",T1499.001,OS Exhaustion Flood,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1499,0 +95,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). 
Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,False,0 -46,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +96,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,False,0 -47,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +97,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -48,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +98,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. 
Because this recommendation is specific to Kubernetes containers, its score is Minimal.",T1098.004,SSH Authorized Keys,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1098,0 +99,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1554,Compromise Client Software Binary,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,False,0 -49,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+IoT related recommendations were not included in this mapping.",T1554,Compromise Client Software Binary,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +100,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -50,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+IoT related recommendations were not included in this mapping.",T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +101,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial.",T1136.001,Local Account,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1136,0 +102,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -51,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +103,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1543.002,Systemd Service,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1543,0 +104,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). 
Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -52,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +105,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. 
Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1546.004,.bash_profile and .bashrc,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1546,0 +106,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -53,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+IoT related recommendations were not included in this mapping.",T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +107,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1505.003,Web Shell,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1505,0 +108,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1222,File and Directory Permissions Modification,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -54,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1222,File and Directory Permissions Modification,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +109,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1222,0 +110,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. 
""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -55,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +111,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. 
Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1564.001,Hidden Files and Directories,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1564,0 +112,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1564.005,Hidden File System,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1564,0 +113,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1564.006,Run Virtual Instance,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1564,0 +114,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -56,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +115,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. 
Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1053.003,Cron,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1053,0 +116,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1053.006,Systemd Timers,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1053,0 +117,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1556,Modify Authentication Process,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -57,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). 
Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1556,Modify Authentication Process,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +118,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1556.003,Pluggable Authentication Modules,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1556,0 +119,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,False,0 -58,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +120,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1074,Data Staged,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,True,0 -59,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1074,Data Staged,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +121,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.",T1074.001,Local Data Staging,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1074,0 +122,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,False,0 -60,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +123,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,False,0 -61,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +124,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1565,Data Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -62,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +IoT related recommendations were not included in this mapping.",T1565,Data Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +125,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. + +Likewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications. 
+ +Due to it being a recommendation, its score is capped at Partial.",T1565.001,Stored Data Manipulation,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1565,0 +126,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. -IoT related recommendations were not included in this mapping.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,True,0 -63,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+IoT related recommendations were not included in this mapping.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +127,"This control's ""Deprecated accounts should be removed from your subscription"" and ""Deprecated accounts with owner permissions should be removed from your subscription"" recommendation can lead to removing accounts that should not be utilized from your subscriptions thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed. +Likewise, the recommendations related to External account permissions can also mitigate this sub-technique. +Because these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.",T1078.004,Cloud Accounts,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1078,0 +128,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
-IoT related recommendations were not included in this mapping.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,False,0 -64,,T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Significant,False,0 -65,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Minimal,True,0 -66,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,False,0 -67,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Respond,Partial,False,0 -68,,T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,False,0 -69,,T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Respond,Partial,False,0 -70,,T1537,Transfer Data to Cloud Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,False,0 -71,,T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Minimal,False,0 -72,Detections are periodic at an unknown rate.,T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,True,0 -73,Detections are periodic at an unknown rate.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux 
auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,False,0 -74,Detections are periodic at an unknown rate.,T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,True,0 -75,Detections are periodic at an unknown rate.,T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,True,0 -76,Detections are periodic at an unknown rate.,T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,True,0 -77,Detections are periodic at an unknown rate.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,True,0 -78,Detections are periodic at an unknown rate.,T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent 
integration,technique-scores,Detect,Minimal,True,0 -79,Detections are periodic at an unknown rate.,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,True,0 -80,Detections are periodic at an unknown rate.,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,True,0 -81,Detections are periodic at an unknown rate.,T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,True,0 -82,Detections are periodic at an unknown rate.,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,True,0 -83,Detections are periodic at an unknown rate.,T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,True,0 -84,Detections are 
periodic at an unknown rate.,T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,True,0 -85,Detections are periodic at an unknown rate.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,False,0 -86,Detections are periodic at an unknown rate.,T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,False,0 -87,,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,True,0 -88,,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,False,0 -89,,T1538,Cloud Service Dashboard,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,False,0 -90,,T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,False,0 -91,,T1069,Permission Groups Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,True,0 -92,,T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,True,0 -93,,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,False,0 -94,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,False,0 -95,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to 
workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1199,Trusted Relationship,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -96,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1557,Man-in-the-Middle,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -97,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1602,Data from Configuration Repository,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,True,0 -98,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1542,Pre-OS Boot,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Minimal,True,0 -99,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Significant,True,0 -100,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -101,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,True,0 -102,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1072,Software Deployment Tools,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -103,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -104,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -105,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1046,Network Service Scanning,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -106,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1095,Non-Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -107,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1571,Non-Standard Port,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Significant,False,0 -108,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1499,Endpoint Denial of Service,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,True,0 -109,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1570,Lateral Tool Transfer,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -110,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1498,Network Denial of Service,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -111,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,True,0 -112,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,False,0 -113,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1205,Traffic Signaling,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,True,0 -114,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,True,0 -115,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1195,Supply Chain Compromise,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -116,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,True,0 -117,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -118,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -119,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -120,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1595,Active Scanning,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -121,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,False,0 -122,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -123,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. -Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,False,0 -124,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries -Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +IoT related recommendations were not included in this mapping.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +129,,T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Significant,,0 +130,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Minimal,,0 +131,"This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access. 
",T1078.004,Cloud Accounts,[],[],,Azure Defender for Storage,technique-scores,Detect,Significant,T1078,0 +132,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,,0 +133,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Respond,Partial,,0 +134,,T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,,0 +135,,T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Respond,Partial,,0 +136,,T1537,Transfer Data to Cloud Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,,0 +137,,T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Minimal,,0 +138,Detections are periodic at an unknown rate.,T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +139,"This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.",T1059.004,Unix Shell,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1059,0 +140,Detections are periodic at an unknown rate.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +141,Detections are periodic at an unknown rate.,T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +142,This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.,T1098.004,SSH Authorized Keys,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1098,0 +143,Detections are 
periodic at an unknown rate.,T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +144,This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.,T1547.006,Kernel Modules and Extensions,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1547,0 +145,Detections are periodic at an unknown rate.,T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +146,This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.,T1136.001,Local Account,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1136,0 +147,Detections are periodic at an unknown rate.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +148,This control may alert on usage of web shells. 
No documentation is provided on logic for this detection.,T1505.003,Web Shell,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,T1505,0 +149,Detections are periodic at an unknown rate.,T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +150,"This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.",T1564.001,Hidden Files and Directories,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,T1564,0 +151,"This control may alert on containers using privileged commands, running SSH servers, or running mining software.",T1564.006,Run Virtual Instance,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1564,0 +152,Detections are periodic at an unknown rate.,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +153,This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.,T1562.004,Disable or Modify System Firewall,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1562,0 +154,This control may alert on activity which disables auditd logging on Linux endpoints. 
The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.,T1562.006,Indicator Blocking,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,T1562,0 +155,Detections are periodic at an unknown rate.,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +156,"This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.",T1070.002,Clear Linux or Mac System Logs,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1070,0 +157,This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.,T1070.003,Clear Command History,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1070,0 +158,Detections are periodic at an unknown rate.,T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +159,This control may alert on suspicious compilation. 
No documentation is provided on the logic for determining a suspicious compilation event.,T1027.004,Compile After Delivery,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,T1027,0 +160,Detections are periodic at an unknown rate.,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +161,This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.,T1110.001,Password Guessing,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1110,0 +162,This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.,T1110.003,Password Spraying,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1110,0 +163,This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.,T1110.004,Credential Stuffing,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1110,0 +164,Detections are periodic at an unknown rate.,T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +165,"This control may alert on suspicious access to encrypted user passwords. 
The documentation does not reference ""/etc/passwd"" and ""/etc/shadow"" directly nor does it describe the logic in determining suspicious access.",T1003.008,/etc/passwd and /etc/shadow,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1003,0 +166,Detections are periodic at an unknown rate.,T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +167,"This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.",T1021.004,SSH,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1021,0 +168,Detections are periodic at an unknown rate.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +169,Detections are periodic at an unknown rate.,T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +170,,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +171,"The following alerts are available for Windows Defender security features being disabled but none for third party security tools: ""Antimalware broad files exclusion in your virtual machine"", ""Antimalware disabled and code execution in your virtual machine"", ""Antimalware disabled in your virtual machine"", ""Antimalware file exclusion and code execution in your virtual machine"", ""Antimalware file exclusion in your virtual machine"", ""Antimalware real-time protection was disabled in your virtual machine"", ""Antimalware real-time protection was disabled temporarily in your virtual machine"", ""Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine"", ""Antimalware temporarily disabled in your virtual machine"", ""Antimalware unusual file exclusion in your virtual machine"".",T1562.001,Disable or Modify Tools,[],[],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,T1562,0 +172,,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,,0 +173,,T1538,Cloud Service Dashboard,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,,0 +174,,T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,,0 +175,,T1069,Permission Groups Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +176,"This control may alert on Permission Groups Discovery of Cloud Groups activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: ""MicroBurst exploitation toolkit used to enumerate resources in your subscriptions"", ""Azurite toolkit run detected"".",T1069.003,Cloud Groups,[],[],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,T1069,0 +177,,T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +178,"This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. 
The following alerts may be generated: ""PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables"", ""PowerZure exploitation toolkit used to enumerate resources"", ""MicroBurst exploitation toolkit used to enumerate resources in your subscriptions"", ""Azurite toolkit run detected"".",T1087.004,Cloud Account,[],[],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,T1087,0 +179,,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +180,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +181,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1199,Trusted Relationship,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +182,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1557,Man-in-the-Middle,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +183,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1602,Data from Configuration Repository,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +184,Can limit access to client management interfaces or configuration databases,T1602.002,Network Device Configuration Dump,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1602,0 +185,Can limit access to client management interfaces or configuration databases,T1602.001,SNMP (MIB Dump),[],[],,Network Security Groups,technique-scores,Protect,Partial,T1602,0 +186,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1542,Pre-OS Boot,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Minimal,,0 +187,This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.,T1542.005,TFTP Boot,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1542,0 +188,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Significant,,0 +189,"This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Network Security Groups,technique-scores,Protect,Significant,T1048,0 +190,"This control can reduce the protocols available for data exfiltration. 
Temporal immediate, coverage substantial.",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,Network Security Groups,technique-scores,Protect,Significant,T1048,0 +191,"This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Network Security Groups,technique-scores,Protect,Significant,T1048,0 +192,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +193,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +194,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.006,Windows Remote Management,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +195,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.005,VNC,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +196,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.004,SSH,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +197,This control can be used to restrict direct access to remote services to trusted networks. 
This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.003,Distributed Component Object Model,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +198,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.002,SMB/Windows Admin Shares,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +199,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.001,Remote Desktop Protocol,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +200,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1072,Software Deployment Tools,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +201,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +202,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +203,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1046,Network Service Scanning,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +204,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1095,Non-Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +205,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1571,Non-Standard Port,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Significant,,0 +206,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1499,Endpoint Denial of Service,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +207,This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.,T1499.003,Application Exhaustion Flood,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1499,0 +208,This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.,T1499.002,Service Exhaustion Flood,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1499,0 +209,This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.,T1499.001,OS Exhaustion Flood,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1499,0 +210,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1570,Lateral Tool Transfer,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +211,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1498,Network Denial of Service,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +212,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +213,"This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.003,Multi-hop Proxy,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1090,0 +214,"This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.002,External Proxy,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1090,0 +215,"This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.001,Internal Proxy,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1090,0 +216,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +217,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1205,Traffic Signaling,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +218,"This control can be used to implement whitelist based network rules that can mitigate variations of this sub-techniques that result in opening closed ports for communication. 
Because this control is able to drop traffic before reaching a compromised host, it can effectively mitigate this port knocking sub-technique.",T1205.001,Port Knocking,[],[],,Network Security Groups,technique-scores,Protect,Significant,T1205,0 +219,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +220,"The Azure Sentinel Hunting ""Rare processes run by Service accounts"" query can identify potential misuse of default accounts. 
Because this detection is specific to rare processes its coverage score is Minimal resulting in a Minimal score.",T1078.001,Default Accounts,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1078,0 +221,"The following Azure Sentinel Hunting queries can identify potential compromise of domain accounts based on access attempts and/or account usage: ""Suspicious Windows Login outside normal hours"", ""User account added or removed from security group by an unauthorized user"", ""User Account added to Built in Domain Local or Global Group"", ""User Login IP Address Teleportation"", ""User made Owner of multiple teams"", ""Tracking Privileged Account Rare Activity"", ""New Admin account activity which was not seen historically"", ""New client running queries"", ""New users running queries"", ""Non-owner mailbox login activity"", ""Powershell or non-browser mailbox login activity"", ""Rare User Agent strings"", ""Same IP address with multiple csUserAgent"" which may indicate that an account is being used from a new device, ""Rare domains seen in Cloud Logs"" when accounts from uncommon domains access or attempt to access cloud resources, ""Same User - Successful logon for a given App and failure on another App within 1m and low distribution"", ""Hosts with new logons"", ""Inactive or new account signins"", ""Long lookback User Account Created and Deleted within 10mins"", ""Anomalous Geo Location Logon"", and ""Anomalous Sign-in Activity"". 
+The following Azure Sentinel Analytics queries can identify potential compromise of domain accounts based on access attempts and/or account usage: ""Anomalous User Agent connection attempt"", ""New UserAgent observed in last 24 hours"" which may indicate that an account is being used from a new device, ""Anomalous sign-in location by user account and authenticating application"", ""Anomalous login followed by Teams action"", ""GitHub Signin Burst from Multiple Locations"", ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", ""Failed Host logons but success logon to AzureAD"", and ""Anomalous RDP Login Detections"".",T1078.002,Domain Accounts,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1078,0 +222,"The following Azure Sentinel Hunting queries can identify potential compromise of local accounts based on access attempts and/or account usage: ""Suspicious Windows Login outside normal hours"", ""User Login IP Address Teleportation"", ""User account added or removed from a security group by an unauthorized user"", ""User Account added to Built in Domain Local or Global Group"", ""User added to SQL Server SecurityAdmin Group"", ""User Role altered on SQL Server"", ""User made Owner of multiple teams"", ""Tracking Privileged Account Rare Activity"", and ""Anomalous Login to Devices"". 
+The following Azure Sentinel Analytics queries can identify potential compromise of local accounts based on access attempts and/or account usage: ""User account enabled and disabled within 10 mins"", ""Long lookback User Account Created and Deleted within 10mins"", ""Explicit MFA Deny"", ""Hosts with new logons"", ""Inactive or new account signins"", ""Anomalous SSH Login Detection"", and ""Anomalous RDP Login Detections"".",T1078.003,Local Accounts,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1078,0 +223,"The following Azure Sentinel Hunting queries can identify potential compromise of cloud accounts: ""New Admin account activity which was not seen historically"", ""New client running queries"", ""New users running queries"", ""User returning more data than daily average"", ""User Login IP Address Teleportation"", ""Non-owner mailbox login activity"", ""Powershell or non-browser mailbox login activity"", ""Rare User Agent strings"" and ""Same IP address with multiple csUserAgent"" which may indicate that an account is being used from a new device, ""Rare domains seen in Cloud Logs"", ""Same User - Successful logon for a given App and failure on another App within 1m and low distribution"", ""Anomalous Azure Active Directory Apps based on authentication location"", ""Anomalous Geo Location Logon"", ""Anomalous Sign-in Activity"", ""Azure Active Directory sign-in burst from multiple locations"", and ""Azure Active Directory signins from new locations"". 
+ +The following Azure Sentinel Analytics queries can identify potential compromise of cloud accounts: ""Anomalous User Agent connection attempt"" and ""New UserAgent observed in last 24 hours"", which may indicate that an account is being used from a new device which may belong to an adversary; ""Anomalous sign-in location by user account and authenticating application"", ""GitHub Signin Burst from Multiple Locations"", ""GitHub Activites from a New Country"", and ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", which may indicate adversary access from atypical locations; ""Azure Active Directory PowerShell accessing non-AAD resources"", ""Anomalous login followed by Teams action"", ""Login to AWS management console without MFA"", and ""Azure Active Directory PowerShell accessing non-AAD resources"" which may indicate an adversary attempting to use a valid account to access resources from other contexts. The ""Correlate Unfamiliar sign-in properties"" query can further enhance detection of anomalous activity.",T1078.004,Cloud Accounts,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1078,0 +224,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1195,Supply Chain Compromise,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +225,"The following Azure Sentinel Hunting queries can identify potentially malicious changes to Azure DevOps project resources: ""Azure DevOps - Project Visibility changed to public"" can identify a specific action that may be an indicator of an attacker modifying the cloud compute infrastructure. ""Azure DevOps - Public project created"" and ""Azure DevOps - Public project enabled by admin"" can identify specific instances of potential defense evasion. +The following Azure Sentinel Analytics queries can identify potentially malicious changes to Azure DevOps project resources: ""AzureDevops Service Connection Abuse"" can detect potential malicious behavior associated with use of large number of service connections, ""External Upstream Source added to Azure DevOps"" identifies a specific behavior that could compromise the DevOps build pipeline, ""Azure DevOps Pull Request Policy Bypassing - History"" can identify specific potentially malicious behavior that compromises the build process, ""Azure DevOps Pipeline modified by a New User"" identifies potentially malicious activity that could compromise the DevOps pipeline, ""Azure DevOps Administrator Group Monitoring"" monitors for specific activity which could compromise the build/release process, ""New Agent Added to Pool by New User or a New OS"" can detect a suspicious behavior that could potentially compromise DevOps pipeline.",T1195.001,Compromise Software Dependencies and Development Tools,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1195,0 +226,"The following capabilities of Azure Sentinel were mapped: Default list 
of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +227,"The ""Summary of user logons by logon type"" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. +The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""VIP account more than 6 failed logons in 10"", ""Multiple Failed Logon on SQL Server in Short time Span"", ""Permutations on logon attempts by UserPrincipalNames indicating potential brute force"", ""Potential IIS brute force"", ""Failed attempt to access Azure Portal"", ""Failed Login Attempt by Expired account"", ""Failed Logon Attempts on SQL Server"", ""Failed Logon on SQL Server from Same IPAddress in Short time Span"", ""Failed service logon attempt by user account with available AuditData"", ""Login attempt by Blocked MFA user"", ""Login spike with increase failure rate"", ""Attempts to sign-in to disabled accounts by IP address"", ""Attempts to sign-in to disabled accounts by account name"", ""Brute Force attack against Azure Portal"", and ""Anomalous Failed Logon"" +The following Azure Sentinel Analytics queries can identify potential attempts at credential 
brute force based on unsuccessful attempts: ""Brute force attack against Azure Portal"", ""Password spray attack against Azure AD application"", ""Successful logon from IP and failure from a different IP"", ""Failed logon attempts in authpriv"", ""Failed AzureAD logons but success logon to host"", ""Excessive Windows logon failures"", ""Failed login attempts to Azure Portal"", ""Failed logon attempts by valid accounts within 10 mins"", ""Brute Force Attack against GitHub Account"", ""Distributed Password cracking attempts in AzureAD"", ""Potential Password Spray Attack"" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, ""Attempts to sign in to disabled accounts"", ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", ""High count of failed logins by a user"", ""Hi count of failed attempts same client IP"", ""SSH - Potential Brute Force"", and ""SecurityEvent - Multiple authentication failures followed by success"".",T1110.001,Password Guessing,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1110,0 +228,"The ""Summary of user logons by logon type"" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. 
+The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""VIP account more than 6 failed logons in 10"", ""Multiple Failed Logon on SQL Server in Short time Span"", ""Permutations on logon attempts by UserPrincipalNames indicating potential brute force"", ""Potential IIS brute force"", ""Failed attempt to access Azure Portal"", ""Failed Login Attempt by Expired account"", ""Failed Logon Attempts on SQL Server"", ""Failed Logon on SQL Server from Same IPAddress in Short time Span"", ""Failed service logon attempt by user account with available AuditData"", ""Login attempt by Blocked MFA user"", ""Login spike with increase failure rate"", ""Attempts to sign-in to disabled accounts by IP address"", ""Attempts to sign-in to disabled accounts by account name"", ""Brute Force attack against Azure Portal"", and ""Anomalous Failed Logon"" +The following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""Brute force attack against Azure Portal"", ""Password spray attack against Azure AD application"", ""Successful logon from IP and failure from a different IP"", ""Failed logon attempts in authpriv"", ""Failed AzureAD logons but success logon to host"", ""Excessive Windows logon failures"", ""Failed login attempts to Azure Portal"", ""Failed logon attempts by valid accounts within 10 mins"", ""Brute Force Attack against GitHub Account"", ""Distributed Password cracking attempts in AzureAD"", ""Potential Password Spray Attack"" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, ""Attempts to sign in to disabled accounts"", ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", ""High count of failed logins by a user"", ""Hi count of failed attempts same client IP"", ""SSH - Potential Brute Force"", and ""SecurityEvent - Multiple authentication failures followed by 
success"".",T1110.003,Password Spraying,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1110,0 +229,"The ""Summary of user logons by logon type"" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. +The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""VIP account more than 6 failed logons in 10"", ""Multiple Failed Logon on SQL Server in Short time Span"", ""Permutations on logon attempts by UserPrincipalNames indicating potential brute force"", ""Potential IIS brute force"", ""Failed attempt to access Azure Portal"", ""Failed Login Attempt by Expired account"", ""Failed Logon Attempts on SQL Server"", ""Failed Logon on SQL Server from Same IPAddress in Short time Span"", ""Failed service logon attempt by user account with available AuditData"", ""Login attempt by Blocked MFA user"", ""Login spike with increase failure rate"", ""Attempts to sign-in to disabled accounts by IP address"", ""Attempts to sign-in to disabled accounts by account name"", ""Brute Force attack against Azure Portal"", and ""Anomalous Failed Logon"" +The following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""Brute force attack against Azure Portal"", ""Password spray attack against Azure AD application"", ""Successful logon from IP and failure from a different IP"", ""Failed logon attempts in authpriv"", ""Failed AzureAD logons but success logon to host"", ""Excessive Windows logon failures"", ""Failed login attempts to Azure Portal"", ""Failed logon attempts by valid accounts within 10 mins"", ""Brute Force Attack against GitHub Account"", ""Distributed Password cracking attempts in AzureAD"", ""Potential Password Spray Attack"" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, ""Attempts to sign in to disabled 
accounts"", ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", ""High count of failed logins by a user"", ""Hi count of failed attempts same client IP"", ""SSH - Potential Brute Force"", and ""SecurityEvent - Multiple authentication failures followed by success"".",T1110.004,Credential Stuffing,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1110,0 +230,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +231,"The Azure Sentinel Hunting ""First access credential added to Application or Service Principal where no credential was present"" query can identify potentially malicious changes to Service Principal credentials. 
+The Azure Sentinel Analytics ""Credential added after admin consented to Application"" and ""New access credential added to Application or Service Principal"" queries can identify potentially malicious manipulation of additional cloud credentials.",T1098.001,Additional Cloud Credentials,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1098,0 +232,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +233,"The following Azure Sentinel Analytics queries can identify potentially malicious use of web protocols: ""Powershell Empire cmdlets seen in command line"" can identify use of Empire, which can perform command and control over protocols like HTTP and HTTPS. ""Request for single resource on domain"" can identify patterns that suggest possible command and control beaconing. 
The coverage for these queries is minimal resulting in an overall Minimal score.",T1071.001,Web Protocols,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1071,0 +234,"The following Azure Sentinel Hunting queries can identify potentially malicious use of DNS: ""RareDNSLookupWithDataTransfer"" [sic] can identify data transfer over DNS, though it is contingent on DNS traffic meeting the requirements to be considered rare. ""Abnormally Long DNS URI queries"" can identify suspicious DNS queries that may be indicative of command and control operations. ""DNS - domain anomalous lookup increase"", ""DNS Full Name anomalous lookup increase"", and ""DNS lookups for commonly abused TLDs"" can identify increases in domain lookups for a client IP and indicate malicious traffic or exfiltration of sensitive data.",T1071.004,DNS,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1071,0 +235,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +236,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. 
The Azure Sentinel Analytics ""SharePointFileOperation via previously unseen IPs"" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.",T1567.002,Exfiltration to Cloud Storage,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1567,0 +237,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Azure Sentinel Analytics ""SharePointFileOperation via previously unseen IPs"" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.",T1567.001,Exfiltration to Code Repository,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1567,0 +238,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1595,Active Scanning,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +239,"The Azure Sentinel Analytics ""High count of connections by client IP on many ports"" query can identify client IP addresses with 30 or more active ports used within a ten minute window, checked at a default frequency of once per hour, which may indicate scanning. 
Note that false positives are probable based on changes in usage patterns and/or misconfiguration, and this detection only works if scanning is not spread out over a longer timespan.",T1595.002,Vulnerability Scanning,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1595,0 +240,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +241,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -125,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +242,"The following Azure Sentinel Hunting queries can identify potential exfiltration: ""Abnormally long DNS URI queries"" can identify potential exfiltration via DNS. ""Multiple users email forwarded to same destination"" and ""Office Mail Forwarding - Hunting Version"" can detect potential exfiltration via email. +The Azure Sentinel Analytics ""Multiple users email forwarded to same destination"" query can detect potential exfiltration via email. The coverage for these queries is minimal resulting in an overall Minimal score.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1048,0 +243,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -126,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +244,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -127,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +245,"The Azure Sentinel Hunting ""Security Event Log Cleared"" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.",T1070.001,Clear Windows Event Logs,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1070,0 +246,"The Azure Sentinel Hunting ""Windows System Time changed on hosts"" query can detect potential timestomping activities. 
+The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which can timestomp files and/or payloads on a target machine to help them blend in.",T1070.006,Timestomp,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1070,0 +247,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -128,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +248,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which leverages PowerShell for the majority of its client-side agent tasks and can conduct PowerShell remoting. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.",T1059.001,PowerShell,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +249,"The Azure Sentinel Hunting ""Cscript script daily summary breakdown"" can detect potentially malicious scripting. The Azure Sentinel Hunting ""Hosts running a rare process with commandline"" query can identify uncommon command shell usage that may be malicious. +The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. The Azure Sentinel Analytics ""Base64 encoded Windows process command-lines"" query can identify Base64 encoded PE files being launched via the command line.",T1059.003,Windows Command Shell,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +250,"The Azure Sentinel Hunting ""Rare process running on a Linux host"" query can identify uncommon shell usage that may be malicious.",T1059.004,Unix Shell,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +251,"The Azure Sentinel Hunting ""Cscript script daily summary breakdown"" can detect potentially malicious scripting. 
The Azure Sentinel Hunting ""Hosts running a rare process with commandline"" query can identify uncommon command shell usage that may be malicious.",T1059.007,JavaScript/JScript,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +252,"The Azure Sentinel Hunting ""Cscript script daily summary breakdown"" can detect potentially malicious scripting. The Azure Sentinel Hunting ""Hosts running a rare process with commandline"" query can identify uncommon command shell usage that may be malicious.",T1059.005,Visual Basic,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +253,"The Azure Sentinel Hunting ""Cscript script daily summary breakdown"" can detect potentially malicious scripting. The Azure Sentinel Hunting ""Hosts running a rare process with commandline"" query can identify uncommon command shell usage that may be malicious.",T1059.006,Python,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +254,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1018,Remote System Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -129,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +255,"The following Azure Sentinel Hunting queries can identify potentially malicious access to SharePoint: ""SharePointFileOperation via clientIP with previously unseen user agents"", ""SharePointFileOperation via devices with previously unseen user agents"", and ""SharePointFileOperation via previously unseen IPs"". +The Azure Sentinel Analytics ""SharePointFileOperation via devices with previously unseen user agents"" query can identify a high number of upload or download actions by an unknown and possible malicious actor.",T1213.002,Sharepoint,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1213,0 +256,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,True,0 -130,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +257,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1114,Email Collection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -131,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1018,Remote System Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +258,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -132,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +259,"The Azure Sentinel Hunting ""New User created on SQL Server"" query can detect a specific type of potentially malicious local account creation. 
+The following Azure Sentinel Analytics queries can identify potentially malicious local account creation: ""Summary of users created using uncommon/undocumented commandline switches"" which can identify use of the net command to create user accounts, ""User created by unauthorized user"", ""User Granted Access and associated audit activity"" and ""User Granted Access and Grants others Access"" which may identify account creation followed by suspicious behavior, ""User account created and deleted within 10 mins"" which suggests an account may have existed only long enough to fulfill a malicious purpose, and ""Powershell Empire cmdlets seen in command line"" which can identify use of Empire, including for account creation.",T1136.001,Local Account,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1136,0 +260,"The following Azure Sentinel Analytics queries can identify potentially malicious domain account creation: ""Summary of users created using uncommon/undocumented commandline switches"" which can identify use of the net command to create user accounts, ""User created by unauthorized user"", ""User Granted Access and associated audit activity"" and ""User Granted Access and Grants others Access"" which may identify account creation followed by suspicious behavior, ""User account created and deleted within 10 mins"" which suggests an account may have existed only long enough to fulfill a malicious purpose, and ""Powershell Empire cmdlets seen in command line"" which can identify use of Empire, including for account creation.",T1136.002,Domain Account,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1136,0 +261,"The Azure Sentinel Hunting queries can identify potentially malicious cloud account creation: ""External user added and removed in short timeframe"" and ""External user from a new organisation added"" can identify the addition of new external Teams user accounts. 
+The following Azure Sentinel Analytics queries can identify potentially malicious cloud account creation: ""User Granted Access and created resources"" which identifies a newly created user account gaining access and creating resources in Azure, and ""New Cloud Shell User"".",T1136.003,Cloud Account,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1136,0 +262,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1573,Encrypted Channel,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -133,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1114,Email Collection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +263,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which has the ability to collect emails on a target system. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.",T1114.001,Local Email Collection,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1114,0 +264,"The Azure Sentinel Hunting ""Suspect Mailbox Export on IIS/OWA"" query can identify potential malicious exfiltration hosting via IIS. The Azure Sentinel Hunting ""Host Exporting Mailbox and Removing Export"" query can identify potential exfiltration of data from Exchange servers. The coverage for these queries is minimal resulting in an overall Minimal score.",T1114.002,Remote Email Collection,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1114,0 +265,"The Azure Sentinel Hunting ""Mail redirect via ExO transport rule"" query can detect potentially malicious email redirection, but is limited to Exchange servers only.",T1114.003,Email Forwarding Rule,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1114,0 +266,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -134,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +267,"The Azure Sentinel Hunting ""Web shell command alert enrichment"", ""Web shell Detection"", and ""Web shell file alert enrichment"" queries can identify potentially malicious activity via web shell.",T1505.003,Web Shell,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1505,0 +268,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -135,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1573,Encrypted Channel,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +269,"The following Azure Sentinel Analytics queries can detect potentially malicious usage of asymmetric cryptography channels: ""DNS events related to ToR proxies"" can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc. ""Powershell Empire cmdlets seen in command line"" can identify use of Empire, which can use TLS to encrypt a command and control channel.",T1573.002,Asymmetric Cryptography,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1573,0 +270,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -136,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +271,"The Azure Sentinel Analytics ""DNS events related to ToR proxies"" query can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc.",T1090.003,Multi-hop Proxy,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1090,0 +272,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. 
-Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -137,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +273,"The following Azure Sentinel Hunting queries can identify potentially malicious modifications to Sentinel resources: ""Azure Sentinel Analytics Rules Administrative Operations"", ""Azure Sentinel Connectors Administrative Operations"", and ""Azure Sentinel Workbooks Administrative Operations"". +The Azure Sentinel Analytics ""Starting or Stopping HealthService to Avoid Detection"" query can detect potentially malicious disabling of telemetry collection/detection. +The coverage for these queries is minimal resulting in an overall Minimal score.",T1562.001,Disable or Modify Tools,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1562,0 +274,"The Azure Sentinel Analytics ""Audit policy manipulation using auditpol utility"" query can detect potentially malicious to modification and/or disabling of logging via the auditpol utility. 
The coverage for these queries is minimal (specific to Audit policy) resulting in an overall Minimal score.",T1562.002,Disable Windows Event Logging,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1562,0 +275,"The Azure Sentinel Hunting ""Azure Sentinel Analytics Rules Administrative Operations"" query can identify potential attempts to impair defenses by changing or deleting detection analytics. +The Azure Sentinel Analytics ""Azure DevOps - Retention Reduced to Zero"" query can identify that an adversary is looking to reduce their malicious activity's footprint by preventing retention of artifacts. Control is specific to indicators produced by Azure DevOps. The coverage for these queries is minimal resulting in an overall Minimal score.",T1562.006,Indicator Blocking,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1562,0 +276,"The following Azure Sentinel Hunting queries can identify potentially malicious modifications to cloud firewall resources: ""Azure Network Security Group NSG Administrative Operations"" query can identify potential defensive evasion involving changing or disabling network access rules. ""Port opened for an Azure Resource"" may indicate an adversary increasing the accessibility of a resource for easier collection/exfiltration. +The Azure Sentinel Analytics ""Security Service Registry ACL Modification"" query can detect attempts to modify registry ACLs, potentially done to evade security solutions.",T1562.007,Disable or Modify Cloud Firewall,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1562,0 +277,"The Azure Sentinel Analytics ""Exchange AuditLog disabled"" query can detect potentially malicious disabling of Exchange logs. The Azure Sentinel Analytics ""Azure DevOps Audit Stream Disabled"" query can identify disabling of Azure DevOps log streaming. 
The coverage for these queries is minimal (specific to these technologies) resulting in an overall Minimal score.",T1562.008,Disable Cloud Logs,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1562,0 +278,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1568,Dynamic Resolution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -138,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +279,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -139,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +280,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1137,Office Application Startup,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -140,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1568,Dynamic Resolution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +281,"The Azure Sentinel Hunting ""Potential DGA detected"" query can detect clients with a high NXDomain count, which might indicate an adversary cycling through possible C2 domains where most C2s are not live. +The following Azure Sentinel Analytics queries can identify potential use of domain generation algorithms: ""Possible contact with a domain generated by a DGA"" and ""Potential DGA detected"" within DNS.",T1568.002,Domain Generation Algorithms,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1568,0 +282,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -141,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +283,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -142,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1137,Office Application Startup,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +284,"The following Azure Sentinel Analytics queries can identify potentially malicious use of Outlook rules: ""Office policy tampering"", ""Malicious Inbox Rule"" which can detect rules intended to delete emails that contain certain keywords (generally meant to warn compromised users about adversary behaviors), and ""Mail redirect via ExO transport rule"" (potentially to an adversary mailbox configured to collect mail).",T1137.005,Outlook Rules,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1137,0 +285,"The Azure Sentinel Hunting ""Previously unseen bot or applicaiton added to Teams"" [sic] query can detect the addition of a potentially malicious add-in, but is specific to Microsoft Teams.",T1137.006,Add-ins,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1137,0 +286,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel 
Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1047,Windows Management Instrumentation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -143,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +287,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1046,Network Service Scanning,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,False,0 -144,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +288,"Azure Sentinel Analytics includes a ""Potential Kerberoasting"" query. 
Kerberoasting via Empire can also be detected using the Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query.",T1558.003,Kerberoasting,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1558,0 +289,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect execution of these sub-techniques via Empire, but does not address other procedures.",T1558.001,Golden Ticket,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1558,0 +290,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect execution of these sub-techniques via Empire, but does not address other procedures.",T1558.002,Silver Ticket,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1558,0 +291,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -145,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1047,Windows Management Instrumentation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +292,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Protect,Minimal,True,0 -146,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1046,Network Service Scanning,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +293,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -147,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +294,"The Azure Sentinel Hunting ""anomalous RDP Activity"" query can detect potential lateral +movement employing RDP. + +The following Azure Sentinel Analytics queries can identify potentially malicious use +of RDP: +""Anomalous RDP Login Detections"", ""Multiple RDP connections from Single Systems"", +""Rare RDP Connections"", and ""RDP Nesting"".",T1021.001,Remote Desktop Protocol,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1021,0 +295,"The Azure Sentinel Hunting ""Anomalous Resource Access"" query can identify potential lateral movement via use of valid accounts to access network shares (Windows Event 4624:3).",T1021.002,SMB/Windows Admin Shares,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1021,0 +296,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can utilize Invoke-DCOM to leverage remote COM execution for lateral movement, but does not address other procedures.",T1021.003,Distributed Component Object Model,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1021,0 +297,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which contains modules for executing commands over SSH as well as in-memory VNC agent injection, but does not address other procedures. Azure Sentinel Analytics also provides a ""New internet-exposed SSH endpoints"" query. 
+The coverage for these queries is minimal resulting in an overall Minimal score.",T1021.004,SSH,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1021,0 +298,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1590,Gather Victim Network Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -148,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Protect,Minimal,,0 +299,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1548,Abuse Elevation Control Mechanism,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -149,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +300,"The Azure Sentinel Analytics ""Azure DevOps - Variable Secret Not Secured"" query can identify credentials stored in the build process and protect against future credential access by suggesting that they be moved to a secret or stored in KeyVault before they can be accessed by an adversary. +The coverage for these queries is minimal resulting in an overall Minimal score.",T1552.001,Credentials In Files,[],[],,Azure Sentinel,technique-scores,Protect,Minimal,T1552,0 +301,"The Azure Sentinel Hunting ""Query looking for secrets"" query can identify potentially malicious database requests for secrets like passwords or other credentials. 
+The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use various modules to search for files containing passwords, but does not address other procedures. +The coverage for these queries is minimal resulting in an overall Minimal score.",T1552.001,Credentials In Files,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1552,0 +302,"The Azure Sentinel Analytics ""ADFS DKM Master Key Export"" and ""ADFS Key Export (Sysmon)"" queries can detect potentially malicious access intended to decrypt access tokens. The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use modules to extract private key and session information, but does not address other procedures. +The coverage for these queries is minimal (specific to Empire, ADFS) resulting in an overall Minimal score.",T1552.004,Private Keys,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1552,0 +303,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -150,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1590,Gather Victim Network Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +304,"The Azure Sentinel Analytics ""Rare client observed with high reverse DNS lookup count"" query can detect if a particular IP is observed performing an unusually high number of reverse DNS lookups and has not been observed doing so previously.",T1590.002,DNS,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1590,0 +305,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -151,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1548,Abuse Elevation Control Mechanism,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +306,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which includes various modules to attempt to bypass UAC for privilege escalation, but does not address other procedures.",T1548.002,Bypass User Account Control,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1548,0 +307,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1560,Archive Collected Data,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -152,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +308,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.",T1134.002,Create Process with Token,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1134,0 +309,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.",T1134.005,SID-History Injection,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1134,0 +310,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific 
IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -153,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +311,"The Azure Sentinel Hunting ""Enumeration of users and groups"" query can identify potentially malicious account discovery through the use of the net tool. +The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.",T1087.002,Domain Account,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1087,0 +312,"The Azure Sentinel Hunting ""Enumeration of users and groups"" query can identify potentially malicious account discovery through the use of the net tool. 
+The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.",T1087.001,Local Account,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1087,0 +313,"The Azure Sentinel Analytics ""Mail.Read Permissions Granted to Application"" query can identify applications that may have been abused to gain access to mailboxes.",T1087.003,Email Account,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1087,0 +314,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1217,Browser Bookmark Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -154,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1560,Archive Collected Data,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +315,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1115,Clipboard Data,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -155,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +316,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.",T1547.005,Security Support Provider,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1547,0 +317,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.",T1547.009,Shortcut Modification,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1547,0 +318,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.",T1547.001,Registry Run Keys / Startup Folder,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1547,0 +319,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -156,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1217,Browser Bookmark Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +320,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -157,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1115,Clipboard Data,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +321,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1484,Domain Policy Modification,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,True,0 -158,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +322,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.",T1543.003,Windows Service,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1543,0 +323,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -159,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +324,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can extract passwords from common web browsers including Firefox and Chrome, but does not address other procedures.",T1555.003,Credentials from Web Browsers,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1555,0 +325,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -160,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1484,Domain Policy Modification,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +326,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can modify group policy objects to install and execute malicious scheduled tasks, but does not address other procedures.",T1484.001,Group Policy Modification,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1484,0 +327,"The Azure Sentinel Analytics ""Modified Domain Federation Trust Settings"" query can detect potentially malicious changes to domain trust settings.",T1484.002,Domain Trust Modification,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1484,0 +328,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1041,Exfiltration Over C2 Channel,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -161,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +329,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -162,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +330,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can leverage WMI debugging to remotely replace binaries like seth.exe, utilman.exe, and magnify.exe with cmd.exe, but does not address other procedures.",T1546.008,Accessibility Features,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1546,0 +331,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -163,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1041,Exfiltration Over C2 Channel,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +332,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1083,File and Directory Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -164,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +333,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1574,Hijack Execution Flow,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -165,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +334,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1056,Input Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -166,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1083,File and Directory Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +335,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1557,Man-in-the-Middle,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -167,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1574,Hijack Execution Flow,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +336,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.",T1574.001,DLL Search Order Hijacking,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1574,0 +337,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.",T1574.007,Path Interception by PATH Environment Variable,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1574,0 +338,"The Azure Sentinel Analytics 
""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.",T1574.008,Path Interception by Search Order Hijacking,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1574,0 +339,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.",T1574.009,Path Interception by Unquoted Path,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1574,0 +340,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1106,Native API,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -168,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1056,Input Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +341,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.",T1056.001,Keylogging,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1056,0 +342,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.",T1056.004,Credential API Hooking,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1056,0 +343,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or 
specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1135,Network Share Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -169,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1557,Man-in-the-Middle,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +344,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks, but does not address other procedures.",T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1557,0 +345,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -170,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1106,Native API,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +346,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -171,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1135,Network Share Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +347,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -172,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +348,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1057,Process Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -173,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +349,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -174,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +350,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which contains an implementation of Mimikatz to gather credentials from memory, but does not address other procedures.",T1003.001,LSASS Memory,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1003,0 +351,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -175,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1057,Process Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +352,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -176,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +353,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1518,Software Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -177,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +354,"The Azure Sentinel Hunting ""Editing Linux scheduled tasks through Crontab"" query can detect potentially malicious modification of cron jobs.",T1053.003,Cron,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1053,0 +355,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can interact with the Windows task scheduler, but does not address other procedures.",T1053.005,Scheduled Task,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1053,0 +356,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. 
-Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1082,System Information Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -178,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +357,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1016,System Network Configuration Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -179,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1518,Software Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +358,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can enumerate antivirus software on the target, but does not address other procedures.",T1518.001,Security Software Discovery,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1518,0 +359,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1049,System Network Connections Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -180,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1082,System Information Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +360,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1569,System Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -181,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1016,System Network Configuration Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +361,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1127,Trusted Developer Utilities Proxy Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -182,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1049,System Network Connections Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +362,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1550,Use Alternate Authentication Material,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -183,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1569,System Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +363,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use PsExec to execute a payload on a remote host, but does not address other procedures.",T1569.002,Service Execution,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1569,0 +364,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1125,Video Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -184,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1127,Trusted Developer Utilities Proxy Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +365,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use abuse trusted utilities including MSBuild.exe, but does not address other procedures.",T1127.001,MSBuild,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1127,0 +366,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1102,Web Service,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -185,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1550,Use Alternate Authentication Material,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +367,"The Azure Sentinel Analytics ""Azure DevOps - PAT used with Browser."" query can identify potentially malicious usage of Personal Access Tokens intended for code or applications to be used through the web browser.",T1550.001,Application Access Token,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1550,0 +368,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can perform pass the hash attacks, but does not address other procedures.",T1550.002,Pass the Hash,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1550,0 +369,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1556,Modify Authentication Process,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -186,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1125,Video Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +370,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -187,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1102,Web Service,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +371,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use Dropbox and GitHub for command and control, but does not address other procedures.",T1102.002,Bidirectional Communication,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1102,0 +372,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1074,Data Staged,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -188,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1556,Modify Authentication Process,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +373,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1490,Inhibit System Recovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -189,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +374,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -190,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1074,Data Staged,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +375,"The Azure Sentinel Analytics ""Malware in the recycle bin"" query can detect local hidden malware.",T1074.001,Local Data Staging,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1074,0 +376,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -191,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1490,Inhibit System Recovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +377,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -192,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +378,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1036,Masquerading,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -193,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +379,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1578,Modify Cloud Compute Infrastructure,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -194,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +380,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -195,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1036,Masquerading,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +381,"The Azure Sentinel Hunting ""Exes with double file extension and access summary"" can identify malicious executable files that have been hidden as other file types.",T1036.004,Masquerade Task or Service,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1036,0 +382,"The Azure Sentinel Hunting ""Masquerading Files"" and ""Rare Process Path"" queries can detect an adversary attempting to make malicious activity blend in with legitimate commands and files. 
The Azure Sentinel Hunting ""Azure DevOps Display Name Changes"" query can detect potentially maliicous changes to the DevOps user display name.",T1036.005,Match Legitimate Name or Location,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1036,0 +383,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,False,0 -196,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1578,Modify Cloud Compute Infrastructure,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +384,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. -Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1069,Permission Groups Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,True,0 -197,"Most scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. 
But given sufficient resources, an adversary may still successfully execute the attack vectors included in this mapping.",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Azure AD Password Policy,technique-scores,Protect,Partial,True,0 -198,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1087,Account Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -199,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1482,Domain Trust Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,False,0 -200,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1201,Password Policy Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,False,0 -201,"Understandably (to avoid enabling adversaries to circumvent the detection), many 
of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1069,Permission Groups Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -202,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1210,Exploitation of Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,False,0 -203,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1550,Use Alternate Authentication Material,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,True,0 -204,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1557,Man-in-the-Middle,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -205,"Understandably (to avoid enabling adversaries to circumvent the detection), 
many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1110,Brute Force,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,True,0 -206,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1558,Steal or Forge Kerberos Tickets,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,True,0 -207,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1133,External Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,False,0 -208,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1555,Credentials from Password Stores,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -209,"Understandably (to avoid enabling adversaries to circumvent the detection), many of 
the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1047,Windows Management Instrumentation,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,False,0 -210,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1059,Command and Scripting Interpreter,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -211,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1021,Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -212,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1569,System Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -213,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the 
detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1207,Rogue Domain Controller,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Significant,False,0 -214,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1003,OS Credential Dumping,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -215,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1556,Modify Authentication Process,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -216,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1098,Account Manipulation,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,False,0 -217,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the 
detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1543,Create or Modify System Process,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -218,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -219,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,True,0 -220,This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. 
,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv']","['Azure Defender', 'Azure Security Center Recommendation', 'Credentials']",,Azure Defender for Key Vault,technique-scores,Detect,Minimal,False,0 -221,This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. ,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv']","['Azure Defender', 'Azure Security Center Recommendation', 'Credentials']",,Azure Defender for Key Vault,technique-scores,Detect,Partial,False,0 -222,,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,False,0 -223,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Protect,Partial,False,0 -224,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 
'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,False,0 -225,,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,False,0 -226,,T1204,User Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,True,0 -227,,T1036,Masquerading,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,True,0 -228,,T1553,Subvert Trust Controls,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Minimal,True,0 -229,,T1554,Compromise Client Software Binary,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,False,0 -230,Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. 
This mapping specifically deals with MFA when it is enabled as a security default.,T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Credentials', 'Identity', 'Passwords', 'MFA']",,Azure AD Multi-Factor Authentication,technique-scores,Protect,Significant,True,0 -231,Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. This mapping specifically deals with MFA when it is enabled as a security default.,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Credentials', 'Identity', 'Passwords', 'MFA']",,Azure AD Multi-Factor Authentication,technique-scores,Protect,Minimal,True,0 -232,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1557,Man-in-the-Middle,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,True,0 -233,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1565,Data Manipulation,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Minimal,True,0 -234,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1499,Endpoint Denial of Service,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,True,0 -235,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1498,Network Denial of Service,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,True,0 -236,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1040,Network Sniffing,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,False,0 -237,Note there is also a Managed HSM service.,T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Minimal,True,0 -238,Note there is also a Managed HSM service.,T1588,Obtain Capabilities,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Partial,True,0 -239,Note there is also a Managed HSM service.,T1553,Subvert Trust Controls,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Partial,True,0 -240,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1195,Supply Chain Compromise,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,True,0 -241,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
",T1072,Software Deployment Tools,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,False,0 -242,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1210,Exploitation of Remote Services,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,False,0 -243,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1211,Exploitation for Defense Evasion,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,False,0 -244,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1068,Exploitation for Privilege Escalation,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,False,0 -245,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,False,0 -246,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
",T1212,Exploitation for Credential Access,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,False,0 -247,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1203,Exploitation for Client Execution,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,False,0 -248,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,True,0 -249,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1554,Compromise Client Software Binary,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,False,0 -250,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
",T1189,Drive-by Compromise,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,False,0 -251,,T1584,Compromise Infrastructure,['https://docs.microsoft.com/en-us/azure/dns/dns-alias#prevent-dangling-dns-records'],"['DNS', 'Network']",,Azure DNS Alias Records,technique-scores,Protect,Minimal,True,0 -252,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1087,Account Discovery,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,True,0 -253,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,True,0 -254,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1136,Create Account,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,True,0 -255,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,True,0 -256,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1578,Modify Cloud Compute Infrastructure,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,True,0 -257,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1580,Cloud Infrastructure Discovery,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,False,0 -258,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1538,Cloud Service Dashboard,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,False,0 -259,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1530,Data from Cloud Storage Object,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,False,0 -260,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1528,Steal Application Access Token,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,False,0 -261,"This control is still in preview, so its coverage will likely expand in the future. This mapping is based on its current (preview) state.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections', 'https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection']","['Azure Security Center', 'Database']",,Alerts for Azure Cosmos DB,technique-scores,Detect,Minimal,True,0 -262,"This control is still in preview, so its coverage will likely expand in the future. This mapping is based on its current (preview) state.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections', 'https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection']","['Azure Security Center', 'Database']",,Alerts for Azure Cosmos DB,technique-scores,Detect,Minimal,False,0 -263,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +385,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +386,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1069,Permission Groups Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +387,"The Azure Sentinel Hunting ""Enumeration of users and groups"" query can identify potentially malicious group discovery through the use of the net tool.",T1069.002,Domain Groups,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1069,0 +388,"The Azure Sentinel Hunting ""Enumeration of users and groups"" query can identify potentially malicious group discovery through the use of the net tool.",T1069.001,Local Groups,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1069,0 +389,"Most scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. 
But given sufficient resources, an adversary may still successfully execute the attack vectors included in this mapping.",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Azure AD Password Policy,technique-scores,Protect,Partial,,0 +390,The password restrictions provided by the default Password policy along with the lockout threshold and duration settings is an effective protection against this Password Guessing sub-technique.,T1110.001,Password Guessing,[],[],,Azure AD Password Policy,technique-scores,Protect,Significant,T1110,0 +391,"The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector. +In regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).",T1110.002,Password Cracking,[],[],,Azure AD Password Policy,technique-scores,Protect,Partial,T1110,0 +392,"The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector. 
+In regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).",T1110.004,Credential Stuffing,[],[],,Azure AD Password Policy,technique-scores,Protect,Partial,T1110,0 +393,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1087,Account Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +394,"The following alert of this control is able to detect domain account discovery: ""Account enumeration reconnaissance (external ID 2003)"". This shouldn't occur frequently and therefore the false positive rate should be minimal. +The ""Security principal reconnaissance (LDAP) (external ID 2038)"" alert is also relevant and its machine learning capabilities should reduce the false positive rate. 
+The ""User and IP address reconnaissance (SMB) (external ID 2012)"" alert can also provide a detection on a variation of this sub-technique.",T1087.002,Domain Account,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1087,0 +395,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1482,Domain Trust Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +396,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1201,Password Policy Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +397,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1069,Permission Groups Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +398,"This control's ""Security principal reconnaissance (LDAP) (external ID 2038)"" alert can be used to detect when an adversary ""perform suspicious LDAP enumeration queries or queries targeted to sensitive groups that use methods not previously observed."" This 
alert employs machine learning which should reduce the number of false positives. +Additionally, this control's ""User and Group membership reconnaissance (SAMR) (external ID 2021)"" alert can detect this sub-technique and also employs machine learning which should reduce the false-positive rate.",T1069.002,Domain Groups,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1069,0 +399,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1210,Exploitation of Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +400,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1550,Use Alternate Authentication Material,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,,0 +401,"This control's ""Suspected identity theft (pass-the-hash) (external ID 2017)"" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned. 
+This control's ""Suspected identity theft (pass-the-ticket) (external ID 2018)"" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.",T1550.002,Pass the Hash,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1550,0 +402,"This control's ""Suspected identity theft (pass-the-hash) (external ID 2017)"" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned. +This control's ""Suspected identity theft (pass-the-ticket) (external ID 2018)"" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.",T1550.003,Pass the Ticket,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1550,0 +403,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1557,Man-in-the-Middle,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +404,"This control's ""Suspected NTLM relay attack (Exchange account) (external ID 2037)"" alert can detect NTLM relay attack specific to the Exchange service. 
Because this detection is limited to this variation of the sub-technique, its coverage score is Minimal resulting in an overall Minimal score.",T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1557,0 +405,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1110,Brute Force,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,,0 +406,"This control's ""Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)"" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives. +Similarly, its ""Suspected Brute Force attack (LDAP) (external ID 2004)"" alert can detect brute force attacks using LDAP simple binds. +The ""Suspected Brute Force attack (SMB) (external ID 2033)"" alert is also relevant but the details are sparse.",T1110.003,Password Spraying,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1110,0 +407,"This control's ""Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)"" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives. +Similarly, its ""Suspected Brute Force attack (LDAP) (external ID 2004)"" alert can detect brute force attacks using LDAP simple binds. 
+The ""Suspected Brute Force attack (SMB) (external ID 2033)"" alert is also relevant but the details are sparse.",T1110.001,Password Guessing,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1110,0 +408,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1558,Steal or Forge Kerberos Tickets,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,,0 +409,"This control's ""Suspected Kerberos SPN exposure (external ID 2410)"" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack. +Similarly its ""Suspected AS-REP Roasting attack (external ID 2412)"" alert is able to detect AS-REP Roasting sub-technique. +The accuracy of these alerts is unknown and therefore its score has been assessed as Partial.",T1558.003,Kerberoasting,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1558,0 +410,"This control's ""Suspected Kerberos SPN exposure (external ID 2410)"" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack. 
+Similarly its ""Suspected AS-REP Roasting attack (external ID 2412)"" alert is able to detect AS-REP Roasting sub-technique. +The accuracy of these alerts is unknown and therefore its score has been assessed as Partial.",T1558.004,AS-REP Roasting,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1558,0 +411,This control has numerous alerts that can detect Golden Ticket attacks from multiple perspectives. The accuracy of these alerts is unknown resulting in a partial score.,T1558.001,Golden Ticket,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1558,0 +412,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1133,External Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +413,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1555,Credentials from Password Stores,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +414,"This control's ""Malicious request of Data Protection API master key (external ID 2020)"" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. DPAPI is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data. 
This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage resulting in a Minimal score.",T1555.003,Credentials from Web Browsers,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1555,0 +415,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1047,Windows Management Instrumentation,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +416,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1059,Command and Scripting Interpreter,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +417,"This control's ""Remote code execution attempt (external ID 2019)"" alert can detect Remote code execution via Powershell. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. 
Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.",T1059.001,PowerShell,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1059,0 +418,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1021,Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +419,"This control's ""Remote code execution attempt (external ID 2019)"" alert can detect Remote code execution via Psexec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. +This control's ""Data exfiltration over SMB (external ID 2030)"" alert may also be able to detect exfiltration of sensitive data on domain controllers using SMB. 
+",T1021.002,SMB/Windows Admin Shares,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1021,0 +420,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1569,System Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +421,"This control's ""Remote code execution attempt (external ID 2019)"" alert can detect Remote code execution via Psexec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.",T1569.002,Service Execution,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1569,0 +422,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1207,Rogue Domain Controller,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Significant,,0 +423,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1003,OS Credential 
Dumping,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +424,"This control's ""Suspected DCSync attack (replication of directory services) (external ID 2006)"" alert can detect DCSync attacks. The false positive rate should be low due to the identity of domain controllers on the network changing infrequently and therefore replication requests received from non-domain controllers should be a red flag.",T1003.006,DCSync,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1003,0 +425,"The documentation for this control's ""Data exfiltration over SMB (external ID 2030)"" alert implies that it may be able to detect the transfer of sensitive data such as the Ntds.dit on monitored domain controllers. This is specific to domain controllers and therefore results in a reduced coverage score.",T1003.003,NTDS,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1003,0 +426,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1556,Modify Authentication Process,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +427,"This control's ""Suspected skeleton key attack (encryption downgrade) (external ID 2010)"" alert can detect skeleton attacks. This alert provides partial protection as it detects on a specific type of malware, Skeleton malware, and its usage of weaker encryption algorithms to hash the user's passwords on the domain controller. 
The description of the alert implies it utilizes machine learning to look for anomalous usage of weak encryption algorithms which should result in a reduced false positive rate.",T1556.001,Domain Controller Authentication,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1556,0 +428,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1098,Account Manipulation,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,,0 +429,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1543,Create or Modify System Process,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +430,"This control's ""Suspicious service creation (external ID 2026)"" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization. 
As a result of this detecting being specific to these hosts, the coverage score is Minimal resulting in Minimal detection.",T1543.003,Windows Service,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1543,0 +431,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +432,"This control's ""Suspicious communication over DNS (external ID 2031)"" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions. The accuracy of this control is unknown and therefore its score has been assessed as Partial.",T1071.004,DNS,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1071,0 +433,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +434,"This control's ""Suspicious communication over DNS (external ID 2031)"" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions. 
The accuracy of this control is unknown and therefore its score has been assessed as Partial.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1048,0 +435,This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. ,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv']","['Azure Defender', 'Azure Security Center Recommendation', 'Credentials']",,Azure Defender for Key Vault,technique-scores,Detect,Minimal,,0 +436,This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. ,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv']","['Azure Defender', 'Azure Security Center Recommendation', 'Credentials']",,Azure Defender for Key Vault,technique-scores,Detect,Partial,,0 +437,,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,,0 +438,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure 
Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Protect,Partial,,0 +439,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,,0 +440,,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,,0 +441,,T1204,User Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,,0 +442,"Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial.",T1204.002,Malicious File,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1204,0 +443,,T1036,Masquerading,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,,0 +444,"Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. 
Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.",T1036.005,Match Legitimate Name or Location,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1036,0 +445,"Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial.",T1036.006,Space after Filename,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1036,0 +446,"Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. Events are calculated once every twelve hours, so its temporal score is Partial.",T1036.001,Invalid Code Signature,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1036,0 +447,,T1553,Subvert Trust Controls,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Minimal,,0 +448,"Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. 
Events are calculated once every twelve hours, so its temporal score is Partial.",T1553.002,Code Signing,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1553,0 +449,,T1554,Compromise Client Software Binary,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,,0 +450,Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. This mapping specifically deals with MFA when it is enabled as a security default.,T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Credentials', 'Identity', 'Passwords', 'MFA']",,Azure AD Multi-Factor Authentication,technique-scores,Protect,Significant,,0 +451,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.001,Password Guessing,[],[],,Azure AD Multi-Factor Authentication,technique-scores,Protect,Significant,T1110,0 +452,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.003,Password Spraying,[],[],,Azure AD Multi-Factor Authentication,technique-scores,Protect,Significant,T1110,0 +453,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.004,Credential Stuffing,[],[],,Azure AD Multi-Factor 
Authentication,technique-scores,Protect,Significant,T1110,0 +454,Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. This mapping specifically deals with MFA when it is enabled as a security default.,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Credentials', 'Identity', 'Passwords', 'MFA']",,Azure AD Multi-Factor Authentication,technique-scores,Protect,Minimal,,0 +455,MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. This is an incomplete protection measure though as the adversary may also have obtained credentials enabling bypassing the additional authentication method. ,T1078.004,Cloud Accounts,[],[],,Azure AD Multi-Factor Authentication,technique-scores,Protect,Partial,T1078,0 +456,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1557,Man-in-the-Middle,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,,0 +457,"This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.",T1557.002,ARP Cache Poisoning,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1557,0 +458,"This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.",T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1557,0 +459,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1565,Data Manipulation,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Minimal,,0 +460,"This control reduces the likelihood of data manipulation for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.",T1565.002,Transmitted Data Manipulation,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1565,0 +461,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1499,Endpoint Denial of Service,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,,0 +462,,T1499.004,Application or System Exploitation,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1499,0 +463,,T1499.003,Application Exhaustion Flood,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1499,0 +464,,T1499.002,Service Exhaustion Flood,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1499,0 +465,,T1499.001,OS Exhaustion Flood,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1499,0 +466,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1498,Network Denial of Service,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,,0 +467,,T1498.002,Reflection Amplification,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1498,0 +468,,T1498.001,Direct Network Flood,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1498,0 +469,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1040,Network Sniffing,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,,0 +470,Note there is also a Managed HSM service.,T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Minimal,,0 +471,Provides significant protection of private keys.,T1552.004,Private Keys,[],[],,Azure Dedicated HSM,technique-scores,Protect,Significant,T1552,0 +472,Note there is also a Managed HSM service.,T1588,Obtain Capabilities,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Partial,,0 +473,Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.,T1588.004,Digital Certificates,[],[],,Azure Dedicated HSM,technique-scores,Protect,Partial,T1588,0 +474,Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.,T1588.003,Code Signing Certificates,[],[],,Azure Dedicated HSM,technique-scores,Protect,Partial,T1588,0 +475,Note there is also a Managed HSM service.,T1553,Subvert Trust Controls,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Partial,,0 +476,Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.,T1553.004,Install Root Certificate,[],[],,Azure Dedicated HSM,technique-scores,Protect,Partial,T1553,0 +477,Certificate credentials can be vaulted in an HSM thereby reducing its attack 
surface.,T1553.002,Code Signing,[],[],,Azure Dedicated HSM,technique-scores,Protect,Partial,T1553,0 +478,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1195,Supply Chain Compromise,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +479,This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.,T1195.002,Compromise Software Supply Chain,[],[],,Azure Automation Update Management,technique-scores,Protect,Partial,T1195,0 +480,This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,Azure Automation Update Management,technique-scores,Protect,Partial,T1195,0 +481,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1072,Software Deployment Tools,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +482,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1210,Exploitation of Remote Services,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +483,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
",T1211,Exploitation for Defense Evasion,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +484,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1068,Exploitation for Privilege Escalation,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +485,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +486,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1212,Exploitation for Credential Access,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +487,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1203,Exploitation for Client Execution,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +488,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
",T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +489,This control provides significant protection against Denial of Service (DOS) attacks that leverage system/application vulnerabilities as opposed to volumetric attacks since it enables automated updates of software and rapid configuration change management.,T1499.004,Application or System Exploitation,[],[],,Azure Automation Update Management,technique-scores,Protect,Significant,T1499,0 +490,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1554,Compromise Client Software Binary,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +491,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1189,Drive-by Compromise,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +492,,T1584,Compromise Infrastructure,['https://docs.microsoft.com/en-us/azure/dns/dns-alias#prevent-dangling-dns-records'],"['DNS', 'Network']",,Azure DNS Alias Records,technique-scores,Protect,Minimal,,0 +493,"Alias records prevent dangling references by tightly coupling the life cycle of a DNS record with an Azure resource. For example, consider a DNS record that's qualified as an alias record to point to a public IP address or a Traffic Manager profile. If you delete those underlying resources, the DNS alias record becomes an empty record set. It no longer references the deleted resource. 
This control is effective for protecting DNS records that resolve to Azure resources but does not offer protection for records pointing to non-Azure resources, resulting in a Partial score.",T1584.001,Domains,[],[],,Azure DNS Alias Records,technique-scores,Protect,Partial,T1584,0 +494,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1087,Account Discovery,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,,0 +495,This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery.,T1087.004,Cloud Account,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1087,0 +496,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,,0 +497,This control can be used to implement the least-privilege principle for account management and thereby limit what an adversary can do with a valid account.,T1078.004,Cloud Accounts,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1078,0 +498,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1136,Create Account,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,,0 +499,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can create accounts.,T1136.003,Cloud Account,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1136,0 +500,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +501,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.,T1098.001,Additional Cloud Credentials,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1098,0 +502,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.,T1098.003,Add Office 365 Global Administrator Role,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1098,0 +503,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1578,Modify Cloud Compute Infrastructure,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +504,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.,T1578.001,Create Snapshot,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1578,0 +505,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.,T1578.002,Create Cloud Instance,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1578,0 +506,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.,T1578.003,Delete Cloud Instance,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1578,0 +507,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.,T1578.004,Revert Cloud Instance,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1578,0 +508,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1580,Cloud Infrastructure Discovery,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +509,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1538,Cloud Service Dashboard,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +510,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1530,Data from Cloud Storage Object,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +511,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1528,Steal Application Access Token,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +512,"This control is still in preview, so its coverage will likely expand in the future. This mapping is based on its current (preview) state.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections', 'https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection']","['Azure Security Center', 'Database']",,Alerts for Azure Cosmos DB,technique-scores,Detect,Minimal,,0 +513,"This control triggers an alert when there is a change in the access pattern to an Azure Cosmos account based on access from an unusual geographical location. False positives are fairly likely and misuse from a typical location is not covered, so score is Minimal. Relevant alert is ""Access from an unusual location to a Cosmos DB account""",T1078.004,Cloud Accounts,[],[],,Alerts for Azure Cosmos DB,technique-scores,Detect,Minimal,T1078,0 +514,"This control is still in preview, so its coverage will likely expand in the future. This mapping is based on its current (preview) state.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections', 'https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection']","['Azure Security Center', 'Database']",,Alerts for Azure Cosmos DB,technique-scores,Detect,Minimal,,0 +515,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1053,Scheduled Task/Job,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Significant,True,0 -264,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1053,Scheduled Task/Job,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Significant,,0 +516,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. 
+",T1053.001,At (Linux),[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +517,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1053.002,At (Windows),[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +518,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1053.003,Cron,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +519,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1053.005,Scheduled Task,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +520,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. 
This control at worst scans for changes on an hourly basis. +",T1053.006,Systemd Timers,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +521,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,True,0 -265,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +522,"This control may detect changes to the SSH authorized keys file which may indicate establishment of persistence. 
This control at worst scans for changes on an hourly basis. +",T1098.004,SSH Authorized Keys,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1098,0 +523,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1547,Boot or Logon Autostart Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,True,0 -266,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
+",T1547,Boot or Logon Autostart Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +524,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.001,Registry Run Keys / Startup Folder,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +525,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.002,Authentication Package,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +526,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.003,Time Providers,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +527,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.004,Winlogon Helper DLL,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +528,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.005,Security Support Provider,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +529,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. 
+",T1547.006,Kernel Modules and Extensions,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +530,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.008,LSASS Driver,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +531,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.009,Shortcut Modification,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +532,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.010,Port Monitors,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +533,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.012,Print Processors,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +534,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. 
Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1037,Boot or Logon Initialization Scripts,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,True,0 -267,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1037,Boot or Logon Initialization Scripts,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +535,"This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis. +",T1037.001,Logon Script (Windows),[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1037,0 +536,"This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis. +",T1037.003,Network Logon Script,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1037,0 +537,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1543,Create or Modify System Process,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,True,0 -268,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1543,Create or Modify System Process,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +538,"This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. 
+",T1543.002,Systemd Service,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1543,0 +539,"This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1543.003,Windows Service,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1543,0 +540,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1546,Event Triggered Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,True,0 -269,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
+",T1546,Event Triggered Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +541,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.001,Change Default File Association,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +542,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.002,Screensaver,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +543,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.004,.bash_profile and .bashrc,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +544,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. 
+",T1546.007,Netsh Helper DLL,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +545,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.008,Accessibility Features,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +546,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.009,AppCert DLLs,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +547,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.011,Application Shimming,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +548,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.012,Image File Execution Options Injection,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +549,"This control may detect changes to the Windows registry or files that indicate event triggered execution. 
The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.013,PowerShell Profile,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +550,"The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives. +",T1546.010,AppInit DLLs,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1546,0 +551,"The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives. +",T1546.015,Component Object Model Hijacking,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1546,0 +552,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1574,Hijack Execution Flow,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,True,0 -270,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1574,Hijack Execution Flow,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +553,"This control may detect changes to the ld.so.preload file which may indicate an attempt to hijack execution flow. This sub-technique may also be utilized through an environment variable which this control may not detect. This control at worst scans for changes on an hourly basis. +",T1574.006,LD_PRELOAD,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1574,0 +554,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. 
Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1137,Office Application Startup,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,True,0 -271,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1137,Office Application Startup,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +555,"This control may detect changes to the Windows registry to establish persistence with the Office Test sub-technique. The specificity of registry keys involved may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1137.002,Office Test,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1137,0 +556,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. 
This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1548,Abuse Elevation Control Mechanism,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,True,0 -272,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1548,Abuse Elevation Control Mechanism,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +557,"Some UAC bypass methods rely on modifying specific, user-accessible Registry settings that can be monitored using this control. Overall, there are numerous other bypass methods that do not result in Registry modification that this control will not be effective in detection resulting in a low detection coverage factor.",T1548.002,Bypass User Account Control,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1548,0 +558,"This control may detect changes to the sudoers file which may indicate privilege escalation. 
This control at worst scans for changes on an hourly basis. +",T1548.003,Sudo and Sudo Caching,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1548,0 +559,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1556,Modify Authentication Process,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,True,0 -273,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
+",T1556,Modify Authentication Process,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +560,The Registry key used to register a Password Filter DLL can be monitored for changes using this control providing substantial coverage of this sub-technique. This key should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.,T1556.002,Password Filter DLL,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1556,0 +561,The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.,T1556.003,Pluggable Authentication Modules,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1556,0 +562,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. 
-",T1003,OS Credential Dumping,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,True,0 -274,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1003,OS Credential Dumping,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +563,This control can be used to detect the Windows Security Support Provider (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently and therefore false positives should be minimal. ,T1003.001,LSASS Memory,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1003,0 +564,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1222,File and Directory Permissions Modification,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,True,0 -275,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1222,File and Directory Permissions Modification,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +565,This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.,T1222.001,Windows File and Directory Permissions Modification,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1222,0 +566,This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1222,0 +567,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. -",T1562,Impair Defenses,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,True,0 -276,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +",T1562,Impair Defenses,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +568,"This control can be used to monitor Registry keys related to security software or event logging processes that can detect when an adversary attempts to disable these tools via modifying or deleting Registry keys. 
A majority of the cited procedure examples for this sub-technique are related to killing security processes rather than modifying the Registry, and therefore the detection coverage for this control is low.",T1562.001,Disable or Modify Tools,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1562,0 +569,There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.,T1562.004,Disable or Modify System Firewall,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1562,0 +570,There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.,T1562.006,Indicator Blocking,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1562,0 +571,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. 
-",T1553,Subvert Trust Controls,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,True,0 -277,"Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1485,Data Destruction,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,False,0 -278,"Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1486,Data Encrypted for Impact,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,False,0 -279,"Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1491,Defacement,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,True,0 -280,"Azure Backup service provides defense against destruction/manipulation of data at rest. 
Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1561,Disk Wipe,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,True,0 -281,,T1552,Unsecured Credentials,['https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Managed identities for Azure resources,technique-scores,Protect,Minimal,True,0 -282,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -283,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -284,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1590,Gather Victim Network Information,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,True,0 -285,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,True,0 -286,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,True,0 -287,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Detect,Minimal,False,0 -288,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -289,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,True,0 -290,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,False,0 -291,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,False,0 -292,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,False,0 -293,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,False,0 -294,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,True,0 -295,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -296,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -297,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -298,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1538,Cloud Service Dashboard,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -299,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -300,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,False,0 -301,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,True,0 -302,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,False,0 -303,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,True,0 -304,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1537,Transfer Data to Cloud Account,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,False,0 -305,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,False,0 -306,"Associated with the Azure Security Center. -The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Significant,True,0 -307,"Associated with the Azure Security Center. -The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,True,0 -308,"Associated with the Azure Security Center. 
-The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Partial,False,0 -309,,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Minimal,True,0 -310,,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Partial,True,0 -311,,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Detect,Minimal,True,0 -312,,T1136,Create Account,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Minimal,True,0 -313,,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Significant,False,0 -314,,T1557,Man-in-the-Middle,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Significant,True,0 -315,,T1565,Data 
Manipulation,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Partial,True,0 -316,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,True,0 -317,,T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,False,0 -318,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,True,0 -319,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,False,0 -320,,T1498,Network Denial of 
Service,['https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure DDOS Protection Standard,technique-scores,Protect,Significant,True,0 -321,,T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure DDOS Protection Standard,technique-scores,Protect,Significant,True,0 -322,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1584,Compromise Infrastructure,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Protect,Minimal,True,0 -323,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -324,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -325,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -326,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Protect,Minimal,True,0 -327,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -328,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -329,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1595,Active Scanning,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -330,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1594,Search Victim-Owned Websites,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -331,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,True,0 -332,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -333,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -334,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -335,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -336,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -337,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -338,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,False,0 -339,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1559,Inter-Process Communication,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,True,0 -340,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1036,Masquerading,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -341,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -342,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -343,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1123,Audio Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -344,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -345,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -346,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -347,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1005,Data from Local System,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -348,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -349,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1574,Hijack Execution Flow,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -350,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1056,Input Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -351,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -352,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -353,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1057,Process Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -354,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1012,Query Registry,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -355,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -356,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -357,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -358,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,True,0 -359,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1047,Windows Management Instrumentation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,False,0 -360,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Significant,True,0 -361,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,True,0 -362,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1074,Data Staged,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,True,0 
-363,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1530,Data from Cloud Storage Object,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,False,0 -364,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1213,Data from Information Repositories,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,True,0 -365,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,True,0 -366,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,True,0 -367,"This control is basically a CASB, 
and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,True,0 -368,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -369,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -370,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1187,Forced Authentication,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 
'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Significant,False,0 -371,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1187,Forced Authentication,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Significant,False,0 -372,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -373,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,False,0 -374,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1528,Steal Application Access 
Token,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -375,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -376,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Minimal,True,0 -377,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,True,0 -378,"This control is basically a CASB, 
and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,False,0 -379,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -380,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1565,Data Manipulation,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,True,0 -381,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 
'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,False,0 -382,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -383,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Significant,False,0 -384,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -385,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1484,Domain Policy 
Modification,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,True,0 -386,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,True,0 -387,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1578,Modify Cloud Compute Infrastructure,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,True,0 -388,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,False,0 -389,"This control is basically a CASB, and 
various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -390,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -391,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,False,0 -392,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 
'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,True,0 -393,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,True,0 -394,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1534,Internal Spearphishing,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,False,0 -395,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Minimal,False,0 -396,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Minimal,False,0 -397,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Partial,False,0 -398,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Detect,Partial,False,0 -399,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+",T1553,Subvert Trust Controls,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +572,"This control can detect modifications made to the Registry keys used to register Windows Subject Interface Packages (SIPs). Because this sub-technique can be accomplished without modifying the Registry via DLL Search Order Hijacking, it has been scored as Partial. The related Registry keys should not change often and therefore the false positive rate should be minimal. This control at worst scans for changes on an hourly basis.",T1553.003,SIP and Trust Provider Hijacking,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1553,0 +573,This control can be used to detect when the system root certificates has changed by detecting the corresponding Registry or File system modifications that occur as a result. These root certificates should not change often and therefore the false positive rate is minimal. This control at worst scans for changes on an hourly basis.,T1553.004,Install Root Certificate,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1553,0 +574,"Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1485,Data Destruction,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,,0 +575,"Azure Backup service provides defense against destruction/manipulation of data at rest. 
Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1486,Data Encrypted for Impact,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,,0 +576,"Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1491,Defacement,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,,0 +577,Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.,T1491.002,External Defacement,[],[],,Azure Backup,technique-scores,Respond,Significant,T1491,0 +578,Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.,T1491.001,Internal Defacement,[],[],,Azure Backup,technique-scores,Respond,Significant,T1491,0 +579,"Azure Backup service provides defense against destruction/manipulation of data at rest. 
Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1561,Disk Wipe,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,,0 +580,Data backups provide a significant response to disk content wipe attacks by enabling the restoration of data from backup.,T1561.001,Disk Content Wipe,[],[],,Azure Backup,technique-scores,Respond,Significant,T1561,0 +581,"Allows for recovery of disk content, though Disk structure wipes require additional procedures for recovery.",T1561.002,Disk Structure Wipe,[],[],,Azure Backup,technique-scores,Respond,Partial,T1561,0 +582,,T1552,Unsecured Credentials,['https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Managed identities for Azure resources,technique-scores,Protect,Minimal,,0 +583,"This control provides an alternative to hard-coding credentials for accessing Azure services in application code. This control only protects credentials for accessing Azure services and not other credential types, resulting in a Partial coverage score.",T1552.001,Credentials In Files,[],[],,Managed identities for Azure resources,technique-scores,Protect,Partial,T1552,0 +584,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +585,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +586,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1590,Gather Victim Network Information,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +587,,T1590.002,DNS,[],[],,Azure Policy,technique-scores,Protect,Partial,T1590,0 +588,,T1590.004,Network Topology,[],[],,Azure Policy,technique-scores,Protect,Partial,T1590,0 +589,,T1590.005,IP Addresses,[],[],,Azure Policy,technique-scores,Protect,Partial,T1590,0 +590,,T1590.006,Network Security Appliances,[],[],,Azure Policy,technique-scores,Protect,Partial,T1590,0 +591,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +592,This control may provide recommendations to audit and restrict privileges on Azure cloud accounts. This control may provide information to reduce surface area for privileged access to Azure.,T1078.004,Cloud Accounts,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1078,0 +593,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +594,"This control may recommend removing deprecated accounts, reducing privileges, and enabling multi-factor authentication. This can reduce the amount of accounts available to be exploited and what could be done with those accounts.",T1098.001,Additional Cloud Credentials,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1098,0 +595,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Detect,Minimal,,0 +596,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +597,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +598,This control may provide recommendations to enable other Azure controls that provide information on potentially exploitable SQL stored procedures. Recommendations to reduce unnecessary privileges from accounts and stored procedures can mitigate exploitable of this technique. ,T1505.001,SQL Stored Procedures,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1505,0 +599,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +600,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +601,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +602,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +603,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +604,"This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.",T1110.003,Password Spraying,[],[],,Azure Policy,technique-scores,Protect,Partial,T1110,0 +605,"This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.",T1110.001,Password Guessing,[],[],,Azure Policy,technique-scores,Protect,Partial,T1110,0 +606,"This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. 
This control can affect Azure, Azure cloud application, and endpoint credentials.",T1110.004,Credential Stuffing,[],[],,Azure Policy,technique-scores,Protect,Partial,T1110,0 +607,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +608,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +609,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +610,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1538,Cloud Service Dashboard,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +611,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +612,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +613,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +614,This control may provide recommendations to restrict public access to Remote Desktop Protocol.,T1021.001,Remote Desktop Protocol,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1021,0 +615,This control may provide recommendations to restrict public SSH access and enable usage of SSH keys. ,T1021.004,SSH,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1021,0 +616,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +617,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +618,This control may provide recommendations to enable Azure Defender for DNS which can monitor DNS queries between Azure applications for malicious traffic.,T1071.004,DNS,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1071,0 +619,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1537,Transfer Data to Cloud Account,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +620,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +621,"Associated with the Azure Security Center. 
+The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Significant,,0 +622,"This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.",T1110.003,Password Spraying,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Significant,T1110,0 +623,"This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.",T1110.001,Password Guessing,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Significant,T1110,0 +624,"This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.",T1110.004,Credential Stuffing,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Significant,T1110,0 +625,"Associated with the Azure Security Center. 
+The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,,0 +626,This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ,T1071.004,DNS,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,T1071,0 +627,This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ,T1071.003,Mail Protocols,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,T1071,0 +628,This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ,T1071.002,File Transfer Protocols,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,T1071,0 +629,This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ,T1071.001,Web Protocols,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,T1071,0 +630,"Associated with the Azure Security Center. 
+The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Partial,,0 +631,,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Minimal,,0 +632,"This control's Access Review feature supports scheduling a routine review of cloud account permission levels to look for those that could allow an adversary to gain wide access. This information can then be used to validate if such access is required and identify which (privileged) accounts should be monitored closely. This reduces the availability of valid accounts to adversaries. 
This review would normally be scheduled periodically, at most weekly, and therefore its temporal score is Partial.",T1078.004,Cloud Accounts,[],[],,Azure AD Privileged Identity Management,technique-scores,Protect,Partial,T1078,0 +633,,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Partial,,0 +634,,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Detect,Minimal,,0 +635,This control can require MFA to be triggered when the Global Administrator role is assigned to an account or when the role is activated by a user.,T1098.003,Add Office 365 Global Administrator Role,[],[],,Azure AD Privileged Identity Management,technique-scores,Protect,Significant,T1098,0 +636,"This control can notify administrators whenever the Global Administrator role is assigned to an account and can therefore be used to detect the execution of this sub-technique. Assigning the Global Administrator role to an account is an infrequent operation and as a result, the false positive rate should be minimal.",T1098.003,Add Office 365 Global Administrator Role,[],[],,Azure AD Privileged Identity Management,technique-scores,Detect,Significant,T1098,0 +637,Privileged roles such as the Application Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. 
In addition these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.,T1098.001,Additional Cloud Credentials,[],[],,Azure AD Privileged Identity Management,technique-scores,Protect,Significant,T1098,0 +638,,T1136,Create Account,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Minimal,,0 +639,"Privileged roles such as the User Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. In addition, these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.",T1136.003,Cloud Account,[],[],,Azure AD Privileged Identity Management,technique-scores,Protect,Significant,T1136,0 +640,,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Significant,,0 +641,,T1557,Man-in-the-Middle,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Significant,,0 +642,,T1557.002,ARP Cache Poisoning,[],[],,Azure VPN Gateway,technique-scores,Protect,Significant,T1557,0 +643,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Azure VPN Gateway,technique-scores,Protect,Significant,T1557,0 +644,,T1565,Data Manipulation,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Partial,,0 +645,,T1565.002,Transmitted Data Manipulation,[],[],,Azure VPN Gateway,technique-scores,Protect,Significant,T1565,0 +646,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,,0 +647,"This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases. ",T1078.004,Cloud Accounts,[],[],,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Partial,T1078,0 +648,,T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,,0 +649,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,,0 +650,"This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. 
Because this control is specific to Azure database offerings, the detection coverage is Minimal.",T1110.001,Password Guessing,[],[],,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,T1110,0 +651,"This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.",T1110.003,Password Spraying,[],[],,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,T1110,0 +652,"This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.",T1110.004,Credential Stuffing,[],[],,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,T1110,0 +653,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,,0 +654,,T1498,Network Denial of Service,['https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure DDOS Protection Standard,technique-scores,Protect,Significant,,0 +655,,T1498.002,Reflection Amplification,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1498,0 +656,,T1498.001,Direct Network Flood,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1498,0 
+657,,T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure DDOS Protection Standard,technique-scores,Protect,Significant,,0 +658,,T1499.003,Application Exhaustion Flood,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1499,0 +659,,T1499.002,Service Exhaustion Flood,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1499,0 +660,,T1499.001,OS Exhaustion Flood,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1499,0 +661,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1584,Compromise Infrastructure,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Protect,Minimal,,0 +662,"Subdomain hijacking is a focus of this control, and its Dangling DNS detection alert feature is activated when an App Service website is decommissioned and its corresponding DNS entry is not deleted, allowing users to remove those entries before they can be leveraged by an adversary.",T1584.001,Domains,[],[],,Azure Defender for App Service,technique-scores,Protect,Significant,T1584,0 +663,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +664,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +665,"This control monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin, all of which are relevant for detecting users' interactions with malicious download links, but malicious links which exploit browser vulnerabilities for execution are unlikely to be detected, and temporal factor is unknown, resulting in a score of Minimal.",T1204.001,Malicious 
Link,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1204,0 +666,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +667,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Protect,Minimal,,0 +668,"This control monitors for known phishing links on the Azure App Services website and generates alerts if they are detected, potentially preventing their access by users. 
This is a very specific avenue, only covers known links, and temporal factor is unknown, resulting in a Minimal score.",T1566.002,Spearphishing Link,[],[],,Azure Defender for App Service,technique-scores,Protect,Minimal,T1566,0 +669,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +670,This control monitors host data for potential reverse shells used for command and control. Temporal factor is unknown.,T1059.004,Unix Shell,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1059,0 +671,This control monitors for execution of known malicious PowerShell PowerSploit cmdlets. Temporal factor is uknown.,T1059.001,PowerShell,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1059,0 +672,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +673,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1595,Active Scanning,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +674,"This control monitors for web fingerprinting tools including nmap and Blind Elephant, as well as scanners looking for vulnerability in applications like Drupal, Joomla, and WordPress. Temporal factor is unknown.",T1595.002,Vulnerability Scanning,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1595,0 +675,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1594,Search Victim-Owned Websites,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +676,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +677,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.",T1055.001,Dynamic-link Library Injection,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +678,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.002,Portable Executable Injection,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +679,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.003,Thread Execution Hijacking,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +680,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.004,Asynchronous Procedure Call,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +681,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.",T1055.005,Thread Local Storage,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +682,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.011,Extra Window Memory Injection,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +683,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.012,Process Hollowing,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +684,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.013,Process Doppelgänging,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +685,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.",T1055.008,Ptrace System Calls,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +686,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.009,Proc Memory,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +687,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.014,VDSO Hijacking,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +688,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +689,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +690,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +691,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +692,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +693,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +694,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +695,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1559,Inter-Process Communication,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +696,This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.,T1559.001,Component Object Model,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1559,0 +697,This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.,T1559.002,Dynamic Data Exchange,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1559,0 +698,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1036,Masquerading,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +699,"This control analyzes host data to detect processes with suspicious names, including those named in a way that is suggestive of attacker tools that try to hide in plain sight. False positives are probable, and temporal factor is unknown.",T1036.005,Match Legitimate Name or Location,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1036,0 +700,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +701,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +702,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via the Get-ProcessTokenGroup module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1087.001,Local Account,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1087,0 +703,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1123,Audio Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +704,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +705,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Install-SSP module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1547.005,Security Support Provider,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1547,0 +706,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via New-UserPersistenceOption on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1547.001,Registry Run Keys / Startup Folder,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1547,0 +707,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +708,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1543.003,Windows Service,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1543,0 +709,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +710,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1005,Data from Local System,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +711,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +712,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1574,Hijack Execution Flow,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +713,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1574.001,DLL Search Order Hijacking,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1574,0 +714,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1574.007,Path Interception by PATH Environment Variable,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1574,0 +715,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1574.008,Path Interception by Search Order Hijacking,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1574,0 +716,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1574.009,Path Interception by Unquoted Path,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1574,0 +717,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1056,Input Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +718,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-Keystrokes Exfiltration module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1056.001,Keylogging,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1056,0 +719,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +720,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Find-AVSignature AntivirusBypass module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1027.005,Indicator Removal from Tools,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1027,0 +721,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +722,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, so score is Minimal.",T1003.001,LSASS Memory,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1003,0 +723,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1057,Process Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +724,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1012,Query Registry,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +725,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +726,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the New-UserPersistenceOption Persistence module on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1053.005,Scheduled Task,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1053,0 +727,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +728,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +729,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via the Invoke-Kerberoast module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1558.003,Kerberoasting,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1558,0 +730,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +731,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and RegistryAutoLogon modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal.",T1552.002,Credentials in Registry,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1552,0 +732,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1552.006,Group Policy Preferences,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1552,0 +733,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1047,Windows Management Instrumentation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +734,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Significant,,0 +735,"Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.",T1110.001,Password Guessing,[],[],,Conditional Access,technique-scores,Protect,Significant,T1110,0 +736,"Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a 
password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.",T1110.002,Password Cracking,[],[],,Conditional Access,technique-scores,Protect,Significant,T1110,0 +737,"Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.",T1110.003,Password Spraying,[],[],,Conditional Access,technique-scores,Protect,Significant,T1110,0 +738,"Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.",T1110.004,Credential Stuffing,[],[],,Conditional Access,technique-scores,Protect,Significant,T1110,0 +739,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,,0 +740,"This control can protect against the abuse of valid cloud accounts by requiring MFA or blocking access altogether based on signals such as the user's IP location information, device compliance state, risky sign-in/user state (through integration with Azure AD Identity Protection). 
Additionally, session controls that can limit what a valid user can do within an app can also be triggered based on the aforementioned triggers.",T1078.004,Cloud Accounts,[],[],,Conditional Access,technique-scores,Protect,Significant,T1078,0 +741,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1074,Data Staged,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,,0 +742,"Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to collect and stage files. This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.",T1074.002,Remote Data Staging,[],[],,Conditional Access,technique-scores,Protect,Minimal,T1074,0 +743,"Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to collect and stage files. 
This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.",T1074.001,Local Data Staging,[],[],,Conditional Access,technique-scores,Protect,Minimal,T1074,0 +744,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1530,Data from Cloud Storage Object,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,,0 +745,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1213,Data from Information Repositories,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,,0 +746,"Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint with no ability to download, print, or sync files. Furthermore, with its integration with Microsoft Cloud App Security, it can even restrict cut, copy and paste operations. This can impede an adversary's ability to collect valuable information and/or files from the application. 
This protection is partial as it doesn't prohibit an adversary from potentially viewing sensitive information and manually collecting it, for example simply writing down information by hand.",T1213.002,Sharepoint,[],[],,Conditional Access,technique-scores,Protect,Partial,T1213,0 +747,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +748,"This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. +Relevant alerts include ""Activity from anonymous IP address"" , ""Activity from infrequent country"", ""Activity from suspicious IP address"", ""Impossible Travel"", and ""Activity performed by terminated user"".",T1078.004,Cloud Accounts,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1078,0 +749,"This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. +Relevant alerts include ""Activity from anonymous IP address"" , ""Activity from infrequent country"", ""Activity from suspicious IP address"", ""Impossible Travel"", and ""Activity performed by terminated user"".",T1078.002,Domain Accounts,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1078,0 +750,"This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. 
+Relevant alerts include ""Activity from anonymous IP address"" , ""Activity from infrequent country"", ""Activity from suspicious IP address"", ""Impossible Travel"", and ""Activity performed by terminated user"".",T1078.001,Default Accounts,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1078,0 +751,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +752,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +753,This control can identify large volume potential exfiltration activity.,T1567.002,Exfiltration to Cloud Storage,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1567,0 +754,"This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. 
A relevant alert is ""Unusual file download (by user)"".",T1567.002,Exfiltration to Cloud Storage,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1567,0 +755,This control can identify large volume potential exfiltration activity.,T1567.001,Exfiltration to Code Repository,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1567,0 +756,"This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is ""Unusual file download (by user)"".",T1567.001,Exfiltration to Code Repository,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1567,0 +757,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +758,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +759,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1187,Forced 
Authentication,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Significant,,0 +760,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1187,Forced Authentication,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Significant,,0 +761,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +762,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +763,"This control is basically a CASB, and 
various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +764,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +765,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Minimal,,0 +766,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 
'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +767,This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.,T1213.002,Sharepoint,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1213,0 +768,This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.,T1213.002,Sharepoint,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1213,0 +769,This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.,T1213.001,Confluence,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1213,0 +770,This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.,T1213.001,Confluence,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1213,0 +771,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +772,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud 
App Security Policies,technique-scores,Detect,Partial,,0 +773,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1565,Data Manipulation,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +774,This control can detect and encrypt sensitive information at rest on supported platforms.,T1565.001,Stored Data Manipulation,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1565,0 +775,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +776,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +777,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel 
for moderate to high temporal score.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Significant,,0 +778,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +779,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1484,Domain Policy Modification,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +780,This control can detect admin activity from risky IP addresses.,T1484.002,Domain Trust Modification,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1484,0 +781,This control can detect admin activity from risky IP addresses.,T1484.001,Group Policy Modification,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1484,0 +782,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal 
score.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +783,"This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include ""Unusual administrative activity (by user)"" and ""Unusual addition of credentials to an OAuth app"".",T1098.003,Add Office 365 Global Administrator Role,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1098,0 +784,"This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include ""Unusual administrative activity (by user)"" and ""Unusual addition of credentials to an OAuth app"".",T1098.001,Additional Cloud Credentials,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1098,0 +785,"This control can detect anomalous admin activity that may be indicative of account manipulation. 
Relevant alerts include ""Unusual administrative activity (by user)"" and ""Unusual addition of credentials to an OAuth app"".",T1098.002,Exchange Email Delegate Permissions,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1098,0 +786,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1578,Modify Cloud Compute Infrastructure,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +787,This control can identify anomalous admin activity.,T1578.004,Revert Cloud Instance,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1578,0 +788,This control can identify anomalous admin activity.,T1578.003,Delete Cloud Instance,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1578,0 +789,This control can identify anomalous admin activity.,T1578.001,Create Snapshot,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1578,0 +790,This control can identify anomalous admin activity.,T1578.002,Create Cloud Instance,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1578,0 +791,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +792,"This control is 
basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +793,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +794,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +795,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 
'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +796,"This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include ""Suspicious inbox forwarding"" and ""Suspicious inbox manipulation rule"".",T1071.003,Mail Protocols,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1071,0 +797,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +798,"This control can detect some activity indicative of brute force attempts to login. Relevant alert is ""Multiple failed login attempts"".",T1110.004,Credential Stuffing,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1110,0 +799,"This control can detect some activity indicative of brute force attempts to login. Relevant alert is ""Multiple failed login attempts"".",T1110.003,Password Spraying,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1110,0 +800,"This control can detect some activity indicative of brute force attempts to login. 
Relevant alert is ""Multiple failed login attempts"".",T1110.001,Password Guessing,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1110,0 +801,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1534,Internal Spearphishing,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +802,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Minimal,,0 +803,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Minimal,,0 +804,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Partial,,0 +805,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Detect,Partial,,0 +806,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,True,0 -400,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +807,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. +This control's ""Do not expire passwords"" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. +This control's ""Enable policy to block legacy authentication"" and ""Stop legacy protocols communication"" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. 
+This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. +Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ",T1110.001,Password Guessing,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1110,0 +808,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. +This control's ""Do not expire passwords"" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. +This control's ""Enable policy to block legacy authentication"" and ""Stop legacy protocols communication"" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. +This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. +Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. 
",T1110.002,Password Cracking,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1110,0 +809,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. +This control's ""Do not expire passwords"" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. +This control's ""Enable policy to block legacy authentication"" and ""Stop legacy protocols communication"" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. +This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. +Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ",T1110.003,Password Spraying,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1110,0 +810,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. 
+This control's ""Do not expire passwords"" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. +This control's ""Enable policy to block legacy authentication"" and ""Stop legacy protocols communication"" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. +This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. +Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ",T1110.004,Credential Stuffing,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1110,0 +811,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,True,0 -401,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,,0 +812,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Minimal,True,0 -402,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Minimal,,0 +813,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations of MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. See the mapping for MFA for more details. +This control's ""Use limited administrative roles"" recommendation recommends reviewing and limiting the number of accounts with global admin privilege, reducing what an adversary can do with a compromised valid account. +Because these are recommendations and do not actually enforce the protections, the assessed score is capped at Partial. ",T1078.004,Cloud Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1078,0 +814,"This control's ""Turn on sign-in risk policy"" and ""Turn on user risk policy"" recommendations recommend enabling Azure AD Identity Protection which can lead to detecting adversary usage of valid accounts. 
See the mapping for Azure AD Identity Protection.",T1078.004,Cloud Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Detect,Partial,T1078,0 +815,"This control's ""Remove dormant accounts from sensitive groups"" recommendation recommends reviewing dormant (domain) accounts from sensitive groups via an assessment report that can identify sensitive accounts that are dormant. +Because these are recommendations and do not actually enforce the protections coupled with being limited to sensitive accounts, the assessed score is Minimal. ",T1078.002,Domain Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,T1078,0 +816,"This control's ""Protect and manage local admin passwords with Microsoft LAPS"" recommendation recommends periodically running and reviewing the Microsoft LAPS usage report that identifies all Windows based devices not protected by Microsoft LAPS. This can help reduce the compromise of local administrator accounts. +Because this is a recommendations and not actually enforced coupled with being limited to sensitive accounts, the assessed score is Minimal. ",T1078.003,Local Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,T1078,0 +817,"This control's ""Protect and manage local admin passwords with Microsoft LAPS"" recommendation recommends periodically running and reviewing the Microsoft LAPS usage report that identifies all Windows based devices not protected by Microsoft LAPS. This can help reduce the compromise of local administrator accounts. +Because this is a recommendations and not actually enforced coupled with being limited to sensitive accounts, the assessed score is Minimal. ",T1078.001,Default Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,T1078,0 +818,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. 
We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,False,0 -403,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +819,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,False,0 -404,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +820,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Partial,True,0 -405,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Partial,,0 +821,"This control's ""Turn on sign-in risk policy"" and ""Turn on user risk policy"" recommendations recommend enabling Azure AD Identity Protection which can detect the malicious usage of SAML Tokens. This is a recommendation and therefore the score is capped at Partial.",T1606.002,SAML Tokens,[],[],,Azure AD Identity Secure Score,technique-scores,Detect,Partial,T1606,0 +822,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,True,0 -406,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +823,"This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting Active Directory accounts which do not require Kerberos preauthentication. Preauthentication offers protection against offline (Kerberos) Password Cracking. +Because this is a recommendation its score is capped as Partial.",T1558.004,AS-REP Roasting,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1558,0 +824,"This control's ""Reduce lateral movement path risk to sensitive entities"" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks that may result in an adversary acquiring a golden ticket. It recommends running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities such as the KRBTGT on the domain controller. 
Because this is a recommendation, its score has been capped as Partial.",T1558.001,Golden Ticket,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1558,0 +825,"This control's ""Modify unsecure Kerberos delegations to prevent impersonation"" recommendation promotes running the ""Unsecure Kerberos delegation"" report that can identify accounts that have unsecure Kerberos delegation configured. Unsecured Kerberos delegation can lead to exposing account TGTs to more hosts resulting in an increased attack surface for Kerberoasting. Due to this control providing a recommendation its score is capped at Partial.",T1558.003,Kerberoasting,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1558,0 +826,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,False,0 -407,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,,0 +827,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1550,Use Alternate Authentication Material,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,True,0 -408,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1550,Use Alternate Authentication Material,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +828,"This control's ""Reduce lateral movement path risk to sensitive entities"" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. Because this is a recommendation, its score has been capped as Partial.",T1550.003,Pass the Ticket,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1550,0 +829,"This control's ""Reduce lateral movement path risk to sensitive entities"" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. 
Because this is a recommendation, its score has been capped as Partial.",T1550.002,Pass the Hash,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1550,0 +830,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,False,0 -409,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,,0 +831,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Partial,False,0 -410,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Partial,,0 +832,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
The following improvement actions were analyzed: Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
-All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Minimal,True,0 -411,"All scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. Due to the fact that a user's password is not checked against the banned list of passwords unless the user changes or resets their password (which is an infrequent event), there is still ample opportunity for attackers to utilize this technique to gain access. This is what prevented the score from being elevated to Significant. -",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Azure Active Directory Password Protection,technique-scores,Protect,Partial,True,0 -412,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,True,0 -413,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,True,0 -414,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,True,0 -415,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,False,0 -416,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,False,0 -417,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,True,0 -418,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,True,0 -419,,T1595,Active Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Partial,True,0 -420,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Significant,False,0 -421,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Detect,Significant,False,0 -422,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Partial,False,0 -423,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Detect,Partial,False,0 -424,,T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Minimal,True,0 -425,,T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web 
Application Firewall,technique-scores,Detect,Minimal,True,0 -426,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,True,0 -427,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1568,Dynamic Resolution,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,True,0 -428,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". 
Inventory-related data is uploaded every 48 hours.",T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,True,0 -429,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1041,Exfiltration Over C2 Channel,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,False,0 -430,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". 
Inventory-related data is uploaded every 48 hours.",T1566,Phishing,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,True,0 -431,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Just-in-Time VM Access,technique-scores,Protect,Minimal,False,0 -432,,T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Just-in-Time VM Access,technique-scores,Protect,Significant,False,0 -433,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Just-in-Time VM Access,technique-scores,Protect,Significant,True,0 -434,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,False,0 -435,All scores are capped at Partial since this 
control provides recommendations rather than applying/enforcing the recommended actions.,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,True,0 -436,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,True,0 -437,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Partial,False,0 -438,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1112,Modify Registry,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,False,0 -439,,T1110,Brute 
Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Passwordless Authentication,technique-scores,Protect,Significant,True,0 -440,,T1590,Gather Victim Network Information,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,True,0 -441,,T1595,Active Scanning,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,True,0 -442,,T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,False,0 -443,,T1205,Traffic Signaling,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,True,0 -444,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,False,0 -445,,T1018,Remote System Discovery,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,False,0 -446,,T1008,Fallback Channels,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,False,0 -447,,T1095,Non-Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,False,0 -448,,T1571,Non-Standard 
Port,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Significant,False,0 -449,,T1219,Remote Access Software,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,False,0 -450,,T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,True,0 -451,,T1568,Dynamic Resolution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Partial,True,0 -452,,T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,True,0 -453,,T1572,Protocol Tunneling,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,False,0 -454,,T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,False,0 -455,,T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts 
for DNS,technique-scores,Detect,Minimal,False,0 -456,,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation'],"['Azure Active Directory', 'Identity']",,Continuous Access Evaluation,technique-scores,Respond,Minimal,True,0 -457,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. -All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,False,0 -458,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. -All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,False,0 -459,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. 
Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. -All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,False,0 -460,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. -All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,False,0 -461,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. 
-All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,False,0 -462,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. -All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,False,0 -463,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. 
-All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,False,0 -464,,T1528,Steal Application Access Token,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,False,0 -465,,T1555,Credentials from Password Stores,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,False,0 -466,,T1552,Unsecured Credentials,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,False,0 -467,,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Minimal,False,0 -468,,T1199,Trusted Relationship,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,False,0 -469,,T1602,Data from Configuration Repository,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,True,0 -470,,T1542,Pre-OS Boot,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 
'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Minimal,True,0 -471,,T1563,Remote Service Session Hijacking,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,True,0 -472,,T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,True,0 -473,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,False,0 -474,,T1021,Remote Services,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,True,0 -475,,T1072,Software Deployment Tools,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,False,0 -476,,T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,False,0 -477,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Significant,False,0 -478,,T1571,Non-Standard Port,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Significant,False,0 -479,,T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic 
Analytics,technique-scores,Detect,Partial,True,0 -480,,T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,True,0 -481,,T1090,Proxy,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,True,0 -482,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1525,Implant Container Image,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Detect,Minimal,False,0 -483,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1548,Abuse Elevation Control Mechanism,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,True,0 -484,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,False,0 -485,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,False,0 -486,All scores are capped at Partial since this control provides 
recommendations rather than applying/enforcing the recommended actions.,T1083,File and Directory Discovery,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,False,0 -487,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1021,Remote Services,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,True,0 -488,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1005,Data from Local System,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,False,0 +All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Minimal,,0 +833,"This control's ""Remove unsecure SID history attributes from entities"" recommendation promotes running the ""Unsecure SID history attributes"" report periodically which can lead to identifying 
accounts with SID History attributes which Microsoft Defender for Identity profiles to be risky. Because this is a recommendation and not actually enforced, coupled with the detection its assessed score is capped at Partial. ",T1134.005,SID-History Injection,[],[],,Azure AD Identity Secure Score,technique-scores,Detect,Partial,T1134,0 +834,"All scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. Due to the fact that a user's password is not checked against the banned list of passwords unless the user changes or resets their password (which is an infrequent event), there is still ample opportunity for attackers to utilize this technique to gain access. This is what prevented the score from being elevated to Significant. +",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Azure Active Directory Password Protection,technique-scores,Protect,Partial,,0 +835,,T1110.001,Password Guessing,[],[],,Azure Active Directory Password Protection,technique-scores,Protect,Partial,T1110,0 +836,,T1110.002,Password Cracking,[],[],,Azure Active Directory Password Protection,technique-scores,Protect,Partial,T1110,0 +837,,T1110.003,Password Spraying,[],[],,Azure Active Directory Password Protection,technique-scores,Protect,Partial,T1110,0 +838,,T1110.004,Credential Stuffing,[],[],,Azure Active Directory Password Protection,technique-scores,Protect,Partial,T1110,0 +839,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,,0 +840,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,,0 +841,This control may quarantine and/or delete any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.,T1566.001,Spearphishing Attachment,[],[],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,T1566,0 +842,This control may detect any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.,T1566.001,Spearphishing Attachment,[],[],,Microsoft Antimalware for Azure,technique-scores,Detect,Partial,T1566,0 +843,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,,0 +844,This control monitors activity in cloud services and on virtual machines to block malware execution. This is dependent on a signature being available. ,T1204.002,Malicious File,[],[],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,T1204,0 +845,This control monitors activity in cloud services and on virtual machines to detect malware execution. This is dependent on a signature being available. ,T1204.002,Malicious File,[],[],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,T1204,0 +846,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,,0 +847,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,,0 +848,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,,0 +849,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,,0 +850,This control may quarantine and/or delete malware that has been packed by well known software packing utilities. 
These utilities can provide signatures that apply to a variety of malware.,T1027.002,Software Packing,[],[],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,T1027,0 +851,This control may detect malware that has been packed by well known software packing utilities. These utilities can provide signatures that apply to a variety of malware.,T1027.002,Software Packing,[],[],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,T1027,0 +852,,T1595,Active Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Partial,,0 +853,Focuses on web vulnerability scanning of OWASP Core Rule Set (CRS).,T1595.002,Vulnerability Scanning,[],[],,Azure Web Application Firewall,technique-scores,Protect,Partial,T1595,0 +854,,T1595.002,Vulnerability Scanning,[],[],,Azure Web Application Firewall,technique-scores,Detect,Partial,T1595,0 +855,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Significant,,0 +856,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Detect,Significant,,0 +857,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Partial,,0 +858,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Detect,Partial,,0 +859,,T1071,Application Layer 
Protocol,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Minimal,,0 +860,,T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Detect,Minimal,,0 +861,This control can protect web applications from protocol attacks that may be indicative of adversary activity.,T1071.001,Web Protocols,[],[],,Azure Web Application Firewall,technique-scores,Protect,Partial,T1071,0 +862,This control can detect protocol attacks targeting web applications that may be indicative of adversary activity.,T1071.001,Web Protocols,[],[],,Azure Web Application Firewall,technique-scores,Detect,Partial,T1071,0 +863,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +864,This control can be used forensically to identify clients that communicated with identified C2 hosts.,T1071.004,DNS,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1071,0 +865,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. 
""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1568,Dynamic Resolution,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +866,This control can be used for after-the-fact analysis of potential fast-flux DNS C2,T1568.001,Fast Flux DNS,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1568,0 +867,This control can be used for after-the-fact analysis of potential fast-flux DNS C2,T1568.002,Domain Generation Algorithms,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1568,0 +868,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +869,This control can potentially be used to forensically identify exfiltration via DNS protocol.,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1048,0 +870,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. 
""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1041,Exfiltration Over C2 Channel,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +871,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1566,Phishing,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +872,"This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.",T1566.002,Spearphishing Link,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1566,0 +873,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Just-in-Time VM Access,technique-scores,Protect,Minimal,,0 +874,,T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for 
Servers']",,Just-in-Time VM Access,technique-scores,Protect,Significant,,0 +875,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Just-in-Time VM Access,technique-scores,Protect,Significant,,0 +876,"This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.",T1110.003,Password Spraying,[],[],,Just-in-Time VM Access,technique-scores,Protect,Significant,T1110,0 +877,"This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.",T1110.001,Password Guessing,[],[],,Just-in-Time VM Access,technique-scores,Protect,Significant,T1110,0 +878,"This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. 
Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.",T1110.004,Credential Stuffing,[],[],,Just-in-Time VM Access,technique-scores,Protect,Significant,T1110,0 +879,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,,0 +880,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,,0 +881,This control may provide recommendations to disable default accounts and restrict permissions for existing accounts.,T1078.001,Default Accounts,[],[],,SQL Vulnerability Assessment,technique-scores,Protect,Partial,T1078,0 +882,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,,0 +883,This control may scan for users with unnecessary access to SQL stored 
procedures.,T1505.001,SQL Stored Procedures,[],[],,SQL Vulnerability Assessment,technique-scores,Protect,Partial,T1505,0 +884,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Partial,,0 +885,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1112,Modify Registry,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,,0 +886,,T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Passwordless Authentication,technique-scores,Protect,Significant,,0 +887,This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.,T1110.004,Credential Stuffing,[],[],,Passwordless Authentication,technique-scores,Protect,Significant,T1110,0 +888,This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.,T1110.001,Password Guessing,[],[],,Passwordless Authentication,technique-scores,Protect,Significant,T1110,0 +889,This control provides significant protection against password based attacks by 
completing obviating the need for passwords by replacing it with passwordless credentials.,T1110.003,Password Spraying,[],[],,Passwordless Authentication,technique-scores,Protect,Significant,T1110,0 +890,This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.,T1110.002,Password Cracking,[],[],,Passwordless Authentication,technique-scores,Protect,Significant,T1110,0 +891,,T1590,Gather Victim Network Information,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +892,This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.,T1590.004,Network Topology,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1590,0 +893,This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.,T1590.005,IP Addresses,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1590,0 +894,This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.,T1590.006,Network Security Appliances,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1590,0 +895,,T1595,Active Scanning,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +896,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1595.001,Scanning IP Blocks,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1595,0 +897,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1595.002,Vulnerability Scanning,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1595,0 +898,,T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +899,,T1205,Traffic Signaling,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +900,"This control can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the firewall service level. This service typically applies to external traffic and not internal traffic and therefore lateral movement using this technique within a network is still possible. 
Due to this partial coverage, it has been scored as Partial.",T1205.001,Port Knocking,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1205,0 +901,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +902,,T1018,Remote System Discovery,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +903,,T1008,Fallback Channels,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +904,,T1095,Non-Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +905,,T1571,Non-Standard Port,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Significant,,0 +906,,T1219,Remote Access Software,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +907,,T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +908,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1048,0 +909,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1048,0 +910,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1048,0 +911,,T1568,Dynamic Resolution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Partial,,0 +912,"Detects ""random"" DNS name occurences, potentially indicative of Fast Flux or DGA. 
Potential false positives from benign ""random"" DNS names.",T1568.001,Fast Flux DNS,[],[],,Alerts for DNS,technique-scores,Detect,Partial,T1568,0 +913,"Detects ""random"" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign ""random"" DNS names.",T1568.002,Domain Generation Algorithms,[],[],,Alerts for DNS,technique-scores,Detect,Partial,T1568,0 +914,,T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,,0 +915,Can alert on anomalies and misuse of the DNS protocol.,T1071.004,DNS,[],[],,Alerts for DNS,technique-scores,Detect,Significant,T1071,0 +916,,T1572,Protocol Tunneling,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,,0 +917,,T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,,0 +918,,T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,,0 +919,,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation'],"['Azure Active Directory', 'Identity']",,Continuous Access Evaluation,technique-scores,Respond,Minimal,,0 +920,Security controls like Azure AD Identity Protection can raise a user's 
risk level asynchronously after they have used a valid account to access organizational data. This CAE control can respond to this change in the users risky state to terminate the user's access within minutes or enforce an additional authentication method such as MFA. This mitigates the impact of an adversary using a valid account. This is control only forces the user to re-authenticate and doesn't resolve the usage of a valid account (i.e. password change) and is therefore a containment type of response. ,T1078.004,Cloud Accounts,[],[],,Continuous Access Evaluation,technique-scores,Respond,Partial,T1078,0 +921,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. +All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +922,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. 
+All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +923,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. +All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +924,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. 
+All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +925,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. +All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +926,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. 
+All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +927,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. +All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +928,,T1528,Steal Application Access Token,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,,0 +929,,T1555,Credentials from Password Stores,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,,0 +930,,T1552,Unsecured Credentials,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,,0 
+931,,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Minimal,,0 +932,,T1199,Trusted Relationship,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +933,,T1602,Data from Configuration Repository,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +934,,T1602.001,SNMP (MIB Dump),[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1602,0 +935,,T1602.002,Network Device Configuration Dump,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1602,0 +936,,T1542,Pre-OS Boot,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Minimal,,0 +937,This control can be used to identify anomalous TFTP boot traffic.,T1542.005,TFTP Boot,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1542,0 +938,,T1563,Remote Service Session Hijacking,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +939,,T1563.002,RDP Hijacking,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1563,0 +940,,T1563.001,SSH Hijacking,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1563,0 +941,,T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +942,This control can identify anomalous traffic with respect specific ports (though it 
can't identify presence or lack of encryption).,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1048,0 +943,This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1048,0 +944,This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1048,0 +945,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +946,,T1021,Remote Services,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +947,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.006,Windows Remote Management,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +948,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.005,VNC,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +949,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.004,SSH,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +950,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.002,SMB/Windows Admin Shares,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +951,This control 
can detect anomalous traffic with respect to remote access protocols and groups.,T1021.001,Remote Desktop Protocol,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +952,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.003,Distributed Component Object Model,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +953,,T1072,Software Deployment Tools,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +954,,T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +955,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Significant,,0 +956,,T1571,Non-Standard Port,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Significant,,0 +957,,T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +958,This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).,T1071.004,DNS,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1071,0 +959,This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).,T1071.003,Mail Protocols,[],[],,Azure 
Network Traffic Analytics,technique-scores,Detect,Partial,T1071,0 +960,This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).,T1071.002,File Transfer Protocols,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1071,0 +961,,T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +962,,T1499.003,Application Exhaustion Flood,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1499,0 +963,,T1499.002,Service Exhaustion Flood,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1499,0 +964,,T1499.001,OS Exhaustion Flood,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1499,0 +965,,T1090,Proxy,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +966,,T1090.003,Multi-hop Proxy,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1090,0 +967,,T1090.002,External Proxy,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1090,0 +968,,T1090.001,Internal Proxy,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1090,0 +969,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1525,Implant Container Image,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Detect,Minimal,,0 +970,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1548,Abuse Elevation Control 
Mechanism,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +971,This control may provide recommendations to remove setuid and setguid permissions from container images. It may not be feasible to audit and remediate all binaries that have and require setuid and setguid permissions.,T1548.001,Setuid and Setgid,[],[],,Docker Host Hardening,technique-scores,Protect,Minimal,T1548,0 +972,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +973,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +974,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1083,File and Directory Discovery,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +975,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1021,Remote Services,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +976,This control may provide recommendations 
to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. This may not prevent attackers from installing a SSH server in containers or hosts.,T1021.004,SSH,[],[],,Docker Host Hardening,technique-scores,Protect,Minimal,T1021,0 +977,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1005,Data from Local System,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_attack_objects.csv new file mode 100644 index 00000000..69677dfe --- /dev/null +++ b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_attack_objects.csv 
@@ -0,0 +1,1476 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,score-category,score-value,related-score,metadata-key +0,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Partial,,0 +1,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Partial,,0 +2,"This control provides risk detections that can be used to detect suspicious uses of valid accounts, e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc. Microsoft utilizes machine learning and heuristic systems to reduce the false positive rate but there will be false positives. 
+The temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day).",T1078.004,Cloud Accounts,[],[],,Azure AD Identity Protection,technique-scores,Detect,Partial,T1078,0 +3,"Response Type: Eradication +Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.",T1078.004,Cloud Accounts,[],[],,Azure AD Identity Protection,technique-scores,Respond,Significant,T1078,0 +4,"When Azure Active Directory (AAD) Federation is configured for a tenant, an adversary that compromises a domain credential can use it to access (Azure) cloud resources. Identity Protection supports applying its risk detections (e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc.) to federated identities thereby providing detection mitigation for this risk. Because this detection is specific to an adversary utilizing valid domain credentials to access cloud resources and does not mitigate the usage of valid domain credentials to access on-premise resources, this detection has been scored as Partial. + +The temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day).",T1078.002,Domain Accounts,[],[],,Azure AD Identity Protection,technique-scores,Detect,Partial,T1078,0 +5,"Response Type: Containment +Supports risk detection responses such as blocking a user's access and enforcing MFA. 
These responses contain the impact of this sub-technique but do not eradicate it (by forcing a password reset).",T1078.002,Domain Accounts,[],[],,Azure AD Identity Protection,technique-scores,Respond,Partial,T1078,0 +6,,T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Partial,,0 +7,,T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Partial,,0 +8,This control supports detecting risky sign-ins and users that involve federated users and therefore can potentially alert on this activity. 
Not all alert types for this control support federated accounts therefore the detection coverage for this technique is partial.,T1606.002,SAML Tokens,[],[],,Azure AD Identity Protection,technique-scores,Detect,Partial,T1606,0 +9,"Response Type: Eradication +Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.",T1606.002,SAML Tokens,[],[],,Azure AD Identity Protection,technique-scores,Respond,Significant,T1606,0 +10,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Detect,Minimal,,0 +11,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection', 'https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328']","['Credentials', 'Azure Active Directory', 'Identity', 'Microsoft 365 Defender']",,Azure AD Identity Protection,technique-scores,Respond,Minimal,,0 +12,This control specifically provides detection of Password Spray attacks for Azure Active Directory accounts. 
Microsoft documentation states that this detection is based on a machine learning algorithm that has been improved with the latest improvement yielding a 100 percent increase in recall and 98 percent precision. The temporal factor for this detection is Partial as its detection is described as offline (i.e. detections may not show up in reporting for two to twenty-four hours).,T1110.003,Password Spraying,[],[],,Azure AD Identity Protection,technique-scores,Detect,Partial,T1110,0 +13,"Response Type: Eradication +Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in (such as Password Spray attack) manually and also supports automation via its user and sign-in risk policies.",T1110.003,Password Spraying,[],[],,Azure AD Identity Protection,technique-scores,Respond,Significant,T1110,0 +14,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +15,"This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. [seen multiple times]"".",T1078.003,Local Accounts,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1078,0 +16,"This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. 
[seen multiple times]"".",T1078.001,Default Accounts,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1078,0 +17,,T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +18,"This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: ""Detected anomalous mix of upper and lower case characters in command-line"", ""Detected encoded executable in command line data"", ""Detected obfuscated command line"", ""Detected suspicious combination of HTA and PowerShell"", ""Detected suspicious commandline arguments"", ""Detected suspicious commandline used to start all executables in a directory"", ""Detected suspicious credentials in commandline"", ""Dynamic PS script construction"", ""Suspicious PowerShell Activity Detected"", ""Suspicious PowerShell cmdlets executed"", ""Suspicious command execution"".",T1059.001,PowerShell,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1059,0 +19,"This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. 
The following alerts may be generated: ""Detected anomalous mix of upper and lower case characters in command-line"", ""Detected encoded executable in command line data"", ""Detected obfuscated command line"", ""Detected suspicious combination of HTA and PowerShell"", ""Detected suspicious commandline arguments"", ""Detected suspicious commandline used to start all executables in a directory"", ""Detected suspicious credentials in commandline"", ""Dynamic PS script construction"", ""Suspicious PowerShell Activity Detected"", ""Suspicious PowerShell cmdlets executed"", ""Suspicious command execution"".",T1059.003,Windows Command Shell,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1059,0 +20,,T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +21,"This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. The following alerts may be generated: ""Detected possible execution of keygen executable"", ""Detected possible execution of malware dropper"", ""Detected suspicious file creation"".",T1204.002,Malicious File,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1204,0 +22,,T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +23,"This control may detect when the Registry is leveraged to gain persistence. 
The following alerts may be generated: ""Windows registry persistence method detected"".",T1547.001,Registry Run Keys / Startup Folder,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1547,0 +24,,T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +25,"This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. The following alerts may be generated: ""Suspicious Account Creation Detected"".",T1136.001,Local Account,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1136,0 +26,,T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +27,"This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions or when a rare service group is executed under SVCHOST. 
The following alerts may be generated: ""Suspect service installation"".",T1543.003,Windows Service,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1543,0 +28,,T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +29,"This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: ""Suspicious Screensaver process executed"".",T1546.002,Screensaver,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1546,0 +30,"This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. The following alerts may be generated: ""Sticky keys attack detected"".",T1546.008,Accessibility Features,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1546,0 +31,,T1548,Abuse Elevation Control Mechanism,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +32,"This control may detect when User Account Control is bypassed by manipulating the Windows registry. There may be other methods to Bypass User Account Control which limits the score to Minimal. 
The following alerts may be generated: ""Detected change to a registry key that can be abused to bypass UAC""",T1548.002,Bypass User Account Control,[],[],,Alerts for Windows Machines,technique-scores,Detect,Minimal,T1548,0 +33,,T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +34,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.001,Dynamic-link Library Injection,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +35,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.002,Portable Executable Injection,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +36,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.003,Thread Execution Hijacking,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +37,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.005,Thread Local Storage,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +38,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.004,Asynchronous Procedure Call,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +39,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.011,Extra Window Memory Injection,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +40,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.012,Process Hollowing,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +41,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: ""Fileless attack technique detected"", ""Fileless attack behavior detected"", ""Fileless attack toolkit detected"", ""Suspicious SVCHOST process executed"".",T1055.013,Process Doppelgänging,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1055,0 +42,,T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +43,,T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +44,,T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +45,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +46,,T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender 
for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +47,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +48,,T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +49,,T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +50,,T1222,File and Directory Permissions Modification,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +51,"This control may detect the usage of cacls.exe to modify file and directory permissions. 
The following alerts may be generated: ""Detected suspicious use of Cacls to lower the security state of the system"".",T1222.001,Windows File and Directory Permissions Modification,[],[],,Alerts for Windows Machines,technique-scores,Detect,Minimal,T1222,0 +52,,T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +53,"This control may detect usage of the WindowPosition Registry value to hide application windows in non-visible sections of the desktop. The following alerts may be generated: ""Suspicious WindowPosition registry value detected"".",T1564.003,Hidden Window,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1564,0 +54,,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +55,"This control may detect modification of the Windows firewall through use of netsh.exe or using a method that matches a known threat actor. The following alerts may be generated: ""Malicious firewall rule created by ZINC server implant [seen multiple times]"", ""Detected suspicious new firewall rule"".",T1562.004,Disable or Modify System Firewall,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1562,0 +56,"This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. 
The following alerts may be generated: ""Detected the disabling of critical services"", ""Detected actions indicative of disabling and deleting IIS log files"".",T1562.001,Disable or Modify Tools,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1562,0 +57,,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +58,"This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: ""Detected suspicious file cleanup commands"", ""Suspicious Volume Shadow Copy Activity"".",T1070.004,File Deletion,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1070,0 +59,"This control may detect when an event log has been cleared or IIS logs have been deleted. 
The following alerts may be generated: ""Detected actions indicative of disabling and deleting IIS log files"", ""An event log was cleared"".",T1070.001,Clear Windows Event Logs,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1070,0 +60,,T1112,Modify Registry,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +61,,T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +62,,T1218,Signed Binary Proxy Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +63,"This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: ""Detected suspicious execution via rundll32.exe"", ""Detected suspicious combination of HTA and PowerShell"".",T1218.005,Mshta,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1218,0 +64,"This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. 
The following alerts may be generated: ""Detected suspicious execution via rundll32.exe"", ""Detected suspicious combination of HTA and PowerShell"".",T1218.011,Rundll32,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1218,0 +65,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +66,"This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. [seen multiple times]"", ""Successful brute force attack"", ""Suspicious authentication activity"".",T1110.003,Password Spraying,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1110,0 +67,"This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. [seen multiple times]"", ""Successful brute force attack"", ""Suspicious authentication activity"".",T1110.001,Password Guessing,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1110,0 +68,"This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: ""A logon from a malicious IP has been detected"", ""A logon from a malicious IP has been detected. 
[seen multiple times]"", ""Successful brute force attack"", ""Suspicious authentication activity"".",T1110.004,Credential Stuffing,[],[],,Alerts for Windows Machines,technique-scores,Detect,Significant,T1110,0 +69,,T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +70,"This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: ""Detected enabling of the WDigest UseLogonCredential registry key"".",T1003.004,LSA Secrets,[],[],,Alerts for Windows Machines,technique-scores,Detect,Minimal,T1003,0 +71,,T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +72,"This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. 
The following alerts may be generated: ""Suspected Kerberos Golden Ticket attack parameters observed"".",T1558.001,Golden Ticket,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1558,0 +73,,T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +74,"This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: ""Multiple Domain Accounts Queried"", ""Local Administrators group members were enumerated"".",T1087.001,Local Account,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1087,0 +75,"This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. 
The following alerts may be generated: ""Multiple Domain Accounts Queried"", ""Local Administrators group members were enumerated"".",T1087.002,Domain Account,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1087,0 +76,,T1082,System Information Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +77,,T1563,Remote Service Session Hijacking,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +78,"This control may detect RDP hijacking through use of the tscon.exe binary. 
The following alerts may be generated: ""Suspect integrity level indicative of RDP hijacking"", ""Suspect service installation"".",T1563.002,RDP Hijacking,[],[],,Alerts for Windows Machines,technique-scores,Detect,Partial,T1563,0 +79,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Partial,,0 +80,,T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +81,"This control may detect suspicious use of the Telegram tool for transferring malicious binaries across hosts. 
The following alerts may be generated: ""Detected potentially suspicious use of Telegram tool"".",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Alerts for Windows Machines,technique-scores,Detect,Minimal,T1048,0 +82,,T1489,Service Stop,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +83,,T1202,Indirect Command Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows']","['Azure Defender', 'Azure Defender for Servers', 'Windows']",,Alerts for Windows Machines,technique-scores,Detect,Minimal,,0 +84,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +85,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +86,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +87,"This control's ""Authentication to Linux machines should require SSH keys"" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.",T1110.001,Password Guessing,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1110,0 +88,"This control's ""Authentication to Linux machines should require SSH keys"" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.",T1110.003,Password Spraying,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1110,0 +89,"This control's ""Authentication to Linux machines should require SSH keys"" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.",T1110.004,Credential Stuffing,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1110,0 +90,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1542,Pre-OS Boot,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +91,"This control's ""Secure Boot should be enabled on your Linux virtual machine"" and ""Virtual machines should be attested for boot integrity health"" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.",T1542.001,System Firmware,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1542,0 +92,"This control's ""Secure Boot should be enabled on your Linux virtual machine"" and ""Virtual machines should be attested for boot integrity health"" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.",T1542.003,Bootkit,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1542,0 +93,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1499,Endpoint Denial of Service,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +94,"This control's ""Container CPU and memory limits should be enforced"" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.",T1499.001,OS Exhaustion Flood,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1499,0 +95,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +96,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +97,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +98,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.",T1098.004,SSH Authorized Keys,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1098,0 +99,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1554,Compromise Client Software Binary,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +100,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +101,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. 
Because this is a recommendation, its score is capped at Partial.",T1136.001,Local Account,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1136,0 +102,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +103,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1543.002,Systemd Service,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1543,0 +104,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +105,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1546.004,.bash_profile and .bashrc,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1546,0 +106,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +107,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1505.003,Web Shell,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1505,0 +108,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1222,File and Directory Permissions Modification,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +109,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1222,0 +110,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +111,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1564.001,Hidden Files and Directories,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1564,0 +112,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1564.005,Hidden File System,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1564,0 +113,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1564.006,Run Virtual Instance,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1564,0 +114,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. 
""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +115,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1053.003,Cron,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1053,0 +116,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1053.006,Systemd Timers,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1053,0 +117,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. 
""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1556,Modify Authentication Process,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +118,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.",T1556.003,Pluggable Authentication Modules,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1556,0 +119,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +120,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1074,Data Staged,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +121,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.",T1074.001,Local Data Staging,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1074,0 +122,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). 
Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +123,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +124,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). 
Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1565,Data Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +125,"This control's ""Immutable (read-only) root filesystem should be enforced for containers"" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. + +Likewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications. + +Due to it being a recommendation, its score is capped at Partial.",T1565.001,Stored Data Manipulation,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Partial,T1565,0 +126,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. 
+All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. +IoT related recommendations were not included in this mapping.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Minimal,,0 +127,"This control's ""Deprecated accounts should be removed from your subscription"" and ""Deprecated accounts with owner permissions should be removed from your subscription"" recommendation can lead to removing accounts that should not be utilized from your subscriptions thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed. +Likewise, the recommendations related to External account permissions can also mitigate this sub-technique. +Because these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.",T1078.004,Cloud Accounts,[],[],,Azure Security Center Recommendations,technique-scores,Protect,Minimal,T1078,0 +128,"Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. ""Azure Defender for App Service should be enabled""). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the ""Azure Security Center Recommendation"" tag. +All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions. 
+IoT related recommendations were not included in this mapping.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction']","['Azure Security Center', 'Azure Security Center Recommendation']",,Azure Security Center Recommendations,technique-scores,Protect,Partial,,0 +129,,T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Significant,,0 +130,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Minimal,,0 +131,"This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access. 
",T1078.004,Cloud Accounts,[],[],,Azure Defender for Storage,technique-scores,Detect,Significant,T1078,0 +132,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,,0 +133,,T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Respond,Partial,,0 +134,,T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,,0 +135,,T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Respond,Partial,,0 +136,,T1537,Transfer Data to Cloud Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Partial,,0 +137,,T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage']","['Azure Defender', 'Azure Security Center Recommendation']",,Azure Defender for Storage,technique-scores,Detect,Minimal,,0 +138,Detections are periodic at an unknown rate.,T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +139,"This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.",T1059.004,Unix Shell,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1059,0 +140,Detections are periodic at an unknown rate.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +141,Detections are periodic at an unknown rate.,T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +142,This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.,T1098.004,SSH Authorized Keys,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1098,0 +143,Detections are 
periodic at an unknown rate.,T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +144,This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.,T1547.006,Kernel Modules and Extensions,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1547,0 +145,Detections are periodic at an unknown rate.,T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +146,This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.,T1136.001,Local Account,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1136,0 +147,Detections are periodic at an unknown rate.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +148,This control may alert on usage of web shells. 
No documentation is provided on logic for this detection.,T1505.003,Web Shell,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,T1505,0 +149,Detections are periodic at an unknown rate.,T1564,Hide Artifacts,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +150,"This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.",T1564.001,Hidden Files and Directories,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,T1564,0 +151,"This control may alert on containers using privileged commands, running SSH servers, or running mining software.",T1564.006,Run Virtual Instance,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1564,0 +152,Detections are periodic at an unknown rate.,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +153,This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.,T1562.004,Disable or Modify System Firewall,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1562,0 +154,This control may alert on activity which disables auditd logging on Linux endpoints. 
The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.,T1562.006,Indicator Blocking,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,T1562,0 +155,Detections are periodic at an unknown rate.,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +156,"This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.",T1070.002,Clear Linux or Mac System Logs,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1070,0 +157,This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.,T1070.003,Clear Command History,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1070,0 +158,Detections are periodic at an unknown rate.,T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +159,This control may alert on suspicious compilation. 
No documentation is provided on the logic for determining a suspicious compilation event.,T1027.004,Compile After Delivery,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,T1027,0 +160,Detections are periodic at an unknown rate.,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +161,This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.,T1110.001,Password Guessing,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1110,0 +162,This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.,T1110.003,Password Spraying,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1110,0 +163,This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.,T1110.004,Credential Stuffing,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1110,0 +164,Detections are periodic at an unknown rate.,T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +165,"This control may alert on suspicious access to encrypted user passwords. 
The documentation does not reference ""/etc/passwd"" and ""/etc/shadow"" directly nor does it describe the logic in determining suspicious access.",T1003.008,/etc/passwd and /etc/shadow,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1003,0 +166,Detections are periodic at an unknown rate.,T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Minimal,,0 +167,"This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.",T1021.004,SSH,[],[],,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,T1021,0 +168,Detections are periodic at an unknown rate.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +169,Detections are periodic at an unknown rate.,T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux']","['Azure Defender', 'Linux']",,Linux auditd alerts and Log Analytics agent integration,technique-scores,Detect,Partial,,0 +170,,T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +171,"The following alerts are available for Windows Defender security features being disabled but none for third party security tools: ""Antimalware broad files exclusion in your virtual machine"", ""Antimalware disabled and code execution in your virtual machine"", ""Antimalware disabled in your virtual machine"", ""Antimalware file exclusion and code execution in your virtual machine"", ""Antimalware file exclusion in your virtual machine"", ""Antimalware real-time protection was disabled in your virtual machine"", ""Antimalware real-time protection was disabled temporarily in your virtual machine"", ""Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine"", ""Antimalware temporarily disabled in your virtual machine"", ""Antimalware unusual file exclusion in your virtual machine"".",T1562.001,Disable or Modify Tools,[],[],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,T1562,0 +172,,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,,0 +173,,T1538,Cloud Service Dashboard,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,,0 +174,,T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,,0 +175,,T1069,Permission Groups Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +176,"This control may alert on Permission Groups Discovery of Cloud Groups activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: ""MicroBurst exploitation toolkit used to enumerate resources in your subscriptions"", ""Azurite toolkit run detected"".",T1069.003,Cloud Groups,[],[],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,T1069,0 +177,,T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +178,"This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. 
The following alerts may be generated: ""PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables"", ""PowerZure exploitation toolkit used to enumerate resources"", ""MicroBurst exploitation toolkit used to enumerate resources in your subscriptions"", ""Azurite toolkit run detected"".",T1087.004,Cloud Account,[],[],,Azure Defender for Resource Manager,technique-scores,Detect,Partial,T1087,0 +179,,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +180,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager']",['Azure Defender'],,Azure Defender for Resource Manager,technique-scores,Detect,Minimal,,0 +181,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1199,Trusted Relationship,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +182,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1557,Man-in-the-Middle,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +183,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1602,Data from Configuration Repository,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +184,Can limit access to client management interfaces or configuration databases,T1602.002,Network Device Configuration Dump,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1602,0 +185,Can limit access to client management interfaces or configuration databases,T1602.001,SNMP (MIB Dump),[],[],,Network Security Groups,technique-scores,Protect,Partial,T1602,0 +186,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1542,Pre-OS Boot,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Minimal,,0 +187,This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.,T1542.005,TFTP Boot,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1542,0 +188,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Significant,,0 +189,"This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Network Security Groups,technique-scores,Protect,Significant,T1048,0 +190,"This control can reduce the protocols available for data exfiltration. 
Temporal immediate, coverage substantial.",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,Network Security Groups,technique-scores,Protect,Significant,T1048,0 +191,"This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Network Security Groups,technique-scores,Protect,Significant,T1048,0 +192,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +193,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +194,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.006,Windows Remote Management,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +195,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.005,VNC,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +196,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.004,SSH,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +197,This control can be used to restrict direct access to remote services to trusted networks. 
This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.003,Distributed Component Object Model,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +198,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.002,SMB/Windows Admin Shares,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +199,This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.,T1021.001,Remote Desktop Protocol,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1021,0 +200,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1072,Software Deployment Tools,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +201,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +202,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +203,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1046,Network Service Scanning,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +204,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1095,Non-Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +205,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1571,Non-Standard Port,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Significant,,0 +206,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1499,Endpoint Denial of Service,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +207,This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.,T1499.003,Application Exhaustion Flood,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1499,0 +208,This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.,T1499.002,Service Exhaustion Flood,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1499,0 +209,This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.,T1499.001,OS Exhaustion Flood,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1499,0 +210,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1570,Lateral Tool Transfer,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +211,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1498,Network Denial of Service,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +212,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +213,"This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.003,Multi-hop Proxy,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1090,0 +214,"This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.002,External Proxy,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1090,0 +215,"This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.",T1090.001,Internal Proxy,[],[],,Network Security Groups,technique-scores,Protect,Partial,T1090,0 +216,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +217,"Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.",T1205,Traffic Signaling,"['https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview', 'https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works', 'https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening']","['Adaptive Network Hardening', 'Azure Security Center Recommendation', 'Network']",,Network Security Groups,technique-scores,Protect,Partial,,0 +218,"This control can be used to implement whitelist based network rules that can mitigate variations of this sub-techniques that result in opening closed ports for communication. 
Because this control is able to drop traffic before reaching a compromised host, it can effectively mitigate this port knocking sub-technique.",T1205.001,Port Knocking,[],[],,Network Security Groups,technique-scores,Protect,Significant,T1205,0 +219,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +220,"The Azure Sentinel Hunting ""Rare processes run by Service accounts"" query can identify potential misuse of default accounts. 
Because this detection is specific to rare processes its coverage score is Minimal resulting in a Minimal score.",T1078.001,Default Accounts,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1078,0 +221,"The following Azure Sentinel Hunting queries can identify potential compromise of domain accounts based on access attempts and/or account usage: ""Suspicious Windows Login outside normal hours"", ""User account added or removed from security group by an unauthorized user"", ""User Account added to Built in Domain Local or Global Group"", ""User Login IP Address Teleportation"", ""User made Owner of multiple teams"", ""Tracking Privileged Account Rare Activity"", ""New Admin account activity which was not seen historically"", ""New client running queries"", ""New users running queries"", ""Non-owner mailbox login activity"", ""Powershell or non-browser mailbox login activity"", ""Rare User Agent strings"", ""Same IP address with multiple csUserAgent"" which may indicate that an account is being used from a new device, ""Rare domains seen in Cloud Logs"" when accounts from uncommon domains access or attempt to access cloud resources, ""Same User - Successful logon for a given App and failure on another App within 1m and low distribution"", ""Hosts with new logons"", ""Inactive or new account signins"", ""Long lookback User Account Created and Deleted within 10mins"", ""Anomalous Geo Location Logon"", and ""Anomalous Sign-in Activity"". 
+The following Azure Sentinel Analytics queries can identify potential compromise of domain accounts based on access attempts and/or account usage: ""Anomalous User Agent connection attempt"", ""New UserAgent observed in last 24 hours"" which may indicate that an account is being used from a new device, ""Anomalous sign-in location by user account and authenticating application"", ""Anomalous login followed by Teams action"", ""GitHub Signin Burst from Multiple Locations"", ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", ""Failed Host logons but success logon to AzureAD"", and ""Anomalous RDP Login Detections"".",T1078.002,Domain Accounts,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1078,0 +222,"The following Azure Sentinel Hunting queries can identify potential compromise of local accounts based on access attempts and/or account usage: ""Suspicious Windows Login outside normal hours"", ""User Login IP Address Teleportation"", ""User account added or removed from a security group by an unauthorized user"", ""User Account added to Built in Domain Local or Global Group"", ""User added to SQL Server SecurityAdmin Group"", ""User Role altered on SQL Server"", ""User made Owner of multiple teams"", ""Tracking Privileged Account Rare Activity"", and ""Anomalous Login to Devices"". 
+The following Azure Sentinel Analytics queries can identify potential compromise of local accounts based on access attempts and/or account usage: ""User account enabled and disabled within 10 mins"", ""Long lookback User Account Created and Deleted within 10mins"", ""Explicit MFA Deny"", ""Hosts with new logons"", ""Inactive or new account signins"", ""Anomalous SSH Login Detection"", and ""Anomalous RDP Login Detections"".",T1078.003,Local Accounts,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1078,0 +223,"The following Azure Sentinel Hunting queries can identify potential compromise of cloud accounts: ""New Admin account activity which was not seen historically"", ""New client running queries"", ""New users running queries"", ""User returning more data than daily average"", ""User Login IP Address Teleportation"", ""Non-owner mailbox login activity"", ""Powershell or non-browser mailbox login activity"", ""Rare User Agent strings"" and ""Same IP address with multiple csUserAgent"" which may indicate that an account is being used from a new device, ""Rare domains seen in Cloud Logs"", ""Same User - Successful logon for a given App and failure on another App within 1m and low distribution"", ""Anomalous Azure Active Directory Apps based on authentication location"", ""Anomalous Geo Location Logon"", ""Anomalous Sign-in Activity"", ""Azure Active Directory sign-in burst from multiple locations"", and ""Azure Active Directory signins from new locations"". 
+ +The following Azure Sentinel Analytics queries can identify potential compromise of cloud accounts: ""Anomalous User Agent connection attempt"" and ""New UserAgent observed in last 24 hours"", which may indicate that an account is being used from a new device which may belong to an adversary; ""Anomalous sign-in location by user account and authenticating application"", ""GitHub Signin Burst from Multiple Locations"", ""GitHub Activites from a New Country"", and ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", which may indicate adversary access from atypical locations; ""Azure Active Directory PowerShell accessing non-AAD resources"", ""Anomalous login followed by Teams action"", ""Login to AWS management console without MFA"", and ""Azure Active Directory PowerShell accessing non-AAD resources"" which may indicate an adversary attempting to use a valid account to access resources from other contexts. The ""Correlate Unfamiliar sign-in properties"" query can further enhance detection of anomalous activity.",T1078.004,Cloud Accounts,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1078,0 +224,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1195,Supply Chain Compromise,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +225,"The following Azure Sentinel Hunting queries can identify potentially malicious changes to Azure DevOps project resources: ""Azure DevOps - Project Visibility changed to public"" can identify a specific action that may be an indicator of an attacker modifying the cloud compute infrastructure. ""Azure DevOps - Public project created"" and ""Azure DevOps - Public project enabled by admin"" can identify specific instances of potential defense evasion. +The following Azure Sentinel Analytics queries can identify potentially malicious changes to Azure DevOps project resources: ""AzureDevops Service Connection Abuse"" can detect potential malicious behavior associated with use of large number of service connections, ""External Upstream Source added to Azure DevOps"" identifies a specific behavior that could compromise the DevOps build pipeline, ""Azure DevOps Pull Request Policy Bypassing - History"" can identify specific potentially malicious behavior that compromises the build process, ""Azure DevOps Pipeline modified by a New User"" identifies potentially malicious activity that could compromise the DevOps pipeline, ""Azure DevOps Administrator Group Monitoring"" monitors for specific activity which could compromise the build/release process, ""New Agent Added to Pool by New User or a New OS"" can detect a suspicious behavior that could potentially compromise DevOps pipeline.",T1195.001,Compromise Software Dependencies and Development Tools,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1195,0 +226,"The following capabilities of Azure Sentinel were mapped: Default list 
of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +227,"The ""Summary of user logons by logon type"" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. +The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""VIP account more than 6 failed logons in 10"", ""Multiple Failed Logon on SQL Server in Short time Span"", ""Permutations on logon attempts by UserPrincipalNames indicating potential brute force"", ""Potential IIS brute force"", ""Failed attempt to access Azure Portal"", ""Failed Login Attempt by Expired account"", ""Failed Logon Attempts on SQL Server"", ""Failed Logon on SQL Server from Same IPAddress in Short time Span"", ""Failed service logon attempt by user account with available AuditData"", ""Login attempt by Blocked MFA user"", ""Login spike with increase failure rate"", ""Attempts to sign-in to disabled accounts by IP address"", ""Attempts to sign-in to disabled accounts by account name"", ""Brute Force attack against Azure Portal"", and ""Anomalous Failed Logon"" +The following Azure Sentinel Analytics queries can identify potential attempts at credential 
brute force based on unsuccessful attempts: ""Brute force attack against Azure Portal"", ""Password spray attack against Azure AD application"", ""Successful logon from IP and failure from a different IP"", ""Failed logon attempts in authpriv"", ""Failed AzureAD logons but success logon to host"", ""Excessive Windows logon failures"", ""Failed login attempts to Azure Portal"", ""Failed logon attempts by valid accounts within 10 mins"", ""Brute Force Attack against GitHub Account"", ""Distributed Password cracking attempts in AzureAD"", ""Potential Password Spray Attack"" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, ""Attempts to sign in to disabled accounts"", ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", ""High count of failed logins by a user"", ""Hi count of failed attempts same client IP"", ""SSH - Potential Brute Force"", and ""SecurityEvent - Multiple authentication failures followed by success"".",T1110.001,Password Guessing,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1110,0 +228,"The ""Summary of user logons by logon type"" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. 
+The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""VIP account more than 6 failed logons in 10"", ""Multiple Failed Logon on SQL Server in Short time Span"", ""Permutations on logon attempts by UserPrincipalNames indicating potential brute force"", ""Potential IIS brute force"", ""Failed attempt to access Azure Portal"", ""Failed Login Attempt by Expired account"", ""Failed Logon Attempts on SQL Server"", ""Failed Logon on SQL Server from Same IPAddress in Short time Span"", ""Failed service logon attempt by user account with available AuditData"", ""Login attempt by Blocked MFA user"", ""Login spike with increase failure rate"", ""Attempts to sign-in to disabled accounts by IP address"", ""Attempts to sign-in to disabled accounts by account name"", ""Brute Force attack against Azure Portal"", and ""Anomalous Failed Logon"" +The following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""Brute force attack against Azure Portal"", ""Password spray attack against Azure AD application"", ""Successful logon from IP and failure from a different IP"", ""Failed logon attempts in authpriv"", ""Failed AzureAD logons but success logon to host"", ""Excessive Windows logon failures"", ""Failed login attempts to Azure Portal"", ""Failed logon attempts by valid accounts within 10 mins"", ""Brute Force Attack against GitHub Account"", ""Distributed Password cracking attempts in AzureAD"", ""Potential Password Spray Attack"" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, ""Attempts to sign in to disabled accounts"", ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", ""High count of failed logins by a user"", ""Hi count of failed attempts same client IP"", ""SSH - Potential Brute Force"", and ""SecurityEvent - Multiple authentication failures followed by 
success"".",T1110.003,Password Spraying,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1110,0 +229,"The ""Summary of user logons by logon type"" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. +The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""VIP account more than 6 failed logons in 10"", ""Multiple Failed Logon on SQL Server in Short time Span"", ""Permutations on logon attempts by UserPrincipalNames indicating potential brute force"", ""Potential IIS brute force"", ""Failed attempt to access Azure Portal"", ""Failed Login Attempt by Expired account"", ""Failed Logon Attempts on SQL Server"", ""Failed Logon on SQL Server from Same IPAddress in Short time Span"", ""Failed service logon attempt by user account with available AuditData"", ""Login attempt by Blocked MFA user"", ""Login spike with increase failure rate"", ""Attempts to sign-in to disabled accounts by IP address"", ""Attempts to sign-in to disabled accounts by account name"", ""Brute Force attack against Azure Portal"", and ""Anomalous Failed Logon"" +The following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: ""Brute force attack against Azure Portal"", ""Password spray attack against Azure AD application"", ""Successful logon from IP and failure from a different IP"", ""Failed logon attempts in authpriv"", ""Failed AzureAD logons but success logon to host"", ""Excessive Windows logon failures"", ""Failed login attempts to Azure Portal"", ""Failed logon attempts by valid accounts within 10 mins"", ""Brute Force Attack against GitHub Account"", ""Distributed Password cracking attempts in AzureAD"", ""Potential Password Spray Attack"" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, ""Attempts to sign in to disabled 
accounts"", ""Sign-ins from IPs that attempt sign-ins to disabled accounts"", ""High count of failed logins by a user"", ""Hi count of failed attempts same client IP"", ""SSH - Potential Brute Force"", and ""SecurityEvent - Multiple authentication failures followed by success"".",T1110.004,Credential Stuffing,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1110,0 +230,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +231,"The Azure Sentinel Hunting ""First access credential added to Application or Service Principal where no credential was present"" query can identify potentially malicious changes to Service Principal credentials. 
+The Azure Sentinel Analytics ""Credential added after admin consented to Application"" and ""New access credential added to Application or Service Principal"" queries can identify potentially malicious manipulation of additional cloud credentials.",T1098.001,Additional Cloud Credentials,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1098,0 +232,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +233,"The following Azure Sentinel Analytics queries can identify potentially malicious use of web protocols: ""Powershell Empire cmdlets seen in command line"" can identify use of Empire, which can perform command and control over protocols like HTTP and HTTPS. ""Request for single resource on domain"" can identify patterns that suggest possible command and control beaconing. 
The coverage for these queries is minimal resulting in an overall Minimal score.",T1071.001,Web Protocols,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1071,0 +234,"The following Azure Sentinel Hunting queries can identify potentially malicious use of DNS: ""RareDNSLookupWithDataTransfer"" [sic] can identify data transfer over DNS, though it is contingent on DNS traffic meeting the requirements to be considered rare. ""Abnormally Long DNS URI queries"" can identify suspicious DNS queries that may be indicative of command and control operations. ""DNS - domain anomalous lookup increase"", ""DNS Full Name anomalous lookup increase"", and ""DNS lookups for commonly abused TLDs"" can identify increases in domain lookups for a client IP and indicate malicious traffic or exfiltration of sensitive data.",T1071.004,DNS,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1071,0 +235,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +236,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. 
The Azure Sentinel Analytics ""SharePointFileOperation via previously unseen IPs"" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.",T1567.002,Exfiltration to Cloud Storage,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1567,0 +237,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Azure Sentinel Analytics ""SharePointFileOperation via previously unseen IPs"" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.",T1567.001,Exfiltration to Code Repository,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1567,0 +238,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1595,Active Scanning,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +239,"The Azure Sentinel Analytics ""High count of connections by client IP on many ports"" query can identify client IP addresses with 30 or more active ports used within a ten minute window, checked at a default frequency of once per hour, which may indicate scanning. 
Note that false positives are probable based on changes in usage patterns and/or misconfiguration, and this detection only works if scanning is not spread out over a longer timespan.",T1595.002,Vulnerability Scanning,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1595,0 +240,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +241,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +242,"The following Azure Sentinel Hunting queries can identify potential exfiltration: ""Abnormally long DNS URI queries"" can identify potential exfiltration via DNS. ""Multiple users email forwarded to same destination"" and ""Office Mail Forwarding - Hunting Version"" can detect potential exfiltration via email. +The Azure Sentinel Analytics ""Multiple users email forwarded to same destination"" query can detect potential exfiltration via email. The coverage for these queries is minimal resulting in an overall Minimal score.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1048,0 +243,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +244,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +245,"The Azure Sentinel Hunting ""Security Event Log Cleared"" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.",T1070.001,Clear Windows Event Logs,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1070,0 +246,"The Azure Sentinel Hunting ""Windows System Time changed on hosts"" query can detect potential timestomping activities. 
+The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which can timestomp files and/or payloads on a target machine to help them blend in.",T1070.006,Timestomp,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1070,0 +247,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +248,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which leverages PowerShell for the majority of its client-side agent tasks and can conduct PowerShell remoting. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.",T1059.001,PowerShell,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +249,"The Azure Sentinel Hunting ""Cscript script daily summary breakdown"" can detect potentially malicious scripting. The Azure Sentinel Hunting ""Hosts running a rare process with commandline"" query can identify uncommon command shell usage that may be malicious. 
+The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. The Azure Sentinel Analytics ""Base64 encoded Windows process command-lines"" query can identify Base64 encoded PE files being launched via the command line.",T1059.003,Windows Command Shell,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +250,"The Azure Sentinel Hunting ""Rare process running on a Linux host"" query can identify uncommon shell usage that may be malicious.",T1059.004,Unix Shell,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +251,"The Azure Sentinel Hunting ""Cscript script daily summary breakdown"" can detect potentially malicious scripting. The Azure Sentinel Hunting ""Hosts running a rare process with commandline"" query can identify uncommon command shell usage that may be malicious.",T1059.007,JavaScript/JScript,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +252,"The Azure Sentinel Hunting ""Cscript script daily summary breakdown"" can detect potentially malicious scripting. The Azure Sentinel Hunting ""Hosts running a rare process with commandline"" query can identify uncommon command shell usage that may be malicious.",T1059.005,Visual Basic,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +253,"The Azure Sentinel Hunting ""Cscript script daily summary breakdown"" can detect potentially malicious scripting. The Azure Sentinel Hunting ""Hosts running a rare process with commandline"" query can identify uncommon command shell usage that may be malicious.",T1059.006,Python,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1059,0 +254,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +255,"The following Azure Sentinel Hunting queries can identify potentially malicious access to SharePoint: ""SharePointFileOperation via clientIP with previously unseen user agents"", ""SharePointFileOperation via devices with previously unseen user agents"", and ""SharePointFileOperation via previously unseen IPs"". +The Azure Sentinel Analytics ""SharePointFileOperation via devices with previously unseen user agents"" query can identify a high number of upload or download actions by an unknown and possible malicious actor.",T1213.002,Sharepoint,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1213,0 +256,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +257,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1018,Remote System Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +258,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1136,Create Account,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +259,"The Azure Sentinel Hunting ""New User created on SQL Server"" query can detect a specific type of potentially malicious local account creation. +The following Azure Sentinel Analytics queries can identify potentially malicious local account creation: ""Summary of users created using uncommon/undocumented commandline switches"" which can identify use of the net command to create user accounts, ""User created by unauthorized user"", ""User Granted Access and associated audit activity"" and ""User Granted Access and Grants others Access"" which may identify account creation followed by suspicious behavior, ""User account created and deleted within 10 mins"" which suggests an account may have existed only long enough to fulfill a malicious purpose, and ""Powershell Empire cmdlets seen in command line"" which can identify use of Empire, including for account creation.",T1136.001,Local Account,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1136,0 +260,"The following Azure Sentinel Analytics queries can identify potentially malicious domain account creation: ""Summary of users created using uncommon/undocumented commandline switches"" which can identify use of the net command to create user accounts, ""User created by unauthorized user"", ""User Granted Access and associated audit activity"" and ""User Granted Access and Grants others Access"" which may identify account creation followed by suspicious behavior, ""User account created and deleted within 10 mins"" which suggests an account may have existed only long enough to fulfill a malicious purpose, and ""Powershell Empire 
cmdlets seen in command line"" which can identify use of Empire, including for account creation.",T1136.002,Domain Account,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1136,0 +261,"The Azure Sentinel Hunting queries can identify potentially malicious cloud account creation: ""External user added and removed in short timeframe"" and ""External user from a new organisation added"" can identify the addition of new external Teams user accounts. +The following Azure Sentinel Analytics queries can identify potentially malicious cloud account creation: ""User Granted Access and created resources"" which identifies a newly created user account gaining access and creating resources in Azure, and ""New Cloud Shell User"".",T1136.003,Cloud Account,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1136,0 +262,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1114,Email Collection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +263,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can identify use of Empire, which has the ability to collect emails on a target system. 
The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.",T1114.001,Local Email Collection,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1114,0 +264,"The Azure Sentinel Hunting ""Suspect Mailbox Export on IIS/OWA"" query can identify potential malicious exfiltration hosting via IIS. The Azure Sentinel Hunting ""Host Exporting Mailbox and Removing Export"" query can identify potential exfiltration of data from Exchange servers. The coverage for these queries is minimal resulting in an overall Minimal score.",T1114.002,Remote Email Collection,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1114,0 +265,"The Azure Sentinel Hunting ""Mail redirect via ExO transport rule"" query can detect potentially malicious email redirection, but is limited to Exchange servers only.",T1114.003,Email Forwarding Rule,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1114,0 +266,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +267,"The Azure Sentinel Hunting ""Web shell command alert enrichment"", ""Web shell Detection"", and ""Web shell file alert enrichment"" queries can identify potentially malicious activity via web shell.",T1505.003,Web Shell,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1505,0 +268,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1573,Encrypted Channel,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +269,"The following Azure Sentinel Analytics queries can detect potentially malicious usage of asymmetric cryptography channels: ""DNS events related to ToR proxies"" can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc. 
""Powershell Empire cmdlets seen in command line"" can identify use of Empire, which can use TLS to encrypt a command and control channel.",T1573.002,Asymmetric Cryptography,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1573,0 +270,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +271,"The Azure Sentinel Analytics ""DNS events related to ToR proxies"" query can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc.",T1090.003,Multi-hop Proxy,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1090,0 +272,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1562,Impair Defenses,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +273,"The following Azure Sentinel Hunting queries can identify potentially malicious modifications to Sentinel resources: ""Azure Sentinel Analytics Rules Administrative Operations"", ""Azure Sentinel Connectors Administrative Operations"", and ""Azure Sentinel Workbooks Administrative Operations"". +The Azure Sentinel Analytics ""Starting or Stopping HealthService to Avoid Detection"" query can detect potentially malicious disabling of telemetry collection/detection. +The coverage for these queries is minimal resulting in an overall Minimal score.",T1562.001,Disable or Modify Tools,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1562,0 +274,"The Azure Sentinel Analytics ""Audit policy manipulation using auditpol utility"" query can detect potentially malicious to modification and/or disabling of logging via the auditpol utility. The coverage for these queries is minimal (specific to Audit policy) resulting in an overall Minimal score.",T1562.002,Disable Windows Event Logging,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1562,0 +275,"The Azure Sentinel Hunting ""Azure Sentinel Analytics Rules Administrative Operations"" query can identify potential attempts to impair defenses by changing or deleting detection analytics. +The Azure Sentinel Analytics ""Azure DevOps - Retention Reduced to Zero"" query can identify that an adversary is looking to reduce their malicious activity's footprint by preventing retention of artifacts. Control is specific to indicators produced by Azure DevOps. 
The coverage for these queries is minimal resulting in an overall Minimal score.",T1562.006,Indicator Blocking,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1562,0 +276,"The following Azure Sentinel Hunting queries can identify potentially malicious modifications to cloud firewall resources: ""Azure Network Security Group NSG Administrative Operations"" query can identify potential defensive evasion involving changing or disabling network access rules. ""Port opened for an Azure Resource"" may indicate an adversary increasing the accessibility of a resource for easier collection/exfiltration. +The Azure Sentinel Analytics ""Security Service Registry ACL Modification"" query can detect attempts to modify registry ACLs, potentially done to evade security solutions.",T1562.007,Disable or Modify Cloud Firewall,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1562,0 +277,"The Azure Sentinel Analytics ""Exchange AuditLog disabled"" query can detect potentially malicious disabling of Exchange logs. The Azure Sentinel Analytics ""Azure DevOps Audit Stream Disabled"" query can identify disabling of Azure DevOps log streaming. The coverage for these queries is minimal (specific to these technologies) resulting in an overall Minimal score.",T1562.008,Disable Cloud Logs,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1562,0 +278,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +279,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +280,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1568,Dynamic Resolution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +281,"The Azure Sentinel Hunting ""Potential DGA detected"" query can detect clients with a high NXDomain count, which might indicate an adversary cycling through possible C2 domains where most C2s are not live. +The following Azure Sentinel Analytics queries can identify potential use of domain generation algorithms: ""Possible contact with a domain generated by a DGA"" and ""Potential DGA detected"" within DNS.",T1568.002,Domain Generation Algorithms,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1568,0 +282,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +283,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1137,Office Application Startup,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +284,"The following Azure Sentinel Analytics queries can identify potentially malicious use of Outlook rules: ""Office policy tampering"", ""Malicious Inbox Rule"" which can detect rules intended to delete emails that contain certain keywords (generally meant to warn compromised users about adversary behaviors), and ""Mail redirect via ExO transport rule"" (potentially to an adversary mailbox configured to collect mail).",T1137.005,Outlook Rules,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1137,0 +285,"The Azure Sentinel Hunting ""Previously unseen bot or applicaiton added to Teams"" [sic] query can detect the addition of a potentially malicious add-in, but is specific to 
Microsoft Teams.",T1137.006,Add-ins,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1137,0 +286,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +287,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +288,"Azure Sentinel Analytics includes a ""Potential Kerberoasting"" query. 
Kerberoasting via Empire can also be detected using the Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query.",T1558.003,Kerberoasting,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1558,0 +289,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect execution of these sub-techniques via Empire, but does not address other procedures.",T1558.001,Golden Ticket,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1558,0 +290,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect execution of these sub-techniques via Empire, but does not address other procedures.",T1558.002,Silver Ticket,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1558,0 +291,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1047,Windows Management Instrumentation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +292,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1046,Network Service Scanning,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +293,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +294,"The Azure Sentinel Hunting ""anomalous RDP Activity"" query can detect potential lateral +movement employing RDP. 
+ +The following Azure Sentinel Analytics queries can identify potentially malicious use +of RDP: +""Anomalous RDP Login Detections"", ""Multiple RDP connections from Single Systems"", +""Rare RDP Connections"", and ""RDP Nesting"".",T1021.001,Remote Desktop Protocol,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1021,0 +295,"The Azure Sentinel Hunting ""Anomalous Resource Access"" query can identify potential lateral movement via use of valid accounts to access network shares (Windows Event 4624:3).",T1021.002,SMB/Windows Admin Shares,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1021,0 +296,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can utilize Invoke-DCOM to leverage remote COM execution for lateral movement, but does not address other procedures.",T1021.003,Distributed Component Object Model,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1021,0 +297,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which contains modules for executing commands over SSH as well as in-memory VNC agent injection, but does not address other procedures. Azure Sentinel Analytics also provides a ""New internet-exposed SSH endpoints"" query. +The coverage for these queries is minimal resulting in an overall Minimal score.",T1021.004,SSH,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1021,0 +298,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Protect,Minimal,,0 +299,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +300,"The Azure Sentinel Analytics ""Azure DevOps - Variable Secret Not Secured"" query can identify credentials stored in the build process and protect against future credential access by suggesting that they be moved to a secret or stored in KeyVault before they can be accessed by an adversary. +The coverage for these queries is minimal resulting in an overall Minimal score.",T1552.001,Credentials In Files,[],[],,Azure Sentinel,technique-scores,Protect,Minimal,T1552,0 +301,"The Azure Sentinel Hunting ""Query looking for secrets"" query can identify potentially malicious database requests for secrets like passwords or other credentials. 
+The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use various modules to search for files containing passwords, but does not address other procedures. +The coverage for these queries is minimal resulting in an overall Minimal score.",T1552.001,Credentials In Files,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1552,0 +302,"The Azure Sentinel Analytics ""ADFS DKM Master Key Export"" and ""ADFS Key Export (Sysmon)"" queries can detect potentially malicious access intended to decrypt access tokens. The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use modules to extract private key and session information, but does not address other procedures. +The coverage for these queries is minimal (specific to Empire, ADFS) resulting in an overall Minimal score.",T1552.004,Private Keys,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1552,0 +303,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1590,Gather Victim Network Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +304,"The Azure Sentinel Analytics ""Rare client observed with high reverse DNS lookup count"" query can detect if a particular IP is observed performing an unusually high number of reverse DNS lookups and has not been observed doing so previously.",T1590.002,DNS,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1590,0 +305,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1548,Abuse Elevation Control Mechanism,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +306,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which includes various modules to attempt to bypass UAC for privilege escalation, but does not address other procedures.",T1548.002,Bypass User Account Control,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1548,0 +307,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +308,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.",T1134.002,Create Process with Token,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1134,0 +309,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.",T1134.005,SID-History Injection,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1134,0 +310,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +311,"The Azure Sentinel Hunting ""Enumeration of users and groups"" query can identify potentially malicious account discovery through the use of the net tool. +The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.",T1087.002,Domain Account,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1087,0 +312,"The Azure Sentinel Hunting ""Enumeration of users and groups"" query can identify potentially malicious account discovery through the use of the net tool. +The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.",T1087.001,Local Account,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1087,0 +313,"The Azure Sentinel Analytics ""Mail.Read Permissions Granted to Application"" query can identify applications that may have been abused to gain access to mailboxes.",T1087.003,Email Account,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1087,0 +314,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
+Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1560,Archive Collected Data,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +315,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +316,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.",T1547.005,Security Support Provider,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1547,0 +317,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.",T1547.009,Shortcut Modification,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1547,0 +318,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.",T1547.001,Registry Run Keys / Startup Folder,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1547,0 +319,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
+Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1217,Browser Bookmark Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +320,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1115,Clipboard Data,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +321,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +322,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.",T1543.003,Windows Service,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1543,0 +323,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +324,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can extract passwords from common web browsers including Firefox and Chrome, but does not address other procedures.",T1555.003,Credentials from Web Browsers,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1555,0 +325,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1484,Domain Policy Modification,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Partial,,0 +326,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can modify group policy objects to install and execute malicious scheduled tasks, but does not address other procedures.",T1484.001,Group Policy Modification,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1484,0 +327,"The Azure Sentinel Analytics ""Modified Domain Federation Trust Settings"" query can detect potentially malicious changes to domain trust settings.",T1484.002,Domain Trust Modification,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1484,0 +328,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +329,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1546,Event Triggered Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +330,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can leverage WMI debugging to remotely replace binaries like seth.exe, utilman.exe, and magnify.exe with cmd.exe, but does not address other procedures.",T1546.008,Accessibility Features,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1546,0 +331,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1041,Exfiltration Over C2 Channel,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +332,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +333,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. 
+Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +334,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1083,File and Directory Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +335,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1574,Hijack Execution Flow,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +336,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.",T1574.001,DLL Search Order Hijacking,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1574,0 +337,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.",T1574.007,Path Interception by PATH Environment Variable,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1574,0 +338,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.",T1574.008,Path Interception by Search Order Hijacking,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1574,0 +339,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path 
interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.",T1574.009,Path Interception by Unquoted Path,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1574,0 +340,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1056,Input Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +341,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.",T1056.001,Keylogging,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1056,0 +342,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.",T1056.004,Credential API Hooking,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1056,0 +343,"The following capabilities of Azure Sentinel were 
mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1557,Man-in-the-Middle,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +344,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks, but does not address other procedures.",T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1557,0 +345,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1106,Native API,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +346,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1135,Network Share Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +347,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +348,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +349,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +350,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which contains an implementation of Mimikatz to gather credentials from memory, but does not address other procedures.",T1003.001,LSASS Memory,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1003,0 +351,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1057,Process Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +352,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
+Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +353,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +354,"The Azure Sentinel Hunting ""Editing Linux scheduled tasks through Crontab"" query can detect potentially malicious modification of cron jobs.",T1053.003,Cron,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1053,0 +355,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can interact with the Windows task scheduler, but does not address other procedures.",T1053.005,Scheduled Task,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1053,0 +356,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +357,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1518,Software Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +358,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can enumerate antivirus software on the target, but does not address other procedures.",T1518.001,Security Software Discovery,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1518,0 +359,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
+Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1082,System Information Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +360,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1016,System Network Configuration Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +361,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1049,System Network Connections Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +362,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1569,System Services,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +363,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use PsExec to execute a payload on a remote host, but does not address other procedures.",T1569.002,Service Execution,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1569,0 +364,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
+Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1127,Trusted Developer Utilities Proxy Execution,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +365,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use abuse trusted utilities including MSBuild.exe, but does not address other procedures.",T1127.001,MSBuild,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1127,0 +366,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1550,Use Alternate Authentication Material,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +367,"The Azure Sentinel Analytics ""Azure DevOps - PAT used with Browser."" query can identify potentially malicious usage of Personal Access Tokens intended for code or applications to be used through the web browser.",T1550.001,Application Access Token,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1550,0 +368,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can perform pass the hash attacks, but does not address other procedures.",T1550.002,Pass the Hash,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1550,0 +369,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1125,Video Capture,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +370,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1102,Web Service,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +371,"The Azure Sentinel Analytics ""Powershell Empire cmdlets seen in command line"" query can detect the use of Empire, which can use Dropbox and GitHub for command and control, but does not address other procedures.",T1102.002,Bidirectional Communication,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1102,0 +372,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. 
+Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1556,Modify Authentication Process,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +373,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1080,Taint Shared Content,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +374,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1074,Data Staged,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +375,"The Azure Sentinel Analytics ""Malware in the recycle bin"" query can detect local hidden malware.",T1074.001,Local Data Staging,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1074,0 +376,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1490,Inhibit System Recovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +377,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +378,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +379,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +380,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1036,Masquerading,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +381,"The Azure Sentinel Hunting ""Exes with double file extension and access summary"" can identify malicious executable files that have been hidden as other file types.",T1036.004,Masquerade Task or Service,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1036,0 +382,"The Azure Sentinel Hunting ""Masquerading Files"" and ""Rare Process Path"" queries can detect an adversary attempting to make malicious activity blend in with legitimate commands and files. 
The Azure Sentinel Hunting ""Azure DevOps Display Name Changes"" query can detect potentially maliicous changes to the DevOps user display name.",T1036.005,Match Legitimate Name or Location,[],[],,Azure Sentinel,technique-scores,Detect,Partial,T1036,0 +383,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1578,Modify Cloud Compute Infrastructure,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +384,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +385,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +386,"The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries +Queries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping. +Azure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours. +Azure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.",T1069,Permission Groups Discovery,"['https://docs.microsoft.com/en-us/azure/sentinel/overview', 'https://docs.microsoft.com/en-us/azure/sentinel/hunting']","['Analytics', 'Threat Hunting']",,Azure Sentinel,technique-scores,Detect,Minimal,,0 +387,"The Azure Sentinel Hunting ""Enumeration of users and groups"" query can identify potentially malicious group discovery through the use of the net tool.",T1069.002,Domain Groups,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1069,0 +388,"The Azure Sentinel Hunting ""Enumeration of users and groups"" query can identify potentially malicious group discovery through the use of the net tool.",T1069.001,Local Groups,[],[],,Azure Sentinel,technique-scores,Detect,Minimal,T1069,0 +389,"Most scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. 
But given sufficient resources, an adversary may still successfully execute the attack vectors included in this mapping.",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Azure AD Password Policy,technique-scores,Protect,Partial,,0 +390,The password restrictions provided by the default Password policy along with the lockout threshold and duration settings is an effective protection against this Password Guessing sub-technique.,T1110.001,Password Guessing,[],[],,Azure AD Password Policy,technique-scores,Protect,Significant,T1110,0 +391,"The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector. +In regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).",T1110.002,Password Cracking,[],[],,Azure AD Password Policy,technique-scores,Protect,Partial,T1110,0 +392,"The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector. 
+In regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).",T1110.004,Credential Stuffing,[],[],,Azure AD Password Policy,technique-scores,Protect,Partial,T1110,0 +393,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1087,Account Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +394,"The following alert of this control is able to detect domain account discovery: ""Account enumeration reconnaissance (external ID 2003)"". This shouldn't occur frequently and therefore the false positive rate should be minimal. +The ""Security principal reconnaissance (LDAP) (external ID 2038)"" alert is also relevant and its machine learning capabilities should reduce the false positive rate. 
+The ""User and IP address reconnaissance (SMB) (external ID 2012)"" alert can also provide a detection on a variation of this sub-technique.",T1087.002,Domain Account,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1087,0 +395,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1482,Domain Trust Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +396,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1201,Password Policy Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +397,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1069,Permission Groups Discovery,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +398,"This control's ""Security principal reconnaissance (LDAP) (external ID 2038)"" alert can be used to detect when an adversary ""perform suspicious LDAP enumeration queries or queries targeted to sensitive groups that use methods not previously observed."" This 
alert employs machine learning which should reduce the number of false positives. +Additionally, this control's ""User and Group membership reconnaissance (SAMR) (external ID 2021)"" alert can detect this sub-technique and also employs machine learning which should reduce the false-positive rate.",T1069.002,Domain Groups,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1069,0 +399,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1210,Exploitation of Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +400,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1550,Use Alternate Authentication Material,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,,0 +401,"This control's ""Suspected identity theft (pass-the-hash) (external ID 2017)"" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned. 
+This control's ""Suspected identity theft (pass-the-ticket) (external ID 2018)"" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.",T1550.002,Pass the Hash,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1550,0 +402,"This control's ""Suspected identity theft (pass-the-hash) (external ID 2017)"" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned. +This control's ""Suspected identity theft (pass-the-ticket) (external ID 2018)"" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.",T1550.003,Pass the Ticket,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1550,0 +403,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1557,Man-in-the-Middle,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +404,"This control's ""Suspected NTLM relay attack (Exchange account) (external ID 2037)"" alert can detect NTLM relay attack specific to the Exchange service. 
Because this detection is limited to this variation of the sub-technique, its coverage score is Minimal resulting in an overall Minimal score.",T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1557,0 +405,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1110,Brute Force,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,,0 +406,"This control's ""Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)"" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives. +Similarly, its ""Suspected Brute Force attack (LDAP) (external ID 2004)"" alert can detect brute force attacks using LDAP simple binds. +The ""Suspected Brute Force attack (SMB) (external ID 2033)"" alert is also relevant but the details are sparse.",T1110.003,Password Spraying,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1110,0 +407,"This control's ""Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)"" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives. +Similarly, its ""Suspected Brute Force attack (LDAP) (external ID 2004)"" alert can detect brute force attacks using LDAP simple binds. 
+The ""Suspected Brute Force attack (SMB) (external ID 2033)"" alert is also relevant but the details are sparse.",T1110.001,Password Guessing,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1110,0 +408,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1558,Steal or Forge Kerberos Tickets,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,,0 +409,"This control's ""Suspected Kerberos SPN exposure (external ID 2410)"" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack. +Similarly its ""Suspected AS-REP Roasting attack (external ID 2412)"" alert is able to detect AS-REP Roasting sub-technique. +The accuracy of these alerts is unknown and therefore its score has been assessed as Partial.",T1558.003,Kerberoasting,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1558,0 +410,"This control's ""Suspected Kerberos SPN exposure (external ID 2410)"" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack. 
+Similarly its ""Suspected AS-REP Roasting attack (external ID 2412)"" alert is able to detect AS-REP Roasting sub-technique. +The accuracy of these alerts is unknown and therefore its score has been assessed as Partial.",T1558.004,AS-REP Roasting,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1558,0 +411,This control has numerous alerts that can detect Golden Ticket attacks from multiple perspectives. The accuracy of these alerts is unknown resulting in a partial score.,T1558.001,Golden Ticket,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1558,0 +412,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1133,External Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +413,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1555,Credentials from Password Stores,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +414,"This control's ""Malicious request of Data Protection API master key (external ID 2020)"" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. DPAPI is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data. 
This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage resulting in a Minimal score.",T1555.003,Credentials from Web Browsers,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1555,0 +415,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1047,Windows Management Instrumentation,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +416,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1059,Command and Scripting Interpreter,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +417,"This control's ""Remote code execution attempt (external ID 2019)"" alert can detect Remote code execution via Powershell. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. 
Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.",T1059.001,PowerShell,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1059,0 +418,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1021,Remote Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +419,"This control's ""Remote code execution attempt (external ID 2019)"" alert can detect Remote code execution via Psexec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. +This control's ""Data exfiltration over SMB (external ID 2030)"" alert may also be able to detect exfiltration of sensitive data on domain controllers using SMB. 
+",T1021.002,SMB/Windows Admin Shares,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1021,0 +420,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1569,System Services,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +421,"This control's ""Remote code execution attempt (external ID 2019)"" alert can detect Remote code execution via Psexec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.",T1569.002,Service Execution,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1569,0 +422,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1207,Rogue Domain Controller,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Significant,,0 +423,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1003,OS Credential 
Dumping,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +424,"This control's ""Suspected DCSync attack (replication of directory services) (external ID 2006)"" alert can detect DCSync attacks. The false positive rate should be low due to the identity of domain controllers on the network changing infrequently and therefore replication requests received from non-domain controllers should be a red flag.",T1003.006,DCSync,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Significant,T1003,0 +425,"The documentation for this control's ""Data exfiltration over SMB (external ID 2030)"" alert implies that it may be able to detect the transfer of sensitive data such as the Ntds.dit on monitored domain controllers. This is specific to domain controllers and therefore results in a reduced coverage score.",T1003.003,NTDS,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1003,0 +426,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1556,Modify Authentication Process,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +427,"This control's ""Suspected skeleton key attack (encryption downgrade) (external ID 2010)"" alert can detect skeleton attacks. This alert provides partial protection as it detects on a specific type of malware, Skeleton malware, and its usage of weaker encryption algorithms to hash the user's passwords on the domain controller. 
The description of the alert implies it utilizes machine learning to look for anomalous usage of weak encryption algorithms which should result in a reduced false positive rate.",T1556.001,Domain Controller Authentication,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1556,0 +428,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1098,Account Manipulation,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Partial,,0 +429,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1543,Create or Modify System Process,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +430,"This control's ""Suspicious service creation (external ID 2026)"" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization. 
As a result of this detecting being specific to these hosts, the coverage score is Minimal resulting in Minimal detection.",T1543.003,Windows Service,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Minimal,T1543,0 +431,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +432,"This control's ""Suspicious communication over DNS (external ID 2031)"" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions. The accuracy of this control is unknown and therefore its score has been assessed as Partial.",T1071.004,DNS,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1071,0 +433,"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.",T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/defender-for-identity/what-is'],"['Credentials', 'DNS', 'Identity', 'Microsoft 365 Defender', 'Windows']",,Microsoft Defender for Identity,technique-scores,Detect,Minimal,,0 +434,"This control's ""Suspicious communication over DNS (external ID 2031)"" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions. 
The accuracy of this control is unknown and therefore its score has been assessed as Partial.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Microsoft Defender for Identity,technique-scores,Detect,Partial,T1048,0 +435,This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. ,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv']","['Azure Defender', 'Azure Security Center Recommendation', 'Credentials']",,Azure Defender for Key Vault,technique-scores,Detect,Minimal,,0 +436,This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. ,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv']","['Azure Defender', 'Azure Security Center Recommendation', 'Credentials']",,Azure Defender for Key Vault,technique-scores,Detect,Partial,,0 +437,,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,,0 +438,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure 
Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Protect,Partial,,0 +439,,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,,0 +440,,T1070,Indicator Removal on Host,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Kubernetes,technique-scores,Detect,Partial,,0 +441,,T1204,User Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,,0 +442,"Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial.",T1204.002,Malicious File,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1204,0 +443,,T1036,Masquerading,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,,0 +444,"Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. 
Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.",T1036.005,Match Legitimate Name or Location,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1036,0 +445,"Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial.",T1036.006,Space after Filename,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1036,0 +446,"Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. Events are calculated once every twelve hours, so its temporal score is Partial.",T1036.001,Invalid Code Signature,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1036,0 +447,,T1553,Subvert Trust Controls,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Minimal,,0 +448,"Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. 
Events are calculated once every twelve hours, so its temporal score is Partial.",T1553.002,Code Signing,[],[],,Adaptive Application Controls,technique-scores,Detect,Partial,T1553,0 +449,,T1554,Compromise Client Software Binary,['https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Adaptive Application Controls,technique-scores,Detect,Partial,,0 +450,Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. This mapping specifically deals with MFA when it is enabled as a security default.,T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Credentials', 'Identity', 'Passwords', 'MFA']",,Azure AD Multi-Factor Authentication,technique-scores,Protect,Significant,,0 +451,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.001,Password Guessing,[],[],,Azure AD Multi-Factor Authentication,technique-scores,Protect,Significant,T1110,0 +452,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.003,Password Spraying,[],[],,Azure AD Multi-Factor Authentication,technique-scores,Protect,Significant,T1110,0 +453,"MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.",T1110.004,Credential Stuffing,[],[],,Azure AD Multi-Factor 
Authentication,technique-scores,Protect,Significant,T1110,0 +454,Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. This mapping specifically deals with MFA when it is enabled as a security default.,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Credentials', 'Identity', 'Passwords', 'MFA']",,Azure AD Multi-Factor Authentication,technique-scores,Protect,Minimal,,0 +455,MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. This is an incomplete protection measure though as the adversary may also have obtained credentials enabling bypassing the additional authentication method. ,T1078.004,Cloud Accounts,[],[],,Azure AD Multi-Factor Authentication,technique-scores,Protect,Partial,T1078,0 +456,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1557,Man-in-the-Middle,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,,0 +457,"This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.",T1557.002,ARP Cache Poisoning,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1557,0 +458,"This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.",T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1557,0 +459,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1565,Data Manipulation,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Minimal,,0 +460,"This control reduces the likelihood of data manipulation for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.",T1565.002,Transmitted Data Manipulation,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1565,0 +461,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1499,Endpoint Denial of Service,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,,0 +462,,T1499.004,Application or System Exploitation,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1499,0 +463,,T1499.003,Application Exhaustion Flood,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1499,0 +464,,T1499.002,Service Exhaustion Flood,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1499,0 +465,,T1499.001,OS Exhaustion Flood,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1499,0 +466,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1498,Network Denial of Service,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,,0 +467,,T1498.002,Reflection Amplification,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1498,0 +468,,T1498.001,Direct Network Flood,[],[],,Azure Private Link,technique-scores,Protect,Partial,T1498,0 +469,"This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.",T1040,Network Sniffing,['https://docs.microsoft.com/azure/private-link/private-link-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Private Link,technique-scores,Protect,Partial,,0 +470,Note there is also a Managed HSM service.,T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Minimal,,0 +471,Provides significant protection of private keys.,T1552.004,Private Keys,[],[],,Azure Dedicated HSM,technique-scores,Protect,Significant,T1552,0 +472,Note there is also a Managed HSM service.,T1588,Obtain Capabilities,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Partial,,0 +473,Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.,T1588.004,Digital Certificates,[],[],,Azure Dedicated HSM,technique-scores,Protect,Partial,T1588,0 +474,Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.,T1588.003,Code Signing Certificates,[],[],,Azure Dedicated HSM,technique-scores,Protect,Partial,T1588,0 +475,Note there is also a Managed HSM service.,T1553,Subvert Trust Controls,"['https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview', 'https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/']",['Credentials'],,Azure Dedicated HSM,technique-scores,Protect,Partial,,0 +476,Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.,T1553.004,Install Root Certificate,[],[],,Azure Dedicated HSM,technique-scores,Protect,Partial,T1553,0 +477,Certificate credentials can be vaulted in an HSM thereby reducing its attack 
surface.,T1553.002,Code Signing,[],[],,Azure Dedicated HSM,technique-scores,Protect,Partial,T1553,0 +478,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1195,Supply Chain Compromise,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +479,This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.,T1195.002,Compromise Software Supply Chain,[],[],,Azure Automation Update Management,technique-scores,Protect,Partial,T1195,0 +480,This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.,T1195.001,Compromise Software Dependencies and Development Tools,[],[],,Azure Automation Update Management,technique-scores,Protect,Partial,T1195,0 +481,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1072,Software Deployment Tools,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +482,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1210,Exploitation of Remote Services,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +483,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
",T1211,Exploitation for Defense Evasion,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +484,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1068,Exploitation for Privilege Escalation,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +485,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +486,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1212,Exploitation for Credential Access,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +487,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1203,Exploitation for Client Execution,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Significant,,0 +488,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
",T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +489,This control provides significant protection against Denial of Service (DOS) attacks that leverage system/application vulnerabilities as opposed to volumetric attacks since it enables automated updates of software and rapid configuration change management.,T1499.004,Application or System Exploitation,[],[],,Azure Automation Update Management,technique-scores,Protect,Significant,T1499,0 +490,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1554,Compromise Client Software Binary,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +491,"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ",T1189,Drive-by Compromise,['https://docs.microsoft.com/en-us/azure/automation/update-management/overview'],"['Linux', 'Windows']",,Azure Automation Update Management,technique-scores,Protect,Partial,,0 +492,,T1584,Compromise Infrastructure,['https://docs.microsoft.com/en-us/azure/dns/dns-alias#prevent-dangling-dns-records'],"['DNS', 'Network']",,Azure DNS Alias Records,technique-scores,Protect,Minimal,,0 +493,"Alias records prevent dangling references by tightly coupling the life cycle of a DNS record with an Azure resource. For example, consider a DNS record that's qualified as an alias record to point to a public IP address or a Traffic Manager profile. If you delete those underlying resources, the DNS alias record becomes an empty record set. It no longer references the deleted resource. 
This control is effective for protecting DNS records that resolve to Azure resources but does not offer protection for records pointing to non-Azure resources, resulting in a Partial score.",T1584.001,Domains,[],[],,Azure DNS Alias Records,technique-scores,Protect,Partial,T1584,0 +494,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1087,Account Discovery,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,,0 +495,This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery.,T1087.004,Cloud Account,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1087,0 +496,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,,0 +497,This control can be used to implement the least-privilege principle for account management and thereby limit what an adversary can do with a valid account.,T1078.004,Cloud Accounts,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1078,0 +498,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1136,Create Account,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Minimal,,0 +499,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can create accounts.,T1136.003,Cloud Account,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1136,0 +500,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +501,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.,T1098.001,Additional Cloud Credentials,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1098,0 +502,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.,T1098.003,Add Office 365 Global Administrator Role,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1098,0 +503,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1578,Modify Cloud Compute Infrastructure,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +504,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.,T1578.001,Create Snapshot,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1578,0 +505,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.,T1578.002,Create Cloud Instance,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1578,0 +506,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.,T1578.003,Delete Cloud Instance,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1578,0 +507,This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.,T1578.004,Revert Cloud Instance,[],[],,Role Based Access Control,technique-scores,Protect,Partial,T1578,0 +508,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1580,Cloud Infrastructure Discovery,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +509,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1538,Cloud Service Dashboard,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +510,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.,T1530,Data from Cloud Storage Object,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +511,RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.,T1528,Steal Application Access Token,['https://docs.microsoft.com/en-us/azure/role-based-access-control/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Role Based Access Control,technique-scores,Protect,Partial,,0 +512,"This control is still in preview, so its coverage will likely expand in the future. This mapping is based on its current (preview) state.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections', 'https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection']","['Azure Security Center', 'Database']",,Alerts for Azure Cosmos DB,technique-scores,Detect,Minimal,,0 +513,"This control triggers an alert when there is a change in the access pattern to an Azure Cosmos account based on access from an unusual geographical location. False positives are fairly likely and misuse from a typical location is not covered, so score is Minimal. Relevant alert is ""Access from an unusual location to a Cosmos DB account""",T1078.004,Cloud Accounts,[],[],,Alerts for Azure Cosmos DB,technique-scores,Detect,Minimal,T1078,0 +514,"This control is still in preview, so its coverage will likely expand in the future. This mapping is based on its current (preview) state.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections', 'https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection']","['Azure Security Center', 'Database']",,Alerts for Azure Cosmos DB,technique-scores,Detect,Minimal,,0 +515,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
+The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1053,Scheduled Task/Job,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Significant,,0 +516,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1053.001,At (Linux),[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +517,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. 
+",T1053.002,At (Windows),[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +518,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1053.003,Cron,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +519,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1053.005,Scheduled Task,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +520,"This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1053.006,Systemd Timers,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1053,0 +521,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. 
This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +522,"This control may detect changes to the SSH authorized keys file which may indicate establishment of persistence. This control at worst scans for changes on an hourly basis. +",T1098.004,SSH Authorized Keys,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1098,0 +523,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1547,Boot or Logon Autostart Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +524,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.001,Registry Run Keys / Startup Folder,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +525,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.002,Authentication Package,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +526,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.003,Time Providers,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +527,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.004,Winlogon Helper DLL,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +528,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.005,Security Support Provider,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +529,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. 
This control at worst scans for changes on an hourly basis. +",T1547.006,Kernel Modules and Extensions,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +530,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.008,LSASS Driver,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +531,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.009,Shortcut Modification,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +532,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.010,Port Monitors,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +533,"This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis. +",T1547.012,Print Processors,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1547,0 +534,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. 
Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1037,Boot or Logon Initialization Scripts,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +535,"This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis. +",T1037.001,Logon Script (Windows),[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1037,0 +536,"This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis. +",T1037.003,Network Logon Script,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1037,0 +537,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. 
Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1543,Create or Modify System Process,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +538,"This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1543.002,Systemd Service,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1543,0 +539,"This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1543.003,Windows Service,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1543,0 +540,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
+The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1546,Event Triggered Execution,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +541,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.001,Change Default File Association,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +542,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.002,Screensaver,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +543,"This control may detect changes to the Windows registry or files that indicate event triggered execution. 
The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.004,.bash_profile and .bashrc,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +544,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.007,Netsh Helper DLL,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +545,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.008,Accessibility Features,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +546,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.009,AppCert DLLs,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +547,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. 
+",T1546.011,Application Shimming,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +548,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.012,Image File Execution Options Injection,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +549,"This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1546.013,PowerShell Profile,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1546,0 +550,"The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives. +",T1546.010,AppInit DLLs,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1546,0 +551,"The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives. +",T1546.015,Component Object Model Hijacking,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1546,0 +552,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
+The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1574,Hijack Execution Flow,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +553,"This control may detect changes to the ld.so.preload file which may indicate an attempt to hijack execution flow. This sub-technique may also be utilized through an environment variable which this control may not detect. This control at worst scans for changes on an hourly basis. +",T1574.006,LD_PRELOAD,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1574,0 +554,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. 
Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1137,Office Application Startup,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +555,"This control may detect changes to the Windows registry to establish persistence with the Office Test sub-technique. The specificity of registry keys involved may reduce the false positive rate. This control at worst scans for changes on an hourly basis. +",T1137.002,Office Test,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1137,0 +556,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. 
+",T1548,Abuse Elevation Control Mechanism,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +557,"Some UAC bypass methods rely on modifying specific, user-accessible Registry settings that can be monitored using this control. Overall, there are numerous other bypass methods that do not result in Registry modification that this control will not be effective in detection resulting in a low detection coverage factor.",T1548.002,Bypass User Account Control,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1548,0 +558,"This control may detect changes to the sudoers file which may indicate privilege escalation. This control at worst scans for changes on an hourly basis. +",T1548.003,Sudo and Sudo Caching,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1548,0 +559,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. 
+",T1556,Modify Authentication Process,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +560,The Registry key used to register a Password Filter DLL can be monitored for changes using this control providing substantial coverage of this sub-technique. This key should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.,T1556.002,Password Filter DLL,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1556,0 +561,The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.,T1556.003,Pluggable Authentication Modules,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1556,0 +562,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. 
+",T1003,OS Credential Dumping,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +563,This control can be used to detect the Windows Security Support Provider (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently and therefore false positives should be minimal. ,T1003.001,LSASS Memory,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1003,0 +564,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. 
+",T1222,File and Directory Permissions Modification,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +565,This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.,T1222.001,Windows File and Directory Permissions Modification,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1222,0 +566,This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.,T1222.002,Linux and Mac File and Directory Permissions Modification,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1222,0 +567,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1562,Impair Defenses,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Minimal,,0 +568,"This control can be used to monitor Registry keys related to security software or event logging processes that can detect when an adversary attempts to disable these tools via modifying or deleting Registry keys. A majority of the cited procedure examples for this sub-technique are related to killing security processes rather than modifying the Registry, and therefore the detection coverage for this control is low.",T1562.001,Disable or Modify Tools,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1562,0 +569,There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.,T1562.004,Disable or Modify System Firewall,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1562,0 +570,There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.,T1562.006,Indicator Blocking,[],[],,File Integrity Monitoring,technique-scores,Detect,Minimal,T1562,0 +571,"The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. +The detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. 
This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis. +",T1553,Subvert Trust Controls,['https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'],"['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender', 'Azure Defender for Servers', 'Windows', 'Linux']",,File Integrity Monitoring,technique-scores,Detect,Partial,,0 +572,"This control can detect modifications made to the Registry keys used to register Windows Subject Interface Packages (SIPs). Because this sub-technique can be accomplished without modifying the Registry via DLL Search Order Hijacking, it has been scored as Partial. The related Registry keys should not change often and therefore the false positive rate should be minimal. This control at worst scans for changes on an hourly basis.",T1553.003,SIP and Trust Provider Hijacking,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1553,0 +573,This control can be used to detect when the system root certificates has changed by detecting the corresponding Registry or File system modifications that occur as a result. These root certificates should not change often and therefore the false positive rate is minimal. This control at worst scans for changes on an hourly basis.,T1553.004,Install Root Certificate,[],[],,File Integrity Monitoring,technique-scores,Detect,Partial,T1553,0 +574,"Azure Backup service provides defense against destruction/manipulation of data at rest. 
Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1485,Data Destruction,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,,0 +575,"Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1486,Data Encrypted for Impact,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,,0 +576,"Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1491,Defacement,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,,0 +577,Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.,T1491.002,External Defacement,[],[],,Azure Backup,technique-scores,Respond,Significant,T1491,0 +578,Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.,T1491.001,Internal Defacement,[],[],,Azure Backup,technique-scores,Respond,Significant,T1491,0 +579,"Azure Backup service provides defense against destruction/manipulation of data at rest. 
Scoring as ""Significant"" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.",T1561,Disk Wipe,['https://docs.microsoft.com/en-us/azure/backup/backup-overview'],['Azure Security Center Recommendation'],,Azure Backup,technique-scores,Respond,Significant,,0 +580,Data backups provide a significant response to disk content wipe attacks by enabling the restoration of data from backup.,T1561.001,Disk Content Wipe,[],[],,Azure Backup,technique-scores,Respond,Significant,T1561,0 +581,"Allows for recovery of disk content, though Disk structure wipes require additional procedures for recovery.",T1561.002,Disk Structure Wipe,[],[],,Azure Backup,technique-scores,Respond,Partial,T1561,0 +582,,T1552,Unsecured Credentials,['https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview'],"['Azure Active Directory', 'Azure Security Center Recommendation', 'Identity']",,Managed identities for Azure resources,technique-scores,Protect,Minimal,,0 +583,"This control provides an alternative to hard-coding credentials for accessing Azure services in application code. This control only protects credentials for accessing Azure services and not other credential types, resulting in a Partial coverage score.",T1552.001,Credentials In Files,[],[],,Managed identities for Azure resources,technique-scores,Protect,Partial,T1552,0 +584,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +585,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +586,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1590,Gather Victim Network Information,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +587,,T1590.002,DNS,[],[],,Azure Policy,technique-scores,Protect,Partial,T1590,0 +588,,T1590.004,Network Topology,[],[],,Azure Policy,technique-scores,Protect,Partial,T1590,0 +589,,T1590.005,IP Addresses,[],[],,Azure Policy,technique-scores,Protect,Partial,T1590,0 +590,,T1590.006,Network Security Appliances,[],[],,Azure Policy,technique-scores,Protect,Partial,T1590,0 +591,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +592,This control may provide recommendations to audit and restrict privileges on Azure cloud accounts. This control may provide information to reduce surface area for privileged access to Azure.,T1078.004,Cloud Accounts,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1078,0 +593,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +594,"This control may recommend removing deprecated accounts, reducing privileges, and enabling multi-factor authentication. This can reduce the amount of accounts available to be exploited and what could be done with those accounts.",T1098.001,Additional Cloud Credentials,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1098,0 +595,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Detect,Minimal,,0 +596,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +597,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +598,This control may provide recommendations to enable other Azure controls that provide information on potentially exploitable SQL stored procedures. Recommendations to reduce unnecessary privileges from accounts and stored procedures can mitigate exploitable of this technique. ,T1505.001,SQL Stored Procedures,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1505,0 +599,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +600,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +601,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +602,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +603,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +604,"This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.",T1110.003,Password Spraying,[],[],,Azure Policy,technique-scores,Protect,Partial,T1110,0 +605,"This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.",T1110.001,Password Guessing,[],[],,Azure Policy,technique-scores,Protect,Partial,T1110,0 +606,"This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. 
This control can affect Azure, Azure cloud application, and endpoint credentials.",T1110.004,Credential Stuffing,[],[],,Azure Policy,technique-scores,Protect,Partial,T1110,0 +607,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +608,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +609,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1580,Cloud Infrastructure Discovery,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +610,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1538,Cloud Service Dashboard,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +611,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +612,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +613,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1021,Remote Services,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +614,This control may provide recommendations to restrict public access to Remote Desktop Protocol.,T1021.001,Remote Desktop Protocol,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1021,0 +615,This control may provide recommendations to restrict public SSH access and enable usage of SSH keys. ,T1021.004,SSH,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1021,0 +616,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Partial,,0 +617,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +618,This control may provide recommendations to enable Azure Defender for DNS which can monitor DNS queries between Azure applications for malicious traffic.,T1071.004,DNS,[],[],,Azure Policy,technique-scores,Protect,Minimal,T1071,0 +619,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1537,Transfer Data to Cloud Account,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +620,This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1485,Data Destruction,"['https://docs.microsoft.com/en-us/azure/governance/policy/overview', 'https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir']",['Azure Security Center Recommendation'],,Azure Policy,technique-scores,Protect,Minimal,,0 +621,"Associated with the Azure Security Center. 
+The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Significant,,0 +622,"This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.",T1110.003,Password Spraying,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Significant,T1110,0 +623,"This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.",T1110.001,Password Guessing,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Significant,T1110,0 +624,"This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.",T1110.004,Credential Stuffing,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Significant,T1110,0 +625,"Associated with the Azure Security Center. 
+The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,,0 +626,This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ,T1071.004,DNS,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,T1071,0 +627,This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ,T1071.003,Mail Protocols,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,T1071,0 +628,This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ,T1071.002,File Transfer Protocols,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,T1071,0 +629,This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ,T1071.001,Web Protocols,[],[],,Azure Alerts for Network Layer,technique-scores,Detect,Minimal,T1071,0 +630,"Associated with the Azure Security Center. 
+The alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).",T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer'],"['Analytics', 'Azure Security Center', 'Network']",,Azure Alerts for Network Layer,technique-scores,Detect,Partial,,0 +631,,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Minimal,,0 +632,"This control's Access Review feature supports scheduling a routine review of cloud account permission levels to look for those that could allow an adversary to gain wide access. This information can then be used to validate if such access is required and identify which (privileged) accounts should be monitored closely. This reduces the availability of valid accounts to adversaries. 
This review would normally be scheduled periodically, at most weekly, and therefore its temporal score is Partial.",T1078.004,Cloud Accounts,[],[],,Azure AD Privileged Identity Management,technique-scores,Protect,Partial,T1078,0 +633,,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Partial,,0 +634,,T1098,Account Manipulation,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Detect,Minimal,,0 +635,This control can require MFA to be triggered when the Global Administrator role is assigned to an account or when the role is activated by a user.,T1098.003,Add Office 365 Global Administrator Role,[],[],,Azure AD Privileged Identity Management,technique-scores,Protect,Significant,T1098,0 +636,"This control can notify administrators whenever the Global Administrator role is assigned to an account and can therefore be used to detect the execution of this sub-technique. Assigning the Global Administrator role to an account is an infrequent operation and as a result, the false positive rate should be minimal.",T1098.003,Add Office 365 Global Administrator Role,[],[],,Azure AD Privileged Identity Management,technique-scores,Detect,Significant,T1098,0 +637,Privileged roles such as the Application Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. 
In addition these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.,T1098.001,Additional Cloud Credentials,[],[],,Azure AD Privileged Identity Management,technique-scores,Protect,Significant,T1098,0 +638,,T1136,Create Account,['https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure'],"['Azure Active Directory', 'Identity', 'MFA']",,Azure AD Privileged Identity Management,technique-scores,Protect,Minimal,,0 +639,"Privileged roles such as the User Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. In addition, these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.",T1136.003,Cloud Account,[],[],,Azure AD Privileged Identity Management,technique-scores,Protect,Significant,T1136,0 +640,,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Significant,,0 +641,,T1557,Man-in-the-Middle,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Significant,,0 +642,,T1557.002,ARP Cache Poisoning,[],[],,Azure VPN Gateway,technique-scores,Protect,Significant,T1557,0 +643,,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,[],[],,Azure VPN Gateway,technique-scores,Protect,Significant,T1557,0 +644,,T1565,Data Manipulation,['https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways'],['Network'],,Azure VPN Gateway,technique-scores,Protect,Partial,,0 +645,,T1565.002,Transmitted Data Manipulation,[],[],,Azure VPN Gateway,technique-scores,Protect,Significant,T1565,0 +646,,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 
'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,,0 +647,"This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases. ",T1078.004,Cloud Accounts,[],[],,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Partial,T1078,0 +648,,T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,,0 +649,,T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,,0 +650,"This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. 
Because this control is specific to Azure database offerings, the detection coverage is Minimal.",T1110.001,Password Guessing,[],[],,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,T1110,0 +651,"This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.",T1110.003,Password Spraying,[],[],,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,T1110,0 +652,"This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.",T1110.004,Credential Stuffing,[],[],,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,T1110,0 +653,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse']","['Azure Defender', 'Azure Defender for SQL', 'Azure Security Center', 'Azure Security Center Recommendation', 'Database']",,Advanced Threat Protection for Azure SQL Database,technique-scores,Detect,Minimal,,0 +654,,T1498,Network Denial of Service,['https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure DDOS Protection Standard,technique-scores,Protect,Significant,,0 +655,,T1498.002,Reflection Amplification,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1498,0 +656,,T1498.001,Direct Network Flood,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1498,0 
+657,,T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview'],"['Azure Security Center Recommendation', 'Network']",,Azure DDOS Protection Standard,technique-scores,Protect,Significant,,0 +658,,T1499.003,Application Exhaustion Flood,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1499,0 +659,,T1499.002,Service Exhaustion Flood,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1499,0 +660,,T1499.001,OS Exhaustion Flood,[],[],,Azure DDOS Protection Standard,technique-scores,Protect,Significant,T1499,0 +661,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1584,Compromise Infrastructure,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Protect,Minimal,,0 +662,"Subdomain hijacking is a focus of this control, and its Dangling DNS detection alert feature is activated when an App Service website is decommissioned and its corresponding DNS entry is not deleted, allowing users to remove those entries before they can be leveraged by an adversary.",T1584.001,Domains,[],[],,Azure Defender for App Service,technique-scores,Protect,Significant,T1584,0 +663,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +664,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +665,"This control monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin, all of which are relevant for detecting users' interactions with malicious download links, but malicious links which exploit browser vulnerabilities for execution are unlikely to be detected, and temporal factor is unknown, resulting in a score of Minimal.",T1204.001,Malicious 
Link,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1204,0 +666,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1140,Deobfuscate/Decode Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +667,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Protect,Minimal,,0 +668,"This control monitors for known phishing links on the Azure App Services website and generates alerts if they are detected, potentially preventing their access by users. 
This is a very specific avenue, only covers known links, and temporal factor is unknown, resulting in a Minimal score.",T1566.002,Spearphishing Link,[],[],,Azure Defender for App Service,technique-scores,Protect,Minimal,T1566,0 +669,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1059,Command and Scripting Interpreter,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +670,This control monitors host data for potential reverse shells used for command and control. Temporal factor is unknown.,T1059.004,Unix Shell,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1059,0 +671,This control monitors for execution of known malicious PowerShell PowerSploit cmdlets. Temporal factor is uknown.,T1059.001,PowerShell,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1059,0 +672,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +673,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1595,Active Scanning,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +674,"This control monitors for web fingerprinting tools including nmap and Blind Elephant, as well as scanners looking for vulnerability in applications like Drupal, Joomla, and WordPress. Temporal factor is unknown.",T1595.002,Vulnerability Scanning,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1595,0 +675,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1594,Search Victim-Owned Websites,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +676,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1055,Process Injection,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +677,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.",T1055.001,Dynamic-link Library Injection,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +678,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.002,Portable Executable Injection,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +679,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.003,Thread Execution Hijacking,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +680,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.004,Asynchronous Procedure Call,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +681,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.",T1055.005,Thread Local Storage,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +682,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.011,Extra Window Memory Injection,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +683,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.012,Process Hollowing,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +684,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.013,Process Doppelgänging,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +685,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.",T1055.008,Ptrace System Calls,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +686,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.009,Proc Memory,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +687,"Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.",T1055.014,VDSO Hijacking,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1055,0 +688,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +689,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +690,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +691,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +692,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +693,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +694,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +695,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1559,Inter-Process Communication,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Partial,,0 +696,This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.,T1559.001,Component Object Model,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1559,0 +697,This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.,T1559.002,Dynamic Data Exchange,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1559,0 +698,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1036,Masquerading,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +699,"This control analyzes host data to detect processes with suspicious names, including those named in a way that is suggestive of attacker tools that try to hide in plain sight. False positives are probable, and temporal factor is unknown.",T1036.005,Match Legitimate Name or Location,[],[],,Azure Defender for App Service,technique-scores,Detect,Partial,T1036,0 +700,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +701,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1087,Account Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +702,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via the Get-ProcessTokenGroup module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1087.001,Local Account,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1087,0 +703,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1123,Audio Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +704,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1547,Boot or Logon Autostart Execution,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +705,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Install-SSP module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1547.005,Security Support Provider,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1547,0 +706,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via New-UserPersistenceOption on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1547.001,Registry Run Keys / Startup Folder,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1547,0 +707,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1543,Create or Modify System Process,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +708,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1543.003,Windows Service,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1543,0 +709,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1555,Credentials from Password Stores,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +710,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1005,Data from Local System,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +711,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1482,Domain Trust Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +712,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1574,Hijack Execution Flow,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +713,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1574.001,DLL Search Order Hijacking,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1574,0 +714,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1574.007,Path Interception by PATH Environment Variable,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1574,0 +715,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1574.008,Path Interception by Search Order Hijacking,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1574,0 +716,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1574.009,Path Interception by Unquoted Path,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1574,0 +717,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1056,Input Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +718,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-Keystrokes Exfiltration module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1056.001,Keylogging,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1056,0 +719,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +720,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Find-AVSignature AntivirusBypass module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.",T1027.005,Indicator Removal from Tools,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1027,0 +721,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1003,OS Credential Dumping,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +722,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, so score is Minimal.",T1003.001,LSASS Memory,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1003,0 +723,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1057,Process Discovery,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +724,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1012,Query Registry,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +725,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1053,Scheduled Task/Job,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +726,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the New-UserPersistenceOption Persistence module on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1053.005,Scheduled Task,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1053,0 +727,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1113,Screen Capture,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +728,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +729,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via the Invoke-Kerberoast module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1558.003,Kerberoasting,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1558,0 +730,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +731,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and RegistryAutoLogon modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal.",T1552.002,Credentials in Registry,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1552,0 +732,"This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.",T1552.006,Group Policy Preferences,[],[],,Azure Defender for App Service,technique-scores,Detect,Minimal,T1552,0 +733,"The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.",T1047,Windows Management Instrumentation,"['https://docs.microsoft.com/en-us/azure/security-center/alerts-reference', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction', 'https://azure.microsoft.com/en-us/services/app-service/', 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction']","['Azure Defender', 'Azure Security Center', 'Azure Security Center Recommendation', 'Linux', 'Windows']",,Azure Defender for App Service,technique-scores,Detect,Minimal,,0 +734,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Significant,,0 +735,"Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.",T1110.001,Password Guessing,[],[],,Conditional Access,technique-scores,Protect,Significant,T1110,0 +736,"Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a 
password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.",T1110.002,Password Cracking,[],[],,Conditional Access,technique-scores,Protect,Significant,T1110,0 +737,"Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.",T1110.003,Password Spraying,[],[],,Conditional Access,technique-scores,Protect,Significant,T1110,0 +738,"Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.",T1110.004,Credential Stuffing,[],[],,Conditional Access,technique-scores,Protect,Significant,T1110,0 +739,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,,0 +740,"This control can protect against the abuse of valid cloud accounts by requiring MFA or blocking access altogether based on signals such as the user's IP location information, device compliance state, risky sign-in/user state (through integration with Azure AD Identity Protection). 
Additionally, session controls that can limit what a valid user can do within an app can also be triggered based on the aforementioned triggers.",T1078.004,Cloud Accounts,[],[],,Conditional Access,technique-scores,Protect,Significant,T1078,0 +741,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1074,Data Staged,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,,0 +742,"Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to collect and stage files. This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.",T1074.002,Remote Data Staging,[],[],,Conditional Access,technique-scores,Protect,Minimal,T1074,0 +743,"Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to collect and stage files. 
This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.",T1074.001,Local Data Staging,[],[],,Conditional Access,technique-scores,Protect,Minimal,T1074,0 +744,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1530,Data from Cloud Storage Object,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,,0 +745,"At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.",T1213,Data from Information Repositories,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview'],"['Azure Active Directory', 'Identity', 'MFA']",,Conditional Access,technique-scores,Protect,Minimal,,0 +746,"Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint with no ability to download, print, or sync files. Furthermore, with its integration with Microsoft Cloud App Security, it can even restrict cut, copy and paste operations. This can impede an adversary's ability to collect valuable information and/or files from the application. 
This protection is partial as it doesn't prohibit an adversary from potentially viewing sensitive information and manually collecting it, for example simply writing down information by hand.",T1213.002,Sharepoint,[],[],,Conditional Access,technique-scores,Protect,Partial,T1213,0 +747,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +748,"This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. +Relevant alerts include ""Activity from anonymous IP address"" , ""Activity from infrequent country"", ""Activity from suspicious IP address"", ""Impossible Travel"", and ""Activity performed by terminated user"".",T1078.004,Cloud Accounts,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1078,0 +749,"This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. +Relevant alerts include ""Activity from anonymous IP address"" , ""Activity from infrequent country"", ""Activity from suspicious IP address"", ""Impossible Travel"", and ""Activity performed by terminated user"".",T1078.002,Domain Accounts,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1078,0 +750,"This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. 
+Relevant alerts include ""Activity from anonymous IP address"" , ""Activity from infrequent country"", ""Activity from suspicious IP address"", ""Impossible Travel"", and ""Activity performed by terminated user"".",T1078.001,Default Accounts,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1078,0 +751,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +752,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1567,Exfiltration Over Web Service,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +753,This control can identify large volume potential exfiltration activity.,T1567.002,Exfiltration to Cloud Storage,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1567,0 +754,"This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. 
A relevant alert is ""Unusual file download (by user)"".",T1567.002,Exfiltration to Cloud Storage,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1567,0 +755,This control can identify large volume potential exfiltration activity.,T1567.001,Exfiltration to Code Repository,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1567,0 +756,"This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is ""Unusual file download (by user)"".",T1567.001,Exfiltration to Code Repository,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1567,0 +757,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +758,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1535,Unused/Unsupported Cloud Regions,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +759,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1187,Forced 
Authentication,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Significant,,0 +760,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1187,Forced Authentication,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Significant,,0 +761,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1530,Data from Cloud Storage Object,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +762,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +763,"This control is basically a CASB, and 
various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +764,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1526,Cloud Service Discovery,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +765,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Minimal,,0 +766,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1213,Data from Information Repositories,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 
'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +767,This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.,T1213.002,Sharepoint,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1213,0 +768,This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.,T1213.002,Sharepoint,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1213,0 +769,This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.,T1213.001,Confluence,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1213,0 +770,This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.,T1213.001,Confluence,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1213,0 +771,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +772,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1119,Automated Collection,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud 
App Security Policies,technique-scores,Detect,Partial,,0 +773,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1565,Data Manipulation,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +774,This control can detect and encrypt sensitive information at rest on supported platforms.,T1565.001,Stored Data Manipulation,[],[],,Cloud App Security Policies,technique-scores,Protect,Partial,T1565,0 +775,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Partial,,0 +776,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +777,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel 
for moderate to high temporal score.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Protect,Significant,,0 +778,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1219,Remote Access Software,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +779,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1484,Domain Policy Modification,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +780,This control can detect admin activity from risky IP addresses.,T1484.002,Domain Trust Modification,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1484,0 +781,This control can detect admin activity from risky IP addresses.,T1484.001,Group Policy Modification,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1484,0 +782,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal 
score.",T1098,Account Manipulation,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +783,"This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include ""Unusual administrative activity (by user)"" and ""Unusual addition of credentials to an OAuth app"".",T1098.003,Add Office 365 Global Administrator Role,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1098,0 +784,"This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include ""Unusual administrative activity (by user)"" and ""Unusual addition of credentials to an OAuth app"".",T1098.001,Additional Cloud Credentials,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1098,0 +785,"This control can detect anomalous admin activity that may be indicative of account manipulation. 
Relevant alerts include ""Unusual administrative activity (by user)"" and ""Unusual addition of credentials to an OAuth app"".",T1098.002,Exchange Email Delegate Permissions,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1098,0 +786,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1578,Modify Cloud Compute Infrastructure,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +787,This control can identify anomalous admin activity.,T1578.004,Revert Cloud Instance,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1578,0 +788,This control can identify anomalous admin activity.,T1578.003,Delete Cloud Instance,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1578,0 +789,This control can identify anomalous admin activity.,T1578.001,Create Snapshot,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1578,0 +790,This control can identify anomalous admin activity.,T1578.002,Create Cloud Instance,[],[],,Cloud App Security Policies,technique-scores,Detect,Minimal,T1578,0 +791,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +792,"This control is 
basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1496,Resource Hijacking,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +793,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1485,Data Destruction,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +794,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1486,Data Encrypted for Impact,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +795,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 
'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +796,"This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include ""Suspicious inbox forwarding"" and ""Suspicious inbox manipulation rule"".",T1071.003,Mail Protocols,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1071,0 +797,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Partial,,0 +798,"This control can detect some activity indicative of brute force attempts to login. Relevant alert is ""Multiple failed login attempts"".",T1110.004,Credential Stuffing,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1110,0 +799,"This control can detect some activity indicative of brute force attempts to login. Relevant alert is ""Multiple failed login attempts"".",T1110.003,Password Spraying,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1110,0 +800,"This control can detect some activity indicative of brute force attempts to login. 
Relevant alert is ""Multiple failed login attempts"".",T1110.001,Password Guessing,[],[],,Cloud App Security Policies,technique-scores,Detect,Partial,T1110,0 +801,"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.",T1534,Internal Spearphishing,"['https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery', 'https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection', 'https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts']",[],,Cloud App Security Policies,technique-scores,Detect,Minimal,,0 +802,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Minimal,,0 +803,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Minimal,,0 +804,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Protect,Partial,,0 +805,This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.,T1525,Implant Container Image,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction', 'https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro']","['Azure Defender', 'Azure Security Center Recommendation', 'Containers']",,Azure Defender for Container Registries,technique-scores,Detect,Partial,,0 +806,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1110,Brute Force,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +807,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. +This control's ""Do not expire passwords"" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. +This control's ""Enable policy to block legacy authentication"" and ""Stop legacy protocols communication"" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. 
+This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. +Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ",T1110.001,Password Guessing,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1110,0 +808,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. +This control's ""Do not expire passwords"" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. +This control's ""Enable policy to block legacy authentication"" and ""Stop legacy protocols communication"" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. +This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. +Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. 
",T1110.002,Password Cracking,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1110,0 +809,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. +This control's ""Do not expire passwords"" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. +This control's ""Enable policy to block legacy authentication"" and ""Stop legacy protocols communication"" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. +This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. +Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ",T1110.003,Password Spraying,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1110,0 +810,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted. 
+This control's ""Do not expire passwords"" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. +This control's ""Enable policy to block legacy authentication"" and ""Stop legacy protocols communication"" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. +This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking. +Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ",T1110.004,Credential Stuffing,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1110,0 +811,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,,0 +812,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Minimal,,0 +813,"This control's ""Require MFA for administrative roles"" and ""Ensure all users can complete multi-factor authentication for secure access"" recommendations of MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. See the mapping for MFA for more details. +This control's ""Use limited administrative roles"" recommendation recommends reviewing and limiting the number of accounts with global admin privilege, reducing what an adversary can do with a compromised valid account. +Because these are recommendations and do not actually enforce the protections, the assessed score is capped at Partial. ",T1078.004,Cloud Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1078,0 +814,"This control's ""Turn on sign-in risk policy"" and ""Turn on user risk policy"" recommendations recommend enabling Azure AD Identity Protection which can lead to detecting adversary usage of valid accounts. 
See the mapping for Azure AD Identity Protection.",T1078.004,Cloud Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Detect,Partial,T1078,0 +815,"This control's ""Remove dormant accounts from sensitive groups"" recommendation recommends reviewing dormant (domain) accounts from sensitive groups via an assessment report that can identify sensitive accounts that are dormant. +Because these are recommendations and do not actually enforce the protections coupled with being limited to sensitive accounts, the assessed score is Minimal. ",T1078.002,Domain Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,T1078,0 +816,"This control's ""Protect and manage local admin passwords with Microsoft LAPS"" recommendation recommends periodically running and reviewing the Microsoft LAPS usage report that identifies all Windows based devices not protected by Microsoft LAPS. This can help reduce the compromise of local administrator accounts. +Because this is a recommendations and not actually enforced coupled with being limited to sensitive accounts, the assessed score is Minimal. ",T1078.003,Local Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,T1078,0 +817,"This control's ""Protect and manage local admin passwords with Microsoft LAPS"" recommendation recommends periodically running and reviewing the Microsoft LAPS usage report that identifies all Windows based devices not protected by Microsoft LAPS. This can help reduce the compromise of local administrator accounts. +Because this is a recommendations and not actually enforced coupled with being limited to sensitive accounts, the assessed score is Minimal. ",T1078.001,Default Accounts,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,T1078,0 +818,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. 
We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. +The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1531,Account Access Removal,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +819,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1528,Steal Application Access Token,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +820,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1606,Forge Web Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Partial,,0 +821,"This control's ""Turn on sign-in risk policy"" and ""Turn on user risk policy"" recommendations recommend enabling Azure AD Identity Protection which can detect the malicious usage of SAML Tokens. This is a recommendation and therefore the score is capped at Partial.",T1606.002,SAML Tokens,[],[],,Azure AD Identity Secure Score,technique-scores,Detect,Partial,T1606,0 +822,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1558,Steal or Forge Kerberos Tickets,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +823,"This control's ""Resolve unsecure account attributes"" recommendation can lead to detecting Active Directory accounts which do not require Kerberos preauthentication. Preauthentication offers protection against offline (Kerberos) Password Cracking. +Because this is a recommendation its score is capped as Partial.",T1558.004,AS-REP Roasting,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1558,0 +824,"This control's ""Reduce lateral movement path risk to sensitive entities"" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks that may result in an adversary acquiring a golden ticket. It recommends running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities such as the KRBTGT on the domain controller. 
Because this is a recommendation, its score has been capped as Partial.",T1558.001,Golden Ticket,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1558,0 +825,"This control's ""Modify unsecure Kerberos delegations to prevent impersonation"" recommendation promotes running the ""Unsecure Kerberos delegation"" report that can identify accounts that have unsecure Kerberos delegation configured. Unsecured Kerberos delegation can lead to exposing account TGTs to more hosts resulting in an increased attack surface for Kerberoasting. Due to this control providing a recommendation its score is capped at Partial.",T1558.003,Kerberoasting,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1558,0 +826,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1552,Unsecured Credentials,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,,0 +827,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1550,Use Alternate Authentication Material,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Partial,,0 +828,"This control's ""Reduce lateral movement path risk to sensitive entities"" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. Because this is a recommendation, its score has been capped as Partial.",T1550.003,Pass the Ticket,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1550,0 +829,"This control's ""Reduce lateral movement path risk to sensitive entities"" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. 
Because this is a recommendation, its score has been capped as Partial.",T1550.002,Pass the Hash,[],[],,Azure AD Identity Secure Score,technique-scores,Protect,Partial,T1550,0 +830,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. +The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1040,Network Sniffing,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Protect,Minimal,,0 +831,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Partial,,0 +832,"This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant. 
+The following improvement actions were analyzed: +Require MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
+All scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.",T1134,Access Token Manipulation,"['https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score', 'https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#', 'https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes', 'https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675']","['Credentials', 'Azure Active Directory', 'Identity', 'MFA']",,Azure AD Identity Secure Score,technique-scores,Detect,Minimal,,0 +833,"This control's ""Remove unsecure SID history attributes from entities"" recommendation promotes running the ""Unsecure SID history attributes"" report periodically which can lead to identifying accounts with SID History attributes which Microsoft Defender for Identity profiles to be risky. Because this is a recommendation and not actually enforced, coupled with the detection its assessed score is capped at Partial. ",T1134.005,SID-History Injection,[],[],,Azure AD Identity Secure Score,technique-scores,Detect,Partial,T1134,0 +834,"All scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. Due to the fact that a user's password is not checked against the banned list of passwords unless the user changes or resets their password (which is an infrequent event), there is still ample opportunity for attackers to utilize this technique to gain access. This is what prevented the score from being elevated to Significant. 
+",T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Azure Active Directory Password Protection,technique-scores,Protect,Partial,,0 +835,,T1110.001,Password Guessing,[],[],,Azure Active Directory Password Protection,technique-scores,Protect,Partial,T1110,0 +836,,T1110.002,Password Cracking,[],[],,Azure Active Directory Password Protection,technique-scores,Protect,Partial,T1110,0 +837,,T1110.003,Password Spraying,[],[],,Azure Active Directory Password Protection,technique-scores,Protect,Partial,T1110,0 +838,,T1110.004,Credential Stuffing,[],[],,Azure Active Directory Password Protection,technique-scores,Protect,Partial,T1110,0 +839,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,,0 +840,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1566,Phishing,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,,0 +841,This control may quarantine and/or delete any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.,T1566.001,Spearphishing Attachment,[],[],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,T1566,0 +842,This control may detect any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.,T1566.001,Spearphishing Attachment,[],[],,Microsoft Antimalware for Azure,technique-scores,Detect,Partial,T1566,0 +843,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1204,User Execution,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,,0 +844,This control monitors activity in cloud services and on virtual machines to block malware execution. This is dependent on a signature being available. ,T1204.002,Malicious File,[],[],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,T1204,0 +845,This control monitors activity in cloud services and on virtual machines to detect malware execution. 
This is dependent on a signature being available. ,T1204.002,Malicious File,[],[],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,T1204,0 +846,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,,0 +847,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1105,Ingress Tool Transfer,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,,0 +848,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,,0 +849,"Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.",T1027,Obfuscated Files or Information,"['https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware', 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples']",['Azure Security Center'],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,,0 +850,This control may quarantine and/or delete malware that has been packed by well known software packing utilities. These utilities can provide signatures that apply to a variety of malware.,T1027.002,Software Packing,[],[],,Microsoft Antimalware for Azure,technique-scores,Protect,Minimal,T1027,0 +851,This control may detect malware that has been packed by well known software packing utilities. 
These utilities can provide signatures that apply to a variety of malware.,T1027.002,Software Packing,[],[],,Microsoft Antimalware for Azure,technique-scores,Detect,Minimal,T1027,0 +852,,T1595,Active Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Partial,,0 +853,Focuses on web vulnerability scanning of OWASP Core Rule Set (CRS).,T1595.002,Vulnerability Scanning,[],[],,Azure Web Application Firewall,technique-scores,Protect,Partial,T1595,0 +854,,T1595.002,Vulnerability Scanning,[],[],,Azure Web Application Firewall,technique-scores,Detect,Partial,T1595,0 +855,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Significant,,0 +856,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Detect,Significant,,0 +857,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Partial,,0 +858,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Detect,Partial,,0 +859,,T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center Recommendation'],,Azure Web Application Firewall,technique-scores,Protect,Minimal,,0 +860,,T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/web-application-firewall/overview'],['Azure Security Center 
Recommendation'],,Azure Web Application Firewall,technique-scores,Detect,Minimal,,0 +861,This control can protect web applications from protocol attacks that may be indicative of adversary activity.,T1071.001,Web Protocols,[],[],,Azure Web Application Firewall,technique-scores,Protect,Partial,T1071,0 +862,This control can detect protocol attacks targeting web applications that may be indicative of adversary activity.,T1071.001,Web Protocols,[],[],,Azure Web Application Firewall,technique-scores,Detect,Partial,T1071,0 +863,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +864,This control can be used forensically to identify clients that communicated with identified C2 hosts.,T1071.004,DNS,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1071,0 +865,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". 
Inventory-related data is uploaded every 48 hours.",T1568,Dynamic Resolution,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +866,This control can be used for after-the-fact analysis of potential fast-flux DNS C2,T1568.001,Fast Flux DNS,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1568,0 +867,This control can be used for after-the-fact analysis of potential fast-flux DNS C2,T1568.002,Domain Generation Algorithms,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1568,0 +868,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +869,This control can potentially be used to forensically identify exfiltration via DNS protocol.,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1048,0 +870,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". 
Inventory-related data is uploaded every 48 hours.",T1041,Exfiltration Over C2 Channel,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +871,"The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. ""The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2."". Inventory-related data is uploaded every 48 hours.",T1566,Phishing,['https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics'],"['DNS', 'Network']",,Azure DNS Analytics,technique-scores,Detect,Minimal,,0 +872,"This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.",T1566.002,Spearphishing Link,[],[],,Azure DNS Analytics,technique-scores,Detect,Minimal,T1566,0 +873,,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Just-in-Time VM Access,technique-scores,Protect,Minimal,,0 +874,,T1133,External Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Just-in-Time VM Access,technique-scores,Protect,Significant,,0 +875,,T1110,Brute 
Force,"['https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api', 'https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained']","['Azure Security Center', 'Azure Security Center Recommendation', 'Azure Defender for Servers']",,Just-in-Time VM Access,technique-scores,Protect,Significant,,0 +876,"This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.",T1110.003,Password Spraying,[],[],,Just-in-Time VM Access,technique-scores,Protect,Significant,T1110,0 +877,"This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.",T1110.001,Password Guessing,[],[],,Just-in-Time VM Access,technique-scores,Protect,Significant,T1110,0 +878,"This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. 
Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.",T1110.004,Credential Stuffing,[],[],,Just-in-Time VM Access,technique-scores,Protect,Significant,T1110,0 +879,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,,0 +880,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1078,Valid Accounts,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,,0 +881,This control may provide recommendations to disable default accounts and restrict permissions for existing accounts.,T1078.001,Default Accounts,[],[],,SQL Vulnerability Assessment,technique-scores,Protect,Partial,T1078,0 +882,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1505,Server Software Component,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,,0 +883,This control may scan for users with unnecessary access to SQL stored 
procedures.,T1505.001,SQL Stored Procedures,[],[],,SQL Vulnerability Assessment,technique-scores,Protect,Partial,T1505,0 +884,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Partial,,0 +885,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1112,Modify Registry,"['https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment', 'https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules']","['Azure Defender for SQL', 'Database']",,SQL Vulnerability Assessment,technique-scores,Protect,Minimal,,0 +886,,T1110,Brute Force,['https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless'],"['Azure Active Directory', 'Credentials', 'Identity', 'Passwords']",,Passwordless Authentication,technique-scores,Protect,Significant,,0 +887,This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.,T1110.004,Credential Stuffing,[],[],,Passwordless Authentication,technique-scores,Protect,Significant,T1110,0 +888,This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.,T1110.001,Password Guessing,[],[],,Passwordless Authentication,technique-scores,Protect,Significant,T1110,0 +889,This control provides significant protection against password based attacks by 
completing obviating the need for passwords by replacing it with passwordless credentials.,T1110.003,Password Spraying,[],[],,Passwordless Authentication,technique-scores,Protect,Significant,T1110,0 +890,This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.,T1110.002,Password Cracking,[],[],,Passwordless Authentication,technique-scores,Protect,Significant,T1110,0 +891,,T1590,Gather Victim Network Information,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +892,This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.,T1590.004,Network Topology,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1590,0 +893,This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.,T1590.005,IP Addresses,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1590,0 +894,This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.,T1590.006,Network Security Appliances,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1590,0 +895,,T1595,Active Scanning,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +896,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1595.001,Scanning IP Blocks,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1595,0 +897,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1595.002,Vulnerability Scanning,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1595,0 +898,,T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +899,,T1205,Traffic Signaling,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +900,"This control can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the firewall service level. This service typically applies to external traffic and not internal traffic and therefore lateral movement using this technique within a network is still possible. 
Due to this partial coverage, it has been scored as Partial.",T1205.001,Port Knocking,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1205,0 +901,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +902,,T1018,Remote System Discovery,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +903,,T1008,Fallback Channels,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +904,,T1095,Non-Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +905,,T1571,Non-Standard Port,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Significant,,0 +906,,T1219,Remote Access Software,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +907,,T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/firewall/overview'],"['Azure Security Center Recommendation', 'Network']",,Azure Firewall,technique-scores,Protect,Partial,,0 +908,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1048,0 +909,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1048,0 +910,"This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.",T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Azure Firewall,technique-scores,Protect,Partial,T1048,0 +911,,T1568,Dynamic Resolution,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Partial,,0 +912,"Detects ""random"" DNS name occurences, potentially indicative of Fast Flux or DGA. 
Potential false positives from benign ""random"" DNS names.",T1568.001,Fast Flux DNS,[],[],,Alerts for DNS,technique-scores,Detect,Partial,T1568,0 +913,"Detects ""random"" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign ""random"" DNS names.",T1568.002,Domain Generation Algorithms,[],[],,Alerts for DNS,technique-scores,Detect,Partial,T1568,0 +914,,T1071,Application Layer Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,,0 +915,Can alert on anomalies and misuse of the DNS protocol.,T1071.004,DNS,[],[],,Alerts for DNS,technique-scores,Detect,Significant,T1071,0 +916,,T1572,Protocol Tunneling,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,,0 +917,,T1090,Proxy,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,,0 +918,,T1048,Exfiltration Over Alternative Protocol,"['https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction', 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns']","['Network', 'DNS']",,Alerts for DNS,technique-scores,Detect,Minimal,,0 +919,,T1078,Valid Accounts,['https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation'],"['Azure Active Directory', 'Identity']",,Continuous Access Evaluation,technique-scores,Respond,Minimal,,0 +920,Security controls like Azure AD Identity Protection can raise a user's 
risk level asynchronously after they have used a valid account to access organizational data. This CAE control can respond to this change in the users risky state to terminate the user's access within minutes or enforce an additional authentication method such as MFA. This mitigates the impact of an adversary using a valid account. This is control only forces the user to re-authenticate and doesn't resolve the usage of a valid account (i.e. password change) and is therefore a containment type of response. ,T1078.004,Cloud Accounts,[],[],,Continuous Access Evaluation,technique-scores,Respond,Partial,T1078,0 +921,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. +All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1189,Drive-by Compromise,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +922,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. 
+All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1190,Exploit Public-Facing Application,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +923,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. +All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1203,Exploitation for Client Execution,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +924,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. 
+All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1068,Exploitation for Privilege Escalation,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +925,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. +All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1211,Exploitation for Defense Evasion,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +926,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. 
+All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1212,Exploitation for Credential Access,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +927,"Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines. +All scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.",T1210,Exploitation of Remote Services,"['https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm', 'https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm']","['Azure Defender', 'Azure Security Center']",,Integrated Vulnerability Scanner Powered by Qualys,technique-scores,Protect,Partial,,0 +928,,T1528,Steal Application Access Token,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,,0 +929,,T1555,Credentials from Password Stores,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,,0 +930,,T1552,Unsecured Credentials,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Partial,,0 
+931,,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/key-vault/general/overview'],"['Azure Security Center Recommendation', 'Credentials', 'Passwords']",,Azure Key Vault,technique-scores,Protect,Minimal,,0 +932,,T1199,Trusted Relationship,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +933,,T1602,Data from Configuration Repository,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +934,,T1602.001,SNMP (MIB Dump),[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1602,0 +935,,T1602.002,Network Device Configuration Dump,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1602,0 +936,,T1542,Pre-OS Boot,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Minimal,,0 +937,This control can be used to identify anomalous TFTP boot traffic.,T1542.005,TFTP Boot,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1542,0 +938,,T1563,Remote Service Session Hijacking,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +939,,T1563.002,RDP Hijacking,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1563,0 +940,,T1563.001,SSH Hijacking,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1563,0 +941,,T1048,Exfiltration Over Alternative Protocol,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +942,This control can identify anomalous traffic with respect specific ports (though it 
can't identify presence or lack of encryption).,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1048,0 +943,This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1048,0 +944,This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).,T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1048,0 +945,,T1190,Exploit Public-Facing Application,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +946,,T1021,Remote Services,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +947,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.006,Windows Remote Management,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +948,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.005,VNC,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +949,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.004,SSH,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +950,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.002,SMB/Windows Admin Shares,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +951,This control 
can detect anomalous traffic with respect to remote access protocols and groups.,T1021.001,Remote Desktop Protocol,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +952,This control can detect anomalous traffic with respect to remote access protocols and groups.,T1021.003,Distributed Component Object Model,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1021,0 +953,,T1072,Software Deployment Tools,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +954,,T1133,External Remote Services,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +955,,T1046,Network Service Scanning,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Significant,,0 +956,,T1571,Non-Standard Port,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Significant,,0 +957,,T1071,Application Layer Protocol,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +958,This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).,T1071.004,DNS,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1071,0 +959,This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).,T1071.003,Mail Protocols,[],[],,Azure 
Network Traffic Analytics,technique-scores,Detect,Partial,T1071,0 +960,This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).,T1071.002,File Transfer Protocols,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1071,0 +961,,T1499,Endpoint Denial of Service,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +962,,T1499.003,Application Exhaustion Flood,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1499,0 +963,,T1499.002,Service Exhaustion Flood,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1499,0 +964,,T1499.001,OS Exhaustion Flood,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1499,0 +965,,T1090,Proxy,['https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'],"['Analytics', 'Network']",,Azure Network Traffic Analytics,technique-scores,Detect,Partial,,0 +966,,T1090.003,Multi-hop Proxy,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1090,0 +967,,T1090.002,External Proxy,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1090,0 +968,,T1090.001,Internal Proxy,[],[],,Azure Network Traffic Analytics,technique-scores,Detect,Partial,T1090,0 +969,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1525,Implant Container Image,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Detect,Minimal,,0 +970,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1548,Abuse Elevation Control 
Mechanism,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +971,This control may provide recommendations to remove setuid and setguid permissions from container images. It may not be feasible to audit and remediate all binaries that have and require setuid and setguid permissions.,T1548.001,Setuid and Setgid,[],[],,Docker Host Hardening,technique-scores,Protect,Minimal,T1548,0 +972,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1068,Exploitation for Privilege Escalation,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +973,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1040,Network Sniffing,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +974,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1083,File and Directory Discovery,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +975,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1021,Remote Services,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 +976,This control may provide recommendations 
to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. This may not prevent attackers from installing a SSH server in containers or hosts.,T1021.004,SSH,[],[],,Docker Host Hardening,technique-scores,Protect,Minimal,T1021,0 +977,All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.,T1005,Data from Local System,['https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts'],"['Azure Security Center', 'Containers', 'Linux']",,Docker Host Hardening,technique-scores,Protect,Minimal,,0 diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_metadata.csv new file mode 100644 index 00000000..c12a067f --- /dev/null +++ b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,1,8.2,enterprise,,ctid@mitre-engenuity.org,03/4/2021,,,Azure,,0 diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_navigator_layer.json b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_navigator_layer.json index 80fc09e6..0f809341 100644 --- a/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_navigator_layer.json +++ b/src/mappings_explorer/cli/mapex/security_stack_files/Azure/parsed_security_stack_mappings_navigator_layer.json 
@@ -1 +1 @@ -{"name": "security stack overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": 8.2}, "sorting": 3, "description": "security stack heatmap overview of security stack mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 18, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Alerts for Windows Machines, Azure Security Center Recommendations, Azure Defender for Storage, Azure Sentinel, Azure AD Multi-Factor Authentication, Role Based Access Control, Alerts for Azure Cosmos DB, Azure Policy, Azure AD Privileged Identity Management, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Azure AD Identity Secure Score, Azure AD Identity Secure Score, SQL Vulnerability Assessment, Continuous Access Evaluation"}, {"techniqueID": "T1606", "score": 3, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Azure AD Identity Secure Score"}, {"techniqueID": "T1110", "score": 18, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure AD Password Policy, Microsoft Defender for Identity, Azure AD Multi-Factor Authentication, Azure Policy, Azure Alerts for Network Layer, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Azure AD Identity Secure Score, Azure Active Directory Password Protection, Just-in-Time VM Access, Passwordless Authentication"}, {"techniqueID": "T1059", "score": 5, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service"}, {"techniqueID": "T1204", "score": 4, "comment": "Related to Alerts for 
Windows Machines, Adaptive Application Controls, Azure Defender for App Service, Microsoft Antimalware for Azure"}, {"techniqueID": "T1547", "score": 5, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1136", "score": 6, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Role Based Access Control, Azure AD Privileged Identity Management"}, {"techniqueID": "T1543", "score": 6, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Azure Sentinel, Microsoft Defender for Identity, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1546", "score": 4, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1548", "score": 4, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, File Integrity Monitoring, Docker Host Hardening"}, {"techniqueID": "T1055", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1203", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1212", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1211", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Integrated Vulnerability Scanner Powered by Qualys"}, 
{"techniqueID": "T1068", "score": 13, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Defender for Resource Manager, Azure Sentinel, Azure Defender for Kubernetes, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Azure Defender for Container Registries, SQL Vulnerability Assessment, Integrated Vulnerability Scanner Powered by Qualys, Docker Host Hardening"}, {"techniqueID": "T1210", "score": 8, "comment": "Related to Alerts for Windows Machines, Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1190", "score": 15, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Azure Sentinel, Azure Defender for Kubernetes, Azure Automation Update Management, Azure Policy, Advanced Threat Protection for Azure SQL Database, Azure Defender for App Service, Azure Defender for Container Registries, Azure Web Application Firewall, Azure Web Application Firewall, Just-in-Time VM Access, SQL Vulnerability Assessment, Integrated Vulnerability Scanner Powered by Qualys, Azure Network Traffic Analytics"}, {"techniqueID": "T1189", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Automation Update Management, Azure Defender for App Service, Cloud App Security Policies, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1140", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1222", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, File Integrity Monitoring"}, {"techniqueID": "T1564", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Security 
Center Recommendations, Linux auditd alerts and Log Analytics agent integration"}, {"techniqueID": "T1562", "score": 5, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Defender for Resource Manager, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1070", "score": 4, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Defender for Kubernetes"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Alerts for Windows Machines, SQL Vulnerability Assessment"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Defender for App Service, Microsoft Antimalware for Azure, Microsoft Antimalware for Azure"}, {"techniqueID": "T1218", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1003", "score": 6, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Microsoft Defender for Identity, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1558", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service, Azure AD Identity Secure Score"}, {"techniqueID": "T1087", "score": 6, "comment": "Related to Alerts for Windows Machines, Azure Defender for Resource Manager, Azure Sentinel, Microsoft Defender for Identity, Role Based Access Control, Azure Defender for App Service"}, {"techniqueID": "T1082", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Sentinel"}, {"techniqueID": "T1563", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Network Traffic Analytics"}, {"techniqueID": "T1105", "score": 7, "comment": "Related to Alerts for Windows Machines, 
Azure Defender for Storage, Azure Defender for Storage, Azure Sentinel, Azure Defender for App Service, Microsoft Antimalware for Azure, Microsoft Antimalware for Azure"}, {"techniqueID": "T1048", "score": 8, "comment": "Related to Alerts for Windows Machines, Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure DNS Analytics, Azure Firewall, Alerts for DNS, Azure Network Traffic Analytics"}, {"techniqueID": "T1489", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1202", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1040", "score": 8, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, Azure Private Link, Azure Policy, Azure VPN Gateway, Azure AD Identity Secure Score, Azure Key Vault, Docker Host Hardening"}, {"techniqueID": "T1542", "score": 3, "comment": "Related to Azure Security Center Recommendations, Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1499", "score": 6, "comment": "Related to Azure Security Center Recommendations, Network Security Groups, Azure Private Link, Azure Automation Update Management, Azure DDOS Protection Standard, Azure Network Traffic Analytics"}, {"techniqueID": "T1525", "score": 7, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Defender for Kubernetes, Azure Policy, Azure Defender for Container Registries, Azure Defender for Container Registries, Docker Host Hardening"}, {"techniqueID": "T1098", "score": 10, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Microsoft Defender for Identity, Role Based Access Control, File Integrity Monitoring, Azure Policy, Azure AD Privileged Identity Management, Azure AD Privileged Identity Management, Cloud App Security Policies"}, {"techniqueID": "T1554", "score": 3, "comment": 
"Related to Azure Security Center Recommendations, Adaptive Application Controls, Azure Automation Update Management"}, {"techniqueID": "T1505", "score": 5, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Policy, SQL Vulnerability Assessment"}, {"techniqueID": "T1053", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1556", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, Microsoft Defender for Identity, File Integrity Monitoring"}, {"techniqueID": "T1080", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Defender for Storage, Azure Defender for Storage, Azure Sentinel"}, {"techniqueID": "T1074", "score": 3, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, Conditional Access"}, {"techniqueID": "T1485", "score": 6, "comment": "Related to Azure Security Center Recommendations, Azure Defender for Storage, Azure Sentinel, Azure Backup, Azure Policy, Cloud App Security Policies"}, {"techniqueID": "T1486", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, Azure Backup, Cloud App Security Policies"}, {"techniqueID": "T1565", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Private Link, Azure VPN Gateway, Cloud App Security Policies"}, {"techniqueID": "T1133", "score": 11, "comment": "Related to Azure Security Center Recommendations, Network Security Groups, Microsoft Defender for Identity, Azure Policy, Azure Alerts for Network Layer, Cloud App Security Policies, Cloud App Security Policies, Azure AD Identity Secure Score, Just-in-Time VM Access, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1530", "score": 6, "comment": "Related to Azure Defender for Storage, Azure 
Sentinel, Role Based Access Control, Azure Policy, Conditional Access, Cloud App Security Policies"}, {"techniqueID": "T1537", "score": 2, "comment": "Related to Azure Defender for Storage, Azure Policy"}, {"techniqueID": "T1021", "score": 7, "comment": "Related to Linux auditd alerts and Log Analytics agent integration, Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Policy, Azure Network Traffic Analytics, Docker Host Hardening"}, {"techniqueID": "T1113", "score": 3, "comment": "Related to Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to Azure Defender for Resource Manager, Azure Sentinel, Azure Defender for Key Vault, Role Based Access Control, Azure Policy"}, {"techniqueID": "T1538", "score": 3, "comment": "Related to Azure Defender for Resource Manager, Role Based Access Control, Azure Policy"}, {"techniqueID": "T1526", "score": 3, "comment": "Related to Azure Defender for Resource Manager, Azure Policy, Cloud App Security Policies"}, {"techniqueID": "T1069", "score": 3, "comment": "Related to Azure Defender for Resource Manager, Azure Sentinel, Microsoft Defender for Identity"}, {"techniqueID": "T1555", "score": 7, "comment": "Related to Azure Defender for Resource Manager, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for Key Vault, Azure Policy, Azure Defender for App Service, Azure Key Vault"}, {"techniqueID": "T1199", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1557", "score": 5, "comment": "Related to Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Private Link, Azure VPN Gateway"}, {"techniqueID": "T1602", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1072", "score": 3, "comment": "Related to Network Security Groups, Azure 
Automation Update Management, Azure Network Traffic Analytics"}, {"techniqueID": "T1482", "score": 4, "comment": "Related to Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service"}, {"techniqueID": "T1046", "score": 6, "comment": "Related to Network Security Groups, Azure Sentinel, Azure Web Application Firewall, Azure Web Application Firewall, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1095", "score": 2, "comment": "Related to Network Security Groups, Azure Firewall"}, {"techniqueID": "T1571", "score": 3, "comment": "Related to Network Security Groups, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1570", "score": 1, "comment": "Related to Network Security Groups"}, {"techniqueID": "T1498", "score": 3, "comment": "Related to Network Security Groups, Azure Private Link, Azure DDOS Protection Standard"}, {"techniqueID": "T1090", "score": 4, "comment": "Related to Network Security Groups, Azure Sentinel, Alerts for DNS, Azure Network Traffic Analytics"}, {"techniqueID": "T1219", "score": 4, "comment": "Related to Network Security Groups, Cloud App Security Policies, Cloud App Security Policies, Azure Firewall"}, {"techniqueID": "T1205", "score": 2, "comment": "Related to Network Security Groups, Azure Firewall"}, {"techniqueID": "T1195", "score": 2, "comment": "Related to Azure Sentinel, Azure Automation Update Management"}, {"techniqueID": "T1071", "score": 10, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure Policy, Azure Alerts for Network Layer, Cloud App Security Policies, Azure Web Application Firewall, Azure Web Application Firewall, Azure DNS Analytics, Alerts for DNS, Azure Network Traffic Analytics"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to Azure Sentinel, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1595", "score": 4, "comment": "Related to Azure Sentinel, Azure Defender for App 
Service, Azure Web Application Firewall, Azure Firewall"}, {"techniqueID": "T1496", "score": 3, "comment": "Related to Azure Sentinel, Azure Defender for App Service, Cloud App Security Policies"}, {"techniqueID": "T1213", "score": 6, "comment": "Related to Azure Sentinel, Alerts for Azure Cosmos DB, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1531", "score": 3, "comment": "Related to Azure Sentinel, Cloud App Security Policies, Azure AD Identity Secure Score"}, {"techniqueID": "T1018", "score": 2, "comment": "Related to Azure Sentinel, Azure Firewall"}, {"techniqueID": "T1114", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1573", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1119", "score": 3, "comment": "Related to Azure Sentinel, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1568", "score": 3, "comment": "Related to Azure Sentinel, Azure DNS Analytics, Alerts for DNS"}, {"techniqueID": "T1137", "score": 2, "comment": "Related to Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1047", "score": 3, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service"}, {"techniqueID": "T1552", "score": 7, "comment": "Related to Azure Sentinel, Azure Sentinel, Azure Dedicated HSM, Managed identities for Azure resources, Azure Defender for App Service, Azure AD Identity Secure Score, Azure Key Vault"}, {"techniqueID": "T1590", "score": 3, "comment": "Related to Azure Sentinel, Azure Policy, Azure Firewall"}, {"techniqueID": "T1134", "score": 3, "comment": "Related to Azure Sentinel, Azure Defender for App Service, Azure AD Identity Secure Score"}, {"techniqueID": "T1560", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1217", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1115", "score": 1, 
"comment": "Related to Azure Sentinel"}, {"techniqueID": "T1484", "score": 2, "comment": "Related to Azure Sentinel, Cloud App Security Policies"}, {"techniqueID": "T1041", "score": 2, "comment": "Related to Azure Sentinel, Azure DNS Analytics"}, {"techniqueID": "T1083", "score": 2, "comment": "Related to Azure Sentinel, Docker Host Hardening"}, {"techniqueID": "T1574", "score": 3, "comment": "Related to Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1056", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1135", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1057", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1518", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1016", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1049", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1569", "score": 2, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity"}, {"techniqueID": "T1127", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1550", "score": 3, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure AD Identity Secure Score"}, {"techniqueID": "T1125", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1102", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1490", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1535", "score": 3, "comment": "Related to Azure Sentinel, Azure Policy, Cloud App Security Policies"}, {"techniqueID": "T1036", "score": 3, "comment": "Related to Azure Sentinel, Adaptive Application Controls, Azure Defender for App Service"}, {"techniqueID": "T1578", "score": 3, "comment": "Related to Azure Sentinel, 
Role Based Access Control, Cloud App Security Policies"}, {"techniqueID": "T1528", "score": 6, "comment": "Related to Azure Sentinel, Role Based Access Control, Cloud App Security Policies, Cloud App Security Policies, Azure AD Identity Secure Score, Azure Key Vault"}, {"techniqueID": "T1201", "score": 1, "comment": "Related to Microsoft Defender for Identity"}, {"techniqueID": "T1207", "score": 1, "comment": "Related to Microsoft Defender for Identity"}, {"techniqueID": "T1553", "score": 3, "comment": "Related to Adaptive Application Controls, Azure Dedicated HSM, File Integrity Monitoring"}, {"techniqueID": "T1588", "score": 1, "comment": "Related to Azure Dedicated HSM"}, {"techniqueID": "T1584", "score": 2, "comment": "Related to Azure DNS Alias Records, Azure Defender for App Service"}, {"techniqueID": "T1037", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1491", "score": 1, "comment": "Related to Azure Backup"}, {"techniqueID": "T1561", "score": 1, "comment": "Related to Azure Backup"}, {"techniqueID": "T1566", "score": 4, "comment": "Related to Azure Defender for App Service, Microsoft Antimalware for Azure, Microsoft Antimalware for Azure, Azure DNS Analytics"}, {"techniqueID": "T1594", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1559", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1123", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1005", "score": 2, "comment": "Related to Azure Defender for App Service, Docker Host Hardening"}, {"techniqueID": "T1012", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1187", "score": 2, "comment": "Related to Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1534", "score": 1, "comment": "Related to Cloud App Security Policies"}, {"techniqueID": "T1008", "score": 1, "comment": "Related to Azure 
Firewall"}, {"techniqueID": "T1572", "score": 1, "comment": "Related to Alerts for DNS"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 18}} \ No newline at end of file +{"name": "security stack overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": 8.2}, "sorting": 3, "description": "security stack heatmap overview of security stack mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 18, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Alerts for Windows Machines, Azure Security Center Recommendations, Azure Defender for Storage, Azure Sentinel, Azure AD Multi-Factor Authentication, Role Based Access Control, Alerts for Azure Cosmos DB, Azure Policy, Azure AD Privileged Identity Management, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Azure AD Identity Secure Score, Azure AD Identity Secure Score, SQL Vulnerability Assessment, Continuous Access Evaluation"}, {"techniqueID": "T1078.004", "score": 16, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Azure Security Center Recommendations, Azure Defender for Storage, Azure Sentinel, Azure AD Multi-Factor Authentication, Role Based Access Control, Alerts for Azure Cosmos DB, Azure Policy, Azure AD Privileged Identity Management, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Azure AD Identity Secure Score, Azure AD Identity Secure Score, Continuous Access Evaluation"}, {"techniqueID": "T1078.002", "score": 5, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Azure Sentinel, Cloud App Security Policies, Azure AD Identity Secure Score"}, {"techniqueID": "T1606", "score": 3, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Azure AD Identity Secure Score"}, 
{"techniqueID": "T1606.002", "score": 3, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Azure AD Identity Secure Score"}, {"techniqueID": "T1110", "score": 18, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure AD Password Policy, Microsoft Defender for Identity, Azure AD Multi-Factor Authentication, Azure Policy, Azure Alerts for Network Layer, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Azure AD Identity Secure Score, Azure Active Directory Password Protection, Just-in-Time VM Access, Passwordless Authentication"}, {"techniqueID": "T1110.003", "score": 17, "comment": "Related to Azure AD Identity Protection, Azure AD Identity Protection, Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Microsoft Defender for Identity, Azure AD Multi-Factor Authentication, Azure Policy, Azure Alerts for Network Layer, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Azure AD Identity Secure Score, Azure Active Directory Password Protection, Just-in-Time VM Access, Passwordless Authentication"}, {"techniqueID": "T1078.003", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Azure AD Identity Secure Score"}, {"techniqueID": "T1078.001", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Cloud App Security Policies, Azure AD Identity Secure Score, SQL Vulnerability Assessment"}, {"techniqueID": "T1059", "score": 5, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service"}, {"techniqueID": 
"T1059.001", "score": 4, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service"}, {"techniqueID": "T1059.003", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Sentinel"}, {"techniqueID": "T1204", "score": 4, "comment": "Related to Alerts for Windows Machines, Adaptive Application Controls, Azure Defender for App Service, Microsoft Antimalware for Azure"}, {"techniqueID": "T1204.002", "score": 4, "comment": "Related to Alerts for Windows Machines, Adaptive Application Controls, Microsoft Antimalware for Azure, Microsoft Antimalware for Azure"}, {"techniqueID": "T1547", "score": 5, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1547.001", "score": 4, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1136", "score": 6, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Role Based Access Control, Azure AD Privileged Identity Management"}, {"techniqueID": "T1136.001", "score": 4, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel"}, {"techniqueID": "T1543", "score": 6, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Azure Sentinel, Microsoft Defender for Identity, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1543.003", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Microsoft Defender for Identity, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1546", "score": 4, 
"comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1546.002", "score": 2, "comment": "Related to Alerts for Windows Machines, File Integrity Monitoring"}, {"techniqueID": "T1546.008", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1548", "score": 4, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, File Integrity Monitoring, Docker Host Hardening"}, {"techniqueID": "T1548.002", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1055", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1055.001", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Defender for App Service"}, {"techniqueID": "T1055.002", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Defender for App Service"}, {"techniqueID": "T1055.003", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Defender for App Service"}, {"techniqueID": "T1055.005", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Defender for App Service"}, {"techniqueID": "T1055.004", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Defender for App Service"}, {"techniqueID": "T1055.011", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Defender for App Service"}, {"techniqueID": "T1055.012", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Defender for App Service"}, {"techniqueID": "T1055.013", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Defender for App Service"}, {"techniqueID": "T1203", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Automation Update Management, Azure Policy, Azure Defender 
for App Service, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1212", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1211", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1068", "score": 13, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Defender for Resource Manager, Azure Sentinel, Azure Defender for Kubernetes, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Azure Defender for Container Registries, SQL Vulnerability Assessment, Integrated Vulnerability Scanner Powered by Qualys, Docker Host Hardening"}, {"techniqueID": "T1210", "score": 8, "comment": "Related to Alerts for Windows Machines, Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Automation Update Management, Azure Policy, Azure Defender for App Service, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1190", "score": 15, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Azure Sentinel, Azure Defender for Kubernetes, Azure Automation Update Management, Azure Policy, Advanced Threat Protection for Azure SQL Database, Azure Defender for App Service, Azure Defender for Container Registries, Azure Web Application Firewall, Azure Web Application Firewall, Just-in-Time VM Access, SQL Vulnerability Assessment, Integrated Vulnerability Scanner Powered by Qualys, Azure Network Traffic Analytics"}, {"techniqueID": "T1189", "score": 5, "comment": "Related to Alerts for Windows Machines, Azure Automation Update Management, 
Azure Defender for App Service, Cloud App Security Policies, Integrated Vulnerability Scanner Powered by Qualys"}, {"techniqueID": "T1140", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1222", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, File Integrity Monitoring"}, {"techniqueID": "T1222.001", "score": 2, "comment": "Related to Alerts for Windows Machines, File Integrity Monitoring"}, {"techniqueID": "T1564", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration"}, {"techniqueID": "T1564.003", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1562", "score": 5, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Defender for Resource Manager, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1562.004", "score": 3, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, File Integrity Monitoring"}, {"techniqueID": "T1562.001", "score": 4, "comment": "Related to Alerts for Windows Machines, Azure Defender for Resource Manager, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1070", "score": 4, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Defender for Kubernetes"}, {"techniqueID": "T1070.004", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1070.001", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Sentinel"}, {"techniqueID": "T1112", "score": 2, "comment": "Related to Alerts for Windows Machines, SQL Vulnerability Assessment"}, {"techniqueID": "T1027", "score": 6, "comment": "Related to Alerts for Windows 
Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Defender for App Service, Microsoft Antimalware for Azure, Microsoft Antimalware for Azure"}, {"techniqueID": "T1218", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1218.005", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1218.011", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1110.001", "score": 16, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure AD Password Policy, Microsoft Defender for Identity, Azure AD Multi-Factor Authentication, Azure Policy, Azure Alerts for Network Layer, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Azure AD Identity Secure Score, Azure Active Directory Password Protection, Just-in-Time VM Access, Passwordless Authentication"}, {"techniqueID": "T1110.004", "score": 15, "comment": "Related to Alerts for Windows Machines, Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure AD Password Policy, Azure AD Multi-Factor Authentication, Azure Policy, Azure Alerts for Network Layer, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Azure AD Identity Secure Score, Azure Active Directory Password Protection, Just-in-Time VM Access, Passwordless Authentication"}, {"techniqueID": "T1003", "score": 6, "comment": "Related to Alerts for Windows Machines, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Microsoft Defender for Identity, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1003.004", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1558", "score": 5, "comment": "Related 
to Alerts for Windows Machines, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service, Azure AD Identity Secure Score"}, {"techniqueID": "T1558.001", "score": 4, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Microsoft Defender for Identity, Azure AD Identity Secure Score"}, {"techniqueID": "T1087", "score": 6, "comment": "Related to Alerts for Windows Machines, Azure Defender for Resource Manager, Azure Sentinel, Microsoft Defender for Identity, Role Based Access Control, Azure Defender for App Service"}, {"techniqueID": "T1087.001", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1087.002", "score": 3, "comment": "Related to Alerts for Windows Machines, Azure Sentinel, Microsoft Defender for Identity"}, {"techniqueID": "T1082", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Sentinel"}, {"techniqueID": "T1563", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Network Traffic Analytics"}, {"techniqueID": "T1563.002", "score": 2, "comment": "Related to Alerts for Windows Machines, Azure Network Traffic Analytics"}, {"techniqueID": "T1105", "score": 7, "comment": "Related to Alerts for Windows Machines, Azure Defender for Storage, Azure Defender for Storage, Azure Sentinel, Azure Defender for App Service, Microsoft Antimalware for Azure, Microsoft Antimalware for Azure"}, {"techniqueID": "T1048", "score": 8, "comment": "Related to Alerts for Windows Machines, Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure DNS Analytics, Azure Firewall, Alerts for DNS, Azure Network Traffic Analytics"}, {"techniqueID": "T1048.001", "score": 4, "comment": "Related to Alerts for Windows Machines, Network Security Groups, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1489", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": 
"T1202", "score": 1, "comment": "Related to Alerts for Windows Machines"}, {"techniqueID": "T1040", "score": 8, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, Azure Private Link, Azure Policy, Azure VPN Gateway, Azure AD Identity Secure Score, Azure Key Vault, Docker Host Hardening"}, {"techniqueID": "T1542", "score": 3, "comment": "Related to Azure Security Center Recommendations, Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1542.001", "score": 1, "comment": "Related to Azure Security Center Recommendations"}, {"techniqueID": "T1542.003", "score": 1, "comment": "Related to Azure Security Center Recommendations"}, {"techniqueID": "T1499", "score": 6, "comment": "Related to Azure Security Center Recommendations, Network Security Groups, Azure Private Link, Azure Automation Update Management, Azure DDOS Protection Standard, Azure Network Traffic Analytics"}, {"techniqueID": "T1499.001", "score": 5, "comment": "Related to Azure Security Center Recommendations, Network Security Groups, Azure Private Link, Azure DDOS Protection Standard, Azure Network Traffic Analytics"}, {"techniqueID": "T1525", "score": 7, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Defender for Kubernetes, Azure Policy, Azure Defender for Container Registries, Azure Defender for Container Registries, Docker Host Hardening"}, {"techniqueID": "T1098", "score": 10, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Microsoft Defender for Identity, Role Based Access Control, File Integrity Monitoring, Azure Policy, Azure AD Privileged Identity Management, Azure AD Privileged Identity Management, Cloud App Security Policies"}, {"techniqueID": "T1098.004", "score": 3, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent 
integration, File Integrity Monitoring"}, {"techniqueID": "T1554", "score": 3, "comment": "Related to Azure Security Center Recommendations, Adaptive Application Controls, Azure Automation Update Management"}, {"techniqueID": "T1543.002", "score": 2, "comment": "Related to Azure Security Center Recommendations, File Integrity Monitoring"}, {"techniqueID": "T1546.004", "score": 2, "comment": "Related to Azure Security Center Recommendations, File Integrity Monitoring"}, {"techniqueID": "T1505", "score": 5, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Policy, SQL Vulnerability Assessment"}, {"techniqueID": "T1505.003", "score": 3, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration, Azure Sentinel"}, {"techniqueID": "T1222.002", "score": 2, "comment": "Related to Azure Security Center Recommendations, File Integrity Monitoring"}, {"techniqueID": "T1564.001", "score": 2, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration"}, {"techniqueID": "T1564.005", "score": 1, "comment": "Related to Azure Security Center Recommendations"}, {"techniqueID": "T1564.006", "score": 2, "comment": "Related to Azure Security Center Recommendations, Linux auditd alerts and Log Analytics agent integration"}, {"techniqueID": "T1053", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1053.003", "score": 3, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1053.006", "score": 2, "comment": "Related to Azure Security Center Recommendations, File Integrity Monitoring"}, {"techniqueID": "T1556", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure 
Sentinel, Microsoft Defender for Identity, File Integrity Monitoring"}, {"techniqueID": "T1556.003", "score": 2, "comment": "Related to Azure Security Center Recommendations, File Integrity Monitoring"}, {"techniqueID": "T1080", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Defender for Storage, Azure Defender for Storage, Azure Sentinel"}, {"techniqueID": "T1074", "score": 3, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, Conditional Access"}, {"techniqueID": "T1074.001", "score": 3, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, Conditional Access"}, {"techniqueID": "T1485", "score": 6, "comment": "Related to Azure Security Center Recommendations, Azure Defender for Storage, Azure Sentinel, Azure Backup, Azure Policy, Cloud App Security Policies"}, {"techniqueID": "T1486", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Sentinel, Azure Backup, Cloud App Security Policies"}, {"techniqueID": "T1565", "score": 4, "comment": "Related to Azure Security Center Recommendations, Azure Private Link, Azure VPN Gateway, Cloud App Security Policies"}, {"techniqueID": "T1565.001", "score": 2, "comment": "Related to Azure Security Center Recommendations, Cloud App Security Policies"}, {"techniqueID": "T1133", "score": 11, "comment": "Related to Azure Security Center Recommendations, Network Security Groups, Microsoft Defender for Identity, Azure Policy, Azure Alerts for Network Layer, Cloud App Security Policies, Cloud App Security Policies, Azure AD Identity Secure Score, Just-in-Time VM Access, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1530", "score": 6, "comment": "Related to Azure Defender for Storage, Azure Sentinel, Role Based Access Control, Azure Policy, Conditional Access, Cloud App Security Policies"}, {"techniqueID": "T1537", "score": 2, "comment": "Related to Azure Defender for Storage, Azure Policy"}, 
{"techniqueID": "T1059.004", "score": 3, "comment": "Related to Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1547.006", "score": 2, "comment": "Related to Linux auditd alerts and Log Analytics agent integration, File Integrity Monitoring"}, {"techniqueID": "T1562.006", "score": 3, "comment": "Related to Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1070.002", "score": 1, "comment": "Related to Linux auditd alerts and Log Analytics agent integration"}, {"techniqueID": "T1070.003", "score": 1, "comment": "Related to Linux auditd alerts and Log Analytics agent integration"}, {"techniqueID": "T1027.004", "score": 1, "comment": "Related to Linux auditd alerts and Log Analytics agent integration"}, {"techniqueID": "T1003.008", "score": 1, "comment": "Related to Linux auditd alerts and Log Analytics agent integration"}, {"techniqueID": "T1021", "score": 7, "comment": "Related to Linux auditd alerts and Log Analytics agent integration, Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Policy, Azure Network Traffic Analytics, Docker Host Hardening"}, {"techniqueID": "T1021.004", "score": 6, "comment": "Related to Linux auditd alerts and Log Analytics agent integration, Network Security Groups, Azure Sentinel, Azure Policy, Azure Network Traffic Analytics, Docker Host Hardening"}, {"techniqueID": "T1113", "score": 3, "comment": "Related to Linux auditd alerts and Log Analytics agent integration, Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1580", "score": 5, "comment": "Related to Azure Defender for Resource Manager, Azure Sentinel, Azure Defender for Key Vault, Role Based Access Control, Azure Policy"}, {"techniqueID": "T1538", "score": 3, "comment": "Related to Azure Defender for Resource Manager, Role Based Access Control, Azure Policy"}, {"techniqueID": "T1526", 
"score": 3, "comment": "Related to Azure Defender for Resource Manager, Azure Policy, Cloud App Security Policies"}, {"techniqueID": "T1069", "score": 3, "comment": "Related to Azure Defender for Resource Manager, Azure Sentinel, Microsoft Defender for Identity"}, {"techniqueID": "T1069.003", "score": 1, "comment": "Related to Azure Defender for Resource Manager"}, {"techniqueID": "T1087.004", "score": 2, "comment": "Related to Azure Defender for Resource Manager, Role Based Access Control"}, {"techniqueID": "T1555", "score": 7, "comment": "Related to Azure Defender for Resource Manager, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for Key Vault, Azure Policy, Azure Defender for App Service, Azure Key Vault"}, {"techniqueID": "T1199", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1557", "score": 5, "comment": "Related to Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Private Link, Azure VPN Gateway"}, {"techniqueID": "T1602", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1602.002", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1602.001", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1542.005", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1048.003", "score": 6, "comment": "Related to Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure DNS Analytics, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1048.002", "score": 3, "comment": "Related to Network Security Groups, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1021.006", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, 
{"techniqueID": "T1021.005", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1021.003", "score": 3, "comment": "Related to Network Security Groups, Azure Sentinel, Azure Network Traffic Analytics"}, {"techniqueID": "T1021.002", "score": 4, "comment": "Related to Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Network Traffic Analytics"}, {"techniqueID": "T1021.001", "score": 4, "comment": "Related to Network Security Groups, Azure Sentinel, Azure Policy, Azure Network Traffic Analytics"}, {"techniqueID": "T1072", "score": 3, "comment": "Related to Network Security Groups, Azure Automation Update Management, Azure Network Traffic Analytics"}, {"techniqueID": "T1482", "score": 4, "comment": "Related to Network Security Groups, Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service"}, {"techniqueID": "T1046", "score": 6, "comment": "Related to Network Security Groups, Azure Sentinel, Azure Web Application Firewall, Azure Web Application Firewall, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1095", "score": 2, "comment": "Related to Network Security Groups, Azure Firewall"}, {"techniqueID": "T1571", "score": 3, "comment": "Related to Network Security Groups, Azure Firewall, Azure Network Traffic Analytics"}, {"techniqueID": "T1499.003", "score": 4, "comment": "Related to Network Security Groups, Azure Private Link, Azure DDOS Protection Standard, Azure Network Traffic Analytics"}, {"techniqueID": "T1499.002", "score": 4, "comment": "Related to Network Security Groups, Azure Private Link, Azure DDOS Protection Standard, Azure Network Traffic Analytics"}, {"techniqueID": "T1570", "score": 1, "comment": "Related to Network Security Groups"}, {"techniqueID": "T1498", "score": 3, "comment": "Related to Network Security Groups, Azure Private Link, Azure DDOS Protection Standard"}, {"techniqueID": "T1090", "score": 4, "comment": 
"Related to Network Security Groups, Azure Sentinel, Alerts for DNS, Azure Network Traffic Analytics"}, {"techniqueID": "T1090.003", "score": 3, "comment": "Related to Network Security Groups, Azure Sentinel, Azure Network Traffic Analytics"}, {"techniqueID": "T1090.002", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1090.001", "score": 2, "comment": "Related to Network Security Groups, Azure Network Traffic Analytics"}, {"techniqueID": "T1219", "score": 4, "comment": "Related to Network Security Groups, Cloud App Security Policies, Cloud App Security Policies, Azure Firewall"}, {"techniqueID": "T1205", "score": 2, "comment": "Related to Network Security Groups, Azure Firewall"}, {"techniqueID": "T1205.001", "score": 2, "comment": "Related to Network Security Groups, Azure Firewall"}, {"techniqueID": "T1195", "score": 2, "comment": "Related to Azure Sentinel, Azure Automation Update Management"}, {"techniqueID": "T1195.001", "score": 2, "comment": "Related to Azure Sentinel, Azure Automation Update Management"}, {"techniqueID": "T1098.001", "score": 5, "comment": "Related to Azure Sentinel, Role Based Access Control, Azure Policy, Azure AD Privileged Identity Management, Cloud App Security Policies"}, {"techniqueID": "T1071", "score": 10, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure Policy, Azure Alerts for Network Layer, Cloud App Security Policies, Azure Web Application Firewall, Azure Web Application Firewall, Azure DNS Analytics, Alerts for DNS, Azure Network Traffic Analytics"}, {"techniqueID": "T1071.001", "score": 4, "comment": "Related to Azure Sentinel, Azure Alerts for Network Layer, Azure Web Application Firewall, Azure Web Application Firewall"}, {"techniqueID": "T1071.004", "score": 7, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure Policy, Azure Alerts for Network Layer, Azure DNS Analytics, Alerts for DNS, Azure Network 
Traffic Analytics"}, {"techniqueID": "T1567", "score": 3, "comment": "Related to Azure Sentinel, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1567.002", "score": 3, "comment": "Related to Azure Sentinel, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1567.001", "score": 3, "comment": "Related to Azure Sentinel, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1595", "score": 4, "comment": "Related to Azure Sentinel, Azure Defender for App Service, Azure Web Application Firewall, Azure Firewall"}, {"techniqueID": "T1595.002", "score": 5, "comment": "Related to Azure Sentinel, Azure Defender for App Service, Azure Web Application Firewall, Azure Web Application Firewall, Azure Firewall"}, {"techniqueID": "T1496", "score": 3, "comment": "Related to Azure Sentinel, Azure Defender for App Service, Cloud App Security Policies"}, {"techniqueID": "T1070.006", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1059.007", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1059.005", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1059.006", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1213", "score": 6, "comment": "Related to Azure Sentinel, Alerts for Azure Cosmos DB, Advanced Threat Protection for Azure SQL Database, Conditional Access, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1213.002", "score": 4, "comment": "Related to Azure Sentinel, Conditional Access, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1531", "score": 3, "comment": "Related to Azure Sentinel, Cloud App Security Policies, Azure AD Identity Secure Score"}, {"techniqueID": "T1018", "score": 2, "comment": "Related to Azure Sentinel, Azure Firewall"}, {"techniqueID": "T1136.002", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1136.003", 
"score": 3, "comment": "Related to Azure Sentinel, Role Based Access Control, Azure AD Privileged Identity Management"}, {"techniqueID": "T1114", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1114.001", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1114.002", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1114.003", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1573", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1573.002", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1562.002", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1562.007", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1562.008", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1119", "score": 3, "comment": "Related to Azure Sentinel, Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1568", "score": 3, "comment": "Related to Azure Sentinel, Azure DNS Analytics, Alerts for DNS"}, {"techniqueID": "T1568.002", "score": 3, "comment": "Related to Azure Sentinel, Azure DNS Analytics, Alerts for DNS"}, {"techniqueID": "T1137", "score": 2, "comment": "Related to Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1137.005", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1137.006", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1558.003", "score": 4, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service, Azure AD Identity Secure Score"}, {"techniqueID": "T1558.002", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1047", "score": 3, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure Defender for App Service"}, {"techniqueID": "T1552", "score": 7, "comment": "Related to Azure Sentinel, Azure Sentinel, Azure 
Dedicated HSM, Managed identities for Azure resources, Azure Defender for App Service, Azure AD Identity Secure Score, Azure Key Vault"}, {"techniqueID": "T1552.001", "score": 3, "comment": "Related to Azure Sentinel, Azure Sentinel, Managed identities for Azure resources"}, {"techniqueID": "T1552.004", "score": 2, "comment": "Related to Azure Sentinel, Azure Dedicated HSM"}, {"techniqueID": "T1590", "score": 3, "comment": "Related to Azure Sentinel, Azure Policy, Azure Firewall"}, {"techniqueID": "T1590.002", "score": 2, "comment": "Related to Azure Sentinel, Azure Policy"}, {"techniqueID": "T1134", "score": 3, "comment": "Related to Azure Sentinel, Azure Defender for App Service, Azure AD Identity Secure Score"}, {"techniqueID": "T1134.002", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1134.005", "score": 2, "comment": "Related to Azure Sentinel, Azure AD Identity Secure Score"}, {"techniqueID": "T1087.003", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1560", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1547.005", "score": 3, "comment": "Related to Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1547.009", "score": 2, "comment": "Related to Azure Sentinel, File Integrity Monitoring"}, {"techniqueID": "T1217", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1115", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1555.003", "score": 2, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity"}, {"techniqueID": "T1484", "score": 2, "comment": "Related to Azure Sentinel, Cloud App Security Policies"}, {"techniqueID": "T1484.001", "score": 2, "comment": "Related to Azure Sentinel, Cloud App Security Policies"}, {"techniqueID": "T1484.002", "score": 2, "comment": "Related to Azure Sentinel, Cloud App Security Policies"}, {"techniqueID": "T1041", "score": 2, "comment": "Related to Azure 
Sentinel, Azure DNS Analytics"}, {"techniqueID": "T1083", "score": 2, "comment": "Related to Azure Sentinel, Docker Host Hardening"}, {"techniqueID": "T1574", "score": 3, "comment": "Related to Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1574.001", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1574.007", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1574.008", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1574.009", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1056", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1056.001", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1056.004", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1557.001", "score": 4, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure Private Link, Azure VPN Gateway"}, {"techniqueID": "T1106", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1135", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1003.001", "score": 3, "comment": "Related to Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1057", "score": 2, "comment": "Related to Azure Sentinel, Azure Defender for App Service"}, {"techniqueID": "T1053.005", "score": 3, "comment": "Related to Azure Sentinel, File Integrity Monitoring, Azure Defender for App Service"}, {"techniqueID": "T1518", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1518.001", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1016", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1049", 
"score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1569", "score": 2, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity"}, {"techniqueID": "T1569.002", "score": 2, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity"}, {"techniqueID": "T1127", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1127.001", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1550", "score": 3, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure AD Identity Secure Score"}, {"techniqueID": "T1550.001", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1550.002", "score": 3, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity, Azure AD Identity Secure Score"}, {"techniqueID": "T1125", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1102", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1102.002", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1490", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1535", "score": 3, "comment": "Related to Azure Sentinel, Azure Policy, Cloud App Security Policies"}, {"techniqueID": "T1036", "score": 3, "comment": "Related to Azure Sentinel, Adaptive Application Controls, Azure Defender for App Service"}, {"techniqueID": "T1036.004", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1036.005", "score": 3, "comment": "Related to Azure Sentinel, Adaptive Application Controls, Azure Defender for App Service"}, {"techniqueID": "T1578", "score": 3, "comment": "Related to Azure Sentinel, Role Based Access Control, Cloud App Security Policies"}, {"techniqueID": "T1528", "score": 6, "comment": "Related to Azure Sentinel, Role Based Access Control, Cloud App Security Policies, Cloud App Security Policies, Azure AD Identity Secure Score, Azure Key Vault"}, {"techniqueID": "T1069.002", "score": 
2, "comment": "Related to Azure Sentinel, Microsoft Defender for Identity"}, {"techniqueID": "T1069.001", "score": 1, "comment": "Related to Azure Sentinel"}, {"techniqueID": "T1110.002", "score": 5, "comment": "Related to Azure AD Password Policy, Conditional Access, Azure AD Identity Secure Score, Azure Active Directory Password Protection, Passwordless Authentication"}, {"techniqueID": "T1201", "score": 1, "comment": "Related to Microsoft Defender for Identity"}, {"techniqueID": "T1550.003", "score": 2, "comment": "Related to Microsoft Defender for Identity, Azure AD Identity Secure Score"}, {"techniqueID": "T1558.004", "score": 2, "comment": "Related to Microsoft Defender for Identity, Azure AD Identity Secure Score"}, {"techniqueID": "T1207", "score": 1, "comment": "Related to Microsoft Defender for Identity"}, {"techniqueID": "T1003.006", "score": 1, "comment": "Related to Microsoft Defender for Identity"}, {"techniqueID": "T1003.003", "score": 1, "comment": "Related to Microsoft Defender for Identity"}, {"techniqueID": "T1556.001", "score": 1, "comment": "Related to Microsoft Defender for Identity"}, {"techniqueID": "T1036.006", "score": 1, "comment": "Related to Adaptive Application Controls"}, {"techniqueID": "T1036.001", "score": 1, "comment": "Related to Adaptive Application Controls"}, {"techniqueID": "T1553", "score": 3, "comment": "Related to Adaptive Application Controls, Azure Dedicated HSM, File Integrity Monitoring"}, {"techniqueID": "T1553.002", "score": 2, "comment": "Related to Adaptive Application Controls, Azure Dedicated HSM"}, {"techniqueID": "T1557.002", "score": 2, "comment": "Related to Azure Private Link, Azure VPN Gateway"}, {"techniqueID": "T1565.002", "score": 2, "comment": "Related to Azure Private Link, Azure VPN Gateway"}, {"techniqueID": "T1499.004", "score": 2, "comment": "Related to Azure Private Link, Azure Automation Update Management"}, {"techniqueID": "T1498.002", "score": 2, "comment": "Related to Azure Private Link, Azure 
DDOS Protection Standard"}, {"techniqueID": "T1498.001", "score": 2, "comment": "Related to Azure Private Link, Azure DDOS Protection Standard"}, {"techniqueID": "T1588", "score": 1, "comment": "Related to Azure Dedicated HSM"}, {"techniqueID": "T1588.004", "score": 1, "comment": "Related to Azure Dedicated HSM"}, {"techniqueID": "T1588.003", "score": 1, "comment": "Related to Azure Dedicated HSM"}, {"techniqueID": "T1553.004", "score": 2, "comment": "Related to Azure Dedicated HSM, File Integrity Monitoring"}, {"techniqueID": "T1195.002", "score": 1, "comment": "Related to Azure Automation Update Management"}, {"techniqueID": "T1584", "score": 2, "comment": "Related to Azure DNS Alias Records, Azure Defender for App Service"}, {"techniqueID": "T1584.001", "score": 2, "comment": "Related to Azure DNS Alias Records, Azure Defender for App Service"}, {"techniqueID": "T1098.003", "score": 4, "comment": "Related to Role Based Access Control, Azure AD Privileged Identity Management, Azure AD Privileged Identity Management, Cloud App Security Policies"}, {"techniqueID": "T1578.001", "score": 2, "comment": "Related to Role Based Access Control, Cloud App Security Policies"}, {"techniqueID": "T1578.002", "score": 2, "comment": "Related to Role Based Access Control, Cloud App Security Policies"}, {"techniqueID": "T1578.003", "score": 2, "comment": "Related to Role Based Access Control, Cloud App Security Policies"}, {"techniqueID": "T1578.004", "score": 2, "comment": "Related to Role Based Access Control, Cloud App Security Policies"}, {"techniqueID": "T1053.001", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1053.002", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1547.002", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1547.003", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1547.004", "score": 1, "comment": "Related to File 
Integrity Monitoring"}, {"techniqueID": "T1547.008", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1547.010", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1547.012", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1037", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1037.001", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1037.003", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1546.001", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1546.007", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1546.009", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1546.011", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1546.012", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1546.013", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1546.010", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1546.015", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1574.006", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1137.002", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1548.003", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1556.002", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1553.003", "score": 1, "comment": "Related to File Integrity Monitoring"}, {"techniqueID": "T1491", "score": 1, "comment": "Related to Azure Backup"}, {"techniqueID": "T1491.002", "score": 1, "comment": "Related to Azure Backup"}, {"techniqueID": "T1491.001", "score": 1, "comment": 
"Related to Azure Backup"}, {"techniqueID": "T1561", "score": 1, "comment": "Related to Azure Backup"}, {"techniqueID": "T1561.001", "score": 1, "comment": "Related to Azure Backup"}, {"techniqueID": "T1561.002", "score": 1, "comment": "Related to Azure Backup"}, {"techniqueID": "T1590.004", "score": 2, "comment": "Related to Azure Policy, Azure Firewall"}, {"techniqueID": "T1590.005", "score": 2, "comment": "Related to Azure Policy, Azure Firewall"}, {"techniqueID": "T1590.006", "score": 2, "comment": "Related to Azure Policy, Azure Firewall"}, {"techniqueID": "T1505.001", "score": 2, "comment": "Related to Azure Policy, SQL Vulnerability Assessment"}, {"techniqueID": "T1071.003", "score": 3, "comment": "Related to Azure Alerts for Network Layer, Cloud App Security Policies, Azure Network Traffic Analytics"}, {"techniqueID": "T1071.002", "score": 2, "comment": "Related to Azure Alerts for Network Layer, Azure Network Traffic Analytics"}, {"techniqueID": "T1204.001", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1566", "score": 4, "comment": "Related to Azure Defender for App Service, Microsoft Antimalware for Azure, Microsoft Antimalware for Azure, Azure DNS Analytics"}, {"techniqueID": "T1566.002", "score": 2, "comment": "Related to Azure Defender for App Service, Azure DNS Analytics"}, {"techniqueID": "T1594", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1055.008", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1055.009", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1055.014", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1559", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1559.001", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1559.002", "score": 1, "comment": "Related to 
Azure Defender for App Service"}, {"techniqueID": "T1123", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1005", "score": 2, "comment": "Related to Azure Defender for App Service, Docker Host Hardening"}, {"techniqueID": "T1027.005", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1012", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1552.002", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1552.006", "score": 1, "comment": "Related to Azure Defender for App Service"}, {"techniqueID": "T1074.002", "score": 1, "comment": "Related to Conditional Access"}, {"techniqueID": "T1187", "score": 2, "comment": "Related to Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1213.001", "score": 2, "comment": "Related to Cloud App Security Policies, Cloud App Security Policies"}, {"techniqueID": "T1098.002", "score": 1, "comment": "Related to Cloud App Security Policies"}, {"techniqueID": "T1534", "score": 1, "comment": "Related to Cloud App Security Policies"}, {"techniqueID": "T1566.001", "score": 2, "comment": "Related to Microsoft Antimalware for Azure, Microsoft Antimalware for Azure"}, {"techniqueID": "T1027.002", "score": 2, "comment": "Related to Microsoft Antimalware for Azure, Microsoft Antimalware for Azure"}, {"techniqueID": "T1568.001", "score": 2, "comment": "Related to Azure DNS Analytics, Alerts for DNS"}, {"techniqueID": "T1595.001", "score": 1, "comment": "Related to Azure Firewall"}, {"techniqueID": "T1008", "score": 1, "comment": "Related to Azure Firewall"}, {"techniqueID": "T1572", "score": 1, "comment": "Related to Alerts for DNS"}, {"techniqueID": "T1563.001", "score": 1, "comment": "Related to Azure Network Traffic Analytics"}, {"techniqueID": "T1548.001", "score": 1, "comment": "Related to Docker Host Hardening"}], "gradient": {"colors": ["#ffe766", "#ffaf66"], 
"minValue": 1, "maxValue": 18}} \ No newline at end of file
diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings.yaml b/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings.yaml
index 72eda332..a39c0ce8 100644
--- a/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings.yaml
+++ b/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings.yaml
@@ -11,7 +11,7 @@ attack-objects:
 - https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage
 - https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information
 - https://assets.virustotal.com/vt-360-outcomes.pdf
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Significant
 tags:
@@ -30,7 +30,7 @@ attack-objects:
 - https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage
 - https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information
 - https://assets.virustotal.com/vt-360-outcomes.pdf
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -49,7 +49,7 @@ attack-objects:
 - https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage
 - https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information
 - https://assets.virustotal.com/vt-360-outcomes.pdf
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Significant
 tags:
@@ -68,7 +68,7 @@ attack-objects:
 - https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage
 - https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information
 - https://assets.virustotal.com/vt-360-outcomes.pdf
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Significant
 tags:
@@ -87,7 +87,7 @@ attack-objects:
 - https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage
 - https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information
 - https://assets.virustotal.com/vt-360-outcomes.pdf
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Significant
 tags:
@@ -102,7 +102,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Significant
 tags:
@@ -116,7 +116,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/kms/docs/hsm
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -131,7 +131,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/kms/docs/hsm
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -146,7 +146,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/kms/docs/hsm
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -161,7 +161,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/kms/docs/hsm
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -176,7 +176,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/kms/docs/hsm
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -191,7 +191,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/kms/docs/hsm
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -206,7 +206,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/kms/docs/hsm
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -220,7 +220,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/certificate-authority-service/docs
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Minimal
 tags:
@@ -234,7 +234,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/asset-inventory/docs/overview
- related-score: false
+ related-score: ''
 score-category: Detect
 score-value: Partial
 tags:
@@ -248,7 +248,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/asset-inventory/docs/overview
- related-score: false
+ related-score: ''
 score-category: Detect
 score-value: Partial
 tags:
@@ -262,7 +262,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/asset-inventory/docs/overview
- related-score: false
+ related-score: ''
 score-category: Detect
 score-value: Partial
 tags:
@@ -276,7 +276,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/asset-inventory/docs/overview
- related-score: false
+ related-score: ''
 score-category: Detect
 score-value: Partial
 tags:
@@ -292,7 +292,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/iap
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Minimal
 tags:
@@ -308,7 +308,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/iap
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Minimal
 tags:
@@ -324,7 +324,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/iap
- related-score: false
+ related-score: ''
 score-category: Detect
 score-value: Partial
 tags:
@@ -340,7 +340,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/iap
- related-score: false
+ related-score: ''
 score-category: Detect
 score-value: Minimal
 tags:
@@ -356,7 +356,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/iap
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -372,7 +372,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/iap
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -388,7 +388,7 @@ attack-objects:
 mapping-type: technique-scores
 references:
 - https://cloud.google.com/iap
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -404,7 +404,7 @@ attack-objects:
 references:
 - https://cloud.google.com/container-analysis/docs/container-analysis
 - https://cloud.google.com/container-analysis/docs/container-scanning-overview
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -421,7 +421,7 @@ attack-objects:
 references:
 - https://cloud.google.com/container-analysis/docs/container-analysis
 - https://cloud.google.com/container-analysis/docs/container-scanning-overview
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -438,7 +438,7 @@ attack-objects:
 references:
 - https://cloud.google.com/container-analysis/docs/container-analysis
 - https://cloud.google.com/container-analysis/docs/container-scanning-overview
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -455,7 +455,7 @@ attack-objects:
 references:
 - https://cloud.google.com/container-analysis/docs/container-analysis
 - https://cloud.google.com/container-analysis/docs/container-scanning-overview
- related-score: false
+ related-score: ''
 score-category: Protect
 score-value: Partial
 tags:
@@ -472,7 +472,7 @@ attack-objects: references: - https://cloud.google.com/container-analysis/docs/container-analysis - https://cloud.google.com/container-analysis/docs/container-scanning-overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -489,7 +489,7 @@ attack-objects: references: - https://cloud.google.com/container-analysis/docs/container-analysis - https://cloud.google.com/container-analysis/docs/container-scanning-overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -506,7 +506,7 @@ attack-objects: references: - https://cloud.google.com/container-analysis/docs/container-analysis - https://cloud.google.com/container-analysis/docs/container-scanning-overview - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -523,7 +523,7 @@ attack-objects: references: - https://cloud.google.com/container-analysis/docs/container-analysis - https://cloud.google.com/container-analysis/docs/container-scanning-overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -540,7 +540,7 @@ attack-objects: references: - https://cloud.google.com/container-analysis/docs/container-analysis - https://cloud.google.com/container-analysis/docs/container-scanning-overview - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -557,7 +557,7 @@ attack-objects: references: - https://cloud.google.com/kubernetes-engine/docs/concepts/access-control - https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -573,7 +573,7 @@ attack-objects: references: - https://cloud.google.com/kubernetes-engine/docs/concepts/access-control - https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -589,7 +589,7 @@ attack-objects: references: - https://cloud.google.com/kubernetes-engine/docs/concepts/access-control - https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -605,7 +605,7 @@ attack-objects: references: - https://cloud.google.com/kubernetes-engine/docs/concepts/access-control - https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -621,7 +621,7 @@ attack-objects: references: - https://cloud.google.com/kubernetes-engine/docs/concepts/access-control - https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -637,7 +637,7 @@ attack-objects: references: - https://cloud.google.com/kubernetes-engine/docs/concepts/access-control - https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -653,7 +653,7 @@ attack-objects: references: - https://cloud.google.com/kubernetes-engine/docs/concepts/access-control - https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -674,7 +674,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -697,7 +697,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -720,7 +720,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -743,7 +743,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -766,7 +766,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -789,7 +789,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -812,7 +812,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -835,7 +835,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -858,7 +858,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -881,7 +881,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -904,7 +904,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -927,7 +927,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -950,7 +950,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -973,7 +973,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -996,7 +996,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -1019,7 +1019,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -1042,7 +1042,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -1065,7 +1065,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -1088,7 +1088,7 @@ attack-objects: references: - https://cloud.google.com/intrusion-detection-system - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -1104,7 +1104,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1121,7 +1121,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -1138,7 +1138,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1155,7 +1155,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1172,7 +1172,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -1189,7 +1189,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1206,7 +1206,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -1223,7 +1223,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1240,7 +1240,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -1257,7 +1257,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1274,7 +1274,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1291,7 +1291,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1308,7 +1308,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -1325,7 +1325,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1342,7 +1342,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1359,7 +1359,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1376,7 +1376,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1394,7 +1394,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -1408,7 +1408,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1422,7 +1422,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1436,7 +1436,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1450,7 +1450,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -1464,7 +1464,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -1478,7 +1478,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -1492,7 +1492,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -1506,7 +1506,7 @@ attack-objects: mapping-type: technique-scores references: - https://www.actifio.com/solutions/cloud/google/ - related-score: false + related-score: '' score-category: Respond score-value: Significant tags: @@ -1519,7 +1519,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1536,7 +1536,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1553,7 +1553,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -1570,7 +1570,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1587,7 +1587,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1604,7 +1604,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1621,7 +1621,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1638,7 +1638,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1655,7 +1655,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1672,7 +1672,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1689,7 +1689,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -1706,7 +1706,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1723,7 +1723,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1740,7 +1740,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1757,7 +1757,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1774,7 +1774,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1791,7 +1791,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1808,7 +1808,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1825,7 +1825,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -1842,7 +1842,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -1859,7 +1859,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1876,7 +1876,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1893,7 +1893,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1910,7 +1910,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1927,7 +1927,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1944,7 +1944,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity-platform/docs/concepts - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -1963,7 +1963,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -1980,7 +1980,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -1997,7 +1997,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -2014,7 +2014,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2031,7 +2031,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2048,7 +2048,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2065,7 +2065,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2082,7 +2082,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2099,7 +2099,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2116,7 +2116,7 @@ attack-objects: mapping-type: technique-scores references: - 'https://cloud.google.com/anthos-config-management/ ' - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2131,7 +2131,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/web-risk/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2144,7 +2144,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/web-risk/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2157,7 +2157,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/web-risk/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2170,7 +2170,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/web-risk/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2183,7 +2183,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/cdn/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2199,7 +2199,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2214,7 +2214,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -2229,7 +2229,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2244,7 +2244,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2259,7 +2259,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2274,7 +2274,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -2289,7 +2289,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2304,7 +2304,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -2319,7 +2319,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -2334,7 +2334,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/beyondcorp-enterprise/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -2348,7 +2348,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2363,7 +2363,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2378,7 +2378,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2393,7 +2393,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2408,7 +2408,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2423,7 +2423,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2438,7 +2438,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2453,7 +2453,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2468,7 +2468,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -2483,7 +2483,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2498,7 +2498,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2513,7 +2513,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/identity - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -2528,7 +2528,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/armor - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2542,7 +2542,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/armor - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2556,7 +2556,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/armor - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2570,7 +2570,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/armor - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2584,7 +2584,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/armor - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2598,7 +2598,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/armor - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2612,7 +2612,7 @@ attack-objects: mapping-type: technique-scores references: - https://support.google.com/a/answer/1734200?hl=en - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2626,7 +2626,7 @@ attack-objects: mapping-type: technique-scores references: - https://support.google.com/a/answer/1734200?hl=en - related-score: false + related-score: '' score-category: Respond score-value: Partial tags: @@ -2640,7 +2640,7 @@ attack-objects: mapping-type: technique-scores references: - https://support.google.com/a/answer/1734200?hl=en - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2654,7 +2654,7 @@ attack-objects: mapping-type: technique-scores references: - https://support.google.com/a/answer/1734200?hl=en - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2668,7 +2668,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2682,7 +2682,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2696,7 +2696,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2710,7 +2710,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2724,7 +2724,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2738,7 +2738,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2752,7 +2752,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -2765,7 +2765,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2778,7 +2778,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2791,7 +2791,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2804,7 +2804,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2817,7 +2817,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -2830,7 +2830,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2843,7 +2843,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -2856,7 +2856,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -2869,7 +2869,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/security-key-management - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -2882,7 +2882,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/titan-security-key#section-3 - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -2900,7 +2900,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -2920,7 +2920,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -2940,7 +2940,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -2960,7 +2960,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -2980,7 +2980,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3000,7 +3000,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3020,7 +3020,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3040,7 +3040,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3060,7 +3060,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3080,7 +3080,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3100,7 +3100,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3120,7 +3120,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3140,7 +3140,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3160,7 +3160,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3180,7 +3180,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3200,7 +3200,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3220,7 +3220,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3240,7 +3240,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3260,7 +3260,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3280,7 +3280,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3300,7 +3300,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3320,7 +3320,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3340,7 +3340,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3360,7 +3360,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3380,7 +3380,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3400,7 +3400,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3420,7 +3420,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3440,7 +3440,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3460,7 +3460,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3480,7 +3480,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3500,7 +3500,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3520,7 +3520,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3540,7 +3540,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3560,7 +3560,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3580,7 +3580,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3600,7 +3600,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3620,7 +3620,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3640,7 +3640,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3660,7 +3660,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3680,7 +3680,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3700,7 +3700,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3720,7 +3720,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3740,7 +3740,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3760,7 +3760,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3780,7 +3780,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3800,7 +3800,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3820,7 +3820,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3840,7 +3840,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3860,7 +3860,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3880,7 +3880,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3900,7 +3900,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -3920,7 +3920,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3940,7 +3940,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3960,7 +3960,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -3980,7 +3980,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4000,7 +4000,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4020,7 +4020,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4040,7 +4040,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4060,7 +4060,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4080,7 +4080,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4100,7 +4100,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4120,7 +4120,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4140,7 +4140,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4160,7 +4160,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4180,7 +4180,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4200,7 +4200,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4220,7 +4220,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4240,7 +4240,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4260,7 +4260,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4280,7 +4280,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4300,7 +4300,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4320,7 +4320,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4340,7 +4340,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4360,7 +4360,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4380,7 +4380,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4400,7 +4400,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4420,7 +4420,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4440,7 +4440,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4460,7 +4460,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4480,7 +4480,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4500,7 +4500,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4520,7 +4520,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4540,7 +4540,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4560,7 +4560,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4580,7 +4580,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4600,7 +4600,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4620,7 +4620,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4640,7 +4640,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4660,7 +4660,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4680,7 +4680,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4700,7 +4700,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4720,7 +4720,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4740,7 +4740,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4760,7 +4760,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4780,7 +4780,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4800,7 +4800,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4820,7 +4820,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4840,7 +4840,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4860,7 +4860,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -4880,7 +4880,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4900,7 +4900,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4920,7 +4920,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4940,7 +4940,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4960,7 +4960,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -4980,7 +4980,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -5000,7 +5000,7 @@ attack-objects: references: - https://cloud.google.com/chronicle/docs/overview - https://github.com/chronicle/detection-rules - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -5016,7 +5016,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: 
@@ -5030,7 +5030,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -5044,7 +5044,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/shielded-vm/docs/shielded-vm - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5057,7 +5057,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/shielded-vm/docs/shielded-vm - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5074,7 +5074,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5093,7 +5093,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5112,7 +5112,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5131,7 +5131,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5150,7 +5150,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -5169,7 +5169,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5188,7 +5188,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5207,7 +5207,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5226,7 +5226,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5245,7 +5245,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5264,7 +5264,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5283,7 +5283,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5302,7 +5302,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5321,7 +5321,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -5340,7 +5340,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -5359,7 +5359,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5378,7 +5378,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5397,7 +5397,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -5416,7 +5416,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5435,7 +5435,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5454,7 +5454,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -5473,7 +5473,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/firewalls - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -5500,7 +5500,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5527,7 +5527,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5554,7 +5554,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5581,7 +5581,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5608,7 +5608,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5635,7 +5635,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -5662,7 +5662,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5689,7 +5689,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5716,7 +5716,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5743,7 +5743,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5770,7 +5770,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5797,7 +5797,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -5824,7 +5824,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5851,7 +5851,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5878,7 +5878,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5905,7 +5905,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -5932,7 +5932,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -5959,7 +5959,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -5986,7 +5986,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -6013,7 +6013,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6040,7 +6040,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6067,7 +6067,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6094,7 +6094,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6121,7 +6121,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: 
@@ -6148,7 +6148,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6175,7 +6175,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6202,7 +6202,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6229,7 +6229,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6256,7 +6256,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -6283,7 +6283,7 @@ attack-objects: references: - https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview - https://github.com/GoogleCloudPlatform/security-analytics - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: 
@@ -6300,7 +6300,7 @@ attack-objects: references: - https://cloud.google.com/storage/docs/encryption - https://cloud.google.com/storage - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6318,7 +6318,7 @@ attack-objects: references: - https://cloud.google.com/storage/docs/encryption - https://cloud.google.com/storage - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6336,7 +6336,7 @@ attack-objects: references: - https://cloud.google.com/storage/docs/encryption - https://cloud.google.com/storage - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6354,7 +6354,7 @@ attack-objects: references: - https://cloud.google.com/storage/docs/encryption - https://cloud.google.com/storage - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6370,7 +6370,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/dlp/docs - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6385,7 +6385,7 @@ attack-objects: references: - https://cloud.google.com/binary-authorization/docs/overview - https://cloud.google.com/binary-authorization/docs/attestations - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6400,7 +6400,7 @@ attack-objects: references: - https://cloud.google.com/binary-authorization/docs/overview - https://cloud.google.com/binary-authorization/docs/attestations - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6415,7 +6415,7 @@ attack-objects: references: - https://cloud.google.com/binary-authorization/docs/overview - https://cloud.google.com/binary-authorization/docs/attestations - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -6430,7 +6430,7 @@ attack-objects: references: - https://cloud.google.com/binary-authorization/docs/overview - https://cloud.google.com/binary-authorization/docs/attestations - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6445,7 +6445,7 @@ attack-objects: references: - https://cloud.google.com/binary-authorization/docs/overview - https://cloud.google.com/binary-authorization/docs/attestations - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6460,7 +6460,7 @@ attack-objects: references: - https://cloud.google.com/binary-authorization/docs/overview - https://cloud.google.com/binary-authorization/docs/attestations - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6475,7 +6475,7 @@ attack-objects: references: - https://cloud.google.com/binary-authorization/docs/overview - https://cloud.google.com/binary-authorization/docs/attestations - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6490,7 +6490,7 @@ attack-objects: references: - https://cloud.google.com/binary-authorization/docs/overview - https://cloud.google.com/binary-authorization/docs/attestations - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6503,7 +6503,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6517,7 +6517,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -6531,7 +6531,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6545,7 +6545,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6559,7 +6559,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6573,7 +6573,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6587,7 +6587,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6601,7 +6601,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6615,7 +6615,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6629,7 +6629,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -6643,7 +6643,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6657,7 +6657,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6671,7 +6671,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6685,7 +6685,7 @@ attack-objects: mapping-type: technique-scores references: - https://landing.google.com/advancedprotection/ - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6699,7 +6699,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/secret-manager/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6712,7 +6712,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/secret-manager/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6725,7 +6725,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/secret-manager/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6738,7 +6738,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/secret-manager/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -6751,7 +6751,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6765,7 +6765,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6779,7 +6779,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6793,7 +6793,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6807,7 +6807,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6821,7 +6821,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6835,7 +6835,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6849,7 +6849,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: 
@@ -6863,7 +6863,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6877,7 +6877,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -6891,7 +6891,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6905,7 +6905,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6919,7 +6919,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6933,7 +6933,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -6947,7 +6947,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -6961,7 +6961,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -6977,7 +6977,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -6993,7 +6993,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7009,7 +7009,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7025,7 +7025,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7041,7 +7041,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7057,7 +7057,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7073,7 +7073,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7089,7 +7089,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7105,7 +7105,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -7121,7 +7121,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7137,7 +7137,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Detect score-value: Minimal tags: @@ -7153,7 +7153,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7169,7 +7169,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7185,7 +7185,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7201,7 +7201,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7217,7 +7217,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7233,7 +7233,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/policy-intelligence - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7249,7 +7249,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/recaptcha-enterprise - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -7263,7 +7263,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/recaptcha-enterprise - related-score: false + related-score: '' score-category: Detect score-value: Significant tags: @@ -7277,7 +7277,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/recaptcha-enterprise - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7291,7 +7291,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -7306,7 +7306,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -7321,7 +7321,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Significant tags: @@ -7336,7 +7336,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7351,7 +7351,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/vpc-service-controls/docs/overview - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7367,7 +7367,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -7385,7 +7385,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7403,7 +7403,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -7421,7 +7421,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -7439,7 +7439,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7457,7 +7457,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: @@ -7475,7 +7475,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7493,7 +7493,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7511,7 +7511,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: @@ -7529,7 +7529,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/iam - related-score: false + related-score: '' score-category: Protect score-value: Minimal tags: 
@@ -7547,7 +7547,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/docs/vm-manager - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7564,7 +7564,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/docs/vm-manager - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7581,7 +7581,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/docs/vm-manager - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7598,7 +7598,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/docs/vm-manager - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7615,7 +7615,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/docs/vm-manager - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7632,7 +7632,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/docs/vm-manager - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7649,7 +7649,7 @@ attack-objects: mapping-type: technique-scores references: - https://cloud.google.com/compute/docs/vm-manager - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7668,7 +7668,7 @@ attack-objects: references: - https://cloud.google.com/container-registry/docs/container-analysis - https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: 
@@ -7685,7 +7685,7 @@ attack-objects: references: - https://cloud.google.com/container-registry/docs/container-analysis - https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7702,7 +7702,7 @@ attack-objects: references: - https://cloud.google.com/container-registry/docs/container-analysis - https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7719,7 +7719,7 @@ attack-objects: references: - https://cloud.google.com/container-registry/docs/container-analysis - https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr - related-score: false + related-score: '' score-category: Protect score-value: Partial tags: @@ -7736,7 +7736,7 @@ attack-objects: references: - https://cloud.google.com/container-registry/docs/container-analysis - https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr - related-score: false + related-score: '' score-category: Detect score-value: Partial tags: diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_attack-objects.csv b/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_attack-objects.csv index a6e90268..182b1fc4 100644 --- a/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_attack-objects.csv +++ b/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_attack-objects.csv 
@@ -1,543 +1,543 @@ ,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,score-category,score-value,related-score,metadata_key -0,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566,Phishing,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,False,1 -1,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566.001,Spearphishing Attachment,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Partial,False,1 -2,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1059,Command and Scripting Interpreter,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,False,1 -3,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., 
real-time).",T1598.003,Spearphishing Link,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,False,1 -4,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566.002,Spearphishing Link,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,False,1 -5,,T1565.003,Runtime Data Manipulation,['https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features'],['Encryption'],,Confidential VM and Compute Engine,technique-scores,Protect,Significant,False,1 -6,This control provides a secure alternative to storing encryption keys in the file system.,T1552,Unsecured Credentials,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,False,1 -7,This control provides a secure alternative to storing encryption keys in the file system.,T1553,Subvert Trust Controls,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,False,1 -8,This control provides a secure alternative to storing encryption keys in the file system.,T1588.003,Code Signing Certificates,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module 
(HSM),technique-scores,Protect,Partial,False,1 -9,This control provides a secure alternative to storing encryption keys in the file system.,T1588.004,Digital Certificates,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,False,1 -10,This control provides a secure alternative to storing encryption keys in the file system.,T1552.004,Private Keys,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,False,1 -11,This control provides a secure alternative to storing encryption keys in the file system.,T1552.001,Credentials In Files,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,False,1 -12,This control provides a secure alternative to storing encryption keys in the file system.,T1588,Obtain Capabilities,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,False,1 -13,,T1040,Network Sniffing,['https://cloud.google.com/certificate-authority-service/docs'],"['Certificate Service', 'Network']",,Certificate Authority Service,technique-scores,Protect,Minimal,False,1 -14,,T1098,Account Manipulation,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,False,1 -15,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,False,1 -16,,T1078,Valid Accounts,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,False,1 -17,,T1078.004,Cloud 
Accounts,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,False,1 -18,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1550.001,Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Minimal,False,1 -19,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1528,Steal Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Minimal,False,1 -20,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1528,Steal Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Detect,Partial,False,1 -21,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Detect,Minimal,False,1 -22,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1078,Valid Accounts,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,False,1 -23,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1078.004,Cloud 
Accounts,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,False,1 -24,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1190,Exploit Public-Facing Application,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,False,1 -25,This control may provide information about software vulnerabilities in the environment. ,T1190,Exploit Public-Facing Application,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,False,1 -26,This control may provide information about software vulnerabilities in the environment. ,T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,False,1 -27,This control may provide information about software vulnerabilities in the environment. ,T1203,Exploitation for Client Execution,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,False,1 -28,This control may provide information about software vulnerabilities in the environment. 
,T1210,Exploitation of Remote Services,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,False,1 -29,This control may provide information about software vulnerabilities in the environment. ,T1525,Implant Internal Image,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,False,1 -30,This control may provide information about software vulnerabilities in the environment. ,T1610,Deploy Container,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,False,1 -31,This control may provide information about software vulnerabilities in the environment. ,T1072,Software Deployment Tools,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Minimal,False,1 -32,This control may provide information about software vulnerabilities in the environment. ,T1211,Exploitation for Defense Evasion,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,False,1 -33,This control may provide information about software vulnerabilities in the environment. 
,T1212,Exploitation for Credential Access,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Detect,Significant,False,1 -34,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1613,Container and Resource Discovery,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,False,1 -35,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1611,Escape to Host,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,False,1 -36,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1611,Escape to Host,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Detect,Partial,False,1 -37,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1610,Deploy Container,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes 
Engine,technique-scores,Protect,Partial,False,1 -38,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1053.007,Container Orchestration Job,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,False,1 -39,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1609,Container Administration Command,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,False,1 -40,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1525,Implant Internal Image,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Detect,Partial,False,1 +0,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566,Phishing,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,,1 +1,"This mapping was scored as significant due to the control’s high threat protection coverage 
to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566.001,Spearphishing Attachment,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Partial,,1 +2,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1059,Command and Scripting Interpreter,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,,1 +3,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1598.003,Spearphishing Link,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,,1 +4,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566.002,Spearphishing Link,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 
'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,,1 +5,,T1565.003,Runtime Data Manipulation,['https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features'],['Encryption'],,Confidential VM and Compute Engine,technique-scores,Protect,Significant,,1 +6,This control provides a secure alternative to storing encryption keys in the file system.,T1552,Unsecured Credentials,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +7,This control provides a secure alternative to storing encryption keys in the file system.,T1553,Subvert Trust Controls,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +8,This control provides a secure alternative to storing encryption keys in the file system.,T1588.003,Code Signing Certificates,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +9,This control provides a secure alternative to storing encryption keys in the file system.,T1588.004,Digital Certificates,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +10,This control provides a secure alternative to storing encryption keys in the file system.,T1552.004,Private Keys,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +11,This control provides a secure alternative to storing encryption keys in the file system.,T1552.001,Credentials In Files,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module 
(HSM),technique-scores,Protect,Partial,,1 +12,This control provides a secure alternative to storing encryption keys in the file system.,T1588,Obtain Capabilities,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +13,,T1040,Network Sniffing,['https://cloud.google.com/certificate-authority-service/docs'],"['Certificate Service', 'Network']",,Certificate Authority Service,technique-scores,Protect,Minimal,,1 +14,,T1098,Account Manipulation,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,,1 +15,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,,1 +16,,T1078,Valid Accounts,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,,1 +17,,T1078.004,Cloud Accounts,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,,1 +18,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1550.001,Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Minimal,,1 +19,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1528,Steal Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Minimal,,1 +20,This mapping was scored as Partial due the control's low to medium threat protection 
fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1528,Steal Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Detect,Partial,,1 +21,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Detect,Minimal,,1 +22,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1078,Valid Accounts,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,,1 +23,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1078.004,Cloud Accounts,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,,1 +24,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1190,Exploit Public-Facing Application,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,,1 +25,This control may provide information about software vulnerabilities in the environment. ,T1190,Exploit Public-Facing Application,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +26,This control may provide information about software vulnerabilities in the environment. 
,T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +27,This control may provide information about software vulnerabilities in the environment. ,T1203,Exploitation for Client Execution,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +28,This control may provide information about software vulnerabilities in the environment. ,T1210,Exploitation of Remote Services,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +29,This control may provide information about software vulnerabilities in the environment. ,T1525,Implant Internal Image,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +30,This control may provide information about software vulnerabilities in the environment. ,T1610,Deploy Container,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +31,This control may provide information about software vulnerabilities in the environment. 
,T1072,Software Deployment Tools,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Minimal,,1 +32,This control may provide information about software vulnerabilities in the environment. ,T1211,Exploitation for Defense Evasion,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +33,This control may provide information about software vulnerabilities in the environment. ,T1212,Exploitation for Credential Access,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Detect,Significant,,1 +34,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1613,Container and Resource Discovery,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +35,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1611,Escape to Host,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +36,This control provides 
information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1611,Escape to Host,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Detect,Partial,,1 +37,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1610,Deploy Container,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +38,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1053.007,Container Orchestration Job,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +39,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1609,Container Administration Command,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +40,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1525,Implant Internal Image,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 
'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Detect,Partial,,1 41,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). -The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137,Office Application Startup,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137,Office Application Startup,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 42,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1546.006,LC_LOAD_DYLIB Addition,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1546.006,LC_LOAD_DYLIB Addition,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 43,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1204.002,Malicious File,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1204.002,Malicious File,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 44,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1055.002,Portable Executable Injection,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1055.002,Portable Executable Injection,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 45,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1221,Template Injection,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1221,Template Injection,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 46,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1505.003,Web Shell,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1505.003,Web Shell,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 47,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1204.003,Malicious Image,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1204.003,Malicious Image,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 48,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1048,Exfiltration Over Alternative Protocol,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1048,Exfiltration Over Alternative Protocol,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 49,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1041,Exfiltration Over C2 Channel,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1041,Exfiltration Over C2 Channel,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 50,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1567,Exfiltration Over Web Service,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1567,Exfiltration Over Web Service,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 51,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1567.002,Exfiltration to Cloud Storage,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1567.002,Exfiltration to Cloud Storage,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 52,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1020,Automated Exfiltration,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1020,Automated Exfiltration,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 53,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1110,Brute Force,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1110,Brute Force,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 54,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1499,Endpoint Denial of Service,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1499,Endpoint Denial of Service,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 55,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1499.003,Application Exhaustion Flood,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1499.003,Application Exhaustion Flood,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 56,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 57,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1566.002,Spearphishing Link,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1566.002,Spearphishing Link,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 58,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137.006,Add-ins,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137.006,Add-ins,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 59,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
-The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137.001,Office Template Macros,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,False,1 -60,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Significant,False,1 -61,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,False,1 -62,,T1562,Impair Defenses,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,False,1 -63,,T1562.007,Disable or Modify Cloud Firewall,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,False,1 -64,,T1562.007,Disable or Modify Cloud Firewall,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration 
Management']",,ResourceManager,technique-scores,Detect,Partial,False,1 -65,,T1562.008,Disable Cloud Logs,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,False,1 -66,,T1087,Account Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,False,1 -67,,T1087.004,Cloud Account,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,False,1 -68,,T1087.004,Cloud Account,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,False,1 -69,,T1613,Container and Resource Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,False,1 -70,,T1552.007,Container API,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,False,1 -71,,T1098,Account Manipulation,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,False,1 -72,,T1098.001,Additional Cloud 
Credentials,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,False,1 -73,,T1078,Valid Accounts,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,False,1 -74,,T1078.004,Cloud Accounts,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,False,1 -75,,T1562.001,Disable or Modify Tools,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,False,1 -76,,T1562.002,Disable Windows Event Logging,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,False,1 -77,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1565,Data Manipulation,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,False,1 -78,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1040,Network Sniffing,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Protect,Minimal,False,1 -79,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1552,Unsecured Credentials,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio 
Go,technique-scores,Protect,Partial,False,1 -80,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1110,Brute Force,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Protect,Partial,False,1 -81,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1485,Data Destruction,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,False,1 -82,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1486,Data Encrypted for Impact,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,False,1 -83,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1491,Defacement,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,False,1 -84,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1561,Disk Wipe,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,False,1 -85,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1490,Inhibit System Recovery,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,False,1 -86,,T1098,Account Manipulation,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -87,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access 
Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -88,,T1110,Brute Force,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -89,,T1110.001,Password Guessing,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -90,,T1110.002,Password Cracking,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -91,,T1078,Valid Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,False,1 -92,,T1078.004,Cloud Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,False,1 -93,,T1078.003,Local Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,False,1 -94,,T1110.003,Password Spraying,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -95,,T1136,Create Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access 
Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -96,,T1136.003,Cloud Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -97,,T1087,Account Discovery,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,False,1 -98,,T1087.004,Cloud Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,False,1 -99,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,False,1 -100,,T1528,Steal Application Access Token,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,False,1 -101,,T1550,Use Alternate Authentication Material,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,False,1 -102,,T1550.001,Application Access Token,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,False,1 -103,,T1562,Impair Defenses,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 
'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,False,1 -104,,T1562.008,Disable Cloud Logs,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,False,1 -105,,T1556,Modify Authentication Process,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,False,1 -106,,T1087.002,Domain Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,False,1 -107,,T1098.002,Exchange Email Delegate Permissions,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -108,,T1098.003,Add Office 365 Global Administrator Role,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -109,,T1098.004,SSH Authorized Keys,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -110,,T1136.001,Local Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -111,,T1136.002,Domain 
Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,False,1 -112,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1552.007,Container API,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,False,1 -113,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1525,Implant Internal Image,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,False,1 -114,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1525,Implant Internal Image,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Detect,Partial,False,1 -115,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1609,Container Administration Command,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,False,1 -116,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1610,Deploy Container,['https://cloud.google.com/anthos-config-management/ 
'],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,False,1 -117,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1613,Container and Resource Discovery,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Significant,False,1 -118,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1611,Escape to Host,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,False,1 -119,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078,Valid Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,False,1 -120,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078.001,Default Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,False,1 -121,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078.004,Cloud Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,False,1 
-122,,T1566,Phishing,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,False,1 -123,,T1598,Phishing for Information,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,False,1 -124,,T1204.001,Malicious Link,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,False,1 -125,,T1598.003,Spearphishing Link,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,False,1 -126,,T1498,Network Denial of Service,['https://cloud.google.com/cdn/docs/overview'],"['Containers', 'Kubernetes', 'Logging']",,Cloud CDN,technique-scores,Protect,Partial,False,1 -127,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1048,Exfiltration Over Alternative Protocol,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,False,1 -128,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1567,Exfiltration Over Web Service,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,False,1 -129,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1567.002,Exfiltration to Cloud Storage,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,False,1 -130,"This solution was rated as significant due to the control’s high threat protection coverage and 
temporal factors (e.g., real-time, periodical).",T1133,External Remote Services,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Partial,False,1 -131,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1189,Drive-by Compromise,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Partial,False,1 -132,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566.001,Spearphishing Attachment,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Minimal,False,1 -133,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566,Phishing,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,False,1 -134,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566,Phishing,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Significant,False,1 -135,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1071.001,Web Protocols,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss 
Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Significant,False,1 -136,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1530,Data from Cloud Storage Object,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,False,1 -137,,T1110,Brute Force,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,False,1 -138,,T1110.003,Password Spraying,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,False,1 -139,,T1078,Valid Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,False,1 -140,,T1078.004,Cloud Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,False,1 -141,,T1110.001,Password Guessing,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,False,1 -142,,T1110.002,Password Cracking,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,False,1 -143,,T1110.004,Credential Stuffing,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,False,1 -144,,T1078.002,Domain Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,False,1 
-145,,T1021.004,SSH,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Detect,Minimal,False,1 -146,,T1213.003,Code Repositories,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,False,1 -147,,T1213,Data from Information Repositories,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,False,1 -148,,T1133,External Remote Services,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Minimal,False,1 -149,,T1090,Proxy,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,False,1 -150,,T1190,Exploit Public-Facing Application,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,False,1 -151,,T1498,Network Denial of Service,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,False,1 -152,,T1499,Endpoint Denial of Service,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,False,1 -153,,T1018,Remote System Discovery,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,False,1 -154,,T1046,Network Service Scanning,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,False,1 -155,,T1110,Brute Force,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Protect,Partial,False,1 -156,,T1078,Valid Accounts,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint 
Management,technique-scores,Respond,Partial,False,1 -157,,T1052.001,Exfiltration over USB,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Protect,Partial,False,1 -158,,T1567.002,Exfiltration to Cloud Storage,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Protect,Partial,False,1 -159,,T1040,Network Sniffing,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Significant,False,1 -160,,T1557,Adversary-in-the-Middle,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Significant,False,1 -161,,T1565,Data Manipulation,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,False,1 -162,,T1565.002,Transmitted Data Manipulation,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,False,1 -163,,T1557.002,ARP Cache Poisoning,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,False,1 -164,,T1133,External Remote Services,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,False,1 -165,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552,Unsecured Credentials,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,False,1 -166,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.005,Cloud Instance Metadata 
API,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Significant,False,1 -167,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588,Obtain Capabilities,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,False,1 -168,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1553,Subvert Trust Controls,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Significant,False,1 -169,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1555,Credentials from Password Stores,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,False,1 -170,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1528,Steal Application Access Token,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,False,1 -171,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588.003,Code Signing Certificates,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,False,1 -172,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588.004,Digital Certificates,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,False,1 -173,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.001,Credentials In Files,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,False,1 -174,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.004,Private 
Keys,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,False,1 -175,,T1566,Phishing,['https://cloud.google.com/titan-security-key#section-3'],"['Multi-Factor Authentication', 'Identity']",,Titan Security Key,technique-scores,Protect,Significant,False,1 +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137.001,Office Template Macros,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +60,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Significant,,1 +61,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,,1 +62,,T1562,Impair Defenses,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +63,,T1562.007,Disable or Modify Cloud Firewall,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration 
Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +64,,T1562.007,Disable or Modify Cloud Firewall,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Partial,,1 +65,,T1562.008,Disable Cloud Logs,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +66,,T1087,Account Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,,1 +67,,T1087.004,Cloud Account,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +68,,T1087.004,Cloud Account,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,,1 +69,,T1613,Container and Resource Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +70,,T1552.007,Container API,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +71,,T1098,Account 
Manipulation,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +72,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +73,,T1078,Valid Accounts,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +74,,T1078.004,Cloud Accounts,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +75,,T1562.001,Disable or Modify Tools,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +76,,T1562.002,Disable Windows Event Logging,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +77,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1565,Data Manipulation,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +78,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1040,Network Sniffing,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio 
Go,technique-scores,Protect,Minimal,,1 +79,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1552,Unsecured Credentials,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Protect,Partial,,1 +80,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1110,Brute Force,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Protect,Partial,,1 +81,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1485,Data Destruction,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +82,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1486,Data Encrypted for Impact,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +83,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1491,Defacement,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +84,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1561,Disk Wipe,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +85,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1490,Inhibit System Recovery,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +86,,T1098,Account Manipulation,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +87,,T1098.001,Additional Cloud 
Credentials,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +88,,T1110,Brute Force,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +89,,T1110.001,Password Guessing,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +90,,T1110.002,Password Cracking,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +91,,T1078,Valid Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +92,,T1078.004,Cloud Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +93,,T1078.003,Local Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +94,,T1110.003,Password Spraying,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +95,,T1136,Create 
Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +96,,T1136.003,Cloud Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +97,,T1087,Account Discovery,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +98,,T1087.004,Cloud Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +99,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +100,,T1528,Steal Application Access Token,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +101,,T1550,Use Alternate Authentication Material,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +102,,T1550.001,Application Access Token,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +103,,T1562,Impair 
Defenses,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +104,,T1562.008,Disable Cloud Logs,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +105,,T1556,Modify Authentication Process,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +106,,T1087.002,Domain Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +107,,T1098.002,Exchange Email Delegate Permissions,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +108,,T1098.003,Add Office 365 Global Administrator Role,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +109,,T1098.004,SSH Authorized Keys,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +110,,T1136.001,Local Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 
+111,,T1136.002,Domain Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +112,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1552.007,Container API,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +113,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1525,Implant Internal Image,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +114,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1525,Implant Internal Image,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Detect,Partial,,1 +115,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1609,Container Administration Command,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +116,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1610,Deploy Container,['https://cloud.google.com/anthos-config-management/ '],"['Configuration 
Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +117,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1613,Container and Resource Discovery,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Significant,,1 +118,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1611,Escape to Host,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +119,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078,Valid Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +120,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078.001,Default Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +121,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078.004,Cloud Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 
+122,,T1566,Phishing,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,,1 +123,,T1598,Phishing for Information,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,,1 +124,,T1204.001,Malicious Link,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,,1 +125,,T1598.003,Spearphishing Link,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,,1 +126,,T1498,Network Denial of Service,['https://cloud.google.com/cdn/docs/overview'],"['Containers', 'Kubernetes', 'Logging']",,Cloud CDN,technique-scores,Protect,Partial,,1 +127,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1048,Exfiltration Over Alternative Protocol,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +128,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1567,Exfiltration Over Web Service,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +129,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1567.002,Exfiltration to Cloud Storage,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +130,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, 
periodical).",T1133,External Remote Services,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Partial,,1 +131,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1189,Drive-by Compromise,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Partial,,1 +132,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566.001,Spearphishing Attachment,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Minimal,,1 +133,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566,Phishing,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +134,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566,Phishing,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Significant,,1 +135,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1071.001,Web Protocols,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Significant,,1 
+136,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1530,Data from Cloud Storage Object,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +137,,T1110,Brute Force,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +138,,T1110.003,Password Spraying,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +139,,T1078,Valid Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +140,,T1078.004,Cloud Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +141,,T1110.001,Password Guessing,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +142,,T1110.002,Password Cracking,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +143,,T1110.004,Credential Stuffing,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +144,,T1078.002,Domain Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +145,,T1021.004,SSH,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud 
Identity,technique-scores,Detect,Minimal,,1 +146,,T1213.003,Code Repositories,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +147,,T1213,Data from Information Repositories,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +148,,T1133,External Remote Services,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Minimal,,1 +149,,T1090,Proxy,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,,1 +150,,T1190,Exploit Public-Facing Application,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,,1 +151,,T1498,Network Denial of Service,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,,1 +152,,T1499,Endpoint Denial of Service,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,,1 +153,,T1018,Remote System Discovery,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,,1 +154,,T1046,Network Service Scanning,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,,1 +155,,T1110,Brute Force,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Protect,Partial,,1 +156,,T1078,Valid Accounts,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Respond,Partial,,1 +157,,T1052.001,Exfiltration over USB,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint 
Management,technique-scores,Protect,Partial,,1 +158,,T1567.002,Exfiltration to Cloud Storage,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Protect,Partial,,1 +159,,T1040,Network Sniffing,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Significant,,1 +160,,T1557,Adversary-in-the-Middle,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Significant,,1 +161,,T1565,Data Manipulation,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,,1 +162,,T1565.002,Transmitted Data Manipulation,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,,1 +163,,T1557.002,ARP Cache Poisoning,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,,1 +164,,T1133,External Remote Services,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,,1 +165,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552,Unsecured Credentials,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,,1 +166,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.005,Cloud Instance Metadata API,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Significant,,1 +167,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588,Obtain 
Capabilities,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +168,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1553,Subvert Trust Controls,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Significant,,1 +169,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1555,Credentials from Password Stores,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +170,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1528,Steal Application Access Token,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +171,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588.003,Code Signing Certificates,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +172,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588.004,Digital Certificates,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +173,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.001,Credentials In Files,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,,1 +174,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.004,Private Keys,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,,1 +175,,T1566,Phishing,['https://cloud.google.com/titan-security-key#section-3'],"['Multi-Factor Authentication', 'Identity']",,Titan Security 
Key,technique-scores,Protect,Significant,,1 176,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1021.002,SMB/Windows Admin Shares,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1021.002,SMB/Windows Admin Shares,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 177,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1037,Boot or Logon Initialization Scripts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1037,Boot or Logon Initialization Scripts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 178,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
-Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1053.005,Scheduled Task,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1053.005,Scheduled Task,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 179,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218.005,Mshta,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218.005,Mshta,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 180,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1543.001,Launch Agent,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543.001,Launch Agent,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 181,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543.004,Launch Daemon,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543.004,Launch Daemon,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 182,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1546.001,Change Default File Association,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.001,Change Default File Association,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 183,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1547.001,Registry Run Keys / Startup Folder,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1547.001,Registry Run Keys / Startup Folder,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 184,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1547,Boot or Logon Autostart Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1547,Boot or Logon Autostart Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 185,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546,Event Triggered Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546,Event Triggered Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 186,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1543,Create or Modify System Process,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543,Create or Modify System Process,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 187,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1548.002,Bypass User Account Control,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1548.002,Bypass User Account Control,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 188,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1564.001,Hidden Files and Directories,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1564.001,Hidden Files and Directories,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 189,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1564,Hide Artifacts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1564,Hide Artifacts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 190,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1003.003,NTDS,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1003.003,NTDS,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 191,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1078,Valid Accounts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1078,Valid Accounts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 192,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1134.005,SID-History Injection,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1134.005,SID-History Injection,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 193,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1003,OS Credential Dumping,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1003,OS Credential Dumping,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 194,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1548,Abuse Elevation Control Mechanism,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1548,Abuse Elevation Control Mechanism,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 195,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1584.002,DNS Server,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1584.002,DNS Server,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 196,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1562.004,Disable or Modify System Firewall,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1562.004,Disable or Modify System Firewall,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 197,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1098.001,Additional Cloud Credentials,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1098.001,Additional Cloud Credentials,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 198,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1530,Data from Cloud Storage Object,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1530,Data from Cloud Storage Object,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 199,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.002,Clear Linux or Mac System Logs,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.002,Clear Linux or Mac System Logs,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 200,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1136.001,Local Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1136.001,Local Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 201,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1098,Account Manipulation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1098,Account Manipulation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 202,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1106,Native API,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1106,Native API,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 203,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1021.004,SSH,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1021.004,SSH,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 204,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1578,Modify Cloud Compute Infrastructure,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1578,Modify Cloud Compute Infrastructure,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 205,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1052.001,Exfiltration over USB,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1052.001,Exfiltration over USB,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 206,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1112,Modify Registry,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1112,Modify Registry,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 207,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1021,Remote Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1021,Remote Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 208,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1052,Exfiltration Over Physical Medium,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1052,Exfiltration Over Physical Medium,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 209,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1053,Scheduled Task/Job,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1053,Scheduled Task/Job,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 210,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1070,Indicator Removal on Host,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070,Indicator Removal on Host,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 211,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1134,Access Token Manipulation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1134,Access Token Manipulation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 212,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1218,Signed Binary Proxy Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218,Signed Binary Proxy Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 213,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1584,Compromise Infrastructure,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1584,Compromise Infrastructure,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 214,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1056,Input Capture,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1056,Input Capture,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 215,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1056.003,Web Portal Capture,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1056.003,Web Portal Capture,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 216,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1056.004,Credential API Hooking,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1056.004,Credential API Hooking,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 217,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1071.001,Web Protocols,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1071.001,Web Protocols,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 218,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1071,Application Layer Protocol,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1071,Application Layer Protocol,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 219,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1059,Command and Scripting Interpreter,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1059,Command and Scripting Interpreter,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 220,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1218.010,Regsvr32,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218.010,Regsvr32,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 221,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1059.003,Windows Command Shell,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1059.003,Windows Command Shell,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 222,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1082,System Information Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1082,System Information Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 223,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218.003,CMSTP,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218.003,CMSTP,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 224,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1018,Remote System Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1018,Remote System Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 225,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1552,Unsecured Credentials,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1552,Unsecured Credentials,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 226,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1486,Data Encrypted for Impact,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1486,Data Encrypted for Impact,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 227,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1204,User Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1204,User Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 228,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1036.005,Match Legitimate Name or Location,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1036.005,Match Legitimate Name or Location,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 229,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1027.004,Compile After Delivery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1027.004,Compile After Delivery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 230,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1127.001,MSBuild,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1127.001,MSBuild,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 231,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1127,Trusted Developer Utilities Proxy Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1127,Trusted Developer Utilities Proxy Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 232,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 233,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 234,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1036,Masquerading,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1036,Masquerading,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 235,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1055,Process Injection,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1055,Process Injection,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 236,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1210,Exploitation of Remote Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1210,Exploitation of Remote Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 237,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1037.003,Network Logon Script,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1037.003,Network Logon Script,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 238,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1212,Exploitation for Credential Access,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1212,Exploitation for Credential Access,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 239,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1505.003,Web Shell,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1505.003,Web Shell,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 240,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1059.007,JavaScript,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1059.007,JavaScript,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 241,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1560,Archive Collected Data,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1560,Archive Collected Data,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 242,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1203,Exploitation for Client Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1203,Exploitation for Client Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 243,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1132,Data Encoding,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1132,Data Encoding,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 244,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1132.001,Standard Encoding,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1132.001,Standard Encoding,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 245,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1195.002,Compromise Software Supply Chain,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1195.002,Compromise Software Supply Chain,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 246,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1195,Supply Chain Compromise,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1195,Supply Chain Compromise,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 247,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1072,Software Deployment Tools,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1072,Software Deployment Tools,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 248,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1546.007,Netsh Helper DLL,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.007,Netsh Helper DLL,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 249,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1505,Server Software Component,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1505,Server Software Component,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 250,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1574.007,Path Interception by PATH Environment Variable,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1574.007,Path Interception by PATH Environment Variable,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 251,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1574,Hijack Execution Flow,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1574,Hijack Execution Flow,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 252,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1087.004,Cloud Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1087.004,Cloud Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 253,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1087,Account Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1087,Account Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 254,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1070.004,File Deletion,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.004,File Deletion,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 255,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1020,Automated Exfiltration,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1020,Automated Exfiltration,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 256,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1041,Exfiltration Over C2 Channel,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1041,Exfiltration Over C2 Channel,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 257,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1011,Exfiltration Over Other Network Medium,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1011,Exfiltration Over Other Network Medium,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 258,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1027,Obfuscated Files or Information,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1027,Obfuscated Files or Information,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 259,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1484,Domain Policy Modification,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1484,Domain Policy Modification,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 260,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1136,Create Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1136,Create Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 261,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543.003,Windows Service,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543.003,Windows Service,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 262,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1070.006,Timestomp,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.006,Timestomp,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 263,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1003.001,LSASS Memory,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1003.001,LSASS Memory,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 264,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1137.001,Office Template Macros,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1137.001,Office Template Macros,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 265,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1137,Office Application Startup,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1137,Office Application Startup,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 266,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1057,Process Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1057,Process Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 267,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1016,System Network Configuration Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1016,System Network Configuration Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 268,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1049,System Network Connections Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1049,System Network Connections Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 269,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1033,System Owner/User Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1033,System Owner/User Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 270,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1588.002,Tool,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1588.002,Tool,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 271,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1588,Obtain Capabilities,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1588,Obtain Capabilities,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 272,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1070.001,Clear Windows Event Logs,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.001,Clear Windows Event Logs,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 273,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1569.002,Service Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1569.002,Service Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 274,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1569,System Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1569,System Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 275,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.008,Accessibility Features,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.008,Accessibility Features,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 276,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1048,Exfiltration Over Alternative Protocol,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1048,Exfiltration Over Alternative Protocol,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 277,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1105,Ingress Tool Transfer,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1105,Ingress Tool Transfer,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 278,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1495,Firmware Corruption,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1495,Firmware Corruption,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 279,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1497,Virtualization/Sandbox Evasion,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1497,Virtualization/Sandbox Evasion,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 280,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1202,Indirect Command Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1202,Indirect Command Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 281,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. -Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.003,Windows Management Instrumentation Event Subscription,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,False,1 -282,,T1199,Trusted Relationship,['https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview'],"['Auditing', 'Access Management']",,Access Transparency,technique-scores,Detect,Minimal,False,1 -283,,T1530,Data from Cloud Storage Object,['https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview'],"['Auditing', 'Access Management']",,Access Transparency,technique-scores,Detect,Minimal,False,1 -284,,T1542,Pre-OS Boot,['https://cloud.google.com/compute/shielded-vm/docs/shielded-vm'],['Vulnerability Management'],,Shielded VM,technique-scores,Protect,Significant,False,1 -285,,T1014,Rootkit,['https://cloud.google.com/compute/shielded-vm/docs/shielded-vm'],['Vulnerability Management'],,Shielded VM,technique-scores,Protect,Partial,False,1 -286,"Documentation is segmented into 
4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1008,Fallback Channels,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -287,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1018,Remote System Discovery,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -288,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1021,Remote Services,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -289,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1041,Exfiltration Over C2 Channel,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -290,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1046,Network Service Scanning,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -291,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1048,Exfiltration Over Alternative Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -292,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1071,Application Layer Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,False,1 -293,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1090,Proxy,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -294,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1095,Non-Application Layer Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,False,1 -295,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1104,Multi-Stage Channels,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -296,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1133,External Remote Services,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -297,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1187,Forced Authentication,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,False,1 -298,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1205,Traffic Signaling,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -299,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1219,Remote Access Software,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -300,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1498,Network Denial of Service,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Minimal,False,1 -301,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1499,Endpoint Denial of Service,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -302,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1530,Data from Cloud Storage Object,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -303,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1542,Pre-OS Boot,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Minimal,False,1 -304,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1571,Non-Standard Port,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,False,1 -305,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1572,Protocol Tunneling,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -306,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1590,Gather Victim Network Information,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 -307,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1595,Active Scanning,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,False,1 +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.003,Windows Management Instrumentation Event Subscription,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +282,,T1199,Trusted Relationship,['https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview'],"['Auditing', 'Access Management']",,Access Transparency,technique-scores,Detect,Minimal,,1 +283,,T1530,Data from Cloud Storage Object,['https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview'],"['Auditing', 'Access Management']",,Access Transparency,technique-scores,Detect,Minimal,,1 +284,,T1542,Pre-OS Boot,['https://cloud.google.com/compute/shielded-vm/docs/shielded-vm'],['Vulnerability Management'],,Shielded VM,technique-scores,Protect,Significant,,1 +285,,T1014,Rootkit,['https://cloud.google.com/compute/shielded-vm/docs/shielded-vm'],['Vulnerability Management'],,Shielded VM,technique-scores,Protect,Partial,,1 +286,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1008,Fallback Channels,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +287,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1018,Remote System Discovery,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +288,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1021,Remote Services,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +289,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1041,Exfiltration Over C2 Channel,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +290,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1046,Network Service Scanning,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +291,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1048,Exfiltration Over Alternative Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +292,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1071,Application Layer Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,,1 +293,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1090,Proxy,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +294,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1095,Non-Application Layer Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,,1 +295,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1104,Multi-Stage Channels,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +296,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1133,External Remote Services,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +297,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1187,Forced Authentication,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,,1 +298,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1205,Traffic Signaling,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +299,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1219,Remote Access Software,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +300,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1498,Network Denial of Service,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Minimal,,1 +301,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1499,Endpoint Denial of Service,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +302,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1530,Data from Cloud Storage Object,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +303,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1542,Pre-OS Boot,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Minimal,,1 +304,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1571,Non-Standard Port,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,,1 +305,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1572,Protocol Tunneling,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +306,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1590,Gather Victim Network Information,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +307,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1595,Active Scanning,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 308,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -546,7 +546,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1204.003,Malicious Image,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1204.003,Malicious Image,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 309,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -555,7 +555,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1525,Implant Internal Image,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1525,Implant Internal Image,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 310,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -564,7 +564,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1133,External Remote Services,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1133,External Remote Services,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 311,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -573,7 +573,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1505.003,Web Shell,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1505.003,Web Shell,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 312,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -582,7 +582,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1105,Ingress Tool Transfer,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1105,Ingress Tool Transfer,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 313,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -591,7 +591,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1059.004,Unix Shell,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1059.004,Unix Shell,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 314,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -600,7 +600,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1071.004,DNS,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1071.004,DNS,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 315,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -609,7 +609,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1110,Brute Force,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1110,Brute Force,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 316,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -618,7 +618,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1078.004,Cloud Accounts,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1078.004,Cloud Accounts,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 317,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -627,7 +627,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562,Impair Defenses,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562,Impair Defenses,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 318,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -636,7 +636,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1567,Exfiltration Over Web Service,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1567,Exfiltration Over Web Service,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 319,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -645,7 +645,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1567.002,Exfiltration to Cloud Storage,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1567.002,Exfiltration to Cloud Storage,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 320,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -654,7 +654,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1505.001,SQL Stored Procedures,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1505.001,SQL Stored Procedures,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 321,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -663,7 +663,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1098.001,Additional Cloud Credentials,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1098.001,Additional Cloud Credentials,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 322,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -672,7 +672,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562.007,Disable or Modify Cloud Firewall,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562.007,Disable or Modify Cloud Firewall,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 323,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -681,7 +681,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1589.001,Credentials,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1589.001,Credentials,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Significant,,1 324,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -690,7 +690,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1496,Resource Hijacking,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1496,Resource Hijacking,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 325,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -699,7 +699,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1213.003,Code Repositories,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1213.003,Code Repositories,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Significant,,1 326,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -708,7 +708,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1040,Network Sniffing,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Minimal,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1040,Network Sniffing,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Minimal,,1 327,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -717,7 +717,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 328,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -726,7 +726,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1078.001,Default Accounts,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1078.001,Default Accounts,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 329,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -735,7 +735,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1542,Pre-OS Boot,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1542,Pre-OS Boot,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 330,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -744,7 +744,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1542.003,Bootkit,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1542.003,Bootkit,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 331,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -753,7 +753,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1014,Rootkit,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1014,Rootkit,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 332,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -762,7 +762,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1070,Indicator Removal on Host,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1070,Indicator Removal on Host,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 333,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -771,7 +771,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1484,Domain Policy Modification,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1484,Domain Policy Modification,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 334,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -780,7 +780,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1136.003,Cloud Account,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1136.003,Cloud Account,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 335,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -789,7 +789,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562.008,Disable Cloud Logs,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562.008,Disable Cloud Logs,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 336,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -798,7 +798,7 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1578,Modify Cloud Compute Infrastructure,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1578,Modify Cloud Compute Infrastructure,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 337,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. 
@@ -807,98 +807,98 @@ To improve cyber-situational awareness and detection against various threats, SC Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. -Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1530,Data from Cloud Storage Object,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Partial,False,1 -338,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1530,Data from Cloud Storage Object,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Significant,False,1 -339,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1565.001,Stored Data Manipulation,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Significant,False,1 -340,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1588.004,Digital Certificates,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Partial,False,1 -341,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1588.003,Code Signing 
Certificates,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Partial,False,1 -342,,T1530,Data from Cloud Storage Object,['https://cloud.google.com/dlp/docs'],['Storage'],,Cloud Data Loss Prevention,technique-scores,Protect,Partial,False,1 -343,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1610,Deploy Container,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,False,1 -344,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1053.007,Container Orchestration Job,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,False,1 -345,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1612,Build Image on Host,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,False,1 -346,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1554,Compromise Client Software Binary,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,False,1 -347,Binary 
authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1525,Implant Internal Image,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,False,1 -348,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1036.001,Invalid Code Signature,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,False,1 -349,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1601,Modify System Image,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,False,1 -350,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1204.003,Malicious Image,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,False,1 -351,,T1098,Account Manipulation,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -352,,T1110,Brute Force,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -353,,T1136,Create 
Account,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -354,,T1530,Data from Cloud Storage Object,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -355,,T1114,Email Collection,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -356,,T1133,External Remote Services,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -357,,T1556,Modify Authentication Process,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -358,,T1021,Remote Services,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -359,,T1078.002,Domain Accounts,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -360,,T1078.004,Cloud Accounts,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -361,,T1110.001,Password Guessing,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -362,,T1110.002,Password Cracking,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 
'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -363,,T1110.003,Password Spraying,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -364,,T1110.004,Credential Stuffing,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,False,1 -365,,T1528,Steal Application Access Token,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,False,1 -366,,T1555,Credentials from Password Stores,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,False,1 -367,,T1552,Unsecured Credentials,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,False,1 -368,,T1040,Network Sniffing,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Minimal,False,1 -369,,T1590,Gather Victim Network Information,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -370,,T1590.004,Network Topology,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -371,,T1590.005,IP Addresses,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -372,,T1046,Network Service Scanning,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -373,,T1135,Network Share 
Discovery,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -374,,T1595,Active Scanning,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -375,,T1595.001,Scanning IP Blocks,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -376,,T1098,Account Manipulation,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -377,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Partial,False,1 -378,,T1557,Adversary-in-the-Middle,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Partial,False,1 -379,,T1602,Data from Configuration Repository,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -380,,T1190,Exploit Public-Facing Application,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -381,,T1552.007,Container API,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -382,,T1018,Remote System Discovery,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,False,1 -383,,T1570,Lateral Tool 
Transfer,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Minimal,False,1 -384,Similar to Azure Role based access control and Azure policy ,T1087.004,Cloud Account,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -385,Similar to Azure Role based access control and Azure policy ,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Minimal,False,1 -386,Similar to Azure Role based access control and Azure policy ,T1530,Data from Cloud Storage Object,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -387,Similar to Azure Role based access control and Azure policy ,T1530,Data from Cloud Storage Object,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,False,1 -388,Similar to Azure Role based access control and Azure policy ,T1538,Cloud Service Dashboard,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -389,Similar to Azure Role based access control and Azure policy ,T1578,Modify Cloud Compute Infrastructure,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -390,Similar to Azure Role based access control and Azure policy ,T1548.002,Bypass 
User Account Control,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -391,Similar to Azure Role based access control and Azure policy ,T1068,Exploitation for Privilege Escalation,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -392,Similar to Azure Role based access control and Azure policy ,T1562,Impair Defenses,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -393,Similar to Azure Role based access control and Azure policy ,T1078.004,Cloud Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -394,Similar to Azure Role based access control and Azure policy ,T1078.004,Cloud Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,False,1 -395,Similar to Azure Role based access control and Azure policy ,T1562.008,Disable Cloud Logs,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,False,1 -396,Similar to Azure Role based access control and Azure policy ,T1212,Exploitation for Credential Access,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -397,Similar to Azure Role based access control and Azure 
policy ,T1078,Valid Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -398,Similar to Azure Role based access control and Azure policy ,T1087,Account Discovery,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -399,Similar to Azure Role based access control and Azure policy ,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -400,Similar to Azure Role based access control and Azure policy ,T1098,Account Manipulation,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -401,Similar to Azure Role based access control and Azure policy ,T1222,File and Directory Permissions Modification,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,False,1 -402,,T1078.004,Cloud Accounts,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Protect,Partial,False,1 -403,,T1110.004,Credential Stuffing,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Detect,Significant,False,1 -404,,T1136.003,Cloud Account,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Protect,Partial,False,1 -405,,T1078,Valid 
Accounts,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,False,1 -406,,T1537,Transfer Data to Cloud Account,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,False,1 -407,,T1530,Data from Cloud Storage Object,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,False,1 -408,,T1567,Exfiltration Over Web Service,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Partial,False,1 -409,,T1619,Cloud Storage Object Discovery,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Partial,False,1 -410,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1098,Account Manipulation,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,False,1 -411,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1098.001,Additional Cloud Credentials,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,False,1 -412,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and 
Access Management.",T1069,Permission Groups Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,False,1 -413,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1069.003,Cloud Groups,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,False,1 -414,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078,Valid Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,False,1 -415,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078,Valid Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Detect,Partial,False,1 -416,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078.004,Cloud Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,False,1 -417,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1087.004,Cloud Account,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access 
Control']",,Identity and Access Management,technique-scores,Protect,Partial,False,1 -418,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1087,Account Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,False,1 -419,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1613,Container and Resource Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,False,1 -420,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1068,Exploitation for Privilege Escalation,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,False,1 -421,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1190,Exploit Public-Facing Application,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,False,1 -422,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1203,Exploitation for Client Execution,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,False,1 -423,This mapping was 
scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1210,Exploitation of Remote Services,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,False,1 -424,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1211,Exploitation for Defense Evasion,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,False,1 -425,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1212,Exploitation for Credential Access,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,False,1 -426,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1072,Software Deployment Tools,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,False,1 -427,Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1078,Valid Accounts,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,False,1 -428,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,False,1 -429,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1525,Implant Internal Image,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,False,1 -430,Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1610,Deploy Container,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,False,1 -431,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1212,Exploitation for Credential Access,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Detect,Partial,False,1 +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1530,Data from Cloud Storage Object,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Partial,,1 +338,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1530,Data from Cloud Storage Object,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Significant,,1 +339,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1565.001,Stored Data Manipulation,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data 
Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Significant,,1 +340,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1588.004,Digital Certificates,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Partial,,1 +341,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1588.003,Code Signing Certificates,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Partial,,1 +342,,T1530,Data from Cloud Storage Object,['https://cloud.google.com/dlp/docs'],['Storage'],,Cloud Data Loss Prevention,technique-scores,Protect,Partial,,1 +343,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1610,Deploy Container,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +344,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1053.007,Container Orchestration Job,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +345,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1612,Build Image on 
Host,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +346,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1554,Compromise Client Software Binary,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +347,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1525,Implant Internal Image,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +348,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1036.001,Invalid Code Signature,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +349,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1601,Modify System Image,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +350,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1204.003,Malicious 
Image,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +351,,T1098,Account Manipulation,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +352,,T1110,Brute Force,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +353,,T1136,Create Account,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +354,,T1530,Data from Cloud Storage Object,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +355,,T1114,Email Collection,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +356,,T1133,External Remote Services,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +357,,T1556,Modify Authentication Process,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +358,,T1021,Remote Services,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +359,,T1078.002,Domain Accounts,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 
+360,,T1078.004,Cloud Accounts,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +361,,T1110.001,Password Guessing,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +362,,T1110.002,Password Cracking,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +363,,T1110.003,Password Spraying,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +364,,T1110.004,Credential Stuffing,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +365,,T1528,Steal Application Access Token,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,,1 +366,,T1555,Credentials from Password Stores,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,,1 +367,,T1552,Unsecured Credentials,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,,1 +368,,T1040,Network Sniffing,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Minimal,,1 +369,,T1590,Gather Victim Network Information,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +370,,T1590.004,Network Topology,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private 
Cloud,technique-scores,Protect,Significant,,1 +371,,T1590.005,IP Addresses,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +372,,T1046,Network Service Scanning,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +373,,T1135,Network Share Discovery,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +374,,T1595,Active Scanning,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +375,,T1595.001,Scanning IP Blocks,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +376,,T1098,Account Manipulation,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +377,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Partial,,1 +378,,T1557,Adversary-in-the-Middle,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Partial,,1 +379,,T1602,Data from Configuration Repository,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +380,,T1190,Exploit Public-Facing Application,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 
+381,,T1552.007,Container API,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +382,,T1018,Remote System Discovery,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +383,,T1570,Lateral Tool Transfer,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Minimal,,1 +384,Similar to Azure Role based access control and Azure policy ,T1087.004,Cloud Account,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +385,Similar to Azure Role based access control and Azure policy ,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Minimal,,1 +386,Similar to Azure Role based access control and Azure policy ,T1530,Data from Cloud Storage Object,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +387,Similar to Azure Role based access control and Azure policy ,T1530,Data from Cloud Storage Object,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,,1 +388,Similar to Azure Role based access control and Azure policy ,T1538,Cloud Service Dashboard,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 
+389,Similar to Azure Role based access control and Azure policy ,T1578,Modify Cloud Compute Infrastructure,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +390,Similar to Azure Role based access control and Azure policy ,T1548.002,Bypass User Account Control,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +391,Similar to Azure Role based access control and Azure policy ,T1068,Exploitation for Privilege Escalation,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +392,Similar to Azure Role based access control and Azure policy ,T1562,Impair Defenses,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +393,Similar to Azure Role based access control and Azure policy ,T1078.004,Cloud Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +394,Similar to Azure Role based access control and Azure policy ,T1078.004,Cloud Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,,1 +395,Similar to Azure Role based access control and Azure policy ,T1562.008,Disable Cloud Logs,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,,1 +396,Similar 
to Azure Role based access control and Azure policy ,T1212,Exploitation for Credential Access,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +397,Similar to Azure Role based access control and Azure policy ,T1078,Valid Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +398,Similar to Azure Role based access control and Azure policy ,T1087,Account Discovery,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +399,Similar to Azure Role based access control and Azure policy ,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +400,Similar to Azure Role based access control and Azure policy ,T1098,Account Manipulation,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +401,Similar to Azure Role based access control and Azure policy ,T1222,File and Directory Permissions Modification,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +402,,T1078.004,Cloud Accounts,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Protect,Partial,,1 +403,,T1110.004,Credential Stuffing,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor 
Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Detect,Significant,,1 +404,,T1136.003,Cloud Account,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Protect,Partial,,1 +405,,T1078,Valid Accounts,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,,1 +406,,T1537,Transfer Data to Cloud Account,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,,1 +407,,T1530,Data from Cloud Storage Object,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,,1 +408,,T1567,Exfiltration Over Web Service,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Partial,,1 +409,,T1619,Cloud Storage Object Discovery,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Partial,,1 +410,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1098,Account Manipulation,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +411,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1098.001,Additional Cloud Credentials,['https://cloud.google.com/iam'],"['Identity', 
'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +412,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1069,Permission Groups Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,,1 +413,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1069.003,Cloud Groups,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,,1 +414,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078,Valid Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +415,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078,Valid Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Detect,Partial,,1 +416,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078.004,Cloud Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +417,"Similar to Azure AD for Managed Identities, 
Azure Role Based Access Control, AWS Identity and Access Management.",T1087.004,Cloud Account,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +418,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1087,Account Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,,1 +419,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1613,Container and Resource Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,,1 +420,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1068,Exploitation for Privilege Escalation,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +421,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1190,Exploit Public-Facing Application,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +422,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1203,Exploitation for Client 
Execution,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +423,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1210,Exploitation of Remote Services,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +424,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1211,Exploitation for Defense Evasion,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +425,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1212,Exploitation for Credential Access,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +426,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1072,Software Deployment Tools,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +427,Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1078,Valid Accounts,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,,1 +428,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,,1 +429,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1525,Implant Internal Image,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,,1 +430,Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1610,Deploy Container,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,,1 +431,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1212,Exploitation for Credential Access,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Detect,Partial,,1 diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_attack_objects.csv new file mode 100644 index 00000000..244e85ab --- /dev/null +++ b/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_attack_objects.csv 
@@ -0,0 +1,904 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,score-category,score-value,related-score,metadata-key +0,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566,Phishing,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,,1 +1,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566.001,Spearphishing Attachment,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Partial,,1 +2,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1059,Command and Scripting Interpreter,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,,1 +3,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., 
real-time).",T1598.003,Spearphishing Link,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,,1 +4,"This mapping was scored as significant due to the control’s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).",T1566.002,Spearphishing Link,"['https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage', 'https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information', 'https://assets.virustotal.com/vt-360-outcomes.pdf']","['Antivirus', 'Antimalware', 'Malware']",,Virus Total,technique-scores,Protect,Significant,,1 +5,,T1565.003,Runtime Data Manipulation,['https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features'],['Encryption'],,Confidential VM and Compute Engine,technique-scores,Protect,Significant,,1 +6,This control provides a secure alternative to storing encryption keys in the file system.,T1552,Unsecured Credentials,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +7,This control provides a secure alternative to storing encryption keys in the file system.,T1553,Subvert Trust Controls,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +8,This control provides a secure alternative to storing encryption keys in the file system.,T1588.003,Code Signing Certificates,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +9,This 
control provides a secure alternative to storing encryption keys in the file system.,T1588.004,Digital Certificates,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +10,This control provides a secure alternative to storing encryption keys in the file system.,T1552.004,Private Keys,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +11,This control provides a secure alternative to storing encryption keys in the file system.,T1552.001,Credentials In Files,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +12,This control provides a secure alternative to storing encryption keys in the file system.,T1588,Obtain Capabilities,['https://cloud.google.com/kms/docs/hsm'],"['Encryption', 'Data Security']",,Cloud Hardware Security Module (HSM),technique-scores,Protect,Partial,,1 +13,,T1040,Network Sniffing,['https://cloud.google.com/certificate-authority-service/docs'],"['Certificate Service', 'Network']",,Certificate Authority Service,technique-scores,Protect,Minimal,,1 +14,,T1098,Account Manipulation,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,,1 +15,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,,1 +16,,T1078,Valid Accounts,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset Inventory,technique-scores,Detect,Partial,,1 +17,,T1078.004,Cloud Accounts,['https://cloud.google.com/asset-inventory/docs/overview'],"['Credentials', 'Access Management']",,Cloud Asset 
Inventory,technique-scores,Detect,Partial,,1 +18,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1550.001,Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Minimal,,1 +19,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1528,Steal Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Minimal,,1 +20,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1528,Steal Application Access Token,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Detect,Partial,,1 +21,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Detect,Minimal,,1 +22,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1078,Valid Accounts,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,,1 +23,This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1078.004,Cloud Accounts,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,,1 +24,This mapping was scored as Partial due the 
control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework.,T1190,Exploit Public-Facing Application,['https://cloud.google.com/iap'],"['Identity', 'Credentials']",,Identity Aware Proxy,technique-scores,Protect,Partial,,1 +25,This control may provide information about software vulnerabilities in the environment. ,T1190,Exploit Public-Facing Application,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +26,This control may provide information about software vulnerabilities in the environment. ,T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +27,This control may provide information about software vulnerabilities in the environment. ,T1203,Exploitation for Client Execution,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +28,This control may provide information about software vulnerabilities in the environment. ,T1210,Exploitation of Remote Services,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +29,This control may provide information about software vulnerabilities in the environment. 
,T1525,Implant Internal Image,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +30,This control may provide information about software vulnerabilities in the environment. ,T1610,Deploy Container,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +31,This control may provide information about software vulnerabilities in the environment. ,T1072,Software Deployment Tools,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Minimal,,1 +32,This control may provide information about software vulnerabilities in the environment. ,T1211,Exploitation for Defense Evasion,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Protect,Partial,,1 +33,This control may provide information about software vulnerabilities in the environment. 
,T1212,Exploitation for Credential Access,"['https://cloud.google.com/container-analysis/docs/container-analysis', 'https://cloud.google.com/container-analysis/docs/container-scanning-overview']","['Containers', 'Vulnerability Analysis', 'OS Security']",,Artifact Registry,technique-scores,Detect,Significant,,1 +34,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1613,Container and Resource Discovery,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +35,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1611,Escape to Host,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +36,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1611,Escape to Host,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Detect,Partial,,1 +37,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1610,Deploy Container,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes 
Engine,technique-scores,Protect,Partial,,1 +38,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1053.007,Container Orchestration Job,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +39,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1609,Container Administration Command,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Protect,Partial,,1 +40,This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.,T1525,Implant Internal Image,"['https://cloud.google.com/kubernetes-engine/docs/concepts/access-control', 'https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks']","['Kubernetes', 'Containers']",,Google Kubernetes Engine,technique-scores,Detect,Partial,,1 +41,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137,Office Application Startup,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +42,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1546.006,LC_LOAD_DYLIB Addition,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +43,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1204.002,Malicious File,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +44,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1055.002,Portable Executable Injection,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +45,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1221,Template Injection,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +46,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1505.003,Web Shell,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +47,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1204.003,Malicious Image,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +48,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1048,Exfiltration Over Alternative Protocol,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +49,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1041,Exfiltration Over C2 Channel,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +50,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1567,Exfiltration Over Web Service,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +51,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1567.002,Exfiltration to Cloud Storage,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +52,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1020,Automated Exfiltration,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +53,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1110,Brute Force,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +54,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1499,Endpoint Denial of Service,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +55,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1499.003,Application Exhaustion Flood,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +56,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +57,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1566.002,Spearphishing Link,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +58,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). +The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137.006,Add-ins,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +59,"This mapping was scored as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+The cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.",T1137.001,Office Template Macros,"['https://cloud.google.com/intrusion-detection-system', 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']","['Cloud IDS', 'Intrusion Detection Service (IDS)', ""Palo Alto Network's Threat Signatures"", 'Analytics']",,Cloud IDS,technique-scores,Detect,Significant,,1 +60,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Significant,,1 +61,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,,1 +62,,T1562,Impair Defenses,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +63,,T1562.007,Disable or Modify Cloud Firewall,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +64,,T1562.007,Disable or Modify Cloud Firewall,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration 
Management']",,ResourceManager,technique-scores,Detect,Partial,,1 +65,,T1562.008,Disable Cloud Logs,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +66,,T1087,Account Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,,1 +67,,T1087.004,Cloud Account,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +68,,T1087.004,Cloud Account,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Detect,Minimal,,1 +69,,T1613,Container and Resource Discovery,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +70,,T1552.007,Container API,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +71,,T1098,Account Manipulation,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +72,,T1098.001,Additional Cloud 
Credentials,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +73,,T1078,Valid Accounts,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +74,,T1078.004,Cloud Accounts,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Minimal,,1 +75,,T1562.001,Disable or Modify Tools,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +76,,T1562.002,Disable Windows Event Logging,['https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'],"['Identity', 'Access Management', 'Credentials', 'Network', 'Configuration Management']",,ResourceManager,technique-scores,Protect,Partial,,1 +77,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1565,Data Manipulation,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +78,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1040,Network Sniffing,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Protect,Minimal,,1 +79,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1552,Unsecured Credentials,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio 
Go,technique-scores,Protect,Partial,,1 +80,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1110,Brute Force,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Protect,Partial,,1 +81,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1485,Data Destruction,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +82,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1486,Data Encrypted for Impact,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +83,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1491,Defacement,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +84,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1561,Disk Wipe,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +85,This mapping was scored as significant due to the control’s notable remediation capabilities.,T1490,Inhibit System Recovery,['https://www.actifio.com/solutions/cloud/google/'],['Storage'],,Actifio Go,technique-scores,Respond,Significant,,1 +86,,T1098,Account Manipulation,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +87,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +88,,T1110,Brute 
Force,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +89,,T1110.001,Password Guessing,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +90,,T1110.002,Password Cracking,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +91,,T1078,Valid Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +92,,T1078.004,Cloud Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +93,,T1078.003,Local Accounts,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +94,,T1110.003,Password Spraying,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +95,,T1136,Create Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +96,,T1136.003,Cloud 
Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +97,,T1087,Account Discovery,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +98,,T1087.004,Cloud Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +99,,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +100,,T1528,Steal Application Access Token,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +101,,T1550,Use Alternate Authentication Material,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +102,,T1550.001,Application Access Token,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +103,,T1562,Impair Defenses,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +104,,T1562.008,Disable Cloud 
Logs,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +105,,T1556,Modify Authentication Process,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Minimal,,1 +106,,T1087.002,Domain Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Partial,,1 +107,,T1098.002,Exchange Email Delegate Permissions,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +108,,T1098.003,Add Office 365 Global Administrator Role,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +109,,T1098.004,SSH Authorized Keys,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +110,,T1136.001,Local Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +111,,T1136.002,Domain Account,['https://cloud.google.com/identity-platform/docs/concepts'],"['Identity', 'Multi-Factor Authentication', 'Passwords', 'Credentials', 'Access Management']",,IdentityPlatform,technique-scores,Protect,Significant,,1 +112,"Based on 
the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1552.007,Container API,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +113,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1525,Implant Internal Image,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +114,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1525,Implant Internal Image,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Detect,Partial,,1 +115,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1609,Container Administration Command,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +116,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1610,Deploy Container,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +117,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as 
partial.",T1613,Container and Resource Discovery,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Significant,,1 +118,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1611,Escape to Host,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +119,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078,Valid Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +120,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078.001,Default Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +121,"Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.",T1078.004,Cloud Accounts,['https://cloud.google.com/anthos-config-management/ '],"['Configuration Management', 'Containers', 'Policy']",,AnthosConfigManagement,technique-scores,Protect,Partial,,1 +122,,T1566,Phishing,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,,1 +123,,T1598,Phishing for Information,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,,1 +124,,T1204.001,Malicious 
Link,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,,1 +125,,T1598.003,Spearphishing Link,['https://cloud.google.com/web-risk/docs/overview'],['Network'],,Web Risk,technique-scores,Protect,Partial,,1 +126,,T1498,Network Denial of Service,['https://cloud.google.com/cdn/docs/overview'],"['Containers', 'Kubernetes', 'Logging']",,Cloud CDN,technique-scores,Protect,Partial,,1 +127,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1048,Exfiltration Over Alternative Protocol,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +128,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1567,Exfiltration Over Web Service,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +129,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1567.002,Exfiltration to Cloud Storage,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +130,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1133,External Remote Services,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Partial,,1 +131,"This solution was rated as significant due to the control’s high threat 
protection coverage and temporal factors (e.g., real-time, periodical).",T1189,Drive-by Compromise,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Partial,,1 +132,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566.001,Spearphishing Attachment,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Minimal,,1 +133,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566,Phishing,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +134,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1566,Phishing,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Significant,,1 +135,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1071.001,Web Protocols,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss Prevention']",,BeyondCorp Enterprise,technique-scores,Detect,Significant,,1 +136,"This solution was rated as significant due to the control’s high threat protection coverage and temporal factors (e.g., real-time, periodical).",T1530,Data from Cloud Storage Object,['https://cloud.google.com/beyondcorp-enterprise/docs/overview'],"['Access Control Policies', 'Data Loss 
Prevention']",,BeyondCorp Enterprise,technique-scores,Protect,Significant,,1 +137,,T1110,Brute Force,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +138,,T1110.003,Password Spraying,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +139,,T1078,Valid Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +140,,T1078.004,Cloud Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +141,,T1110.001,Password Guessing,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +142,,T1110.002,Password Cracking,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +143,,T1110.004,Credential Stuffing,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Significant,,1 +144,,T1078.002,Domain Accounts,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +145,,T1021.004,SSH,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Detect,Minimal,,1 +146,,T1213.003,Code Repositories,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +147,,T1213,Data from Information 
Repositories,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Partial,,1 +148,,T1133,External Remote Services,['https://cloud.google.com/identity'],"['Identity', 'Multi-Factor Authentication', 'Credentials']",,Cloud Identity,technique-scores,Protect,Minimal,,1 +149,,T1090,Proxy,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,,1 +150,,T1190,Exploit Public-Facing Application,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,,1 +151,,T1498,Network Denial of Service,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,,1 +152,,T1499,Endpoint Denial of Service,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Significant,,1 +153,,T1018,Remote System Discovery,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,,1 +154,,T1046,Network Service Scanning,['https://cloud.google.com/armor'],"['Network', 'Firewall']",,Cloud Armor,technique-scores,Protect,Partial,,1 +155,,T1110,Brute Force,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Protect,Partial,,1 +156,,T1078,Valid Accounts,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Respond,Partial,,1 +157,,T1052.001,Exfiltration over USB,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Protect,Partial,,1 +158,,T1567.002,Exfiltration to Cloud Storage,['https://support.google.com/a/answer/1734200?hl=en'],"['Identity', 'Patch Management']",,Endpoint Management,technique-scores,Protect,Partial,,1 +159,,T1040,Network 
Sniffing,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Significant,,1 +160,,T1557,Adversary-in-the-Middle,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Significant,,1 +161,,T1565,Data Manipulation,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,,1 +162,,T1565.002,Transmitted Data Manipulation,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,,1 +163,,T1557.002,ARP Cache Poisoning,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,,1 +164,,T1133,External Remote Services,['https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview'],"['Network', 'Encryption']",,CloudVPN,technique-scores,Protect,Partial,,1 +165,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552,Unsecured Credentials,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,,1 +166,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.005,Cloud Instance Metadata API,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Significant,,1 +167,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588,Obtain Capabilities,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +168,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1553,Subvert Trust 
Controls,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Significant,,1 +169,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1555,Credentials from Password Stores,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +170,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1528,Steal Application Access Token,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +171,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588.003,Code Signing Certificates,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +172,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1588.004,Digital Certificates,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Partial,,1 +173,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.001,Credentials In Files,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,,1 +174,"Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.",T1552.004,Private Keys,['https://cloud.google.com/security-key-management'],['Credentials'],,Cloud Key Management,technique-scores,Protect,Minimal,,1 +175,,T1566,Phishing,['https://cloud.google.com/titan-security-key#section-3'],"['Multi-Factor Authentication', 'Identity']",,Titan Security Key,technique-scores,Protect,Significant,,1 +176,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1021.002,SMB/Windows Admin Shares,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +177,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1037,Boot or Logon Initialization Scripts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +178,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1053.005,Scheduled Task,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +179,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1218.005,Mshta,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +180,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543.001,Launch Agent,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +181,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543.004,Launch Daemon,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +182,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.001,Change Default File Association,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +183,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1547.001,Registry Run Keys / Startup Folder,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +184,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1547,Boot or Logon Autostart Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +185,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546,Event Triggered Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +186,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1543,Create or Modify System Process,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +187,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1548.002,Bypass User Account Control,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +188,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1564.001,Hidden Files and Directories,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +189,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1564,Hide Artifacts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +190,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1003.003,NTDS,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +191,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1078,Valid Accounts,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +192,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1134.005,SID-History Injection,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +193,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1003,OS Credential Dumping,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +194,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1548,Abuse Elevation Control Mechanism,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +195,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1584.002,DNS Server,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +196,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1562.004,Disable or Modify System Firewall,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +197,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1098.001,Additional Cloud Credentials,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +198,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1530,Data from Cloud Storage Object,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +199,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.002,Clear Linux or Mac System Logs,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +200,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1136.001,Local Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +201,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1098,Account Manipulation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +202,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1106,Native API,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +203,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1021.004,SSH,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +204,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1578,Modify Cloud Compute Infrastructure,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +205,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1052.001,Exfiltration over USB,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +206,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1112,Modify Registry,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +207,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1021,Remote Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +208,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1052,Exfiltration Over Physical Medium,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +209,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1053,Scheduled Task/Job,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +210,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070,Indicator Removal on Host,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +211,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1134,Access Token Manipulation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +212,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218,Signed Binary Proxy Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +213,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1584,Compromise Infrastructure,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +214,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1056,Input Capture,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +215,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1056.003,Web Portal Capture,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +216,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1056.004,Credential API Hooking,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +217,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1071.001,Web Protocols,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +218,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1071,Application Layer Protocol,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +219,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1059,Command and Scripting Interpreter,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +220,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218.010,Regsvr32,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +221,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1059.003,Windows Command Shell,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +222,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1082,System Information Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +223,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1218.003,CMSTP,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +224,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1018,Remote System Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +225,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1552,Unsecured Credentials,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +226,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1486,Data Encrypted for Impact,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +227,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1204,User Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +228,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1036.005,Match Legitimate Name or Location,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +229,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1027.004,Compile After Delivery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +230,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1127.001,MSBuild,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +231,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1127,Trusted Developer Utilities Proxy Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +232,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +233,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +234,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1036,Masquerading,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +235,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1055,Process Injection,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +236,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1210,Exploitation of Remote Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +237,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1037.003,Network Logon Script,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +238,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1212,Exploitation for Credential Access,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +239,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1505.003,Web Shell,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +240,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1059.007,JavaScript,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +241,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1560,Archive Collected Data,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +242,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1203,Exploitation for Client Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +243,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1132,Data Encoding,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +244,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1132.001,Standard Encoding,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +245,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1195.002,Compromise Software Supply Chain,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +246,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1195,Supply Chain Compromise,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +247,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1072,Software Deployment Tools,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +248,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.007,Netsh Helper DLL,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +249,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1505,Server Software Component,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +250,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1574.007,Path Interception by PATH Environment Variable,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +251,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1574,Hijack Execution Flow,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +252,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1087.004,Cloud Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +253,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1087,Account Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +254,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.004,File Deletion,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +255,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1020,Automated Exfiltration,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +256,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1041,Exfiltration Over C2 Channel,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +257,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1011,Exfiltration Over Other Network Medium,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +258,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1027,Obfuscated Files or Information,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +259,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1484,Domain Policy Modification,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +260,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1136,Create Account,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +261,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1543.003,Windows Service,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +262,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.006,Timestomp,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +263,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1003.001,LSASS Memory,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +264,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1137.001,Office Template Macros,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +265,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1137,Office Application Startup,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +266,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1057,Process Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +267,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1016,System Network Configuration Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +268,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1049,System Network Connections Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +269,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1033,System Owner/User Discovery,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +270,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1588.002,Tool,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +271,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1588,Obtain Capabilities,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +272,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1070.001,Clear Windows Event Logs,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +273,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1569.002,Service Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +274,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1569,System Services,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +275,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.008,Accessibility Features,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +276,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1048,Exfiltration Over Alternative Protocol,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +277,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
",T1105,Ingress Tool Transfer,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +278,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1495,Firmware Corruption,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +279,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1497,Virtualization/Sandbox Evasion,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +280,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. + +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1202,Indirect Command Execution,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +281,"This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE’s ATT&CK framework. 
+ +Chronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ",T1546.003,Windows Management Instrumentation Event Subscription,"['https://cloud.google.com/chronicle/docs/overview', 'https://github.com/chronicle/detection-rules']","['SIEM', 'Chronicle', 'Threat Detection', 'Analytics']",,Chronicle,technique-scores,Detect,Minimal,,1 +282,,T1199,Trusted Relationship,['https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview'],"['Auditing', 'Access Management']",,Access Transparency,technique-scores,Detect,Minimal,,1 +283,,T1530,Data from Cloud Storage Object,['https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview'],"['Auditing', 'Access Management']",,Access Transparency,technique-scores,Detect,Minimal,,1 +284,,T1542,Pre-OS Boot,['https://cloud.google.com/compute/shielded-vm/docs/shielded-vm'],['Vulnerability Management'],,Shielded VM,technique-scores,Protect,Significant,,1 +285,,T1014,Rootkit,['https://cloud.google.com/compute/shielded-vm/docs/shielded-vm'],['Vulnerability Management'],,Shielded VM,technique-scores,Protect,Partial,,1 +286,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1008,Fallback Channels,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +287,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. 
These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1018,Remote System Discovery,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +288,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1021,Remote Services,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +289,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1041,Exfiltration Over C2 Channel,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +290,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1046,Network Service Scanning,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +291,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1048,Exfiltration Over Alternative Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +292,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1071,Application Layer Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,,1 +293,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1090,Proxy,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +294,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1095,Non-Application Layer Protocol,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,,1 +295,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1104,Multi-Stage Channels,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +296,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1133,External Remote Services,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +297,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1187,Forced Authentication,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,,1 +298,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1205,Traffic Signaling,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +299,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1219,Remote Access Software,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +300,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1498,Network Denial of Service,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Minimal,,1 +301,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1499,Endpoint Denial of Service,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +302,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1530,Data from Cloud Storage Object,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +303,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1542,Pre-OS Boot,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Minimal,,1 +304,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1571,Non-Standard Port,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Significant,,1 +305,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1572,Protocol Tunneling,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +306,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1590,Gather Victim Network Information,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +307,"Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the ""Firewalls"" control, or the parent control under which its documented.",T1595,Active Scanning,['https://cloud.google.com/firewalls'],"['Firewall', 'Logging', 'Network']",,Firewalls,technique-scores,Protect,Partial,,1 +308,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. 
SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1204.003,Malicious Image,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +309,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. 
+ +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1525,Implant Internal Image,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +310,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1133,External Remote Services,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +311,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1505.003,Web Shell,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +312,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1105,Ingress Tool Transfer,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +313,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1059.004,Unix Shell,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +314,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1071.004,DNS,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +315,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1110,Brute Force,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +316,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1078.004,Cloud Accounts,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +317,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562,Impair Defenses,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +318,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1567,Exfiltration Over Web Service,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +319,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1567.002,Exfiltration to Cloud Storage,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +320,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1505.001,SQL Stored Procedures,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +321,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1098.001,Additional Cloud Credentials,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +322,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562.007,Disable or Modify Cloud Firewall,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +323,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1589.001,Credentials,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Significant,,1 +324,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1496,Resource Hijacking,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +325,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1213.003,Code Repositories,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Significant,,1 +326,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1040,Network Sniffing,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Protect,Minimal,,1 +327,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1190,Exploit Public-Facing Application,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +328,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1078.001,Default Accounts,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +329,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1542,Pre-OS Boot,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +330,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1542.003,Bootkit,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +331,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1014,Rootkit,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +332,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1070,Indicator Removal on Host,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +333,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1484,Domain Policy Modification,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +334,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1136.003,Cloud Account,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +335,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). 
+ +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1562.008,Disable Cloud Logs,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +336,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub. + +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1578,Modify Cloud Compute Infrastructure,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Significant,,1 +337,"This mapping was rated as significant due to the control’s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). + +SCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. + +To improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS). + +Further automated response functionality can be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. 
+ +Reference: https://github.com/GoogleCloudPlatform/security-response-automation ",T1530,Data from Cloud Storage Object,"['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview', 'https://github.com/GoogleCloudPlatform/security-analytics']","['Analytics', 'Security Command Center', 'Vulnerability Management']",,Security Command Center,technique-scores,Detect,Partial,,1 +338,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1530,Data from Cloud Storage Object,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Significant,,1 +339,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1565.001,Stored Data Manipulation,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Significant,,1 +340,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1588.004,Digital Certificates,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Partial,,1 +341,There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.,T1588.003,Code Signing Certificates,"['https://cloud.google.com/storage/docs/encryption', 'https://cloud.google.com/storage']","['Storage', 'Data Security', 'Encryption', 'Credentials']",,Cloud Storage,technique-scores,Protect,Partial,,1 +342,,T1530,Data from Cloud Storage 
Object,['https://cloud.google.com/dlp/docs'],['Storage'],,Cloud Data Loss Prevention,technique-scores,Protect,Partial,,1 +343,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1610,Deploy Container,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +344,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1053.007,Container Orchestration Job,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +345,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1612,Build Image on Host,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +346,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1554,Compromise Client Software Binary,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +347,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1525,Implant Internal Image,"['https://cloud.google.com/binary-authorization/docs/overview', 
'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +348,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1036.001,Invalid Code Signature,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +349,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1601,Modify System Image,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +350,Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.,T1204.003,Malicious Image,"['https://cloud.google.com/binary-authorization/docs/overview', 'https://cloud.google.com/binary-authorization/docs/attestations']",['Binary Authorization'],,Binary Authorization,technique-scores,Protect,Significant,,1 +351,,T1098,Account Manipulation,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +352,,T1110,Brute Force,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +353,,T1136,Create Account,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +354,,T1530,Data from Cloud Storage 
Object,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +355,,T1114,Email Collection,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +356,,T1133,External Remote Services,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +357,,T1556,Modify Authentication Process,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +358,,T1021,Remote Services,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +359,,T1078.002,Domain Accounts,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +360,,T1078.004,Cloud Accounts,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +361,,T1110.001,Password Guessing,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +362,,T1110.002,Password Cracking,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +363,,T1110.003,Password Spraying,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +364,,T1110.004,Credential 
Stuffing,['https://landing.google.com/advancedprotection/'],"['Multi-Factor Authentication', 'Phishing']",,AdvancedProtectionProgram,technique-scores,Protect,Significant,,1 +365,,T1528,Steal Application Access Token,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,,1 +366,,T1555,Credentials from Password Stores,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,,1 +367,,T1552,Unsecured Credentials,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Partial,,1 +368,,T1040,Network Sniffing,['https://cloud.google.com/secret-manager/docs/overview'],['Data Security'],,Secret Manager,technique-scores,Protect,Minimal,,1 +369,,T1590,Gather Victim Network Information,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +370,,T1590.004,Network Topology,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +371,,T1590.005,IP Addresses,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +372,,T1046,Network Service Scanning,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +373,,T1135,Network Share Discovery,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +374,,T1595,Active Scanning,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 
+375,,T1595.001,Scanning IP Blocks,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +376,,T1098,Account Manipulation,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +377,,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Partial,,1 +378,,T1557,Adversary-in-the-Middle,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Partial,,1 +379,,T1602,Data from Configuration Repository,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +380,,T1190,Exploit Public-Facing Application,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +381,,T1552.007,Container API,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +382,,T1018,Remote System Discovery,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Significant,,1 +383,,T1570,Lateral Tool Transfer,['https://cloud.google.com/vpc-service-controls/docs'],"['Network', 'Virtual Private Cloud']",,Virtual Private Cloud,technique-scores,Protect,Minimal,,1 +384,Similar to Azure Role based access control and Azure policy ,T1087.004,Cloud Account,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy 
Intelligence,technique-scores,Protect,Partial,,1 +385,Similar to Azure Role based access control and Azure policy ,T1580,Cloud Infrastructure Discovery,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Minimal,,1 +386,Similar to Azure Role based access control and Azure policy ,T1530,Data from Cloud Storage Object,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +387,Similar to Azure Role based access control and Azure policy ,T1530,Data from Cloud Storage Object,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,,1 +388,Similar to Azure Role based access control and Azure policy ,T1538,Cloud Service Dashboard,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +389,Similar to Azure Role based access control and Azure policy ,T1578,Modify Cloud Compute Infrastructure,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +390,Similar to Azure Role based access control and Azure policy ,T1548.002,Bypass User Account Control,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +391,Similar to Azure Role based access control and Azure policy ,T1068,Exploitation for Privilege Escalation,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access 
Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +392,Similar to Azure Role based access control and Azure policy ,T1562,Impair Defenses,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +393,Similar to Azure Role based access control and Azure policy ,T1078.004,Cloud Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +394,Similar to Azure Role based access control and Azure policy ,T1078.004,Cloud Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,,1 +395,Similar to Azure Role based access control and Azure policy ,T1562.008,Disable Cloud Logs,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Detect,Minimal,,1 +396,Similar to Azure Role based access control and Azure policy ,T1212,Exploitation for Credential Access,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +397,Similar to Azure Role based access control and Azure policy ,T1078,Valid Accounts,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +398,Similar to Azure Role based access control and Azure policy ,T1087,Account Discovery,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy 
Intelligence,technique-scores,Protect,Partial,,1 +399,Similar to Azure Role based access control and Azure policy ,T1098.001,Additional Cloud Credentials,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +400,Similar to Azure Role based access control and Azure policy ,T1098,Account Manipulation,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +401,Similar to Azure Role based access control and Azure policy ,T1222,File and Directory Permissions Modification,['https://cloud.google.com/policy-intelligence'],"['Identity', 'Role Based Access Control', 'Access Management', 'Credentials']",,Policy Intelligence,technique-scores,Protect,Partial,,1 +402,,T1078.004,Cloud Accounts,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Protect,Partial,,1 +403,,T1110.004,Credential Stuffing,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Detect,Significant,,1 +404,,T1136.003,Cloud Account,['https://cloud.google.com/recaptcha-enterprise'],"['Multi-Factor Authentication', 'Identity']",,ReCAPTCHA Enterprise,technique-scores,Protect,Partial,,1 +405,,T1078,Valid Accounts,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,,1 +406,,T1537,Transfer Data to Cloud Account,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,,1 +407,,T1530,Data from Cloud Storage 
Object,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Significant,,1 +408,,T1567,Exfiltration Over Web Service,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Partial,,1 +409,,T1619,Cloud Storage Object Discovery,['https://cloud.google.com/vpc-service-controls/docs/overview'],"['Virtual Private Cloud', 'Access Control Policies', 'Network']",,VPC Service Controls,technique-scores,Protect,Partial,,1 +410,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1098,Account Manipulation,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +411,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1098.001,Additional Cloud Credentials,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +412,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1069,Permission Groups Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,,1 +413,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1069.003,Cloud Groups,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor 
Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,,1 +414,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078,Valid Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +415,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078,Valid Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Detect,Partial,,1 +416,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1078.004,Cloud Accounts,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +417,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1087.004,Cloud Account,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Partial,,1 +418,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.",T1087,Account Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,,1 +419,"Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access 
Management.",T1613,Container and Resource Discovery,['https://cloud.google.com/iam'],"['Identity', 'Credentials', 'Access Management', 'Multi-Factor Authentication', 'Role Based Access Control']",,Identity and Access Management,technique-scores,Protect,Minimal,,1 +420,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1068,Exploitation for Privilege Escalation,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +421,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1190,Exploit Public-Facing Application,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +422,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1203,Exploitation for Client Execution,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +423,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1210,Exploitation of Remote Services,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +424,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1211,Exploitation for Defense 
Evasion,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +425,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1212,Exploitation for Credential Access,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +426,This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE’s ATT&CK framework.,T1072,Software Deployment Tools,['https://cloud.google.com/compute/docs/vm-manager'],"['Patch Management', 'Vulnerability Management', 'Configuration Management', 'Credentials']",,VMManager,technique-scores,Protect,Partial,,1 +427,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1078,Valid Accounts,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,,1 +428,Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1068,Exploitation for Privilege Escalation,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,,1 +429,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1525,Implant Internal Image,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,,1 +430,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1610,Deploy Container,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Protect,Partial,,1 +431,Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.,T1212,Exploitation for Credential Access,"['https://cloud.google.com/container-registry/docs/container-analysis', 'https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr']","['Containers', 'Vulnerability Analysis']",,Container Registry,technique-scores,Detect,Partial,,1 
diff --git a/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_metadata.csv
new file mode 100644
index 00000000..66f1a5c7
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/security_stack_files/GCP/parsed_security_stack_mappings_metadata.csv
@@ -0,0 +1,2 @@
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,1,10,enterprise,,ctid@mitre-engenuity.org,05/11/2022,,,GCP,,1
diff --git a/src/mappings_explorer/cli/mapex/veris_files/1.3.5/parsed_veris_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/veris_files/1.3.5/parsed_veris_mappings_attack_objects.csv
new file mode 100644
index 00000000..3cd141bd
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/veris_files/1.3.5/parsed_veris_mappings_attack_objects.csv
@@ -0,0 +1,914 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1047,Windows Management Instrumentation,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +1,,T1047,Windows Management Instrumentation,[],[],,action.hacking.vector.Command shell,related-to,3 +2,,T1047,Windows Management Instrumentation,[],[],,action.malware.vector.Direct install,related-to,3 +3,,T1053,Scheduled Task/Job,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +4,,T1053,Scheduled Task/Job,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +5,,T1053.001,Scheduled Task/Job: At (Linux),[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +6,,T1053.002,Scheduled Task/Job: At (Windows),[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +7,,T1053.003,Scheduled Task/Job: Cron,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +8,,T1053.004,Scheduled Task/Job: Launchd,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +9,,T1053.005,Scheduled Task/Job: Scheduled Task,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +10,,T1053.006,Scheduled Task/Job: Systemd Timers,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +11,,T1053.007,Scheduled Task/Job: Container Orchestration Job,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +12,,T1059,Command and Scripting Interpreter,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +13,,T1059,Command and Scripting Interpreter,[],[],,action.hacking.vector.Command shell,related-to,3 +14,,T1059.001,Command and Scripting Interpreter: PowerShell,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +15,,T1059.001,Command and Scripting Interpreter: PowerShell,[],[],,action.hacking.vector.Command shell,related-to,3 +16,,T1059.002,Command and Scripting Interpreter: AppleScript,[],[],,action.hacking.variety.Abuse of 
functionality,related-to,3 +17,,T1059.002,Command and Scripting Interpreter: AppleScript,[],[],,action.hacking.vector.Command shell,related-to,3 +18,,T1059.003,Command and Scripting Interpreter: Windows Command Shell,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +19,,T1059.003,Command and Scripting Interpreter: Windows Command Shell,[],[],,action.hacking.vector.Command shell,related-to,3 +20,,T1059.004,Command and Scripting Interpreter: Unix Shell,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +21,,T1059.004,Command and Scripting Interpreter: Unix Shell,[],[],,action.hacking.vector.Command shell,related-to,3 +22,,T1059.005,Command and Scripting Interpreter: Visual Basic,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +23,,T1059.005,Command and Scripting Interpreter: Visual Basic,[],[],,action.hacking.vector.Command shell,related-to,3 +24,,T1059.005,Command and Scripting Interpreter: Visual Basic,[],[],,action.malware.vector.Email attachment,related-to,3 +25,,T1059.006,Command and Scripting Interpreter: Python,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +26,,T1059.006,Command and Scripting Interpreter: Python,[],[],,action.hacking.vector.Command shell,related-to,3 +27,,T1059.007,Command and Scripting Interpreter: JavaScript,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +28,,T1059.007,Command and Scripting Interpreter: JavaScript,[],[],,action.hacking.vector.Command shell,related-to,3 +29,,T1059.007,Command and Scripting Interpreter: JavaScript,[],[],,action.malware.vector.Email attachment,related-to,3 +30,,T1059.008,Command and Scripting Interpreter: Network Device CLI,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +31,,T1059.008,Command and Scripting Interpreter: Network Device CLI,[],[],,action.hacking.vector.Command shell,related-to,3 +32,,T1072,Software Deployment Tools,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 
+33,,T1072,Software Deployment Tools,[],[],,action.malware.variety.Adminware,related-to,3 +34,,T1072,Software Deployment Tools,[],[],,action.malware.vector.Software update,related-to,3 +35,,T1106,Native API,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +36,,T1112,Modify Registry,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +37,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +38,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,action.hacking.variety.Unknown,related-to,3 +39,,T1127.001,Tursted Developer Utilities Proxy Execution: MSBuild,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +40,,T1127.001,Tursted Developer Utilities Proxy Execution: MSBuild,[],[],,action.hacking.variety.Unknown,related-to,3 +41,,T1129,Shared Modules,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +42,,T1137,Office Application Startup,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +43,,T1137,Office Application Startup,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +44,,T1137.001,Office Application Startup: Office Template Macros,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +45,,T1137.002,Office Application Startup: Office Test,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +46,,T1137.003,Office Application Startup: Outlook Forms,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +47,,T1137.004,Office Application Startup: Outlook Home Page,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +48,,T1137.005,Office Application Startup: Outlook Rules,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +49,,T1187,Forced Authentication,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +50,,T1187,Forced Authentication,[],[],,action.hacking.variety.MitM,related-to,3 +51,,T1202,Indirect Command 
Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +52,,T1216,Signed Script Proxy Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +53,,T1216.001,Signed Script Proxy Execution: PubPrn,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +54,,T1218,Signed Binary Proxy Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +55,,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +56,,T1218.002,Signed Binary Proxy Execution: Control Panel,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +57,,T1218.003,Signed Binary Proxy Execution: CMSTP,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +58,,T1218.004,Signed Binary Proxy Execution: InstallUtil,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +59,,T1218.005,Signed Binary Proxy Execution: Mshta,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +60,,T1218.007,Signed Binary Proxy Execution: Msiexec,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +61,,T1218.008,Signed Binary Proxy Execution: Odbcconf,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +62,,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +63,,T1218.010,Signed Binary Proxy Execution: Regsvr32,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +64,,T1218.011,Signed Binary Proxy Execution: Rundll32,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +65,,T1218.012,Signed Binary Proxy Execution: Verclsid,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +66,,T1220,XSL Script Processing,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +67,,T1505.001,Server Software Component: SQL Stored Procedures,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 
+68,,T1505.001,Server Software Component: SQL Stored Procedures,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +69,,T1505.001,Server Software Component: SQL Stored Procedures,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +70,,T1505.001,Server Software Component: SQL Stored Procedures,[],[],,action.malware.variety.Backdoor,related-to,3 +71,,T1505.002,Server Software Component: Transport Agent,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +72,,T1505.002,Server Software Component: Transport Agent,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +73,,T1505.002,Server Software Component: Transport Agent,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +74,,T1505.002,Server Software Component: Transport Agent,[],[],,action.malware.variety.Backdoor,related-to,3 +75,,T1529,System Shutdown/Reboot,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +76,,T1543,Create or Modify System Process,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +77,,T1543,Create or Modify System Process,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +78,,T1543,Create or Modify System Process,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +79,,T1543,Create or Modify System Process,[],[],,action.malware.variety.Backdoor,related-to,3 +80,,T1543,Create or Modify System Process,[],[],,action.malware.variety.Rootkit,related-to,3 +81,,T1543.001,Create or Modify System Process: Launch Agent,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +82,,T1543.002,Create or Modify System Process: Systemd Service,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +83,,T1543.003,Create or Modify System Process: Windows Service,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +84,,T1543.003,Create or Modify System Process: Windows Service,[],[],,action.malware.variety.RAT,related-to,3 +85,,T1543.004,Create or Modify System Process: Launch 
Daemon,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +86,,T1547,Boot or Logon Autostart Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +87,,T1547,Boot or Logon Autostart Execution,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +88,,T1547,Boot or Logon Autostart Execution,[],[],,action.malware.variety.Backdoor,related-to,3 +89,,T1547,Boot or Logon Autostart Execution,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +90,,T1548,Abuse Elevation Control Mechanism,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +91,,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +92,,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +93,,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +94,,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,[],[],,action.malware.variety.Exploit misconfig,related-to,3 +95,,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +96,,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +97,,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,[],[],,action.malware.variety.Client-side attack,related-to,3 +98,,T1548.004,Abuse Elevation Control Mechanism: Elevated Execution with Prompt,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +99,,T1548.004,Abuse Elevation Control Mechanism: Elevated Execution with Prompt,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +100,,T1559,Inter-Process Communication,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +101,,T1559.001,Inter-Process 
Communication: Component Object Model,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +102,,T1559.002,Inter-Process Communication: Dynamic Data Exchange,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +103,,T1563,Remote Service Session Hijacking,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +104,,T1563,Remote Service Session Hijacking,[],[],,action.malware.vector.Network propagation,related-to,3 +105,,T1563.001,Remote Service Session Hijacking: SSH Hijacking,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +106,,T1563.001,Remote Service Session Hijacking: SSH Hijacking,[],[],,action.malware.vector.Network propagation,related-to,3 +107,,T1563.002,Remote Service Session Hijacking: RDP Hijacking,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +108,,T1563.002,Remote Service Session Hijacking: RDP Hijacking,[],[],,action.malware.vector.Network propagation,related-to,3 +109,,T1564,Hide Artifacts,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +110,,T1564.001,Hide Artifacts: Hidden Files and Directories,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +111,,T1564.002,Hide Artifacts: Hidden Users,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +112,,T1564.003,Hide Artifacts: Hidden Window,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +113,,T1564.004,Hide Artifacts: NTFS File Attributes,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +114,,T1564.005,Hide Artifacts: Hidden File System,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +115,,T1564.006,Hide Artifacts: Run Virtual Instance,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +116,,T1564.007,Hide Artifacts: VBA Stomping,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +117,,T1564.007,Hide Artifacts: VBA Stomping,[],[],,action.malware.variety.Trojan,related-to,3 +118,,T1569,System 
Services,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +119,,T1569.001,System Services: Launchctl,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +120,,T1569.002,System Services: Service Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +121,,T1569.002,System Services: Service Execution,[],[],,action.malware.vector.Direct install,related-to,3 +122,,T1578,Modify Cloud Computer Infrastructure,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +123,,T1578,Modify Cloud Computer Infrastructure,[],[],,action.hacking.vector.Hypervisor,related-to,3 +124,,T1578,Modify Cloud Computer Infrastructure,[],[],,action.hacking.vector.Inter-tenant,related-to,3 +125,,T1578.001,Modify Cloud Computer Infrastructure: Create Snapshot,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +126,,T1578.002,Modify Cloud Computer Infrastructure: Create Cloud Instance,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +127,,T1578.003,Modify Cloud Computer Infrastructure: Delete Cloud Instance,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +128,,T1578.004,Modify Cloud Computer Infrastructure: Revert Cloud Instance,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +129,,T1609,Container Administration Command,[],[],,action.hacking.variety.Abuse of functionality,related-to,3 +130,,T1110,Brute Force,[],[],,action.hacking.variety.Brute force,related-to,3 +131,,T1110,Brute Force,[],[],,action.malware.variety.Brute force,related-to,3 +132,,T1110.001,Brute Force: Password Guessing,[],[],,action.hacking.variety.Brute force,related-to,3 +133,,T1110.001,Brute Force: Password Guessing,[],[],,action.malware.variety.Brute force,related-to,3 +134,,T1110.002,Brute Force: Password Cracking,[],[],,action.hacking.variety.Brute force,related-to,3 +135,,T1110.002,Brute Force: Password Cracking,[],[],,action.hacking.variety.Offline cracking,related-to,3 +136,,T1110.002,Brute 
Force: Password Cracking,[],[],,action.malware.variety.Brute force,related-to,3 +137,,T1110.003,Brute Force: Password Spraying,[],[],,action.hacking.variety.Brute force,related-to,3 +138,,T1110.003,Brute Force: Password Spraying,[],[],,action.malware.variety.Brute force,related-to,3 +139,,T1110.004,Brute Force: Credential Stuffing,[],[],,action.hacking.variety.Brute force,related-to,3 +140,,T1110.004,Brute Force: Credential Stuffing,[],[],,action.malware.variety.Brute force,related-to,3 +141,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.Buffer overflow,related-to,3 +142,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.HTTP Response Splitting,related-to,3 +143,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.HTTP request smuggling,related-to,3 +144,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.HTTP request splitting,related-to,3 +145,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.HTTP response smuggling,related-to,3 +146,,T1203,Exploitation for Client Execution,[],[],,action.malware.variety.Client-side attack,related-to,3 +147,,T1203,Exploitation for Client Execution,[],[],,action.malware.vector.Email attachment,related-to,3 +148,,T1600,Weaken Encryption,[],[],,action.hacking.variety.Cryptanalysis,related-to,3 +149,,T1600,Weaken Encryption,[],[],,action.malware.variety.Disable controls,related-to,3 +150,,T1498,Network Denial of Service,[],[],,action.hacking.variety.DoS,related-to,3 +151,,T1498,Network Denial of Service,[],[],,action.malware.variety.DoS,related-to,3 +152,,T1498.001,Network Denial of Service: Direct Network Flood,[],[],,action.hacking.variety.DoS,related-to,3 +153,,T1498.001,Network Denial of Service: Direct Network Flood,[],[],,action.malware.variety.DoS,related-to,3 +154,,T1498.002,Network Denial of Service: Reflection Amplification,[],[],,action.hacking.variety.DoS,related-to,3 +155,,T1498.002,Network Denial of Service: Reflection 
Amplification,[],[],,action.malware.variety.DoS,related-to,3 +156,,T1499,Endpoint Denial of Service,[],[],,action.hacking.variety.DoS,related-to,3 +157,,T1499,Endpoint Denial of Service,[],[],,action.hacking.variety.Soap array abuse,related-to,3 +158,,T1499,Endpoint Denial of Service,[],[],,action.hacking.variety.XML attribute blowup,related-to,3 +159,,T1499,Endpoint Denial of Service,[],[],,action.hacking.variety.XML entity expansion,related-to,3 +160,,T1499,Endpoint Denial of Service,[],[],,action.hacking.variety.XML external entities,related-to,3 +161,,T1499,Endpoint Denial of Service,[],[],,action.malware.variety.DoS,related-to,3 +162,,T1499.001,Endpoint Denial of Service: OS Exhaustion Flood,[],[],,action.hacking.variety.DoS,related-to,3 +163,,T1499.001,Endpoint Denial of Service: OS Exhaustion Flood,[],[],,action.malware.variety.DoS,related-to,3 +164,,T1499.002,Endpoint Denial of Service: Service Exhaustion Flood,[],[],,action.hacking.variety.DoS,related-to,3 +165,,T1499.002,Endpoint Denial of Service: Service Exhaustion Flood,[],[],,action.malware.variety.DoS,related-to,3 +166,,T1499.003,Endpoint Denial of Service: Application Exhaustion Flood,[],[],,action.hacking.variety.DoS,related-to,3 +167,,T1499.003,Endpoint Denial of Service: Application Exhaustion Flood,[],[],,action.malware.variety.DoS,related-to,3 +168,,T1499.004,Endpoint Denial of Service: Application or System Exploitation,[],[],,action.hacking.variety.DoS,related-to,3 +169,,T1499.004,Endpoint Denial of Service: Application or System Exploitation,[],[],,action.malware.variety.DoS,related-to,3 +170,,T1583.005,Acquire Infrastructure: Botnet,[],[],,action.hacking.variety.DoS,related-to,3 +171,,T1583.005,Acquire Infrastructure: Botnet,[],[],,action.hacking.variety.Unknown,related-to,3 +172,,T1583.005,Acquire Infrastructure: Botnet,[],[],,value_chain.development.variety.Bot,related-to,3 +173,,T1583.005,Acquire Infrastructure: Botnet,[],[],,value_chain.distribution.variety.Botnet,related-to,3 
+174,,T1584.005,Compromise Infrastructure: Botnet,[],[],,action.hacking.variety.DoS,related-to,3 +175,,T1584.005,Compromise Infrastructure: Botnet,[],[],,action.hacking.variety.Unknown,related-to,3 +176,,T1584.005,Compromise Infrastructure: Botnet,[],[],,value_chain.distribution.variety.Other,related-to,3 +177,,T1584.005,Compromise Infrastructure: Botnet,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +178,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +179,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Exploit vuln,related-to,3 +180,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Format string attack,related-to,3 +181,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Fuzz testing,related-to,3 +182,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Insecure deserialization,related-to,3 +183,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Integer overflows,related-to,3 +184,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.LDAP injection,related-to,3 +185,,T1068,Exploitation for Privilege Escalation,[],[],,action.malware.variety.Exploit misconfig,related-to,3 +186,,T1190,Exploit Public-Facing Application,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +187,,T1190,Exploit Public-Facing Application,[],[],,action.malware.variety.Exploit vuln,related-to,3 +188,,T1210,Exploitation of Remote Services,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +189,,T1210,Exploitation of Remote Services,[],[],,action.malware.variety.Exploit vuln,related-to,3 +190,,T1212,Exploitation for Credential Access,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +191,,T1212,Exploitation for Credential Access,[],[],,action.hacking.variety.Exploit vuln,related-to,3 +192,,T1212,Exploitation for Credential 
Access,[],[],,action.hacking.variety.Session fixation,related-to,3 +193,,T1212,Exploitation for Credential Access,[],[],,action.malware.variety.Disable controls,related-to,3 +194,,T1212,Exploitation for Credential Access,[],[],,action.malware.variety.Exploit vuln,related-to,3 +195,,T1212,Exploitation for Credential Access,[],[],,action.malware.variety.Password dumper,related-to,3 +196,,T1212,Exploitation for Credential Access,[],[],,action.malware.vector.Web application - drive-by,related-to,3 +197,,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +198,,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +199,,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,[],[],,action.malware.variety.Exploit misconfig,related-to,3 +200,,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +201,,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,[],[],,action.hacking.variety.Exploit vuln,related-to,3 +202,,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,[],[],,action.hacking.variety.Unknown,related-to,3 +203,,T1574.002,Hijack Execution Flow: DLL Side-Loading,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +204,,T1574.002,Hijack Execution Flow: DLL Side-Loading,[],[],,action.hacking.variety.Exploit vuln,related-to,3 +205,,T1574.002,Hijack Execution Flow: DLL Side-Loading,[],[],,action.hacking.variety.Unknown,related-to,3 +206,,T1574.005,Hijack Execution Flow: Executable Installer File Permissions Weakness,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +207,,T1574.005,Hijack Execution Flow: Executable Installer File Permissions Weakness,[],[],,action.hacking.variety.Unknown,related-to,3 +208,,T1574.010,Hijack Execution Flow: Services File Permissions Weakness,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 
+209,,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,[],[],,action.hacking.variety.Exploit misconfig,related-to,3 +210,,T1574.004,Hijack Execution Flow: Dylib Hijacking,[],[],,action.hacking.variety.Exploit vuln,related-to,3 +211,,T1574.004,Hijack Execution Flow: Dylib Hijacking,[],[],,action.hacking.variety.Unknown,related-to,3 +212,,T1595.002,Active Scanning: Vulnerability Scanning,[],[],,action.hacking.variety.Exploit vuln,related-to,3 +213,,T1595.002,Active Scanning: Vulnerability Scanning,[],[],,action.malware.variety.Exploit vuln,related-to,3 +214,,T1595.002,Active Scanning: Vulnerability Scanning,[],[],,action.malware.variety.Scan network,related-to,3 +215,,T1595.002,Active Scanning: Vulnerability Scanning,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +216,,T1007,System Service Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +217,,T1012,Query Registry,[],[],,action.hacking.variety.Footprinting,related-to,3 +218,,T1057,Process Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +219,,T1069,Permission Groups Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +220,,T1069.001,Permission Groups Discovery: Local Groups,[],[],,action.hacking.variety.Footprinting,related-to,3 +221,,T1069.002,Permission Groups Discovery: Domain Groups,[],[],,action.hacking.variety.Footprinting,related-to,3 +222,,T1069.003,Permission Groups Discovery: Cloud Groups,[],[],,action.hacking.variety.Footprinting,related-to,3 +223,,T1082,System Information Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +224,,T1087,Account Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +225,,T1087.001,Account Discovery: Local Account,[],[],,action.hacking.variety.Footprinting,related-to,3 +226,,T1087.002,Account Discovery: Domain Account,[],[],,action.hacking.variety.Footprinting,related-to,3 +227,,T1087.003,Account Discovery: Email 
Account,[],[],,action.hacking.variety.Footprinting,related-to,3 +228,,T1087.004,Account Discovery: Cloud Account,[],[],,action.hacking.variety.Footprinting,related-to,3 +229,,T1119,Automated Collection,[],[],,action.hacking.variety.Footprinting,related-to,3 +230,,T1119,Automated Collection,[],[],,action.malware.variety.Capture stored data,related-to,3 +231,,T1120,Peripheral Device Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +232,,T1124,System Time Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +233,,T1201,Password Policy Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +234,,T1480,Execution Guardrails,[],[],,action.hacking.variety.Footprinting,related-to,3 +235,,T1480.001,Execution Guardrails: Environmental Keying,[],[],,action.hacking.variety.Footprinting,related-to,3 +236,,T1518,Software Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +237,,T1518.001,Software Discovery: Security Software Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +238,,T1526,Cloud Service Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +239,,T1538,Cloud Service Dashboard,[],[],,action.hacking.variety.Footprinting,related-to,3 +240,,T1580,Cloud Infrastructure Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +241,,T1589,Gather Victim Identity Information,[],[],,action.hacking.variety.Footprinting,related-to,3 +242,,T1589,Gather Victim Identity Information,[],[],,value_chain.targeting.variety.Personal Information,related-to,3 +243,,T1589.001,Gather Victim Identity Information: Credentials,[],[],,action.hacking.variety.Footprinting,related-to,3 +244,,T1589.001,Gather Victim Identity Information: Credentials,[],[],,value_chain.targeting.variety.Lost or stolen credentials,related-to,3 +245,,T1589.001,Gather Victim Identity Information: Credentials,[],[],,value_chain.targeting.variety.Personal Information,related-to,3 +246,,T1589.002,Gather Victim Identity Information: 
Email Addresses,[],[],,action.hacking.variety.Footprinting,related-to,3 +247,,T1589.002,Gather Victim Identity Information: Email Addresses,[],[],,value_chain.targeting.variety.Email addresses,related-to,3 +248,,T1589.002,Gather Victim Identity Information: Email Addresses,[],[],,value_chain.targeting.variety.Personal Information,related-to,3 +249,,T1589.003,Gather Victim Identity Information: Employee Names,[],[],,action.hacking.variety.Footprinting,related-to,3 +250,,T1589.003,Gather Victim Identity Information: Employee Names,[],[],,value_chain.targeting.variety.Personal Information,related-to,3 +251,,T1590,Gather Victim Network Information,[],[],,action.hacking.variety.Footprinting,related-to,3 +252,,T1590,Gather Victim Network Information,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +253,,T1590.001,Gather Victim Network Information: Domain Properties,[],[],,action.hacking.variety.Footprinting,related-to,3 +254,,T1590.001,Gather Victim Network Information: Domain Properties,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +255,,T1590.002,Gather Victim Network Information: DNS,[],[],,action.hacking.variety.Footprinting,related-to,3 +256,,T1590.002,Gather Victim Network Information: DNS,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +257,,T1590.003,Gather Victim Network Information: Network Trust Dependencies,[],[],,action.hacking.variety.Footprinting,related-to,3 +258,,T1590.003,Gather Victim Network Information: Network Trust Dependencies,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +259,,T1590.004,Gather Victim Network Information: Network Topology,[],[],,action.hacking.variety.Footprinting,related-to,3 +260,,T1590.004,Gather Victim Network Information: Network Topology,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +261,,T1590.005,Gather Victim Network Information: IP 
Addresses,[],[],,action.hacking.variety.Footprinting,related-to,3 +262,,T1590.005,Gather Victim Network Information: IP Addresses,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +263,,T1590.006,Gather Victim Network Information: Network Security Appliances,[],[],,action.hacking.variety.Footprinting,related-to,3 +264,,T1590.006,Gather Victim Network Information: Network Security Appliances,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +265,,T1591,Gather Victim Org Information,[],[],,action.hacking.variety.Footprinting,related-to,3 +266,,T1591,Gather Victim Org Information,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +267,,T1591.001,Gather Victim Org Information: Determine Physical Locations,[],[],,action.hacking.variety.Footprinting,related-to,3 +268,,T1591.001,Gather Victim Org Information: Determine Physical Locations,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +269,,T1591.002,Gather Victim Org Information: Business Relationships,[],[],,action.hacking.variety.Footprinting,related-to,3 +270,,T1591.002,Gather Victim Org Information: Business Relationships,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +271,,T1591.003,Gather Victim Org Information: Identify Business Tempo,[],[],,action.hacking.variety.Footprinting,related-to,3 +272,,T1591.003,Gather Victim Org Information: Identify Business Tempo,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +273,,T1591.004,Gather Victim Org Information: Identify Roles,[],[],,action.hacking.variety.Footprinting,related-to,3 +274,,T1591.004,Gather Victim Org Information: Identify Roles,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +275,,T1592,Gather Victim Host Information,[],[],,action.hacking.variety.Footprinting,related-to,3 +276,,T1592,Gather Victim Host Information,[],[],,value_chain.targeting.variety.Organizational 
Information,related-to,3 +277,,T1592.001,Gather Victim Host Information: Hardware,[],[],,action.hacking.variety.Footprinting,related-to,3 +278,,T1592.001,Gather Victim Host Information: Hardware,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +279,,T1592.002,Gather Victim Host Information: Software,[],[],,action.hacking.variety.Footprinting,related-to,3 +280,,T1592.002,Gather Victim Host Information: Software,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +281,,T1592.003,Gather Victim Host Information: Firmware,[],[],,action.hacking.variety.Footprinting,related-to,3 +282,,T1592.003,Gather Victim Host Information: Firmware,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +283,,T1592.004,Gather Victim Host Information: Client Configurations,[],[],,action.hacking.variety.Footprinting,related-to,3 +284,,T1592.004,Gather Victim Host Information: Client Configurations,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +285,,T1593,Search Open Websites/Domains,[],[],,action.hacking.variety.Footprinting,related-to,3 +286,,T1593,Search Open Websites/Domains,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +287,,T1593.001,Search Open Websites/Domains: Social Media,[],[],,action.hacking.variety.Footprinting,related-to,3 +288,,T1593.001,Search Open Websites/Domains: Social Media,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +289,,T1593.002,Search Open Websites/Domains: Search Engines,[],[],,action.hacking.variety.Footprinting,related-to,3 +290,,T1593.002,Search Open Websites/Domains: Search Engines,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +291,,T1594,Search Victim-Owned Websites,[],[],,action.hacking.variety.Footprinting,related-to,3 +292,,T1594,Search Victim-Owned Websites,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +293,,T1596,Search Open 
Technical Databases,[],[],,action.hacking.variety.Footprinting,related-to,3 +294,,T1596,Search Open Technical Databases,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +295,,T1596.001,Search Open Technical Databases: DNS/Passive DNS,[],[],,action.hacking.variety.Footprinting,related-to,3 +296,,T1596.001,Search Open Technical Databases: DNS/Passive DNS,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +297,,T1596.002,Search Open Technical Databases: WHOIS,[],[],,action.hacking.variety.Footprinting,related-to,3 +298,,T1596.002,Search Open Technical Databases: WHOIS,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +299,,T1596.003,Search Open Technical Databases: Digital Certificates,[],[],,action.hacking.variety.Footprinting,related-to,3 +300,,T1596.003,Search Open Technical Databases: Digital Certificates,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +301,,T1596.004,Search Open Technical Databases: CDNs,[],[],,action.hacking.variety.Footprinting,related-to,3 +302,,T1596.004,Search Open Technical Databases: CDNs,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +303,,T1596.005,Search Open Technical Databases: Scan Databases,[],[],,action.hacking.variety.Footprinting,related-to,3 +304,,T1596.005,Search Open Technical Databases: Scan Databases,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +305,,T1597,Search Closed Sources,[],[],,action.hacking.variety.Footprinting,related-to,3 +306,,T1597,Search Closed Sources,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +307,,T1597.001,Search Closed Sources: Threat Intel Vendors,[],[],,action.hacking.variety.Footprinting,related-to,3 +308,,T1597.001,Search Closed Sources: Threat Intel Vendors,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +309,,T1597.002,Search Closed Sources: Purchase Technical 
Data,[],[],,action.hacking.variety.Footprinting,related-to,3 +310,,T1597.002,Search Closed Sources: Purchase Technical Data,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +311,,T1602,Data from Configuration Repository,[],[],,action.hacking.variety.Footprinting,related-to,3 +312,,T1602,Data from Configuration Repository,[],[],,action.malware.variety.Capture stored data,related-to,3 +313,,T1602.001,Data from Configuration Repository: SNMP (MIB Dump),[],[],,action.hacking.variety.Footprinting,related-to,3 +314,,T1602.002,Data from Configuration Repository: Network Device Configuration Dump,[],[],,action.hacking.variety.Footprinting,related-to,3 +315,,T1613,Container and Resource Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +316,,T1614,System Location Discovery,[],[],,action.hacking.variety.Footprinting,related-to,3 +317,,T1539,Steal Web Session Cookie,[],[],,action.hacking.variety.Forced browsing,related-to,3 +318,,T1539,Steal Web Session Cookie,[],[],,action.hacking.variety.MitM,related-to,3 +319,,T1539,Steal Web Session Cookie,[],[],,action.malware.variety.Capture app data,related-to,3 +320,,T1583.003,Acquire Infrastructure: Virtual Private Server,[],[],,action.hacking.variety.Forced browsing,related-to,3 +321,,T1583.003,Acquire Infrastructure: Virtual Private Server,[],[],,action.hacking.variety.Unknown,related-to,3 +322,,T1583.003,Acquire Infrastructure: Virtual Private Server,[],[],,value_chain.distribution.variety.Other,related-to,3 +323,,T1583.003,Acquire Infrastructure: Virtual Private Server,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +324,,T1583.004,Acquire Infrastructure: Server,[],[],,action.hacking.variety.Forced browsing,related-to,3 +325,,T1583.004,Acquire Infrastructure: Server,[],[],,action.hacking.variety.Unknown,related-to,3 +326,,T1583.004,Acquire Infrastructure: Server,[],[],,value_chain.distribution.variety.Other,related-to,3 +327,,T1583.004,Acquire Infrastructure: 
Server,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +328,,T1583.006,Acquire Infrastructure: Web Services,[],[],,action.hacking.variety.Forced browsing,related-to,3 +329,,T1583.006,Acquire Infrastructure: Web Services,[],[],,action.hacking.variety.Unknown,related-to,3 +330,,T1583.006,Acquire Infrastructure: Web Services,[],[],,action.malware.variety.C2,related-to,3 +331,,T1583.006,Acquire Infrastructure: Web Services,[],[],,value_chain.development.variety.Website,related-to,3 +332,,T1583.006,Acquire Infrastructure: Web Services,[],[],,value_chain.distribution.variety.Other,related-to,3 +333,,T1583.006,Acquire Infrastructure: Web Services,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +334,,T1185,Man in the Browser,[],[],,action.hacking.variety.HTTP Response Splitting,related-to,3 +335,,T1185,Man in the Browser,[],[],,action.hacking.variety.HTTP request smuggling,related-to,3 +336,,T1185,Man in the Browser,[],[],,action.hacking.variety.HTTP request splitting,related-to,3 +337,,T1185,Man in the Browser,[],[],,action.hacking.variety.HTTP response smuggling,related-to,3 +338,,T1185,Man in the Browser,[],[],,action.hacking.variety.MitM,related-to,3 +339,,T1185,Man in the Browser,[],[],,action.hacking.variety.Session fixation,related-to,3 +340,,T1185,Man in the Browser,[],[],,action.malware.variety.Capture app data,related-to,3 +341,,T1557,Man-in-the-Middle,[],[],,action.hacking.variety.MitM,related-to,3 +342,,T1557,Man-in-the-Middle,[],[],,action.hacking.variety.Routing detour,related-to,3 +343,,T1557.001,Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay,[],[],,action.hacking.variety.MitM,related-to,3 +344,,T1557.002,Man-in-the-Middle: ARP Cache Poisoning,[],[],,action.hacking.variety.MitM,related-to,3 +345,,T1550.002,Use Alternate Authentication Material: Pass the Hash,[],[],,action.hacking.variety.Pass-the-hash,related-to,3 +346,,T1550.002,Use Alternate Authentication Material: Pass the 
Hash,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +347,,T1550.002,Use Alternate Authentication Material: Pass the Hash,[],[],,action.malware.variety.Password dumper,related-to,3 +348,,T1001,Data Obfuscation,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +349,,T1001,Data Obfuscation,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +350,,T1001,Data Obfuscation,[],[],,action.malware.variety.Unknown,related-to,3 +351,,T1008,Fallback Channels,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +352,,T1008,Fallback Channels,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +353,,T1008,Fallback Channels,[],[],,action.malware.variety.C2,related-to,3 +354,,T1071,Application Layer Protocol,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +355,,T1071,Application Layer Protocol,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +356,,T1071,Application Layer Protocol,[],[],,action.malware.variety.C2,related-to,3 +357,,T1071,Application Layer Protocol,[],[],,action.malware.variety.Unknown,related-to,3 +358,,T1078,Valid Accounts,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +359,,T1078,Valid Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +360,,T1078,Valid Accounts,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +361,,T1090,Proxy,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +362,,T1090,Proxy,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +363,,T1090,Proxy,[],[],,action.malware.variety.C2,related-to,3 +364,,T1095,Non-Application Layer Protocol,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +365,,T1095,Non-Application Layer Protocol,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +366,,T1095,Non-Application Layer Protocol,[],[],,action.malware.variety.C2,related-to,3 +367,,T1102,Web Service,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +368,,T1102,Web 
Service,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +369,,T1102,Web Service,[],[],,action.malware.variety.C2,related-to,3 +370,,T1104,Multi-Stage Channels,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +371,,T1104,Multi-Stage Channels,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +372,,T1104,Multi-Stage Channels,[],[],,action.malware.variety.C2,related-to,3 +373,,T1105,Ingress Tool Transfer,[],[],,action.hacking.variety.Unknown,related-to,3 +374,,T1105,Ingress Tool Transfer,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +375,,T1105,Ingress Tool Transfer,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +376,,T1132,Data Encoding,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +377,,T1132,Data Encoding,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +378,,T1132,Data Encoding,[],[],,action.malware.variety.C2,related-to,3 +379,,T1133,External Remote Services,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +380,,T1133,External Remote Services,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +381,,T1133,External Remote Services,[],[],,action.hacking.vector.3rd party desktop,related-to,3 +382,,T1133,External Remote Services,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +383,,T1133,External Remote Services,[],[],,action.hacking.vector.Desktop sharing software,related-to,3 +384,,T1133,External Remote Services,[],[],,action.malware.variety.Backdoor,related-to,3 +385,,T1133,External Remote Services,[],[],,action.malware.variety.Exploit vuln,related-to,3 +386,,T1133,External Remote Services,[],[],,action.malware.vector.Remote injection,related-to,3 +387,,T1133,External Remote Services,[],[],,action.malware.vector.Web application,related-to,3 +388,,T1205,Traffic Signaling,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +389,,T1205,Traffic Signaling,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +390,,T1205,Traffic 
Signaling,[],[],,action.malware.variety.C2,related-to,3 +391,,T1505,Server Software Component,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +392,,T1505,Server Software Component,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +393,,T1505,Server Software Component,[],[],,action.malware.variety.Backdoor,related-to,3 +394,,T1505.003,Server Software Component: Web Shell,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +395,,T1505.003,Server Software Component: Web Shell,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +396,,T1505.003,Server Software Component: Web Shell,[],[],,action.malware.variety.Backdoor,related-to,3 +397,,T1525,Implant Container Image,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +398,,T1525,Implant Container Image,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +399,,T1525,Implant Container Image,[],[],,action.malware.variety.Backdoor,related-to,3 +400,,T1525,Implant Container Image,[],[],,action.malware.variety.RAT,related-to,3 +401,,T1525,Implant Container Image,[],[],,action.malware.variety.Unknown,related-to,3 +402,,T1568,Dynamic Resolution,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +403,,T1568,Dynamic Resolution,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +404,,T1568,Dynamic Resolution,[],[],,action.malware.variety.C2,related-to,3 +405,,T1568,Dynamic Resolution,[],[],,action.malware.vector.Download by malware,related-to,3 +406,,T1571,Non-Standard Port,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +407,,T1571,Non-Standard Port,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +408,,T1571,Non-Standard Port,[],[],,action.malware.variety.C2,related-to,3 +409,,T1572,Protocol Tunneling,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +410,,T1572,Protocol Tunneling,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +411,,T1572,Protocol 
Tunneling,[],[],,action.malware.variety.C2,related-to,3 +412,,T1573,Encrypted Channels,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +413,,T1573,Encrypted Channels,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +414,,T1573,Encrypted Channels,[],[],,action.malware.variety.C2,related-to,3 +415,,T1573.001,Encrypted Channels: Symmetric Cryptography,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +416,,T1573.001,Encrypted Channels: Symmetric Cryptography,[],[],,action.malware.variety.C2,related-to,3 +417,,T1573.002,Encrypted Channels: Asymmetric Cryptography,[],[],,action.hacking.variety.Use of backdoor or C2,related-to,3 +418,,T1573.002,Encrypted Channels: Asymmetric Cryptography,[],[],,action.malware.variety.C2,related-to,3 +419,,T1021,Remote Services,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +420,,T1021,Remote Services,[],[],,action.malware.vector.Network propagation,related-to,3 +421,,T1021.001,Remote Services: Remote Desktop Protocol,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +422,,T1021.001,Remote Services: Remote Desktop Protocol,[],[],,action.hacking.vector.Desktop sharing software,related-to,3 +423,,T1021.002,Remote Services: SMB/Windows Admin Shares,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +424,,T1021.002,Remote Services: SMB/Windows Admin Shares,[],[],,action.hacking.vector.Command shell,related-to,3 +425,,T1021.003,Remote Services: Distributed Component Object Model,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +426,,T1021.003,Remote Services: Distributed Component Object Model,[],[],,action.hacking.vector.Command shell,related-to,3 +427,,T1021.004,Remote Services: SSH,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +428,,T1021.004,Remote Services: SSH,[],[],,action.hacking.vector.Command shell,related-to,3 +429,,T1021.005,Remote Services: VNC,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 
+430,,T1021.005,Remote Services: VNC,[],[],,action.hacking.vector.Desktop sharing software,related-to,3 +431,,T1021.006,Remote Services: Windows Remote Management,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +432,,T1021.006,Remote Services: Windows Remote Management,[],[],,action.hacking.vector.Command shell,related-to,3 +433,,T1078.001,Valid Accounts: Default Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +434,,T1078.002,Valid Accounts: Domain Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +435,,T1078.003,Valid Accounts: Local Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +436,,T1078.004,Valid Accounts: Cloud Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +437,,T1134,Access Token Manipulation,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +438,,T1134.001,Access Token Manipulation: Token Impersonation/Theft,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +439,,T1134.002,Access Token Manipulation: Create Process with Token,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +440,,T1134.003,Access Token Manipulation: Make and Impersonate Token,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +441,,T1134.004,Access Token Manipulation: Parent PID Spoofing,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +442,,T1134.005,Access Token Manipulation: SID-History Injection,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +443,,T1550,Use Alternate Authentication Material,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +444,,T1550,Use Alternate Authentication Material,[],[],,action.malware.vector.Network propagation,related-to,3 +445,,T1550.001,Use Alternate Authentication Material: Application Access Token,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +446,,T1550.003,Use Alternate Authentication Material: Pass the 
Ticket,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +447,,T1550.004,Use Alternate Authentication Material: Web Session Cookies,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +448,,T1558,Steal or Forge Kerberos Tickets,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +449,,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +450,,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +451,,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +452,,T1586,Compromise Account,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +453,,T1586.001,Compromise Account: Social Media Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +454,,T1586.001,Compromise Account: Social Media Accounts,[],[],,action.social.variety.Phishing,related-to,3 +455,,T1586.001,Compromise Account: Social Media Accounts,[],[],,action.social.variety.Pretexting,related-to,3 +456,,T1586.002,Compromise Account: Email Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,3 +457,,T1611,Escape to Host,[],[],,action.hacking.variety.Virtual machine escape,related-to,3 +458,,T1213,Data from Information Repository,[],[],,action.hacking.variety.XML external entities,related-to,3 +459,,T1213,Data from Information Repository,[],[],,action.malware.variety.Capture stored data,related-to,3 +460,,T1546,Event Triggered Execution,[],[],,action.hacking.variety.XML injection,related-to,3 +461,,T1546,Event Triggered Execution,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +462,,T1546,Event Triggered Execution,[],[],,action.malware.variety.Backdoor,related-to,3 +463,,T1546,Event Triggered Execution,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +464,,T1574,Hijack Execution 
Flow,[],[],,action.hacking.variety.Unknown,related-to,3 +465,,T1574,Hijack Execution Flow,[],[],,action.hacking.variety.XML injection,related-to,3 +466,,T1574,Hijack Execution Flow,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +467,,T1574,Hijack Execution Flow,[],[],,action.malware.variety.Backdoor,related-to,3 +468,,T1010,Application Window Discovery,[],[],,action.hacking.variety.XPath injection,related-to,3 +469,,T1010,Application Window Discovery,[],[],,action.malware.variety.Capture stored data,related-to,3 +470,,T1111,Two-Factor Authentication Interception,[],[],,action.hacking.variety.Unknown,related-to,3 +471,,T1583,Acquire Infrastructure,[],[],,action.hacking.variety.Unknown,related-to,3 +472,,T1583,Acquire Infrastructure,[],[],,action.malware.vector.Web application - download,related-to,3 +473,,T1583.001,Acquire Infrastructure: Domains,[],[],,action.hacking.variety.Unknown,related-to,3 +474,,T1583.001,Acquire Infrastructure: Domains,[],[],,action.malware.variety.C2,related-to,3 +475,,T1583.001,Acquire Infrastructure: Domains,[],[],,value_chain.distribution.variety.Other,related-to,3 +476,,T1583.001,Acquire Infrastructure: Domains,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +477,,T1583.002,Acquire Infrastructure: DNS Server,[],[],,action.hacking.variety.Unknown,related-to,3 +478,,T1583.002,Acquire Infrastructure: DNS Server,[],[],,action.malware.variety.C2,related-to,3 +479,,T1583.002,Acquire Infrastructure: DNS Server,[],[],,value_chain.distribution.variety.Other,related-to,3 +480,,T1583.002,Acquire Infrastructure: DNS Server,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +481,,T1584,Compromise Infrastructure,[],[],,action.hacking.variety.Unknown,related-to,3 +482,,T1584,Compromise Infrastructure,[],[],,action.malware.vector.Web application - download,related-to,3 +483,,T1584,Compromise Infrastructure,[],[],,value_chain.distribution.variety.Other,related-to,3 +484,,T1584,Compromise 
Infrastructure,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +485,,T1584.001,Compromise Infrastructure: Domains,[],[],,action.hacking.variety.Unknown,related-to,3 +486,,T1584.001,Compromise Infrastructure: Domains,[],[],,action.social.variety.Pretexting,related-to,3 +487,,T1584.001,Compromise Infrastructure: Domains,[],[],,value_chain.distribution.variety.Other,related-to,3 +488,,T1584.001,Compromise Infrastructure: Domains,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +489,,T1584.002,Compromise Infrastructure: DNS Server,[],[],,action.hacking.variety.Unknown,related-to,3 +490,,T1584.002,Compromise Infrastructure: DNS Server,[],[],,action.malware.variety.C2,related-to,3 +491,,T1584.002,Compromise Infrastructure: DNS Server,[],[],,value_chain.distribution.variety.Compromised server,related-to,3 +492,,T1584.002,Compromise Infrastructure: DNS Server,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +493,,T1584.003,Compromise Infrastructure: Virtual Private Server,[],[],,action.hacking.variety.Unknown,related-to,3 +494,,T1584.003,Compromise Infrastructure: Virtual Private Server,[],[],,value_chain.distribution.variety.Compromised server,related-to,3 +495,,T1584.003,Compromise Infrastructure: Virtual Private Server,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +496,,T1584.004,Compromise Infrastructure: Server,[],[],,action.hacking.variety.Unknown,related-to,3 +497,,T1584.004,Compromise Infrastructure: Server,[],[],,value_chain.distribution.variety.Compromised server,related-to,3 +498,,T1584.004,Compromise Infrastructure: Server,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +499,,T1584.006,Compromise Infrastructure: Web Services,[],[],,action.hacking.variety.Unknown,related-to,3 +500,,T1584.006,Compromise Infrastructure: Web Services,[],[],,value_chain.distribution.variety.Other,related-to,3 +501,,T1584.006,Compromise Infrastructure: Web 
Services,[],[],,value_chain.non-distribution services.variety.Other,related-to,3 +502,,T1587,Develop Capabilities,[],[],,action.hacking.variety.Unknown,related-to,3 +503,,T1587,Develop Capabilities,[],[],,value_chain.development.variety.Unknown,related-to,3 +504,,T1587.001,Develop Capabilities: Malware,[],[],,action.hacking.variety.Unknown,related-to,3 +505,,T1587.001,Develop Capabilities: Malware,[],[],,action.malware.variety.Unknown,related-to,3 +506,,T1587.001,Develop Capabilities: Malware,[],[],,value_chain.development.variety.Bot,related-to,3 +507,,T1587.001,Develop Capabilities: Malware,[],[],,value_chain.development.variety.Payload,related-to,3 +508,,T1587.001,Develop Capabilities: Malware,[],[],,value_chain.development.variety.Ransomware,related-to,3 +509,,T1587.001,Develop Capabilities: Malware,[],[],,value_chain.development.variety.Trojan,related-to,3 +510,,T1587.002,Develop Capabilities: Code Signing Certificates,[],[],,action.hacking.variety.Unknown,related-to,3 +511,,T1587.002,Develop Capabilities: Code Signing Certificates,[],[],,value_chain.development.variety.Other,related-to,3 +512,,T1587.003,Develop Capabilities: Digital Certificates,[],[],,action.hacking.variety.Unknown,related-to,3 +513,,T1587.003,Develop Capabilities: Digital Certificates,[],[],,value_chain.development.variety.Other,related-to,3 +514,,T1587.004,Develop Capabilities: Exploits,[],[],,action.hacking.variety.Unknown,related-to,3 +515,,T1587.004,Develop Capabilities: Exploits,[],[],,action.malware.variety.Unknown,related-to,3 +516,,T1587.004,Develop Capabilities: Exploits,[],[],,value_chain.development.variety.Exploit,related-to,3 +517,,T1587.004,Develop Capabilities: Exploits,[],[],,value_chain.development.variety.Exploit Kits,related-to,3 +518,,T1588,Obtain Capabilities,[],[],,action.hacking.variety.Unknown,related-to,3 +519,,T1588,Obtain Capabilities,[],[],,value_chain.development.variety.Unknown,related-to,3 +520,,T1588.001,Obtain Capabilities: 
Malware,[],[],,action.hacking.variety.Unknown,related-to,3 +521,,T1588.001,Obtain Capabilities: Malware,[],[],,action.malware.variety.Unknown,related-to,3 +522,,T1588.001,Obtain Capabilities: Malware,[],[],,value_chain.development.variety.Bot,related-to,3 +523,,T1588.001,Obtain Capabilities: Malware,[],[],,value_chain.development.variety.Payload,related-to,3 +524,,T1588.001,Obtain Capabilities: Malware,[],[],,value_chain.development.variety.Ransomware,related-to,3 +525,,T1588.001,Obtain Capabilities: Malware,[],[],,value_chain.development.variety.Trojan,related-to,3 +526,,T1588.002,Obtain Capabilities: Tool,[],[],,action.hacking.variety.Unknown,related-to,3 +527,,T1588.003,Obtain Capabilities: Code Signing Certificates,[],[],,action.hacking.variety.Unknown,related-to,3 +528,,T1588.003,Obtain Capabilities: Code Signing Certificates,[],[],,value_chain.development.variety.Other,related-to,3 +529,,T1588.004,Obtain Capabilities: Digital Certificates,[],[],,action.hacking.variety.Unknown,related-to,3 +530,,T1588.004,Obtain Capabilities: Digital Certificates,[],[],,value_chain.development.variety.Other,related-to,3 +531,,T1588.005,Obtain Capabilities: Exploits,[],[],,action.hacking.variety.Unknown,related-to,3 +532,,T1588.005,Obtain Capabilities: Exploits,[],[],,action.malware.variety.Unknown,related-to,3 +533,,T1588.005,Obtain Capabilities: Exploits,[],[],,value_chain.development.variety.Exploit,related-to,3 +534,,T1588.005,Obtain Capabilities: Exploits,[],[],,value_chain.development.variety.Exploit Kits,related-to,3 +535,,T1588.006,Obtain Capabilities: Vulnerabilities,[],[],,action.hacking.variety.Unknown,related-to,3 +536,,T1588.006,Obtain Capabilities: Vulnerabilities,[],[],,action.malware.variety.Unknown,related-to,3 +537,,T1599,Network Boundry Bridging,[],[],,action.hacking.variety.Unknown,related-to,3 +538,,T1599.001,Network Boundry Bridging: Network Address Translation Traversal,[],[],,action.hacking.variety.Unknown,related-to,3 +539,,T1606,Forge Web 
Credentials,[],[],,action.hacking.variety.Unknown,related-to,3 +540,,T1606.001,Forge Web Credentials: Web Cookies,[],[],,action.hacking.variety.Unknown,related-to,3 +541,,T1606.002,Forge Web Credentials: SAML Tokens,[],[],,action.hacking.variety.Unknown,related-to,3 +542,,T1531,Account Access Removal,[],[],,action.hacking.variety.Unknown,related-to,3 +543,,T1531,Account Access Removal,[],[],,attribute.integrity.variety.Unknown,related-to,3 +544,,T1037,Boot or Logon Initialization Script,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +545,,T1037,Boot or Logon Initialization Script,[],[],,action.malware.variety.Backdoor,related-to,3 +546,,T1037,Boot or Logon Initialization Script,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +547,,T1098,Account Manipulation,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +548,,T1098,Account Manipulation,[],[],,action.malware.variety.Backdoor,related-to,3 +549,,T1098,Account Manipulation,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +550,,T1136,Create Account,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +551,,T1136,Create Account,[],[],,action.malware.variety.Modify data,related-to,3 +552,,T1136,Create Account,[],[],,attribute.integrity.variety.Created account,related-to,3 +553,,T1197,BITS Jobs,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +554,,T1197,BITS Jobs,[],[],,action.malware.variety.Export data,related-to,3 +555,,T1542,Pre-OS Boot,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +556,,T1542,Pre-OS Boot,[],[],,action.malware.variety.Rootkit,related-to,3 +557,,T1554,Compromise Client Software Binary,[],[],,action.hacking.vector.Backdoor or C2,related-to,3 +558,,T1554,Compromise Client Software Binary,[],[],,action.malware.variety.Adminware,related-to,3 +559,,T1554,Compromise Client Software Binary,[],[],,action.malware.variety.Backdoor,related-to,3 +560,,T1554,Compromise Client Software 
Binary,[],[],,action.malware.variety.Trojan,related-to,3 +561,,T1219,Remote Access Software,[],[],,action.hacking.vector.Desktop sharing software,related-to,3 +562,,T1219,Remote Access Software,[],[],,action.malware.variety.Adminware,related-to,3 +563,,T1497,Virtualization/Sandbox Evasion,[],[],,action.hacking.vector.Hypervisor,related-to,3 +564,,T1497,Virtualization/Sandbox Evasion,[],[],,action.hacking.vector.Inter-tenant,related-to,3 +565,,T1497,Virtualization/Sandbox Evasion,[],[],,action.malware.variety.Disable controls,related-to,3 +566,,T1199,Trusted Relationship,[],[],,action.hacking.vector.Partner,related-to,3 +567,,T1199,Trusted Relationship,[],[],,action.malware.variety.Adware,related-to,3 +568,,T1195,Supply Chain Compromise,[],[],,action.hacking.vector.Partner,related-to,3 +569,,T1195,Supply Chain Compromise,[],[],,action.malware.vector.Software update,related-to,3 +570,,T1195.001,Supply Chain Compromise: Compromise Software Dependencies and Development Tools,[],[],,action.hacking.vector.Partner,related-to,3 +571,,T1195.002,Supply Chain Compromise: Compromise Software Supply Chain,[],[],,action.hacking.vector.Partner,related-to,3 +572,,T1195.003,Supply Chain Compromise: Compromise Hardware Supply Chain,[],[],,action.hacking.vector.Partner,related-to,3 +573,,T1200,Hardware Additions,[],[],,action.hacking.vector.Physical access,related-to,3 +574,,T1205.001,Traffic Signaling: Port Knocking,[],[],,action.malware.variety.Backdoor,related-to,3 +575,,T1205.001,Traffic Signaling: Port Knocking,[],[],,action.malware.variety.C2,related-to,3 +576,,T1001.001,Data Obfuscation: Junk Data,[],[],,action.malware.variety.C2,related-to,3 +577,,T1001.001,Data Obfuscation: Junk Data,[],[],,action.malware.variety.Unknown,related-to,3 +578,,T1071.001,Application Layer Protocol: Web Protocols,[],[],,action.malware.variety.C2,related-to,3 +579,,T1071.001,Application Layer Protocol: Web Protocols,[],[],,action.malware.variety.Unknown,related-to,3 +580,,T1071.002,Application 
Layer Protocol: File Transfer Protocol,[],[],,action.malware.variety.C2,related-to,3 +581,,T1071.002,Application Layer Protocol: File Transfer Protocol,[],[],,action.malware.variety.Unknown,related-to,3 +582,,T1071.003,Application Layer Protocol: Mail Protocols,[],[],,action.malware.variety.C2,related-to,3 +583,,T1071.003,Application Layer Protocol: Mail Protocols,[],[],,action.malware.variety.Unknown,related-to,3 +584,,T1071.004,Application Layer Protocol: DNS,[],[],,action.malware.variety.C2,related-to,3 +585,,T1071.004,Application Layer Protocol: DNS,[],[],,action.malware.variety.Unknown,related-to,3 +586,,T1090.001,Proxy: Internal Proxy,[],[],,action.malware.variety.C2,related-to,3 +587,,T1090.002,Proxy: External Proxy,[],[],,action.malware.variety.C2,related-to,3 +588,,T1090.003,Proxy: Multi-hop Proxy,[],[],,action.malware.variety.C2,related-to,3 +589,,T1090.004,Proxy: Domain Fronting,[],[],,action.malware.variety.C2,related-to,3 +590,,T1102.001,Web Service: Dead Drop Resolver,[],[],,action.malware.variety.C2,related-to,3 +591,,T1102.002,Web Service: Bidirectional Communication,[],[],,action.malware.variety.C2,related-to,3 +592,,T1102.003,Web Service: One-Way Communication,[],[],,action.malware.variety.C2,related-to,3 +593,,T1132.001,Data Encoding: Standard Encoding,[],[],,action.malware.variety.C2,related-to,3 +594,,T1132.002,Data Encoding: Non-Standard Encoding,[],[],,action.malware.variety.C2,related-to,3 +595,,T1568.001,Dynamic Resolution: Fast Flux DNS,[],[],,action.malware.variety.C2,related-to,3 +596,,T1568.002,Dynamic Resolution: Domain Generation Algorithms,[],[],,action.malware.variety.C2,related-to,3 +597,,T1568.003,Dynamic Resolution: DNS Calculation,[],[],,action.malware.variety.C2,related-to,3 +598,,T1056,Input Capture,[],[],,action.malware.variety.Capture app data,related-to,3 +599,,T1056.001,Input Capture: Keylogging,[],[],,action.malware.variety.Capture app data,related-to,3 +600,,T1056.002,Input Capture: GUI Input 
Capture,[],[],,action.malware.variety.Capture app data,related-to,3 +601,,T1056.003,Input Capture: Web Portal Capture,[],[],,action.malware.variety.Capture app data,related-to,3 +602,,T1056.004,Input Capture: Credential API Hooking,[],[],,action.malware.variety.Capture app data,related-to,3 +603,,T1056.004,Input Capture: Credential API Hooking,[],[],,action.malware.variety.Password dumper,related-to,3 +604,,T1056.004,Input Capture: Credential API Hooking,[],[],,action.malware.variety.Spyware/Keylogger,related-to,3 +605,,T1113,Screen Capture,[],[],,action.malware.variety.Capture app data,related-to,3 +606,,T1114,Email Collection,[],[],,action.malware.variety.Capture app data,related-to,3 +607,,T1114.001,Email Collection: Local Email Collection,[],[],,action.malware.variety.Capture app data,related-to,3 +608,,T1114.002,Email Collection: Remote Email Collection,[],[],,action.malware.variety.Capture app data,related-to,3 +609,,T1114.003,Email Collection: Email Forwarding Rule,[],[],,action.malware.variety.Capture app data,related-to,3 +610,,T1114.003,Email Collection: Email Forwarding Rule,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +611,,T1123,Audio Capture,[],[],,action.malware.variety.Capture app data,related-to,3 +612,,T1125,Video Capture,[],[],,action.malware.variety.Capture app data,related-to,3 +613,,T1176,Browser Extensions,[],[],,action.malware.variety.Capture app data,related-to,3 +614,,T1176,Browser Extensions,[],[],,action.malware.vector.Web application - drive-by,related-to,3 +615,,T1207,Rogue Domain Controller,[],[],,action.malware.variety.Capture app data,related-to,3 +616,,T1217,Browser Bookmark Discovery,[],[],,action.malware.variety.Capture app data,related-to,3 +617,,T1528,Steal Application Access Token,[],[],,action.malware.variety.Capture app data,related-to,3 +618,,T1003.002,OS Credential Dumping: Security Account Manager,[],[],,action.malware.variety.Capture stored data,related-to,3 +619,,T1003.002,OS Credential Dumping: 
Security Account Manager,[],[],,action.malware.variety.Password dumper,related-to,3 +620,,T1003.002,OS Credential Dumping: Security Account Manager,[],[],,action.malware.variety.RAM scraper,related-to,3 +621,,T1003.003,OS Credential Dumping: NTDS,[],[],,action.malware.variety.Capture stored data,related-to,3 +622,,T1003.003,OS Credential Dumping: NTDS,[],[],,action.malware.variety.Password dumper,related-to,3 +623,,T1003.006,OS Credential Dumping: DCSync,[],[],,action.malware.variety.Capture stored data,related-to,3 +624,,T1003.006,OS Credential Dumping: DCSync,[],[],,action.malware.variety.Export data,related-to,3 +625,,T1003.006,OS Credential Dumping: DCSync,[],[],,action.malware.variety.Password dumper,related-to,3 +626,,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,[],[],,action.malware.variety.Capture stored data,related-to,3 +627,,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,[],[],,action.malware.variety.Password dumper,related-to,3 +628,,T1005,Data from Local System,[],[],,action.malware.variety.Capture stored data,related-to,3 +629,,T1025,Data from Removable Media,[],[],,action.malware.variety.Capture stored data,related-to,3 +630,,T1033,System Owner/User Discovery,[],[],,action.malware.variety.Capture stored data,related-to,3 +631,,T1039,Data from Network Shared Drive,[],[],,action.malware.variety.Capture stored data,related-to,3 +632,,T1083,File and Directory Discovery,[],[],,action.malware.variety.Capture stored data,related-to,3 +633,,T1213.001,Data from Information Repositories: Confluence,[],[],,action.malware.variety.Capture stored data,related-to,3 +634,,T1213.002,Data from Information Repositories: Sharepoint,[],[],,action.malware.variety.Capture stored data,related-to,3 +635,,T1530,Data from Cloud Storage Object,[],[],,action.malware.variety.Capture stored data,related-to,3 +636,,T1496,Resource Hijacking,[],[],,action.malware.variety.Click fraud,related-to,3 +637,,T1496,Resource 
Hijacking,[],[],,action.malware.variety.Click fraud and cryptocurrency mining,related-to,3 +638,,T1496,Resource Hijacking,[],[],,action.malware.variety.Cryptocurrency mining,related-to,3 +639,,T1221,Template Injection,[],[],,action.malware.variety.Client-side attack,related-to,3 +640,,T1070,Indicator Removal on Host,[],[],,action.malware.variety.Destroy data,related-to,3 +641,,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,[],[],,action.malware.variety.Destroy data,related-to,3 +642,,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,[],[],,attribute.integrity.variety.Log tampering,related-to,3 +643,,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,[],[],,action.malware.variety.Destroy data,related-to,3 +644,,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,[],[],,attribute.integrity.variety.Log tampering,related-to,3 +645,,T1070.003,Indicator Removal on Host: Clear Command History,[],[],,action.malware.variety.Destroy data,related-to,3 +646,,T1070.004,Indicator Removal on Host: File Deletion,[],[],,action.malware.variety.Destroy data,related-to,3 +647,,T1070.005,Indicator Removal on Host: Network Share Connection Removal,[],[],,action.malware.variety.Destroy data,related-to,3 +648,,T1070.006,Indicator Removal on Host: Timestomp,[],[],,action.malware.variety.Destroy data,related-to,3 +649,,T1485,Data Destruction,[],[],,action.malware.variety.Destroy data,related-to,3 +650,,T1495,Firmware Corruption,[],[],,action.malware.variety.Destroy data,related-to,3 +651,,T1561,Disk Wipe,[],[],,action.malware.variety.Destroy data,related-to,3 +652,,T1561.001,Disk Wipe: Disk Content Wipe,[],[],,action.malware.variety.Destroy data,related-to,3 +653,,T1561.002,Disk Wipe: Disk Structure Wipe,[],[],,action.malware.variety.Destroy data,related-to,3 +654,,T1006,Direct Volume Access,[],[],,action.malware.variety.Disable controls,related-to,3 +655,,T1027,Obfuscated Files or Information,[],[],,action.malware.variety.Disable 
controls,related-to,3 +656,,T1027.001,Obfuscated Files or Information: Binary Padding,[],[],,action.malware.variety.Disable controls,related-to,3 +657,,T1027.002,Obfuscated Files or Information: Software Packaging,[],[],,action.malware.variety.Disable controls,related-to,3 +658,,T1027.003,Obfuscated Files or Information: Steganography,[],[],,action.malware.variety.Disable controls,related-to,3 +659,,T1027.004,Obfuscated Files or Information: Compile After Dilevery,[],[],,action.malware.variety.Disable controls,related-to,3 +660,,T1027.005,Obfuscated Files or Information: Indicator Removal from Tools,[],[],,action.malware.variety.Disable controls,related-to,3 +661,,T1036,Masquerading,[],[],,action.malware.variety.Disable controls,related-to,3 +662,,T1036,Masquerading,[],[],,action.malware.vector.Email attachment,related-to,3 +663,,T1036.001,Masquerading: Invalid Code Signature,[],[],,action.malware.variety.Disable controls,related-to,3 +664,,T1036.002,Masquerading: Right-to-Left Override,[],[],,action.malware.variety.Disable controls,related-to,3 +665,,T1036.002,Masquerading: Right-to-Left Override,[],[],,action.social.variety.Forgery,related-to,3 +666,,T1036.002,Masquerading: Right-to-Left Override,[],[],,action.social.variety.Phishing,related-to,3 +667,,T1036.003,Masquerading: Rename System Utilities,[],[],,action.malware.variety.Disable controls,related-to,3 +668,,T1036.003,Masquerading: Rename System Utilities,[],[],,action.malware.variety.Rootkit,related-to,3 +669,,T1036.004,Masquerading: Masquerade Task or Service,[],[],,action.malware.variety.Disable controls,related-to,3 +670,,T1036.005,Masquerading: Match Legitimate Name or Location,[],[],,action.malware.variety.Disable controls,related-to,3 +671,,T1036.006,Masquerading: Space after Filename,[],[],,action.malware.variety.Disable controls,related-to,3 +672,,T1222,File and Directory Permissions Modification,[],[],,action.malware.variety.Disable controls,related-to,3 +673,,T1222.001,File and Directory 
Permissions Modification: Windows File and Directory Permissions Modification,[],[],,action.malware.variety.Disable controls,related-to,3 +674,,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,[],[],,action.malware.variety.Disable controls,related-to,3 +675,,T1490,Inhibit System Recovery,[],[],,action.malware.variety.Disable controls,related-to,3 +676,,T1490,Inhibit System Recovery,[],[],,action.malware.variety.Ransomware,related-to,3 +677,,T1497.001,Virtualization/Sandbox Evasion: System Checks,[],[],,action.malware.variety.Disable controls,related-to,3 +678,,T1497.002,Virtualization/Sandbox Evasion: User Activity Based Checks,[],[],,action.malware.variety.Disable controls,related-to,3 +679,,T1497.003,Virtualization/Sandbox Evasion: Time Based Evasion,[],[],,action.malware.variety.Disable controls,related-to,3 +680,,T1553,Subvert Trust Contols,[],[],,action.malware.variety.Disable controls,related-to,3 +681,,T1553.001,Subvert Trust Contols: Gatekeeper Bypass,[],[],,action.malware.variety.Disable controls,related-to,3 +682,,T1553.002,Subvert Trust Contols: Code Signing,[],[],,action.malware.variety.Disable controls,related-to,3 +683,,T1553.003,Subvert Trust Contols: SIP and Trust Provider Hijacking,[],[],,action.malware.variety.Disable controls,related-to,3 +684,,T1553.004,Subvert Trust Contols: Install Root Certificate,[],[],,action.malware.variety.Disable controls,related-to,3 +685,,T1553.005,Subvert Trust Contols: Mark-of-the-Web Bypass,[],[],,action.malware.variety.Disable controls,related-to,3 +686,,T1553.006,Subvert Trust Contols: Code Signing Policy Modification,[],[],,action.malware.variety.Disable controls,related-to,3 +687,,T1562,Impair Defenses,[],[],,action.malware.variety.Disable controls,related-to,3 +688,,T1562,Impair Defenses,[],[],,action.malware.variety.Modify data,related-to,3 +689,,T1562.001,Impair Defenses: Disable or Modify Tools,[],[],,action.malware.variety.Disable 
controls,related-to,3 +690,,T1562.002,Impair Defenses: Disable Windows Event Logging,[],[],,action.malware.variety.Disable controls,related-to,3 +691,,T1562.003,Impair Defenses: Impair Command History Logging,[],[],,action.malware.variety.Disable controls,related-to,3 +692,,T1562.004,Impair Defenses: Disable or Modify System Firewall,[],[],,action.malware.variety.Disable controls,related-to,3 +693,,T1562.006,Impair Defenses: Indicator Blocking,[],[],,action.malware.variety.Disable controls,related-to,3 +694,,T1562.007,Impair Defenses: Disable or Modify Cloud Firewall,[],[],,action.malware.variety.Disable controls,related-to,3 +695,,T1562.008,Impair Defenses: Disable Cloud Logs,[],[],,action.malware.variety.Disable controls,related-to,3 +696,,T1574.012,Hijack Execution Flow: COR_PROFILER,[],[],,action.malware.variety.Disable controls,related-to,3 +697,,T1600.001,Weaken Encryption: Reduce Key Space,[],[],,action.malware.variety.Disable controls,related-to,3 +698,,T1600.002,Weaken Encryption: Disable Crypto Hardware,[],[],,action.malware.variety.Disable controls,related-to,3 +699,,T1601,Modify System Image,[],[],,action.malware.variety.Disable controls,related-to,3 +700,,T1601.001,Modify System Image: Patch System Image,[],[],,action.malware.variety.Disable controls,related-to,3 +701,,T1601.002,Modify System Image: Downgrade System Image,[],[],,action.malware.variety.Disable controls,related-to,3 +702,,T1489,Service Stop,[],[],,action.malware.variety.DoS,related-to,3 +703,,T1211,Exploitation for Defense Evasion,[],[],,action.malware.variety.Exploit vuln,related-to,3 +704,,T1011,Exfiltration Over Other Network Medium,[],[],,action.malware.variety.Export data,related-to,3 +705,,T1011.001,Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth,[],[],,action.malware.variety.Export data,related-to,3 +706,,T1020,Automated Exfiltration,[],[],,action.malware.variety.Export data,related-to,3 +707,,T1020.001,Automated Exfiltration: Traffic 
Duplication,[],[],,action.malware.variety.Export data,related-to,3 +708,,T1029,Scheduled Transfer,[],[],,action.malware.variety.Export data,related-to,3 +709,,T1030,Data Transfer Size Limits,[],[],,action.malware.variety.Export data,related-to,3 +710,,T1041,Exfiltration Over C2 Channels,[],[],,action.malware.variety.Export data,related-to,3 +711,,T1048,Exfiltration Over Alternative Protocol,[],[],,action.malware.variety.Export data,related-to,3 +712,,T1048.001,Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,action.malware.variety.Export data,related-to,3 +713,,T1048.002,Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,action.malware.variety.Export data,related-to,3 +714,,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protcol,[],[],,action.malware.variety.Export data,related-to,3 +715,,T1052,Exfiltration Over Physical Medium,[],[],,action.malware.variety.Export data,related-to,3 +716,,T1052.001,Exfiltration Over Physical Medium: Exfiltration over USB,[],[],,action.malware.variety.Export data,related-to,3 +717,,T1074,Data Staged,[],[],,action.malware.variety.Export data,related-to,3 +718,,T1074.001,Data Staged: Local Data Staging,[],[],,action.malware.variety.Export data,related-to,3 +719,,T1074.002,Data Staged: Remote Data Staging,[],[],,action.malware.variety.Export data,related-to,3 +720,,T1537,Transfer Data to Cloud Account,[],[],,action.malware.variety.Export data,related-to,3 +721,,T1560,Archive Collected Data,[],[],,action.malware.variety.Export data,related-to,3 +722,,T1560.001,Archive Collected Data: Archive via Utility,[],[],,action.malware.variety.Export data,related-to,3 +723,,T1560.002,Archive Collected Data: Archive via Library,[],[],,action.malware.variety.Export data,related-to,3 +724,,T1560.003,Archive Collected Data: Archive via Custom Method,[],[],,action.malware.variety.Export 
data,related-to,3 +725,,T1567,Exfiltration Over Web Service,[],[],,action.malware.variety.Export data,related-to,3 +726,,T1567.001,Exfiltration Over Web Service: Exfiltration to Code Repository,[],[],,action.malware.variety.Export data,related-to,3 +727,,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,[],[],,action.malware.variety.Export data,related-to,3 +728,,T1003.007,OS Credential Dumping: Proc Filesystem,[],[],,action.malware.variety.In-memory,related-to,3 +729,,T1003.007,OS Credential Dumping: Proc Filesystem,[],[],,action.malware.variety.Password dumper,related-to,3 +730,,T1055,Process Injection,[],[],,action.malware.variety.In-memory,related-to,3 +731,,T1055.001,Process Injection: Dynamic-link Library Injection,[],[],,action.malware.variety.In-memory,related-to,3 +732,,T1055.002,Process Injection: Portable Executable Injection,[],[],,action.malware.variety.In-memory,related-to,3 +733,,T1055.003,Process Injection: Thread Execution Hijacking,[],[],,action.malware.variety.In-memory,related-to,3 +734,,T1055.004,Process Injection: Asynchronous Procedure Call,[],[],,action.malware.variety.In-memory,related-to,3 +735,,T1055.005,Process Injection: Thread Local Storage,[],[],,action.malware.variety.In-memory,related-to,3 +736,,T1055.008,Process Injection: Ptrace System Calls,[],[],,action.malware.variety.In-memory,related-to,3 +737,,T1055.009,Process Injection: Proc Memory,[],[],,action.malware.variety.In-memory,related-to,3 +738,,T1055.011,Process Injection: Extra Window Memory Injection,[],[],,action.malware.variety.In-memory,related-to,3 +739,,T1055.012,Process Injection: Process Hollowing,[],[],,action.malware.variety.In-memory,related-to,3 +740,,T1055.013,Process Injection: Process Doppelganging,[],[],,action.malware.variety.In-memory,related-to,3 +741,,T1055.014,Process Injection: VDSO Hijacking,[],[],,action.malware.variety.In-memory,related-to,3 +742,,T1115,Clipboard Data,[],[],,action.malware.variety.In-memory,related-to,3 
+743,,T1040,Network Sniffing,[],[],,action.malware.variety.Packet sniffer,related-to,3 +744,,T1040,Network Sniffing,[],[],,action.malware.variety.Scan network,related-to,3 +745,,T1003,OS Credential Dumping,[],[],,action.malware.variety.Password dumper,related-to,3 +746,,T1003.001,OS Credential Dumping: LSASS Memory,[],[],,action.malware.variety.Password dumper,related-to,3 +747,,T1003.001,OS Credential Dumping: LSASS Memory,[],[],,action.malware.variety.RAM scraper,related-to,3 +748,,T1003.004,OS Credential Dumping: LSA Secrets,[],[],,action.malware.variety.Password dumper,related-to,3 +749,,T1003.004,OS Credential Dumping: LSA Secrets,[],[],,action.malware.variety.RAM scraper,related-to,3 +750,,T1003.005,OS Credential Dumping: Cached Domain Credentials,[],[],,action.malware.variety.Password dumper,related-to,3 +751,,T1003.005,OS Credential Dumping: Cached Domain Credentials,[],[],,action.malware.variety.RAM scraper,related-to,3 +752,,T1003.005,OS Credential Dumping: Cached Domain Credentials,[],[],,action.malware.vector.Email link,related-to,3 +753,,T1552.001,Unsecured Credentials: Credentials in Files,[],[],,action.malware.variety.Password dumper,related-to,3 +754,,T1552.002,Unsecured Credentials: Credentials in Registry,[],[],,action.malware.variety.Password dumper,related-to,3 +755,,T1552.003,Unsecured Credentials: Bash History,[],[],,action.malware.variety.Password dumper,related-to,3 +756,,T1552.004,Unsecured Credentials: Private Keys,[],[],,action.malware.variety.Password dumper,related-to,3 +757,,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,[],[],,action.malware.variety.Password dumper,related-to,3 +758,,T1552.006,Unsecured Credentials: Group Policy Preferences,[],[],,action.malware.variety.Password dumper,related-to,3 +759,,T1555,Credentials from Password Stores,[],[],,action.malware.variety.Password dumper,related-to,3 +760,,T1555.001,Credentials from Password Stores: Keychain,[],[],,action.malware.variety.Password dumper,related-to,3 
+761,,T1555.002,Credentials from Password Stores: Securityd Memory,[],[],,action.malware.variety.Password dumper,related-to,3 +762,,T1555.002,Credentials from Password Stores: Securityd Memory,[],[],,action.malware.variety.RAM scraper,related-to,3 +763,,T1555.003,Credentials from Password Stores: Credentials from Web Browser,[],[],,action.malware.variety.Password dumper,related-to,3 +764,,T1555.004,Credentials from Password Stores: Windows Credential Manager,[],[],,action.malware.variety.Password dumper,related-to,3 +765,,T1555.005,Credentials from Password Stores: Password Managers,[],[],,action.malware.variety.Password dumper,related-to,3 +766,,T1486,Data Encrypted for Impact,[],[],,action.malware.variety.Ransomware,related-to,3 +767,,T1014,Rootkit,[],[],,action.malware.variety.Rootkit,related-to,3 +768,,T1542.001,Pre-OS Boot: System Firmware,[],[],,action.malware.variety.Rootkit,related-to,3 +769,,T1542.002,Pre-OS Boot: Component Firmware,[],[],,action.malware.variety.Rootkit,related-to,3 +770,,T1542.003,Pre-OS Boot: Bootkit,[],[],,action.malware.variety.Rootkit,related-to,3 +771,,T1542.004,Pre-OS Boot: ROMMONkit,[],[],,action.malware.variety.Rootkit,related-to,3 +772,,T1542.005,Pre-OS Boot: TFTP Boot,[],[],,action.malware.variety.Rootkit,related-to,3 +773,,T1016,System Network Configuration Discovery,[],[],,action.malware.variety.Scan network,related-to,3 +774,,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,[],[],,action.malware.variety.Scan network,related-to,3 +775,,T1018,Remote System Discovery,[],[],,action.malware.variety.Scan network,related-to,3 +776,,T1046,Network Service Scanning,[],[],,action.malware.variety.Scan network,related-to,3 +777,,T1049,System Network Connections Discovery,[],[],,action.malware.variety.Scan network,related-to,3 +778,,T1135,Network Share Discovery,[],[],,action.malware.variety.Scan network,related-to,3 +779,,T1482,Domain Trust Discovery,[],[],,action.malware.variety.Scan network,related-to,3 
+780,,T1595,Active Scanning,[],[],,action.malware.variety.Scan network,related-to,3 +781,,T1595,Active Scanning,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +782,,T1595.001,Active Scanning: Scanning IP Blocks,[],[],,action.malware.variety.Scan network,related-to,3 +783,,T1595.001,Active Scanning: Scanning IP Blocks,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +784,,T1204.003,User Execution: Malicious Image,[],[],,action.malware.variety.Trojan,related-to,3 +785,,T1204.003,User Execution: Malicious Image,[],[],,action.malware.variety.Unknown,related-to,3 +786,,T1204.003,User Execution: Malicious Image,[],[],,action.social.variety.Phishing,related-to,3 +787,,T1204.003,User Execution: Malicious Image,[],[],,action.social.variety.Pretexting,related-to,3 +788,,T1080,Taint Shared Content,[],[],,action.malware.variety.Unknown,related-to,3 +789,,T1080,Taint Shared Content,[],[],,action.malware.variety.Worm,related-to,3 +790,,T1091,Replication Through Removable Media,[],[],,action.malware.variety.Worm,related-to,3 +791,,T1091,Replication Through Removable Media,[],[],,action.malware.vector.Removable media,related-to,3 +792,,T1001.002,Data Obfuscation: Steganography,[],[],,action.malware.variety.Unknown,related-to,3 +793,,T1001.003,Data Obfuscation: Protocol Impersonation,[],[],,action.malware.variety.Unknown,related-to,3 +794,,T1140,Deobfuscate/Decode Files or Information,[],[],,action.malware.variety.Unknown,related-to,3 +795,,T1204,User Execution,[],[],,action.malware.variety.Unknown,related-to,3 +796,,T1204,User Execution,[],[],,action.social.variety.Phishing,related-to,3 +797,,T1204.001,User Execution: Malicious Link,[],[],,action.malware.variety.Unknown,related-to,3 +798,,T1204.001,User Execution: Malicious Link,[],[],,action.malware.vector.Email link,related-to,3 +799,,T1204.001,User Execution: Malicious Link,[],[],,action.social.variety.Phishing,related-to,3 +800,,T1204.002,User Execution: Malicious 
File,[],[],,action.malware.variety.Unknown,related-to,3 +801,,T1204.002,User Execution: Malicious File,[],[],,action.malware.vector.Email attachment,related-to,3 +802,,T1204.002,User Execution: Malicious File,[],[],,action.social.variety.Phishing,related-to,3 +803,,T1608,Stage Capabilities,[],[],,action.malware.variety.Unknown,related-to,3 +804,,T1608,Stage Capabilities,[],[],,value_chain.distribution.variety.Unknown,related-to,3 +805,,T1608.001,Stage Capabilities: Upload Malware,[],[],,action.malware.variety.Unknown,related-to,3 +806,,T1608.001,Stage Capabilities: Upload Malware,[],[],,value_chain.distribution.variety.Website,related-to,3 +807,,T1608.002,Stage Capabilities: Upload Tools,[],[],,action.malware.variety.Unknown,related-to,3 +808,,T1608.002,Stage Capabilities: Upload Tools,[],[],,value_chain.distribution.variety.Website,related-to,3 +809,,T1608.003,Stage Capabilities: Install Digital Certificate,[],[],,action.malware.variety.Unknown,related-to,3 +810,,T1608.003,Stage Capabilities: Install Digital Certificate,[],[],,value_chain.distribution.variety.Other,related-to,3 +811,,T1608.004,Stage Capabilities: Drive-by Target,[],[],,action.malware.variety.Unknown,related-to,3 +812,,T1608.004,Stage Capabilities: Drive-by Target,[],[],,value_chain.distribution.variety.Website,related-to,3 +813,,T1608.005,Stage Capabilities: Link Target,[],[],,action.malware.variety.Unknown,related-to,3 +814,,T1610,Deploy Container,[],[],,action.malware.variety.Unknown,related-to,3 +815,,T1612,Build Image on Host,[],[],,action.malware.variety.Unknown,related-to,3 +816,,T1566.001,Phishing: Spearphishing Attachment,[],[],,action.malware.vector.Email attachment,related-to,3 +817,,T1566.001,Phishing: Spearphishing Attachment,[],[],,action.social.variety.Phishing,related-to,3 +818,,T1566.001,Phishing: Spearphishing Attachment,[],[],,action.social.vector.Email,related-to,3 +819,,T1598.002,Phishing for Information: Spearphishing Attachment,[],[],,action.malware.vector.Email 
attachment,related-to,3 +820,,T1598.002,Phishing for Information: Spearphishing Attachment,[],[],,action.social.variety.Phishing,related-to,3 +821,,T1598.002,Phishing for Information: Spearphishing Attachment,[],[],,action.social.variety.Pretexting,related-to,3 +822,,T1598.002,Phishing for Information: Spearphishing Attachment,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +823,,T1556.002,Phishing: Spearphishing Link,[],[],,action.malware.vector.Email link,related-to,3 +824,,T1556.002,Phishing: Spearphishing Link,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +825,,T1556.002,Phishing: Spearphishing Link,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +826,,T1598.003,Phishing for Information: Spearphishing Link,[],[],,action.malware.vector.Email link,related-to,3 +827,,T1598.003,Phishing for Information: Spearphishing Link,[],[],,action.social.variety.Phishing,related-to,3 +828,,T1598.003,Phishing for Information: Spearphishing Link,[],[],,action.social.variety.Pretexting,related-to,3 +829,,T1598.003,Phishing for Information: Spearphishing Link,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +830,,T1566,Phishing,[],[],,action.malware.vector.Instant messaging,related-to,3 +831,,T1566,Phishing,[],[],,action.social.variety.Phishing,related-to,3 +832,,T1570,Lateral Tool Transfer,[],[],,action.malware.vector.Network propagation,related-to,3 +833,,T1092,Communication Through Removable Media,[],[],,action.malware.vector.Removable media,related-to,3 +834,,T1189,Drive-by Compromise,[],[],,action.malware.vector.Web application - drive-by,related-to,3 +835,,T1566.002,Phishing: Spearphishing Link,[],[],,action.social.variety.Phishing,related-to,3 +836,,T1566.002,Phishing: Spearphishing Link,[],[],,action.social.vector.Email,related-to,3 +837,,T1566.003,Phishing: Spearphishing via Service,[],[],,action.social.variety.Phishing,related-to,3 +838,,T1566.003,Phishing: Spearphishing via 
Service,[],[],,action.social.vector.Email,related-to,3 +839,,T1598,Phishing for Information,[],[],,action.social.variety.Phishing,related-to,3 +840,,T1598,Phishing for Information,[],[],,action.social.variety.Pretexting,related-to,3 +841,,T1598,Phishing for Information,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +842,,T1598.001,Phishing for Information: Spearphishing Service,[],[],,action.social.variety.Phishing,related-to,3 +843,,T1598.001,Phishing for Information: Spearphishing Service,[],[],,action.social.variety.Pretexting,related-to,3 +844,,T1598.001,Phishing for Information: Spearphishing Service,[],[],,value_chain.targeting.variety.Organizational Information,related-to,3 +845,,T1534,Internal Spearphishing,[],[],,action.social.variety.Pretexting,related-to,3 +846,,T1534,Internal Spearphishing,[],[],,attribute.integrity.variety.Misrepresentation,related-to,3 +847,,T1585,Establish Accounts,[],[],,action.social.variety.Pretexting,related-to,3 +848,,T1585,Establish Accounts,[],[],,value_chain.development.variety.Persona,related-to,3 +849,,T1585.001,Establish Accounts: Social Media Accounts,[],[],,action.social.variety.Pretexting,related-to,3 +850,,T1585.001,Establish Accounts: Social Media Accounts,[],[],,value_chain.development.variety.Persona,related-to,3 +851,,T1585.002,Establish Accounts: Email Account,[],[],,action.social.variety.Pretexting,related-to,3 +852,,T1585.002,Establish Accounts: Email Account,[],[],,value_chain.development.variety.Persona,related-to,3 +853,,T1546.001,Event Triggered Execution: Change Default File Association,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +854,,T1546.002,Event Triggered Execution Screensaver,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +855,,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +856,,T1546.004,Event Triggered Execution: Unix Shell 
Configuration Modification,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +857,,T1546.005,Event Triggered Execution: Trap,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +858,,T1546.006,Event Triggered Execution: LC_LOAD_DYLIB Addition,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +859,,T1546.007,Event Triggered Execution: Netsh Helper DLL,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +860,,T1546.008,Event Triggered Execution: Accessibility Features,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +861,,T1546.009,Event Triggered Execution: AppCert DLLs,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +862,,T1546.010,Event Triggered Execution: AppInit DLLs,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +863,,T1546.011,Event Triggered Execution: Application Shimming,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +864,,T1546.012,Event Triggered Execution: Image File Execution Options Injection,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +865,,T1546.013,Event Triggered Execution: PowerShell Profile,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +866,,T1546.014,Event Triggered Execution: Emond,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +867,,T1546.015,Event Triggered Execution: Component Object Model Hijacking,[],[],,attribute.integrity.variety.Alter behavior,related-to,3 +868,,T1136.001,Create Account: Local Account,[],[],,attribute.integrity.variety.Created account,related-to,3 +869,,T1136.002,Create Account: Domain Account,[],[],,attribute.integrity.variety.Created account,related-to,3 +870,,T1136.003,Create Account: Cloud Account,[],[],,attribute.integrity.variety.Created account,related-to,3 +871,,T1491,Defacement,[],[],,attribute.integrity.variety.Defacement,related-to,3 +872,,T1491.001,Defacement: Internal Defacement,[],[],,attribute.integrity.variety.Defacement,related-to,3 
+873,,T1491.002,Defacement: External Defacement,[],[],,attribute.integrity.variety.Defacement,related-to,3 +874,,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +875,,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +876,,T1037.003,Boot or Logon Initialization Scripts: Network Logon Script,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +877,,T1037.004,Boot or Logon Initialization Scripts: RC Scripts,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +878,,T1037.005,Boot or Logon Initialization Scripts: Startup Items,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +879,,T1484,Domain Policy Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +880,,T1484.001,Domain Policy Modification: Group Policy Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +881,,T1484.002,Domain Policy Modification: Domain Trust Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +882,,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +883,,T1547.002,Boot or Logon Autostart Execution: Authentication Package,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +884,,T1547.003,Boot or Logon Autostart Execution: Time Providers,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +885,,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +886,,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +887,,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and 
Extensions,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +888,,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +889,,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +890,,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +891,,T1547.010,Boot or Logon Autostart Execution: Port Monitors,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +892,,T1547.011,Boot or Logon Autostart Execution: Plist Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +893,,T1547.012,Boot or Logon Autostart Execution: Print Processors,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +894,,T1547.013,Boot or Logon Autostart Execution: XDG Autostart Entries,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +895,,T1556,Modify Authentication Process,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +896,,T1556,Modify Authentication Process,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +897,,T1556.001,Modify Authentication Process: Domain Controller Authentication,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +898,,T1556.001,Modify Authentication Process: Domain Controller Authentication,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +899,,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,[],[],,attribute.integrity.variety.Modify configuration,related-to,3 +900,,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +901,,T1556.004,Modify Authentication Process: Network Device Authentication,[],[],,attribute.integrity.variety.Modify 
configuration,related-to,3 +902,,T1556.004,Modify Authentication Process: Network Device Authentication,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +903,,T1565,Data Manipulation,[],[],,attribute.integrity.variety.Modify data,related-to,3 +904,,T1565.001,Data Manipulation: Stored Data Manipulation,[],[],,attribute.integrity.variety.Modify data,related-to,3 +905,,T1565.002,Data Manipulation: Transmitted Data Manipulation,[],[],,attribute.integrity.variety.Modify data,related-to,3 +906,,T1565.003,Data Manipulation: Runtime Data Manipulation,[],[],,attribute.integrity.variety.Modify data,related-to,3 +907,,T1098.001,Account Manipulation: Additional Cloud Credentials,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +908,,T1098.002,Account Manipulation: Exchange Email Delegate Permissions,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +909,,T1098.003,Account Manipulation: Add Office 365 Global Administrator Role,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +910,,T1098.004,Account Manipulation: SSH Authorized Keys,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +911,,T1547.014,Boot or Logon Autostart Execution: Active Setup,[],[],,attribute.integrity.variety.Modify privileges,related-to,3 +912,,T1535,Unused/Unsupported Cloud Regions,[],[],,attribute.integrity.variety.Repurpose,related-to,3 diff --git a/src/mappings_explorer/cli/mapex/veris_files/1.3.5/parsed_veris_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/veris_files/1.3.5/parsed_veris_mappings_metadata.csv new file mode 100644 index 00000000..7bc420c9 --- /dev/null +++ b/src/mappings_explorer/cli/mapex/veris_files/1.3.5/parsed_veris_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,1.9,9.0,enterprise,,,02/03/21,10/27/21,,VERIS Framework,1.3.5,3 
diff --git a/src/mappings_explorer/cli/mapex/veris_files/1.3.7/parsed_veris_mappings_attack_objects.csv b/src/mappings_explorer/cli/mapex/veris_files/1.3.7/parsed_veris_mappings_attack_objects.csv
new file mode 100644
index 00000000..9b9b0718
--- /dev/null
+++ b/src/mappings_explorer/cli/mapex/veris_files/1.3.7/parsed_veris_mappings_attack_objects.csv
@@ -0,0 +1,1093 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key +0,,T1047,Windows Management Instrumentation,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +1,,T1047,Windows Management Instrumentation,[],[],,action.hacking.vector.Command shell,related-to,2 +2,,T1047,Windows Management Instrumentation,[],[],,action.malware.vector.Direct install,related-to,2 +3,,T1053,Scheduled Task/Job,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +4,,T1053,Scheduled Task/Job,[],[],,action.hacking.variety.Backdoor,related-to,2 +5,,T1053,Scheduled Task/Job,[],[],,action.hacking.vector.Backdoor,related-to,2 +6,,T1053.002,Scheduled Task/Job: At,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +7,,T1053.003,Scheduled Task/Job: Cron,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +8,,T1053.005,Scheduled Task/Job: Scheduled Task,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +9,,T1053.006,Scheduled Task/Job: Systemd Timers,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +10,,T1053.007,Scheduled Task/Job: Container Orchestration Job,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +11,,T1059,Command and Scripting Interpreter,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +12,,T1059,Command and Scripting Interpreter,[],[],,action.hacking.variety.OS commanding,related-to,2 +13,,T1059,Command and Scripting Interpreter,[],[],,action.hacking.vector.Command shell,related-to,2 +14,,T1059.001,Command and Scripting Interpreter: PowerShell,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +15,,T1059.001,Command and Scripting Interpreter: PowerShell,[],[],,action.hacking.vector.Command shell,related-to,2 +16,,T1059.002,Command and Scripting Interpreter: AppleScript,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +17,,T1059.002,Command and 
Scripting Interpreter: AppleScript,[],[],,action.hacking.variety.OS commanding,related-to,2 +18,,T1059.002,Command and Scripting Interpreter: AppleScript,[],[],,action.hacking.vector.Command shell,related-to,2 +19,,T1059.003,Command and Scripting Interpreter: Windows Command Shell,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +20,,T1059.003,Command and Scripting Interpreter: Windows Command Shell,[],[],,action.hacking.variety.OS commanding,related-to,2 +21,,T1059.003,Command and Scripting Interpreter: Windows Command Shell,[],[],,action.hacking.vector.Command shell,related-to,2 +22,,T1059.004,Command and Scripting Interpreter: Unix Shell,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +23,,T1059.004,Command and Scripting Interpreter: Unix Shell,[],[],,action.hacking.variety.OS commanding,related-to,2 +24,,T1059.004,Command and Scripting Interpreter: Unix Shell,[],[],,action.hacking.vector.Command shell,related-to,2 +25,,T1059.005,Command and Scripting Interpreter: Visual Basic,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +26,,T1059.005,Command and Scripting Interpreter: Visual Basic,[],[],,action.hacking.vector.Command shell,related-to,2 +27,,T1059.005,Command and Scripting Interpreter: Visual Basic,[],[],,action.malware.vector.Email attachment,related-to,2 +28,,T1059.006,Command and Scripting Interpreter: Python,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +29,,T1059.006,Command and Scripting Interpreter: Python,[],[],,action.hacking.vector.Command shell,related-to,2 +30,,T1059.007,Command and Scripting Interpreter: JavaScript,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +31,,T1059.007,Command and Scripting Interpreter: JavaScript,[],[],,action.hacking.vector.Command shell,related-to,2 +32,,T1059.007,Command and Scripting Interpreter: JavaScript,[],[],,action.malware.vector.Email attachment,related-to,2 +33,,T1059.008,Command and Scripting Interpreter: Network 
Device CLI,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +34,,T1059.008,Command and Scripting Interpreter: Network Device CLI,[],[],,action.hacking.vector.Command shell,related-to,2 +35,,T1072,Software Deployment Tools,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +36,,T1072,Software Deployment Tools,[],[],,action.malware.variety.Adminware,related-to,2 +37,,T1072,Software Deployment Tools,[],[],,action.malware.vector.Software update,related-to,2 +38,,T1072,Software Deployment Tools,[],[],,attribute.integrity.variety.Software installation,related-to,2 +39,,T1106,Native API,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +40,,T1112,Modify Registry,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +41,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +42,,T1127,Trusted Developer Utilities Proxy Execution,[],[],,action.hacking.variety.Unknown,related-to,2 +43,,T1127.001,Tursted Developer Utilities Proxy Execution: MSBuild,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +44,,T1127.001,Tursted Developer Utilities Proxy Execution: MSBuild,[],[],,action.hacking.variety.Unknown,related-to,2 +45,,T1129,Shared Modules,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +46,,T1137,Office Application Startup,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +47,,T1137.001,Office Application Startup: Office Template Macros,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +48,,T1137.002,Office Application Startup: Office Test,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +49,,T1137.003,Office Application Startup: Outlook Forms,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +50,,T1137.004,Office Application Startup: Outlook Home Page,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +51,,T1137.005,Office Application Startup: 
Outlook Rules,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +52,,T1187,Forced Authentication,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +53,,T1187,Forced Authentication,[],[],,action.hacking.variety.MitM,related-to,2 +54,,T1187,Forced Authentication,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +55,,T1202,Indirect Command Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +56,,T1216,Signed Script Proxy Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +57,,T1216.001,Signed Script Proxy Execution: PubPrn,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +58,,T1218,Signed Binary Proxy Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +59,,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +60,,T1218.002,Signed Binary Proxy Execution: Control Panel,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +61,,T1218.003,Signed Binary Proxy Execution: CMSTP,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +62,,T1218.004,Signed Binary Proxy Execution: InstallUtil,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +63,,T1218.005,Signed Binary Proxy Execution: Mshta,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +64,,T1218.007,Signed Binary Proxy Execution: Msiexec,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +65,,T1218.008,Signed Binary Proxy Execution: Odbcconf,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +66,,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +67,,T1218.010,Signed Binary Proxy Execution: Regsvr32,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +68,,T1218.011,Signed Binary Proxy Execution: Rundll32,[],[],,action.hacking.variety.Abuse of 
functionality,related-to,2 +69,,T1218.012,Signed Binary Proxy Execution: Verclsid,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +70,,T1218.013,System Binary Proxy Execution: Mavinject,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +71,,T1218.014,System Binary Proxy Execution: MMC,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +72,,T1220,XSL Script Processing,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +73,,T1505.001,Server Software Component: SQL Stored Procedures,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +74,,T1505.001,Server Software Component: SQL Stored Procedures,[],[],,action.malware.variety.Backdoor,related-to,2 +75,,T1505.001,Server Software Component: SQL Stored Procedures,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +76,,T1505.002,Server Software Component: Transport Agent,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +77,,T1505.002,Server Software Component: Transport Agent,[],[],,action.malware.variety.Backdoor,related-to,2 +78,,T1505.002,Server Software Component: Transport Agent,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +79,,T1529,System Shutdown/Reboot,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +80,,T1529,System Shutdown/Reboot,[],[],,attribute.availability.variety.Interruption,related-to,2 +81,,T1543,Create or Modify System Process,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +82,,T1543,Create or Modify System Process,[],[],,action.hacking.variety.Backdoor,related-to,2 +83,,T1543,Create or Modify System Process,[],[],,action.hacking.vector.Backdoor,related-to,2 +84,,T1543,Create or Modify System Process,[],[],,action.malware.variety.Backdoor,related-to,2 +85,,T1543,Create or Modify System Process,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +86,,T1543,Create or Modify System Process,[],[],,action.malware.variety.Rootkit,related-to,2 
+87,,T1543,Create or Modify System Process,[],[],,attribute.integrity.variety.Software installation,related-to,2 +88,,T1543.001,Create or Modify System Process: Launch Agent,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +89,,T1543.001,Create or Modify System Process: Launch Agent,[],[],,attribute.integrity.variety.Software installation,related-to,2 +90,,T1543.002,Create or Modify System Process: Systemd Service,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +91,,T1543.002,Create or Modify System Process: Systemd Service,[],[],,attribute.integrity.variety.Software installation,related-to,2 +92,,T1543.003,Create or Modify System Process: Windows Service,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +93,,T1543.003,Create or Modify System Process: Windows Service,[],[],,action.malware.variety.RAT,related-to,2 +94,,T1543.003,Create or Modify System Process: Windows Service,[],[],,attribute.integrity.variety.Software installation,related-to,2 +95,,T1543.004,Create or Modify System Process: Launch Daemon,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +96,,T1543.004,Create or Modify System Process: Launch Daemon,[],[],,attribute.integrity.variety.Software installation,related-to,2 +97,,T1547,Boot or Logon Autostart Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +98,,T1547,Boot or Logon Autostart Execution,[],[],,action.hacking.variety.Backdoor,related-to,2 +99,,T1547,Boot or Logon Autostart Execution,[],[],,action.hacking.vector.Backdoor,related-to,2 +100,,T1547,Boot or Logon Autostart Execution,[],[],,action.malware.variety.Backdoor,related-to,2 +101,,T1547,Boot or Logon Autostart Execution,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +102,,T1547,Boot or Logon Autostart Execution,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +103,,T1548,Abuse Elevation Control Mechanism,[],[],,action.hacking.variety.Abuse of 
functionality,related-to,2 +104,,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +105,,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +106,,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +107,,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,[],[],,action.malware.variety.Exploit misconfig,related-to,2 +108,,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +109,,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +110,,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,[],[],,action.malware.variety.Client-side attack,related-to,2 +111,,T1548.004,Abuse Elevation Control Mechanism: Elevated Execution with Prompt,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +112,,T1548.004,Abuse Elevation Control Mechanism: Elevated Execution with Prompt,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +113,,T1559,Inter-Process Communication,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +114,,T1559.001,Inter-Process Communication: Component Object Model,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +115,,T1559.002,Inter-Process Communication: Dynamic Data Exchange,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +116,,T1563,Remote Service Session Hijacking,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +117,,T1563,Remote Service Session Hijacking,[],[],,action.hacking.variety.Hijack,related-to,2 +118,,T1563,Remote Service Session Hijacking,[],[],,action.malware.vector.Network propagation,related-to,2 +119,,T1563.001,Remote 
Service Session Hijacking: SSH Hijacking,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +120,,T1563.001,Remote Service Session Hijacking: SSH Hijacking,[],[],,action.hacking.variety.Hijack,related-to,2 +121,,T1563.001,Remote Service Session Hijacking: SSH Hijacking,[],[],,action.malware.vector.Network propagation,related-to,2 +122,,T1563.002,Remote Service Session Hijacking: RDP Hijacking,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +123,,T1563.002,Remote Service Session Hijacking: RDP Hijacking,[],[],,action.hacking.variety.Hijack,related-to,2 +124,,T1563.002,Remote Service Session Hijacking: RDP Hijacking,[],[],,action.malware.vector.Network propagation,related-to,2 +125,,T1564,Hide Artifacts,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +126,,T1564,Hide Artifacts,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +127,,T1564,Hide Artifacts,[],[],,action.malware.variety.Evade Defenses,related-to,2 +128,,T1564,Hide Artifacts,[],[],,action.social.variety.Evade Defenses,related-to,2 +129,,T1564.001,Hide Artifacts: Hidden Files and Directories,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +130,,T1564.001,Hide Artifacts: Hidden Files and Directories,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +131,,T1564.001,Hide Artifacts: Hidden Files and Directories,[],[],,action.malware.variety.Evade Defenses,related-to,2 +132,,T1564.001,Hide Artifacts: Hidden Files and Directories,[],[],,action.social.variety.Evade Defenses,related-to,2 +133,,T1564.002,Hide Artifacts: Hidden Users,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +134,,T1564.002,Hide Artifacts: Hidden Users,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +135,,T1564.002,Hide Artifacts: Hidden Users,[],[],,action.malware.variety.Evade Defenses,related-to,2 +136,,T1564.002,Hide Artifacts: Hidden Users,[],[],,action.social.variety.Evade Defenses,related-to,2 +137,,T1564.003,Hide Artifacts: 
Hidden Window,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +138,,T1564.003,Hide Artifacts: Hidden Window,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +139,,T1564.003,Hide Artifacts: Hidden Window,[],[],,action.malware.variety.Evade Defenses,related-to,2 +140,,T1564.003,Hide Artifacts: Hidden Window,[],[],,action.social.variety.Evade Defenses,related-to,2 +141,,T1564.004,Hide Artifacts: NTFS File Attributes,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +142,,T1564.004,Hide Artifacts: NTFS File Attributes,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +143,,T1564.004,Hide Artifacts: NTFS File Attributes,[],[],,action.malware.variety.Evade Defenses,related-to,2 +144,,T1564.004,Hide Artifacts: NTFS File Attributes,[],[],,action.social.variety.Evade Defenses,related-to,2 +145,,T1564.005,Hide Artifacts: Hidden File System,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +146,,T1564.005,Hide Artifacts: Hidden File System,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +147,,T1564.005,Hide Artifacts: Hidden File System,[],[],,action.malware.variety.Evade Defenses,related-to,2 +148,,T1564.005,Hide Artifacts: Hidden File System,[],[],,action.social.variety.Evade Defenses,related-to,2 +149,,T1564.006,Hide Artifacts: Run Virtual Instance,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +150,,T1564.006,Hide Artifacts: Run Virtual Instance,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +151,,T1564.006,Hide Artifacts: Run Virtual Instance,[],[],,action.malware.variety.Evade Defenses,related-to,2 +152,,T1564.006,Hide Artifacts: Run Virtual Instance,[],[],,action.social.variety.Evade Defenses,related-to,2 +153,,T1564.007,Hide Artifacts: VBA Stomping,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +154,,T1564.007,Hide Artifacts: VBA Stomping,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +155,,T1564.007,Hide Artifacts: VBA 
Stomping,[],[],,action.malware.variety.Evade Defenses,related-to,2 +156,,T1564.007,Hide Artifacts: VBA Stomping,[],[],,action.malware.variety.Trojan,related-to,2 +157,,T1564.007,Hide Artifacts: VBA Stomping,[],[],,action.social.variety.Evade Defenses,related-to,2 +158,,T1569,System Services,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +159,,T1569.001,System Services: Launchctl,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +160,,T1569.002,System Services: Service Execution,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +161,,T1569.002,System Services: Service Execution,[],[],,action.malware.vector.Direct install,related-to,2 +162,,T1578,Modify Cloud Computer Infrastructure,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +163,,T1578,Modify Cloud Computer Infrastructure,[],[],,action.hacking.vector.Hypervisor,related-to,2 +164,,T1578,Modify Cloud Computer Infrastructure,[],[],,action.hacking.vector.Inter-tenant,related-to,2 +165,,T1578.001,Modify Cloud Computer Infrastructure: Create Snapshot,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +166,,T1578.002,Modify Cloud Computer Infrastructure: Create Cloud Instance,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +167,,T1578.003,Modify Cloud Computer Infrastructure: Delete Cloud Instance,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +168,,T1578.004,Modify Cloud Computer Infrastructure: Revert Cloud Instance,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +169,,T1609,Container Administration Command,[],[],,action.hacking.variety.Abuse of functionality,related-to,2 +170,,T1098,Account Manipulation,[],[],,action.hacking.variety.Backdoor,related-to,2 +171,,T1098,Account Manipulation,[],[],,action.hacking.vector.Backdoor,related-to,2 +172,,T1098,Account Manipulation,[],[],,action.malware.variety.Backdoor,related-to,2 +173,,T1098,Account 
Manipulation,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +174,,T1098,Account Manipulation,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +175,,T1037,Boot or Logon Initialization Scripts,[],[],,action.hacking.variety.Backdoor,related-to,2 +176,,T1037,Boot or Logon Initialization Scripts,[],[],,action.hacking.vector.Backdoor,related-to,2 +177,,T1037,Boot or Logon Initialization Scripts,[],[],,action.malware.variety.Backdoor,related-to,2 +178,,T1037,Boot or Logon Initialization Scripts,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +179,,T1037,Boot or Logon Initialization Scripts,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +180,,T1554,Compromise Client Software Binary,[],[],,action.hacking.variety.Backdoor,related-to,2 +181,,T1554,Compromise Client Software Binary,[],[],,action.hacking.vector.Backdoor,related-to,2 +182,,T1554,Compromise Client Software Binary,[],[],,action.malware.variety.Adminware,related-to,2 +183,,T1554,Compromise Client Software Binary,[],[],,action.malware.variety.Backdoor,related-to,2 +184,,T1554,Compromise Client Software Binary,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +185,,T1554,Compromise Client Software Binary,[],[],,action.malware.variety.Trojan,related-to,2 +186,,T1136,Create Accounts,[],[],,action.hacking.variety.Backdoor,related-to,2 +187,,T1136,Create Accounts,[],[],,action.hacking.vector.Backdoor,related-to,2 +188,,T1136,Create Accounts,[],[],,action.malware.variety.Modify data,related-to,2 +189,,T1136,Create Accounts,[],[],,attribute.integrity.variety.Created account,related-to,2 +190,,T1546,Event Triggered Execution,[],[],,action.hacking.variety.Backdoor,related-to,2 +191,,T1546,Event Triggered Execution,[],[],,action.hacking.variety.XML injection,related-to,2 +192,,T1546,Event Triggered Execution,[],[],,action.hacking.vector.Backdoor,related-to,2 +193,,T1546,Event Triggered Execution,[],[],,action.malware.variety.Backdoor,related-to,2 
+194,,T1546,Event Triggered Execution,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +195,,T1546,Event Triggered Execution,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +196,,T1133,External Remote Services,[],[],,action.hacking.variety.Backdoor,related-to,2 +197,,T1133,External Remote Services,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +198,,T1133,External Remote Services,[],[],,action.hacking.vector.3rd party desktop,related-to,2 +199,,T1133,External Remote Services,[],[],,action.hacking.vector.Backdoor,related-to,2 +200,,T1133,External Remote Services,[],[],,action.hacking.vector.Desktop sharing software,related-to,2 +201,,T1133,External Remote Services,[],[],,action.hacking.vector.VPN,related-to,2 +202,,T1133,External Remote Services,[],[],,action.malware.variety.Backdoor,related-to,2 +203,,T1133,External Remote Services,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +204,,T1133,External Remote Services,[],[],,action.malware.vector.Remote injection,related-to,2 +205,,T1133,External Remote Services,[],[],,action.malware.vector.Web application,related-to,2 +206,,T1525,Implant Internal Image,[],[],,action.hacking.variety.Backdoor,related-to,2 +207,,T1525,Implant Internal Image,[],[],,action.hacking.vector.Backdoor,related-to,2 +208,,T1525,Implant Internal Image,[],[],,action.malware.variety.Backdoor,related-to,2 +209,,T1525,Implant Internal Image,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +210,,T1525,Implant Internal Image,[],[],,action.malware.variety.RAT,related-to,2 +211,,T1525,Implant Internal Image,[],[],,action.malware.variety.Unknown,related-to,2 +212,,T1556,Modify Authentication Process,[],[],,action.hacking.variety.Backdoor,related-to,2 +213,,T1556,Modify Authentication Process,[],[],,action.hacking.vector.Backdoor,related-to,2 +214,,T1556,Modify Authentication Process,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +215,,T1556,Modify Authentication 
Process,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +216,,T1078,Valid Accounts,[],[],,action.hacking.variety.Backdoor,related-to,2 +217,,T1078,Valid Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +218,,T1078,Valid Accounts,[],[],,action.hacking.vector.Backdoor,related-to,2 +219,,T1110,Brute Force,[],[],,action.hacking.variety.Brute force,related-to,2 +220,,T1110,Brute Force,[],[],,action.malware.variety.Brute force,related-to,2 +221,,T1110.001,Brute Force: Password Guessing,[],[],,action.hacking.variety.Brute force,related-to,2 +222,,T1110.001,Brute Force: Password Guessing,[],[],,action.malware.variety.Brute force,related-to,2 +223,,T1110.002,Brute Force: Password Cracking,[],[],,action.hacking.variety.Brute force,related-to,2 +224,,T1110.002,Brute Force: Password Cracking,[],[],,action.hacking.variety.Offline cracking,related-to,2 +225,,T1110.002,Brute Force: Password Cracking,[],[],,action.malware.variety.Brute force,related-to,2 +226,,T1110.003,Brute Force: Password Spraying,[],[],,action.hacking.variety.Brute force,related-to,2 +227,,T1110.003,Brute Force: Password Spraying,[],[],,action.malware.variety.Brute force,related-to,2 +228,,T1110.004,Brute Force: Credential Stuffing,[],[],,action.hacking.variety.Brute force,related-to,2 +229,,T1110.004,Brute Force: Credential Stuffing,[],[],,action.malware.variety.Brute force,related-to,2 +230,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.Buffer overflow,related-to,2 +231,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.HTTP request smuggling,related-to,2 +232,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.HTTP request splitting,related-to,2 +233,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.HTTP response smuggling,related-to,2 +234,,T1203,Exploitation for Client Execution,[],[],,action.hacking.variety.HTTP response splitting,related-to,2 +235,,T1203,Exploitation for Client 
Execution,[],[],,action.malware.variety.Client-side attack,related-to,2 +236,,T1203,Exploitation for Client Execution,[],[],,action.malware.vector.Email attachment,related-to,2 +237,,T1557.002,Adversary-in-the-Middle: ARP Cache Poisoning,[],[],,action.hacking.variety.Cache poisoning,related-to,2 +238,,T1557.002,Adversary-in-the-Middle: ARP Cache Poisoning,[],[],,action.hacking.variety.MitM,related-to,2 +239,,T1557.002,Adversary-in-the-Middle: ARP Cache Poisoning,[],[],,action.malware.variety.MitM,related-to,2 +240,,T1600,Weaken Encryption,[],[],,action.hacking.variety.Cryptanalysis,related-to,2 +241,,T1600,Weaken Encryption,[],[],,action.malware.variety.Disable controls,related-to,2 +242,,T1562,Impair Defenses,[],[],,action.hacking.variety.Disable controls,related-to,2 +243,,T1562,Impair Defenses,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +244,,T1562,Impair Defenses,[],[],,action.malware.variety.Disable controls,related-to,2 +245,,T1562,Impair Defenses,[],[],,action.malware.variety.Evade Defenses,related-to,2 +246,,T1562,Impair Defenses,[],[],,action.malware.variety.Modify data,related-to,2 +247,,T1562,Impair Defenses,[],[],,action.social.variety.Evade Defenses,related-to,2 +248,,T1562.001,Disable or Modify Tools,[],[],,action.hacking.variety.Disable controls,related-to,2 +249,,T1562.001,Disable or Modify Tools,[],[],,action.malware.variety.Disable controls,related-to,2 +250,,T1562.002,Disable Windows Event Logging,[],[],,action.hacking.variety.Disable controls,related-to,2 +251,,T1562.002,Disable Windows Event Logging,[],[],,action.malware.variety.Disable controls,related-to,2 +252,,T1562.003,Impair Command History Logging,[],[],,action.hacking.variety.Disable controls,related-to,2 +253,,T1562.003,Impair Command History Logging,[],[],,action.malware.variety.Disable controls,related-to,2 +254,,T1562.004,Disable or Modify System Firewall,[],[],,action.hacking.variety.Disable controls,related-to,2 +255,,T1562.004,Disable or Modify System 
Firewall,[],[],,action.malware.variety.Disable controls,related-to,2 +256,,T1562.007,Disable or Modify Cloud Firewall,[],[],,action.hacking.variety.Disable controls,related-to,2 +257,,T1562.007,Disable or Modify Cloud Firewall,[],[],,action.malware.variety.Disable controls,related-to,2 +258,,T1562.008,Disable Cloud Logs,[],[],,action.hacking.variety.Disable controls,related-to,2 +259,,T1562.008,Disable Cloud Logs,[],[],,action.malware.variety.Disable controls,related-to,2 +260,,T1489,Service Stop,[],[],,action.hacking.variety.Disable controls,related-to,2 +261,,T1489,Service Stop,[],[],,action.malware.variety.DoS,related-to,2 +262,,T1489,Service Stop,[],[],,attribute.availability.variety.Interruption,related-to,2 +263,,T1498,Network Denial of Service,[],[],,action.hacking.variety.DoS,related-to,2 +264,,T1498,Network Denial of Service,[],[],,action.malware.variety.DoS,related-to,2 +265,,T1498,Network Denial of Service,[],[],,attribute.availability.variety.Degradation,related-to,2 +266,,T1498,Network Denial of Service,[],[],,attribute.availability.variety.Loss,related-to,2 +267,,T1498.001,Network Denial of Service: Direct Network Flood,[],[],,action.hacking.variety.DoS,related-to,2 +268,,T1498.001,Network Denial of Service: Direct Network Flood,[],[],,action.malware.variety.DoS,related-to,2 +269,,T1498.001,Network Denial of Service: Direct Network Flood,[],[],,attribute.availability.variety.Degradation,related-to,2 +270,,T1498.001,Network Denial of Service: Direct Network Flood,[],[],,attribute.availability.variety.Loss,related-to,2 +271,,T1498.002,Network Denial of Service: Reflection Amplification,[],[],,action.hacking.variety.DoS,related-to,2 +272,,T1498.002,Network Denial of Service: Reflection Amplification,[],[],,action.malware.variety.DoS,related-to,2 +273,,T1498.002,Network Denial of Service: Reflection Amplification,[],[],,attribute.availability.variety.Degradation,related-to,2 +274,,T1498.002,Network Denial of Service: Reflection 
Amplification,[],[],,attribute.availability.variety.Loss,related-to,2 +275,,T1499,Endpoint Denial of Service,[],[],,action.hacking.variety.DoS,related-to,2 +276,,T1499,Endpoint Denial of Service,[],[],,action.hacking.variety.Soap array abuse,related-to,2 +277,,T1499,Endpoint Denial of Service,[],[],,action.hacking.variety.XML external entities,related-to,2 +278,,T1499,Endpoint Denial of Service,[],[],,action.malware.variety.DoS,related-to,2 +279,,T1499,Endpoint Denial of Service,[],[],,attribute.availability.variety.Degradation,related-to,2 +280,,T1499,Endpoint Denial of Service,[],[],,attribute.availability.variety.Loss,related-to,2 +281,,T1499.001,Endpoint Denial of Service: OS Exhaustion Flood,[],[],,action.hacking.variety.DoS,related-to,2 +282,,T1499.001,Endpoint Denial of Service: OS Exhaustion Flood,[],[],,action.malware.variety.DoS,related-to,2 +283,,T1499.001,Endpoint Denial of Service: OS Exhaustion Flood,[],[],,attribute.availability.variety.Degradation,related-to,2 +284,,T1499.001,Endpoint Denial of Service: OS Exhaustion Flood,[],[],,attribute.availability.variety.Loss,related-to,2 +285,,T1499.002,Endpoint Denial of Service: Service Exhaustion Flood,[],[],,action.hacking.variety.DoS,related-to,2 +286,,T1499.002,Endpoint Denial of Service: Service Exhaustion Flood,[],[],,action.malware.variety.DoS,related-to,2 +287,,T1499.002,Endpoint Denial of Service: Service Exhaustion Flood,[],[],,attribute.availability.variety.Degradation,related-to,2 +288,,T1499.002,Endpoint Denial of Service: Service Exhaustion Flood,[],[],,attribute.availability.variety.Loss,related-to,2 +289,,T1499.003,Endpoint Denial of Service: Application Exhaustion Flood,[],[],,action.hacking.variety.DoS,related-to,2 +290,,T1499.003,Endpoint Denial of Service: Application Exhaustion Flood,[],[],,action.malware.variety.DoS,related-to,2 +291,,T1499.003,Endpoint Denial of Service: Application Exhaustion Flood,[],[],,attribute.availability.variety.Degradation,related-to,2 
+292,,T1499.003,Endpoint Denial of Service: Application Exhaustion Flood,[],[],,attribute.availability.variety.Loss,related-to,2 +293,,T1499.004,Endpoint Denial of Service: Application or System Exploitation,[],[],,action.hacking.variety.DoS,related-to,2 +294,,T1499.004,Endpoint Denial of Service: Application or System Exploitation,[],[],,action.malware.variety.DoS,related-to,2 +295,,T1499.004,Endpoint Denial of Service: Application or System Exploitation,[],[],,attribute.availability.variety.Degradation,related-to,2 +296,,T1499.004,Endpoint Denial of Service: Application or System Exploitation,[],[],,attribute.availability.variety.Loss,related-to,2 +297,,T1583.005,Acquire Infrastructure: Botnet,[],[],,action.hacking.variety.DoS,related-to,2 +298,,T1583.005,Acquire Infrastructure: Botnet,[],[],,action.hacking.variety.Unknown,related-to,2 +299,,T1583.005,Acquire Infrastructure: Botnet,[],[],,value_chain.development.variety.Bot,related-to,2 +300,,T1584.005,Compromise Infrastructure: Botnet,[],[],,action.hacking.variety.DoS,related-to,2 +301,,T1584.005,Compromise Infrastructure: Botnet,[],[],,action.hacking.variety.Unknown,related-to,2 +302,,T1622,Debugger Evasion,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +303,,T1622,Debugger Evasion,[],[],,action.malware.variety.Evade Defenses,related-to,2 +304,,T1622,Debugger Evasion,[],[],,action.social.variety.Evade Defenses,related-to,2 +305,,T1211,Exploitation for Defense Evasion,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +306,,T1211,Exploitation for Defense Evasion,[],[],,action.malware.variety.Evade Defenses,related-to,2 +307,,T1211,Exploitation for Defense Evasion,[],[],,action.social.variety.Evade Defenses,related-to,2 +308,,T1036,Masquerading,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +309,,T1036,Masquerading,[],[],,action.malware.variety.Disable controls,related-to,2 +310,,T1036,Masquerading,[],[],,action.malware.variety.Evade Defenses,related-to,2 
+311,,T1036,Masquerading,[],[],,action.malware.vector.Email attachment,related-to,2 +312,,T1036,Masquerading,[],[],,action.social.variety.Evade Defenses,related-to,2 +313,,T1014,Rootkit,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +314,,T1014,Rootkit,[],[],,action.malware.variety.Evade Defenses,related-to,2 +315,,T1014,Rootkit,[],[],,action.malware.variety.Rootkit,related-to,2 +316,,T1014,Rootkit,[],[],,action.social.variety.Evade Defenses,related-to,2 +317,,T1553,Subvert Trust Controls,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +318,,T1553,Subvert Trust Controls,[],[],,action.malware.variety.Disable controls,related-to,2 +319,,T1553,Subvert Trust Controls,[],[],,action.malware.variety.Evade Defenses,related-to,2 +320,,T1553,Subvert Trust Controls,[],[],,action.social.variety.Evade Defenses,related-to,2 +321,,T1001,Data Obfuscation,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +322,,T1001,Data Obfuscation,[],[],,action.malware.variety.Unknown,related-to,2 +323,,T1001.001,Data Obfuscation: Junk Data,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +324,,T1001.001,Data Obfuscation: Junk Data,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +325,,T1001.001,Data Obfuscation: Junk Data,[],[],,action.malware.variety.C2,related-to,2 +326,,T1001.001,Data Obfuscation: Junk Data,[],[],,action.malware.variety.Unknown,related-to,2 +327,,T1001.002,Data Obfuscation: Steganography,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +328,,T1001.002,Data Obfuscation: Steganography,[],[],,action.malware.variety.Unknown,related-to,2 +329,,T1001.003,Data Obfuscation: Protocol Impersonation,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +330,,T1001.003,Data Obfuscation: Protocol Impersonation,[],[],,action.malware.variety.Unknown,related-to,2 +331,,T1071,Application Layer Protocol,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +332,,T1071,Application Layer Protocol,[],[],,action.hacking.vector.Other 
network service,related-to,2 +333,,T1071,Application Layer Protocol,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +334,,T1071,Application Layer Protocol,[],[],,action.malware.variety.C2,related-to,2 +335,,T1071,Application Layer Protocol,[],[],,action.malware.variety.Unknown,related-to,2 +336,,T1132,Data Encoding,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +337,,T1132,Data Encoding,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +338,,T1132,Data Encoding,[],[],,action.malware.variety.C2,related-to,2 +339,,T1132.001,Data Encoding: Standard Encoding,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +340,,T1132.001,Data Encoding: Standard Encoding,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +341,,T1132.001,Data Encoding: Standard Encoding,[],[],,action.malware.variety.C2,related-to,2 +342,,T1132.002,Data Encoding: Non-Standard Encoding,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +343,,T1132.002,Data Encoding: Non-Standard Encoding,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +344,,T1132.002,Data Encoding: Non-Standard Encoding,[],[],,action.malware.variety.C2,related-to,2 +345,,T1568,Dynamic Resolution,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +346,,T1568,Dynamic Resolution,[],[],,action.hacking.vector.Other network service,related-to,2 +347,,T1568,Dynamic Resolution,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +348,,T1568,Dynamic Resolution,[],[],,action.malware.variety.C2,related-to,2 +349,,T1568,Dynamic Resolution,[],[],,action.malware.vector.Download by malware,related-to,2 +350,,T1568.001,Dynamic Resolution: Fast Flux DSN,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +351,,T1568.001,Dynamic Resolution: Fast Flux DSN,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +352,,T1568.001,Dynamic Resolution: Fast Flux DSN,[],[],,action.malware.variety.C2,related-to,2 +353,,T1568.002,Dynamic Resolution: Domain Generation 
Algorithms,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +354,,T1568.002,Dynamic Resolution: Domain Generation Algorithms,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +355,,T1568.002,Dynamic Resolution: Domain Generation Algorithms,[],[],,action.malware.variety.C2,related-to,2 +356,,T1568.003,Dynamic Resolution: DNS Calculation,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +357,,T1568.003,Dynamic Resolution: DNS Calculation,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +358,,T1568.003,Dynamic Resolution: DNS Calculation,[],[],,action.malware.variety.C2,related-to,2 +359,,T1573,Encrypted Channels,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +360,,T1573,Encrypted Channels,[],[],,action.hacking.vector.Other network service,related-to,2 +361,,T1573,Encrypted Channels,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +362,,T1573,Encrypted Channels,[],[],,action.malware.variety.C2,related-to,2 +363,,T1573.002,Encrypted Channels: Asymmetric Cryptography,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +364,,T1573.002,Encrypted Channels: Asymmetric Cryptography,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +365,,T1573.002,Encrypted Channels: Asymmetric Cryptography,[],[],,action.malware.variety.C2,related-to,2 +366,,T1573.001,Encrypted Channels: Symmetric Cryptography,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +367,,T1573.001,Encrypted Channels: Symmetric Cryptography,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +368,,T1573.001,Encrypted Channels: Symmetric Cryptography,[],[],,action.malware.variety.C2,related-to,2 +369,,T1008,Fallback Channels,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +370,,T1008,Fallback Channels,[],[],,action.hacking.vector.Other network service,related-to,2 +371,,T1008,Fallback Channels,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +372,,T1008,Fallback Channels,[],[],,action.malware.variety.C2,related-to,2 
+373,,T1104,Multi-Stage Channels,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +374,,T1104,Multi-Stage Channels,[],[],,action.hacking.vector.Other network service,related-to,2 +375,,T1104,Multi-Stage Channels,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +376,,T1104,Multi-Stage Channels,[],[],,action.malware.variety.C2,related-to,2 +377,,T1572,Protocol Tunneling,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +378,,T1572,Protocol Tunneling,[],[],,action.hacking.vector.Other network service,related-to,2 +379,,T1572,Protocol Tunneling,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +380,,T1572,Protocol Tunneling,[],[],,action.malware.variety.C2,related-to,2 +381,,T1090,Proxy,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +382,,T1090,Proxy,[],[],,action.hacking.vector.Other network service,related-to,2 +383,,T1090,Proxy,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +384,,T1090,Proxy,[],[],,action.malware.variety.C2,related-to,2 +385,,T1205,Traffic Signaling,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +386,,T1205,Traffic Signaling,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +387,,T1205,Traffic Signaling,[],[],,action.malware.variety.C2,related-to,2 +388,,T1205.001,Traffic Signaling: Port Knocking,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +389,,T1205.001,Traffic Signaling: Port Knocking,[],[],,action.malware.variety.Backdoor,related-to,2 +390,,T1205.001,Traffic Signaling: Port Knocking,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +391,,T1205.001,Traffic Signaling: Port Knocking,[],[],,action.malware.variety.C2,related-to,2 +392,,T1205.002,Traffic Signaling: Socket Filters,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +393,,T1102,Web Service,[],[],,action.hacking.variety.Evade Defenses,related-to,2 +394,,T1102,Web Service,[],[],,action.hacking.vector.Other network service,related-to,2 +395,,T1102,Web 
Service,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +396,,T1102,Web Service,[],[],,action.malware.variety.C2,related-to,2 +397,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +398,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Exploit vuln,related-to,2 +399,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Format string attack,related-to,2 +400,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Fuzz testing,related-to,2 +401,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Insecure deserialization,related-to,2 +402,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.Integer overflows,related-to,2 +403,,T1068,Exploitation for Privilege Escalation,[],[],,action.hacking.variety.LDAP injection,related-to,2 +404,,T1068,Exploitation for Privilege Escalation,[],[],,action.malware.variety.Exploit misconfig,related-to,2 +405,,T1190,Exploit Public-Facing Application,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +406,,T1190,Exploit Public-Facing Application,[],[],,action.hacking.variety.SQLi,related-to,2 +407,,T1212,Exploitation for Credential Access,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +408,,T1212,Exploitation for Credential Access,[],[],,action.hacking.variety.Exploit vuln,related-to,2 +409,,T1212,Exploitation for Credential Access,[],[],,action.hacking.variety.Session fixation,related-to,2 +410,,T1212,Exploitation for Credential Access,[],[],,action.malware.variety.Disable controls,related-to,2 +411,,T1212,Exploitation for Credential Access,[],[],,action.malware.variety.Password dumper,related-to,2 +412,,T1212,Exploitation for Credential Access,[],[],,action.malware.vector.Web application - drive-by,related-to,2 +413,,T1212,Exploitation for Credential Access,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 
+414,,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +415,,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +416,,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,[],[],,action.malware.variety.Exploit misconfig,related-to,2 +417,,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +418,,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,[],[],,action.hacking.variety.Exploit vuln,related-to,2 +419,,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,[],[],,action.hacking.variety.Hijack,related-to,2 +420,,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,[],[],,action.hacking.variety.Unknown,related-to,2 +421,,T1574.002,Hijack Execution Flow: DLL Side-Loading,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +422,,T1574.002,Hijack Execution Flow: DLL Side-Loading,[],[],,action.hacking.variety.Exploit vuln,related-to,2 +423,,T1574.002,Hijack Execution Flow: DLL Side-Loading,[],[],,action.hacking.variety.Hijack,related-to,2 +424,,T1574.002,Hijack Execution Flow: DLL Side-Loading,[],[],,action.hacking.variety.Unknown,related-to,2 +425,,T1574.005,Hijack Execution Flow: Executable Installer File Permissions Weakness,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +426,,T1574.005,Hijack Execution Flow: Executable Installer File Permissions Weakness,[],[],,action.hacking.variety.Hijack,related-to,2 +427,,T1574.005,Hijack Execution Flow: Executable Installer File Permissions Weakness,[],[],,action.hacking.variety.Unknown,related-to,2 +428,,T1574.010,Hijack Execution Flow: Services File Permissions Weakness,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 +429,,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,[],[],,action.hacking.variety.Exploit misconfig,related-to,2 
+430,,T1574.004,Hijack Execution Flow: Dylib Hijacking,[],[],,action.hacking.variety.Exploit vuln,related-to,2 +431,,T1574.004,Hijack Execution Flow: Dylib Hijacking,[],[],,action.hacking.variety.Hijack,related-to,2 +432,,T1574.004,Hijack Execution Flow: Dylib Hijacking,[],[],,action.hacking.variety.Unknown,related-to,2 +433,,T1595.002,Active Scanning: Vulnerability Scanning,[],[],,action.hacking.variety.Exploit vuln,related-to,2 +434,,T1595.002,Active Scanning: Vulnerability Scanning,[],[],,action.malware.variety.Scan network,related-to,2 +435,,T1539,Steal Web Session Cookie,[],[],,action.hacking.variety.Forced browsing,related-to,2 +436,,T1539,Steal Web Session Cookie,[],[],,action.hacking.variety.MitM,related-to,2 +437,,T1539,Steal Web Session Cookie,[],[],,action.hacking.variety.Session replay,related-to,2 +438,,T1539,Steal Web Session Cookie,[],[],,action.malware.variety.Capture app data,related-to,2 +439,,T1583.003,Acquire Infrastructure: Virtual Private Server,[],[],,action.hacking.variety.Forced browsing,related-to,2 +440,,T1583.003,Acquire Infrastructure: Virtual Private Server,[],[],,action.hacking.variety.Unknown,related-to,2 +441,,T1583.004,Acquire Infrastructure: Server,[],[],,action.hacking.variety.Forced browsing,related-to,2 +442,,T1583.004,Acquire Infrastructure: Server,[],[],,action.hacking.variety.Unknown,related-to,2 +443,,T1583.006,Acquire Infrastructure: Web Services,[],[],,action.hacking.variety.Forced browsing,related-to,2 +444,,T1583.006,Acquire Infrastructure: Web Services,[],[],,action.hacking.variety.Unknown,related-to,2 +445,,T1583.006,Acquire Infrastructure: Web Services,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +446,,T1583.006,Acquire Infrastructure: Web Services,[],[],,action.malware.variety.C2,related-to,2 +447,,T1583.006,Acquire Infrastructure: Web Services,[],[],,value_chain.development.variety.Website,related-to,2 +448,,T1185,Browser Session Hijacking,[],[],,action.hacking.variety.HTTP request 
smuggling,related-to,2 +449,,T1185,Browser Session Hijacking,[],[],,action.hacking.variety.HTTP request splitting,related-to,2 +450,,T1185,Browser Session Hijacking,[],[],,action.hacking.variety.HTTP response smuggling,related-to,2 +451,,T1185,Browser Session Hijacking,[],[],,action.hacking.variety.HTTP response splitting,related-to,2 +452,,T1185,Browser Session Hijacking,[],[],,action.hacking.variety.Hijack,related-to,2 +453,,T1185,Browser Session Hijacking,[],[],,action.hacking.variety.MitM,related-to,2 +454,,T1185,Browser Session Hijacking,[],[],,action.hacking.variety.Session fixation,related-to,2 +455,,T1185,Browser Session Hijacking,[],[],,action.malware.variety.Capture app data,related-to,2 +456,,T1496,Resource Hijacking,[],[],,action.hacking.variety.Hijack,related-to,2 +457,,T1496,Resource Hijacking,[],[],,action.malware.variety.Click fraud,related-to,2 +458,,T1496,Resource Hijacking,[],[],,action.malware.variety.Click fraud and cryptocurrency mining,related-to,2 +459,,T1496,Resource Hijacking,[],[],,action.malware.variety.Cryptocurrency mining,related-to,2 +460,,T1496,Resource Hijacking,[],[],,attribute.availability.variety.Degradation,related-to,2 +461,,T1574,Hijack Execution Flow,[],[],,action.hacking.variety.Hijack,related-to,2 +462,,T1574,Hijack Execution Flow,[],[],,action.hacking.variety.Unknown,related-to,2 +463,,T1574,Hijack Execution Flow,[],[],,action.hacking.variety.XML injection,related-to,2 +464,,T1557,Man-in-the-Middle,[],[],,action.hacking.variety.MitM,related-to,2 +465,,T1557,Man-in-the-Middle,[],[],,action.hacking.variety.Routing detour,related-to,2 +466,,T1557,Man-in-the-Middle,[],[],,action.malware.variety.MitM,related-to,2 +467,,T1557,Man-in-the-Middle,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +468,,T1557.001,Man-in-the-Middle: LLMNR/NBT-NS Poisoning and Relay,[],[],,action.hacking.variety.MitM,related-to,2 +469,,T1557.001,Man-in-the-Middle: LLMNR/NBT-NS Poisoning and 
Relay,[],[],,action.malware.variety.MitM,related-to,2 +470,,T1027,Obfuscated Files or Information,[],[],,action.hacking.variety.Null byte injection,related-to,2 +471,,T1027,Obfuscated Files or Information,[],[],,action.malware.variety.Disable controls,related-to,2 +472,,T1550.002,Use Alternate Authentication Material: Pass the Hash,[],[],,action.hacking.variety.Pass-the-hash,related-to,2 +473,,T1550.002,Use Alternate Authentication Material: Pass the Hash,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +474,,T1550.002,Use Alternate Authentication Material: Pass the Hash,[],[],,action.malware.variety.Pass-the-hash,related-to,2 +475,,T1550.002,Use Alternate Authentication Material: Pass the Hash,[],[],,action.malware.variety.Password dumper,related-to,2 +476,,T1082,System Information Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +477,,T1082,System Information Discovery,[],[],,action.malware.variety.Profile host,related-to,2 +478,,T1033,System Owner/User Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +479,,T1033,System Owner/User Discovery,[],[],,action.malware.variety.Capture stored data,related-to,2 +480,,T1033,System Owner/User Discovery,[],[],,action.malware.variety.Profile host,related-to,2 +481,,T1007,System Service Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +482,,T1007,System Service Discovery,[],[],,action.malware.variety.Profile host,related-to,2 +483,,T1012,Query Registry,[],[],,action.hacking.variety.Profile host,related-to,2 +484,,T1012,Query Registry,[],[],,action.malware.variety.Profile host,related-to,2 +485,,T1083,File and Directory Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +486,,T1083,File and Directory Discovery,[],[],,action.malware.variety.Capture stored data,related-to,2 +487,,T1083,File and Directory Discovery,[],[],,action.malware.variety.Profile host,related-to,2 +488,,T1057,Process Discovery,[],[],,action.hacking.variety.Profile 
host,related-to,2 +489,,T1120,Peripheral Device Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +490,,T1124,System Time Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +491,,T1201,Password Policy Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +492,,T1119,Automated Collection,[],[],,action.hacking.variety.Profile host,related-to,2 +493,,T1119,Automated Collection,[],[],,action.hacking.variety.Scan network,related-to,2 +494,,T1119,Automated Collection,[],[],,action.malware.variety.Capture stored data,related-to,2 +495,,T1119,Automated Collection,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +496,,T1480,Execution Guardrails,[],[],,action.hacking.variety.Profile host,related-to,2 +497,,T1480,Execution Guardrails,[],[],,action.hacking.variety.Scan network,related-to,2 +498,,T1480.001,Execution Guardrails: Environmental Keying,[],[],,action.hacking.variety.Profile host,related-to,2 +499,,T1480.001,Execution Guardrails: Environmental Keying,[],[],,action.hacking.variety.Scan network,related-to,2 +500,,T1518,Software Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +501,,T1518.001,Software Discovery: Security Software Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +502,,T1087,Account Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +503,,T1087.001,Account Discovery: Local Account,[],[],,action.hacking.variety.Profile host,related-to,2 +504,,T1069,Permission Groups Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +505,,T1069.001,Permission Groups Discovery: Local Groups,[],[],,action.hacking.variety.Profile host,related-to,2 +506,,T1614,System Location Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +507,,T1614.001,System Location Discovery: System Language Discovery,[],[],,action.hacking.variety.Profile host,related-to,2 +508,,T1046,Network Service Discovery,[],[],,action.hacking.variety.Scan 
network,related-to,2 +509,,T1046,Network Service Discovery,[],[],,action.malware.variety.Scan network,related-to,2 +510,,T1135,Network Share Discovery,[],[],,action.hacking.variety.Scan network,related-to,2 +511,,T1135,Network Share Discovery,[],[],,action.malware.variety.Scan network,related-to,2 +512,,T1040, Network Sniffing,[],[],,action.hacking.variety.Scan network,related-to,2 +513,,T1040, Network Sniffing,[],[],,action.malware.variety.Packet sniffer,related-to,2 +514,,T1040, Network Sniffing,[],[],,action.malware.variety.Scan network,related-to,2 +515,,T1040, Network Sniffing,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +516,,T1018,Remote System Discovery,[],[],,action.hacking.variety.Scan network,related-to,2 +517,,T1018,Remote System Discovery,[],[],,action.malware.variety.Scan network,related-to,2 +518,,T1049,System Network Connections Discovery,[],[],,action.hacking.variety.Scan network,related-to,2 +519,,T1049,System Network Connections Discovery,[],[],,action.malware.variety.Scan network,related-to,2 +520,,T1589,Gather Victim Identity Information,[],[],,action.hacking.variety.Scan network,related-to,2 +521,,T1589.001,Gather Victim Identity Information: Credentials,[],[],,action.hacking.variety.Scan network,related-to,2 +522,,T1589.002,Gather Victim Identity Information: Email Addresses,[],[],,action.hacking.variety.Scan network,related-to,2 +523,,T1589.003,Gather Victim Identity Information: Employee Names,[],[],,action.hacking.variety.Scan network,related-to,2 +524,,T1590,Gather Victim Network Information,[],[],,action.hacking.variety.Scan network,related-to,2 +525,,T1590.001,Gather Victim Network Information: Domain Properties,[],[],,action.hacking.variety.Scan network,related-to,2 +526,,T1590.002,Gather Victim Network Information: DNS,[],[],,action.hacking.variety.Scan network,related-to,2 +527,,T1590.003,Gather Victim Network Information: Network Trust Dependencies,[],[],,action.hacking.variety.Scan network,related-to,2 
+528,,T1590.004,Gather Victim Network Information: Network Topology,[],[],,action.hacking.variety.Scan network,related-to,2 +529,,T1590.005,Gather Victim Network Information: IP Addresses,[],[],,action.hacking.variety.Scan network,related-to,2 +530,,T1590.006,Gather Victim Network Information: Network Security Appliances,[],[],,action.hacking.variety.Scan network,related-to,2 +531,,T1592,Gather Victim Host Information,[],[],,action.hacking.variety.Scan network,related-to,2 +532,,T1592.001,Gather Victim Host Information: Hardware,[],[],,action.hacking.variety.Scan network,related-to,2 +533,,T1592.002,Gather Victim Host Information: Software,[],[],,action.hacking.variety.Scan network,related-to,2 +534,,T1592.003,Gather Victim Host Information: Firmware,[],[],,action.hacking.variety.Scan network,related-to,2 +535,,T1592.004,Gather Victim Host Information: Client Configurations,[],[],,action.hacking.variety.Scan network,related-to,2 +536,,T1613,Container and Resource Discovery,[],[],,action.hacking.variety.Scan network,related-to,2 +537,,T1602,Data from Configuration Repository,[],[],,action.hacking.variety.Scan network,related-to,2 +538,,T1602,Data from Configuration Repository,[],[],,action.malware.variety.Capture stored data,related-to,2 +539,,T1602,Data from Configuration Repository,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +540,,T1602.001,Data from Configuration Repository: SNMP (MIB Dump),[],[],,action.hacking.variety.Scan network,related-to,2 +541,,T1602.001,Data from Configuration Repository: SNMP (MIB Dump),[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +542,,T1602.002,Data from Configuration Repository: Network Device Configuration Dump,[],[],,action.hacking.variety.Scan network,related-to,2 +543,,T1602.002,Data from Configuration Repository: Network Device Configuration Dump,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +544,,T1526,Cloud Service 
Discovery,[],[],,action.hacking.variety.Scan network,related-to,2 +545,,T1580,Cloud Infrastructure Discovery,[],[],,action.hacking.variety.Scan network,related-to,2 +546,,T1606,Forge Web Credentials,[],[],,action.hacking.variety.Session prediction,related-to,2 +547,,T1606,Forge Web Credentials,[],[],,action.hacking.variety.Unknown,related-to,2 +548,,T1606.001,Forge Web Credentials: Web Cookies,[],[],,action.hacking.variety.Session prediction,related-to,2 +549,,T1606.001,Forge Web Credentials: Web Cookies,[],[],,action.hacking.variety.Unknown,related-to,2 +550,,T1550.004,Use Alternate Authentication Material:Web Session Cookie,[],[],,action.hacking.variety.Session replay,related-to,2 +551,,T1550.004,Use Alternate Authentication Material:Web Session Cookie,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +552,,T1021,Remote Services,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +553,,T1021,Remote Services,[],[],,action.malware.vector.Network propagation,related-to,2 +554,,T1021.001,Remote Services: Remote Desktop Protocol,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +555,,T1021.001,Remote Services: Remote Desktop Protocol,[],[],,action.hacking.vector.Desktop sharing software,related-to,2 +556,,T1021.002,Remote Services: SMB/Windows Admin Shares,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +557,,T1021.002,Remote Services: SMB/Windows Admin Shares,[],[],,action.hacking.vector.Command shell,related-to,2 +558,,T1021.003,Remote Services: Distributed Component Object Model,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +559,,T1021.003,Remote Services: Distributed Component Object Model,[],[],,action.hacking.vector.Command shell,related-to,2 +560,,T1021.004,Remote Services: SSH,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +561,,T1021.004,Remote Services: SSH,[],[],,action.hacking.vector.Command shell,related-to,2 +562,,T1021.005,Remote Services: 
VNC,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +563,,T1021.005,Remote Services: VNC,[],[],,action.hacking.vector.Desktop sharing software,related-to,2 +564,,T1021.006,Remote Services: Windows Remote Management,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +565,,T1021.006,Remote Services: Windows Remote Management,[],[],,action.hacking.vector.Command shell,related-to,2 +566,,T1078.001,Valid Accounts: Default Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +567,,T1078.002,Valid Accounts: Domain Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +568,,T1078.003,Valid Accounts: Local Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +569,,T1078.004,Valid Accounts: Cloud Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +570,,T1134,Access Token Manipulation,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +571,,T1134.001,Access Token Manipulation: Token Impersonation/Theft,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +572,,T1134.002,Access Token Manipulation: Create Process with Token,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +573,,T1134.003,Access Token Manipulation: Make and Impersonate Token,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +574,,T1134.004,Access Token Manipulation: Parent PID Spoofing,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +575,,T1134.005,Access Token Manipulation: SID-History Injection,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +576,,T1550,Use Alternate Authentication Material,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +577,,T1550,Use Alternate Authentication Material,[],[],,action.malware.variety.Pass-the-hash,related-to,2 +578,,T1550,Use Alternate Authentication Material,[],[],,action.malware.vector.Network propagation,related-to,2 +579,,T1550.001,Use Alternate Authentication Material: 
Application Access Token,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +580,,T1550.003,Use Alternate Authentication Material: Pass the Ticket,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +581,,T1558,Steal or Forge Kerberos Tickets,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +582,,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +583,,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +584,,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +585,,T1586,Compromise Account,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +586,,T1586.001,Compromise Account: Social Media Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +587,,T1586.001,Compromise Account: Social Media Accounts,[],[],,action.social.variety.Phishing,related-to,2 +588,,T1586.001,Compromise Account: Social Media Accounts,[],[],,action.social.variety.Pretexting,related-to,2 +589,,T1586.002,Compromise Account: Email Accounts,[],[],,action.hacking.variety.Use of stolen creds,related-to,2 +590,,T1611,Escape to Host,[],[],,action.hacking.variety.Virtual machine escape,related-to,2 +591,,T1213,Data from Information Repository,[],[],,action.hacking.variety.XML external entities,related-to,2 +592,,T1213,Data from Information Repository,[],[],,action.malware.variety.Capture stored data,related-to,2 +593,,T1213,Data from Information Repository,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +594,,T1010,Application Window Discovery,[],[],,action.hacking.variety.XPath injection,related-to,2 +595,,T1010,Application Window Discovery,[],[],,action.malware.variety.Capture stored data,related-to,2 +596,,T1105,Ingress Tool Transfer,[],[],,action.hacking.variety.Unknown,related-to,2 +597,,T1105,Ingress Tool 
Transfer,[],[],,action.hacking.vector.Other network service,related-to,2 +598,,T1111,Two-Factor Authentication Interception,[],[],,action.hacking.variety.Unknown,related-to,2 +599,,T1583,Acquire Infrastructure,[],[],,action.hacking.variety.Unknown,related-to,2 +600,,T1583,Acquire Infrastructure,[],[],,action.malware.vector.Web application - download,related-to,2 +601,,T1583.001,Acquire Infrastructure: Domains,[],[],,action.hacking.variety.Unknown,related-to,2 +602,,T1583.001,Acquire Infrastructure: Domains,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +603,,T1583.001,Acquire Infrastructure: Domains,[],[],,action.malware.variety.C2,related-to,2 +604,,T1583.002,Acquire Infrastructure: DNS Server,[],[],,action.hacking.variety.Unknown,related-to,2 +605,,T1583.002,Acquire Infrastructure: DNS Server,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +606,,T1583.002,Acquire Infrastructure: DNS Server,[],[],,action.malware.variety.C2,related-to,2 +607,,T1584,Compromise Infrastructure,[],[],,action.hacking.variety.Unknown,related-to,2 +608,,T1584,Compromise Infrastructure,[],[],,action.malware.vector.Web application - download,related-to,2 +609,,T1584.001,Compromise Infrastructure: Domains,[],[],,action.hacking.variety.Unknown,related-to,2 +610,,T1584.001,Compromise Infrastructure: Domains,[],[],,action.social.variety.Pretexting,related-to,2 +611,,T1584.002,Compromise Infrastructure: DNS Server,[],[],,action.hacking.variety.Unknown,related-to,2 +612,,T1584.002,Compromise Infrastructure: DNS Server,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +613,,T1584.002,Compromise Infrastructure: DNS Server,[],[],,action.malware.variety.C2,related-to,2 +614,,T1584.003,Compromise Infrastructure: Virtual Private Server,[],[],,action.hacking.variety.Unknown,related-to,2 +615,,T1584.004,Compromise Infrastructure: Server,[],[],,action.hacking.variety.Unknown,related-to,2 +616,,T1584.006,Compromise Infrastructure: Web 
Services,[],[],,action.hacking.variety.Unknown,related-to,2 +617,,T1587,Develop Capabilities,[],[],,action.hacking.variety.Unknown,related-to,2 +618,,T1587,Develop Capabilities,[],[],,value_chain.development.variety.Unknown,related-to,2 +619,,T1587.001,Develop Capabilities: Malware,[],[],,action.hacking.variety.Unknown,related-to,2 +620,,T1587.001,Develop Capabilities: Malware,[],[],,action.malware.variety.Unknown,related-to,2 +621,,T1587.001,Develop Capabilities: Malware,[],[],,value_chain.development.variety.Bot,related-to,2 +622,,T1587.001,Develop Capabilities: Malware,[],[],,value_chain.development.variety.Payload,related-to,2 +623,,T1587.001,Develop Capabilities: Malware,[],[],,value_chain.development.variety.Ransomware,related-to,2 +624,,T1587.001,Develop Capabilities: Malware,[],[],,value_chain.development.variety.Trojan,related-to,2 +625,,T1587.002,Develop Capabilities: Code Signing Certificates,[],[],,action.hacking.variety.Unknown,related-to,2 +626,,T1587.002,Develop Capabilities: Code Signing Certificates,[],[],,value_chain.development.variety.Other,related-to,2 +627,,T1587.003,Develop Capabilities: Digital Certificates,[],[],,action.hacking.variety.Unknown,related-to,2 +628,,T1587.003,Develop Capabilities: Digital Certificates,[],[],,value_chain.development.variety.Other,related-to,2 +629,,T1587.004,Develop Capabilities: Exploits,[],[],,action.hacking.variety.Unknown,related-to,2 +630,,T1587.004,Develop Capabilities: Exploits,[],[],,action.malware.variety.Unknown,related-to,2 +631,,T1587.004,Develop Capabilities: Exploits,[],[],,value_chain.development.variety.Exploit,related-to,2 +632,,T1587.004,Develop Capabilities: Exploits,[],[],,value_chain.development.variety.Exploit Kits,related-to,2 +633,,T1588,Obtain Capabilities,[],[],,action.hacking.variety.Unknown,related-to,2 +634,,T1588,Obtain Capabilities,[],[],,value_chain.development.variety.Unknown,related-to,2 +635,,T1588.001,Obtain Capabilities: 
Malware,[],[],,action.hacking.variety.Unknown,related-to,2 +636,,T1588.001,Obtain Capabilities: Malware,[],[],,action.malware.variety.Unknown,related-to,2 +637,,T1588.001,Obtain Capabilities: Malware,[],[],,value_chain.development.variety.Bot,related-to,2 +638,,T1588.001,Obtain Capabilities: Malware,[],[],,value_chain.development.variety.Payload,related-to,2 +639,,T1588.001,Obtain Capabilities: Malware,[],[],,value_chain.development.variety.Ransomware,related-to,2 +640,,T1588.001,Obtain Capabilities: Malware,[],[],,value_chain.development.variety.Trojan,related-to,2 +641,,T1588.002,Obtain Capabilities: Tool,[],[],,action.hacking.variety.Unknown,related-to,2 +642,,T1588.003,Obtain Capabilities: Code Signing Certificates,[],[],,action.hacking.variety.Unknown,related-to,2 +643,,T1588.003,Obtain Capabilities: Code Signing Certificates,[],[],,value_chain.development.variety.Other,related-to,2 +644,,T1588.004,Obtain Capabilities: Digital Certificates,[],[],,action.hacking.variety.Unknown,related-to,2 +645,,T1588.004,Obtain Capabilities: Digital Certificates,[],[],,value_chain.development.variety.Other,related-to,2 +646,,T1588.005,Obtain Capabilities: Exploits,[],[],,action.hacking.variety.Unknown,related-to,2 +647,,T1588.005,Obtain Capabilities: Exploits,[],[],,action.malware.variety.Unknown,related-to,2 +648,,T1588.005,Obtain Capabilities: Exploits,[],[],,value_chain.development.variety.Exploit,related-to,2 +649,,T1588.005,Obtain Capabilities: Exploits,[],[],,value_chain.development.variety.Exploit Kits,related-to,2 +650,,T1588.006,Obtain Capabilities: Vulnerabilities,[],[],,action.hacking.variety.Unknown,related-to,2 +651,,T1588.006,Obtain Capabilities: Vulnerabilities,[],[],,action.malware.variety.Unknown,related-to,2 +652,,T1599,Network Boundry Bridging,[],[],,action.hacking.variety.Unknown,related-to,2 +653,,T1599.001,Network Boundry Bridging: Network Address Translation Traversal,[],[],,action.hacking.variety.Unknown,related-to,2 +654,,T1606.002,Forge Web 
Credentials: SAML Tokens,[],[],,action.hacking.variety.Unknown,related-to,2 +655,,T1531,Account Access Removal,[],[],,action.hacking.variety.Unknown,related-to,2 +656,,T1531,Account Access Removal,[],[],,attribute.availability.variety.Destruction,related-to,2 +657,,T1531,Account Access Removal,[],[],,attribute.availability.variety.Interruption,related-to,2 +658,,T1531,Account Access Removal,[],[],,attribute.integrity.variety.Unknown,related-to,2 +659,,T1219,Remote Access Software,[],[],,action.hacking.vector.Desktop sharing software,related-to,2 +660,,T1219,Remote Access Software,[],[],,action.malware.variety.Adminware,related-to,2 +661,,T1497,Virtualization/Sandbox Evasion,[],[],,action.hacking.vector.Hypervisor,related-to,2 +662,,T1497,Virtualization/Sandbox Evasion,[],[],,action.hacking.vector.Inter-tenant,related-to,2 +663,,T1497,Virtualization/Sandbox Evasion,[],[],,action.malware.variety.Disable controls,related-to,2 +664,,T1199,Trusted Relationship,[],[],,action.hacking.vector.Partner,related-to,2 +665,,T1199,Trusted Relationship,[],[],,action.malware.variety.Adware,related-to,2 +666,,T1199,Trusted Relationship,[],[],,action.malware.vector.Partner,related-to,2 +667,,T1199,Trusted Relationship,[],[],,action.social.vector.Partner,related-to,2 +668,,T1195,Supply Chain Compromise,[],[],,action.hacking.vector.Partner,related-to,2 +669,,T1195,Supply Chain Compromise,[],[],,action.malware.vector.Partner,related-to,2 +670,,T1195,Supply Chain Compromise,[],[],,action.malware.vector.Software update,related-to,2 +671,,T1195.001,Supply Chain Compromise: Compromise Software Dependencies and Development Tools,[],[],,action.hacking.vector.Partner,related-to,2 +672,,T1195.001,Supply Chain Compromise: Compromise Software Dependencies and Development Tools,[],[],,action.social.vector.Software,related-to,2 +673,,T1195.002,Supply Chain Compromise: Compromise Software Supply Chain,[],[],,action.hacking.vector.Partner,related-to,2 +674,,T1195.002,Supply Chain Compromise: 
Compromise Software Supply Chain,[],[],,action.social.vector.Software,related-to,2 +675,,T1195.003,Supply Chain Compromise: Compromise Hardware Supply Chain,[],[],,action.hacking.vector.Partner,related-to,2 +676,,T1195.003,Supply Chain Compromise: Compromise Hardware Supply Chain,[],[],,action.social.vector.Partner,related-to,2 +677,,T1200,Hardware Additions,[],[],,action.hacking.vector.Physical access,related-to,2 +678,,T1056.003,Input Capture: Web Portal Capture,[],[],,action.hacking.vector.Web application,related-to,2 +679,,T1056.003,Input Capture: Web Portal Capture,[],[],,action.malware.variety.Capture app data,related-to,2 +680,,T1056.003,Input Capture: Web Portal Capture,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +681,,T1095,Non-Application Layer Protocol,[],[],,action.hacking.vector.Other network service,related-to,2 +682,,T1095,Non-Application Layer Protocol,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +683,,T1095,Non-Application Layer Protocol,[],[],,action.malware.variety.C2,related-to,2 +684,,T1571,Non-Standard Port,[],[],,action.hacking.vector.Other network service,related-to,2 +685,,T1571,Non-Standard Port,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +686,,T1571,Non-Standard Port,[],[],,action.malware.variety.C2,related-to,2 +687,,T1505,Server Software Component,[],[],,action.malware.variety.Backdoor,related-to,2 +688,,T1505,Server Software Component,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +689,,T1505.003,Server Software Component: Web Shell,[],[],,action.malware.variety.Backdoor,related-to,2 +690,,T1505.003,Server Software Component: Web Shell,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +691,,T1071.001,Application Layer Protocol: Web Protocols,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +692,,T1071.001,Application Layer Protocol: Web Protocols,[],[],,action.malware.variety.C2,related-to,2 +693,,T1071.001,Application Layer Protocol: Web 
Protocols,[],[],,action.malware.variety.Unknown,related-to,2 +694,,T1071.002,Application Layer Protocol: File Transfer Protocol,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +695,,T1071.002,Application Layer Protocol: File Transfer Protocol,[],[],,action.malware.variety.C2,related-to,2 +696,,T1071.002,Application Layer Protocol: File Transfer Protocol,[],[],,action.malware.variety.Unknown,related-to,2 +697,,T1071.003,Application Layer Protocol: Mail Protocols,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +698,,T1071.003,Application Layer Protocol: Mail Protocols,[],[],,action.malware.variety.C2,related-to,2 +699,,T1071.003,Application Layer Protocol: Mail Protocols,[],[],,action.malware.variety.Unknown,related-to,2 +700,,T1071.004,Application Layer Protocol: DNS,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +701,,T1071.004,Application Layer Protocol: DNS,[],[],,action.malware.variety.C2,related-to,2 +702,,T1071.004,Application Layer Protocol: DNS,[],[],,action.malware.variety.Unknown,related-to,2 +703,,T1090.001,Proxy: Internal Proxy,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +704,,T1090.001,Proxy: Internal Proxy,[],[],,action.malware.variety.C2,related-to,2 +705,,T1090.002,Proxy: External Proxy,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +706,,T1090.002,Proxy: External Proxy,[],[],,action.malware.variety.C2,related-to,2 +707,,T1090.003,Proxy: Multi-hop Proxy,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +708,,T1090.003,Proxy: Multi-hop Proxy,[],[],,action.malware.variety.C2,related-to,2 +709,,T1090.004,Proxy: Domain Fronting,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +710,,T1090.004,Proxy: Domain Fronting,[],[],,action.malware.variety.C2,related-to,2 +711,,T1102.001,Web Service: Dead Drop Resolver,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +712,,T1102.001,Web Service: Dead Drop Resolver,[],[],,action.malware.variety.C2,related-to,2 +713,,T1102.002,Web 
Service: Bidirectional Communication,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +714,,T1102.002,Web Service: Bidirectional Communication,[],[],,action.malware.variety.C2,related-to,2 +715,,T1102.003,Web Service: One-Way Communication,[],[],,action.malware.variety.Backdoor or C2,related-to,2 +716,,T1102.003,Web Service: One-Way Communication,[],[],,action.malware.variety.C2,related-to,2 +717,,T1056,Input Capture,[],[],,action.malware.variety.Capture app data,related-to,2 +718,,T1056,Input Capture,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +719,,T1056.001,Input Capture: Keylogging,[],[],,action.malware.variety.Capture app data,related-to,2 +720,,T1056.001,Input Capture: Keylogging,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +721,,T1056.002,Input Capture: GUI Input Capture,[],[],,action.malware.variety.Capture app data,related-to,2 +722,,T1056.002,Input Capture: GUI Input Capture,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +723,,T1056.004,Input Capture: Credential API Hooking,[],[],,action.malware.variety.Capture app data,related-to,2 +724,,T1056.004,Input Capture: Credential API Hooking,[],[],,action.malware.variety.Password dumper,related-to,2 +725,,T1056.004,Input Capture: Credential API Hooking,[],[],,action.malware.variety.Spyware/Keylogger,related-to,2 +726,,T1056.004,Input Capture: Credential API Hooking,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +727,,T1113,Screen Capture,[],[],,action.malware.variety.Capture app data,related-to,2 +728,,T1113,Screen Capture,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +729,,T1114,Email Collection,[],[],,action.malware.variety.Capture app data,related-to,2 +730,,T1114,Email Collection,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +731,,T1114.001,Email Collection: Local Email Collection,[],[],,action.malware.variety.Capture app data,related-to,2 +732,,T1114.001,Email 
Collection: Local Email Collection,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +733,,T1114.002,Email Collection: Remote Email Collection,[],[],,action.malware.variety.Capture app data,related-to,2 +734,,T1114.002,Email Collection: Remote Email Collection,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +735,,T1114.003,Email Collection: Email Forwarding Rule,[],[],,action.malware.variety.Capture app data,related-to,2 +736,,T1114.003,Email Collection: Email Forwarding Rule,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +737,,T1114.003,Email Collection: Email Forwarding Rule,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +738,,T1123,Audio Capture,[],[],,action.malware.variety.Capture app data,related-to,2 +739,,T1123,Audio Capture,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +740,,T1125,Video Capture,[],[],,action.malware.variety.Capture app data,related-to,2 +741,,T1125,Video Capture,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +742,,T1176,Browser Extensions,[],[],,action.malware.variety.Capture app data,related-to,2 +743,,T1176,Browser Extensions,[],[],,action.malware.vector.Web application - drive-by,related-to,2 +744,,T1207,Rogue Domain Controller,[],[],,action.malware.variety.Capture app data,related-to,2 +745,,T1217,Browser Bookmark Discovery,[],[],,action.malware.variety.Capture app data,related-to,2 +746,,T1528,Steal Application Access Token,[],[],,action.malware.variety.Capture app data,related-to,2 +747,,T1003.002,OS Credential Dumping: Security Account Manager,[],[],,action.malware.variety.Capture stored data,related-to,2 +748,,T1003.002,OS Credential Dumping: Security Account Manager,[],[],,action.malware.variety.Password dumper,related-to,2 +749,,T1003.002,OS Credential Dumping: Security Account Manager,[],[],,action.malware.variety.RAM scraper,related-to,2 +750,,T1003.002,OS Credential Dumping: Security Account 
Manager,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +751,,T1003.003,OS Credential Dumping: NTDS,[],[],,action.malware.variety.Capture stored data,related-to,2 +752,,T1003.003,OS Credential Dumping: NTDS,[],[],,action.malware.variety.Password dumper,related-to,2 +753,,T1003.003,OS Credential Dumping: NTDS,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +754,,T1003.006,OS Credential Dumping: DCSync,[],[],,action.malware.variety.Capture stored data,related-to,2 +755,,T1003.006,OS Credential Dumping: DCSync,[],[],,action.malware.variety.Export data,related-to,2 +756,,T1003.006,OS Credential Dumping: DCSync,[],[],,action.malware.variety.Password dumper,related-to,2 +757,,T1003.006,OS Credential Dumping: DCSync,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +758,,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,[],[],,action.malware.variety.Capture stored data,related-to,2 +759,,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,[],[],,action.malware.variety.Password dumper,related-to,2 +760,,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +761,,T1005,Data from Local System,[],[],,action.malware.variety.Capture stored data,related-to,2 +762,,T1005,Data from Local System,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +763,,T1025,Data from Removable Media,[],[],,action.malware.variety.Capture stored data,related-to,2 +764,,T1025,Data from Removable Media,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +765,,T1039,Data from Network Shared Drive,[],[],,action.malware.variety.Capture stored data,related-to,2 +766,,T1039,Data from Network Shared Drive,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +767,,T1213.001,Data from Information Repositories: Confluence,[],[],,action.malware.variety.Capture stored data,related-to,2 +768,,T1213.001,Data 
from Information Repositories: Confluence,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +769,,T1213.002,Data from Information Repositories: Sharepoint,[],[],,action.malware.variety.Capture stored data,related-to,2 +770,,T1213.002,Data from Information Repositories: Sharepoint,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +771,,T1530,Data from Cloud Storage,[],[],,action.malware.variety.Capture stored data,related-to,2 +772,,T1530,Data from Cloud Storage,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +773,,T1221,Template Injection,[],[],,action.malware.variety.Client-side attack,related-to,2 +774,,T1070,Indicator Removal on Host,[],[],,action.malware.variety.Destroy data,related-to,2 +775,,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,[],[],,action.malware.variety.Destroy data,related-to,2 +776,,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,[],[],,attribute.integrity.variety.Log tampering,related-to,2 +777,,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,[],[],,action.malware.variety.Destroy data,related-to,2 +778,,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,[],[],,attribute.integrity.variety.Log tampering,related-to,2 +779,,T1070.003,Indicator Removal on Host: Clear Command History,[],[],,action.malware.variety.Destroy data,related-to,2 +780,,T1070.004,Indicator Removal on Host: File Deletion,[],[],,action.malware.variety.Destroy data,related-to,2 +781,,T1070.005,Indicator Removal on Host: Network Share Connection Removal,[],[],,action.malware.variety.Destroy data,related-to,2 +782,,T1070.006,Indicator Removal on Host: Timestomp,[],[],,action.malware.variety.Destroy data,related-to,2 +783,,T1485,Data Destruction,[],[],,action.malware.variety.Destroy data,related-to,2 +784,,T1485,Data Destruction,[],[],,attribute.availability.variety.Destruction,related-to,2 +785,,T1485,Data 
Destruction,[],[],,attribute.availability.variety.Interruption,related-to,2 +786,,T1495,Firmware Corruption,[],[],,action.malware.variety.Destroy data,related-to,2 +787,,T1495,Firmware Corruption,[],[],,attribute.availability.variety.Destruction,related-to,2 +788,,T1495,Firmware Corruption,[],[],,attribute.availability.variety.Interruption,related-to,2 +789,,T1495,Firmware Corruption,[],[],,attribute.availability.variety.Loss,related-to,2 +790,,T1561,Disk Wipe,[],[],,action.malware.variety.Destroy data,related-to,2 +791,,T1561,Disk Wipe,[],[],,attribute.availability.variety.Destruction,related-to,2 +792,,T1561,Disk Wipe,[],[],,attribute.availability.variety.Interruption,related-to,2 +793,,T1561,Disk Wipe,[],[],,attribute.availability.variety.Loss,related-to,2 +794,,T1561.001,Disk Wipe: Disk Content Wipe,[],[],,action.malware.variety.Destroy data,related-to,2 +795,,T1561.001,Disk Wipe: Disk Content Wipe,[],[],,attribute.availability.variety.Destruction,related-to,2 +796,,T1561.001,Disk Wipe: Disk Content Wipe,[],[],,attribute.availability.variety.Loss,related-to,2 +797,,T1561.002,Disk Wipe: Disk Structure Wipe,[],[],,action.malware.variety.Destroy data,related-to,2 +798,,T1561.002,Disk Wipe: Disk Structure Wipe,[],[],,attribute.availability.variety.Destruction,related-to,2 +799,,T1561.002,Disk Wipe: Disk Structure Wipe,[],[],,attribute.availability.variety.Interruption,related-to,2 +800,,T1561.002,Disk Wipe: Disk Structure Wipe,[],[],,attribute.availability.variety.Loss,related-to,2 +801,,T1006,Direct Volume Access,[],[],,action.malware.variety.Disable controls,related-to,2 +802,,T1027.001,Obfuscated Files or Information: Binary Padding,[],[],,action.malware.variety.Disable controls,related-to,2 +803,,T1027.002,Obfuscated Files or Information: Software Packaging,[],[],,action.malware.variety.Disable controls,related-to,2 +804,,T1027.003,Obfuscated Files or Information: Steganography,[],[],,action.malware.variety.Disable controls,related-to,2 
+805,,T1027.004,Obfuscated Files or Information: Compile After Dilevery,[],[],,action.malware.variety.Disable controls,related-to,2 +806,,T1027.005,Obfuscated Files or Information: Indicator Removal from Tools,[],[],,action.malware.variety.Disable controls,related-to,2 +807,,T1036.001,Masquerading: Invalid Code Signature,[],[],,action.malware.variety.Disable controls,related-to,2 +808,,T1036.002,Masquerading: Right-to-Left Override,[],[],,action.malware.variety.Disable controls,related-to,2 +809,,T1036.002,Masquerading: Right-to-Left Override,[],[],,action.social.variety.Forgery,related-to,2 +810,,T1036.002,Masquerading: Right-to-Left Override,[],[],,action.social.variety.Phishing,related-to,2 +811,,T1036.003,Masquerading: Rename System Utilities,[],[],,action.malware.variety.Disable controls,related-to,2 +812,,T1036.003,Masquerading: Rename System Utilities,[],[],,action.malware.variety.Rootkit,related-to,2 +813,,T1036.004,Masquerading: Masquerade Task or Service,[],[],,action.malware.variety.Disable controls,related-to,2 +814,,T1036.005,Masquerading: Match Legitimate Name or Location,[],[],,action.malware.variety.Disable controls,related-to,2 +815,,T1036.006,Masquerading: Space after Filename,[],[],,action.malware.variety.Disable controls,related-to,2 +816,,T1222,File and Directory Permissions Modification,[],[],,action.malware.variety.Disable controls,related-to,2 +817,,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,[],[],,action.malware.variety.Disable controls,related-to,2 +818,,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,[],[],,action.malware.variety.Disable controls,related-to,2 +819,,T1490,Inhibit System Recovery,[],[],,action.malware.variety.Disable controls,related-to,2 +820,,T1490,Inhibit System Recovery,[],[],,action.malware.variety.Ransomware,related-to,2 +821,,T1490,Inhibit System 
Recovery,[],[],,attribute.availability.variety.Loss,related-to,2 +822,,T1497.001,Virtualization/Sandbox Evasion: System Checks,[],[],,action.malware.variety.Disable controls,related-to,2 +823,,T1497.002,Virtualization/Sandbox Evasion: User Activity Based Checks,[],[],,action.malware.variety.Disable controls,related-to,2 +824,,T1497.003,Virtualization/Sandbox Evasion: Time Based Evasion,[],[],,action.malware.variety.Disable controls,related-to,2 +825,,T1553.001,Subvert Trust Contols: Gatekeeper Bypass,[],[],,action.malware.variety.Disable controls,related-to,2 +826,,T1553.002,Subvert Trust Contols: Code Signing,[],[],,action.malware.variety.Disable controls,related-to,2 +827,,T1553.003,Subvert Trust Contols: SIP and Trust Provider Hijacking,[],[],,action.malware.variety.Disable controls,related-to,2 +828,,T1553.004,Subvert Trust Contols: Install Root Certificate,[],[],,action.malware.variety.Disable controls,related-to,2 +829,,T1553.005,Subvert Trust Contols: Mark-of-the-Web Bypass,[],[],,action.malware.variety.Disable controls,related-to,2 +830,,T1553.006,Subvert Trust Contols: Code Signing Policy Modification,[],[],,action.malware.variety.Disable controls,related-to,2 +831,,T1562.006,Impair Defenses: Indicator Blocking,[],[],,action.malware.variety.Disable controls,related-to,2 +832,,T1574.012,Hijack Execution Flow: COR_PROFILER,[],[],,action.malware.variety.Disable controls,related-to,2 +833,,T1600.001,Weaken Encryption: Reduce Key Space,[],[],,action.malware.variety.Disable controls,related-to,2 +834,,T1600.002,Weaken Encryption: Disable Crypto Hardware,[],[],,action.malware.variety.Disable controls,related-to,2 +835,,T1601,Modify System Image,[],[],,action.malware.variety.Disable controls,related-to,2 +836,,T1601,Modify System Image,[],[],,attribute.integrity.variety.Software installation,related-to,2 +837,,T1601.001,Modify System Image: Patch System Image,[],[],,action.malware.variety.Disable controls,related-to,2 +838,,T1601.001,Modify System Image: Patch 
System Image,[],[],,attribute.integrity.variety.Software installation,related-to,2 +839,,T1601.002,Modify System Image: Downgrade System Image,[],[],,action.malware.variety.Disable controls,related-to,2 +840,,T1610,Deploy Container,[],[],,action.malware.variety.Downloader,related-to,2 +841,,T1610,Deploy Container,[],[],,action.malware.variety.Unknown,related-to,2 +842,,T1204,User Execution,[],[],,action.malware.variety.Downloader,related-to,2 +843,,T1204,User Execution,[],[],,action.malware.variety.Unknown,related-to,2 +844,,T1204,User Execution,[],[],,action.social.variety.Phishing,related-to,2 +845,,T1204,User Execution,[],[],,action.social.vector.Email,related-to,2 +846,,T1204,User Execution,[],[],,action.social.vector.Social media,related-to,2 +847,,T1204.001,User Execution: Malicious Link,[],[],,action.malware.variety.Downloader,related-to,2 +848,,T1204.001,User Execution: Malicious Link,[],[],,action.malware.variety.Unknown,related-to,2 +849,,T1204.001,User Execution: Malicious Link,[],[],,action.malware.vector.Email link,related-to,2 +850,,T1204.001,User Execution: Malicious Link,[],[],,action.social.variety.Phishing,related-to,2 +851,,T1204.001,User Execution: Malicious Link,[],[],,action.social.vector.Email,related-to,2 +852,,T1204.001,User Execution: Malicious Link,[],[],,action.social.vector.Social media,related-to,2 +853,,T1204.002,User Execution: Malicious File,[],[],,action.malware.variety.Downloader,related-to,2 +854,,T1204.002,User Execution: Malicious File,[],[],,action.malware.variety.Unknown,related-to,2 +855,,T1204.002,User Execution: Malicious File,[],[],,action.malware.vector.Email attachment,related-to,2 +856,,T1204.002,User Execution: Malicious File,[],[],,action.social.variety.Phishing,related-to,2 +857,,T1204.002,User Execution: Malicious File,[],[],,action.social.vector.Email,related-to,2 +858,,T1204.002,User Execution: Malicious File,[],[],,action.social.vector.Social media,related-to,2 +859,,T1204.003,User Execution: Malicious 
Image,[],[],,action.malware.variety.Downloader,related-to,2 +860,,T1204.003,User Execution: Malicious Image,[],[],,action.malware.variety.Trojan,related-to,2 +861,,T1204.003,User Execution: Malicious Image,[],[],,action.malware.variety.Unknown,related-to,2 +862,,T1204.003,User Execution: Malicious Image,[],[],,action.social.variety.Phishing,related-to,2 +863,,T1204.003,User Execution: Malicious Image,[],[],,action.social.variety.Pretexting,related-to,2 +864,,T1204.003,User Execution: Malicious Image,[],[],,action.social.vector.Email,related-to,2 +865,,T1204.003,User Execution: Malicious Image,[],[],,action.social.vector.Social media,related-to,2 +866,,T1011,Exfiltration Over Other Network Medium,[],[],,action.malware.variety.Export data,related-to,2 +867,,T1011,Exfiltration Over Other Network Medium,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +868,,T1011.001,Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth,[],[],,action.malware.variety.Export data,related-to,2 +869,,T1011.001,Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +870,,T1020,Automated Exfiltration,[],[],,action.malware.variety.Export data,related-to,2 +871,,T1020,Automated Exfiltration,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +872,,T1020.001,Automated Exfiltration: Traffic Duplication,[],[],,action.malware.variety.Export data,related-to,2 +873,,T1020.001,Automated Exfiltration: Traffic Duplication,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +874,,T1029,Scheduled Transfer,[],[],,action.malware.variety.Export data,related-to,2 +875,,T1029,Scheduled Transfer,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +876,,T1030,Data Transfer Size Limits,[],[],,action.malware.variety.Export data,related-to,2 +877,,T1030,Data Transfer Size Limits,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 
+878,,T1041,Exfiltration Over C2 Channels,[],[],,action.malware.variety.Export data,related-to,2 +879,,T1041,Exfiltration Over C2 Channels,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +880,,T1048,Exfiltration Over Alternative Protocol,[],[],,action.malware.variety.Export data,related-to,2 +881,,T1048,Exfiltration Over Alternative Protocol,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +882,,T1048.001,Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,action.malware.variety.Export data,related-to,2 +883,,T1048.001,Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +884,,T1048.002,Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,action.malware.variety.Export data,related-to,2 +885,,T1048.002,Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +886,,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protcol,[],[],,action.malware.variety.Export data,related-to,2 +887,,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protcol,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +888,,T1052,Exfiltration Over Physical Medium,[],[],,action.malware.variety.Export data,related-to,2 +889,,T1052,Exfiltration Over Physical Medium,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +890,,T1052.001,Exfiltration Over Physical Medium: Exfiltration over USB,[],[],,action.malware.variety.Export data,related-to,2 +891,,T1052.001,Exfiltration Over Physical Medium: Exfiltration over USB,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +892,,T1074,Data 
Staged,[],[],,action.malware.variety.Export data,related-to,2 +893,,T1074.001,Data Staged: Local Data Staging,[],[],,action.malware.variety.Export data,related-to,2 +894,,T1074.002,Data Staged: Remote Data Staging,[],[],,action.malware.variety.Export data,related-to,2 +895,,T1197,BITS Jobs,[],[],,action.malware.variety.Export data,related-to,2 +896,,T1537,Transfer Data to Cloud Account,[],[],,action.malware.variety.Export data,related-to,2 +897,,T1537,Transfer Data to Cloud Account,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +898,,T1560,Archive Collected Data,[],[],,action.malware.variety.Export data,related-to,2 +899,,T1560.001,Archive Collected Data: Archive via Utility,[],[],,action.malware.variety.Export data,related-to,2 +900,,T1560.002,Archive Collected Data: Archive via Library,[],[],,action.malware.variety.Export data,related-to,2 +901,,T1560.003,Archive Collected Data: Archive via Custom Method,[],[],,action.malware.variety.Export data,related-to,2 +902,,T1567,Exfiltration Over Web Service,[],[],,action.malware.variety.Export data,related-to,2 +903,,T1567,Exfiltration Over Web Service,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +904,,T1567.001,Exfiltration Over Web Service: Exfiltration to Code Repository,[],[],,action.malware.variety.Export data,related-to,2 +905,,T1567.001,Exfiltration Over Web Service: Exfiltration to Code Repository,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +906,,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,[],[],,action.malware.variety.Export data,related-to,2 +907,,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +908,,T1003.007,OS Credential Dumping: Proc Filesystem,[],[],,action.malware.variety.In-memory,related-to,2 +909,,T1003.007,OS Credential Dumping: Proc Filesystem,[],[],,action.malware.variety.Password dumper,related-to,2 
+910,,T1003.007,OS Credential Dumping: Proc Filesystem,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +911,,T1055,Process Injection,[],[],,action.malware.variety.In-memory,related-to,2 +912,,T1055.001,Process Injection: Dynamic-link Library Injection,[],[],,action.malware.variety.In-memory,related-to,2 +913,,T1055.002,Process Injection: Portable Executable Injection,[],[],,action.malware.variety.In-memory,related-to,2 +914,,T1055.003,Process Injection: Thread Execution Hijacking,[],[],,action.malware.variety.In-memory,related-to,2 +915,,T1055.004,Process Injection: Asynchronous Procedure Call,[],[],,action.malware.variety.In-memory,related-to,2 +916,,T1055.005,Process Injection: Thread Local Storage,[],[],,action.malware.variety.In-memory,related-to,2 +917,,T1055.008,Process Injection: Ptrace System Calls,[],[],,action.malware.variety.In-memory,related-to,2 +918,,T1055.009,Process Injection: Proc Memory,[],[],,action.malware.variety.In-memory,related-to,2 +919,,T1055.011,Process Injection: Extra Window Memory Injection,[],[],,action.malware.variety.In-memory,related-to,2 +920,,T1055.012,Process Injection: Process Hollowing,[],[],,action.malware.variety.In-memory,related-to,2 +921,,T1055.013,Process Injection: Process Doppelganging,[],[],,action.malware.variety.In-memory,related-to,2 +922,,T1055.014,Process Injection: VDSO Hijacking,[],[],,action.malware.variety.In-memory,related-to,2 +923,,T1115,Clipboard Data,[],[],,action.malware.variety.In-memory,related-to,2 +924,,T1115,Clipboard Data,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +925,,T1557.003,DHCP Spoofing,[],[],,action.malware.variety.MitM,related-to,2 +926,,T1003,OS Credential Dumping,[],[],,action.malware.variety.Password dumper,related-to,2 +927,,T1003,OS Credential Dumping,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +928,,T1003.001,OS Credential Dumping: LSASS Memory,[],[],,action.malware.variety.Password dumper,related-to,2 
+929,,T1003.001,OS Credential Dumping: LSASS Memory,[],[],,action.malware.variety.RAM scraper,related-to,2 +930,,T1003.001,OS Credential Dumping: LSASS Memory,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +931,,T1003.004,OS Credential Dumping: LSA Secrets,[],[],,action.malware.variety.Password dumper,related-to,2 +932,,T1003.004,OS Credential Dumping: LSA Secrets,[],[],,action.malware.variety.RAM scraper,related-to,2 +933,,T1003.004,OS Credential Dumping: LSA Secrets,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +934,,T1003.005,OS Credential Dumping: Cached Domain Credentials,[],[],,action.malware.variety.Password dumper,related-to,2 +935,,T1003.005,OS Credential Dumping: Cached Domain Credentials,[],[],,action.malware.variety.RAM scraper,related-to,2 +936,,T1003.005,OS Credential Dumping: Cached Domain Credentials,[],[],,action.malware.vector.Email link,related-to,2 +937,,T1003.005,OS Credential Dumping: Cached Domain Credentials,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +938,,T1552.001,Unsecured Credentials: Credentials in Files,[],[],,action.malware.variety.Password dumper,related-to,2 +939,,T1552.001,Unsecured Credentials: Credentials in Files,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +940,,T1552.002,Unsecured Credentials: Credentials in Registry,[],[],,action.malware.variety.Password dumper,related-to,2 +941,,T1552.002,Unsecured Credentials: Credentials in Registry,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +942,,T1552.003,Unsecured Credentials: Bash History,[],[],,action.malware.variety.Password dumper,related-to,2 +943,,T1552.003,Unsecured Credentials: Bash History,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +944,,T1552.004,Unsecured Credentials: Private Keys,[],[],,action.malware.variety.Password dumper,related-to,2 +945,,T1552.004,Unsecured Credentials: Private 
Keys,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +946,,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,[],[],,action.malware.variety.Password dumper,related-to,2 +947,,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +948,,T1552.006,Unsecured Credentials: Group Policy Preferences,[],[],,action.malware.variety.Password dumper,related-to,2 +949,,T1552.006,Unsecured Credentials: Group Policy Preferences,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +950,,T1555,Credentials from Password Stores,[],[],,action.malware.variety.Password dumper,related-to,2 +951,,T1555,Credentials from Password Stores,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +952,,T1555.001,Credentials from Password Stores: Keychain,[],[],,action.malware.variety.Password dumper,related-to,2 +953,,T1555.001,Credentials from Password Stores: Keychain,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +954,,T1555.002,Credentials from Password Stores: Securityd Memory,[],[],,action.malware.variety.Password dumper,related-to,2 +955,,T1555.002,Credentials from Password Stores: Securityd Memory,[],[],,action.malware.variety.RAM scraper,related-to,2 +956,,T1555.002,Credentials from Password Stores: Securityd Memory,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +957,,T1555.003,Credentials from Password Stores: Credentials from Web Browser,[],[],,action.malware.variety.Password dumper,related-to,2 +958,,T1555.003,Credentials from Password Stores: Credentials from Web Browser,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +959,,T1555.004,Credentials from Password Stores: Windows Credential Manager,[],[],,action.malware.variety.Password dumper,related-to,2 +960,,T1555.004,Credentials from Password Stores: Windows Credential 
Manager,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +961,,T1555.005,Credentials from Password Stores: Password Managers,[],[],,action.malware.variety.Password dumper,related-to,2 +962,,T1555.005,Credentials from Password Stores: Password Managers,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +963,,T1486,Data Encrypted for Impact,[],[],,action.malware.variety.Ransomware,related-to,2 +964,,T1486,Data Encrypted for Impact,[],[],,attribute.availability.variety.Interruption,related-to,2 +965,,T1486,Data Encrypted for Impact,[],[],,attribute.availability.variety.Obscuration,related-to,2 +966,,T1542,Pre-OS Boot,[],[],,action.malware.variety.Rootkit,related-to,2 +967,,T1542.001,Pre-OS Boot: System Firmware,[],[],,action.malware.variety.Rootkit,related-to,2 +968,,T1542.002,Pre-OS Boot: Component Firmware,[],[],,action.malware.variety.Rootkit,related-to,2 +969,,T1542.003,Pre-OS Boot: Bootkit,[],[],,action.malware.variety.Rootkit,related-to,2 +970,,T1542.004,Pre-OS Boot: ROMMONkit,[],[],,action.malware.variety.Rootkit,related-to,2 +971,,T1542.005,Pre-OS Boot: TFTP Boot,[],[],,action.malware.variety.Rootkit,related-to,2 +972,,T1016,System Network Configuration Discovery,[],[],,action.malware.variety.Scan network,related-to,2 +973,,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,[],[],,action.malware.variety.Scan network,related-to,2 +974,,T1482,Domain Trust Discovery,[],[],,action.malware.variety.Scan network,related-to,2 +975,,T1595,Active Scanning,[],[],,action.malware.variety.Scan network,related-to,2 +976,,T1595.001,Active Scanning: Scanning IP Blocks,[],[],,action.malware.variety.Scan network,related-to,2 +977,,T1080,Taint Shared Content,[],[],,action.malware.variety.Unknown,related-to,2 +978,,T1080,Taint Shared Content,[],[],,action.malware.variety.Worm,related-to,2 +979,,T1080,Taint Shared Content,[],[],,attribute.integrity.variety.Software installation,related-to,2 +980,,T1091,Replication 
Through Removable Media,[],[],,action.malware.variety.Worm,related-to,2 +981,,T1091,Replication Through Removable Media,[],[],,action.malware.vector.Removable media,related-to,2 +982,,T1091,Replication Through Removable Media,[],[],,action.social.vector.Removable media,related-to,2 +983,,T1140,Deobfuscate/Decode Files or Information,[],[],,action.malware.variety.Unknown,related-to,2 +984,,T1608,Stage Capabilities,[],[],,action.malware.variety.Unknown,related-to,2 +985,,T1608.001,Stage Capabilities: Upload Malware,[],[],,action.malware.variety.Unknown,related-to,2 +986,,T1608.002,Stage Capabilities: Upload Tools,[],[],,action.malware.variety.Unknown,related-to,2 +987,,T1608.003,Stage Capabilities: Install Digital Certificate,[],[],,action.malware.variety.Unknown,related-to,2 +988,,T1608.004,Stage Capabilities: Drive-by Target,[],[],,action.malware.variety.Unknown,related-to,2 +989,,T1608.005,Stage Capabilities: Link Target,[],[],,action.malware.variety.Unknown,related-to,2 +990,,T1612,Build Image on Host,[],[],,action.malware.variety.Unknown,related-to,2 +991,,T1566.001,Phishing: Spearphishing Attachment,[],[],,action.malware.vector.Email,related-to,2 +992,,T1566.001,Phishing: Spearphishing Attachment,[],[],,action.malware.vector.Email attachment,related-to,2 +993,,T1566.001,Phishing: Spearphishing Attachment,[],[],,action.social.variety.Phishing,related-to,2 +994,,T1566.001,Phishing: Spearphishing Attachment,[],[],,action.social.vector.Email,related-to,2 +995,,T1598.002,Phishing for Information: Spearphishing Attachment,[],[],,action.malware.vector.Email attachment,related-to,2 +996,,T1598.002,Phishing for Information: Spearphishing Attachment,[],[],,action.social.variety.Phishing,related-to,2 +997,,T1598.002,Phishing for Information: Spearphishing Attachment,[],[],,action.social.variety.Pretexting,related-to,2 +998,,T1556.002,Phishing: Spearphishing Link,[],[],,action.malware.vector.Email link,related-to,2 +999,,T1556.002,Phishing: Spearphishing 
Link,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1000,,T1556.002,Phishing: Spearphishing Link,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1001,,T1598.003,Phishing for Information: Spearphishing Link,[],[],,action.malware.vector.Email link,related-to,2 +1002,,T1598.003,Phishing for Information: Spearphishing Link,[],[],,action.social.variety.Phishing,related-to,2 +1003,,T1598.003,Phishing for Information: Spearphishing Link,[],[],,action.social.variety.Pretexting,related-to,2 +1004,,T1566,Phishing,[],[],,action.malware.vector.Instant messaging,related-to,2 +1005,,T1566,Phishing,[],[],,action.social.variety.Phishing,related-to,2 +1006,,T1566,Phishing,[],[],,action.social.vector.Email,related-to,2 +1007,,T1570,Lateral Tool Transfer,[],[],,action.malware.vector.Network propagation,related-to,2 +1008,,T1092,Communication Through Removable Media,[],[],,action.malware.vector.Removable media,related-to,2 +1009,,T1189,Drive-by Compromise,[],[],,action.malware.vector.Web application - drive-by,related-to,2 +1010,,T1189,Drive-by Compromise,[],[],,action.social.vector.Web application,related-to,2 +1011,,T1566.002,Phishing: Spearphishing Link,[],[],,action.social.variety.Phishing,related-to,2 +1012,,T1566.002,Phishing: Spearphishing Link,[],[],,action.social.vector.Email,related-to,2 +1013,,T1566.002,Phishing: Spearphishing Link,[],[],,action.social.vector.Web application,related-to,2 +1014,,T1566.003,Phishing: Spearphishing via Service,[],[],,action.social.variety.Phishing,related-to,2 +1015,,T1566.003,Phishing: Spearphishing via Service,[],[],,action.social.vector.Email,related-to,2 +1016,,T1598,Phishing for Information,[],[],,action.social.variety.Phishing,related-to,2 +1017,,T1598,Phishing for Information,[],[],,action.social.variety.Pretexting,related-to,2 +1018,,T1598.001,Phishing for Information: Spearphishing Service,[],[],,action.social.variety.Phishing,related-to,2 +1019,,T1598.001,Phishing for Information: 
Spearphishing Service,[],[],,action.social.variety.Pretexting,related-to,2 +1020,,T1534,Internal Spearphishing,[],[],,action.social.variety.Pretexting,related-to,2 +1021,,T1534,Internal Spearphishing,[],[],,attribute.integrity.variety.Misrepresentation,related-to,2 +1022,,T1585,Establish Accounts,[],[],,action.social.variety.Pretexting,related-to,2 +1023,,T1585,Establish Accounts,[],[],,value_chain.development.variety.Persona,related-to,2 +1024,,T1585.001,Establish Accounts: Social Media Accounts,[],[],,action.social.variety.Pretexting,related-to,2 +1025,,T1585.001,Establish Accounts: Social Media Accounts,[],[],,value_chain.development.variety.Persona,related-to,2 +1026,,T1585.002,Establish Accounts: Email Account,[],[],,action.social.variety.Pretexting,related-to,2 +1027,,T1585.002,Establish Accounts: Email Account,[],[],,value_chain.development.variety.Persona,related-to,2 +1028,,T1546.001,Event Triggered Execution: Change Default File Association,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1029,,T1546.002,Event Triggered Execution Screensaver,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1030,,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1031,,T1546.004,Event Triggered Execution: Unix Shell Configuration Modification,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1032,,T1546.005,Event Triggered Execution: Trap,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1033,,T1546.006,Event Triggered Execution: LC_LOAD_DYLIB Addition,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1034,,T1546.007,Event Triggered Execution: Netsh Helper DLL,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1035,,T1546.008,Event Triggered Execution: Accessibility Features,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1036,,T1546.009,Event Triggered Execution: AppCert 
DLLs,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1037,,T1546.010,Event Triggered Execution: AppInit DLLs,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1038,,T1546.011,Event Triggered Execution: Application Shimming,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1039,,T1546.012,Event Triggered Execution: Image File Execution Options Injection,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1040,,T1546.013,Event Triggered Execution: PowerShell Profile,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1041,,T1546.014,Event Triggered Execution: Emond,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1042,,T1546.015,Event Triggered Execution: Component Object Model Hijacking,[],[],,attribute.integrity.variety.Alter behavior,related-to,2 +1043,,T1136.001,Create Account: Local Account,[],[],,attribute.integrity.variety.Created account,related-to,2 +1044,,T1136.002,Create Account: Domain Account,[],[],,attribute.integrity.variety.Created account,related-to,2 +1045,,T1136.003,Create Account: Cloud Account,[],[],,attribute.integrity.variety.Created account,related-to,2 +1046,,T1491,Defacement,[],[],,attribute.availability.variety.Obscuration,related-to,2 +1047,,T1491,Defacement,[],[],,attribute.integrity.variety.Defacement,related-to,2 +1048,,T1491.001,Defacement: Internal Defacement,[],[],,attribute.availability.variety.Obscuration,related-to,2 +1049,,T1491.001,Defacement: Internal Defacement,[],[],,attribute.integrity.variety.Defacement,related-to,2 +1050,,T1491.002,Defacement: External Defacement,[],[],,attribute.availability.variety.Obscuration,related-to,2 +1051,,T1491.002,Defacement: External Defacement,[],[],,attribute.integrity.variety.Defacement,related-to,2 +1052,,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1053,,T1037.002,Boot or Logon Initialization Scripts: Logon Script 
(Mac),[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1054,,T1037.003,Boot or Logon Initialization Scripts: Network Logon Script,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1055,,T1037.004,Boot or Logon Initialization Scripts: RC Scripts,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1056,,T1037.005,Boot or Logon Initialization Scripts: Startup Items,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1057,,T1484,Domain Policy Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1058,,T1484.001,Domain Policy Modification: Group Policy Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1059,,T1484.002,Domain Policy Modification: Domain Trust Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1060,,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1061,,T1547.002,Boot or Logon Autostart Execution: Authentication Package,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1062,,T1547.003,Boot or Logon Autostart Execution: Time Providers,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1063,,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1064,,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1065,,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1066,,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1067,,T1547.008,Boot or Logon Autostart Execution: LSASS 
Driver,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1068,,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1069,,T1547.010,Boot or Logon Autostart Execution: Port Monitors,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1070,,T1547.012,Boot or Logon Autostart Execution: Print Processors,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1071,,T1547.013,Boot or Logon Autostart Execution: XDG Autostart Entries,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1072,,T1556.001,Modify Authentication Process: Domain Controller Authentication,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1073,,T1556.001,Modify Authentication Process: Domain Controller Authentication,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1074,,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1075,,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1076,,T1556.004,Modify Authentication Process: Network Device Authentication,[],[],,attribute.integrity.variety.Modify configuration,related-to,2 +1077,,T1556.004,Modify Authentication Process: Network Device Authentication,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1078,,T1565,Data Manipulation,[],[],,attribute.integrity.variety.Modify data,related-to,2 +1079,,T1565.001,Data Manipulation: Stored Data Manipulation,[],[],,attribute.integrity.variety.Modify data,related-to,2 +1080,,T1565.002,Data Manipulation: Transmitted Data Manipulation,[],[],,attribute.integrity.variety.Modify data,related-to,2 +1081,,T1565.003,Data Manipulation: Runtime Data Manipulation,[],[],,attribute.integrity.variety.Modify data,related-to,2 
+1082,,T1098.001,Account Manipulation: Additional Cloud Credentials,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1083,,T1098.002,Account Manipulation: Exchange Email Delegate Permissions,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1084,,T1098.003,Account Manipulation: Add Office 365 Global Administrator Role,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1085,,T1098.004,Account Manipulation: SSH Authorized Keys,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1086,,T1547.014,Boot or Logon Autostart Execution: Active Setup,[],[],,attribute.integrity.variety.Modify privileges,related-to,2 +1087,,T1535,Unused/Unsupported Cloud Regions,[],[],,attribute.integrity.variety.Repurpose,related-to,2 +1088,,T1546.016,Event Triggered Execution: Installer Packages,[],[],,attribute.integrity.variety.Software installation,related-to,2 +1089,,T1213.003,Code Repositories,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +1090,,T1552,Unsecured Credentials,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 +1091,,T1552.007,Unsecured Credentials: Container API,[],[],,"attribute.confidentiality."""".data_disclosure",related-to,2 diff --git a/src/mappings_explorer/cli/mapex/veris_files/1.3.7/parsed_veris_mappings_metadata.csv b/src/mappings_explorer/cli/mapex/veris_files/1.3.7/parsed_veris_mappings_metadata.csv new file mode 100644 index 00000000..3185491e --- /dev/null +++ b/src/mappings_explorer/cli/mapex/veris_files/1.3.7/parsed_veris_mappings_metadata.csv @@ -0,0 +1,2 @@ +,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key +0,2.0,12.1,enterprise,,,02/03/21,10/27/21,,VERIS Framework,1.3.7,2 diff --git a/src/mappings_explorer/cli/mapex/write_parsed_mappings.py b/src/mappings_explorer/cli/mapex/write_parsed_mappings.py index 23c4429f..398a542e 100644 
--- a/src/mappings_explorer/cli/mapex/write_parsed_mappings.py +++ b/src/mappings_explorer/cli/mapex/write_parsed_mappings.py @@ -18,16 +18,16 @@ def write_parsed_mappings_csv(parsed_mappings, filepath, metadata_key): # create csv with metadata metadata_object = parsed_mappings["metadata"] metadata_object["key"] = metadata_key - metadata_object_df = pd.DataFrame(metadata_object, index=[0]) - metadata_object_df.to_csv(f"{filepath}_metadata-objects.csv") + metadata_df = pd.DataFrame(metadata_object, index=[0]) + metadata_df.to_csv(f"{filepath}_metadata.csv") # create csv with attack objects attack_objects = parsed_mappings["attack-objects"] for attack_object in attack_objects: - attack_object["metadata_key"] = metadata_key + attack_object["metadata-key"] = metadata_key attack_object_df = pd.DataFrame(attack_objects) - attack_object_df.to_csv(f"{filepath}_attack-objects.csv") + attack_object_df.to_csv(f"{filepath}_attack_objects.csv") def write_parsed_mappings_navigator_layer(parsed_mappings, filepath, mapping_type): diff --git a/src/mappings_explorer/cli/mapex_convert/parse_nist_mappings.py b/src/mappings_explorer/cli/mapex_convert/parse_nist_mappings.py index 6e6d7d3a..0f5e5462 100644 --- a/src/mappings_explorer/cli/mapex_convert/parse_nist_mappings.py +++ b/src/mappings_explorer/cli/mapex_convert/parse_nist_mappings.py @@ -30,7 +30,7 @@ def configure_nist_mappings(dataframe, attack_version, mappings_version): "references": [], "tags": [], "mapping-description": "", - "capability-id": row["Control Name"], + "capability-id": row["Control ID"], "mapping-type": row["Mapping Type"], } ) diff --git a/src/mappings_explorer/cli/parsed_mappings/nist/10.1/r4/parsed_nist800-53-r4-10_1mappings.json b/src/mappings_explorer/cli/parsed_mappings/nist/10.1/r4/parsed_nist800-53-r4-10_1mappings.json index 12b8f741..4800bbf8 100644 --- a/src/mappings_explorer/cli/parsed_mappings/nist/10.1/r4/parsed_nist800-53-r4-10_1mappings.json 
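Review bot: `write_parsed_mappings_csv` still writes into its argument: `metadata_object["key"] = metadata_key` and the loop that sets `attack_object["metadata-key"]` modify the caller's `parsed_mappings` in place. Any writer that later runs on the same object would presumably emit the CSV join key as well. Building the frames from copies avoids that: `metadata_df = pd.DataFrame({**metadata_object, "key": metadata_key}, index=[0])` and `attack_object_df = pd.DataFrame([{**o, "metadata-key": metadata_key} for o in attack_objects])`. The function's opening lines are outside the hunk, so this assumes nothing above relies on the mutation.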
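Review bot: The new `row["Control ID"]` value is stored as `capability-id` with no check, so a blank cell in the source spreadsheet would produce a mapping record whose control identifier is empty or NaN. These records state which control mitigates which technique, so a row without a usable ID should stop the conversion rather than be written out. A guard before the append would do it, for example `if pd.isna(row["Control ID"]): raise ValueError("mapping row without Control ID")`, assuming pandas is imported as `pd` in this module as it is in write_parsed_mappings.py. The control name that used to fill this field is also no longer kept under any key visible in the hunk, which is worth confirming as intended. `configure_nist_mappings` begins and ends outside the hunk.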
+++ b/src/mappings_explorer/cli/parsed_mappings/nist/10.1/r4/parsed_nist800-53-r4-10_1mappings.json 
@@ -1 +1 @@ -{"metadata": {"mapping-version": "r4", "attack-version": "10.1", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Permitted Actions Without Identification Or Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network 
Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security 
Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": 
"Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", 
"attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", 
"attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote 
Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": 
"Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage 
Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": 
"LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", 
"attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain 
Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": 
"Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": 
"Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": 
"Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System 
Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information 
Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": 
"Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", 
"attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote 
Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", 
"attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": 
"Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", 
"attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack 
Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation 
Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", 
"attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", 
"attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": 
"RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of 
Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", 
"attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": 
"BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", 
"attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", 
"attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Use Notification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing 
Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in 
Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", 
"attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting 
Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", 
"attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", 
"attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify 
System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", 
"attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", 
"attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": 
"Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious 
Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", 
"attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport 
Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or 
Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", 
"attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", 
"attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data 
from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable 
Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", 
"attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration 
Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain 
Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", 
"attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", 
"attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning 
and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", 
"attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud 
Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured 
Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", 
"attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of 
Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", 
"attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by 
PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device 
Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate 
Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": 
"Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication 
(Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication 
(Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory 
Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And 
Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain 
Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": 
"Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication 
(Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data 
from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": 
"Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator 
Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational 
Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information 
Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service 
Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Incident Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": 
"Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", 
"attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", 
"attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer 
Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", 
"attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Trustworthiness", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", 
"attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": 
"SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key 
Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", 
"attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for 
Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": 
"Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution 
Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", 
"attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", 
"attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Operations Security", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Operations Security", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication 
Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Resource Availability", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain 
Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", 
"attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": 
"Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": 
"Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": 
"Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", 
"attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", 
"attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart 
Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": 
"Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data 
from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup 
Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", 
"attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal 
Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", 
"attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service 
Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", 
"attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", 
"attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": 
"Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": 
"Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense 
Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", 
"attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}]} \ No newline at end of file +{"metadata": {"mapping-version": "r4", "attack-version": 
"10.1", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser 
Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File 
and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": 
"NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows 
Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows 
Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": 
"Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", 
"attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust 
Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", 
"attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", 
"attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting 
Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", 
"attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System 
Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote 
Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for 
Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", 
"attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", 
"attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": 
"SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting 
Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication 
Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", 
"attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", 
"attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", 
"attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", 
"attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control 
Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", 
"attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", 
"attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": 
"Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": 
"VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", 
"attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply 
Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy 
Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": 
"Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", 
"attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", 
"attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": 
"Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", 
"attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": 
"Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and 
Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", 
"attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic 
Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", 
"attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search 
Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", 
"attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", 
"attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": 
"Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge 
Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc 
Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", 
"attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", 
"attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS 
Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", 
"attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", 
"attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", 
"attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning 
and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", 
"attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", 
"attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", 
"attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": 
"System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", 
"attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": 
"Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": 
"LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", 
"attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", 
"attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", 
"attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", 
"attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": 
"Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", 
"attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": 
"Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote 
Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", 
"attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", 
"attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": 
"Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", 
"attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": 
"ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", 
"attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions 
Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", 
"attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", 
"attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software 
Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", 
"attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", 
"attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", 
"attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer 
Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", 
"attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-38", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-38", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", 
"attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": 
"Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", 
"attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": 
"OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", 
"attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment 
Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", 
"attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", 
"attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", 
"attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing 
Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", 
"attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": 
"Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", 
"attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", 
"attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", 
"attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": 
"Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", 
"attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native 
API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", 
"attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", 
"attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", 
"attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", 
"attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", 
"attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify 
System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", 
"attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", 
"attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}]}
\ No newline at end of file
diff --git a/src/mappings_explorer/cli/parsed_mappings/nist/10.1/r5/parsed_nist800-53-r5-10_1mappings.json b/src/mappings_explorer/cli/parsed_mappings/nist/10.1/r5/parsed_nist800-53-r5-10_1mappings.json
index 74265e09..7885752a 100644
--- a/src/mappings_explorer/cli/parsed_mappings/nist/10.1/r5/parsed_nist800-53-r5-10_1mappings.json
+++ b/src/mappings_explorer/cli/parsed_mappings/nist/10.1/r5/parsed_nist800-53-r5-10_1mappings.json
@@ -1 +1 @@ -{"metadata": {"mapping-version": "r5", "attack-version": "10.1", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Permitted Actions Without Identification or Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and 
Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", 
"attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security 
and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin 
Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", 
"attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS 
Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", 
"attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": 
"Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", 
"attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", 
"attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", 
"attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External 
Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 
365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code 
Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", 
"attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", 
"attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": 
"Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": 
"Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": 
"Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", 
"attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", 
"attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": 
"Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", 
"attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": 
"Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard 
Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": 
"Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of 
Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": 
"SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of 
Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", 
"attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", 
"attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", 
"attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Use Notification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS 
Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin 
Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", 
"attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": 
"Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access 
Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service 
Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path 
Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration 
Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", 
"attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": 
"Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Location", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Location", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol 
Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and 
/etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", 
"attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information 
Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event 
Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", 
"attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": 
"Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled 
Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and 
Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", 
"attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode 
Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary 
Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", 
"attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", 
"attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion 
Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", 
"attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", 
"attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the 
Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", 
"attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event 
Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", 
"attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", 
"attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", 
"attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", 
"attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component 
Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": 
"Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification 
and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and 
Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", 
"attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", 
"attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication 
(organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device 
Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": 
"Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential 
Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", 
"attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify 
System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and 
Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": 
"Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", 
"attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Incident Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", 
"attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and 
Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and 
Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", 
"attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and 
Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": 
"ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware 
Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", 
"attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and 
Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure 
Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel 
Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management 
Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable 
Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": 
"Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Operations Security", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Operations Security", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account 
Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain 
Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in 
Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data 
from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Resource Availability", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", 
"attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", 
"attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", 
"attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", 
"attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input 
Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device 
Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", 
"attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", 
"attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", 
"attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization 
Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", 
"attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": 
"Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious 
Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", 
"attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", 
"attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", 
"attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", 
"attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password 
Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", 
"attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": 
"Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration 
Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", 
"attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over 
Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}]} \ No newline at end of file +{"metadata": {"mapping-version": "r5", "attack-version": "10.1", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", 
"attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP 
Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote 
Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": 
"PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", 
"attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack 
Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": 
"Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": 
"Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from 
Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over 
USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", 
"attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email 
Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": 
"Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External 
Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch 
Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", 
"attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", 
"attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": 
"Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS 
Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", 
"attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", 
"attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing 
for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", 
"attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", 
"attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", 
"attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", 
"attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", 
"attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", 
"attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", 
"attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", 
"attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", 
"attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", 
"attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation 
Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted 
Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", 
"attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", 
"attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", 
"attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", 
"attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": 
"Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File 
Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", 
"attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": 
"Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": 
"Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token 
Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack 
Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", 
"attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over 
Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH 
Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": 
"Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", 
"attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", 
"attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": 
"Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": 
"Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", 
"attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", 
"attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify 
System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin 
Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable 
Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", 
"attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": 
"Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", 
"attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted 
Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened 
Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", 
"attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", 
"attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate 
Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", 
"attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", 
"attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": 
"Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path 
Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System 
Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or 
Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", 
"attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", 
"attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", 
"attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", 
"attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", 
"attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application 
Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-38", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-38", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": 
"Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-43", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-43", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", 
"attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote 
Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data 
Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": 
"Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", 
"attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template 
Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", 
"attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric 
Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", 
"attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": 
"InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script 
Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured 
Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service 
Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": 
"Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process 
Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", 
"attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", 
"attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", 
"attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration 
Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", 
"attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": 
"Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", 
"attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor 
Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", 
"attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and 
Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via 
Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", 
"attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange 
Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", 
"attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", 
"attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", 
"attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", 
"attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}]} \ No newline at end of file diff --git a/src/mappings_explorer/cli/parsed_mappings/nist/12.1/r4/parsed_nist800-53-r4-12_1mappings.json b/src/mappings_explorer/cli/parsed_mappings/nist/12.1/r4/parsed_nist800-53-r4-12_1mappings.json index 3bc33414..08c04154 100644 --- a/src/mappings_explorer/cli/parsed_mappings/nist/12.1/r4/parsed_nist800-53-r4-12_1mappings.json +++ b/src/mappings_explorer/cli/parsed_mappings/nist/12.1/r4/parsed_nist800-53-r4-12_1mappings.json 
@@ -1 +1 @@ -{"metadata": {"mapping-version": "r4", "attack-version": "12.1", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Policy and Procedures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Policy and Procedures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Session Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Permitted Actions Without Identification Or Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", 
"attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", 
"attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security 
Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email 
Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", 
"attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", 
"attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", 
"attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1585.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1586.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account 
Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", 
"attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": 
"Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": 
"Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1583.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1584.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information 
Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", 
"attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of 
External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", 
"attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": 
"Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and 
/etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", 
"attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": 
"Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": 
"Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", 
"attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", 
"attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.002", "attack-object-name": "Socket Filters", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforncement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for 
Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": 
"Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": 
"Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", 
"attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", 
"attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos 
Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container 
Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password 
Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", 
"attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of 
Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create 
Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", 
"attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", 
"attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", 
"attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled 
Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", 
"attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": 
"Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", 
"attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful 
Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Use Notification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Policy and Procedures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Policy and Procedures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Event Logging", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Event Logging", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Response to Audit Processing Failure", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "Audit Review, Analysis, and Reporting ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Audit Review, Analysis, & Reporting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Interconnections", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy 
Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", 
"attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", 
"attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", 
"attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust 
Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", 
"attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": 
"AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software 
Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", 
"attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", 
"attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", 
"attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": 
"Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", 
"attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", 
"attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", 
"attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": 
"Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restriction for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", 
"attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", 
"attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", 
"attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": 
"Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For 
Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", 
"attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", 
"attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": 
"Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": 
"Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": 
"MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", 
"attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", 
"attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", 
"attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", 
"attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System 
Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component 
Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted 
Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", 
"attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual 
Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", 
"attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data 
Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1585.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1586.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and 
Authentication (Organizational Users) ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (Organizational Users) ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud 
Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code 
Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At 
(Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP 
Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic 
Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", 
"attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication 
(Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", 
"attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": 
"Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Incident Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": 
"Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability 
Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", 
"attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": 
"Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", 
"attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply 
Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And 
Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Trustworthiness", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development 
Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", 
"attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Information System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", 
"attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure 
Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": 
"Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application 
Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode 
Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over 
Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": 
"Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At 
Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", 
"attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function 
Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration 
Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And 
Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", 
"attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", 
"attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Operations Security", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Operations Security", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1595.003", "attack-object-name": "Wordlist Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", 
"attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Resource Availability", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1583.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1584.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", 
"attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object 
Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard 
Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": 
"Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container 
Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing 
Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", 
"attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": 
"DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input 
Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": 
"Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And 
Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", 
"attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output 
Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": 
"Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.015", "attack-object-name": "ListPlanting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon 
Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", 
"attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.002", "attack-object-name": "Socket Filters", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal 
Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": 
"Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", 
"attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": 
"Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator 
Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", 
"attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", 
"attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", 
"attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd 
Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, 
And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", 
"attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", 
"attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", 
"attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}]} \ No newline at end of file +{"metadata": {"mapping-version": "r4", "attack-version": "12.1", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-1", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-1", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote 
Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", 
"attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", 
"attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1585.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1586.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event 
Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", 
"attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": 
"Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1583.007", "attack-object-name": "Serverless", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1584.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", 
"attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token 
Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd 
Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": 
"Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.002", "attack-object-name": "Socket Filters", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", 
"attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": 
"DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS 
Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", 
"attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access 
Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", 
"attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control 
Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": 
"Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", 
"attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": 
"Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", 
"attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute 
Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", 
"attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-1", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-1", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": 
"Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template 
Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information 
Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in 
Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust 
Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account 
Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", 
"attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows 
Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User 
Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", 
"attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", 
"attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", 
"attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored 
Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", 
"attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured 
Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", 
"attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", 
"attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": 
"Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote 
Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", 
"attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": 
"Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", 
"attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", 
"attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", 
"attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", 
"attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": 
"Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit 
Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": 
"Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1585.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1586.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": 
"Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled 
Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", 
"attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", 
"attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": 
"Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote 
Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IR-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", 
"attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted 
Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System 
Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": 
"Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by 
Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", 
"attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web 
Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", 
"attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread 
Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": 
"Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", 
"attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", 
"attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-38", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-38", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense 
Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1595.003", "attack-object-name": "Wordlist Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", 
"attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", 
"attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1583.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1584.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for 
Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", 
"attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", 
"attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious 
Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", 
"attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", 
"attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate 
Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": 
"Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", 
"attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", 
"attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", 
"attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", 
"attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software 
Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", 
"attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.015", "attack-object-name": "ListPlanting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event 
Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", 
"attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": 
"Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", 
"attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": 
"Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", 
"attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.002", "attack-object-name": "Socket Filters", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software 
Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", 
"attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": 
"Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", 
"attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web 
Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud 
Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": 
"InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", 
"attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", 
"attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS 
Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", 
"attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", 
"attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": 
"Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}]}
\ No newline at end of file
diff --git a/src/mappings_explorer/cli/parsed_mappings/nist/12.1/r5/parsed_nist800-53-r5-12_1mappings.json b/src/mappings_explorer/cli/parsed_mappings/nist/12.1/r5/parsed_nist800-53-r5-12_1mappings.json
index 73cf7fc2..cb50f065 100644
--- a/src/mappings_explorer/cli/parsed_mappings/nist/12.1/r5/parsed_nist800-53-r5-12_1mappings.json
+++ b/src/mappings_explorer/cli/parsed_mappings/nist/12.1/r5/parsed_nist800-53-r5-12_1mappings.json
@@ -1 +1 @@ -{"metadata": {"mapping-version": "r5", "attack-version": "12.1", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Policy and Procedures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Policy and Procedures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Device Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Permitted Actions Without Identification or Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy 
Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", 
"attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on 
Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": 
"Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile 
Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows 
Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator 
Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", 
"attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", 
"attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and 
Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1585.003", "attack-object-name": "Cloud 
Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1586.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of 
External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1583.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1584.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", 
"attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", 
"attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", 
"attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", 
"attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.002", "attack-object-name": "Socket Filters", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforncement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": 
"Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear 
Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information 
Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", 
"attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of 
Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear 
Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device 
CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global 
Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": 
"Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", 
"attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", 
"attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Use Notification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Policy and Procedures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Policy and Procedures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Event Logging", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Event Logging", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Response to Audit Processing Failure", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "Audit Review, Analysis, and Reporting ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", 
"attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Audit Review, Analysis, & Reporting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Exchange", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": 
"Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": 
"Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", 
"attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", 
"attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", 
"attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", 
"attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", 
"attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored 
Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", 
"attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Location", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Location", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": 
"Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": 
"RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol 
Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor 
Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", 
"attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": 
"Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for 
Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for 
Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert 
Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", 
"attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restriction for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", 
"attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", 
"attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session 
Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell 
Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", 
"attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path 
Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP 
Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational 
Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication 
(organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User 
Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable 
Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational 
Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", 
"attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1585.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1586.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (Organizational Users) ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and 
Authentication (Organizational Users) ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Device Identification and Authentication ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata 
API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", 
"attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", 
"attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and 
Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", 
"attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", 
"attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Incident Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": 
"Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", 
"attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", 
"attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and 
Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", 
"attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": 
"Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability 
Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer 
Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer 
Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": 
"SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer 
Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", 
"attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": 
"Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "External System Services", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library 
Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of 
System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", 
"attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": 
"Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Operations Security", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Operations Security", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1595.003", "attack-object-name": "Wordlist Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", 
"attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", 
"attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", 
"attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Resource Availability", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", 
"attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": 
"Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": 
"Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", 
"attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1583.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1584.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection ", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", 
"attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", 
"attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-persistence", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation 
Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", 
"attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link 
Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded 
Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious 
Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": 
"Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", 
"attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", 
"attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious 
Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", 
"attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.015", "attack-object-name": 
"ListPlanting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", 
"attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate 
Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": 
"Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", 
"attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File 
Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", 
"attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", 
"attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", 
"attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", 
"attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search 
Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.002", "attack-object-name": "Socket Filters", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": 
"Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB 
Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web 
Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", 
"attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", 
"attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": 
"Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information 
Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and 
Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", 
"attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": 
"Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": 
"User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", 
"attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", 
"attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}]} \ No newline at end of file +{"metadata": {"mapping-version": "r5", "attack-version": "12.1", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-1", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-1", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network 
Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or 
Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access 
Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event 
Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", 
"attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": 
"/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy 
Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path 
Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", 
"attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", 
"attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1585.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1586.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud 
Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device 
Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1583.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1584.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", 
"attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", 
"attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": 
"Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", 
"attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape 
to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", 
"attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic 
Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", 
"attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.002", "attack-object-name": "Socket Filters", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", 
"attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": 
"Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud 
Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", 
"attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software 
Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair 
Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", 
"attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", 
"attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", 
"attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", 
"attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-1", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-1", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AU-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software 
Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": 
"Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port 
Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", 
"attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", 
"attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": 
"Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", 
"attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", 
"attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", 
"attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", 
"attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": 
"Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": 
"Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", 
"attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", 
"attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": 
"Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden 
Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB 
Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware 
Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", 
"attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", 
"attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", 
"attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress 
Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", 
"attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", 
"attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": 
"Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", 
"attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP 
and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA 
Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", 
"attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing 
Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.005", "attack-object-name": "Device Registration", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool 
Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account 
Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": 
"Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service 
Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": 
"Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by 
PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with 
Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through 
Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1593.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", 
"attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", 
"attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid 
Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": 
"Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", 
"attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": 
"Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.006", "attack-object-name": "Multi-Factor Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.007", "attack-object-name": "Hybrid Identity", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1585.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1586.003", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge 
Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local 
Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor 
Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.005", "attack-object-name": "Reversible Encryption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1621", "attack-object-name": "Multi-Factor Authentication Request Generation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1649", "attack-object-name": "Steal or Forge Authentication Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", 
"attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", 
"attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", 
"attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": 
"ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File 
Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": 
"Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", 
"attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": 
"Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over 
Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": 
"Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", 
"attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", 
"attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed 
Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": 
"System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": 
"Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-38", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-38", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1595.003", "attack-object-name": "Wordlist Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", 
"attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-43", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-43", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": 
"Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious 
Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", 
"attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1583.007", "attack-object-name": "Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1584.007", "attack-object-name": 
"Serverless", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", 
"attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": 
"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", 
"attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource 
Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", 
"attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade 
System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1606.001", "attack-object-name": "Web Cookies", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", 
"attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": 
"Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", 
"attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", 
"attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.015", "attack-object-name": "ListPlanting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.003", 
"attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", 
"attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.010", "attack-object-name": "Downgrade Attack", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": 
"Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1025", "attack-object-name": "Data from Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": 
"Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.007", "attack-object-name": "Double File Extension", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web 
Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", 
"attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", 
"attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", 
"attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": 
"Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.003", "attack-object-name": "DHCP Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.005", "attack-object-name": "Terminal Services DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.016", "attack-object-name": "Installer Packages", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.003", "attack-object-name": "XPC Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1622", "attack-object-name": "Debugger Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1648", "attack-object-name": "Serverless Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.002", "attack-object-name": "Socket Filters", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", 
"attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.013", "attack-object-name": "Mavinject", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.014", "attack-object-name": "MMC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair 
Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": 
"Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Browser Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", 
"attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.009", "attack-object-name": "Safe Mode Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.008", "attack-object-name": "Email Hiding Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.009", "attack-object-name": "Resource Forking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.007", "attack-object-name": "Dynamic API Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.008", "attack-object-name": "Stripped Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.009", "attack-object-name": "Embedded Payloads", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.007", "attack-object-name": "Clear Network Connection History and Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.008", "attack-object-name": "Clear Mailbox Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.009", "attack-object-name": "Clear Persistence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.010", "attack-object-name": "Process Argument Spoofing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.013", "attack-object-name": "KernelCallbackTable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1647", "attack-object-name": "Plist File Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", 
"attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": 
"Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.004", "attack-object-name": "IIS Components", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}]} \ No newline at end of file diff --git a/src/mappings_explorer/cli/parsed_mappings/nist/8.2/r4/parsed_nist800-53-r4-8_2mappings.json b/src/mappings_explorer/cli/parsed_mappings/nist/8.2/r4/parsed_nist800-53-r4-8_2mappings.json index ad7b5365..fdd31983 100644 
--- a/src/mappings_explorer/cli/parsed_mappings/nist/8.2/r4/parsed_nist800-53-r4-8_2mappings.json
+++ b/src/mappings_explorer/cli/parsed_mappings/nist/8.2/r4/parsed_nist800-53-r4-8_2mappings.json
@@ -1 +1 @@ -{"metadata": {"mapping-version": "r4", "attack-version": "8.2", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Permitted Actions Without Identification Or Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": 
"Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify 
System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless 
Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", 
"attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", 
"attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows 
Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled 
Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and 
Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", 
"attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": 
"Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External 
Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", 
"attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", 
"attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": 
"Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token 
Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and 
Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", 
"attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch 
Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary 
Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", 
"attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", 
"attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception 
by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": 
"Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows 
Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud 
Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", 
"attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", 
"attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of 
Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", 
"attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": 
"Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", 
"attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate 
Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": 
"Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", 
"attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", 
"attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair 
Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by 
Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", 
"attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Use Notification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise 
Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": 
"NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", 
"attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": 
"Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": 
"Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": 
"Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": 
"Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System 
Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", 
"attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command 
History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": 
"Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", 
"attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": 
"Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": 
"Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair 
Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic 
Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": 
"Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": 
"Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", 
"attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", 
"attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": 
"Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": 
"Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": 
"Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": 
"Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session 
Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", 
"attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": 
"Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", 
"attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and 
Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", 
"attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path 
Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": 
"Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", 
"attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", 
"attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And 
Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": 
"Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": 
"Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", 
"attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module 
Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", 
"attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Security Architecture", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Security Architecture", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", 
"attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", 
"attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Trustworthiness", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System 
Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": 
"Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": 
"Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative 
Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": 
"Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And 
Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": 
"Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", 
"attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": 
"Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS 
Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": 
"LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify 
Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", 
"attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB 
Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And 
Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": 
"Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw 
Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup 
Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", 
"attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", 
"attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", 
"attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office 
Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": 
"InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", 
"attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", 
"attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", 
"attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": 
"Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", 
"attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential 
Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy 
Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, 
And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}]} \ No newline at end of file +{"metadata": {"mapping-version": "r4", "attack-version": "8.2", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", 
"attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", 
"attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device 
Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", 
"attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", 
"attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or 
Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", 
"attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create 
Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", 
"attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application 
Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", 
"attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", 
"attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", 
"attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", 
"attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the 
Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal 
Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path 
Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", 
"attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing 
Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", 
"attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", 
"attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", 
"attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", 
"attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local 
Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", 
"attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development 
Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", 
"attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": 
"Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": 
"Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External 
Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", 
"attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", 
"attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", 
"attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", 
"attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", 
"attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", 
"attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", 
"attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback 
Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", 
"attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management 
Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", 
"attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", 
"attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", 
"attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web 
Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", 
"attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", 
"attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": 
"Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk 
Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", 
"attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", 
"attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", 
"attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": 
"Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured 
Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange 
Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": 
"Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "PL-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "PL-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", 
"attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", 
"attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", 
"attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": 
"Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", 
"attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", 
"attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": 
"Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", 
"attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", 
"attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": 
"OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", 
"attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": 
"Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", 
"attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": 
"Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": 
"Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or 
Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor 
Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": 
"Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": 
"Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": 
"Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", 
"attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": 
"Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", 
"attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities 
Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", 
"attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": 
"InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and 
Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", 
"attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", 
"attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic 
Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", 
"attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": 
"AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding 
Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": 
"InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and 
Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}]} \ No newline at end of file diff --git a/src/mappings_explorer/cli/parsed_mappings/nist/8.2/r5/parsed_nist800-53-r5-8_2mappings.json b/src/mappings_explorer/cli/parsed_mappings/nist/8.2/r5/parsed_nist800-53-r5-8_2mappings.json index 3164b8e6..e4407921 100644 
--- a/src/mappings_explorer/cli/parsed_mappings/nist/8.2/r5/parsed_nist800-53-r5-8_2mappings.json
+++ b/src/mappings_explorer/cli/parsed_mappings/nist/8.2/r5/parsed_nist800-53-r5-8_2mappings.json
@@ -1 +1 @@ -{"metadata": {"mapping-version": "r5", "attack-version": "8.2", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Permitted Actions Without Identification or Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote 
Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge 
Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", 
"attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", 
"attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", 
"attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network 
Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": 
"Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External 
Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache 
Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", 
"attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": 
"Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", 
"attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute 
Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", 
"attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": 
"Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data 
from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", 
"attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": 
"Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", 
"attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": 
"PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", 
"attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", 
"attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", 
"attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled 
Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", 
"attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for 
Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution 
Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Use Notification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows 
Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": 
"Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced 
Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System 
Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", 
"attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path 
Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage 
Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application 
Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account 
Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic 
Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", 
"attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At 
(Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", 
"attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened 
Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", 
"attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", 
"attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", 
"attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": 
"Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": 
"Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer 
Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information 
Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened 
Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", 
"attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": 
"File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden 
Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", 
"attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", 
"attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": 
"Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", 
"attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate 
Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": 
"Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS 
Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational 
Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and 
Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", 
"attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational 
Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", 
"attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud 
Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", 
"attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational 
Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate 
Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": 
"Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", 
"attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media 
Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Architectures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Architectures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting 
Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability 
Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring 
and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": 
"Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH 
Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric 
Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of 
Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by 
Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel 
Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", 
"attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in 
Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", 
"attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain 
Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": 
"Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device 
Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", 
"attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", 
"attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output 
Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": 
"SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", 
"attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply 
Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol 
Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", 
"attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": 
"Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", 
"attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", 
"attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System 
Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", 
"attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", 
"attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge 
Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", 
"attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments 
and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}]} \ No newline at end of file +{"metadata": {"mapping-version": 
"r5", "attack-version": "8.2", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", 
"attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", 
"attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", 
"attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", 
"attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", 
"attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": 
"AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", 
"attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", 
"attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration 
Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization 
Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": 
"Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", 
"attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", 
"attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions 
Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", 
"attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software 
Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", 
"attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", 
"attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", 
"attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", 
"attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud 
Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", 
"attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted 
Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", 
"attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing 
Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", 
"attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", 
"attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", 
"attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", 
"attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", 
"attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development 
Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", 
"attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", 
"attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": 
"Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", 
"attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": 
"Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": 
"Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External 
Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", 
"attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", 
"attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", 
"attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", 
"attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": 
"Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", 
"attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", 
"attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy 
Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage 
Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", 
"attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", 
"attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", 
"attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": 
"Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": 
"Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL 
Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": 
"Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": 
"Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": 
"Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": 
"NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", 
"attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service 
Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", 
"attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS 
Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", 
"attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "PL-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "PL-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", 
"attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", 
"attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", 
"attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": 
"Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by 
Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", 
"attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", 
"attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", 
"attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc 
Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by 
Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain 
Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software 
Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", 
"attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", 
"attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", 
"attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event 
Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", 
"attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", 
"attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB 
Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", 
"attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", 
"attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": 
"Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": 
"Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd 
Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator 
Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", 
"attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", 
"attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation 
Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "Rc.common", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": 
"Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": 
"Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": 
"Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch 
System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}]} \ No newline at end of file diff --git a/src/mappings_explorer/cli/parsed_mappings/nist/9.0/r4/parsed_nist800-53-r4-9_0mappings.json b/src/mappings_explorer/cli/parsed_mappings/nist/9.0/r4/parsed_nist800-53-r4-9_0mappings.json index 72de0154..8257f14e 100644 --- a/src/mappings_explorer/cli/parsed_mappings/nist/9.0/r4/parsed_nist800-53-r4-9_0mappings.json +++ b/src/mappings_explorer/cli/parsed_mappings/nist/9.0/r4/parsed_nist800-53-r4-9_0mappings.json 
@@ -1 +1 @@ -{"metadata": {"mapping-version": "r4", "attack-version": "9.0", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Permitted Actions Without Identification Or Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": 
"Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify 
System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", 
"attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Control For Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process 
Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", 
"attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", 
"attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of 
External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of 
External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use Of External Information Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Publicly Accessible Content", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control Decisions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Reference Monitor", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass 
User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": 
"Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached 
Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", 
"attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", 
"attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to 
Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or 
Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of 
Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation Of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": 
"Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": 
"VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", 
"attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", 
"attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", 
"attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Use Notification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", 
"attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", 
"attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software 
Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in 
Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": 
"Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-Installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over 
Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": 
"SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", 
"attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", 
"attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", 
"attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", 
"attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For 
Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal 
Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service 
Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", 
"attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions For Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate 
Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", 
"attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS 
Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", 
"attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration 
Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", 
"attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over 
Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", 
"attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", 
"attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust 
Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted 
Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component 
Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", 
"attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Recovery And Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": 
"Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System 
Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", 
"attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational 
Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password 
Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", 
"attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication 
(Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data 
from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier 
Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": 
"Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication 
(Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification And Authentication (Non-Organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification And Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": 
"Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows 
Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled 
Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", 
"attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport 
Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Testing And Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Trustworthiness", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, And Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-Provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": 
"Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security Architecture And Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment And Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Of Security Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": 
"Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", 
"attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for 
Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Application Partitioning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install 
Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service 
(Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", 
"attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Architecture And Provisioning For Name / Address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for 
Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeypots", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection Of Information At Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing 
Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment And Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-Modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Honeyclients", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing And Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-Of-Band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc 
Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information In Shared Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware 
Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port And I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality And Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", 
"attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": 
"AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": 
"Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", 
"attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email 
Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Handling And Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": 
"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw 
Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw 
Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", 
"attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", 
"attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", 
"attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", 
"attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": 
"Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting 
Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office 
Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", 
"attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", 
"attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": 
"Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": 
"Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component 
Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing 
Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", 
"attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, And Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", 
"attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", 
"attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared 
Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", 
"attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser 
Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious 
Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": 
"PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, 
And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, 
Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, 
And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, And Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}]} \ No newline at end of file +{"metadata": {"mapping-version": "r4", "attack-version": "9.0", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System 
Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", 
"attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and 
Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System 
Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud 
Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", 
"attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local 
Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted 
Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-24", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled 
Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-25", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", 
"attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows 
Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": 
"Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": 
"Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": 
"Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code 
Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd 
and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": 
"Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", 
"attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", 
"attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", 
"attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote 
Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", 
"attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", 
"attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": 
"Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", 
"attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access 
Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", 
"attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path 
Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", 
"attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", 
"attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", 
"attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", 
"attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": 
"Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL 
Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", 
"attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management 
Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy 
Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", 
"attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", 
"attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": 
"Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator 
Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": 
"Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", 
"attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System 
Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object 
Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", 
"attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", 
"attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", 
"attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": 
"TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", 
"attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", 
"attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", 
"attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal 
on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", 
"attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": 
"SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": 
"Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy 
Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify 
System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": 
"Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS 
Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command 
and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer 
Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": 
"InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", 
"attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by 
Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local 
Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server 
Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-13", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", 
"attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", 
"attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric 
Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": 
"Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", 
"attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", 
"attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", 
"attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and 
/etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": 
"Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", 
"attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": 
"Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", 
"attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web 
Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path 
Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", 
"attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop 
Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", 
"attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege 
Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": 
"Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", 
"attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc 
Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": 
"Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", 
"attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", 
"attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", 
"attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", 
"attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": 
"Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", 
"attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions 
Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", 
"attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", 
"attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", 
"attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System 
Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}]} \ No newline at end of file diff --git a/src/mappings_explorer/cli/parsed_mappings/nist/9.0/r5/parsed_nist800-53-r5-9_0mappings.json b/src/mappings_explorer/cli/parsed_mappings/nist/9.0/r5/parsed_nist800-53-r5-9_0mappings.json index 03987a7a..b6f8ae40 100644 --- a/src/mappings_explorer/cli/parsed_mappings/nist/9.0/r5/parsed_nist800-53-r5-9_0mappings.json +++ b/src/mappings_explorer/cli/parsed_mappings/nist/9.0/r5/parsed_nist800-53-r5-9_0mappings.json 
@@ -1 +1 @@ -{"metadata": {"mapping-version": "r5", "attack-version": "9.0", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concurrent Session Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Lock", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Session Termination", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Permitted Actions Without Identification or Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote 
Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", 
"attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Remote Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Wireless Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration 
Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Control for Mobile Devices", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", 
"attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows 
Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", 
"attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management 
Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", 
"attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Account Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", 
"attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Use of External Systems", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Sharing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Data Mining Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": 
"SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", 
"attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and 
Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", 
"attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", 
"attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow 
Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation 
Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Flow Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": 
"Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of Duties", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": 
"SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical 
Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for 
Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Privilege", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Unsuccessful Logon Attempts", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Use Notification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Control Assessments", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows 
Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": 
"Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced 
Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", 
"attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Penetration Testing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software Usage 
Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "User-installed Software", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop 
Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": 
"Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": 
"Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", 
"attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline 
Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB 
Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation 
Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", 
"attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network 
Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Baseline Configuration", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change 
Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Change Control", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", 
"attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access 
Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": 
"Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", 
"attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Access Restrictions for Change", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": 
"Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", 
"attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": 
"Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": 
"Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", 
"attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", 
"attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", 
"attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", 
"attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", 
"attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator 
Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": 
"Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", 
"attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address 
Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Configuration Settings", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least 
Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", 
"attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": 
"Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", 
"attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted 
Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Least Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", 
"attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", 
"attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA 
Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Component Inventory", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System 
Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Recovery and Reconstitution", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Contingency Plan", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Storage Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing 
Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alternate Processing Site", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Backup", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Re-authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", 
"attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identity Proofing", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component 
Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication 
(organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication 
(organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify 
Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", 
"attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and 
Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": 
"SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Device Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", 
"attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identifier Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate 
Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", 
"attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authenticator Management", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Authentication Feedback", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", 
"attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Module Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Identification and Authentication (non-organizational Users)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Service Identification and Authentication", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Media Use", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Architectures", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Threat Hunting", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": 
"Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", 
"attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", 
"attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and 
Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and 
Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Vulnerability Monitoring and Scanning", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Criticality Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Configuration Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", 
"attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer 
Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code 
Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Testing and Evaluation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supply Chain Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Development Process, Standards, and Tools", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer-provided Training", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Developer Security and Privacy Architecture and Design", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Unsupported System Components", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Development Life Cycle", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Process", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security and Privacy Engineering Principles", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": 
"File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Disconnect", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cryptographic Key Establishment and Management", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission of Security and Privacy Attributes", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Public Key Infrastructure Certificates", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile 
Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Mobile Code", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Separation of System and User Functionality", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", 
"attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address 
Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (authoritative Source)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", 
"attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Secure Name/address Resolution Service (recursive or Caching Resolver)", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Architecture and Provisioning for Name/address Resolution Service", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Session Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Decoys", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", 
"attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", 
"attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Protection of Information at Rest", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Heterogeneity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", 
"attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Function Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Concealment and Misdirection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Covert Channel Analysis", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Non-modifiable Executable Programs", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "External Malicious Code Identification", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on 
Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Distributed Processing and Storage", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Out-of-band Channels", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Process Isolation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", 
"attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information in Shared System Resources", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through 
Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Port and I/O Device Access", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Usage Restrictions", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Detonation Chambers", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cross Domain Policy Enforcement", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", 
"attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", 
"attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory 
Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": 
"DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": 
"SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Boundary Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": 
"Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Transmission Confidentiality and Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", 
"attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Input Validation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information 
Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB 
Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Management and Retention", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access 
Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output 
Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol 
Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Output Filtering", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Memory Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass 
User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Flaw Remediation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Information Fragmentation", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": 
"Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", 
"attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code 
Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", 
"attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", 
"attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": 
"PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Malicious Code Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin 
Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": 
"Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", 
"attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System 
Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path 
Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "System Monitoring", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Security Alerts, Advisories, and Directives", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, 
and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", 
"attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", 
"attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", 
"attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information 
Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and 
Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "Software, Firmware, and Information Integrity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Spam Protection", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Component Authenticity", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Provenance", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Acquisition Strategies, Tools, and Methods", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "Supplier Assessments and Reviews", "mapping-type": "mitigates"}]} \ No newline at end of file +{"metadata": {"mapping-version": "r5", "attack-version": "9.0", "technology-domain": "enterprise", "author": "", "contact": "", "creation-date": "02/03/21", "last-update": "10/27/21", "organization": "", "mapping-framework": "NIST Security controls", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-14", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", 
"attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", 
"attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": 
"Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote 
Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", 
"attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", 
"attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-19", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": 
"Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and 
Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", 
"attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", 
"attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", 
"attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", 
"attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", 
"attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", 
"attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the 
Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", 
"attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", 
"attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control 
Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", 
"attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol 
Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", 
"attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", 
"attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": 
"Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", 
"attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": 
"Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify 
Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable 
Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", 
"attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "AC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External 
Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", 
"attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": 
"Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", 
"attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain 
Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply 
Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": 
"Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", 
"attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", 
"attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", 
"attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch 
Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust 
Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", 
"attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.011", "attack-object-name": "Services Registry Permissions Weakness", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", 
"attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH 
Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", 
"attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory 
Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", 
"attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": 
"Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": 
"Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": 
"Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": 
"Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows 
Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over 
Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": 
"Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", 
"attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", 
"attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": 
"Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH 
Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": 
"Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "CM-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "CP-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", 
"attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": 
"PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.001", "attack-object-name": "Token Impersonation/Theft", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.003", "attack-object-name": "Make and Impersonate Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", 
"attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.007", "attack-object-name": "Msiexec", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", 
"attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG 
Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": 
"Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.001", "attack-object-name": "Launchctl", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata 
API", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", 
"attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": 
"", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "IA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "MP-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "PL-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", 
"attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote 
Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "RA-9", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise 
Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", 
"attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SA-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-17", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": 
"Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-18", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-20", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-21", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", 
"attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-22", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-26", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data 
Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-28", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-29", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SC-30", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-31", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", 
"attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-34", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-35", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-36", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-37", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote 
Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-39", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in 
Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1200", "attack-object-name": "Hardware Additions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-41", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource 
Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-43", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-44", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over 
Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-46", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", 
"attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": 
"Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network 
Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SC-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.004", "attack-object-name": "Domain Fronting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SC-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", 
"attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network 
Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-10", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": 
"Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-12", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration 
Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", 
"attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-15", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-16", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.003", "attack-object-name": "Outlook Forms", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.004", "attack-object-name": "Outlook Home Page", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": 
"Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.002", "attack-object-name": "DLL Side-Loading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-2", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-23", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", 
"attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", 
"attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", 
"attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": 
[], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-3", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001", "attack-object-name": "Data Obfuscation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.001", "attack-object-name": "Junk Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.002", "attack-object-name": "Steganography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1001.003", "attack-object-name": "Protocol Impersonation", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.002", "attack-object-name": "Security Account Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.005", "attack-object-name": "Cached Domain Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": 
"Fallback Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1011.001", "attack-object-name": "Exfiltration Over Bluetooth", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1030", "attack-object-name": "Data Transfer Size Limits", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.003", "attack-object-name": "Rename System Utilities", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization 
Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.004", "attack-object-name": "Launchd", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.005", 
"attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": 
"SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1091", "attack-object-name": "Replication Through Removable Media", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1092", "attack-object-name": "Communication Through Removable Media", "references": [], "tags": [], "mapping-description": 
"", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.001", "attack-object-name": "Dead Drop Resolver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1102.003", "attack-object-name": "One-Way Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1111", "attack-object-name": "Two-Factor Authentication Interception", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1132.002", "attack-object-name": "Non-Standard 
Encoding", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1197", "attack-object-name": "BITS Jobs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", "attack-object-name": "Signed Script Proxy Execution", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1539", "attack-object-name": "Steal Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.014", "attack-object-name": "Emond", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.007", "attack-object-name": "Re-opened Applications", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.009", 
"attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.003", "attack-object-name": "Bash History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper 
Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.001", "attack-object-name": "Keychain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.002", "attack-object-name": "Securityd Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.004", "attack-object-name": "Windows Credential Manager", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1555.005", "attack-object-name": "Password Managers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": 
"Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1560.001", "attack-object-name": "Archive via Utility", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.002", "attack-object-name": "Hidden Users", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.007", "attack-object-name": "VBA Stomping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", 
"attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1573.001", "attack-object-name": "Symmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.005", "attack-object-name": "Executable Installer File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.010", "attack-object-name": "Services File Permissions Weakness", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], 
"tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.002", "attack-object-name": "Logon Script (Mac)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1037.005", "attack-object-name": "Startup Items", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1056.002", "attack-object-name": "GUI Input Capture", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1059.008", "attack-object-name": "Network Device CLI", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1129", "attack-object-name": "Shared Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": 
"mitigates"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1176", "attack-object-name": "Browser Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1185", "attack-object-name": "Man in the Browser", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1195.003", "attack-object-name": "Compromise Hardware Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216", 
"attack-object-name": "Signed Script Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1216.001", "attack-object-name": "PubPrn", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.001", "attack-object-name": "Compiled HTML File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.002", "attack-object-name": "Control Panel", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.004", "attack-object-name": "InstallUtil", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.008", "attack-object-name": "Odbcconf", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.009", "attack-object-name": "Regsvcs/Regasm", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1218.012", "attack-object-name": "Verclsid", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1220", "attack-object-name": "XSL Script Processing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": 
[], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1525", 
"attack-object-name": "Implant Internal Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.004", "attack-object-name": "ROMMONkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, 
{"comments": "", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.004", "attack-object-name": "Unix Shell Configuration Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.011", "attack-object-name": "Plist Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1547.013", "attack-object-name": "XDG Autostart Entries", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1548.004", "attack-object-name": "Elevated Execution with Prompt", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1550.004", "attack-object-name": "Web Session Cookie", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.001", "attack-object-name": "Gatekeeper Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.005", "attack-object-name": "Mark-of-the-Web Bypass", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1553.006", "attack-object-name": "Code Signing Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1556.004", "attack-object-name": "Network Device Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.004", "attack-object-name": "NTFS File Attributes", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.004", "attack-object-name": "Dylib Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.006", "attack-object-name": "Dynamic Linker Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.007", 
"attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1574.012", "attack-object-name": "COR_PROFILER", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-7", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": 
"T1566", "attack-object-name": "Phishing", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.001", "attack-object-name": "Spearphishing Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.002", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "SI-8", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", 
"mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-11", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", 
"references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-4", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", 
"attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-5", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1059.002", "attack-object-name": "AppleScript", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1505.002", "attack-object-name": "Transport Agent", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.001", "attack-object-name": "Patch System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}, {"comments": "", "attack-object-id": "T1601.002", "attack-object-name": "Downgrade System Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "SR-6", "mapping-type": "mitigates"}]} \ No newline at end of file 
diff --git a/src/mappings_explorer/cli/parsed_mappings/security_stack/AWS/parsed_AWS.json b/src/mappings_explorer/cli/parsed_mappings/security_stack/AWS/parsed_AWS.json
index 3e196128..411b9e9c 100644
--- a/src/mappings_explorer/cli/parsed_mappings/security_stack/AWS/parsed_AWS.json
+++ b/src/mappings_explorer/cli/parsed_mappings/security_stack/AWS/parsed_AWS.json
@@ -1 +1 @@ -{"metadata": {"mapping-version": 1, "attack-version": 9, "technology-domain": "enterprise", "author": "", "contact": "ctid@mitre-engenuity.org", "creation-date": "07/22/2021", "last-update": "", "organization": "", "mapping-framework": "AWS", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": 
["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": 
"technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": true}, {"comments": "", 
"attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1529", "attack-object-name": "System Shutdown/Reboot", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings are based on the set of AWS 
managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, 
respectively.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], 
"tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config 
uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1203", "attack-object-name": "Exploitation 
for Client Execution", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS 
Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best 
practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": 
["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of 
two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.aws.amazon.com/config", 
"https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", 
"related-score": true}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", 
which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html"], "tags": ["Storage"], "mapping-description": "", "capability-id": "AWS S3", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "The S3 server access 
logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html"], "tags": ["Storage"], "mapping-description": "", "capability-id": "AWS S3", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1526", "attack-object-name": "Cloud Service Discovery", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event 
occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc", "https://aws.amazon.com/shield/features/"], "tags": ["Denial of Service", "Network"], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": true}, {"comments": "There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. 
The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc", "https://aws.amazon.com/shield/features/"], "tags": ["Denial of Service", "Network"], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": true}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings for AWS 
IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings for AWS IoT Device 
Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings for AWS IoT 
Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Mappings for AWS IoT Device 
Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", "https://aws.amazon.com/organizations/getting-started/best-practices/"], "tags": ["Identity"], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", "https://aws.amazon.com/organizations/getting-started/best-practices/"], "tags": ["Identity"], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", 
"attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", "https://aws.amazon.com/organizations/getting-started/best-practices/"], "tags": ["Identity"], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", "https://aws.amazon.com/organizations/getting-started/best-practices/"], "tags": ["Identity"], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1486", 
"attack-object-name": "Data Encrypted for Impact", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": 
"Inhibit System Recovery", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://aws.amazon.com/kms/", "https://docs.aws.amazon.com/kms/latest/developerguide/overview.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Key Management Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://aws.amazon.com/kms/", "https://docs.aws.amazon.com/kms/latest/developerguide/overview.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Key Management Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", 
"attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": 
"Partial", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": 
["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate 
project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": 
"Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1529", "attack-object-name": "System Shutdown/Reboot", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": 
["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual 
Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html"], "tags": ["Identity"], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html"], "tags": ["Identity"], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://aws.amazon.com/waf/", 
"https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", 
"https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": 
"Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html"], "tags": ["Metrics"], "mapping-description": "", "capability-id": "AWS CloudWatch", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html"], "tags": ["Metrics"], "mapping-description": "", "capability-id": "AWS CloudWatch", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html"], "tags": ["Metrics"], "mapping-description": "", "capability-id": "AWS CloudWatch", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. 
When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1592", "attack-object-name": "Gather Victim Host Information", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
\n", "attack-object-id": "T1589", "attack-object-name": "Gather Victim Identity Information", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). 
It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1591", "attack-object-name": "Gather Victim Org Information", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. 
When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
\n", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. 
When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
\n", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). 
It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
\n", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute 
Force", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"], "tags": ["Credentials"], 
"mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": 
"Exfiltration Over Alternative Protocol", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": 
"Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network 
Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], 
"tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": 
["https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://aws.amazon.com/cloudhsm/", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://aws.amazon.com/cloudhsm/", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://aws.amazon.com/cloudhsm/", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}]} \ No newline at end of file +{"metadata": {"mapping-version": 1, "attack-version": 9, "technology-domain": "enterprise", "author": "", "contact": "ctid@mitre-engenuity.org", "creation-date": "07/22/2021", "last-update": "", "organization": "", "mapping-framework": "AWS", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": 
""}, {"comments": "AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant.", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1565"}, {"comments": "AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1565"}, {"comments": "AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant.", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1565"}, {"comments": "AWS RDS supports the replication and recovery of database instances. 
In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1565"}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, 
{"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": 
["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": "T1561"}, {"comments": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. 
However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": "T1561"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1529", "attack-object-name": "System Shutdown/Reboot", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html"], "tags": ["Database"], "mapping-description": "", "capability-id": "AWS RDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1020", "attack-object-name": 
"Automated Exfiltration", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: \"acm-certificate-expiration-check\" for nearly expired certificates in AWS Certificate Manager (ACM); \"alb-http-to-https-redirection-check\" for Application Load Balancer (ALB) HTTP listeners; \"api-gw-ssl-enabled\" for API Gateway REST API stages; \"cloudfront-custom-ssl-certificate\", \"cloudfront-sni-enabled\", and \"cloudfront-viewer-policy-https\", for Amazon CloudFront distributions; \"elb-acm-certificate-required\", \"elb-custom-security-policy-ssl-check\", \"elb-predefined-security-policy-ssl-check\", and \"elb-tls-https-listeners-only\" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; \"redshift-require-tls-ssl\" for Amazon Redshift cluster connections to SQL clients; \"s3-bucket-ssl-requests-only\" for requests for S3 bucket contents; and \"elasticsearch-node-to-node-encryption-check\" for Amazon ElasticSearch Service node-to-node communications.\nAll of these are run on configuration changes except \"alb-http-to-https-redirection-check\", which is run periodically. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1020"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", 
"https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to create or modify orchestration jobs. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1053"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules 
provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted misuse of cloud accounts: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". All of these controls are run periodically.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that appropriate AWS Identity and Access Management (IAM) policies are in place to enforce fine-grained access policies and mitigate the impact of compromised valid accounts: \"iam-customer-policy-blocked-kms-actions\", \"iam-inline-policy-blocked-kms-actions\", \"iam-no-inline-policy-check\", \"iam-group-has-users-check\", \"iam-policy-blacklisted-check\", \"iam-policy-no-statements-with-admin-access\", \"iam-policy-no-statements-with-full-access\", \"iam-role-managed-policy-check\", \"iam-user-group-membership-check\", \"iam-user-no-policies-check\", and \"ec2-instance-profile-attached\" are run on configuration changes. 
\"iam-password-policy\", \"iam-policy-in-use\", \"iam-root-access-key-check\", \"iam-user-mfa-enabled\", \"iam-user-unused-credentials-check\", and \"mfa-enabled-for-iam-console-access\" are run periodically. The \"access-keys-rotated\" managed rule ensures that IAM access keys are rotated at an appropriate rate.\nGiven that these rules provide robust coverage for a variety of IAM configuration problems and most are evaluated on configuration changes, they result in an overall score of Significant.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1078"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted manipulation of cloud accounts: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", 
and \"root-account-mfa-enabled\". All of these controls are run periodically and provide partial coverage, since adversaries may be able to manipulate cloud credentials via other mechanisms, resulting in an overall score of Partial.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1098"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that 
should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1136", "attack-object-name": "Create 
Account", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide significant protection against attempted manipulation of cloud accounts, including the creation of new ones: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". All of these controls are run periodically and provide partial coverage, since adversaries may be able to create cloud credentials via other mechanisms, resulting in an overall score of Partial.", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1136"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], 
"tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined 
rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1204", 
"attack-object-name": "User Execution", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: \"approved-amis-by-id\" and \"approved-amis-by-tag\", both of which are run on configuration changes. They provide significant coverage, resulting in an overall score of Significant.", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1204"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS 
Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS 
accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nCoverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1491"}, {"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include 
internal and/or external defacement: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nCoverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1491"}, {"comments": 
"Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1498"}, {"comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1498"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", 
"https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1499"}, {"comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1499"}, {"comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1499"}, {"comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1499"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", 
"https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The following 
AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage, which may include files containing credentials: \"s3-account-level-public-access-blocks\", \"s3-bucket-level-public-access-prohibited\", \"s3-bucket-public-read-prohibited\", \"s3-bucket-policy-not-more-permissive\", \"cloudfront-origin-access-identity-enabled\", and \"cloudfront-default-root-object-configured\" identify objects that are publicly available or subject to overly permissive access policies; and \"s3-bucket-policy-grantee-check\" checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data - which may include files containing credentials - are encrypted to prevent malicious access: \"s3-bucket-server-side-encryption-enabled\" and \"s3-default-encryption-kms\" for S3 storage, \"ec2-ebs-encryption-by-default\" and \"encrypted-volumes\" for EBS volumes.\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Partial.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "The \"ec2-imdsv2-check\" managed rule can identify instances which are configured to use the outdated Instance Metadata Service Version 1 (IMDSv1), which is less secure than IMDSv2. 
This provides partial coverage, since adversaries may find ways to exploit the more secure IMDSv2, resulting in an overall score of Partial.", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to gather credentials via the API. The \"eks-secrets-encrypted\" managed rule can identify configuration problems that should be fixed in order to ensure that Kubernetes secrets (including those containing credentials) are encrypted to prevent malicious access. 
Both controls are run periodically and only provide partial coverage because they are specific to public access and adversaries without the ability to decrypt secrets, respectively, resulting in an overall score of Partial.", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], 
"tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The \"ec2-managedinstance-applications-required\" managed rule verifies that all applications in a pre-defined list of requirements are installed on specified managed instances, and is run on configuration changes. It will not detect modification to those applications, but will detect if they are uninstalled. The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances, and can be used to detect installation of applications below a minimum version, which can identify adversary attempts to downgrade required tools to insecure or ineffective older versions. Given the host-based scoping of this technique, coverage is partial, resulting in an overall score of Partial.", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "The following AWS Config managed rules can identify potentially malicious changes to cloud firewall status and ensure that a WAF is enabled and enforcing specified ACLs: \"lab-waf-enabled\" for Application Load Balancers; \"api-gw-associated-with-waf\" for Amazon API Gateway API stages; \"cloudfront-associated-with-waf\" for Amazon CloudFront distributions; \"fms-webacl-resource-policy-check\", \"fms-webacl-resource-policy-check\", and \"fms-webacl-rulegroup-association-check\" for AWS Firewall Manager; \"vpc-default-security-group-closed\", \"vpc-network-acl-unused-check\", and \"vpc-sg-open-only-to-authorized-ports\" for VPC security groups; and \"ec2-security-group-attached-to-eni\" for EC2 and ENI security 
groups; all of which are run on configuration changes.\nThe following AWS Config managed rules can identify specific configuration changes to VPC configuration that may suggest malicious modification to bypass protections: \"internet-gateway-authorized-vpc-only\" can identify Internet gateways (IGWs) attached to unauthorized VPCs, which can allow unwanted communication between a VPC and the Internet; \"lambda-inside-vpc\" can identify VPCs that have granted execution access to unauthorized Lambda functions; \"service-vpc-endpoint-enabled\" can verify that endpoints are active for the appropriate services across VPCs; \"subnet-auto-assign-public-ip-disabled\" checks for public IP addresses assigned to subnets within VPCs.\nCoverage factor is significant for these rules, since they cover firewall configuration for and via a wide range of services, resulting in an overall score of Significant.", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1562"}, {"comments": "The following AWS Config managed rules can identify potentially malicious changes to cloud logging: \"api-gw-execution-logging-enabled\", \"cloudfront-accesslogs-enabled\", \"elasticsearch-logs-to-cloudwatch\", \"elb-logging-enabled\", \"redshift-cluster-configuration-check\", \"rds-logging-enabled\", and \"s3-bucket-logging-enabled\" are run on configuration changes. 
\"cloudtrail-security-trail-enabled\", \"cloud-trail-cloud-watch-logs-enabled\", \"cloudtrail-s3-dataevents-enabled\", \"vpc-flow-logs-enabled\", \"waf-classic-logging-enabled\", and \"wafv2-logging-enabled\" are run periodically.\nCoverage factor is significant for these rules, since they cover logging configuration for a wide range of services, resulting in an overall score of Significant.", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1562"}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": 
["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings are based on the set of AWS managed rules provided by AWS Config, which are predefined rules that AWS Config uses to test for compliance with common best practices.\nAWS Config rules can be set to one of two types, \"configuration changes\" and \"periodic\", which are evaluated upon configuration changes and at a user-defined period, respectively.", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://docs.aws.amazon.com/config", "https://docs.aws.amazon.com/config/latest/developerguide", "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Config", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html"], "tags": ["Storage"], "mapping-description": "", "capability-id": "AWS S3", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html"], "tags": ["Storage"], "mapping-description": "", "capability-id": "AWS S3", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "There are a few finding types offered by GuardDuty that flag this behavior: Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep.", "attack-object-id": "T1595.001", "attack-object-name": "Scanning IP Blocks", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "There are finding types that show when an EC2 instance is probing other AWS resources for information. 
Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1566"}, {"comments": "The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1566"}, {"comments": "The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.", "attack-object-id": "T1566.003", "attack-object-name": "Spearphishing via Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1566"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Listed findings above flag instances where there are indications of account compromise.", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "Listed findings above flag instances where there are indications of account compromise.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1098"}, {"comments": "The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair.", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1098"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller", "attack-object-id": "T1562.006", 
"attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": 
"Minimal", "related-score": "T1110"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following finding types in Amazon GuardDuty can be used to identify potentially malicious interactions with S3 which may lead to the compromise of any credential files stored in S3: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller\nThe score is capped at Partial since the findings only apply to credential files stored within S3 buckets and only certain types of suspicious behaviors.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "The UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration 
finding type flags attempts to run AWS API operations from a host outside of EC2 using temporary AWS credentials that were created on an EC2 instance in your AWS environment. This may indicate that the temporary credentials have been compromised. Score is capped at Minimal because external use is required for detection.", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1552"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1526", "attack-object-name": "Cloud Service Discovery", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B 
Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.\nTrojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1568"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their 
infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1090"}, {"comments": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1090"}, {"comments": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1090"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal 
factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1029", "attack-object-name": "Scheduled Transfer", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.\nTrojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1567"}, {"comments": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", 
"score-value": "Partial", "related-score": "T1567"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The Impact:S3/MaliciousIPCaller finding type is looking for API calls commonly associated with Impact tactic of techniques where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment.", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1565"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\nBackdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1498"}, {"comments": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\nBackdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1498"}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Scores for this service are capped at Partial due to limited coverage and accuracy information.\nThe temporal factor for this control is consistent: the first instance of a finding taking place is alerted within 5 minutes of the event occurring. 
After that any subsequent events can be customized to be reported at 15 minutes, 1 hour, or the default of 6 hours.\nThe following findings were not mappable:\n Backdoor:EC2/Spambot\n Impact:EC2/AbusedDomainRequest.Reputation\n InitialAccess:IAMUser/AnomalousBehavior", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following finding types can be used to detect behavior that can lead to the defacement of\ncloud resources:\nImpact:S3/MaliciousIPCaller\nExfiltration:S3/MaliciousIPCaller\nExfiltration:S3/ObjectRead.Unusual\nPenTest:S3/KaliLinux\nPenTest:S3/ParrotLinux\nPenTest:S3/PentooLinux\nUnauthorizedAccess:S3/MaliciousIPCaller.Custom\nUnauthorizedAccess:S3/TorIPCaller", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1491"}, {"comments": "The following finding types can be used to detect behavior that can lead to the defacement of\ncloud resources:\nImpact:S3/MaliciousIPCaller\nExfiltration:S3/MaliciousIPCaller\nExfiltration:S3/ObjectRead.Unusual\nPenTest:S3/KaliLinux\nPenTest:S3/ParrotLinux\nPenTest:S3/PentooLinux\nUnauthorizedAccess:S3/MaliciousIPCaller.Custom\nUnauthorizedAccess:S3/TorIPCaller", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon GuardDuty", "mapping-type": "technique-scores", "score-category": 
"Detect", "score-value": "Partial", "related-score": "T1491"}, {"comments": "There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc", "https://aws.amazon.com/shield/features/"], "tags": ["Denial of Service", "Network"], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue. ", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1498"}, {"comments": "AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. 
This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue. ", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1498"}, {"comments": "There is not much documentation that lends itself useful to scoring the accuracy of this control although offerings such as Shield Advanced protection groups and the AWS Shield Response Team (SRT) can be leveraged to improve the accuracy of this control. The control states that DDOS attacks can be mitigated in real time (temporal factor) and not increase cause latency for impacted services.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc", "https://aws.amazon.com/shield/features/"], "tags": ["Denial of Service", "Network"], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. 
", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1499"}, {"comments": "AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. ", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1499"}, {"comments": "AWS Shield Advance allows for customized detection and mitigations for custom applications that are running on EC2 instances.", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Shield", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1499"}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: \"CA certificate expiring\" (\"CA_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"CA certificate key quality\" (\"CA_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), and \"CA certificate revoked but device certificates still 
active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the \"UPDATE_CA_CERTIFICATE\" mitigation action which can resolve them. \"Device certificate expiring\" (\"DEVICE_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"Device certificate key quality\" (\"DEVICE_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with IoT devices' certificates and support the \"UPDATE_DEVICE_CERTIFICATE\" and \"ADD_THINGS_TO_THING_GROUP\" mitigation actions which can resolve them.\nCoverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.", "attack-object-id": "T1020.001", "attack-object-name": "Traffic Duplication", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1020"}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings for AWS 
IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 
\"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 
\"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 
\"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Mappings for AWS IoT Device 
Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following AWS IoT Device Defender audit checks can identify potentially malicious use of valid cloud credentials by AWS IoT devices, which may indicate that devices have been compromised: \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) indicates that device certificates signed using a revoked CA certificate are still active, which may indicate that devices using those certificates are controlled by an adversary if the CA certificate was revoked due to compromise. 
\"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API), and \"Conflicting MQTT client IDs\" (\"CONFLICTING_CLIENT_IDS_CHECK\" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or IDs and/or certificates that have been revoked due to compromise, all of which suggest that an adversary may be using clones of compromised devices to leverage their access.\nThe following AWS IoT Device Defender cloud-side detection metrics can identify potentially malicious use of valid cloud credentials by IoT devices, which may indicate that devices have been compromised: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. \"Authorization failures\" (\"aws:num-authorization-failures\") counts above a typical threshold may indicate that a compromised device is attempting to use its connection to AWS IoT to access resources for which it does not have access and being denied. 
High counts for \"Disconnects\" (\"aws:num-disconnects\"), especially in conjunction with high counts for \"Connection attempts\" (\"aws:num-connection-attempts\"), which include successful attempts, may indicate that a compromised device is connecting and disconnecting from AWS IoT using the device's associated access.\nCoverage factor is partial for these metrics, checks, and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and in some cases resolve configuration problems that should be fixed in order to limit the potential impact of compromised accounts with access to AWS IoT resources: The \"Authenticated Cognito role overly permissive\" (\"AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles. The \"Unauthenticated Cognito role overly permissive\" (\"UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles and do not require authentication, which pose a substantial risk because they can be trivially accessed. 
The \"AWS IoT policies overly permissive\" (\"IOT_POLICY_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify AWS IoT policies which grant excessive privileges and permissions for AWS IoT actions and supports the \"REPLACE_DEFAULT_POLICY_VERSION\" mitigation action which can reduce permissions to limit potential misuse. The \"Role alias allows access to unused services\" (\"IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK\" in the CLI and API) and \"Role alias overly permissive\" (\"IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit checks can identify AWS IoT role aliases which allow connected devices to authenticate using their certificates and obtain short-lived AWS credentials from an associated IAM role which grant permissions and privileges beyond those necessary to the devices' functions and should be fixed in order to prevent further account compromise from compromised devices.\nCoverage factor is partial for these checks and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. 
Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings for AWS IoT Device 
Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following AWS IoT Device Defender audit checks can identify potentially malicious use of private keys associated with AWS IoT devices, which may indicate that the keys have been taken from compromised devices and repurposed by an adversary: \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API) and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can indicate that devices are in use with duplicate 
certificates and/or certificates that have been revoked due to compromise, both of which suggest that an adversary may be misusing stolen private keys.\nCoverage factor is partial for these checks and mitigations, since they are specific to use of private keys associated with AWS IoT devices, resulting in an overall score of Partial.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. 
Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. 
Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Mappings for AWS IoT Device Defender audit are based on the current set of AWS IoT Device Defender audit checks that can be enabled. AWS IoT Device Defender's predefined mitigation actions are also included for those audit checks that support them. Audit checks can be run as needed (on-demand audits) or scheduled to be run periodically (scheduled audits), so temporal scoring factors are uniformly high for this control, based on the assumption that checks are run (at minimum) on a frequent basis. 
Audit check and mitigation names are identified in quotes throughout this mapping.\nMappings for AWS IoT Device Defender detect are based on the current set of AWS IoT Device Defender device-side and cloud-side detection metrics. Cloud-side detection alarms are triggered when set thresholds are exceeded, and device-side detection metrics are published on a chosen interval with a minimum value of 5 minutes, so temporal scoring factors are uniformly high for this control, based on the assumption that thresholds are set to sensible values that detect suspicious values quickly and device-side metric publishing is not set to an unreasonably large interval. Detect metric names are identified in quotes throughout this mapping.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://aws.amazon.com/iot-device-defender/", "https://docs.aws.amazon.com/iot-device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect"], "tags": ["Internet of Things", "IoT"], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": ""}, {"comments": "The \"Logging disabled\" audit check (\"LOGGING_DISABLED_CHECK\" in the CLI and API) can identify potentially malicious changes to AWS IoT logs (both V1 and V2), which should be enabled in Amazon CloudWatch. 
Score is limited to Partial since this control only addresses IoT logging.", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "The \"ENABLE_IOT_LOGGING\" mitigation action (which is supported by the \"Logging disabled\" audit check) enables AWS IoT logging if it is not enabled when the check is run, effectively reversing the adversary behavior if those logs were disabled due to malicious changes. Score is limited to Partial since this control only addresses IoT logging.", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS IoT Device Defender", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": "T1562"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", "https://aws.amazon.com/organizations/getting-started/best-practices/"], "tags": ["Identity"], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may protect against malicious use of cloud accounts by implementing service control policies that define what actions an account may take. 
If best practices are followed, AWS accounts should only have the least amount of privileges required.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", "https://aws.amazon.com/organizations/getting-started/best-practices/"], "tags": ["Identity"], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may protect against cloud account discovery by segmenting accounts into separate organizational units and restricting to least privileges between groups. 
", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1087"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", "https://aws.amazon.com/organizations/getting-started/best-practices/"], "tags": ["Identity"], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", "https://aws.amazon.com/organizations/getting-started/best-practices/"], "tags": ["Identity"], "mapping-description": "", "capability-id": "AWS Organizations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", 
"https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is manipulated, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1565"}, {"comments": "", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1491"}, {"comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1491"}, {"comments": "", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1561"}, {"comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1561"}, {"comments": "", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": ["https://aws.amazon.com/cloudendure-disaster-recovery/", "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm"], "tags": [], "mapping-description": "", "capability-id": "AWS CloudEndure Disaster Recovery", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://aws.amazon.com/kms/", "https://docs.aws.amazon.com/kms/latest/developerguide/overview.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Key Management Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This service provides a more secure alternative to storing encryption keys in the file system. 
As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Key Management Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Key Management Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1552"}, {"comments": "", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://aws.amazon.com/kms/", "https://docs.aws.amazon.com/kms/latest/developerguide/overview.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Key Management Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The encryption key for the certificate can be stored in KMS, reducing its attack surface. 
Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Key Management Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1588"}, {"comments": "The encryption key for the certificate can be stored in KMS, reducing its attack surface. Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised.", "attack-object-id": "T1588.004", "attack-object-name": "Digital Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Key Management Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1588"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": 
"Partial", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": 
["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. 
This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, \"Disable root login over SSH\". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. 
Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1021"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this the score is capped at Partial. 
", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1222"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1562.003", "attack-object-name": "Impair Command History Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system 
configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1070"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1070"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1070.004", "attack-object-name": "File Deletion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1070"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1070.005", "attack-object-name": "Network Share Connection Removal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1070"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1070.006", "attack-object-name": "Timestomp", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1070"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1599", "attack-object-name": "Network Boundary Bridging", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", "attack-object-id": "T1599.001", "attack-object-name": "Network Address Translation Traversal", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1599"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", "attack-object-id": "T1003.007", "attack-object-name": "Proc Filesystem", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1003"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1003"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information 
and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1053"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1053"}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1053"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1529", "attack-object-name": "System Shutdown/Reboot", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": 
""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1548"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. 
", "attack-object-id": "T1037.004", "attack-object-name": "RC Scripts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1037"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. 
", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1543"}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The CIS Benchmarks assessment package is considered out of scope because a separate project will be responsible for mapping CIS Benchmarks and ATT&CK.", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html"], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. 
", "attack-object-id": "T1595.001", "attack-object-name": "Scanning IP Blocks", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. ", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Inspector", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.", "attack-object-id": "T1590.001", "attack-object-name": "Domain Properties", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. 
WHOIS) resulting in a Partial coverage score and an overall Partial score.", "attack-object-id": "T1590.004", "attack-object-name": "Network Topology", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.", "attack-object-id": "T1590.005", "attack-object-name": "IP Addresses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.", "attack-object-id": "T1590.006", "attack-object-name": "Network Security Appliances", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1595.001", "attack-object-name": "Scanning IP Blocks", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "VPC security groups and network access control lists (NACLs) can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the security group or NACL level. ", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1205"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. 
In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1557"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1557"}, {"comments": "The mappings contained in this file were 
based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1565"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Can limit access to client management interfaces or configuration databases.", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1602"}, {"comments": "Can limit access to client management interfaces or configuration databases.", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1602"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1542"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. 
This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1499"}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks 
resulting in a Minimal score.", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1499"}, {"comments": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1499"}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The mappings contained in this file were based on Amazon's \"Security in Amazon Virtual Private Cloud\" documentation listed in the references section. 
The following VPC components were assessed to produce this mapping: Security Groups, Network Access Control Lists (NACLs), VPC Peering, VPC Endpoints, and Virtual Private Network (VPN).", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.aws.amazon.com/vpc/latest/userguide/security.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", 
"related-score": "T1090"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html"], "tags": ["Identity"], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Amazon Cognito has the ability to alert and block accounts where credentials were found to be compromised elsewhere (compromised credential protection). The service also detects unusual sign-in activity, such as sign-in attempts from new locations and devices and can either prompt users for additional verification or block the sign-in request. 
There was insufficient detail on the operation of these capabilities and therefore a conservative assessment of a Partial score has been assigned.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html"], "tags": ["Identity"], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", 
"related-score": "T1110"}, {"comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Amazon Cognito", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], 
"mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. 
AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1059"}, {"comments": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1059"}, {"comments": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. 
AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1059"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.\nAWSManagedRulesAnonymousIpList\nThis is given a score of Partial because it provide protections for only a subset of the sub-techniques (2 out of 4) and is based only on known IP addresses. 
Furthermore, it blocks the malicious content in near real-time.", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.\nAWSManagedRulesAnonymousIpList\nThis is given a score of Partial because it provide protections for only a subset of the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and 
Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.", "attack-object-id": "T1595.001", "attack-object-name": "Scanning IP Blocks", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://aws.amazon.com/waf/", "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Minimal because the rule sets only protect against the web protocols sub-technique.", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1071"}, {"comments": "", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html"], "tags": ["Metrics"], "mapping-description": "", "capability-id": "AWS CloudWatch", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html"], "tags": ["Metrics"], "mapping-description": "", "capability-id": "AWS CloudWatch", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html"], "tags": ["Metrics"], "mapping-description": "", "capability-id": "AWS CloudWatch", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports 
on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). 
Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1592", "attack-object-name": "Gather Victim Host Information", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1592.001", "attack-object-name": "Hardware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1592"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. 
AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1592.002", "attack-object-name": "Software", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1592"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1592.003", "attack-object-name": "Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1592"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", "attack-object-id": "T1592.004", "attack-object-name": "Client Configurations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1592"}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1589", "attack-object-name": "Gather Victim Identity Information", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. 
AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1589.001", "attack-object-name": "Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1589"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1589.002", "attack-object-name": "Email Addresses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1589"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", "attack-object-id": "T1589.003", "attack-object-name": "Employee Names", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1589"}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. 
AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1590.001", "attack-object-name": "Domain Properties", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1590"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1590.002", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1590"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", "attack-object-id": "T1590.003", "attack-object-name": "Network Trust Dependencies", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1590"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1590.004", "attack-object-name": "Network Topology", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1590"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", "attack-object-id": "T1590.005", "attack-object-name": "IP Addresses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1590"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1590.006", "attack-object-name": "Network Security Appliances", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1590"}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1591", "attack-object-name": "Gather Victim Org Information", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1591.001", "attack-object-name": "Determine Physical Locations", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1591"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", "attack-object-id": "T1591.002", "attack-object-name": "Business Relationships", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1591"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", "attack-object-id": "T1591.003", "attack-object-name": "Identify Business Tempo", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1591"}, {"comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", "attack-object-id": "T1591.004", "attack-object-name": "Identify Roles", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1591"}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). 
It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights.\nAWS principals with suspicious access key activity Credentials that may have leaked AWS resources with unauthorized access attempts IAM users with suspicious activity\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. 
AWS Security Hub provides these detections with the following checks.\n3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 3.3 Ensure a log metric filter and alarm exist for usage of \"root\" account 3.4 Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures [PCI.CW.1] A log metric filter and alarm should exist for usage of the \"root\" user\nBy monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised.\nThis is scored as Significant because it reports on suspicious activity by AWS accounts. ", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1078"}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. 
\n", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). 
It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. 
When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. 
The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. AWS Security Hub provides this detection with the following check.\n3.4 Ensure a log metric filter and alarm exist for IAM policy changes \nThis is scored as Significant because it can monitor all changes to IAM policy which can be used to detect any changes made to accounts. ", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1098"}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). 
Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. 
", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1562"}, {"comments": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. ", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1562"}, {"comments": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. 
AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. ", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1562"}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. 
", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "Managed Insights: AWS Security Hub reports on collections of related findings which are known as managed insights. When possible, these managed insights are mapped to ATT&CK techniques (e.g., \"S3 buckets with public write or read permissions\"). It should be noted that not all managed insights have the level of detail to be able to map them to ATT&CK techniques and are not included in the mapping (e.g., \"EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)\"). \nAWS Config: AWS Security Hub supports reporting on findings from AWS Config (e.g., for CIS AWS Foundations Benchmark controls among others). Given that AWS Config is its own service, these findings will not be mapped to ATT&CK. The only controls that will be included in this mapping are those for which Security Hub implements custom logic. 
It should also be noted that there will be a future CTID project that maps specific CIS Benchmarks to ATT&CK techniques. \n", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"], "tags": [], "mapping-description": "", "capability-id": "AWS Security Hub", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. 
MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. This tool will scan upon any change to access policies or periodically within 24 hours.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. 
This tool will scan upon any change to access policies or periodically within 24 hours.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1098"}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may mitigate against application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer. ", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1550"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. 
These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. 
These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.aws.amazon.com/iam/index.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", 
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Secrets Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
As a result, this mapping is given a score of Significant.", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1071"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1071"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1071"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
As a result, this mapping is given a score of Significant.", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1071"}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. 
", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. ", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. 
", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. 
", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. 
", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1498"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. ", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1498"}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": 
["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. 
This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against port knocking from external systems. 
This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against port knocking among hosts within the network and behind the firewall.", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1205"}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS 
Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. ", "attack-object-id": "T1595.001", "attack-object-name": "Scanning IP Blocks", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. 
", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. 
This mapping is given a score of Partial because AWS Network Firewall does not do anything to protect against TFTP booting among hosts within the network and behind the firewall.", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1542"}, {"comments": "", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"], "tags": ["Network"], "mapping-description": "", 
"capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ", "attack-object-id": "T1590.001", "attack-object-name": "Domain Properties", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. 
", "attack-object-id": "T1590.004", "attack-object-name": "Network Topology", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ", "attack-object-id": "T1590.005", "attack-object-name": "IP Addresses", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. 
", "attack-object-id": "T1590.006", "attack-object-name": "Network Security Appliances", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Network Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). 
The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control may protect against brute force techniques by enabling multi-factor authentication. 
All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS Single Sign-On", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://aws.amazon.com/cloudhsm/", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This service provides a more secure alternative to storing encryption keys in the file system. 
As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1552"}, {"comments": "", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://aws.amazon.com/cloudhsm/", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.", "attack-object-id": "T1588.004", "attack-object-name": "Digital Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1588"}, {"comments": "Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these 
sub-techniques.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1588"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://aws.amazon.com/cloudhsm/", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1553"}, {"comments": "Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.", "attack-object-id": "T1553.002", "attack-object-name": "Code Signing", "references": [], "tags": [], "mapping-description": "", "capability-id": "AWS CloudHSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1553"}]} \ No newline at end of file diff --git a/src/mappings_explorer/cli/parsed_mappings/security_stack/Azure/parsed_Azure.json b/src/mappings_explorer/cli/parsed_mappings/security_stack/Azure/parsed_Azure.json index 3aef87aa..e18257f1 100644 
--- a/src/mappings_explorer/cli/parsed_mappings/security_stack/Azure/parsed_Azure.json
+++ b/src/mappings_explorer/cli/parsed_mappings/security_stack/Azure/parsed_Azure.json
@@ -1 +1 @@ -{"metadata": {"mapping-version": 1, "attack-version": 8.2, "technology-domain": "enterprise", "author": "", "contact": "ctid@mitre-engenuity.org", "creation-date": "03/4/2021", "last-update": "", "organization": "", "mapping-framework": "Azure", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", 
"score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": 
["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], 
"mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": 
["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows 
Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": 
["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for 
Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1140", "attack-object-name": "Deobfuscate/Decode Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1564", "attack-object-name": "Hide Artifacts", "references": 
["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": 
"technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", 
"https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1082", "attack-object-name": "System Information Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", 
"related-score": false}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure 
Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1202", "attack-object-name": "Indirect Command Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1564", "attack-object-name": "Hide Artifacts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1074", "attack-object-name": "Data Staged", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", 
"attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center 
Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": 
"T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", 
"https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1564", "attack-object-name": "Hide Artifacts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": 
"technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", 
"references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1113", "attack-object-name": "Screen Capture", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], 
"mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1526", "attack-object-name": "Cloud Service Discovery", "references": 
["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1069", "attack-object-name": "Permission Groups Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", 
"score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1140", "attack-object-name": "Deobfuscate/Decode Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1217", "attack-object-name": "Browser Bookmark Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1115", "attack-object-name": "Clipboard Data", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1083", "attack-object-name": "File and Directory Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1056", "attack-object-name": "Input Capture", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1057", "attack-object-name": "Process Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1113", "attack-object-name": "Screen Capture", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1518", "attack-object-name": "Software Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1082", "attack-object-name": "System Information Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1016", "attack-object-name": "System Network Configuration Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1049", "attack-object-name": "System Network Connections Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1125", "attack-object-name": "Video Capture", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1074", "attack-object-name": "Data Staged", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1069", "attack-object-name": "Permission Groups Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Most scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. 
But given sufficient resources, an adversary may still successfully execute the attack vectors included in this mapping.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts"], "tags": ["Azure Active Directory", "Credentials", "Identity", "Passwords"], "mapping-description": "", "capability-id": "Azure AD Password Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": 
false}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1069", "attack-object-name": "Permission Groups Discovery", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", 
"Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": 
["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to 
ATT&CK Techniques.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1207", "attack-object-name": "Rogue Domain Controller", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed 
description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Understandably (to avoid enabling adversaries to circumvent 
the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", 
"score-value": "Minimal", "related-score": true}, {"comments": "This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. ", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Credentials"], "mapping-description": "", "capability-id": "Azure Defender for Key Vault", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. 
", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Credentials"], "mapping-description": "", "capability-id": "Azure Defender for Key Vault", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Kubernetes", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Kubernetes", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction", 
"https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Kubernetes", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Kubernetes", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": 
"Subvert Trust Controls", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. 
This mapping specifically deals with MFA when it is enabled as a security default.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Credentials", "Identity", "Passwords", "MFA"], "mapping-description": "", "capability-id": "Azure AD Multi-Factor Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. This mapping specifically deals with MFA when it is enabled as a security default.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Credentials", "Identity", "Passwords", "MFA"], "mapping-description": "", "capability-id": "Azure AD Multi-Factor Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Note there is also a Managed HSM service.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview", "https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Note there is also a Managed HSM service.", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview", "https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Note there is also a Managed HSM service.", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview", "https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": 
"This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1584", "attack-object-name": "Compromise Infrastructure", "references": ["https://docs.microsoft.com/en-us/azure/dns/dns-alias#prevent-dangling-dns-records"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Alias Records", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control is still in preview, so its coverage will likely expand in the future. This mapping is based on its current (preview) state.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections", "https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection"], "tags": ["Azure Security Center", "Database"], "mapping-description": "", "capability-id": "Alerts for Azure Cosmos DB", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "This control is still in preview, so its coverage will likely expand in the future. 
This mapping is based on its current (preview) state.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections", "https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection"], "tags": ["Azure Security Center", "Database"], "mapping-description": "", "capability-id": "Alerts for Azure Cosmos DB", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as \"Significant\" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/backup/backup-overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as \"Significant\" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.microsoft.com/en-us/azure/backup/backup-overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "Azure Backup service provides defense against destruction/manipulation of data at rest. 
Scoring as \"Significant\" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://docs.microsoft.com/en-us/azure/backup/backup-overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": true}, {"comments": "Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as \"Significant\" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": ["https://docs.microsoft.com/en-us/azure/backup/backup-overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Managed identities for Azure resources", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1526", "attack-object-name": "Cloud Service Discovery", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Associated with the Azure Security Center.\nThe alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer"], "tags": ["Analytics", "Azure Security Center", "Network"], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": true}, {"comments": "Associated with the Azure Security Center.\nThe alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer"], "tags": ["Analytics", "Azure Security Center", "Network"], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Associated with the Azure Security Center.\nThe alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer"], "tags": ["Analytics", "Azure Security Center", "Network"], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Privileged Identity 
Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways"], "tags": ["Network"], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": 
"Man-in-the-Middle", "references": ["https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways"], "tags": ["Network"], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways"], "tags": ["Network"], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse"], "tags": ["Azure Defender", "Azure Defender for SQL", "Azure Security Center", "Azure Security Center Recommendation", "Database"], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse"], "tags": ["Azure Defender", "Azure Defender for SQL", "Azure Security Center", "Azure Security Center Recommendation", "Database"], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": 
false}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse"], "tags": ["Azure Defender", "Azure Defender for SQL", "Azure Security Center", "Azure Security Center Recommendation", "Database"], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse"], "tags": ["Azure Defender", "Azure Defender for SQL", "Azure Security Center", "Azure Security Center Recommendation", "Database"], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview"], "tags": ["Azure Security Center Recommendation", 
"Network"], "mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1584", "attack-object-name": "Compromise Infrastructure", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1140", "attack-object-name": "Deobfuscate/Decode Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1594", "attack-object-name": "Search Victim-Owned Websites", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1123", "attack-object-name": "Audio Capture", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1056", "attack-object-name": "Input Capture", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1057", "attack-object-name": "Process Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1012", "attack-object-name": "Query Registry", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1113", "attack-object-name": "Screen Capture", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], 
"mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1074", "attack-object-name": "Data Staged", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": 
"technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", 
"https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel 
for moderate to high temporal score.", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", 
"score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1526", "attack-object-name": "Cloud Service Discovery", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", 
"https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM 
such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", 
"https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as 
Sentinel for moderate to high temporal score.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", 
"score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", 
"https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1534", "attack-object-name": "Internal 
Spearphishing", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction", "https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Container Registries", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction", "https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Container Registries", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction", "https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Container Registries", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction", "https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Container Registries", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "All scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. Due to the fact that a user's password is not checked against the banned list of passwords unless the user changes or resets their password (which is an infrequent event), there is still ample opportunity for attackers to utilize this technique to gain access. 
This is what prevented the score from being elevated to Significant.\n", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad"], "tags": ["Azure Active Directory", "Credentials", "Identity", "Passwords"], "mapping-description": "", "capability-id": "Azure Active Directory Password Protection", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": 
["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". 
Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". 
Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api", "https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": 
["https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api", "https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api", "https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1078", "attack-object-name": "Valid 
Accounts", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", 
"attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless"], "tags": ["Azure Active Directory", "Credentials", "Identity", "Passwords"], "mapping-description": "", "capability-id": "Passwordless Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": true}, {"comments": "", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": 
["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": 
["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": 
"Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, 
{"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation"], "tags": ["Azure Active Directory", "Identity"], "mapping-description": "", "capability-id": "Continuous Access Evaluation", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": true}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. 
Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. 
Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. 
Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": 
["https://docs.microsoft.com/en-us/azure/key-vault/general/overview"], "tags": ["Azure Security Center Recommendation", "Credentials", "Passwords"], "mapping-description": "", "capability-id": "Azure Key Vault", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/key-vault/general/overview"], "tags": ["Azure Security Center Recommendation", "Credentials", "Passwords"], "mapping-description": "", "capability-id": "Azure Key Vault", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/key-vault/general/overview"], "tags": ["Azure Security Center Recommendation", "Credentials", "Passwords"], "mapping-description": "", "capability-id": "Azure Key Vault", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/key-vault/general/overview"], "tags": ["Azure Security Center Recommendation", "Credentials", "Passwords"], "mapping-description": "", "capability-id": "Azure Key Vault", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", 
"score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": true}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", 
"capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": 
["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": true}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": 
"T1083", "attack-object-name": "File and Directory Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": true}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}]} \ No newline at end of file +{"metadata": {"mapping-version": 1, "attack-version": 8.2, "technology-domain": "enterprise", "author": "", "contact": "ctid@mitre-engenuity.org", "creation-date": "03/4/2021", "last-update": "", "organization": "", "mapping-framework": "Azure", "mapping-framework-version": ""}, "attack-objects": [{"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": 
["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides risk detections that can be used to detect suspicious uses of valid accounts, e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc. 
Microsoft utilizes machine learning and heuristic systems to reduce the false positive rate but there will be false positives.\nThe temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day).", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "Response Type: Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1078"}, {"comments": "When Azure Active Directory (AAD) Federation is configured for a tenant, an adversary that compromises a domain credential can use it to access (Azure) cloud resources. Identity Protection supports applying its risk detections (e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc.) to federated identities thereby providing detection mitigation for this risk. 
Because this detection is specific to an adversary utilizing valid domain credentials to access cloud resources and does not mitigate the usage of valid domain credentials to access on-premise resources, this detection has been scored as Partial.\n\nThe temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day).", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "Response Type: Containment\nSupports risk detection responses such as blocking a user's access and enforcing MFA. These responses contain the impact of this sub-technique but do not eradicate it (by forcing a password reset).", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": ""}, {"comments": "This control supports detecting risky sign-ins and users that involve federated users and therefore can potentially alert on this activity. 
Not all alert types for this control support federated accounts therefore the detection coverage for this technique is partial.", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1606"}, {"comments": "Response Type: Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1606"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": 
["https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"], "tags": ["Credentials", "Azure Active Directory", "Identity", "Microsoft 365 Defender"], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": ""}, {"comments": "This control specifically provides detection of Password Spray attacks for Azure Active Directory accounts. Microsoft documentation states that this detection is based on a machine learning algorithm that has been improved with the latest improvement yielding a 100 percent increase in recall and 98 percent precision. The temporal factor for this detection is Partial as its detection is described as offline (i.e. 
detections may not show up in reporting for two to twenty-four hours).", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "Response Type: Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in (such as Password Spray attack) manually and also supports automation via its user and sign-in risk policies.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Protection", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: \"A logon from a malicious IP has been detected\", \"A logon from a malicious IP has been detected. 
[seen multiple times]\".", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: \"A logon from a malicious IP has been detected\", \"A logon from a malicious IP has been detected. [seen multiple times]\".", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. 
The following alerts may be generated: \"Detected anomalous mix of upper and lower case characters in command-line\", \"Detected encoded executable in command line data\", \"Detected obfuscated command line\", \"Detected suspicious combination of HTA and PowerShell\", \"Detected suspicious commandline arguments\", \"Detected suspicious commandline used to start all executables in a directory\", \"Detected suspicious credentials in commandline\", \"Dynamic PS script construction\", \"Suspicious PowerShell Activity Detected\", \"Suspicious PowerShell cmdlets executed\", \"Suspicious command execution\".", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1059"}, {"comments": "This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. 
The following alerts may be generated: \"Detected anomalous mix of upper and lower case characters in command-line\", \"Detected encoded executable in command line data\", \"Detected obfuscated command line\", \"Detected suspicious combination of HTA and PowerShell\", \"Detected suspicious commandline arguments\", \"Detected suspicious commandline used to start all executables in a directory\", \"Detected suspicious credentials in commandline\", \"Dynamic PS script construction\", \"Suspicious PowerShell Activity Detected\", \"Suspicious PowerShell cmdlets executed\", \"Suspicious command execution\".", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1059"}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. 
The following alerts may be generated: \"Detected possible execution of keygen executable\", \"Detected possible execution of malware dropper\", \"Detected suspicious file creation\".", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1204"}, {"comments": "", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect when the Registry is leveraged to gain persistence. 
The following alerts may be generated: \"Windows registry persistence method detected\".", "attack-object-id": "T1547.001", "attack-object-name": "Registry Run Keys / Startup Folder", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. 
The following alerts may be generated: \"Suspicious Account Creation Detected\".", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1136"}, {"comments": "", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions or when a rare service group is executed under SVCHOST. 
The following alerts may be generated: \"Suspect service installation\".", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1543"}, {"comments": "", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: \"Suspicious Screensaver process executed\".", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. 
The following alerts may be generated: \"Sticky keys attack detected\".", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect when User Account Control is bypassed by manipulating the Windows registry. There may be other methods to Bypass User Account Control which limits the score to Minimal. 
The following alerts may be generated: \"Detected change to a registry key that can be abused to bypass UAC\"", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1548"}, {"comments": "", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: \"Fileless attack technique detected\", \"Fileless attack behavior detected\", \"Fileless attack toolkit detected\", \"Suspicious SVCHOST process executed\".", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: \"Fileless attack technique detected\", \"Fileless attack behavior detected\", \"Fileless attack toolkit detected\", \"Suspicious SVCHOST process executed\".", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: \"Fileless attack technique detected\", \"Fileless attack behavior detected\", \"Fileless attack toolkit detected\", \"Suspicious SVCHOST process executed\".", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: \"Fileless attack technique detected\", \"Fileless attack behavior detected\", \"Fileless attack toolkit detected\", \"Suspicious SVCHOST process executed\".", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: \"Fileless attack technique detected\", \"Fileless attack behavior detected\", \"Fileless attack toolkit detected\", \"Suspicious SVCHOST process executed\".", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: \"Fileless attack technique detected\", \"Fileless attack behavior detected\", \"Fileless attack toolkit detected\", \"Suspicious SVCHOST process executed\".", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. 
The following alerts may be generated: \"Fileless attack technique detected\", \"Fileless attack behavior detected\", \"Fileless attack toolkit detected\", \"Suspicious SVCHOST process executed\".", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: \"Fileless attack technique detected\", \"Fileless attack behavior detected\", \"Fileless attack toolkit detected\", \"Suspicious SVCHOST process executed\".", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", 
"references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts 
for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1140", "attack-object-name": "Deobfuscate/Decode Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": 
["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect the usage of cacls.exe to modify file and directory permissions. The following alerts may be generated: \"Detected suspicious use of Cacls to lower the security state of the system\".", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1222"}, {"comments": "", "attack-object-id": "T1564", "attack-object-name": "Hide Artifacts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect usage of the WindowPosition Registry value to hide application windows in non-visible sections of the desktop. 
The following alerts may be generated: \"Suspicious WindowPosition registry value detected\".", "attack-object-id": "T1564.003", "attack-object-name": "Hidden Window", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1564"}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect modification of the Windows firewall through use of netsh.exe or using a method that matches a known threat actor. The following alerts may be generated: \"Malicious firewall rule created by ZINC server implant [seen multiple times]\", \"Detected suspicious new firewall rule\".", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. 
The following alerts may be generated: \"Detected the disabling of critical services\", \"Detected actions indicative of disabling and deleting IIS log files\".", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: \"Detected suspicious file cleanup commands\", \"Suspicious Volume Shadow Copy Activity\".", "attack-object-id": "T1070.004", "attack-object-name": "File Deletion", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1070"}, {"comments": "This control may detect when an event log has been cleared or IIS logs have been deleted. 
The following alerts may be generated: \"Detected actions indicative of disabling and deleting IIS log files\", \"An event log was cleared\".", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1070"}, {"comments": "", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: \"Detected suspicious execution via rundll32.exe\", \"Detected suspicious combination of HTA and PowerShell\".", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1218"}, {"comments": "This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: \"Detected suspicious execution via rundll32.exe\", \"Detected suspicious combination of HTA and PowerShell\".", "attack-object-id": "T1218.011", "attack-object-name": "Rundll32", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1218"}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. 
The following alerts may be generated: \"A logon from a malicious IP has been detected\", \"A logon from a malicious IP has been detected. [seen multiple times]\", \"Successful brute force attack\", \"Suspicious authentication activity\".", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: \"A logon from a malicious IP has been detected\", \"A logon from a malicious IP has been detected. [seen multiple times]\", \"Successful brute force attack\", \"Suspicious authentication activity\".", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: \"A logon from a malicious IP has been detected\", \"A logon from a malicious IP has been detected. 
[seen multiple times]\", \"Successful brute force attack\", \"Suspicious authentication activity\".", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. 
The following alerts may be generated: \"Detected enabling of the WDigest UseLogonCredential registry key\".", "attack-object-id": "T1003.004", "attack-object-name": "LSA Secrets", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1003"}, {"comments": "", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. 
The following alerts may be generated: \"Suspected Kerberos Golden Ticket attack parameters observed\".", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1558"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: \"Multiple Domain Accounts Queried\", \"Local Administrators group members were enumerated\".", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1087"}, {"comments": "This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. 
The following alerts may be generated: \"Multiple Domain Accounts Queried\", \"Local Administrators group members were enumerated\".", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1087"}, {"comments": "", "attack-object-id": "T1082", "attack-object-name": "System Information Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session Hijacking", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect RDP hijacking through use of the tscon.exe binary. 
The following alerts may be generated: \"Suspect integrity level indicative of RDP hijacking\", \"Suspect service installation\".", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1563"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect suspicious use of the Telegram tool for transferring malicious binaries across hosts. 
The following alerts may be generated: \"Detected potentially suspicious use of Telegram tool\".", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1048"}, {"comments": "", "attack-object-id": "T1489", "attack-object-name": "Service Stop", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1202", "attack-object-name": "Indirect Command Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows"], "tags": ["Azure Defender", "Azure Defender for Servers", "Windows"], "mapping-description": "", "capability-id": "Alerts for Windows Machines", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Authentication to Linux machines should require SSH keys\" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "This control's \"Authentication to Linux machines should require SSH keys\" can obviate SSH Brute Force password attacks. 
Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "This control's \"Authentication to Linux machines should require SSH keys\" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Secure Boot should be enabled on your Linux virtual machine\" and \"Virtual machines should be attested for boot integrity health\" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.", "attack-object-id": "T1542.001", "attack-object-name": "System Firmware", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1542"}, {"comments": "This control's \"Secure Boot should be enabled on your Linux virtual machine\" and \"Virtual machines should be attested for boot integrity health\" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. 
Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1542"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Container CPU and memory limits should be enforced\" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. 
Because this is a recommendation, its score is capped at Partial.", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1098"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial.", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1136"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1543"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1546"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1505"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1222"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1564", "attack-object-name": "Hide Artifacts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1564.001", "attack-object-name": "Hidden Files and Directories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1564"}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. 
Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1564.005", "attack-object-name": "Hidden File System", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1564"}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1564"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1053"}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. 
Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1053"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. 
Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1556"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1074", "attack-object-name": "Data Staged", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.", "attack-object-id": "T1074.001", "attack-object-name": "Local Data Staging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1074"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. 
To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Immutable (read-only) root filesystem should be enforced for containers\" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. \n\nLikewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications.\n\nDue to it being a recommendation, its score is capped at Partial.", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1565"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). 
Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Deprecated accounts should be removed from your subscription\" and \"Deprecated accounts with owner permissions should be removed from your subscription\" recommendation can lead to removing accounts that should not be utilized from your subscriptions thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed. 
\nLikewise, the recommendations related to External account permissions can also mitigate this sub-technique.\nBecause these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1078"}, {"comments": "Security Center recommendations include recommendations to enable security controls that have already been mapped separately (e.g. \"Azure Defender for App Service should be enabled\"). Rather than including the (sub-)techniques that these controls map to within this mapping, consult the mapping files for these controls. To make this latter task easier, we have tagged all such controls with the \"Azure Security Center Recommendation\" tag.\nAll scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.\nIoT related recommendations were not included in this mapping.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference", "https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction"], "tags": ["Azure Security Center", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Security Center Recommendations", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", 
"https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access. 
", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1080", 
"attack-object-name": "Taint Shared Content", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage"], "tags": ["Azure Defender", "Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Defender for Storage", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], 
"mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1059"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on addition of new SSH keys to the 
authorized key file and unusual process access of the authorized key file.", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1098"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on a suspicious shared object file being loaded as a kernel module. 
No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1136"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd 
alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on usage of web shells. No documentation is provided on logic for this detection.", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1505"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1564", "attack-object-name": "Hide Artifacts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on the execution of hidden files. 
Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.", "attack-object-id": "T1564.001", "attack-object-name": "Hidden Files and Directories", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1564"}, {"comments": "This control may alert on containers using privileged commands, running SSH servers, or running mining software.", "attack-object-id": "T1564.006", "attack-object-name": "Run Virtual Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1564"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on manipulation of the on-host firewall. 
Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may alert on possible log tampering activity, including deletion of logs. 
No documentation is provided on which log sources are targeted by this control.", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1070"}, {"comments": "This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.", "attack-object-id": "T1070.003", "attack-object-name": "Clear Command History", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1070"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on suspicious compilation. 
No documentation is provided on the logic for determining a suspicious compilation event.", "attack-object-id": "T1027.004", "attack-object-name": "Compile After Delivery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1027"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control may alert on multiple successful and failed brute force attempts against SSH. 
There are no alerts for other methods of logging into Linux machines.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may alert on suspicious access to encrypted user passwords. 
The documentation does not reference \"/etc/passwd\" and \"/etc/shadow\" directly nor does it describe the logic in determining suspicious access.", "attack-object-id": "T1003.008", "attack-object-name": "/etc/passwd and /etc/shadow", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1003"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. 
Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Detections are periodic at an unknown rate.", "attack-object-id": "T1113", "attack-object-name": "Screen Capture", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux"], "tags": ["Azure Defender", "Linux"], "mapping-description": "", "capability-id": "Linux auditd alerts and Log Analytics agent integration", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following alerts are available for Windows Defender security features being disabled but none for third party security tools: \"Antimalware broad files exclusion in your virtual machine\", \"Antimalware disabled and code execution in your virtual machine\", \"Antimalware disabled in your virtual machine\", \"Antimalware file exclusion and code execution in your virtual machine\", \"Antimalware file exclusion in your virtual machine\", \"Antimalware real-time protection was disabled in your virtual machine\", \"Antimalware real-time protection was disabled temporarily in your virtual machine\", \"Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine\", \"Antimalware temporarily disabled in your virtual machine\", \"Antimalware unusual file exclusion in your virtual machine\".", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": 
["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1526", "attack-object-name": "Cloud Service Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1069", "attack-object-name": "Permission Groups Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on Permission Groups Discovery of Cloud Groups activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. 
The following alerts may be generated: \"MicroBurst exploitation toolkit used to enumerate resources in your subscriptions\", \"Azurite toolkit run detected\".", "attack-object-id": "T1069.003", "attack-object-name": "Cloud Groups", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1069"}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. 
The following alerts may be generated: \"PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables\", \"PowerZure exploitation toolkit used to enumerate resources\", \"MicroBurst exploitation toolkit used to enumerate resources in your subscriptions\", \"Azurite toolkit run detected\".", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1087"}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-resource-manager-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-resourcemanager"], "tags": ["Azure Defender"], "mapping-description": "", "capability-id": "Azure Defender for Resource Manager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Can limit access to client management interfaces or configuration databases", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1602"}, {"comments": "Can limit access to client management interfaces or configuration databases", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1602"}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1542"}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1048"}, {"comments": "This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1048"}, {"comments": "This control can reduce the protocols available for data exfiltration. 
Temporal immediate, coverage substantial.", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1048"}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. 
One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "Note: one can employ Application 
Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1090"}, 
{"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. Not scoring ANH as a separate control.", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note: one can employ Application Security Groups (ASG) in Network Security Group (NSG) rules to map rules to workloads etc. Not scoring ASG as a separate control. One can employ Adaptive Network Hardening (ANH) to generate recommended NSG rules based on traffic, known trusted configuration, threat intelligence, and other inidcators of compromise. 
Not scoring ANH as a separate control.", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview", "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works", "https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening"], "tags": ["Adaptive Network Hardening", "Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can be used to implement whitelist based network rules that can mitigate variations of this sub-techniques that result in opening closed ports for communication. Because this control is able to drop traffic before reaching a compromised host, it can effectively mitigate this port knocking sub-technique.", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Network Security Groups", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1205"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"Rare processes run by Service accounts\" query can identify potential misuse of default accounts. Because this detection is specific to rare processes its coverage score is Minimal resulting in a Minimal score.", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1078"}, {"comments": "The following Azure Sentinel Hunting queries can identify potential compromise of domain accounts based on access attempts and/or account usage: \"Suspicious Windows Login outside normal hours\", \"User account added or removed from security group by an unauthorized user\", \"User Account added to Built in Domain Local or Global Group\", \"User Login IP Address Teleportation\", \"User made Owner of multiple teams\", \"Tracking Privileged Account Rare Activity\", \"New Admin account activity which was not seen historically\", \"New client running queries\", \"New users running queries\", \"Non-owner mailbox login activity\", \"Powershell or non-browser mailbox login activity\", \"Rare User Agent strings\", \"Same IP address with multiple csUserAgent\" which may indicate that an account is being used from a new device, \"Rare domains seen in Cloud Logs\" when 
accounts from uncommon domains access or attempt to access cloud resources, \"Same User - Successful logon for a given App and failure on another App within 1m and low distribution\", \"Hosts with new logons\", \"Inactive or new account signins\", \"Long lookback User Account Created and Deleted within 10mins\", \"Anomalous Geo Location Logon\", and \"Anomalous Sign-in Activity\".\nThe following Azure Sentinel Analytics queries can identify potential compromise of domain accounts based on access attempts and/or account usage: \"Anomalous User Agent connection attempt\", \"New UserAgent observed in last 24 hours\" which may indicate that an account is being used from a new device, \"Anomalous sign-in location by user account and authenticating application\", \"Anomalous login followed by Teams action\", \"GitHub Signin Burst from Multiple Locations\", \"Sign-ins from IPs that attempt sign-ins to disabled accounts\", \"Failed Host logons but success logon to AzureAD\", and \"Anomalous RDP Login Detections\".", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "The following Azure Sentinel Hunting queries can identify potential compromise of local accounts based on access attempts and/or account usage: \"Suspicious Windows Login outside normal hours\", \"User Login IP Address Teleportation\", \"User account added or removed from a security group by an unauthorized user\", \"User Account added to Built in Domain Local or Global Group\", \"User added to SQL Server SecurityAdmin Group\", \"User Role altered on SQL Server\", \"User made Owner of multiple teams\", \"Tracking Privileged Account Rare Activity\", and \"Anomalous Login to Devices\".\nThe following Azure Sentinel Analytics queries can identify potential compromise of 
local accounts based on access attempts and/or account usage: \"User account enabled and disabled within 10 mins\", \"Long lookback User Account Created and Deleted within 10mins\", \"Explicit MFA Deny\", \"Hosts with new logons\", \"Inactive or new account signins\", \"Anomalous SSH Login Detection\", and \"Anomalous RDP Login Detections\".", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "The following Azure Sentinel Hunting queries can identify potential compromise of cloud accounts: \"New Admin account activity which was not seen historically\", \"New client running queries\", \"New users running queries\", \"User returning more data than daily average\", \"User Login IP Address Teleportation\", \"Non-owner mailbox login activity\", \"Powershell or non-browser mailbox login activity\", \"Rare User Agent strings\" and \"Same IP address with multiple csUserAgent\" which may indicate that an account is being used from a new device, \"Rare domains seen in Cloud Logs\", \"Same User - Successful logon for a given App and failure on another App within 1m and low distribution\", \"Anomalous Azure Active Directory Apps based on authentication location\", \"Anomalous Geo Location Logon\", \"Anomalous Sign-in Activity\", \"Azure Active Directory sign-in burst from multiple locations\", and \"Azure Active Directory signins from new locations\".\n\nThe following Azure Sentinel Analytics queries can identify potential compromise of cloud accounts: \"Anomalous User Agent connection attempt\" and \"New UserAgent observed in last 24 hours\", which may indicate that an account is being used from a new device which may belong to an adversary; \"Anomalous sign-in location by user account and authenticating application\", \"GitHub Signin 
Burst from Multiple Locations\", \"GitHub Activites from a New Country\", and \"Sign-ins from IPs that attempt sign-ins to disabled accounts\", which may indicate adversary access from atypical locations; \"Azure Active Directory PowerShell accessing non-AAD resources\", \"Anomalous login followed by Teams action\", \"Login to AWS management console without MFA\", and \"Azure Active Directory PowerShell accessing non-AAD resources\" which may indicate an adversary attempting to use a valid account to access resources from other contexts. The \"Correlate Unfamiliar sign-in properties\" query can further enhance detection of anomalous activity.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following Azure Sentinel Hunting queries can identify potentially malicious changes to Azure DevOps project resources: \"Azure DevOps - Project Visibility changed to public\" can identify a specific action that may be an indicator of an attacker modifying the cloud compute infrastructure. \"Azure DevOps - Public project created\" and \"Azure DevOps - Public project enabled by admin\" can identify specific instances of potential defense evasion.\nThe following Azure Sentinel Analytics queries can identify potentially malicious changes to Azure DevOps project resources: \"AzureDevops Service Connection Abuse\" can detect potential malicious behavior associated with use of large number of service connections, \"External Upstream Source added to Azure DevOps\" identifies a specific behavior that could compromise the DevOps build pipeline, \"Azure DevOps Pull Request Policy Bypassing - History\" can identify specific potentially malicious behavior that compromises the build process, \"Azure DevOps Pipeline modified by a New User\" identifies potentially malicious activity that could compromise the DevOps pipeline, \"Azure DevOps Administrator Group Monitoring\" monitors for specific activity which could compromise the build/release process, \"New Agent Added to Pool by New User or a New OS\" can detect a suspicious behavior that could potentially compromise DevOps pipeline.", 
"attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1195"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The \"Summary of user logons by logon type\" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement.\nThe following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: \"VIP account more than 6 failed logons in 10\", \"Multiple Failed Logon on SQL Server in Short time Span\", \"Permutations on logon attempts by UserPrincipalNames indicating potential brute force\", \"Potential IIS brute force\", \"Failed attempt to access Azure Portal\", 
\"Failed Login Attempt by Expired account\", \"Failed Logon Attempts on SQL Server\", \"Failed Logon on SQL Server from Same IPAddress in Short time Span\", \"Failed service logon attempt by user account with available AuditData\", \"Login attempt by Blocked MFA user\", \"Login spike with increase failure rate\", \"Attempts to sign-in to disabled accounts by IP address\", \"Attempts to sign-in to disabled accounts by account name\", \"Brute Force attack against Azure Portal\", and \"Anomalous Failed Logon\"\nThe following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: \"Brute force attack against Azure Portal\", \"Password spray attack against Azure AD application\", \"Successful logon from IP and failure from a different IP\", \"Failed logon attempts in authpriv\", \"Failed AzureAD logons but success logon to host\", \"Excessive Windows logon failures\", \"Failed login attempts to Azure Portal\", \"Failed logon attempts by valid accounts within 10 mins\", \"Brute Force Attack against GitHub Account\", \"Distributed Password cracking attempts in AzureAD\", \"Potential Password Spray Attack\" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, \"Attempts to sign in to disabled accounts\", \"Sign-ins from IPs that attempt sign-ins to disabled accounts\", \"High count of failed logins by a user\", \"Hi count of failed attempts same client IP\", \"SSH - Potential Brute Force\", and \"SecurityEvent - Multiple authentication failures followed by success\".", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "The \"Summary of user logons by logon type\" Azure Sentinel Hunting query compares successful and 
unsuccessful logon attempts to identify potential lateral movement.\nThe following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: \"VIP account more than 6 failed logons in 10\", \"Multiple Failed Logon on SQL Server in Short time Span\", \"Permutations on logon attempts by UserPrincipalNames indicating potential brute force\", \"Potential IIS brute force\", \"Failed attempt to access Azure Portal\", \"Failed Login Attempt by Expired account\", \"Failed Logon Attempts on SQL Server\", \"Failed Logon on SQL Server from Same IPAddress in Short time Span\", \"Failed service logon attempt by user account with available AuditData\", \"Login attempt by Blocked MFA user\", \"Login spike with increase failure rate\", \"Attempts to sign-in to disabled accounts by IP address\", \"Attempts to sign-in to disabled accounts by account name\", \"Brute Force attack against Azure Portal\", and \"Anomalous Failed Logon\"\nThe following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: \"Brute force attack against Azure Portal\", \"Password spray attack against Azure AD application\", \"Successful logon from IP and failure from a different IP\", \"Failed logon attempts in authpriv\", \"Failed AzureAD logons but success logon to host\", \"Excessive Windows logon failures\", \"Failed login attempts to Azure Portal\", \"Failed logon attempts by valid accounts within 10 mins\", \"Brute Force Attack against GitHub Account\", \"Distributed Password cracking attempts in AzureAD\", \"Potential Password Spray Attack\" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, \"Attempts to sign in to disabled accounts\", \"Sign-ins from IPs that attempt sign-ins to disabled accounts\", \"High count of failed logins by a user\", \"Hi count of failed attempts same client IP\", \"SSH - Potential Brute Force\", and 
\"SecurityEvent - Multiple authentication failures followed by success\".", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "The \"Summary of user logons by logon type\" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement.\nThe following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: \"VIP account more than 6 failed logons in 10\", \"Multiple Failed Logon on SQL Server in Short time Span\", \"Permutations on logon attempts by UserPrincipalNames indicating potential brute force\", \"Potential IIS brute force\", \"Failed attempt to access Azure Portal\", \"Failed Login Attempt by Expired account\", \"Failed Logon Attempts on SQL Server\", \"Failed Logon on SQL Server from Same IPAddress in Short time Span\", \"Failed service logon attempt by user account with available AuditData\", \"Login attempt by Blocked MFA user\", \"Login spike with increase failure rate\", \"Attempts to sign-in to disabled accounts by IP address\", \"Attempts to sign-in to disabled accounts by account name\", \"Brute Force attack against Azure Portal\", and \"Anomalous Failed Logon\"\nThe following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: \"Brute force attack against Azure Portal\", \"Password spray attack against Azure AD application\", \"Successful logon from IP and failure from a different IP\", \"Failed logon attempts in authpriv\", \"Failed AzureAD logons but success logon to host\", \"Excessive Windows logon failures\", \"Failed login attempts to Azure Portal\", \"Failed logon attempts by valid accounts within 10 mins\", 
\"Brute Force Attack against GitHub Account\", \"Distributed Password cracking attempts in AzureAD\", \"Potential Password Spray Attack\" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, \"Attempts to sign in to disabled accounts\", \"Sign-ins from IPs that attempt sign-ins to disabled accounts\", \"High count of failed logins by a user\", \"Hi count of failed attempts same client IP\", \"SSH - Potential Brute Force\", and \"SecurityEvent - Multiple authentication failures followed by success\".", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"First access credential added to Application or Service Principal where no credential was present\" query can identify potentially malicious changes to Service Principal credentials.\nThe Azure Sentinel Analytics \"Credential added after admin consented to Application\" and \"New access credential added to Application or Service Principal\" queries can identify potentially malicious manipulation of additional cloud credentials.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1098"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following Azure Sentinel Analytics queries can identify potentially malicious use of web protocols: \"Powershell Empire cmdlets seen in command line\" can identify use of Empire, which can perform command and control over protocols like HTTP and HTTPS. \"Request for single resource on domain\" can identify patterns that suggest possible command and control beaconing. The coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1071"}, {"comments": "The following Azure Sentinel Hunting queries can identify potentially malicious use of DNS: \"RareDNSLookupWithDataTransfer\" [sic] can identify data transfer over DNS, though it is contingent on DNS traffic meeting the requirements to be considered rare. \"Abnormally Long DNS URI queries\" can identify suspicious DNS queries that may be indicative of command and control operations. 
\"DNS - domain anomalous lookup increase\", \"DNS Full Name anomalous lookup increase\", and \"DNS lookups for commonly abused TLDs\" can identify increases in domain lookups for a client IP and indicate malicious traffic or exfiltration of sensitive data.", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Azure Sentinel Analytics \"SharePointFileOperation via previously unseen IPs\" can detect potential exfiltration activity via SharePoint. 
The coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1567"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Azure Sentinel Analytics \"SharePointFileOperation via previously unseen IPs\" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1567"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"High count of connections by client IP on many ports\" query can identify client IP addresses with 30 or more active ports used within a ten minute window, checked at a default frequency of once per hour, which may indicate scanning. Note that false positives are probable based on changes in usage patterns and/or misconfiguration, and this detection only works if scanning is not spread out over a longer timespan.", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following Azure Sentinel Hunting queries can identify potential exfiltration: \"Abnormally long DNS URI queries\" can identify potential exfiltration via DNS. 
\"Multiple users email forwarded to same destination\" and \"Office Mail Forwarding - Hunting Version\" can detect potential exfiltration via email.\nThe Azure Sentinel Analytics \"Multiple users email forwarded to same destination\" query can detect potential exfiltration via email. The coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1048"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"Security Event Log Cleared\" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1070"}, {"comments": "The Azure Sentinel Hunting \"Windows System Time changed on hosts\" query can detect potential timestomping activities.\nThe Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can identify use of Empire, which can timestomp files and/or payloads on a target machine to help them blend in.", "attack-object-id": "T1070.006", "attack-object-name": "Timestomp", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1070"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can identify use of Empire, which leverages PowerShell for the majority of its client-side agent tasks and can conduct PowerShell remoting. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "The Azure Sentinel Hunting \"Cscript script daily summary breakdown\" can detect potentially malicious scripting. The Azure Sentinel Hunting \"Hosts running a rare process with commandline\" query can identify uncommon command shell usage that may be malicious.\nThe Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. 
The Azure Sentinel Analytics \"Base64 encoded Windows process command-lines\" query can identify Base64 encoded PE files being launched via the command line.", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "The Azure Sentinel Hunting \"Rare process running on a Linux host\" query can identify uncommon shell usage that may be malicious.", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "The Azure Sentinel Hunting \"Cscript script daily summary breakdown\" can detect potentially malicious scripting. The Azure Sentinel Hunting \"Hosts running a rare process with commandline\" query can identify uncommon command shell usage that may be malicious.", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript/JScript", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "The Azure Sentinel Hunting \"Cscript script daily summary breakdown\" can detect potentially malicious scripting. 
The Azure Sentinel Hunting \"Hosts running a rare process with commandline\" query can identify uncommon command shell usage that may be malicious.", "attack-object-id": "T1059.005", "attack-object-name": "Visual Basic", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "The Azure Sentinel Hunting \"Cscript script daily summary breakdown\" can detect potentially malicious scripting. The Azure Sentinel Hunting \"Hosts running a rare process with commandline\" query can identify uncommon command shell usage that may be malicious.", "attack-object-id": "T1059.006", "attack-object-name": "Python", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following Azure Sentinel Hunting queries can identify potentially malicious access to SharePoint: \"SharePointFileOperation via clientIP with previously unseen user agents\", \"SharePointFileOperation via devices with previously unseen user agents\", and \"SharePointFileOperation via previously unseen IPs\".\nThe Azure Sentinel Analytics \"SharePointFileOperation via devices with previously unseen user agents\" query can identify a high number of upload or download actions by an unknown and possible malicious actor.", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1213"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"New User created on SQL Server\" query can detect a specific type of potentially malicious local account creation.\nThe following Azure Sentinel Analytics queries can identify potentially malicious local account creation: \"Summary of users created using uncommon/undocumented commandline switches\" which can identify use of the net command to create user accounts, \"User created by unauthorized user\", \"User Granted Access and associated audit activity\" and \"User Granted Access and Grants others Access\" which may identify account creation followed by suspicious behavior, \"User account created and deleted within 10 mins\" which suggests an account may have existed only long enough to fulfill a malicious purpose, and \"Powershell Empire cmdlets seen in command line\" which can identify use of Empire, including for account creation.", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1136"}, {"comments": "The following 
Azure Sentinel Analytics queries can identify potentially malicious domain account creation: \"Summary of users created using uncommon/undocumented commandline switches\" which can identify use of the net command to create user accounts, \"User created by unauthorized user\", \"User Granted Access and associated audit activity\" and \"User Granted Access and Grants others Access\" which may identify account creation followed by suspicious behavior, \"User account created and deleted within 10 mins\" which suggests an account may have existed only long enough to fulfill a malicious purpose, and \"Powershell Empire cmdlets seen in command line\" which can identify use of Empire, including for account creation.", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1136"}, {"comments": "The Azure Sentinel Hunting queries can identify potentially malicious cloud account creation: \"External user added and removed in short timeframe\" and \"External user from a new organisation added\" can identify the addition of new external Teams user accounts.\nThe following Azure Sentinel Analytics queries can identify potentially malicious cloud account creation: \"User Granted Access and created resources\" which identifies a newly created user account gaining access and creating resources in Azure, and \"New Cloud Shell User\".", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1136"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of 
Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can identify use of Empire, which has the ability to collect emails on a target system. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.", "attack-object-id": "T1114.001", "attack-object-name": "Local Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1114"}, {"comments": "The Azure Sentinel Hunting \"Suspect Mailbox Export on IIS/OWA\" query can identify potential malicious exfiltration hosting via IIS. The Azure Sentinel Hunting \"Host Exporting Mailbox and Removing Export\" query can identify potential exfiltration of data from Exchange servers. 
The coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1114.002", "attack-object-name": "Remote Email Collection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1114"}, {"comments": "The Azure Sentinel Hunting \"Mail redirect via ExO transport rule\" query can detect potentially malicious email redirection, but is limited to Exchange servers only.", "attack-object-id": "T1114.003", "attack-object-name": "Email Forwarding Rule", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1114"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"Web shell command alert enrichment\", \"Web shell Detection\", and \"Web shell file alert enrichment\" queries can identify potentially malicious activity via web shell.", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1505"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1573", "attack-object-name": "Encrypted Channel", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following Azure Sentinel Analytics queries can detect potentially malicious usage of asymmetric cryptography channels: \"DNS events related to ToR proxies\" can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc. \"Powershell Empire cmdlets seen in command line\" can identify use of Empire, which can use TLS to encrypt a command and control channel.", "attack-object-id": "T1573.002", "attack-object-name": "Asymmetric Cryptography", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1573"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"DNS events related to ToR proxies\" query can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc.", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1090"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following Azure Sentinel Hunting queries can identify potentially malicious modifications to Sentinel resources: \"Azure Sentinel Analytics Rules Administrative Operations\", \"Azure Sentinel Connectors Administrative Operations\", and \"Azure Sentinel Workbooks Administrative Operations\".\nThe Azure Sentinel Analytics \"Starting or Stopping HealthService to Avoid Detection\" query can detect potentially malicious disabling of telemetry collection/detection.\nThe coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The Azure Sentinel Analytics \"Audit policy manipulation using auditpol utility\" query can detect potentially malicious to modification and/or disabling of logging via the auditpol utility. 
The coverage for these queries is minimal (specific to Audit policy) resulting in an overall Minimal score.", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The Azure Sentinel Hunting \"Azure Sentinel Analytics Rules Administrative Operations\" query can identify potential attempts to impair defenses by changing or deleting detection analytics.\nThe Azure Sentinel Analytics \"Azure DevOps - Retention Reduced to Zero\" query can identify that an adversary is looking to reduce their malicious activity's footprint by preventing retention of artifacts. Control is specific to indicators produced by Azure DevOps. The coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The following Azure Sentinel Hunting queries can identify potentially malicious modifications to cloud firewall resources: \"Azure Network Security Group NSG Administrative Operations\" query can identify potential defensive evasion involving changing or disabling network access rules. 
\"Port opened for an Azure Resource\" may indicate an adversary increasing the accessibility of a resource for easier collection/exfiltration.\nThe Azure Sentinel Analytics \"Security Service Registry ACL Modification\" query can detect attempts to modify registry ACLs, potentially done to evade security solutions.", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1562"}, {"comments": "The Azure Sentinel Analytics \"Exchange AuditLog disabled\" query can detect potentially malicious disabling of Exchange logs. The Azure Sentinel Analytics \"Azure DevOps Audit Stream Disabled\" query can identify disabling of Azure DevOps log streaming. The coverage for these queries is minimal (specific to these technologies) resulting in an overall Minimal score.", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"Potential DGA detected\" query can detect clients with a high NXDomain count, which might indicate an adversary cycling through possible C2 domains where most C2s are not live.\nThe following Azure Sentinel Analytics queries can identify potential use of domain generation algorithms: \"Possible contact with a domain generated by a DGA\" and \"Potential DGA detected\" within DNS.", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1568"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following Azure Sentinel Analytics queries can identify potentially malicious use of Outlook rules: \"Office policy tampering\", \"Malicious Inbox Rule\" which can detect rules intended to delete emails that contain certain keywords (generally meant to warn compromised users about adversary behaviors), and \"Mail redirect via ExO transport rule\" (potentially to an adversary mailbox configured to collect mail).", "attack-object-id": "T1137.005", "attack-object-name": "Outlook Rules", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1137"}, {"comments": "The Azure Sentinel Hunting \"Previously unseen bot or applicaiton added to Teams\" [sic] query can detect the addition of a potentially malicious add-in, but is specific to Microsoft Teams.", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1137"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd 
party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1140", "attack-object-name": "Deobfuscate/Decode Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Azure Sentinel Analytics includes a \"Potential Kerberoasting\" query. Kerberoasting via Empire can also be detected using the Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query.", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1558"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect execution of these sub-techniques via Empire, but does not address other procedures.", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1558"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect execution of these sub-techniques via Empire, but does not address other procedures.", "attack-object-id": "T1558.002", "attack-object-name": "Silver Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": 
"Detect", "score-value": "Minimal", "related-score": "T1558"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"anomalous RDP Activity\" query can detect potential lateral\nmovement employing RDP.\n\nThe following Azure Sentinel Analytics queries can identify potentially malicious use\nof RDP:\n\"Anomalous RDP Login Detections\", \"Multiple RDP connections from Single Systems\",\n\"Rare RDP Connections\", and \"RDP Nesting\".", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "The Azure Sentinel Hunting \"Anomalous Resource Access\" query can identify potential lateral movement via use of valid accounts to access network shares (Windows Event 4624:3).", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1021"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can utilize Invoke-DCOM to leverage remote COM execution for lateral movement, but does not address other procedures.", "attack-object-id": 
"T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1021"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which contains modules for executing commands over SSH as well as in-memory VNC agent injection, but does not address other procedures. Azure Sentinel Analytics also provides a \"New internet-exposed SSH endpoints\" query.\nThe coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1021"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Azure DevOps - Variable Secret Not Secured\" query can identify credentials stored in the build process and protect against future credential access by suggesting that they be moved to a secret or stored in KeyVault before they can be accessed by an adversary.\nThe coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1552"}, {"comments": "The Azure Sentinel Hunting \"Query looking for secrets\" query can identify potentially malicious database requests for secrets like passwords or other credentials.\nThe Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can use various modules to search for files containing passwords, but does not address other procedures.\nThe coverage for these queries is minimal resulting in an overall Minimal score.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", 
"score-value": "Minimal", "related-score": "T1552"}, {"comments": "The Azure Sentinel Analytics \"ADFS DKM Master Key Export\" and \"ADFS Key Export (Sysmon)\" queries can detect potentially malicious access intended to decrypt access tokens. The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can use modules to extract private key and session information, but does not address other procedures.\nThe coverage for these queries is minimal (specific to Empire, ADFS) resulting in an overall Minimal score.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1552"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Rare client observed with high reverse DNS lookup count\" query can detect if a particular IP is observed performing an unusually high number of reverse DNS lookups and has not been observed doing so previously.", "attack-object-id": "T1590.002", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1590"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which includes various modules to attempt to bypass UAC for privilege escalation, but does not address other procedures.", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1548"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.", "attack-object-id": "T1134.002", "attack-object-name": "Create Process with Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1134"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1134"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were 
omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"Enumeration of users and groups\" query can identify potentially malicious account discovery through the use of the net tool.\nThe Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1087"}, {"comments": "The Azure Sentinel Hunting \"Enumeration of users and groups\" query can identify potentially malicious account discovery through the use of the net tool.\nThe Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1087"}, {"comments": "The Azure Sentinel Analytics \"Mail.Read Permissions Granted to Application\" query can identify applications that may have been abused to gain access to mailboxes.", "attack-object-id": "T1087.003", "attack-object-name": "Email Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1087"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1547"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1547"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk 
files to include backdoors, and modify the registry run keys, but does not address other procedures.", "attack-object-id": "T1547.001", "attack-object-name": "Registry Run Keys / Startup Folder", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1547"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1217", "attack-object-name": "Browser Bookmark Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1115", "attack-object-name": "Clipboard Data", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1543"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can extract passwords from common web browsers including Firefox and Chrome, but does not address other procedures.", "attack-object-id": "T1555.003", "attack-object-name": "Credentials from Web Browsers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1555"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can modify group policy objects to install and execute malicious scheduled tasks, but does not address other procedures.", "attack-object-id": "T1484.001", "attack-object-name": "Group Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1484"}, {"comments": "The Azure Sentinel Analytics \"Modified Domain Federation Trust Settings\" query can detect potentially malicious changes to domain trust settings.", "attack-object-id": "T1484.002", "attack-object-name": "Domain Trust Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1484"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can leverage WMI debugging to remotely replace binaries like seth.exe, utilman.exe, and magnify.exe with cmd.exe, but does not address other procedures.", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1546"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1083", "attack-object-name": "File and Directory Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1574"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1574"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire 
cmdlets seen in command line\" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1574"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1574"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1056", "attack-object-name": "Input Capture", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.", "attack-object-id": "T1056.001", "attack-object-name": "Keylogging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1056"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.", "attack-object-id": "T1056.004", "attack-object-name": "Credential API Hooking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1056"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC 
information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks, but does not address other procedures.", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1557"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which contains an implementation of Mimikatz to gather credentials from memory, but does not address other procedures.", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1003"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1057", "attack-object-name": "Process Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"Editing Linux scheduled tasks through Crontab\" query can detect potentially malicious modification of cron jobs.", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1053"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can interact with the Windows task scheduler, but does not address other procedures.", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1053"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information 
were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1113", "attack-object-name": "Screen Capture", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1518", "attack-object-name": "Software Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can enumerate antivirus software on the target, but does not address other procedures.", "attack-object-id": "T1518.001", "attack-object-name": "Security Software Discovery", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1518"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1082", "attack-object-name": "System Information Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1016", "attack-object-name": "System Network Configuration Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1049", "attack-object-name": "System Network Connections Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can use PsExec to execute a payload on a remote host, but does not address other procedures.", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1569"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can use abuse trusted utilities including MSBuild.exe, but does not address other procedures.", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1127"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Azure DevOps - PAT used with Browser.\" query can identify potentially malicious usage of Personal Access Tokens intended for code or applications to be used through the web browser.", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1550"}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can perform pass the hash attacks, but does not address other procedures.", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1550"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1125", "attack-object-name": "Video Capture", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1102", "attack-object-name": "Web Service", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Powershell Empire cmdlets seen in command line\" query can detect the use of Empire, which can use Dropbox and GitHub for command and control, but does not address other procedures.", "attack-object-id": "T1102.002", "attack-object-name": "Bidirectional Communication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1102"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1080", "attack-object-name": "Taint Shared Content", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1074", "attack-object-name": "Data Staged", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Analytics \"Malware in the recycle bin\" query can detect local hidden malware.", "attack-object-id": "T1074.001", "attack-object-name": "Local Data Staging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1074"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"Exes with double file extension and access summary\" can identify malicious executable files that have been hidden as other file types.", "attack-object-id": "T1036.004", "attack-object-name": "Masquerade Task or Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1036"}, {"comments": "The Azure Sentinel Hunting \"Masquerading Files\" and \"Rare Process Path\" queries can detect an adversary attempting to make malicious activity blend in with legitimate commands and files. The Azure Sentinel Hunting \"Azure DevOps Display Name Changes\" query can detect potentially maliicous changes to the DevOps user display name.", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1036"}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. 
Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following capabilities of Azure Sentinel were mapped: Default list of Azure Sentinel Analytics (from the rule template list) Default list of Azure Sentinel Hunting queries\nQueries based on 3rd party analytics and/or specific IOC information were omitted from this mapping. 
Query names are identified in quotes throughout this mapping.\nAzure Sentinel Analytics queries are generally periodic, typically on a period of one or more hours.\nAzure Sentinel Hunting queries are performed on demand. Note also that a number of the Hunting queries are examples that can be modified for additional use, but scoring was performed on the queries as-written.", "attack-object-id": "T1069", "attack-object-name": "Permission Groups Discovery", "references": ["https://docs.microsoft.com/en-us/azure/sentinel/overview", "https://docs.microsoft.com/en-us/azure/sentinel/hunting"], "tags": ["Analytics", "Threat Hunting"], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The Azure Sentinel Hunting \"Enumeration of users and groups\" query can identify potentially malicious group discovery through the use of the net tool.", "attack-object-id": "T1069.002", "attack-object-name": "Domain Groups", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1069"}, {"comments": "The Azure Sentinel Hunting \"Enumeration of users and groups\" query can identify potentially malicious group discovery through the use of the net tool.", "attack-object-id": "T1069.001", "attack-object-name": "Local Groups", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Sentinel", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1069"}, {"comments": "Most scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. 
But given sufficient resources, an adversary may still successfully execute the attack vectors included in this mapping.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts"], "tags": ["Azure Active Directory", "Credentials", "Identity", "Passwords"], "mapping-description": "", "capability-id": "Azure AD Password Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "The password restrictions provided by the default Password policy along with the lockout threshold and duration settings is an effective protection against this Password Guessing sub-technique.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Password Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector.\nIn regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. 
This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Password Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector.\nIn regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. 
This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Password Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The following alert of this control is able to detect domain account discovery: \"Account enumeration reconnaissance (external ID 2003)\". 
This shouldn't occur frequently and therefore the false positive rate should be minimal.\nThe \"Security principal reconnaissance (LDAP) (external ID 2038)\" alert is also relevant and its machine learning capabilities should reduce the false positive rate.\nThe \"User and IP address reconnaissance (SMB) (external ID 2012)\" alert can also provide a detection on a variation of this sub-technique.", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1087"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1201", "attack-object-name": "Password Policy Discovery", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": 
"technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1069", "attack-object-name": "Permission Groups Discovery", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Security principal reconnaissance (LDAP) (external ID 2038)\" alert can be used to detect when an adversary \"perform suspicious LDAP enumeration queries or queries targeted to sensitive groups that use methods not previously observed.\" This alert employs machine learning which should reduce the number of false positives.\nAdditionally, this control's \"User and Group membership reconnaissance (SAMR) (external ID 2021)\" alert can detect this sub-technique and also employs machine learning which should reduce the false-positive rate.", "attack-object-id": "T1069.002", "attack-object-name": "Domain Groups", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1069"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of 
Remote Services", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Suspected identity theft (pass-the-hash) (external ID 2017)\" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.\nThis control's \"Suspected identity theft (pass-the-ticket) (external ID 2018)\" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1550"}, {"comments": "This control's \"Suspected identity theft 
(pass-the-hash) (external ID 2017)\" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.\nThis control's \"Suspected identity theft (pass-the-ticket) (external ID 2018)\" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1550"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Suspected NTLM relay attack (Exchange account) (external ID 2037)\" alert can detect NTLM relay attack specific to the Exchange service. 
Because this detection is limited to this variation of the sub-technique, its coverage score is Minimal resulting in an overall Minimal score.", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1557"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)\" alert can detect these brute force sub-techniques. 
It incorporates a machine learning feature that should reduce the number of false positives.\nSimilarly, its \"Suspected Brute Force attack (LDAP) (external ID 2004)\" alert can detect brute force attacks using LDAP simple binds.\nThe \"Suspected Brute Force attack (SMB) (external ID 2033)\" alert is also relevant but the details are sparse.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control's \"Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)\" alert can detect these brute force sub-techniques. It incorporates a machine learning feature that should reduce the number of false positives.\nSimilarly, its \"Suspected Brute Force attack (LDAP) (external ID 2004)\" alert can detect brute force attacks using LDAP simple binds.\nThe \"Suspected Brute Force attack (SMB) (external ID 2033)\" alert is also relevant but the details are sparse.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", 
"capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack. \nSimilarly its \"Suspected AS-REP Roasting attack (external ID 2412)\" alert is able to detect AS-REP Roasting sub-technique.\nThe accuracy of these alerts is unknown and therefore its score has been assessed as Partial.", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1558"}, {"comments": "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack. 
\nSimilarly its \"Suspected AS-REP Roasting attack (external ID 2412)\" alert is able to detect AS-REP Roasting sub-technique.\nThe accuracy of these alerts is unknown and therefore its score has been assessed as Partial.", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1558"}, {"comments": "This control has numerous alerts that can detect Golden Ticket attacks from multiple perspectives. The accuracy of these alerts is unknown resulting in a partial score.", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1558"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1555", 
"attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Malicious request of Data Protection API master key (external ID 2020)\" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. DPAPI is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data. This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage resulting in a Minimal score.", "attack-object-id": "T1555.003", "attack-object-name": "Credentials from Web Browsers", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1555"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": 
"Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via Powershell. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. 
Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via Psexec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. 
Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.\nThis control's \"Data exfiltration over SMB (external ID 2030)\" alert may also be able to detect exfiltration of sensitive data on domain controllers using SMB.\n", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1021"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via Psexec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. 
Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1569"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1207", "attack-object-name": "Rogue Domain Controller", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Suspected DCSync attack (replication of directory services) (external ID 2006)\" alert can detect DCSync attacks. 
The false positive rate should be low due to the identity of domain controllers on the network changing infrequently and therefore replication requests received from non-domain controllers should be a red flag.", "attack-object-id": "T1003.006", "attack-object-name": "DCSync", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1003"}, {"comments": "The documentation for this control's \"Data exfiltration over SMB (external ID 2030)\" alert implies that it may be able to detect the transfer of sensitive data such as the Ntds.dit on monitored domain controllers. This is specific to domain controllers and therefore results in a reduced coverage score.", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1003"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Suspected skeleton key attack (encryption downgrade) (external ID 2010)\" alert can detect skeleton attacks. 
This alert provides partial protection as it detects on a specific type of malware, Skeleton malware, and its usage of weaker encryption algorithms to hash the user's passwords on the domain controller. The description of the alert implies it utilizes machine learning to look for anomalous usage of weak encryption algorithms which should result in a reduced false positive rate.", "attack-object-id": "T1556.001", "attack-object-name": "Domain Controller Authentication", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1556"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": 
"technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Suspicious service creation (external ID 2026)\" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization. As a result of this detecting being specific to these hosts, the coverage score is Minimal resulting in Minimal detection.", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1543"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Suspicious communication over DNS (external ID 2031)\" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions. 
The accuracy of this control is unknown and therefore its score has been assessed as Partial.", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "Understandably (to avoid enabling adversaries to circumvent the detection), many of the detections provided by this control do not provide a detailed description of the detection logic making it often times difficult to map to ATT&CK Techniques.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/what-is"], "tags": ["Credentials", "DNS", "Identity", "Microsoft 365 Defender", "Windows"], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Suspicious communication over DNS (external ID 2031)\" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions. The accuracy of this control is unknown and therefore its score has been assessed as Partial.", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Defender for Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. 
", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Credentials"], "mapping-description": "", "capability-id": "Azure Defender for Key Vault", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control provides alerts for suspicious activity for Azure Key Vault. Documentation has been offered on how to respond to alerts but no specific tool or feature is offered for response. ", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurekv"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Credentials"], "mapping-description": "", "capability-id": "Azure Defender for Key Vault", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Kubernetes", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", 
"references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Kubernetes", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Kubernetes", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-akscluster"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Kubernetes", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Adaptive Application 
Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial.", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1204"}, {"comments": "", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. 
Events are calculated once every twelve hours, so its temporal score is Partial.", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1036"}, {"comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial.", "attack-object-id": "T1036.006", "attack-object-name": "Space after Filename", "references": [], "tags": [], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1036"}, {"comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. 
Events are calculated once every twelve hours, so its temporal score is Partial.", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": [], "tags": [], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1036"}, {"comments": "", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. 
Events are calculated once every twelve hours, so its temporal score is Partial.", "attack-object-id": "T1553.002", "attack-object-name": "Code Signing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1553"}, {"comments": "", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Adaptive Application Controls", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. 
This mapping specifically deals with MFA when it is enabled as a security default.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Credentials", "Identity", "Passwords", "MFA"], "mapping-description": "", "capability-id": "Azure AD Multi-Factor Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Multi-Factor Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Multi-Factor Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Multi-Factor Authentication", "mapping-type": 
"technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "Note that MFA that is triggered in response to privileged operations (such as assigning a user a privileged role) are considered functionality of the Azure AD Privileged Identity Management control. Consult the mapping for this control for the ATT&CK (sub-)techniques it maps to. This mapping specifically deals with MFA when it is enabled as a security default.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Credentials", "Identity", "Passwords", "MFA"], "mapping-description": "", "capability-id": "Azure AD Multi-Factor Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. This is an incomplete protection measure though as the adversary may also have obtained credentials enabling bypassing the additional authentication method. ", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Multi-Factor Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1557"}, {"comments": "This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1557"}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control reduces the likelihood of data manipulation for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1565"}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1498"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1498"}, {"comments": "This is a private network service, allowing connections between Azure, on-prem, and 3rd party services without traversing the Internet. 
Generally this reduces risk from MiTM, DOS, network-based data manipulation and network sniffing from untrusted network.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/azure/private-link/private-link-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Private Link", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Note there is also a Managed HSM service.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview", "https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Provides significant protection of private keys.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1552"}, {"comments": "Note there is also a Managed HSM service.", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview", "https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.", "attack-object-id": "T1588.004", 
"attack-object-name": "Digital Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1588"}, {"comments": "Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1588"}, {"comments": "Note there is also a Managed HSM service.", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://docs.microsoft.com/en-us/azure/dedicated-hsm/overview", "https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1553"}, {"comments": "Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.", "attack-object-id": "T1553.002", "attack-object-name": "Code Signing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Dedicated HSM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1553"}, {"comments": "This control generally applies to techniques that 
leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1195"}, {"comments": "This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.", "attack-object-id": "T1195.001", "attack-object-name": "Compromise Software Dependencies and Development Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1195"}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides significant protection against Denial of Service (DOS) attacks that leverage system/application vulnerabilities as opposed to volumetric attacks since it enables automated updates of software and rapid configuration change management.", "attack-object-id": "T1499.004", "attack-object-name": "Application or System Exploitation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1499"}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. 
", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control generally applies to techniques that leverage vulnerabilities in unpatched software, which can be specific techniques sub-techniques. ", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/azure/automation/update-management/overview"], "tags": ["Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Automation Update Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1584", "attack-object-name": "Compromise Infrastructure", "references": ["https://docs.microsoft.com/en-us/azure/dns/dns-alias#prevent-dangling-dns-records"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Alias Records", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Alias records prevent dangling references by tightly coupling the life cycle of a DNS record with an Azure resource. For example, consider a DNS record that's qualified as an alias record to point to a public IP address or a Traffic Manager profile. If you delete those underlying resources, the DNS alias record becomes an empty record set. It no longer references the deleted resource. 
This control is effective for protecting DNS records that resolve to Azure resources but does not offer protection for records pointing to non-Azure resources, resulting in a Partial score.", "attack-object-id": "T1584.001", "attack-object-name": "Domains", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DNS Alias Records", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1584"}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery.", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1087"}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. 
This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit what an adversary can do with a valid account.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can create accounts.", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1136"}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1098"}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1098"}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.", "attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1578"}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1578"}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": 
"T1578"}, {"comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.", "attack-object-id": "T1578.004", "attack-object-name": "Revert Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1578"}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "RBAC enables organizations to limit the number of users within the organization with an IAM role that has administrative privileges. This enables limiting the number of users within the tenant that have privileged access thereby resulting in a reduced attack surface and a coverage score factor of Partial. 
Most sub-techniques have been scored as Partial for this reason.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Role Based Access Control", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is still in preview, so its coverage will likely expand in the future. This mapping is based on its current (preview) state.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections", "https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection"], "tags": ["Azure Security Center", "Database"], "mapping-description": "", "capability-id": "Alerts for Azure Cosmos DB", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control triggers an alert when there is a change in the access pattern to an Azure Cosmos account based on access from an unusual geographical location. False positives are fairly likely and misuse from a typical location is not covered, so score is Minimal. Relevant alert is \"Access from an unusual location to a Cosmos DB account\"", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for Azure Cosmos DB", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1078"}, {"comments": "This control is still in preview, so its coverage will likely expand in the future. 
This mapping is based on its current (preview) state.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections", "https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection"], "tags": ["Azure Security Center", "Database"], "mapping-description": "", "capability-id": "Alerts for Azure Cosmos DB", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1053.001", "attack-object-name": "At (Linux)", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1053"}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. 
This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1053.002", "attack-object-name": "At (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1053"}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1053.003", "attack-object-name": "Cron", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1053"}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1053"}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. 
This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1053.006", "attack-object-name": "Systemd Timers", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1053"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect changes to the SSH authorized keys file which may indicate establishment of persistence. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1098"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.001", "attack-object-name": "Registry Run Keys / Startup Folder", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.002", "attack-object-name": "Authentication Package", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. 
This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.003", "attack-object-name": "Time Providers", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.004", "attack-object-name": "Winlogon Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.006", "attack-object-name": "Kernel Modules and Extensions", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. 
This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.008", "attack-object-name": "LSASS Driver", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.009", "attack-object-name": "Shortcut Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.010", "attack-object-name": "Port Monitors", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1547.012", "attack-object-name": "Print Processors", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1547"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
\nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1037.001", "attack-object-name": "Logon Script (Windows)", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1037"}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of logon scripts. 
This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1037"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. 
The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1543.002", "attack-object-name": "Systemd Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1543"}, {"comments": "This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1543"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. 
Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.001", "attack-object-name": "Change Default File Association", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. 
This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.002", "attack-object-name": "Screensaver", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.004", "attack-object-name": ".bash_profile and .bashrc", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.007", "attack-object-name": "Netsh Helper DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. 
This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.009", "attack-object-name": "AppCert DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.011", "attack-object-name": "Application Shimming", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. 
This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.012", "attack-object-name": "Image File Execution Options Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1546.013", "attack-object-name": "PowerShell Profile", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1546"}, {"comments": "The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.\n", "attack-object-id": "T1546.010", "attack-object-name": "AppInit DLLs", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1546"}, {"comments": "The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. 
The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.\n", "attack-object-id": "T1546.015", "attack-object-name": "Component Object Model Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1546"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect changes to the ld.so.preload file which may indicate an attempt to hijack execution flow. This sub-technique may also be utilized through an environment variable which this control may not detect. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1574.006", "attack-object-name": "LD_PRELOAD", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1574"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect changes to the Windows registry to establish persistence with the Office Test sub-technique. The specificity of registry keys involved may reduce the false positive rate. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1137.002", "attack-object-name": "Office Test", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1137"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Some UAC bypass methods rely on modifying specific, user-accessible Registry settings that can be monitored using this control. Overall, there are numerous other bypass methods that do not result in Registry modification that this control will not be effective in detection resulting in a low detection coverage factor.", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1548"}, {"comments": "This control may detect changes to the sudoers file which may indicate privilege escalation. This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1548.003", "attack-object-name": "Sudo and Sudo Caching", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1548"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
\nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The Registry key used to register a Password Filter DLL can be monitored for changes using this control providing substantial coverage of this sub-technique. This key should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.", "attack-object-id": "T1556.002", "attack-object-name": "Password Filter DLL", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1556"}, {"comments": "The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. 
The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.", "attack-object-id": "T1556.003", "attack-object-name": "Pluggable Authentication Modules", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1556"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used to detect the Windows Security Support Provider (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently and therefore false positives should be minimal. ", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1003"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. 
Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.", "attack-object-id": "T1222.001", "attack-object-name": "Windows File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1222"}, {"comments": "This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.", "attack-object-id": "T1222.002", "attack-object-name": "Linux and Mac File and Directory Permissions Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1222"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. 
\nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used to monitor Registry keys related to security software or event logging processes that can detect when an adversary attempts to disable these tools via modifying or deleting Registry keys. 
A majority of the cited procedure examples for this sub-technique are related to killing security processes rather than modifying the Registry, and therefore the detection coverage for this control is low.", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.", "attack-object-id": "T1562.006", "attack-object-name": "Indicator Blocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1562"}, {"comments": "The techniques included in this mapping result in Windows Registry or file system artifacts being created or modified which can be detected by this control. \nThe detection score for most techniques included in this mapping was scored as Significant and where there are exceptions, comments have been provided. 
This Significant score assessment was due to the following factors: Coverage - (High) The control was able to detect most of the sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High) Although this control does not include built-in intelligence to minimize the false positive rate, the specific artifacts generated by the techniques in this mapping do not change frequently and therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at worst scans for changes on an hourly basis.\n", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender", "Azure Defender for Servers", "Windows", "Linux"], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can detect modifications made to the Registry keys used to register Windows Subject Interface Packages (SIPs). Because this sub-technique can be accomplished without modifying the Registry via DLL Search Order Hijacking, it has been scored as Partial. The related Registry keys should not change often and therefore the false positive rate should be minimal. 
This control at worst scans for changes on an hourly basis.", "attack-object-id": "T1553.003", "attack-object-name": "SIP and Trust Provider Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1553"}, {"comments": "This control can be used to detect when the system root certificates has changed by detecting the corresponding Registry or File system modifications that occur as a result. These root certificates should not change often and therefore the false positive rate is minimal. This control at worst scans for changes on an hourly basis.", "attack-object-id": "T1553.004", "attack-object-name": "Install Root Certificate", "references": [], "tags": [], "mapping-description": "", "capability-id": "File Integrity Monitoring", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1553"}, {"comments": "Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as \"Significant\" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/backup/backup-overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "Azure Backup service provides defense against destruction/manipulation of data at rest. 
Scoring as \"Significant\" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.microsoft.com/en-us/azure/backup/backup-overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as \"Significant\" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://docs.microsoft.com/en-us/azure/backup/backup-overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.", "attack-object-id": "T1491.002", "attack-object-name": "External Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1491"}, {"comments": "Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.", "attack-object-id": "T1491.001", "attack-object-name": "Internal Defacement", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", 
"score-category": "Respond", "score-value": "Significant", "related-score": "T1491"}, {"comments": "Azure Backup service provides defense against destruction/manipulation of data at rest. Scoring as \"Significant\" since it is an essential practice against data destruction et al, and can eradicate the threat event by restoring from backup.", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": ["https://docs.microsoft.com/en-us/azure/backup/backup-overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "Data backups provide a significant response to disk content wipe attacks by enabling the restoration of data from backup.", "attack-object-id": "T1561.001", "attack-object-name": "Disk Content Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": "T1561"}, {"comments": "Allows for recovery of disk content, though Disk structure wipes require additional procedures for recovery.", "attack-object-id": "T1561.002", "attack-object-name": "Disk Structure Wipe", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Backup", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": "T1561"}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview"], "tags": ["Azure Active Directory", "Azure Security Center Recommendation", "Identity"], "mapping-description": "", "capability-id": "Managed identities for Azure resources", "mapping-type": "technique-scores", "score-category": 
"Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control provides an alternative to hard-coding credentials for accessing Azure services in application code. This control only protects credentials for accessing Azure services and not other credential types, resulting in a Partial coverage score.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": [], "tags": [], "mapping-description": "", "capability-id": "Managed identities for Azure resources", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1552"}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1590.002", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "", "attack-object-id": "T1590.004", "attack-object-name": "Network Topology", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "", "attack-object-id": "T1590.005", 
"attack-object-name": "IP Addresses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "", "attack-object-id": "T1590.006", "attack-object-name": "Network Security Appliances", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may provide recommendations to audit and restrict privileges on Azure cloud accounts. This control may provide information to reduce surface area for privileged access to Azure.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1078"}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may recommend removing deprecated accounts, reducing privileges, and enabling multi-factor authentication. This can reduce the amount of accounts available to be exploited and what could be done with those accounts.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1098"}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may provide recommendations to enable other Azure controls that provide information on potentially exploitable SQL stored procedures. Recommendations to reduce unnecessary privileges from accounts and stored procedures can mitigate exploitable of this technique. 
", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1505"}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. 
This control can affect Azure, Azure cloud application, and endpoint credentials.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1526", "attack-object-name": "Cloud Service Discovery", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may provide recommendations to restrict public access to Remote Desktop Protocol.", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1021"}, {"comments": "This control may provide recommendations to restrict public SSH access and enable usage of SSH keys. ", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1021"}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may provide recommendations to enable Azure Defender for DNS which can monitor DNS queries between Azure applications for malicious traffic.", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1071"}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. 
All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is focused on the list of built-in policy definitions provided by Azure Policy. All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/overview", "https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Policy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Associated with the Azure Security Center.\nThe alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer"], "tags": ["Analytics", "Azure Security Center", "Network"], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "Associated with the Azure Security Center.\nThe alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).", "attack-object-id": "T1071", "attack-object-name": "Application Layer 
Protocol", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer"], "tags": ["Analytics", "Azure Security Center", "Network"], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1071"}, {"comments": "This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1071"}, {"comments": "This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. ", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1071"}, {"comments": "This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. 
", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1071"}, {"comments": "Associated with the Azure Security Center.\nThe alerts can pick up outbound Denial of Service (DOS) attacks, though that's not an ATT&CK technique per se (description oriented towards inbound DOS), also is a form of resource hijacking (though not in ATT&CK description, which is oriented towards cryptomining).", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer"], "tags": ["Analytics", "Azure Security Center", "Network"], "mapping-description": "", "capability-id": "Azure Alerts for Network Layer", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's Access Review feature supports scheduling a routine review of cloud account permission levels to look for those that could allow an adversary to gain wide access. This information can then be used to validate if such access is required and identify which (privileged) accounts should be monitored closely. This reduces the availability of valid accounts to adversaries. 
This review would normally be scheduled periodically, at most weekly, and therefore its temporal score is Partial.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can require MFA to be triggered when the Global Administrator role is assigned to an account or when the role is activated by a user.", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1098"}, {"comments": "This control can notify administrators whenever the Global Administrator role is assigned to an account and can therefore be 
used to detect the execution of this sub-technique. Assigning the Global Administrator role to an account is an infrequent operation and as a result, the false positive rate should be minimal.", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1098"}, {"comments": "Privileged roles such as the Application Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. In addition these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1098"}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Privileged roles such as the User Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. 
In addition, these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Privileged Identity Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1136"}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways"], "tags": ["Network"], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Man-in-the-Middle", "references": ["https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways"], "tags": ["Network"], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1557"}, {"comments": "", "attack-object-id": "T1557.001", "attack-object-name": "LLMNR/NBT-NS Poisoning and SMB Relay", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1557"}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": 
["https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways"], "tags": ["Network"], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure VPN Gateway", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1565"}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse"], "tags": ["Azure Defender", "Azure Defender for SQL", "Azure Security Center", "Azure Security Center Recommendation", "Database"], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases. 
", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse"], "tags": ["Azure Defender", "Azure Defender for SQL", "Azure Security Center", "Azure Security Center Recommendation", "Database"], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse"], "tags": ["Azure Defender", "Azure Defender for SQL", "Azure Security Center", "Azure Security Center Recommendation", "Database"], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. 
Because this control is specific to Azure database offerings, the detection coverage is Minimal.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. 
Because this control is specific to Azure database offerings, the detection coverage is Minimal.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse"], "tags": ["Azure Defender", "Azure Defender for SQL", "Azure Security Center", "Azure Security Center Recommendation", "Database"], "mapping-description": "", "capability-id": "Advanced Threat Protection for Azure SQL Database", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1498.002", "attack-object-name": "Reflection Amplification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1498"}, {"comments": "", "attack-object-id": "T1498.001", "attack-object-name": "Direct Network Flood", "references": [], "tags": [], 
"mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1498"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DDOS Protection Standard", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1499"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1584", "attack-object-name": "Compromise Infrastructure", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Subdomain hijacking is a focus of this control, and its Dangling DNS detection alert feature is activated when an App Service website is decommissioned and its corresponding DNS entry is not deleted, allowing users to remove those entries before they can be leveraged by an adversary.", "attack-object-id": "T1584.001", "attack-object-name": "Domains", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1584"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin, all of which are relevant for detecting users' interactions with malicious download links, but malicious links which exploit browser vulnerabilities for execution are unlikely to be detected, and temporal factor is unknown, resulting in a score of Minimal.", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1204"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1140", "attack-object-name": "Deobfuscate/Decode Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control monitors for known phishing links on the Azure App Services website and generates alerts if they are detected, potentially preventing their access by users. This is a very specific avenue, only covers known links, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1566"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control monitors host data for potential reverse shells used for command and control. Temporal factor is unknown.", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "This control monitors for execution of known malicious PowerShell PowerSploit cmdlets. Temporal factor is uknown.", "attack-object-id": "T1059.001", "attack-object-name": "PowerShell", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1059"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control monitors for web fingerprinting tools including nmap and Blind Elephant, as well as scanners looking for vulnerability in applications like Drupal, Joomla, and WordPress. Temporal factor is unknown.", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1594", "attack-object-name": "Search Victim-Owned Websites", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.", "attack-object-id": "T1055.001", "attack-object-name": "Dynamic-link Library Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.", "attack-object-id": "T1055.003", "attack-object-name": "Thread Execution Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.", "attack-object-id": "T1055.004", "attack-object-name": "Asynchronous Procedure Call", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.", "attack-object-id": "T1055.005", "attack-object-name": "Thread Local Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.", "attack-object-id": "T1055.011", "attack-object-name": "Extra Window Memory Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.", "attack-object-id": "T1055.012", "attack-object-name": "Process Hollowing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.", "attack-object-id": "T1055.013", "attack-object-name": "Process Doppelg\u00e4nging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.", "attack-object-id": "T1055.008", "attack-object-name": "Ptrace System Calls", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.", "attack-object-id": "T1055.009", "attack-object-name": "Proc Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. 
Detection is periodic at an unknown rate.", "attack-object-id": "T1055.014", "attack-object-name": "VDSO Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1055"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1559", "attack-object-name": "Inter-Process Communication", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.", "attack-object-id": "T1559.001", "attack-object-name": "Component Object Model", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1559"}, {"comments": "This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.", "attack-object-id": "T1559.002", "attack-object-name": "Dynamic Data Exchange", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1559"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect processes with suspicious names, including those named in a way that is suggestive of attacker tools that try to hide in plain sight. False positives are probable, and temporal factor is unknown.", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1036"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-ProcessTokenGroup module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1087.001", "attack-object-name": "Local Account", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1087"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1123", "attack-object-name": "Audio Capture", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Install-SSP module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1547.005", "attack-object-name": "Security Support Provider", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1547"}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via New-UserPersistenceOption on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1547.001", "attack-object-name": "Registry Run Keys / Startup Folder", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1547"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via the Privesc-PowerUp modules on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1543"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1482", "attack-object-name": "Domain Trust Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1574.001", "attack-object-name": "DLL Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1574"}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1574"}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1574.008", "attack-object-name": "Path Interception by Search Order Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1574"}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1574.009", "attack-object-name": "Path Interception by Unquoted Path", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1574"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1056", "attack-object-name": "Input Capture", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-Keystrokes Exfiltration module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1056.001", "attack-object-name": "Keylogging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1056"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Find-AVSignature AntivirusBypass module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1027.005", "attack-object-name": "Indicator Removal from Tools", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1027"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, so score is Minimal.", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1003"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1057", "attack-object-name": "Process Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1012", "attack-object-name": "Query Registry", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the New-UserPersistenceOption Persistence module on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1053"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1113", "attack-object-name": "Screen Capture", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Invoke-Kerberoast module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1558"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. 
This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and RegistryAutoLogon modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal.", "attack-object-id": "T1552.002", "attack-object-name": "Credentials in Registry", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1552"}, {"comments": "This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. 
This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.", "attack-object-id": "T1552.006", "attack-object-name": "Group Policy Preferences", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1552"}, {"comments": "The AppServices_KnownCredentialAccessTools alert is used to detect suspicious processes associated with credential theft. This is clearly linked to the Credential Access tactic, but does not clearly detect any specific technique or set of techniques, so it has been omitted from this mapping.", "attack-object-id": "T1047", "attack-object-name": "Windows Management Instrumentation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/alerts-reference", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction", "https://azure.microsoft.com/en-us/services/app-service/", "https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction"], "tags": ["Azure Defender", "Azure Security Center", "Azure Security Center Recommendation", "Linux", "Windows"], "mapping-description": "", "capability-id": "Azure Defender for App Service", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", 
"capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their 
access is permitted.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can protect against the abuse of valid cloud accounts by requiring MFA or blocking access altogether based on signals such as the user's IP location information, device compliance state, risky sign-in/user state (through integration with Azure AD Identity Protection). 
Additionally, session controls that can limit what a valid user can do within an app can also be triggered based on the aforementioned triggers.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1078"}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1074", "attack-object-name": "Data Staged", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to collect and stage files. 
This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.", "attack-object-id": "T1074.002", "attack-object-name": "Remote Data Staging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1074"}, {"comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to collect and stage files. This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.", "attack-object-id": "T1074.001", "attack-object-name": "Local Data Staging", "references": [], "tags": [], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1074"}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": 
"Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "At first glance, this control seems mappable to Exfiltration (sub-)techniques but upon further analysis, it doesn't really mitigate exfiltration but rather its prerequisite Collection (sub-)techniques.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "tags": ["Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint with no ability to download, print, or sync files. Furthermore, with its integration with Microsoft Cloud App Security, it can even restrict cut, copy and paste operations. This can impede an adversary's ability to collect valuable information and/or files from the application. 
This protection is partial as it doesn't prohibit an adversary from potentially viewing sensitive information and manually collecting it, for example simply writing down information by hand.", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Conditional Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1213"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\" , \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\".", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. 
\nRelevant alerts include \"Activity from anonymous IP address\" , \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\".", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\" , \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\".", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts 
that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can identify large volume potential exfiltration activity.", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1567"}, {"comments": "This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. 
A relevant alert is \"Unusual file download (by user)\".", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1567"}, {"comments": "This control can identify large volume potential exfiltration activity.", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1567"}, {"comments": "This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is \"Unusual file download (by user)\".", "attack-object-id": "T1567.001", "attack-object-name": "Exfiltration to Code Repository", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1567"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": 
"Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1535", "attack-object-name": "Unused/Unsupported Cloud Regions", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", 
"https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1528", 
"attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1526", "attack-object-name": "Cloud Service Discovery", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, 
{"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1213"}, {"comments": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.", "attack-object-id": "T1213.002", "attack-object-name": "Sharepoint", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1213"}, {"comments": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1213"}, 
{"comments": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.", "attack-object-id": "T1213.001", "attack-object-name": "Confluence", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1213"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1119", "attack-object-name": "Automated Collection", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be 
incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can detect and encrypt sensitive information at rest on supported platforms.", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1565"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1133", 
"attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": 
"This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can detect admin activity from risky IP addresses.", "attack-object-id": "T1484.002", "attack-object-name": "Domain Trust Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1484"}, {"comments": "This control can detect admin activity from risky IP addresses.", "attack-object-id": "T1484.001", "attack-object-name": "Group Policy Modification", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1484"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", 
"https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\".", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1098"}, {"comments": "This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\".", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1098"}, {"comments": "This control can detect anomalous admin activity that may be indicative of account manipulation. 
Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\".", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1098"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can identify anomalous admin activity.", "attack-object-id": "T1578.004", "attack-object-name": "Revert Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1578"}, {"comments": "This control can identify anomalous admin activity.", "attack-object-id": "T1578.003", "attack-object-name": "Delete Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1578"}, {"comments": "This control can identify anomalous admin activity.", 
"attack-object-id": "T1578.001", "attack-object-name": "Create Snapshot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1578"}, {"comments": "This control can identify anomalous admin activity.", "attack-object-id": "T1578.002", "attack-object-name": "Create Cloud Instance", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1578"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App 
Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", 
"https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include \"Suspicious inbox forwarding\" and \"Suspicious inbox manipulation rule\".", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can detect some activity indicative of brute force attempts to login. 
Relevant alert is \"Multiple failed login attempts\".", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\".", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\".", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control is basically a CASB, and various features can generate logs and alerts that can be incorporated into a SIEM such as Sentinel for moderate to high temporal score.", "attack-object-id": "T1534", "attack-object-name": "Internal Spearphishing", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery", "https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection", "https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts"], "tags": [], "mapping-description": "", "capability-id": "Cloud App Security Policies", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, 
{"comments": "This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction", "https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Container Registries", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction", "https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Container Registries", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. 
The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction", "https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Container Registries", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping file covers Docker container registries security features along with the Azure Defender for Container Registries scanner. The scanning capability of the control is only available for Linux images in registries accessible from the public internet with shell access which limits the general applicability.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction", "https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro"], "tags": ["Azure Defender", "Azure Security Center Recommendation", "Containers"], "mapping-description": "", "capability-id": "Azure Defender for Container Registries", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. \nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. 
Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. \nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. 
Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. \nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. 
Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords. \nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. 
Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. ", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations of MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. See the mapping for MFA for more details. \nThis control's \"Use limited administrative roles\" recommendation recommends reviewing and limiting the number of accounts with global admin privilege, reducing what an adversary can do with a compromised valid account.\nBecause these are recommendations and do not actually enforce the protections, the assessed score is capped at Partial. 
", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "This control's \"Turn on sign-in risk policy\" and \"Turn on user risk policy\" recommendations recommend enabling Azure AD Identity Protection which can lead to detecting adversary usage of valid accounts. See the mapping for Azure AD Identity Protection.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "This control's \"Remove dormant accounts from sensitive groups\" recommendation recommends reviewing dormant (domain) accounts from sensitive groups via an assessment report that can identify sensitive accounts that are dormant.\nBecause these are recommendations and do not actually enforce the protections coupled with being limited to sensitive accounts, the assessed score is Minimal. ", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1078"}, {"comments": "This control's \"Protect and manage local admin passwords with Microsoft LAPS\" recommendation recommends periodically running and reviewing the Microsoft LAPS usage report that identifies all Windows based devices not protected by Microsoft LAPS. 
This can help reduce the compromise of local administrator accounts.\nBecause this is a recommendations and not actually enforced coupled with being limited to sensitive accounts, the assessed score is Minimal. ", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1078"}, {"comments": "This control's \"Protect and manage local admin passwords with Microsoft LAPS\" recommendation recommends periodically running and reviewing the Microsoft LAPS usage report that identifies all Windows based devices not protected by Microsoft LAPS. This can help reduce the compromise of local administrator accounts.\nBecause this is a recommendations and not actually enforced coupled with being limited to sensitive accounts, the assessed score is Minimal. ", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1078"}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1531", "attack-object-name": "Account Access Removal", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1606", "attack-object-name": "Forge Web Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Turn on sign-in risk policy\" and \"Turn on user risk policy\" recommendations recommend enabling Azure AD Identity Protection which can detect the malicious usage of SAML Tokens. This is a recommendation and therefore the score is capped at Partial.", "attack-object-id": "T1606.002", "attack-object-name": "SAML Tokens", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1606"}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1558", "attack-object-name": "Steal or Forge Kerberos Tickets", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Resolve unsecure account attributes\" recommendation can lead to detecting Active Directory accounts which do not require Kerberos preauthentication. Preauthentication offers protection against offline (Kerberos) Password Cracking. \nBecause this is a recommendation its score is capped as Partial.", "attack-object-id": "T1558.004", "attack-object-name": "AS-REP Roasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1558"}, {"comments": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks that may result in an adversary acquiring a golden ticket. 
It recommends running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities such as the KRBTGT on the domain controller. Because this is a recommendation, its score has been capped as Partial.", "attack-object-id": "T1558.001", "attack-object-name": "Golden Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1558"}, {"comments": "This control's \"Modify unsecure Kerberos delegations to prevent impersonation\" recommendation promotes running the \"Unsecure Kerberos delegation\" report that can identify accounts that have unsecure Kerberos delegation configured. Unsecured Kerberos delegation can lead to exposing account TGTs to more hosts resulting in an increased attack surface for Kerberoasting. Due to this control providing a recommendation its score is capped at Partial.", "attack-object-id": "T1558.003", "attack-object-name": "Kerberoasting", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1558"}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. 
Because this is a recommendation, its score has been capped as Partial.", "attack-object-id": "T1550.003", "attack-object-name": "Pass the Ticket", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1550"}, {"comments": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. Because this is a recommendation, its score has been capped as Partial.", "attack-object-id": "T1550.002", "attack-object-name": "Pass the Hash", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1550"}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control was mapped to (sub-)techniques based on the Security Score improvement actions listed in a sample Azure AD tenant that we provisioned. We were unable to find a comprehensive list of the security checks made by the control listed in its documentation. 
We did note that there were some improvement actions listed that our tenant received the max score, leading us to believe that the actions listed were the complete list of checks and not just those that were outstanding for our tenant.\nThe following improvement actions were analyzed:\nRequire MFA for administrative roles, Designate more than one global admin, Do not allow users to grant consent to unmanaged applications, Use limited administrative roles, Do not expire passwords, Enable policy to block legacy authentication Turn on sign-in risk policy, Turn on user risk policy, Ensure all users can complete multi-factor authentication for secure access, Enable self-service password reset, Resolve unsecure account attributes, Reduce lateral movement path risk to sensitive entities, Set a honeytoken account, Stop clear text credentials exposure, Install Defender for Identity Sensor on all Domain Controllers, Disable Print spooler service on domain controllers, Configure VPN integration, Configure Microsoft Defender for Endpoint Integration (*excluded, would increase the scope, see mapping for Microsoft Defender for Endpoint), Stop legacy protocols communication, Stop weak cipher usage, Remove dormant accounts from sensitive groups, Protect and manage local admin passwords with Microsoft LAPS, Remove unsecure SID history attributes from entities, Fix Advanced Audit Policy issues, Modify unsecure Kerberos delegations to prevent impersonation. 
\nAll scores were capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"], "tags": ["Credentials", "Azure Active Directory", "Identity", "MFA"], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control's \"Remove unsecure SID history attributes from entities\" recommendation promotes running the \"Unsecure SID history attributes\" report periodically which can lead to identifying accounts with SID History attributes which Microsoft Defender for Identity profiles to be risky. Because this is a recommendation and not actually enforced, coupled with the detection its assessed score is capped at Partial. ", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure AD Identity Secure Score", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1134"}, {"comments": "All scores have been assessed as Partial because this control increases the strength of user passwords thereby reducing the likelihood of a successful brute force attack. 
Due to the fact that a user's password is not checked against the banned list of passwords unless the user changes or resets their password (which is an infrequent event), there is still ample opportunity for attackers to utilize this technique to gain access. This is what prevented the score from being elevated to Significant.\n", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad"], "tags": ["Azure Active Directory", "Credentials", "Identity", "Passwords"], "mapping-description": "", "capability-id": "Azure Active Directory Password Protection", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Active Directory Password Protection", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Active Directory Password Protection", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Active Directory Password Protection", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Active Directory Password 
Protection", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1110"}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may quarantine and/or delete any spearphishing attachment that has been downloaded and matches a malware signature. 
Customized malware without a matching signature may not generate an alert.", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1566"}, {"comments": "This control may detect any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1566"}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control monitors activity in cloud services and on virtual machines to block malware execution. This is dependent on a signature being available. 
", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1204"}, {"comments": "This control monitors activity in cloud services and on virtual machines to detect malware execution. This is dependent on a signature being available. ", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1204"}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Signature based antimalware solutions are generally dependent on Indicators of Compromise(IOCs) such as file hashes and malware signatures. 
ATT&CK is primarily centered on behaviors and Tactics, Techniques, and Procedures(TTPs), hence the minimal amount of techinques and scoring.", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware", "https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples"], "tags": ["Azure Security Center"], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may quarantine and/or delete malware that has been packed by well known software packing utilities. These utilities can provide signatures that apply to a variety of malware.", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1027"}, {"comments": "This control may detect malware that has been packed by well known software packing utilities. 
These utilities can provide signatures that apply to a variety of malware.", "attack-object-id": "T1027.002", "attack-object-name": "Software Packing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Microsoft Antimalware for Azure", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1027"}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Focuses on web vulnerability scanning of OWASP Core Rule Set (CRS).", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1190", 
"attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/web-application-firewall/overview"], "tags": ["Azure Security Center Recommendation"], "mapping-description": "", "capability-id": "Azure Web Application 
Firewall", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can protect web applications from protocol attacks that may be indicative of adversary activity.", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "This control can detect protocol attacks targeting web applications that may be indicative of adversary activity.", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Web Application Firewall", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". 
Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used forensically to identify clients that communicated with identified C2 hosts.", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1071"}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". 
Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used for after-the-fact analysis of potential fast-flux DNS C2", "attack-object-id": "T1568.001", "attack-object-name": "Fast Flux DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1568"}, {"comments": "This control can be used for after-the-fact analysis of potential fast-flux DNS C2", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1568"}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". 
Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can potentially be used to forensically identify exfiltration via DNS protocol.", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1048"}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. \"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "The temporal score for this control on most of the techniques and subtechnique is minimal, since it does not provide specific analytics itself (though can be used to provide data to other analytics after the fact. 
\"The event-related data is collected near real time from the analytic and audit logs provided by enhanced DNS logging and diagnostics in Windows Server 2012 R2.\". Inventory-related data is uploaded every 48 hours.", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics"], "tags": ["DNS", "Network"], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure DNS Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": "T1566"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api", "https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api", "https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained"], "tags": ["Azure Security Center", "Azure Security 
Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-api", "https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained"], "tags": ["Azure Security Center", "Azure Security Center Recommendation", "Azure Defender for Servers"], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. 
Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Just-in-Time VM Access", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than 
applying/enforcing the recommended actions.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may provide recommendations to disable default accounts and restrict permissions for existing accounts.", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1078"}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may scan for users with unnecessary access to SQL stored procedures.", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": [], "tags": [], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Partial", "related-score": "T1505"}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": ["https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment", "https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules"], "tags": ["Azure Defender for SQL", "Database"], "mapping-description": "", "capability-id": "SQL Vulnerability Assessment", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless"], "tags": ["Azure Active Directory", "Credentials", "Identity", "Passwords"], "mapping-description": "", "capability-id": "Passwordless Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control provides significant protection against password based 
attacks by completing obviating the need for passwords by replacing it with passwordless credentials.", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Passwordless Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": [], "tags": [], "mapping-description": "", "capability-id": "Passwordless Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": [], "tags": [], "mapping-description": "", "capability-id": "Passwordless Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Passwordless Authentication", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": "T1110"}, {"comments": "", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": 
["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.", "attack-object-id": "T1590.004", "attack-object-name": "Network Topology", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.", "attack-object-id": "T1590.005", "attack-object-name": "IP Addresses", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.", "attack-object-id": "T1590.006", "attack-object-name": "Network Security Appliances", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1590"}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", 
"Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1595.001", "attack-object-name": "Scanning IP Blocks", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1595.002", "attack-object-name": "Vulnerability Scanning", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1595"}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the firewall service level. This service typically applies to external traffic and not internal traffic and therefore lateral movement using this technique within a network is still possible. 
Due to this partial coverage, it has been scored as Partial.", "attack-object-id": "T1205.001", "attack-object-name": "Port Knocking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1205"}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", 
"attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/firewall/overview"], "tags": ["Azure Security Center Recommendation", "Network"], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Firewall", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "", "attack-object-id": "T1568", "attack-object-name": "Dynamic Resolution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Detects \"random\" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign \"random\" DNS names.", "attack-object-id": "T1568.001", "attack-object-name": "Fast Flux DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1568"}, {"comments": "Detects \"random\" DNS name occurences, potentially indicative of Fast Flux or DGA. 
Potential false positives from benign \"random\" DNS names.", "attack-object-id": "T1568.002", "attack-object-name": "Domain Generation Algorithms", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1568"}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Can alert on anomalies and misuse of the DNS protocol.", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": "T1071"}, {"comments": "", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", 
"capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/security-center/defender-for-dns-introduction", "https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-dns"], "tags": ["Network", "DNS"], "mapping-description": "", "capability-id": "Alerts for DNS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation"], "tags": ["Azure Active Directory", "Identity"], "mapping-description": "", "capability-id": "Continuous Access Evaluation", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Minimal", "related-score": ""}, {"comments": "Security controls like Azure AD Identity Protection can raise a user's risk level asynchronously after they have used a valid account to access organizational data. This CAE control can respond to this change in the users risky state to terminate the user's access within minutes or enforce an additional authentication method such as MFA. This mitigates the impact of an adversary using a valid account. This is control only forces the user to re-authenticate and doesn't resolve the usage of a valid account (i.e. password change) and is therefore a containment type of response. 
", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": [], "tags": [], "mapping-description": "", "capability-id": "Continuous Access Evaluation", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": "T1078"}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. 
Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. 
Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. 
Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Once this control is deployed, it will run a scan every four hours and scans can be run on demand. Documentation notes that within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.\nAll scores are capped at Partial since this control identifies vulnerabilities and does not address the detected vulnerabilities.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm", "https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm"], "tags": ["Azure Defender", "Azure Security Center"], "mapping-description": "", "capability-id": "Integrated Vulnerability Scanner Powered by Qualys", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": 
["https://docs.microsoft.com/en-us/azure/key-vault/general/overview"], "tags": ["Azure Security Center Recommendation", "Credentials", "Passwords"], "mapping-description": "", "capability-id": "Azure Key Vault", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://docs.microsoft.com/en-us/azure/key-vault/general/overview"], "tags": ["Azure Security Center Recommendation", "Credentials", "Passwords"], "mapping-description": "", "capability-id": "Azure Key Vault", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://docs.microsoft.com/en-us/azure/key-vault/general/overview"], "tags": ["Azure Security Center Recommendation", "Credentials", "Passwords"], "mapping-description": "", "capability-id": "Azure Key Vault", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/key-vault/general/overview"], "tags": ["Azure Security Center Recommendation", "Credentials", "Passwords"], "mapping-description": "", "capability-id": "Azure Key Vault", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", 
"score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1602.001", "attack-object-name": "SNMP (MIB Dump)", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1602"}, {"comments": "", "attack-object-id": "T1602.002", "attack-object-name": "Network Device Configuration Dump", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1602"}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control can be used to identify anomalous TFTP boot traffic.", "attack-object-id": "T1542.005", "attack-object-name": "TFTP Boot", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1542"}, {"comments": "", "attack-object-id": "T1563", "attack-object-name": "Remote Service Session 
Hijacking", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1563.002", "attack-object-name": "RDP Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1563"}, {"comments": "", "attack-object-id": "T1563.001", "attack-object-name": "SSH Hijacking", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1563"}, {"comments": "", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).", "attack-object-id": "T1048.003", "attack-object-name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "This control can identify anomalous traffic with respect specific ports (though it can't identify presence or 
lack of encryption).", "attack-object-id": "T1048.002", "attack-object-name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).", "attack-object-id": "T1048.001", "attack-object-name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1048"}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can detect anomalous traffic with respect to remote access protocols and groups.", "attack-object-id": "T1021.006", "attack-object-name": "Windows Remote Management", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": 
"technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can detect anomalous traffic with respect to remote access protocols and groups.", "attack-object-id": "T1021.005", "attack-object-name": "VNC", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can detect anomalous traffic with respect to remote access protocols and groups.", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can detect anomalous traffic with respect to remote access protocols and groups.", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can detect anomalous traffic with respect to remote access protocols and groups.", "attack-object-id": "T1021.001", "attack-object-name": "Remote Desktop Protocol", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "This control can detect anomalous traffic with respect to remote access protocols and groups.", "attack-object-id": "T1021.003", "attack-object-name": "Distributed Component Object Model", "references": [], "tags": [], "mapping-description": "", 
"capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1021"}, {"comments": "", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": 
["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).", "attack-object-id": "T1071.003", "attack-object-name": "Mail Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).", "attack-object-id": "T1071.002", "attack-object-name": "File Transfer Protocols", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1071"}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": 
["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1499.002", "attack-object-name": "Service Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1499.001", "attack-object-name": "OS Exhaustion Flood", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1499"}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics"], "tags": ["Analytics", "Network"], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1090.003", "attack-object-name": "Multi-hop Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1090"}, 
{"comments": "", "attack-object-id": "T1090.002", "attack-object-name": "External Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "", "attack-object-id": "T1090.001", "attack-object-name": "Internal Proxy", "references": [], "tags": [], "mapping-description": "", "capability-id": "Azure Network Traffic Analytics", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": "T1090"}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1525", "attack-object-name": "Implant Container Image", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may provide recommendations to remove setuid and setguid permissions from container images. 
It may not be feasible to audit and remediate all binaries that have and require setuid and setguid permissions.", "attack-object-id": "T1548.001", "attack-object-name": "Setuid and Setgid", "references": [], "tags": [], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1548"}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1083", "attack-object-name": "File and Directory Discovery", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", 
"mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may provide recommendations to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. This may not prevent attackers from installing a SSH server in containers or hosts.", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": [], "tags": [], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": "T1021"}, {"comments": "All scores are capped at Partial since this control provides recommendations rather than applying/enforcing the recommended actions.", "attack-object-id": "T1005", "attack-object-name": "Data from Local System", "references": ["https://docs.microsoft.com/en-us/azure/security-center/harden-docker-hosts"], "tags": ["Azure Security Center", "Containers", "Linux"], "mapping-description": "", "capability-id": "Docker Host Hardening", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}]} \ No newline at end of file 
diff --git a/src/mappings_explorer/cli/parsed_mappings/security_stack/GCP/parsed_GCP.json b/src/mappings_explorer/cli/parsed_mappings/security_stack/GCP/parsed_GCP.json
index 4068a2df..87bfd445 100644
--- a/src/mappings_explorer/cli/parsed_mappings/security_stack/GCP/parsed_GCP.json
+++ b/src/mappings_explorer/cli/parsed_mappings/security_stack/GCP/parsed_GCP.json
@@ -1 +1 @@ -{"metadata": {"mapping-version": 1, "attack-version": 10, "technology-domain": "enterprise", "author": "", "contact": "ctid@mitre-engenuity.org", "creation-date": "05/11/2022", "last-update": "", "organization": "", "mapping-framework": "GCP", "mapping-framework-version": ""}, "attack-objects": [{"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., 
real-time).", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", 
"mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": ["https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features"], "tags": ["Encryption"], "mapping-description": "", "capability-id": "Confidential VM and Compute Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", 
"related-score": false}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1588.004", "attack-object-name": "Digital Certificates", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1040", 
"attack-object-name": "Network Sniffing", "references": ["https://cloud.google.com/certificate-authority-service/docs"], "tags": ["Certificate Service", "Network"], "mapping-description": "", "capability-id": "Certificate Authority Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/asset-inventory/docs/overview"], "tags": ["Credentials", "Access Management"], "mapping-description": "", "capability-id": "Cloud Asset Inventory", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/asset-inventory/docs/overview"], "tags": ["Credentials", "Access Management"], "mapping-description": "", "capability-id": "Cloud Asset Inventory", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/asset-inventory/docs/overview"], "tags": ["Credentials", "Access Management"], "mapping-description": "", "capability-id": "Cloud Asset Inventory", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/asset-inventory/docs/overview"], "tags": ["Credentials", "Access Management"], "mapping-description": "", "capability-id": "Cloud Asset Inventory", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due 
the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": 
"technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. 
", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. 
", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. 
", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control may provide information about software vulnerabilities in the environment. 
", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", 
"references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": 
["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", 
"score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", 
"capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto 
Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud 
IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://cloud.google.com/intrusion-detection-system", 
"https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud 
Storage", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", 
"attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party 
vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's 
advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, 
but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], 
"mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": 
"technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", 
"attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": 
["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": 
["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", 
"score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1561", "attack-object-name": "Disk Wipe", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": 
["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", 
"capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": 
"T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor 
Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": 
"Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local 
Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Based on the 
medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": 
["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", 
"related-score": false}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/web-risk/docs/overview"], "tags": ["Network"], "mapping-description": "", "capability-id": "Web Risk", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": ["https://cloud.google.com/web-risk/docs/overview"], "tags": ["Network"], "mapping-description": "", "capability-id": "Web Risk", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": ["https://cloud.google.com/web-risk/docs/overview"], "tags": ["Network"], "mapping-description": "", "capability-id": "Web Risk", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": ["https://cloud.google.com/web-risk/docs/overview"], "tags": ["Network"], "mapping-description": "", "capability-id": "Web Risk", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, 
{"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://cloud.google.com/cdn/docs/overview"], "tags": ["Containers", "Kubernetes", "Logging"], "mapping-description": "", "capability-id": "Cloud CDN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp 
Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, 
periodical).", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", 
"mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", 
"score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of 
Service", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://support.google.com/a/answer/1734200?hl=en"], "tags": ["Identity", "Patch Management"], "mapping-description": "", "capability-id": "Endpoint Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://support.google.com/a/answer/1734200?hl=en"], "tags": ["Identity", "Patch Management"], "mapping-description": "", "capability-id": "Endpoint Management", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": ["https://support.google.com/a/answer/1734200?hl=en"], "tags": ["Identity", "Patch Management"], "mapping-description": "", "capability-id": "Endpoint 
Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": ["https://support.google.com/a/answer/1734200?hl=en"], "tags": ["Identity", "Patch Management"], "mapping-description": "", "capability-id": "Endpoint Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", 
"mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": 
["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1588.004", "attack-object-name": "Digital Certificates", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/titan-security-key#section-3"], "tags": ["Multi-Factor Authentication", "Identity"], "mapping-description": "", "capability-id": "Titan Security Key", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. 
\n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1546.001", "attack-object-name": "Change Default File Association", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1547.001", "attack-object-name": "Registry Run Keys / Startup Folder", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1564.001", "attack-object-name": "Hidden Files and Directories", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1564", "attack-object-name": "Hide Artifacts", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1584.002", "attack-object-name": "DNS Server", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1584", "attack-object-name": "Compromise Infrastructure", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1056", "attack-object-name": "Input Capture", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1056.004", "attack-object-name": "Credential API Hooking", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1082", "attack-object-name": "System Information Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1027.004", "attack-object-name": "Compile After Delivery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1546.007", "attack-object-name": "Netsh Helper DLL", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1070.004", "attack-object-name": "File Deletion", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1070.006", "attack-object-name": "Timestomp", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1057", "attack-object-name": "Process Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1016", "attack-object-name": "System Network Configuration Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1049", "attack-object-name": "System Network Connections Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1033", "attack-object-name": "System Owner/User Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1588.002", "attack-object-name": "Tool", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1497", "attack-object-name": "Virtualization/Sandbox Evasion", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1202", "attack-object-name": "Indirect Command Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": ["https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview"], "tags": ["Auditing", "Access Management"], "mapping-description": "", "capability-id": "Access Transparency", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview"], "tags": ["Auditing", "Access Management"], "mapping-description": "", "capability-id": "Access Transparency", "mapping-type": "technique-scores", "score-category": 
"Detect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"], "tags": ["Vulnerability Management"], "mapping-description": "", "capability-id": "Shielded VM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1014", "attack-object-name": "Rootkit", "references": ["https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"], "tags": ["Vulnerability Management"], "mapping-description": "", "capability-id": "Shielded VM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1589.001", "attack-object-name": "Credentials", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1014", "attack-object-name": "Rootkit", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"], "tags": ["Storage", "Data Security", "Encryption", "Credentials"], "mapping-description": "", "capability-id": "Cloud Storage", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"], "tags": ["Storage", "Data Security", "Encryption", "Credentials"], "mapping-description": "", "capability-id": "Cloud Storage", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.", "attack-object-id": 
"T1588.004", "attack-object-name": "Digital Certificates", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"], "tags": ["Storage", "Data Security", "Encryption", "Credentials"], "mapping-description": "", "capability-id": "Cloud Storage", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"], "tags": ["Storage", "Data Security", "Encryption", "Credentials"], "mapping-description": "", "capability-id": "Cloud Storage", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/dlp/docs"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Cloud Data Loss Prevention", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Binary authorization provides the capability 
to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": 
["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", 
"capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], 
"mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor 
Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": 
["https://cloud.google.com/secret-manager/docs/overview"], "tags": ["Data Security"], "mapping-description": "", "capability-id": "Secret Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://cloud.google.com/secret-manager/docs/overview"], "tags": ["Data Security"], "mapping-description": "", "capability-id": "Secret Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://cloud.google.com/secret-manager/docs/overview"], "tags": ["Data Security"], "mapping-description": "", "capability-id": "Secret Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://cloud.google.com/secret-manager/docs/overview"], "tags": ["Data Security"], "mapping-description": "", "capability-id": "Secret Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1590.004", "attack-object-name": "Network Topology", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private 
Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1590.005", "attack-object-name": "IP Addresses", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1595.001", "attack-object-name": "Scanning IP Blocks", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], 
"mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", 
"Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1580", 
"attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1578", "attack-object-name": 
"Modify Cloud Compute Infrastructure", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1078.004", "attack-object-name": "Cloud 
Accounts", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": 
["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": 
["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/recaptcha-enterprise"], "tags": ["Multi-Factor Authentication", "Identity"], "mapping-description": "", "capability-id": "ReCAPTCHA Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": ["https://cloud.google.com/recaptcha-enterprise"], "tags": ["Multi-Factor Authentication", "Identity"], "mapping-description": "", "capability-id": "ReCAPTCHA Enterprise", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/recaptcha-enterprise"], "tags": ["Multi-Factor Authentication", "Identity"], "mapping-description": "", "capability-id": "ReCAPTCHA Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": 
"Transfer Data to Cloud Account", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": false}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", 
"Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1069", "attack-object-name": "Permission Groups Discovery", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1069.003", "attack-object-name": "Cloud Groups", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to Azure AD for 
Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access 
Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": false}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due to the 
medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": 
["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": false}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": false}]} \ No newline at end of file +{"metadata": {"mapping-version": 1, "attack-version": 10, "technology-domain": "enterprise", "author": "", "contact": "ctid@mitre-engenuity.org", "creation-date": "05/11/2022", "last-update": "", "organization": "", "mapping-framework": "GCP", "mapping-framework-version": ""}, "attack-objects": [{"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": 
["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, 
{"comments": "This mapping was scored as significant due to the control\u2019s high threat protection coverage to specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"], "tags": ["Antivirus", "Antimalware", "Malware"], "mapping-description": "", "capability-id": "Virus Total", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1565.003", "attack-object-name": "Runtime Data Manipulation", "references": ["https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features"], "tags": ["Encryption"], "mapping-description": "", "capability-id": "Confidential VM and Compute Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust Controls", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud 
Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1588.004", "attack-object-name": "Digital Certificates", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides a secure alternative to storing encryption keys in the file system.", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://cloud.google.com/kms/docs/hsm"], "tags": ["Encryption", "Data Security"], "mapping-description": "", "capability-id": "Cloud Hardware Security Module (HSM)", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://cloud.google.com/certificate-authority-service/docs"], "tags": ["Certificate Service", "Network"], "mapping-description": "", "capability-id": "Certificate Authority Service", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/asset-inventory/docs/overview"], "tags": ["Credentials", "Access Management"], "mapping-description": "", "capability-id": "Cloud Asset Inventory", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/asset-inventory/docs/overview"], "tags": ["Credentials", "Access Management"], "mapping-description": "", "capability-id": "Cloud Asset Inventory", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/asset-inventory/docs/overview"], "tags": ["Credentials", "Access Management"], "mapping-description": "", 
"capability-id": "Cloud Asset Inventory", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/asset-inventory/docs/overview"], "tags": ["Credentials", "Access Management"], "mapping-description": "", "capability-id": "Cloud Asset Inventory", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", 
"capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due the control's low to medium threat protection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", 
"references": ["https://cloud.google.com/iap"], "tags": ["Identity", "Credentials"], "mapping-description": "", "capability-id": "Identity Aware Proxy", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. 
", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. 
", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. ", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control may provide information about software vulnerabilities in the environment. 
", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/container-analysis/docs/container-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview"], "tags": ["Containers", "Vulnerability Analysis", "OS Security"], "mapping-description": "", "capability-id": "Artifact Registry", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": 
["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", 
"https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"], "tags": ["Kubernetes", "Containers"], "mapping-description": "", "capability-id": "Google Kubernetes Engine", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": 
"This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1546.006", "attack-object-name": "LC_LOAD_DYLIB Addition", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1204.002", "attack-object-name": "Malicious File", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", 
"score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1055.002", "attack-object-name": "Portable Executable Injection", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1221", "attack-object-name": "Template Injection", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", 
"mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], 
"mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion 
Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": ["https://cloud.google.com/intrusion-detection-system", 
"https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": 
["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": 
"T1499.003", "attack-object-name": "Application Exhaustion Flood", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party 
vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1566.002", "attack-object-name": "Spearphishing Link", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1137.006", "attack-object-name": "Add-ins", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\nThe cyber-attacks mapped are considered a subset of the most notable threat detection available for Cloud IDS, but a thorough mapping to all of Palo Alto Network's advanced threat detection technologies 
wasn't possible due to constant updates, 3rd party vendor's extensive documentation, and new threat signatures.", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"], "tags": ["Cloud IDS", "Intrusion Detection Service (IDS)", "Palo Alto Network's Threat Signatures", "Analytics"], "mapping-description": "", "capability-id": "Cloud IDS", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", 
"attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": 
["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1562.001", "attack-object-name": "Disable or Modify Tools", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", 
"Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1562.002", "attack-object-name": "Disable Windows Event Logging", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"], "tags": ["Identity", "Access Management", "Credentials", "Network", "Configuration Management"], "mapping-description": "", "capability-id": "ResourceManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": 
"Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1485", "attack-object-name": "Data Destruction", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1491", "attack-object-name": "Defacement", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1561", 
"attack-object-name": "Disk Wipe", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was scored as significant due to the control\u2019s notable remediation capabilities.", "attack-object-id": "T1490", "attack-object-name": "Inhibit System Recovery", "references": ["https://www.actifio.com/solutions/cloud/google/"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Actifio Go", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", 
"mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.003", "attack-object-name": "Local Accounts", 
"references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", 
"capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1550", "attack-object-name": "Use Alternate Authentication Material", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", 
"attack-object-id": "T1550.001", "attack-object-name": "Application Access Token", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1087.002", "attack-object-name": "Domain Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor 
Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1098.002", "attack-object-name": "Exchange Email Delegate Permissions", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1098.003", "attack-object-name": "Add Office 365 Global Administrator Role", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1098.004", "attack-object-name": "SSH Authorized Keys", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": 
"technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1136.002", "attack-object-name": "Domain Account", "references": ["https://cloud.google.com/identity-platform/docs/concepts"], "tags": ["Identity", "Multi-Factor Authentication", "Passwords", "Credentials", "Access Management"], "mapping-description": "", "capability-id": "IdentityPlatform", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": 
["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1609", "attack-object-name": "Container Administration Command", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", 
"score-value": "Significant", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1611", "attack-object-name": "Escape to Host", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud 
Accounts", "references": ["https://cloud.google.com/anthos-config-management/ "], "tags": ["Configuration Management", "Containers", "Policy"], "mapping-description": "", "capability-id": "AnthosConfigManagement", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/web-risk/docs/overview"], "tags": ["Network"], "mapping-description": "", "capability-id": "Web Risk", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1598", "attack-object-name": "Phishing for Information", "references": ["https://cloud.google.com/web-risk/docs/overview"], "tags": ["Network"], "mapping-description": "", "capability-id": "Web Risk", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1204.001", "attack-object-name": "Malicious Link", "references": ["https://cloud.google.com/web-risk/docs/overview"], "tags": ["Network"], "mapping-description": "", "capability-id": "Web Risk", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1598.003", "attack-object-name": "Spearphishing Link", "references": ["https://cloud.google.com/web-risk/docs/overview"], "tags": ["Network"], "mapping-description": "", "capability-id": "Web Risk", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://cloud.google.com/cdn/docs/overview"], "tags": ["Containers", "Kubernetes", "Logging"], "mapping-description": "", "capability-id": "Cloud CDN", "mapping-type": 
"technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, 
periodical).", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1189", "attack-object-name": "Drive-by Compromise", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1566.001", "attack-object-name": "Spearphishing Attachment", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", 
"mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This solution was rated as significant due to the control\u2019s high threat protection coverage and temporal factors (e.g., real-time, periodical).", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"], "tags": ["Access Control Policies", "Data Loss Prevention"], "mapping-description": "", "capability-id": "BeyondCorp Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", 
"Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", 
"capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1213", "attack-object-name": "Data from Information Repositories", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", 
"mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/identity"], "tags": ["Identity", "Multi-Factor Authentication", "Credentials"], "mapping-description": "", "capability-id": "Cloud Identity", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1018", "attack-object-name": "Remote System 
Discovery", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://cloud.google.com/armor"], "tags": ["Network", "Firewall"], "mapping-description": "", "capability-id": "Cloud Armor", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://support.google.com/a/answer/1734200?hl=en"], "tags": ["Identity", "Patch Management"], "mapping-description": "", "capability-id": "Endpoint Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://support.google.com/a/answer/1734200?hl=en"], "tags": ["Identity", "Patch Management"], "mapping-description": "", "capability-id": "Endpoint Management", "mapping-type": "technique-scores", "score-category": "Respond", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": ["https://support.google.com/a/answer/1734200?hl=en"], "tags": ["Identity", "Patch Management"], "mapping-description": "", "capability-id": "Endpoint Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": ["https://support.google.com/a/answer/1734200?hl=en"], "tags": ["Identity", "Patch Management"], "mapping-description": "", 
"capability-id": "Endpoint Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1565", "attack-object-name": "Data Manipulation", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1565.002", "attack-object-name": "Transmitted Data Manipulation", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1557.002", "attack-object-name": "ARP Cache Poisoning", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", 
"mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"], "tags": ["Network", "Encryption"], "mapping-description": "", "capability-id": "CloudVPN", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1552.005", "attack-object-name": "Cloud Instance Metadata API", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1553", "attack-object-name": "Subvert Trust 
Controls", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1588.004", "attack-object-name": "Digital Certificates", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": 
"technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1552.001", "attack-object-name": "Credentials In Files", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to AWS Key Management Service, AWS Cloud HSM, and Azure KeyVault.", "attack-object-id": "T1552.004", "attack-object-name": "Private Keys", "references": ["https://cloud.google.com/security-key-management"], "tags": ["Credentials"], "mapping-description": "", "capability-id": "Cloud Key Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1566", "attack-object-name": "Phishing", "references": ["https://cloud.google.com/titan-security-key#section-3"], "tags": ["Multi-Factor Authentication", "Identity"], "mapping-description": "", "capability-id": "Titan Security Key", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1021.002", "attack-object-name": "SMB/Windows Admin Shares", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1037", "attack-object-name": "Boot or Logon Initialization Scripts", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1053.005", "attack-object-name": "Scheduled Task", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1218.005", "attack-object-name": "Mshta", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1543.001", "attack-object-name": "Launch Agent", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. 
\n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1543.004", "attack-object-name": "Launch Daemon", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1546.001", "attack-object-name": "Change Default File Association", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1547.001", "attack-object-name": "Registry Run Keys / Startup Folder", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1547", "attack-object-name": "Boot or Logon Autostart Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1546", "attack-object-name": "Event Triggered Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1543", "attack-object-name": "Create or Modify System Process", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1564.001", "attack-object-name": "Hidden Files and Directories", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1564", "attack-object-name": "Hide Artifacts", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1003.003", "attack-object-name": "NTDS", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. 
\n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1134.005", "attack-object-name": "SID-History Injection", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1003", "attack-object-name": "OS Credential Dumping", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1548", "attack-object-name": "Abuse Elevation Control Mechanism", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1584.002", "attack-object-name": "DNS Server", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1562.004", "attack-object-name": "Disable or Modify System Firewall", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1070.002", "attack-object-name": "Clear Linux or Mac System Logs", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1136.001", "attack-object-name": "Local Account", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1106", "attack-object-name": "Native API", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1021.004", "attack-object-name": "SSH", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1052.001", "attack-object-name": "Exfiltration over USB", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1112", "attack-object-name": "Modify Registry", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1052", "attack-object-name": "Exfiltration Over Physical Medium", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1053", "attack-object-name": "Scheduled Task/Job", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1134", "attack-object-name": "Access Token Manipulation", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1218", "attack-object-name": "Signed Binary Proxy Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1584", "attack-object-name": "Compromise Infrastructure", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1056", "attack-object-name": "Input Capture", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1056.003", "attack-object-name": "Web Portal Capture", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1056.004", "attack-object-name": "Credential API Hooking", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1071.001", "attack-object-name": "Web Protocols", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1059", "attack-object-name": "Command and Scripting Interpreter", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1218.010", "attack-object-name": "Regsvr32", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1059.003", "attack-object-name": "Windows Command Shell", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1082", "attack-object-name": "System Information Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1218.003", "attack-object-name": "CMSTP", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1486", "attack-object-name": "Data Encrypted for Impact", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1204", "attack-object-name": "User Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1036.005", "attack-object-name": "Match Legitimate Name or Location", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1027.004", "attack-object-name": "Compile After Delivery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1127.001", "attack-object-name": "MSBuild", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1127", "attack-object-name": "Trusted Developer Utilities Proxy Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1036", "attack-object-name": "Masquerading", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1055", "attack-object-name": "Process Injection", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1037.003", "attack-object-name": "Network Logon Script", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1059.007", "attack-object-name": "JavaScript", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1560", "attack-object-name": "Archive Collected Data", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1132", "attack-object-name": "Data Encoding", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1132.001", "attack-object-name": "Standard Encoding", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1195.002", "attack-object-name": "Compromise Software Supply Chain", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1195", "attack-object-name": "Supply Chain Compromise", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1546.007", "attack-object-name": "Netsh Helper DLL", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1505", "attack-object-name": "Server Software Component", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1574.007", "attack-object-name": "Path Interception by PATH Environment Variable", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1574", "attack-object-name": "Hijack Execution Flow", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1070.004", "attack-object-name": "File Deletion", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1020", "attack-object-name": "Automated Exfiltration", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1011", "attack-object-name": "Exfiltration Over Other Network Medium", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1027", "attack-object-name": "Obfuscated Files or Information", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1543.003", "attack-object-name": "Windows Service", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1070.006", "attack-object-name": "Timestomp", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1003.001", "attack-object-name": "LSASS Memory", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1137.001", "attack-object-name": "Office Template Macros", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1137", "attack-object-name": "Office Application Startup", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1057", "attack-object-name": "Process Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1016", "attack-object-name": "System Network Configuration Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1049", "attack-object-name": "System Network Connections Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1033", "attack-object-name": "System Owner/User Discovery", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1588.002", "attack-object-name": "Tool", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1588", "attack-object-name": "Obtain Capabilities", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1070.001", "attack-object-name": "Clear Windows Event Logs", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1569.002", "attack-object-name": "Service Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1569", "attack-object-name": "System Services", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1546.008", "attack-object-name": "Accessibility Features", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1495", "attack-object-name": "Firmware Corruption", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1497", "attack-object-name": "Virtualization/Sandbox Evasion", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. 
", "attack-object-id": "T1202", "attack-object-name": "Indirect Command Execution", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping is given a score of minimal due to low threat detection fidelity from specific (sub-)techniques found in MITRE\u2019s ATT&CK framework. \n\nChronicle is able to ingest and aggregate raw logs from multiple data formats, to include: json, csv, xml, and syslog. ", "attack-object-id": "T1546.003", "attack-object-name": "Windows Management Instrumentation Event Subscription", "references": ["https://cloud.google.com/chronicle/docs/overview", "https://github.com/chronicle/detection-rules"], "tags": ["SIEM", "Chronicle", "Threat Detection", "Analytics"], "mapping-description": "", "capability-id": "Chronicle", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1199", "attack-object-name": "Trusted Relationship", "references": ["https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview"], "tags": ["Auditing", "Access Management"], "mapping-description": "", "capability-id": "Access Transparency", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview"], "tags": ["Auditing", "Access Management"], "mapping-description": "", "capability-id": "Access Transparency", "mapping-type": "technique-scores", "score-category": "Detect", 
"score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"], "tags": ["Vulnerability Management"], "mapping-description": "", "capability-id": "Shielded VM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1014", "attack-object-name": "Rootkit", "references": ["https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"], "tags": ["Vulnerability Management"], "mapping-description": "", "capability-id": "Shielded VM", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1008", "attack-object-name": "Fallback Channels", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1041", "attack-object-name": "Exfiltration Over C2 Channel", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1048", "attack-object-name": "Exfiltration Over Alternative Protocol", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1071", "attack-object-name": "Application Layer Protocol", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1090", "attack-object-name": "Proxy", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1095", "attack-object-name": "Non-Application Layer Protocol", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1104", "attack-object-name": "Multi-Stage Channels", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1187", "attack-object-name": "Forced Authentication", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1205", "attack-object-name": "Traffic Signaling", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1219", "attack-object-name": "Remote Access Software", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1498", "attack-object-name": "Network Denial of Service", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1499", "attack-object-name": "Endpoint Denial of Service", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1571", "attack-object-name": "Non-Standard Port", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1572", "attack-object-name": "Protocol Tunneling", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Documentation is segmented into 4 sections: VPC Firewall rules, Hierarchical firewall policies, Firewall insights, Firewall rules logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. 
Its unclear if the data in these sections should correspond to the \"Firewalls\" control, or the parent control under which its documented.", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://cloud.google.com/firewalls"], "tags": ["Firewall", "Logging", "Network"], "mapping-description": "", "capability-id": "Firewalls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1505.003", "attack-object-name": "Web Shell", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1105", "attack-object-name": "Ingress Tool Transfer", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1059.004", "attack-object-name": "Unix Shell", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1071.004", "attack-object-name": "DNS", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1567.002", "attack-object-name": "Exfiltration to Cloud Storage", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1505.001", "attack-object-name": "SQL Stored Procedures", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1562.007", "attack-object-name": "Disable or Modify Cloud Firewall", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1589.001", "attack-object-name": "Credentials", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1496", "attack-object-name": "Resource Hijacking", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1213.003", "attack-object-name": "Code Repositories", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1078.001", "attack-object-name": "Default Accounts", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1542", "attack-object-name": "Pre-OS Boot", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1542.003", "attack-object-name": "Bootkit", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1014", "attack-object-name": "Rootkit", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1070", "attack-object-name": "Indicator Removal on Host", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1484", "attack-object-name": "Domain Policy Modification", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "This mapping was rated as significant due to the control\u2019s notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).\n\nSCC also provides users with compliance mappings that scan environments against violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. \n\nTo improve cyber-situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH Logs and syslog inform the brute force detector, and the set of network logs (VPC Flow/Cloud Firewall/Cloud NAT/Cloud DNS).\n\nFurther automated response functionality can be extended in SCC to take actions against threats. 
A full list of automated actions can be found on GCP's GitHub.\n\nReference: https://github.com/GoogleCloudPlatform/security-response-automation ", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"], "tags": ["Analytics", "Security Command Center", "Vulnerability Management"], "mapping-description": "", "capability-id": "Security Command Center", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"], "tags": ["Storage", "Data Security", "Encryption", "Credentials"], "mapping-description": "", "capability-id": "Cloud Storage", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.", "attack-object-id": "T1565.001", "attack-object-name": "Stored Data Manipulation", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"], "tags": ["Storage", "Data Security", "Encryption", "Credentials"], "mapping-description": "", "capability-id": "Cloud Storage", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.", "attack-object-id": 
"T1588.004", "attack-object-name": "Digital Certificates", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"], "tags": ["Storage", "Data Security", "Encryption", "Credentials"], "mapping-description": "", "capability-id": "Cloud Storage", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "There are other methods available for users to secure data with the use of client-side encryption and customer encryption-keys.", "attack-object-id": "T1588.003", "attack-object-name": "Code Signing Certificates", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"], "tags": ["Storage", "Data Security", "Encryption", "Credentials"], "mapping-description": "", "capability-id": "Cloud Storage", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/dlp/docs"], "tags": ["Storage"], "mapping-description": "", "capability-id": "Cloud Data Loss Prevention", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Binary authorization provides the capability to 
configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1053.007", "attack-object-name": "Container Orchestration Job", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1612", "attack-object-name": "Build Image on Host", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1554", "attack-object-name": "Compromise Client Software Binary", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": 
["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1036.001", "attack-object-name": "Invalid Code Signature", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1601", "attack-object-name": "Modify System Image", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": "Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "Binary authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.", "attack-object-id": "T1204.003", "attack-object-name": "Malicious Image", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"], "tags": ["Binary Authorization"], "mapping-description": "", "capability-id": 
"Binary Authorization", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110", "attack-object-name": "Brute Force", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1136", "attack-object-name": "Create Account", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1114", "attack-object-name": "Email Collection", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": 
"AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1133", "attack-object-name": "External Remote Services", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1556", "attack-object-name": "Modify Authentication Process", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1021", "attack-object-name": "Remote Services", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.002", "attack-object-name": "Domain Accounts", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", 
"capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.001", "attack-object-name": "Password Guessing", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.002", "attack-object-name": "Password Cracking", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.003", "attack-object-name": "Password Spraying", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": ["https://landing.google.com/advancedprotection/"], "tags": ["Multi-Factor Authentication", "Phishing"], "mapping-description": "", "capability-id": "AdvancedProtectionProgram", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1528", "attack-object-name": "Steal Application Access Token", "references": ["https://cloud.google.com/secret-manager/docs/overview"], "tags": ["Data Security"], "mapping-description": 
"", "capability-id": "Secret Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1555", "attack-object-name": "Credentials from Password Stores", "references": ["https://cloud.google.com/secret-manager/docs/overview"], "tags": ["Data Security"], "mapping-description": "", "capability-id": "Secret Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1552", "attack-object-name": "Unsecured Credentials", "references": ["https://cloud.google.com/secret-manager/docs/overview"], "tags": ["Data Security"], "mapping-description": "", "capability-id": "Secret Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1040", "attack-object-name": "Network Sniffing", "references": ["https://cloud.google.com/secret-manager/docs/overview"], "tags": ["Data Security"], "mapping-description": "", "capability-id": "Secret Manager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "", "attack-object-id": "T1590", "attack-object-name": "Gather Victim Network Information", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1590.004", "attack-object-name": "Network Topology", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": 
"Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1590.005", "attack-object-name": "IP Addresses", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1046", "attack-object-name": "Network Service Scanning", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1135", "attack-object-name": "Network Share Discovery", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1595", "attack-object-name": "Active Scanning", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1595.001", "attack-object-name": "Scanning IP Blocks", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": 
"Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1557", "attack-object-name": "Adversary-in-the-Middle", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1602", "attack-object-name": "Data from Configuration Repository", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", 
"score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1552.007", "attack-object-name": "Container API", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1018", "attack-object-name": "Remote System Discovery", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1570", "attack-object-name": "Lateral Tool Transfer", "references": ["https://cloud.google.com/vpc-service-controls/docs"], "tags": ["Network", "Virtual Private Cloud"], "mapping-description": "", "capability-id": "Virtual Private Cloud", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1580", "attack-object-name": "Cloud Infrastructure Discovery", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access 
Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1538", "attack-object-name": "Cloud Service Dashboard", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1578", "attack-object-name": "Modify Cloud Compute Infrastructure", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], 
"mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1548.002", "attack-object-name": "Bypass User Account Control", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1562", "attack-object-name": "Impair Defenses", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": 
"Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1562.008", "attack-object-name": "Disable Cloud Logs", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", 
"score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure Role based access control and Azure policy ", "attack-object-id": "T1222", "attack-object-name": "File and Directory Permissions Modification", "references": ["https://cloud.google.com/policy-intelligence"], "tags": ["Identity", "Role Based Access Control", "Access Management", "Credentials"], "mapping-description": "", "capability-id": "Policy Intelligence", "mapping-type": "technique-scores", "score-category": "Protect", 
"score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/recaptcha-enterprise"], "tags": ["Multi-Factor Authentication", "Identity"], "mapping-description": "", "capability-id": "ReCAPTCHA Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1110.004", "attack-object-name": "Credential Stuffing", "references": ["https://cloud.google.com/recaptcha-enterprise"], "tags": ["Multi-Factor Authentication", "Identity"], "mapping-description": "", "capability-id": "ReCAPTCHA Enterprise", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1136.003", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/recaptcha-enterprise"], "tags": ["Multi-Factor Authentication", "Identity"], "mapping-description": "", "capability-id": "ReCAPTCHA Enterprise", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1537", "attack-object-name": "Transfer Data to Cloud Account", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": 
"technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1530", "attack-object-name": "Data from Cloud Storage Object", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Significant", "related-score": ""}, {"comments": "", "attack-object-id": "T1567", "attack-object-name": "Exfiltration Over Web Service", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "", "attack-object-id": "T1619", "attack-object-name": "Cloud Storage Object Discovery", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"], "tags": ["Virtual Private Cloud", "Access Control Policies", "Network"], "mapping-description": "", "capability-id": "VPC Service Controls", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1098", "attack-object-name": "Account Manipulation", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to 
Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1098.001", "attack-object-name": "Additional Cloud Credentials", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1069", "attack-object-name": "Permission Groups Discovery", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1069.003", "attack-object-name": "Cloud Groups", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor 
Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1078.004", "attack-object-name": "Cloud Accounts", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1087.004", "attack-object-name": "Cloud Account", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, 
AWS Identity and Access Management.", "attack-object-id": "T1087", "attack-object-name": "Account Discovery", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "Similar to Azure AD for Managed Identities, Azure Role Based Access Control, AWS Identity and Access Management.", "attack-object-id": "T1613", "attack-object-name": "Container and Resource Discovery", "references": ["https://cloud.google.com/iam"], "tags": ["Identity", "Credentials", "Access Management", "Multi-Factor Authentication", "Role Based Access Control"], "mapping-description": "", "capability-id": "Identity and Access Management", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Minimal", "related-score": ""}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1190", "attack-object-name": "Exploit Public-Facing Application", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability 
Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1203", "attack-object-name": "Exploitation for Client Execution", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1210", "attack-object-name": "Exploitation of Remote Services", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1211", "attack-object-name": "Exploitation for Defense Evasion", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": 
"This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "This mapping was scored as Partial due to the medium threat protection coverage to specific (sub-) techniques of MITRE\u2019s ATT&CK framework.", "attack-object-id": "T1072", "attack-object-name": "Software Deployment Tools", "references": ["https://cloud.google.com/compute/docs/vm-manager"], "tags": ["Patch Management", "Vulnerability Management", "Configuration Management", "Credentials"], "mapping-description": "", "capability-id": "VMManager", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1078", "attack-object-name": "Valid Accounts", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1068", "attack-object-name": "Exploitation for Privilege Escalation", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1525", "attack-object-name": "Implant Internal Image", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. 
Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1610", "attack-object-name": "Deploy Container", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Protect", "score-value": "Partial", "related-score": ""}, {"comments": "Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.", "attack-object-id": "T1212", "attack-object-name": "Exploitation for Credential Access", "references": ["https://cloud.google.com/container-registry/docs/container-analysis", "https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr"], "tags": ["Containers", "Vulnerability Analysis"], "mapping-description": "", "capability-id": "Container Registry", "mapping-type": "technique-scores", "score-category": "Detect", "score-value": "Partial", "related-score": ""}]} \ No newline at end of file diff --git a/tests/expected_results/csv/cve/expected_cve_results_attack_objects.csv b/tests/expected_results/csv/cve/expected_cve_results_attack_objects.csv index 0687e550..548832fb 100644 --- a/tests/expected_results/csv/cve/expected_cve_results_attack_objects.csv +++ b/tests/expected_results/csv/cve/expected_cve_results_attack_objects.csv 
@@ -1,5 +1,5 @@
-,comments,id,name,references,tags,mapping-description,mapping-target,metadata-key,key
-0,,T1059,Name for T1059,[],[],,CVE-2019-15243,0,0
-1,,T1190,Name for T1190,[],[],,CVE-2019-15243,1,1
-2,,T1078,Name for T1078,[],[],,CVE-2019-15243,2,2
-3,,T1068,Name for T1068,[],[],,CVE-2019-15976,3,3
+,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key
+0,,T1059,Name for T1059,[],[],,CVE-2019-15243,Primary Impact,0
+1,,T1190,Name for T1190,[],[],,CVE-2019-15243,Exploitation Technique,0
+2,,T1078,Name for T1078,[],[],,CVE-2019-15243,Exploitation Technique,0
+3,,T1068,Name for T1068,[],[],,CVE-2019-15976,Primary Impact,0
diff --git a/tests/expected_results/csv/cve/expected_cve_results_mapping_platforms.csv b/tests/expected_results/csv/cve/expected_cve_results_mapping_platforms.csv
deleted file mode 100644
index 26f6a737..00000000
--- a/tests/expected_results/csv/cve/expected_cve_results_mapping_platforms.csv
+++ /dev/null
@@ -1,5 +0,0 @@
-,name,impact,phase,attack-object-key
-0,CVE Vulnerability List,Primary Impact,Phase 2,0
-1,CVE Vulnerability List,Exploitation Technique,Phase 2,1
-2,CVE Vulnerability List,Exploitation Technique,Phase 2,2
-3,CVE Vulnerability List,Primary Impact,Phase 2,3
diff --git a/tests/expected_results/csv/cve/expected_cve_results_metadata.csv b/tests/expected_results/csv/cve/expected_cve_results_metadata.csv
index 3ddad525..9f7a5a26 100644
--- a/tests/expected_results/csv/cve/expected_cve_results_metadata.csv
+++ b/tests/expected_results/csv/cve/expected_cve_results_metadata.csv
@@ -1,5 +1,2 @@
-,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-platform,mapping-platform-version,key
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
 0,,9.0,enterprise,,,02/03/21,10/27/21,,CVE Vulnerability List,,0
-1,,9.0,enterprise,,,02/03/21,10/27/21,,CVE Vulnerability List,,1
-2,,9.0,enterprise,,,02/03/21,10/27/21,,CVE Vulnerability List,,2
-3,,9.0,enterprise,,,02/03/21,10/27/21,,CVE Vulnerability List,,3
diff --git a/tests/expected_results/csv/nist/expected_nist_results_attack_objects.csv b/tests/expected_results/csv/nist/expected_nist_results_attack_objects.csv
index d32e37a5..bf63c481 100644
--- a/tests/expected_results/csv/nist/expected_nist_results_attack_objects.csv
+++ b/tests/expected_results/csv/nist/expected_nist_results_attack_objects.csv
@@ -1,3 +1,3 @@
-,comments,id,name,references,tags,mapping-description,mapping-target,metadata-key,key
-0,,T1137,Office Application Startup,[],[],,AC-10,0,0
-1,,T1137.002,Office Test,[],[],,AC-10,1,1
+,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key
+0,,T1137,Office Application Startup,[],[],,AC-10,mitigates,0
+1,,T1137.002,Office Test,[],[],,AC-10,mitigates,0
diff --git a/tests/expected_results/csv/nist/expected_nist_results_mapping_platforms.csv b/tests/expected_results/csv/nist/expected_nist_results_mapping_platforms.csv
deleted file mode 100644
index 06d6a1a2..00000000
--- a/tests/expected_results/csv/nist/expected_nist_results_mapping_platforms.csv
+++ /dev/null
@@ -1,3 +0,0 @@
-,name,control-name,mapping-type,attack-object-key
-0,NIST Security controls,Concurrent Session Control,mitigates,0
-1,NIST Security controls,Concurrent Session Control,mitigates,1
diff --git a/tests/expected_results/csv/nist/expected_nist_results_metadata.csv b/tests/expected_results/csv/nist/expected_nist_results_metadata.csv
index 04252f82..0e4ba270 100644
--- a/tests/expected_results/csv/nist/expected_nist_results_metadata.csv
+++ b/tests/expected_results/csv/nist/expected_nist_results_metadata.csv
@@ -1,3 +1,2 @@
-,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-platform,mapping-platform-version,key
-0,1,13.0,enterprise,,,,,,NIST Security controls,,0
-1,1,13.0,enterprise,,,,,,NIST Security controls,,1
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,1,13.0,enterprise,,,02/03/21,10/27/21,,NIST Security controls,,0
diff --git a/tests/expected_results/csv/security_stack/expected_security_stack_results_attack_objects.csv b/tests/expected_results/csv/security_stack/expected_security_stack_results_attack_objects.csv
index 6827fa7b..7d22448b 100644
--- a/tests/expected_results/csv/security_stack/expected_security_stack_results_attack_objects.csv
+++ b/tests/expected_results/csv/security_stack/expected_security_stack_results_attack_objects.csv
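Review bot: The added row in expected_nist_results_metadata.csv sets `creation-date` to 02/03/21 and `last-update` to 10/27/21, the same pair the CVE metadata fixture carries, where the removed NIST rows left both fields empty; the added row in expected_veris_results_metadata.csv does the same. If these values come from a parser default or a copied config rather than from the NIST and VERIS source files, the tests now pin incorrect provenance, and anyone judging how current a control-to-technique mapping is from this metadata would be misled. I would confirm where the dates originate and, if they are placeholders, keep the fields empty as before, e.g. `0,1,13.0,enterprise,,,,,,NIST Security controls,,0`.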
@@ -1,5 +1,15 @@
-,comments,id,name,references,tags,mapping-description,mapping-target,metadata-key,key
-0,comment,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,0,0
-1,comment,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,1,1
-2,comment,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,2,2
-3,comment,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,3,3
+,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,score-category,score-value,related-score,metadata-key
+0,comment,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Minimal,,0
+1,score comment,T1078.004,Cloud Accounts,[],[],,Amazon Cognito,technique-scores,Protect,Partial,T1078,0
+2,comment,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Significant,,0
+3,score-comment,T1110.001,Password Guessing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0
+4,score-comment,T1110.002,Password Cracking,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0
+5,score-comment,T1110.003,Password Spraying,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0
+6,score-comment,T1110.004,Credential Stuffing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0
+7,comment,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Minimal,,0
+8,score comment,T1078.004,Cloud Accounts,[],[],,Amazon Cognito,technique-scores,Protect,Partial,T1078,0
+9,comment,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Significant,,0
+10,score-comment,T1110.001,Password Guessing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0
+11,score-comment,T1110.002,Password Cracking,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0
+12,score-comment,T1110.003,Password Spraying,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0
+13,score-comment,T1110.004,Credential Stuffing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0
diff --git a/tests/expected_results/csv/security_stack/expected_security_stack_results_mapping_platforms.csv b/tests/expected_results/csv/security_stack/expected_security_stack_results_mapping_platforms.csv
deleted file mode 100644
index baf86f17..00000000
--- a/tests/expected_results/csv/security_stack/expected_security_stack_results_mapping_platforms.csv
+++ /dev/null
@@ -1,5 +0,0 @@
-,score-category,score-value,related-score,tags,attack-object-key
-0,Protect,Minimal,True,['Identity'],0
-1,Protect,Significant,True,['Identity'],1
-2,Protect,Minimal,True,['Identity'],2
-3,Protect,Significant,True,['Identity'],3
diff --git a/tests/expected_results/csv/security_stack/expected_security_stack_results_metadata.csv b/tests/expected_results/csv/security_stack/expected_security_stack_results_metadata.csv
index 9f1adcca..fc1cfdf4 100644
--- a/tests/expected_results/csv/security_stack/expected_security_stack_results_metadata.csv
+++ b/tests/expected_results/csv/security_stack/expected_security_stack_results_metadata.csv
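Review bot: Added rows 7–13 of expected_security_stack_results_attack_objects.csv repeat rows 0–6 field for field, and with the `key` column dropped and `metadata-key` set to 0 on every row, nothing distinguishes the two copies. If the test input really holds the same Amazon Cognito mapping twice, the test should say so in a comment; otherwise the fixture is presumably pinning a duplicated parse, and anything that counts Protect coverage per technique from this output would count T1078 and T1110 twice. The `comments` values also mix `score comment` (rows 1 and 8) with `score-comment` elsewhere, which looks accidental and is worth making uniform in the input the fixture is derived from.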
@@ -1,5 +1,2 @@
-,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-platform,mapping-platform-version,key
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
 0,1,9,enterprise,,ctid@mitre-engenuity.org,05/27/2021,,,AWS,,0
-1,1,9,enterprise,,ctid@mitre-engenuity.org,05/27/2021,,,AWS,,1
-2,1,9,enterprise,,ctid@mitre-engenuity.org,05/27/2021,,,AWS,,2
-3,1,9,enterprise,,ctid@mitre-engenuity.org,05/27/2021,,,AWS,,3
diff --git a/tests/expected_results/csv/veris/expected_veris_results_attack_objects.csv b/tests/expected_results/csv/veris/expected_veris_results_attack_objects.csv
index 2966700f..fcfa83d8 100644
--- a/tests/expected_results/csv/veris/expected_veris_results_attack_objects.csv
+++ b/tests/expected_results/csv/veris/expected_veris_results_attack_objects.csv
@@ -1,4 +1,4 @@
-,comments,id,name,references,tags,mapping-description,mapping-target,metadata-key,key
-0,,T1047,Windows Management Instrumentation,[],[],,action.hacking.variety.Abuse of functionality,0,0
-1,,T1047,Windows Management Instrumentation,[],[],,action.hacking.vector.Command shell,1,1
-2,,T1053,Scheduled Task/Job,[],[],,action.hacking.variety.Abuse of functionality,2,2
+,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,metadata-key
+0,,T1047,Windows Management Instrumentation,[],[],,action.hacking.variety.Abuse of functionality,related-to,0
+1,,T1047,Windows Management Instrumentation,[],[],,action.hacking.vector.Command shell,related-to,0
+2,,T1053,Scheduled Task/Job,[],[],,action.hacking.variety.Abuse of functionality,related-to,0
diff --git a/tests/expected_results/csv/veris/expected_veris_results_mapping_platforms.csv b/tests/expected_results/csv/veris/expected_veris_results_mapping_platforms.csv
deleted file mode 100644
index 442ba1a4..00000000
--- a/tests/expected_results/csv/veris/expected_veris_results_mapping_platforms.csv
+++ /dev/null
@@ -1,4 +0,0 @@
-,relationship-type,veris-path,attack-object-key
-0,related-to,action.hacking.variety.Abuse of functionality,0
-1,related-to,action.hacking.vector.Command shell,1
-2,related-to,action.hacking.variety.Abuse of functionality,2
diff --git a/tests/expected_results/csv/veris/expected_veris_results_metadata.csv b/tests/expected_results/csv/veris/expected_veris_results_metadata.csv
index 0810db45..5d942f41 100644
--- a/tests/expected_results/csv/veris/expected_veris_results_metadata.csv
+++ b/tests/expected_results/csv/veris/expected_veris_results_metadata.csv
@@ -1,4 +1,2 @@
-,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-platform,mapping-platform-version,key
-0,1.9,9.0,enterprise,,,,,,VERIS Framework,1.3.5,0
-1,1.9,9.0,enterprise,,,,,,VERIS Framework,1.3.5,1
-2,1.9,9.0,enterprise,,,,,,VERIS Framework,1.3.5,2
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
+0,1.9,9.0,enterprise,,,02/03/21,10/27/21,,VERIS Framework,1.3.5,0
diff --git a/tests/expected_results/expected_results_json.py b/tests/expected_results/expected_results_json.py
index 46bd8400..31e157bb 100644
--- a/tests/expected_results/expected_results_json.py
+++ b/tests/expected_results/expected_results_json.py
@@ -1,392 +1,355 @@ -expected_nist_mapping_json = [ - { - "metadata": { - "mapping-version": "1", - "attack-version": "13.0", - "creation-date": "", - "last-update": "", - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "NIST Security controls", - "mapping-platform-version": "", # get correct value - "technology-domain": "enterprise", - }, - "attack-object": { - "id": "T1137", - "name": "Office Application Startup", - "mapping-target": "AC-10", - "tags": [], +expected_nist_mapping_json = { + "metadata": { + "mapping-version": "1", + "attack-version": "13.0", + "technology-domain": "enterprise", + "author": "", + "contact": "", + "creation-date": "02/03/21", + "last-update": "10/27/21", + "organization": "", + "mapping-framework": "NIST Security controls", + "mapping-framework-version": "", + }, + "attack-objects": [ + { "comments": "", + "attack-object-id": "T1137", + "attack-object-name": "Office Application Startup", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "control-name": "Concurrent Session Control", - "mapping-type": "mitigates", - "name": "NIST Security controls", - }, - }, - }, - { - "metadata": { - "mapping-version": "1", - "attack-version": "13.0", - "creation-date": "", - "last-update": "", - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "NIST Security controls", - "mapping-platform-version": "", # get correct value - "technology-domain": "enterprise", + "capability-id": "AC-10", + "mapping-type": "mitigates", }, - "attack-object": { - "id": "T1137.002", - "name": "Office Test", - "mapping-target": "AC-10", - "tags": [], + { "comments": "", + "attack-object-id": "T1137.002", + "attack-object-name": "Office Test", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "control-name": "Concurrent Session Control", - "mapping-type": "mitigates", - "name": "NIST Security controls", - }, + "capability-id": "AC-10", + "mapping-type": 
"mitigates", }, - }, -] + ], +} -expected_security_stack_mapping_json = [ - { - "metadata": { - "mapping-version": 1, - "attack-version": 9, - "creation-date": "05/27/2021", # confirm that this value is correct - "last-update": "", # confirm this value is correct - "author": "", - "contact": "ctid@mitre-engenuity.org", - "organization": "", - "mapping-platform": "AWS", - "mapping-platform-version": "", # get correct value - "technology-domain": "enterprise", - }, - "attack-object": { - "id": "T1078", - "name": "Valid Accounts", - "mapping-target": "Amazon Cognito", +expected_security_stack_mapping_json = { + "metadata": { + "mapping-version": 1, + "attack-version": 9, + "technology-domain": "enterprise", + "author": "", + "contact": "ctid@mitre-engenuity.org", + "creation-date": "05/27/2021", + "last-update": "", + "organization": "", + "mapping-framework": "AWS", + "mapping-framework-version": "", + }, + "attack-objects": [ + { "comments": "comment", + "attack-object-id": "T1078", + "attack-object-name": "Valid Accounts", "references": [ "https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html", ], - "mapping-platform": { - "score-category": "Protect", - "score-value": "Minimal", - "related-score": True, - "tags": ["Identity"], - }, - "mapping-description": "", "tags": ["Identity"], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Minimal", + "related-score": "", }, - }, - { - "metadata": { - "mapping-version": 1, - "attack-version": 9, - "creation-date": "05/27/2021", # confirm that this value is correct - "last-update": "", # confirm this value is correct - "author": "", - "contact": 
"ctid@mitre-engenuity.org", - "organization": "", - "mapping-platform": "AWS", - "mapping-platform-version": "", # get correct value - "technology-domain": "enterprise", + { + "comments": "score comment", + "attack-object-id": "T1078.004", + "attack-object-name": "Cloud Accounts", + "references": [], + "tags": [], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Partial", + "related-score": "T1078", }, - "attack-object": { - "id": "T1110", - "name": "Brute Force", - "mapping-target": "Amazon Cognito", + { "comments": "comment", + "attack-object-id": "T1110", + "attack-object-name": "Brute Force", "references": [ "https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html", ], - "mapping-description": "", - "mapping-platform": { - "score-category": "Protect", - "score-value": "Significant", - "related-score": True, - "tags": ["Identity"], - }, "tags": ["Identity"], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "", }, - }, - { - "metadata": { - "mapping-version": 1, - "attack-version": 9, - "creation-date": "05/27/2021", # confirm that this value is correct - "last-update": "", # confirm this value is correct - "author": "", - "contact": "ctid@mitre-engenuity.org", - "organization": "", - "mapping-platform": "AWS", - "mapping-platform-version": "", # get correct value - "technology-domain": "enterprise", + { + "comments": "score-comment", + "attack-object-id": "T1110.001", + "attack-object-name": "Password Guessing", + "references": [], + "tags": [], + 
"mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "T1110", + }, + { + "comments": "score-comment", + "attack-object-id": "T1110.002", + "attack-object-name": "Password Cracking", + "references": [], + "tags": [], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "T1110", }, - "attack-object": { - "id": "T1078", - "name": "Valid Accounts", - "mapping-target": "Amazon Cognito", + { + "comments": "score-comment", + "attack-object-id": "T1110.003", + "attack-object-name": "Password Spraying", + "references": [], + "tags": [], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "T1110", + }, + { + "comments": "score-comment", + "attack-object-id": "T1110.004", + "attack-object-name": "Credential Stuffing", + "references": [], + "tags": [], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "T1110", + }, + { "comments": "comment", + "attack-object-id": "T1078", + "attack-object-name": "Valid Accounts", "references": [ "https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html", ], - "mapping-platform": { - "score-category": "Protect", - "score-value": "Minimal", - "related-score": True, - "tags": ["Identity"], - }, - "mapping-description": "", "tags": ["Identity"], + 
"mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Minimal", + "related-score": "", }, - }, - { - "metadata": { - "mapping-version": 1, - "attack-version": 9, - "creation-date": "05/27/2021", # confirm that this value is correct - "last-update": "", # confirm this value is correct - "author": "", - "contact": "ctid@mitre-engenuity.org", - "organization": "", - "mapping-platform": "AWS", - "mapping-platform-version": "", # get correct value - "technology-domain": "enterprise", + { + "comments": "score comment", + "attack-object-id": "T1078.004", + "attack-object-name": "Cloud Accounts", + "references": [], + "tags": [], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Partial", + "related-score": "T1078", }, - "attack-object": { - "id": "T1110", - "name": "Brute Force", - "mapping-target": "Amazon Cognito", + { "comments": "comment", + "attack-object-id": "T1110", + "attack-object-name": "Brute Force", "references": [ "https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html", ], - "mapping-description": "", - "mapping-platform": { - "score-category": "Protect", - "score-value": "Significant", - "related-score": True, - "tags": ["Identity"], - }, "tags": ["Identity"], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "", }, - }, -] - -expected_veris_mapping_json = [ - { - "metadata": { - "mapping-version": "1.9", - "attack-version": "9.0", - "creation-date": "", # get 
correct value - "last-update": "", # get correct value - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "VERIS Framework", - "mapping-platform-version": "1.3.5", - "technology-domain": "enterprise", - }, - "attack-object": { - "id": "T1047", - "name": "Windows Management Instrumentation", - "mapping-target": "action.hacking.variety.Abuse of functionality", - "tags": [], - "comments": "", + { + "comments": "score-comment", + "attack-object-id": "T1110.001", + "attack-object-name": "Password Guessing", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "relationship-type": "related-to", - "veris-path": "action.hacking.variety.Abuse of functionality", - }, + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "T1110", }, - }, - { - "metadata": { - "mapping-version": "1.9", - "attack-version": "9.0", - "creation-date": "", # get correct value - "last-update": "", # get correct value - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "VERIS Framework", - "mapping-platform-version": "1.3.5", - "technology-domain": "enterprise", + { + "comments": "score-comment", + "attack-object-id": "T1110.002", + "attack-object-name": "Password Cracking", + "references": [], + "tags": [], + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "T1110", }, - "attack-object": { - "id": "T1047", - "name": "Windows Management Instrumentation", - "mapping-target": "action.hacking.vector.Command shell", + { + "comments": "score-comment", + "attack-object-id": "T1110.003", + "attack-object-name": "Password Spraying", + "references": [], "tags": [], - "comments": "", + "mapping-description": "", + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + 
"score-category": "Protect", + "score-value": "Significant", + "related-score": "T1110", + }, + { + "comments": "score-comment", + "attack-object-id": "T1110.004", + "attack-object-name": "Credential Stuffing", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "relationship-type": "related-to", - "veris-path": "action.hacking.vector.Command shell", - }, + "capability-id": "Amazon Cognito", + "mapping-type": "technique-scores", + "score-category": "Protect", + "score-value": "Significant", + "related-score": "T1110", }, + ], +} + +expected_veris_mapping_json = { + "metadata": { + "mapping-version": "1.9", + "attack-version": "9.0", + "technology-domain": "enterprise", + "author": "", + "contact": "", + "creation-date": "02/03/21", + "last-update": "10/27/21", + "organization": "", + "mapping-framework": "VERIS Framework", + "mapping-framework-version": "1.3.5", }, - { - "metadata": { - "mapping-version": "1.9", - "attack-version": "9.0", - "creation-date": "", # get correct value - "last-update": "", # get correct value - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "VERIS Framework", - "mapping-platform-version": "1.3.5", - "technology-domain": "enterprise", - }, - "attack-object": { - "id": "T1053", - "name": "Scheduled Task/Job", - "mapping-target": "action.hacking.variety.Abuse of functionality", - "tags": [], + "attack-objects": [ + { "comments": "", + "attack-object-id": "T1047", + "attack-object-name": "Windows Management Instrumentation", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "relationship-type": "related-to", - "veris-path": "action.hacking.variety.Abuse of functionality", - }, - }, - }, -] - -expected_cve_mapping_json = [ - { - "metadata": { - "mapping-version": "", # confirm that this value is correct - "attack-version": "9.0", - "creation-date": "02/03/21", # confirm this value is correct - "last-update": "10/27/21", # confirm this value is 
correct - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "CVE Vulnerability List", - "mapping-platform-version": "", # confirm this value is correct - "technology-domain": "enterprise", + "capability-id": "action.hacking.variety.Abuse of functionality", + "mapping-type": "related-to", }, - "attack-object": { - "id": "T1059", - "name": "Name for T1059", - "mapping-target": "CVE-2019-15243", - "tags": [], + { "comments": "", + "attack-object-id": "T1047", + "attack-object-name": "Windows Management Instrumentation", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "impact": "Primary Impact", - "name": "CVE Vulnerability List", - "phase": "Phase 2", - }, - }, - }, - { - "metadata": { - "mapping-version": "", # confirm that this value is correct - "attack-version": "9.0", - "creation-date": "02/03/21", # confirm this value is correct - "last-update": "10/27/21", # confirm this value is correct - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "CVE Vulnerability List", - "mapping-platform-version": "", # confirm this value is correct - "technology-domain": "enterprise", + "capability-id": "action.hacking.vector.Command shell", + "mapping-type": "related-to", }, - "attack-object": { - "id": "T1190", - "name": "Name for T1190", - "mapping-target": "CVE-2019-15243", - "tags": [], + { "comments": "", + "attack-object-id": "T1053", + "attack-object-name": "Scheduled Task/Job", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "impact": "Exploitation Technique", - "name": "CVE Vulnerability List", - "phase": "Phase 2", - }, + "capability-id": "action.hacking.variety.Abuse of functionality", + "mapping-type": "related-to", }, + ], +} + +expected_cve_mapping_json = { + "metadata": { + "mapping-version": "", + "attack-version": "9.0", + "technology-domain": "enterprise", + "author": "", + "contact": "", + "creation-date": "02/03/21", + "last-update": 
"10/27/21", + "organization": "", + "mapping-framework": "CVE Vulnerability List", + "mapping-framework-version": "", }, - { - "metadata": { - "mapping-version": "", # confirm that this value is correct - "attack-version": "9.0", - "creation-date": "02/03/21", # confirm this value is correct - "last-update": "10/27/21", # confirm this value is correct - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "CVE Vulnerability List", - "mapping-platform-version": "", # confirm this value is correct - "technology-domain": "enterprise", - }, - "attack-object": { - "id": "T1078", - "name": "Name for T1078", - "mapping-target": "CVE-2019-15243", - "tags": [], + "attack-objects": [ + { "comments": "", + "attack-object-id": "T1059", + "attack-object-name": "Name for T1059", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "impact": "Exploitation Technique", - "name": "CVE Vulnerability List", - "phase": "Phase 2", - }, + "capability-id": "CVE-2019-15243", + "mapping-type": "Primary Impact", }, - }, - { - "metadata": { - "mapping-version": "", # confirm that this value is correct - "attack-version": "9.0", - "creation-date": "02/03/21", # confirm this value is correct - "last-update": "10/27/21", # confirm this value is correct - "author": "", - "contact": "", - "organization": "", - "mapping-platform": "CVE Vulnerability List", - "mapping-platform-version": "", # confirm this value is correct - "technology-domain": "enterprise", + { + "comments": "", + "attack-object-id": "T1190", + "attack-object-name": "Name for T1190", + "references": [], + "tags": [], + "mapping-description": "", + "capability-id": "CVE-2019-15243", + "mapping-type": "Exploitation Technique", }, - "attack-object": { - "id": "T1068", - "name": "Name for T1068", - "mapping-target": "CVE-2019-15976", + { + "comments": "", + "attack-object-id": "T1078", + "attack-object-name": "Name for T1078", + "references": [], "tags": [], + "mapping-description": 
"", + "capability-id": "CVE-2019-15243", + "mapping-type": "Exploitation Technique", + }, + { "comments": "", + "attack-object-id": "T1068", + "attack-object-name": "Name for T1068", "references": [], + "tags": [], "mapping-description": "", - "mapping-platform": { - "impact": "Primary Impact", - "name": "CVE Vulnerability List", - "phase": "Phase 2", - }, + "capability-id": "CVE-2019-15976", + "mapping-type": "Primary Impact", }, - }, -] + ], +} diff --git a/tests/expected_results/expected_results_navigator_layer.py b/tests/expected_results/expected_results_navigator_layer.py new file mode 100644 index 00000000..39318337 --- /dev/null +++ b/tests/expected_results/expected_results_navigator_layer.py 
@@ -0,0 +1,110 @@ +expected_nist_navigator_layer = { + "name": "nist overview", + "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "13.0"}, + "sorting": 3, + "description": "nist heatmap overview of nist mappings, scores are the number of associated entries", + "domain": "enterprise-attack", + "techniques": [ + {"techniqueID": "T1137", "score": 1, "comment": "Related to AC-10"}, + {"techniqueID": "T1137.002", "score": 1, "comment": "Related to AC-10"}, + ], + "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 1}, +} + +expected_security_stack_navigator_layer = { + "name": "security stack overview", + "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": 9}, + "sorting": 3, + "description": "security stack heatmap overview of security stack mappings, scores are the number of associated entries", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1078", + "score": 2, + "comment": "Related to Amazon Cognito, Amazon Cognito", + }, + { + "techniqueID": "T1078.004", + "score": 2, + "comment": "Related to Amazon Cognito, Amazon Cognito", + }, + { + "techniqueID": "T1110", + "score": 2, + "comment": "Related to Amazon Cognito, Amazon Cognito", + }, + { + "techniqueID": "T1110.001", + "score": 2, + "comment": "Related to Amazon Cognito, Amazon Cognito", + }, + { + "techniqueID": "T1110.002", + "score": 2, + "comment": "Related to Amazon Cognito, Amazon Cognito", + }, + { + "techniqueID": "T1110.003", + "score": 2, + "comment": "Related to Amazon Cognito, Amazon Cognito", + }, + { + "techniqueID": "T1110.004", + "score": 2, + "comment": "Related to Amazon Cognito, Amazon Cognito", + }, + ], + "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 2, "maxValue": 2}, +} + +expected_veris_navigator_layer = { + "name": "veris overview", + "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "9.0"}, + "sorting": 3, + "description": "veris heatmap overview of veris mappings, scores are the number of 
associated entries", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1047", + "score": 2, + "comment": "Related to action.hacking.variety.Abuse of functionality, action.hacking.vector.Command shell", + }, + { + "techniqueID": "T1053", + "score": 1, + "comment": "Related to action.hacking.variety.Abuse of functionality", + }, + ], + "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 2}, +} + +expected_cve_navigator_layer = { + "name": "cve overview", + "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "9.0"}, + "sorting": 3, + "description": "cve heatmap overview of cve mappings, scores are the number of associated entries", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1059", + "score": 1, + "comment": "Related to CVE-2019-15243", + }, + { + "techniqueID": "T1190", + "score": 1, + "comment": "Related to CVE-2019-15243", + }, + { + "techniqueID": "T1078", + "score": 1, + "comment": "Related to CVE-2019-15243", + }, + { + "techniqueID": "T1068", + "score": 1, + "comment": "Related to CVE-2019-15976", + }, + ], + "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 1}, +} diff --git a/tests/files/security_stack/AWS_attack-objects.csv b/tests/files/security_stack/AWS_attack-objects.csv deleted file mode 100644 index 6827fa7b..00000000 --- a/tests/files/security_stack/AWS_attack-objects.csv +++ /dev/null 
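Review bot: `expected_security_stack_navigator_layer` pins `"attack": 9` as an integer inside `versions`, while the nist, veris and cve layers in the same file use strings (`"13.0"`, `"9.0"`). The expectation therefore locks in whatever type the source metadata happened to carry, and a layer consumer that expects a string version may reject or mis-handle the file. I would have the layer writer convert the ATT&CK version with `str(...)` and change the expectation to `"attack": "9"`. The repeated capability in `"comment": "Related to Amazon Cognito, Amazon Cognito"` suggests the comment builder does not de-duplicate names; it is worth confirming whether that duplicate is intended before it is frozen into the expected result.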
@@ -1,5 +0,0 @@ -,comments,id,name,references,tags,mapping-description,mapping-target,metadata-key,key -0,comment,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,0,0 -1,comment,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,1,1 -2,comment,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,2,2 -3,comment,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,3,3 diff --git a/tests/files/security_stack/AWS_attack_objects.csv b/tests/files/security_stack/AWS_attack_objects.csv new file mode 100644 index 00000000..7d22448b --- /dev/null +++ b/tests/files/security_stack/AWS_attack_objects.csv 
@@ -0,0 +1,15 @@ +,comments,attack-object-id,attack-object-name,references,tags,mapping-description,capability-id,mapping-type,score-category,score-value,related-score,metadata-key +0,comment,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Minimal,,0 +1,score comment,T1078.004,Cloud Accounts,[],[],,Amazon Cognito,technique-scores,Protect,Partial,T1078,0 +2,comment,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Significant,,0 +3,score-comment,T1110.001,Password Guessing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0 +4,score-comment,T1110.002,Password Cracking,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0 +5,score-comment,T1110.003,Password Spraying,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0 +6,score-comment,T1110.004,Credential Stuffing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0 +7,comment,T1078,Valid Accounts,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon 
Cognito,technique-scores,Protect,Minimal,,0 +8,score comment,T1078.004,Cloud Accounts,[],[],,Amazon Cognito,technique-scores,Protect,Partial,T1078,0 +9,comment,T1110,Brute Force,"['https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html', 'https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html']",['Identity'],,Amazon Cognito,technique-scores,Protect,Significant,,0 +10,score-comment,T1110.001,Password Guessing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0 +11,score-comment,T1110.002,Password Cracking,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0 +12,score-comment,T1110.003,Password Spraying,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0 +13,score-comment,T1110.004,Credential Stuffing,[],[],,Amazon Cognito,technique-scores,Protect,Significant,T1110,0 diff --git a/tests/files/security_stack/AWS_mapping-platforms.csv b/tests/files/security_stack/AWS_mapping-platforms.csv deleted file mode 100644 index baf86f17..00000000 --- a/tests/files/security_stack/AWS_mapping-platforms.csv +++ /dev/null @@ -1,5 +0,0 @@ -,score-category,score-value,related-score,tags,attack-object-key -0,Protect,Minimal,True,['Identity'],0 -1,Protect,Significant,True,['Identity'],1 -2,Protect,Minimal,True,['Identity'],2 -3,Protect,Significant,True,['Identity'],3 diff --git a/tests/files/security_stack/AWS_metadata.csv b/tests/files/security_stack/AWS_metadata.csv index 9f1adcca..fc1cfdf4 100644 --- a/tests/files/security_stack/AWS_metadata.csv +++ b/tests/files/security_stack/AWS_metadata.csv 
@@ -1,5 +1,2 @@
-,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-platform,mapping-platform-version,key
+,mapping-version,attack-version,technology-domain,author,contact,creation-date,last-update,organization,mapping-framework,mapping-framework-version,key
 0,1,9,enterprise,,ctid@mitre-engenuity.org,05/27/2021,,,AWS,,0
-1,1,9,enterprise,,ctid@mitre-engenuity.org,05/27/2021,,,AWS,,1
-2,1,9,enterprise,,ctid@mitre-engenuity.org,05/27/2021,,,AWS,,2
-3,1,9,enterprise,,ctid@mitre-engenuity.org,05/27/2021,,,AWS,,3
diff --git a/tests/parsers.py b/tests/parsers.py
new file mode 100644
index 00000000..6bb7b962
--- /dev/null
+++ b/tests/parsers.py
@@ -0,0 +1,60 @@
+import os
+
+from mappings_explorer.cli.mapex_convert.parse_cve_mappings import (
+ configure_cve_mappings,
+)
+from mappings_explorer.cli.mapex_convert.parse_nist_mappings import (
+ configure_nist_mappings,
+)
+from mappings_explorer.cli.mapex_convert.parse_security_stack_mappings import (
+ configure_security_stack_mappings,
+)
+from mappings_explorer.cli.mapex_convert.parse_veris_mappings import (
+ configure_veris_mappings,
+)
+from mappings_explorer.cli.mapex_convert.read_files import (
+ read_csv_file,
+ read_excel_file,
+ read_json_file,
+ read_yaml_file,
+)
+
+
+def nist_mappings_parser():
+ filepath = os.path.join(os.path.dirname(__file__), "files/test_nist_mappings.xlsx")
+ attack_version = "13.0"
+ mappings_version = "1"
+ dataframe = read_excel_file(filepath)
+ parsed_mappings = configure_nist_mappings(
+ dataframe, attack_version, mappings_version
+ )
+ return parsed_mappings
+
+
+def security_stack_mappings_parser(filepath):
+ parsed_mappings = {}
+ for file in os.listdir(filepath):
+ data = read_yaml_file(f"{filepath}/{file}")
+ configure_security_stack_mappings(data, parsed_mappings)
+ return parsed_mappings
+
+
+def veris_mappings_parser():
+ filepath = os.path.join(os.path.dirname(__file__), "files/test_veris_mappings.json")
+ veris_mappings = read_json_file(filepath)
+ domain = "enterprise"
+ parsed_mappings = configure_veris_mappings(veris_mappings, domain)
+ return parsed_mappings
+
+
+def cve_mappings_parser():
+ filepath = os.path.join(os.path.dirname(__file__), "files/test_cve_mappings.csv")
+ id_to_name_dict = {
+ "T1059": {"name": "Name for T1059", "domain": "enterprise"},
+ "T1190": {"name": "Name for T1190", "domain": "enterprise"},
+ "T1078": {"name": "Name for T1078", "domain": "enterprise"},
+ "T1068": {"name": "Name for T1068", "domain": "enterprise"},
+ }
+ cve_mappings = read_csv_file(filepath)
+ parsed_mappings = configure_cve_mappings(cve_mappings, id_to_name_dict)
+ return parsed_mappings
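Review bot: `security_stack_mappings_parser` iterates `os.listdir(filepath)`, whose order is unspecified, so the order of the parsed attack objects can differ between filesystems while the tests compare against ordered expected YAML and CSV output. It also hands every directory entry to `read_yaml_file`, including any stray non-YAML file that ends up in the fixture directory. I would write `for file in sorted(os.listdir(filepath)):`, skip names that do not end in `.yaml` or `.yml`, and build the path with `os.path.join(filepath, file)`. The four helpers also have no docstrings; one line each naming the fixture that is loaded and the structure returned would do, for example `"""Parse files/test_veris_mappings.json and return the parsed mappings."""`.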
diff --git a/tests/test_cli.py b/tests/test_mapex_cli.py similarity index 58% rename from tests/test_cli.py rename to tests/test_mapex_cli.py index 30350d71..dc3404b0 100644 --- a/tests/test_cli.py +++ b/tests/test_mapex_cli.py @@ -2,29 +2,17 @@ import os import yaml - -from src.mappings_explorer.cli.cli import ( - configure_cve_mappings, - configure_nist_mappings, - configure_security_stack_mappings, - configure_veris_mappings, -) -from src.mappings_explorer.cli.read_files import ( - read_csv_file, - read_excel_file, - read_json_file, - read_yaml_file, -) -from src.mappings_explorer.cli.write_parsed_mappings import ( +from mappings_explorer.cli.mapex.write_parsed_mappings import ( write_parsed_mappings_csv, - write_parsed_mappings_json, + write_parsed_mappings_navigator_layer, write_parsed_mappings_yaml, ) -from tests.expected_results.expected_results_json import ( - expected_cve_mapping_json, - expected_nist_mapping_json, - expected_security_stack_mapping_json, - expected_veris_mapping_json, + +from tests.expected_results.expected_results_navigator_layer import ( + expected_cve_navigator_layer, + expected_nist_navigator_layer, + expected_security_stack_navigator_layer, + expected_veris_navigator_layer, ) from tests.expected_results.expected_results_yaml import ( expected_cve_mapping_yaml, 
@@ -32,20 +20,15 @@ expected_security_stack_mapping_yaml, expected_veris_mapping_yaml, ) +from tests.parsers import ( + cve_mappings_parser, + nist_mappings_parser, + security_stack_mappings_parser, + veris_mappings_parser, +) -def nist_mappings_parser(): - filepath = os.path.join(os.path.dirname(__file__), "files/test_nist_mappings.xlsx") - attack_version = "13.0" - mappings_version = "1" - dataframe = read_excel_file(filepath) - parsed_mappings = configure_nist_mappings( - dataframe, attack_version, mappings_version - ) - return parsed_mappings - - -def test_nist_mappings_parser_yaml(tmpdir): +def test_write_nist_mappings_to_yaml(tmpdir): # ARRANGE parsed_mappings = yaml.dump(nist_mappings_parser()) filename = "nist_mappings" @@ -60,21 +43,6 @@ def test_nist_mappings_parser_yaml(tmpdir): assert result == expected_nist_mapping_yaml -def test_nist_mappings_parser_json(tmpdir): - # ARRANGE - filename = "nist_mappings" - filepath = f"{tmpdir}/{filename}" - parsed_mappings = nist_mappings_parser() - - # ACT - write_parsed_mappings_json(parsed_mappings, filepath) - file = open(f"{filepath}.json", "r", encoding="UTF-8") - result = json.load(file) - - # ASSERT - assert result == expected_nist_mapping_json - - def test_nist_mappings_parser_csv(tmpdir): # ARRANGE filename = "nist_mappings" 
@@ -86,35 +54,34 @@ def test_nist_mappings_parser_csv(tmpdir): "r", encoding="UTF-8", ) - expected_mapping_platforms_file = open( - f"{veris_directory}/expected_nist_results_mapping_platforms.csv", - "r", - encoding="UTF-8", - ) expected_metadata_file = open( f"{veris_directory}/expected_nist_results_metadata.csv", "r", encoding="UTF-8" ) + metadata_key = 0 # ACT - write_parsed_mappings_csv(parsed_mappings, filepath) - attack_objects_file = open(f"{filepath}_attack-objects.csv", "r", encoding="UTF-8") - mapping_platforms_file = open( - f"{filepath}_mapping-platforms.csv", "r", encoding="UTF-8" - ) + write_parsed_mappings_csv(parsed_mappings, filepath, metadata_key) + attack_objects_file = open(f"{filepath}_attack_objects.csv", "r", encoding="UTF-8") metadata_file = open(f"{filepath}_metadata.csv", "r", encoding="UTF-8") # ASSERT assert expected_attack_objects_file.read() == attack_objects_file.read() - assert expected_mapping_platforms_file.read() == mapping_platforms_file.read() assert expected_metadata_file.read() == metadata_file.read() -def security_stack_mappings_parser(filepath): - parsed_mappings = [] - for file in os.listdir(filepath): - data = read_yaml_file(f"{filepath}/{file}") - configure_security_stack_mappings(data, parsed_mappings) - return parsed_mappings +def test_nist_mappings_parser_navigator_layer(tmpdir): + # ARRANGE + filename = "nist_mappings" + filepath = f"{tmpdir}/{filename}" + parsed_mappings = nist_mappings_parser() + + # ACT + write_parsed_mappings_navigator_layer(parsed_mappings, filepath, "nist") + file = open(f"{filepath}_navigator_layer.json", "r", encoding="UTF-8") + result = json.load(file) + + # ASSERT + assert result == expected_nist_navigator_layer def test_security_stack_mappings_yaml(tmpdir): 
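Review bot: The added `test_nist_mappings_parser_navigator_layer` opens the generated layer with a bare `open(...)` and never closes it, and the CSV test in this hunk does the same for the expected and generated files. Unclosed handles produce `ResourceWarning`s and can make cleanup of the temporary directory fail on platforms that lock open files. I would read through a context manager, `with open(f"{filepath}_navigator_layer.json", encoding="UTF-8") as file:` followed by `result = json.load(file)`. The same pattern recurs in `test_security_stack_mappings_navigator_layer` (hunk `@@ -185,38 +124,52 @@`) and in the veris tests (hunk `@@ -260,70 +198,49 @@`). `test_nist_mappings_parser_csv` starts outside this hunk.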
@@ -140,29 +107,6 @@ def test_security_stack_mappings_yaml(tmpdir): assert result == expected_security_stack_mapping_yaml -def test_security_stack_mappings_json(tmpdir): - # ARRANGE - root_filepath = os.path.join(os.path.dirname(__file__), "files/security_stack") - - # ACT - for _, directories, _ in os.walk(root_filepath): - for directory in directories: - # get parsed data - filepath = f"{root_filepath}/{directory}" - parsed_mappings = security_stack_mappings_parser(filepath) - - # write parsed data to file - filename = f"security_stack_{directory}_mappings" - tmpdir.mkdir(directory).join(filename) - output_filepath = f"{tmpdir}/{directory}/{filename}" - write_parsed_mappings_json(parsed_mappings, output_filepath) - file = open(f"{output_filepath}.json", "r", encoding="UTF-8") - result = json.load(file) - - # ASSERT - assert result == expected_security_stack_mapping_json - - def test_security_stack_mappings_csv(tmpdir): # ARRANGE root_filepath = os.path.join(os.path.dirname(__file__), "files/security_stack") @@ -172,11 +116,6 @@ def test_security_stack_mappings_csv(tmpdir): "r", encoding="UTF-8", ) - expected_mapping_platforms_file = open( - f"{security_stack_directory}/expected_security_stack_results_mapping_platforms.csv", - "r", - encoding="UTF-8", - ) expected_metadata_file = open( f"{security_stack_directory}/expected_security_stack_results_metadata.csv", "r", 
@@ -185,38 +124,52 @@ def test_security_stack_mappings_csv(tmpdir): # ACT for _, directories, _ in os.walk(root_filepath): + metadata_key = 0 for directory in directories: - print("DIRECTORY!", directory) # get parsed data filepath = f"{root_filepath}/{directory}" parsed_mappings = security_stack_mappings_parser(filepath) - # write parsed data to file + # write parsed data to csv files filename = f"security_stack_{directory}_mappings" tmpdir.mkdir(directory).join(filename) - write_parsed_mappings_csv(parsed_mappings, filepath) + write_parsed_mappings_csv(parsed_mappings, filepath, metadata_key) + metadata_key += 1 attack_objects_file = open( - f"{filepath}_attack-objects.csv", "r", encoding="UTF-8" - ) - mapping_platforms_file = open( - f"{filepath}_mapping-platforms.csv", "r", encoding="UTF-8" + f"{filepath}_attack_objects.csv", "r", encoding="UTF-8" ) metadata_file = open(f"{filepath}_metadata.csv", "r", encoding="UTF-8") # ASSERT assert expected_attack_objects_file.read() == attack_objects_file.read() - assert ( - expected_mapping_platforms_file.read() == mapping_platforms_file.read() - ) assert expected_metadata_file.read() == metadata_file.read() -def veris_mappings_parser(): - filepath = os.path.join(os.path.dirname(__file__), "files/test_veris_mappings.json") - veris_mappings = read_json_file(filepath) - domain = "enterprise" - parsed_mappings = configure_veris_mappings(veris_mappings, domain) - return parsed_mappings +def test_security_stack_mappings_navigator_layer(tmpdir): + # ARRANGE + root_filepath = os.path.join(os.path.dirname(__file__), "files/security_stack") + + # ACT + for _, directories, _ in os.walk(root_filepath): + for directory in directories: + # get parsed data + filepath = f"{root_filepath}/{directory}" + parsed_mappings = security_stack_mappings_parser(filepath) + + # write parsed data to file + filename = f"security_stack_{directory}_mappings" + tmpdir.mkdir(directory).join(filename) + output_filepath = f"{tmpdir}/{directory}/{filename}" 
+ write_parsed_mappings_navigator_layer( + parsed_mappings, output_filepath, "security stack" + ) + file = open( + f"{output_filepath}_navigator_layer.json", "r", encoding="UTF-8" + ) + result = json.load(file) + + # ASSERT + assert result == expected_security_stack_navigator_layer def test_veris_mappings_yaml(tmpdir): @@ -234,21 +187,6 @@ def test_veris_mappings_yaml(tmpdir): assert result == expected_veris_mapping_yaml -def test_veris_mappings_json(tmpdir): - # ARRANGE - parsed_mappings = veris_mappings_parser() - filename = "veris_mappings" - filepath = f"{tmpdir}/{filename}" - - # ACT - write_parsed_mappings_json(parsed_mappings, filepath) - file = open(f"{filepath}.json", "r", encoding="UTF-8") - result = json.load(file) - - # ASSERT - assert result == expected_veris_mapping_json - - def test_veris_mappings_parser_csv(tmpdir): # ARRANGE filename = "veris_mappings" 
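Review bot: In `test_security_stack_mappings_csv` (hunk `@@ -185,38 +124,52 @@`) the writer is still called as `write_parsed_mappings_csv(parsed_mappings, filepath, metadata_key)`, where `filepath` is `f"{root_filepath}/{directory}"` under `tests/files/security_stack`, so the generated `_attack_objects.csv` and `_metadata.csv` are written into the repository's fixture tree and the result of `tmpdir.mkdir(directory).join(filename)` is discarded. The `tests/files/security_stack/AWS_attack_objects.csv` file added by this commit looks like such an output, though that is inferred from its path only. A test that writes into its own input tree can pass or fail depending on leftovers from earlier runs, and later runs may pick those leftovers up as inputs. I would set `output_filepath = f"{tmpdir}/{directory}/{filename}"` and pass it to the writer and to the two `open` calls, as the added `test_security_stack_mappings_navigator_layer` already does. The function starts outside the hunk.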
@@ -260,70 +198,49 @@ def test_veris_mappings_parser_csv(tmpdir): "r", encoding="UTF-8", ) - expected_mapping_platforms_file = open( - f"{veris_directory}/expected_veris_results_mapping_platforms.csv", - "r", - encoding="UTF-8", - ) expected_metadata_file = open( f"{veris_directory}/expected_veris_results_metadata.csv", "r", encoding="UTF-8" ) # ACT - write_parsed_mappings_csv(parsed_mappings, filepath) - attack_objects_file = open(f"{filepath}_attack-objects.csv", "r", encoding="UTF-8") - mapping_platforms_file = open( - f"{filepath}_mapping-platforms.csv", "r", encoding="UTF-8" - ) + metadata_key = 0 + write_parsed_mappings_csv(parsed_mappings, filepath, metadata_key) + attack_objects_file = open(f"{filepath}_attack_objects.csv", "r", encoding="UTF-8") metadata_file = open(f"{filepath}_metadata.csv", "r", encoding="UTF-8") # ASSERT assert expected_attack_objects_file.read() == attack_objects_file.read() - assert expected_mapping_platforms_file.read() == mapping_platforms_file.read() assert expected_metadata_file.read() == metadata_file.read() -def cve_mappings_parser(): - filepath = os.path.join(os.path.dirname(__file__), "files/test_cve_mappings.csv") - id_to_name_dict = { - "T1059": {"name": "Name for T1059", "domain": "enterprise"}, - "T1190": {"name": "Name for T1190", "domain": "enterprise"}, - "T1078": {"name": "Name for T1078", "domain": "enterprise"}, - "T1068": {"name": "Name for T1068", "domain": "enterprise"}, - } - cve_mappings = read_csv_file(filepath) - parsed_mappings = configure_cve_mappings(cve_mappings, id_to_name_dict) - return parsed_mappings - - -def test_cve_mappings_yaml(tmpdir): +def test_veris_mappings_navigator_layer(tmpdir): # ARRANGE - parsed_mappings = yaml.dump(cve_mappings_parser()) - filename = "cve_mappings" + parsed_mappings = veris_mappings_parser() + filename = "veris_mappings" filepath = f"{tmpdir}/{filename}" # ACT - write_parsed_mappings_yaml(parsed_mappings, filepath) - file = open(f"{filepath}.yaml", "r", encoding="UTF-8") 
- result = yaml.safe_load(file) + write_parsed_mappings_navigator_layer(parsed_mappings, filepath, "veris") + file = open(f"{filepath}_navigator_layer.json", "r", encoding="UTF-8") + result = json.load(file) # ASSERT - assert result == expected_cve_mapping_yaml + assert result == expected_veris_navigator_layer -def test_cve_mappings_json(tmpdir): +def test_cve_mappings_yaml(tmpdir): # ARRANGE - parsed_mappings = cve_mappings_parser() + parsed_mappings = yaml.dump(cve_mappings_parser()) filename = "cve_mappings" filepath = f"{tmpdir}/{filename}" # ACT - write_parsed_mappings_json(parsed_mappings, filepath) - file = open(f"{filepath}.json", "r", encoding="UTF-8") + write_parsed_mappings_yaml(parsed_mappings, filepath) + file = open(f"{filepath}.yaml", "r", encoding="UTF-8") result = yaml.safe_load(file) # ASSERT - assert result == expected_cve_mapping_json + assert result == expected_cve_mapping_yaml def test_cve_mappings_parser_csv(tmpdir): 
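Review bot: The added `test_veris_mappings_navigator_layer` opens the generated file with a bare `open()` and never closes it, so the handle stays open until garbage collection and can surface as a `ResourceWarning` or keep the file locked on Windows. A context manager scopes it: `with open(f"{filepath}_navigator_layer.json", "r", encoding="UTF-8") as file:` followed by `result = json.load(file)`. The CSV test earlier in this hunk does the same with `attack_objects_file`, `metadata_file` and the `expected_*` handles, as do the other tests this commit adds in the remaining hunks.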
@@ -337,24 +254,31 @@ def test_cve_mappings_parser_csv(tmpdir): "r", encoding="UTF-8", ) - expected_mapping_platforms_file = open( - f"{cve_directory}/expected_cve_results_mapping_platforms.csv", - "r", - encoding="UTF-8", - ) expected_metadata_file = open( f"{cve_directory}/expected_cve_results_metadata.csv", "r", encoding="UTF-8" ) # ACT - write_parsed_mappings_csv(parsed_mappings, filepath) - attack_objects_file = open(f"{filepath}_attack-objects.csv", "r", encoding="UTF-8") - mapping_platforms_file = open( - f"{filepath}_mapping-platforms.csv", "r", encoding="UTF-8" - ) + metadata_key = 0 + write_parsed_mappings_csv(parsed_mappings, filepath, metadata_key) + attack_objects_file = open(f"{filepath}_attack_objects.csv", "r", encoding="UTF-8") metadata_file = open(f"{filepath}_metadata.csv", "r", encoding="UTF-8") # ASSERT assert expected_attack_objects_file.read() == attack_objects_file.read() - assert expected_mapping_platforms_file.read() == mapping_platforms_file.read() assert expected_metadata_file.read() == metadata_file.read() + + +def test_cve_mappings_navigator_layer(tmpdir): + # ARRANGE + parsed_mappings = cve_mappings_parser() + filename = "cve_mappings" + filepath = f"{tmpdir}/{filename}" + + # ACT + write_parsed_mappings_navigator_layer(parsed_mappings, filepath, "cve") + file = open(f"{filepath}_navigator_layer.json", "r", encoding="UTF-8") + result = yaml.safe_load(file) + + # ASSERT + assert result == expected_cve_navigator_layer diff --git a/tests/test_mapex_convert_cli.py b/tests/test_mapex_convert_cli.py new file mode 100644 index 00000000..96cd054a --- /dev/null +++ b/tests/test_mapex_convert_cli.py 
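Review bot: `test_cve_mappings_navigator_layer` reads `{filepath}_navigator_layer.json` with `yaml.safe_load(file)`, whereas the VERIS and security-stack navigator tests in this file use `json.load(file)`. PyYAML is not a strict JSON parser (for example, it loads an exponent-only number such as `1e3` as a string), so the test could disagree with what a JSON consumer of the layer actually sees. Changing the line to `result = json.load(file)` checks the file as JSON; `test_cve_mappings_json` in the new `tests/test_mapex_convert_cli.py` has the same line.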
@@ -0,0 +1,87 @@
+import json
+import os
+
+import yaml
+from mappings_explorer.cli.mapex_convert.cli import write_parsed_mappings_json
+
+from tests.expected_results.expected_results_json import (
+ expected_cve_mapping_json,
+ expected_nist_mapping_json,
+ expected_security_stack_mapping_json,
+ expected_veris_mapping_json,
+)
+from tests.parsers import (
+ cve_mappings_parser,
+ nist_mappings_parser,
+ security_stack_mappings_parser,
+ veris_mappings_parser,
+)
+
+
+def test_nist_mappings_parser_json(tmpdir):
+ # ARRANGE
+ filename = "nist_mappings"
+ filepath = f"{tmpdir}/{filename}"
+ parsed_mappings = nist_mappings_parser()
+
+ # ACT
+ write_parsed_mappings_json(parsed_mappings, filepath)
+ file = open(f"{filepath}.json", "r", encoding="UTF-8")
+ result = json.load(file)
+
+ # ASSERT
+ assert result == expected_nist_mapping_json
+
+
+def test_security_stack_mappings_json(tmpdir):
+ # ARRANGE
+ root_filepath = os.path.join(os.path.dirname(__file__), "files/security_stack")
+
+ # ACT
+ for _, directories, _ in os.walk(root_filepath):
+ for directory in directories:
+ # get parsed data
+ filepath = f"{root_filepath}/{directory}"
+ parsed_mappings = security_stack_mappings_parser(filepath)
+
+ # write parsed data to file
+ filename = f"security_stack_{directory}_mappings"
+ tmpdir.mkdir(directory).join(filename)
+ output_filepath = f"{tmpdir}/{directory}/{filename}"
+ write_parsed_mappings_json(parsed_mappings, output_filepath)
+ file = open(f"{output_filepath}.json", "r", encoding="UTF-8")
+ result = json.load(file)
+
+ # ASSERT
+ assert result == expected_security_stack_mapping_json
+
+
+def test_veris_mappings_json(tmpdir):
+ # ARRANGE
+ parsed_mappings = veris_mappings_parser()
+ filename = "veris_mappings"
+ filepath = f"{tmpdir}/{filename}"
+
+ # ACT
+ write_parsed_mappings_json(parsed_mappings, filepath)
+ file = open(f"{filepath}.json", "r", encoding="UTF-8")
+ result = json.load(file)
+
+ # ASSERT
+ print("RESULT", result)
+ assert result == expected_veris_mapping_json
+
+
+def test_cve_mappings_json(tmpdir):
+ # ARRANGE
+ parsed_mappings = cve_mappings_parser()
+ filename = "cve_mappings"
+ filepath = f"{tmpdir}/{filename}"
+
+ # ACT
+ write_parsed_mappings_json(parsed_mappings, filepath)
+ file = open(f"{filepath}.json", "r", encoding="UTF-8")
+ result = yaml.safe_load(file)
+
+ # ASSERT
+ assert result == expected_cve_mapping_json
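Review bot: `test_veris_mappings_json` keeps a debugging `print("RESULT", result)` ahead of its assertion, which dumps the whole parsed mapping into captured output on every run. pytest already shows the differing values when `assert result == expected_veris_mapping_json` fails, so the line can be dropped; the same commit removes the equivalent `print("DIRECTORY!", directory)` from `test_security_stack_mappings_csv`.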